Has anyone tried pptp in qubes 4.0?


0...@tuta.io

Jun 4, 2020, 2:25:54 PM
to Qubes Users
Telnet to port 1723 works and I can ping the server from sys-net/sys-firewall/proxy-vm.
But the connection can't be established from proxy-vm. The modem hangs, if I watch journalctl | grep pptp.

[user@sys-net ~]$ lsmod | grep pptp
nf_nat_pptp            16384  0
nf_nat_proto_gre       16384  1 nf_nat_pptp
nf_conntrack_pptp      16384  1 nf_nat_pptp
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_nat                 36864  5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
nf_conntrack          163840  11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT

Can anyone help with how to use pptp in QubesOS?

In 2016 Unman said:

First you need to allow INBOUND protocol 47:
On sys-net:
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
iptables -I FORWARD -p 47 -s <vpn server>  -j ACCEPT

On proxyVM:
iptables -I INPUT -p 47 -s <vpn server> -j ACCEPT

Now, zero the iptables counters, (using -Z), and try to start the vpn.
You should see the counters incrementing both in sys-net and on the
vpn proxy.
If the connection fails look to see if any DROP rules are being
triggered.
By default PPTP uses tcp port 1723 so you could put in a rule to log
that traffic :
iptables -I FORWARD -p tcp --dport 1723 -j LOG

But it doesn't solve the problem.
--

unman

Jun 6, 2020, 10:51:10 AM
to Qubes Users
On Thu, Jun 04, 2020 at 08:25:50PM +0200, 0rb via qubes-users wrote:
> Telnet 1723 port works and i can ping server from sys-net/sys-firewall/proxy-vm
> But connection can't be established from proxy-vm. Modem hangs if watch journalctl | grep ppptp
>
> [user@sys-net ~]$ lsmod | grep pptp
> nf_nat_pptp            16384  0
> nf_nat_proto_gre       16384  1 nf_nat_pptp
> nf_conntrack_pptp      16384  1 nf_nat_pptp
> nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
> nf_nat                 36864  5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
> nf_conntrack          163840  11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT
>
> Can anyone help how to use ppptp in QubesOS ?
>
> In 2016 Unman says
>
> First you need to allow INBOUND protocol 47:
> On sys-net:
> modprobe ip_conntrack_pptp
> modprobe ip_nat_pptp
> iptables -I FORWARD -p 47 -s <vpn server> -j ACCEPT
>
> On proxyVM:
> iptables -I INPUT -p 47 -s <vpn server> -j ACCEPT
>
> Now, zero the iptables counters, (using -Z), and try to start the vpn.
> You should see the counters incrementing both in sys-net and on the
> vpn proxy.
> If the connection fails look to see if any DROP rules are being
> triggered.
> By default PPTP uses tcp port 1723 so you could put in a rule to log
> that traffic :
> iptables -I FORWARD -p tcp --dport 1723 -j LOG
>
> But it doesnt solve the problem.

4-year-old suggestions will rarely work in Qubes, but the principle is
good.
I don't use pptp myself, but have set this up for various users - a little
more information from your end would be useful.
Where are you trying to set up pptp connection from?
What does your Qubes netvm structure look like?
Have you set up firewall rules to allow INBOUND protocol 47?

onelov...@tuta.io

Jun 6, 2020, 1:56:00 PM
to unman, Qubes Users
Hi, Unman!

I am talking about the default scheme. I know that PPTP is insecure, but I need it to test production multicast in corporate networks.

Clean Qubes install.
net-vm - fedora 30,31,32.
firewall-vm - fedora 30,31,32
proxy-vm based on the debian-10 template provides network, with sys-firewall as its netvm
(pptp-linux network-manager-pptp network-manager-pptp-gnome packages preinstalled)

For any other Linux distro, for example Ubuntu, it's enough to establish the connection and send an IGMP query over pptp to the router.
Can you advise me which full set of iptables firewall rules I need to enable on the sys-firewall VM?

Thank you.



--
Securely sent with Tutanota. Get your own encrypted, ad-free mailbox:


--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

onelov...@tuta.io

Jun 6, 2020, 2:02:23 PM
to unman, Qubes Users
And I forgot to tell you that pptp doesn't work directly from sys-net either. Do you know why?
journalctl gives me little info, just something like "Modem hangs up", so I can't troubleshoot the connection.
From another host it works well. The firewall doesn't block 1723 (telnet and ping to the server work).
NAT conntrack is enabled in the Fedora template kernel.



unman

Jun 7, 2020, 11:13:22 AM
to Qubes Users
On Sat, Jun 06, 2020 at 08:02:20PM +0200, onelovecisco via qubes-users wrote:
> And i forgot to tell you that pptp doesnt work from sys-net directly else. Do you know why?
> Journalctl gives me a little info such like "Modem hangs up". So i cant troubleshooting connection.
The convention here is not to top-post.
Please scroll to the bottom of the message before you start typing. Or
reply inline.
It only takes you seconds, makes it much easier to follow threads, and
cumulatively saves your fellow users hours.

Have you allowed inbound proto 47?
TCP port 1723 is the control connection, but the pptp tunnel is GRE -
that's PROTOCOL 47
It might be helpful if you post your firewall rules

unman
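The steps unman gives (the 2016 rules quoted in the first post, and the point above that TCP 1723 is only the control connection while the tunnel is GRE, protocol 47) as an added shell example; this is not code from the thread or from Qubes. pptp_rules prints the commands for each VM role, gre_accept_present checks an iptables listing for the protocol-47 ACCEPT rule from the VPN server, and drop_hits totals the DROP counters you would watch after zeroing them with -Z. The function names, the constructed sample listing and the 203.0.113.10 server address are my assumptions; the modprobe lines use the nf_* module names that lsmod shows in the thread rather than the older ip_* ones.

```shell
#!/bin/sh
# Added example, not code from the thread: unman's firewall steps (allow GRE,
# IP protocol 47, from the VPN server on sys-net FORWARD and on the proxy VM
# INPUT; then watch the counters and look for DROP rules that fire) as small
# shell functions. Function names and the sample listing are mine; module
# names are the nf_* ones shown by lsmod in the thread.

# Print the commands for one VM role. PPTP needs TCP/1723 for the control
# connection plus GRE (protocol 47) for the tunnel; a default-deny firewall
# that passes 1723 but not 47 gives exactly the "modem hangs up" symptom.
pptp_rules() {
    role=$1
    server=$2
    case $role in
        sys-net)
            printf '%s\n' \
                "modprobe nf_conntrack_pptp" \
                "modprobe nf_nat_pptp" \
                "iptables -I FORWARD -p 47 -s $server -j ACCEPT"
            ;;
        proxy)
            printf '%s\n' "iptables -I INPUT -p 47 -s $server -j ACCEPT"
            ;;
        *)
            echo "unknown role: $role (use sys-net or proxy)" >&2
            return 1
            ;;
    esac
}

# Check an `iptables -L -n -v [--line-numbers]` listing for an ACCEPT rule
# on protocol 47 (printed as "47" or "gre") whose source is the server.
# Returns 0 when present, 1 otherwise.
gre_accept_present() {
    listing=$1
    server=$2
    printf '%s\n' "$listing" | awk -v srv="$server" '
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i == "ACCEPT" && ($(i + 1) == "47" || $(i + 1) == "gre"))
                    ok = 1
            if (ok)
                for (i = 1; i <= NF; i++)
                    if ($i == srv) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Sum the packet counters of every DROP rule and every "policy DROP" chain
# header in a listing. After `iptables -Z` and a connection attempt, a
# non-zero total points at the rule that is eating the tunnel.
drop_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            for (i = 1; i < NF; i++)
                if ($i == "DROP") total += $(i + 1)
            next
        }
        {
            # pkts sits two fields before the target, with or without
            # the --line-numbers num column
            for (i = 3; i <= NF; i++)
                if ($i == "DROP") total += $(i - 2)
        }
        END { print total + 0 }'
}

# Constructed sample in the shape of `iptables -t filter -L INPUT -n -v
# --line-numbers`; 203.0.113.10 stands in for the VPN server.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     47   --  *      *       203.0.113.10         0.0.0.0/0
2        5   300 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723'

pptp_rules sys-net 203.0.113.10
pptp_rules proxy 203.0.113.10
if gre_accept_present "$SAMPLE_LISTING" 203.0.113.10; then
    echo "GRE from 203.0.113.10 is accepted"
fi
echo "packets dropped: $(drop_hits "$SAMPLE_LISTING")"
```

To use it against a real VM, feed `iptables -t filter -L INPUT -n -v --line-numbers` output into the two check functions instead of SAMPLE_LISTING; the FORWARD chain on sys-net is checked the same way.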

onelov...@tuta.io

Jun 13, 2020, 8:44:43 AM
to unman, Qubes Users

Unman, I think we need some external iptables rules to route traffic between sys-net and proxy-vm in Qubes.

In the proxy VM I use: iptables -I INPUT -p 47 -s X.X.X.X -j ACCEPT

iptables -t filter -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out  source      destination
1        0     0 ACCEPT  47   --  *   *    X.X.X.X     0.0.0.0/0

tcpdump -i eth0/wls6 port 1723 -vvv on sys-net and proxy-vm shows me traffic between the server and the host.

So, maybe try to allow all traffic between sys-net and proxy-vm for experiments?
Or maybe there is some Qubes-specific routing? I don't know.

What else can block the connection?

