VPN revisited.

Peter Warasin peter at endian.com
Thu Aug 21 10:57:38 UTC 2008

Hi Sevan, hi IanC

Sevan / Venture37 wrote:
>> Yes, it's those very kernel modules and iptables rules I'm currently
>> wrestling with, to no avail.

I have exactly the same problem. I narrowed down the problem to chilli, 
at least I think so.

(It's a Linux kernel 2.6.22, with PPTP netfilter helpers loaded and GRE 
and port 1723 allowed.)

PPTP is working well passing through the exact same box when chilli is 
not running. It takes about 2 seconds to connect. Connecting, disconnecting, 
reconnecting, that's all working fine, also with multiple clients and 
different servers.

As soon as I snap in chilli, establishing a PPTP connection takes a very, 
very long time (several minutes).
Most of the time there is no chance to connect. Only sometimes, after a 
long handshake period PPTP connects. I think that's pure luck that it 

I noticed that chilli somehow seems to send out-of-order duplicates 
through the tun device. At least I see (with Wireshark) TCP DUP ACKs 
coming back from the server some packets after the original ACK, which 
causes the client to resend a SYN, which then confuses the protocol.
I then see the connection closing (PSH ACK, FIN ACK, ACK, RST) and 
reconnecting (SYN, SYN ACK, ...).

I am digging deeper into the source code right now in order to debug the 
problem. If someone has advice, please tell me :)

kind regards,


:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter at endian.com

