VPN revisited.

Peter Warasin peter at endian.com
Thu Aug 21 18:39:32 UTC 2008

Hi David

wlanmac wrote:
> I had just completed a test connecting Windows Vista PPTP through
> chilli. I had no issues once the required kernel modules were loaded. 

That's wired. Maybe it was only luck? Sometimes it works also for me 
without special iptables rules. But most of the time it doesn't.
Have you tried to connect/disconnect/connect/disconnect all the time?

Maybe there's also a special combination you need to have (maybe a 
special service pack on client), because we have this problem only on 
some installations and in my lab of course. Some other installations 
never had that problem. Probably nobody tried there..

If i unload the helper modules, it also works always, without any 
problem. It stops working only if i load the helper modules. That makes 
also perfectly sense, because it does not pass twice the helper modules 
if they are unloaded.
But certainly I need the modules, otherwise you could never have 
multiple connections through the machine.

> With that said, I have actually long suspected that problems with VPNs
> could be due to connection tracking... I'm guessing those notrack rules
> are keepers.

I really hope that's the solution.
Next i would like to try is trying only with the notrack rules and 
removing the drop rules. Only for trying.. Because in theory they should 
not harm nor help

> I don't think your FORWARD ACCEPT rules on tun0 are necessary... it
> should be forwarding everything from/to tun0. 

Well, surely you don't really need them. I added them because normally a 
firewall is configured in order to block all traffic and let pass only 
what you want, as it is in my case.
But you're right, the accept rules are not necessary when nothing other 

Thank you..



:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter at endian.com

More information about the Chilli mailing list