dockerfiles icon indicating copy to clipboard operation
dockerfiles copied to clipboard
verified publisher icon vimagick

PPTP client doesn't work

Open aekrylov opened this issue 7 years ago • 2 comments

I'm trying to run pptp image. compose starts successfully, but after that connectivity is completely lost on my machine. Tried to ping public internet or even my VPN gateway, doesn't work docker-compose file and output logs are here There's a suspicious line there: Error: either "to" is duplicate, or "uid" is a garbage.

The host runs on Ubuntu Bionic, docker version is 18.09.0 docker-compose version is 1.23.2

aekrylov avatar Nov 30 '18 16:11 aekrylov

That message Error: either "to" is duplicate, or "uid" is a garbage is a message from the ip command which pptpclient presumably uses to set up the connection.

Offending lines are https://github.com/vimagick/dockerfiles/blob/master/pptp/docker-entrypoint.sh#L21-L22

Probably should be simply

ip route del 0.0.0.0/1
ip route del 128.0.0.0/1

But it's not fatal in our case. Except this thing Docker image is ok. According to your logs pptp client is okay and could complete session initialization successfully LCP ConfReq is okay too which means GRE is working. Script /etc/ppp/ip-up finished (pid 30), status = 0x0

You have to fix your routing problem.
I'm not so good in networking but it looks like

0.0.0.0/1 dev ppp0 scope link 
128.0.0.0/1 dev ppp0 scope link

ppp is trying to override your default route as bigger mask wins and all your outgoing traffic goes through your new connection initiated by pptp client. Ingoing part is still default route and it's a big surprise for your ssh client.

As iptables -L output is missing its hard to say more.

  1. Probably it could be better to use ip rule here. Something like
ip rule add from 10.10.129.0/24 table vpn.out 
ip route add default dev ppp0 table vpn.out

iptables -t nat -A POSTROUTING -s 10.10.129.0/24 -o ppp0 -j MASQUERADE

So you could segregate traffic a bit not routing all the stuff but only a small part.

  1. Or setup static route from your host with pptp to your ssh client which you wanted to connect from.

  2. Or add to https://github.com/vimagick/dockerfiles/blob/master/pptp/docker-entrypoint.sh (somewhere after line 5 up to 8) defaultroute while removing lines https://github.com/vimagick/dockerfiles/blob/master/pptp/docker-entrypoint.sh#L13-L23 to completely overwrite default route (dangerous). In this case you have to provide all static routes to all hosts you need beforehand or you will loose your host when pptp server goes down.

asilenkov avatar Nov 30 '18 18:11 asilenkov

@sn00p thanks for the response! I'm using PPTP to access corporate intranet, so I removed ip route add commands and added a route for intranet IPs (10.0.0.0/8), now everything works as expected. I think it would be cool to make this configurable

aekrylov avatar Dec 02 '18 11:12 aekrylov