Cannot setup PPTP VPN connection in openSUSE Leap

I set up a PPTP connection with NetworkManager PPTP and unchecked PAP and EAP in the advanced settings. The connection cannot be set up. I want to know if anyone has the same problem?

Problem fixed. The connection was restricted by the suseFirewall, and setting the firewall fixed the problem.

Hello

I have the same problem but I don't know how to set up the firewall.
Can you explain to me how you set up the firewall?

Thanks,

Best regards

Some more information about my situation.
When I go to YaST and click "Stop Firewall Now" in the firewall module, the PPTP VPN connection works. When I click "Start Firewall Now", the VPN connection is lost.
When I go to the terminal and clear all rules with:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
then the VPN connection works. When I restore the rules with iptables-restore, the VPN connection is lost.
I googled some iptables rules for this, but no luck.
I appreciate the help.
thanks.

You can find what needs to be allowed here: https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/

thanks for the reply.

I already tried this:

Accept all packets via ppp* interfaces (for example, ppp0)

iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT

Accept incoming connections to port 1723 (PPTP)

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

Accept GRE packets

iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

Enable IP forwarding

iptables -F FORWARD
iptables -A FORWARD -j ACCEPT

Enable NAT for eth0 and ppp* interfaces

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

And it didn't work.

My default firewall:

:~>iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination          
ACCEPT     all  --  anywhere             anywhere             
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere             
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere             

Chain FORWARD (policy DROP)
target     prot opt source               destination          
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination          
ACCEPT     all  --  anywhere             anywhere             

Chain forward_ext (0 references)
target     prot opt source               destination          

Chain input_ext (1 references)
target     prot opt source               destination          
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere             

Chain reject_func (0 references)
target     prot opt source               destination          
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

With the above iptables rules:

Chain INPUT (policy DROP)
target     prot opt source               destination          
ACCEPT     all  --  anywhere             anywhere             
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere             
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere             
ACCEPT     all  --  anywhere             anywhere             
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pptp
ACCEPT     gre  --  anywhere             anywhere             

Chain FORWARD (policy DROP)
target     prot opt source               destination          
ACCEPT     all  --  anywhere             anywhere             

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination          
ACCEPT     all  --  anywhere             anywhere             
ACCEPT     all  --  anywhere             anywhere             
ACCEPT     gre  --  anywhere             anywhere             

Chain forward_ext (0 references)
target     prot opt source               destination          

Chain input_ext (1 references)
target     prot opt source               destination          
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere             

Chain reject_func (0 references)
target     prot opt source               destination          
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

What am I doing wrong?

Thanks.

You did not provide enough information to guess. Do you try to setup PPTP server or client? Is your system directly connected to Internet? If not, are you behind NAT? Where do you use these rules - on PPTP system, on gateway/firewall system?

Sorry,
I’m directly connected to the internet. And it is a PPTP client.
From home, I want to be able to access the computer at work through ssh. And they gave me the VPN PPTP user login.
I used NetworkManager to add the VPN as explained in the documentation (https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.nm.html#pro.nm.configure.add).
So my firewall is the obstacle that I’m not managing to configure.

Thanks for your help.

This should be something straightforward to do.
For me, I think that it is not a good practice to disconnect the firewall every time I need to use the VPN.

I would appreciate a solution for this.
Thanks again.

Sorry again.
I found my mistake. The iptables rule needed to go to the top of the chain. So I needed to use -I, not -A.


# Accept GRE packets
iptables -I INPUT -p 47 -j ACCEPT
iptables -I OUTPUT -p 47 -j ACCEPT

It is working.
Thanks.
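
Added example (not code from any poster in this thread): the check below reads `iptables -S`-style text and lists the rules in a chain that sit after an unconditional verdict, which is why the `-A` rules in the second listing never matched while the `-I` rules did. The sample ruleset is constructed from the `iptables -L` output above; the `-i lo` match on the first rule and the function names are assumptions.

```shell
#!/bin/sh
# Usage: iptables -S | unreachable_rules CHAIN
# Prints rules of CHAIN placed after a rule that already decides every packet.
# Simplification: conditional "-j RETURN" rules inside user chains are ignored.
unreachable_rules() {
    awk -v want="$1" '
    $1 == "-A" {
        n++; chain[n] = $2; line[n] = $0
        # "-A CHAIN -j TARGET" with no match options applies to every packet
        if (NF == 4 && $3 == "-j") target[n] = $4
    }
    END {
        final["ACCEPT"] = final["DROP"] = final["REJECT"] = 1
        # Fixed point: a chain holding an unconditional verdict never returns
        do {
            changed = 0
            for (i = 1; i <= n; i++)
                if ((target[i] in final) && !(chain[i] in final)) {
                    final[chain[i]] = 1; changed = 1
                }
        } while (changed)
        for (i = 1; i <= n; i++) {
            if (chain[i] != want) continue
            if (decided) print line[i]
            else if (target[i] in final) decided = 1
        }
    }'
}

# Constructed sample: the INPUT chain from the thread after the -A commands.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -j DROP
EOF
}

sample_rules | unreachable_rules INPUT
```

Everything after the jump to `input_ext` is reported, because that chain ends in an unconditional DROP. The working rule accepts GRE from any source; adding `-s` with the VPN server's address narrows it.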