
Outgoing PPTP and Sangoma firewall


(Chris Wilson) #1

Hello Everyone,

I’m trying to find some information on the Sangoma firewall. I’m trying to establish a remote PPTP connection to a server; however, it is failing when the firewall is enabled.

I’m digging through the iptables rules, but it’s getting a bit confusing.

When the firewall is enabled, connections time out:

[root@server1 ~]# pppd call vpn
using channel 17
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2ea47fc2> ]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup

With the firewall disabled, it works fine:

[root@server1 ~]# pppd call purevpn
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
local IP address 172.94.45.14
remote IP address 172.94.45.5

Any help would be greatly appreciated. I have already added PPTP (1723) and GRE (47) to the firewall custom ports in services.

Best Regards,

Chris


#2

I’m not sure which is the ‘server’. Are you trying to establish a PPTP connection from e.g. your workstation to your remote FreePBX system? If so, note that GRE is protocol type 47 (just as TCP is type 6 and UDP is type 17). 47 is not a port number. The needed iptables entries are something like:
# Allow PPTP Control connection
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# Allow GRE
iptables -A INPUT -p gre -j ACCEPT
See http://computer-outlines.over-blog.com/2013/10/vpn-6-iptables-for-your-pptp-server-and-pptp-client.html .

If you are trying to connect (as a client) from your FreePBX system to a remote VPN server, that would normally work without any special firewall rules, because the outbound requests are permitted and the replies should appear to be ‘related’ and automatically accepted. You’ll have to look at the iptables rules generated by FreePBX firewall to see why GRE packets are being blocked.

If you have trouble (or maybe even if you don’t), consider using OpenVPN instead. It’s much more secure and runs over a single UDP port. For PureVPN, see https://support.purevpn.com/openvpn-manual-setup-guide .
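
The protocol-versus-port distinction from reply #2, as an added example that is not part of the original thread or FreePBX's own code: a small Python check over `iptables-save` output that flags rules opening TCP/UDP port 47 in place of IP protocol 47 (GRE). The rule set is constructed, `parse_rule` and `audit_pptp` are hypothetical helper names, and only direct ACCEPT rules in a single chain are inspected.

```python
import shlex

# Constructed sample in iptables-save format; not taken from the poster's system.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
"""

GRE = {"gre", "47"}  # IP protocol 47, as a name or a number


def parse_rule(line):
    """Return (chain, {option: value}) for an '-A' rule line, else None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A" or "!" in tokens:
        return None  # not a rule, or a negated match this sketch does not model
    opts, i = {}, 2
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return tokens[1], opts


def audit_pptp(rules_text, chain="INPUT"):
    """Report how direct ACCEPT rules in one chain treat the two PPTP flows."""
    report = {"control_1723": False, "gre_proto": False, "port_47_mistake": []}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if not parsed or parsed[0] != chain or parsed[1].get("-j") != "ACCEPT":
            continue
        proto = parsed[1].get("-p", "").lower()
        port = parsed[1].get("--dport", "")
        if proto in GRE:
            report["gre_proto"] = True  # real GRE match (-p gre or -p 47)
        elif proto in ("tcp", "udp") and port == "47":
            report["port_47_mistake"].append(line)  # port 47 is not GRE
        elif proto == "tcp" and port == "1723":
            report["control_1723"] = True  # PPTP control channel
    return report


if __name__ == "__main__":
    print(audit_pptp(SAMPLE_RULES))
```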


(Chris Wilson) #3

I am most likely going to use OpenVPN; PPTP has just been easy in the past ;).

It seems OpenVPN is working; PPTP won’t until I disable the firewall, even after applying the rules from the above site. I actually caught that one earlier.

I am going to keep digging around just because I’m curious. I may need to use it at some point in the future somewhere, for whatever reason ;).

Best Regards,

Chris