Author Topic: VPN connects but with no useful data flow


Offline peter-h

  • Frequent Contributor
  • **
  • Posts: 280
  • Country: gb
  • Doing electronics since the 1960s...
VPN connects but with no useful data flow
« on: February 22, 2020, 04:57:53 pm »
I have set up two of these, terminated on a Draytek 2960 router. One is PPTP and the other is L2TP/IPSEC.

The PPTP one is especially simple to set up. I have set that up on various different Draytek boxes and all worked straight off. Draytek call them Teleworker VPNs.

Both of them connect, i.e. authenticate, and I can see an IP has been allocated, which is from the LAN subnet of the router. From either, I can ping devices on the LAN.

I cannot ping e.g. cisco.com but ping shows the right IP so DNS is presumably working.

And I can run an RDP client but this goes to a fixed IP machine on the LAN, like the pings.

The client (phone, tablet, laptop) has no functioning internet access. A web browser, etc, does nothing... So it looks like the VPN termination cannot get outside the router.

It isn't the firewall; I can disable that.

Does anyone have any ideas? These sorts of issues are all over the internet but with no apparent solutions.

A supposedly identical setup, with identical clients, works fine on several 2955 routers, including one which served in the same place, before being replaced with the 2960. The 2960 is somehow different...
 

Offline peter-h
Re: VPN connects but with no useful data flow
« Reply #1 on: February 23, 2020, 01:34:20 pm »
I have solved it.

The system defaults (for what traffic is monitored by the firewall) are different in the Draytek 2960 from the 2955.

The 2955 connected remote VPN clients to the outside (internet), without any firewall rules being required. AFAICT, from tests, its firewall is totally bypassed by VPN traffic. So if e.g. 123.124.125.126 was constantly hacking your VPN ports, you cannot block him.

The 2960 firewall may process VPN traffic fully, or not, but definitely it blocks the VPN clients' traffic going outside onto the WAN.

To compound the debugging, I was mistakenly "disabling" the firewall by unchecking all its rules, which is ok on the 2955 but is no good on the 2960 because of the different default behaviour. I discovered this when I disabled the fw by changing its default from Block to Accept.

Now I get internet connectivity via PPTP.

Can't get L2TP to work on the 2960, from Android, but that doesn't matter. I recall it worked with Win10.

AFAICT the security worry with PPTP is that it is possible to intercept the login credentials, on e.g. a compromised wifi AP. The VPN port is not a security issue in itself. The attacker needs the username+pwd. I did a lot of reading on this topic and everybody was just repeating the same stuff they got off the internet...
 

Offline peter-h
Re: VPN connects but with no useful data flow
« Reply #2 on: February 24, 2020, 09:39:44 pm »
I posted a summary on the Draytek site, FWIW, in case somebody finds this on google...

https://forum.draytek.co.uk/viewtopic.php?f=14&t=23384
 
