1

Connection via VPN / PPTP does not work unless firewall is disabled

asked 2016-09-21 12:42:36 -0500

Period22

I can't connect to a remote server via VPN / PPTP with Fedora 24 Workstation. It used to work with Fedora 23.

I've followed the instructions here to allow GRE:

https://ask.fedoraproject.org/en/question/62909/cant-connect-to-vpn-on-fedora-21/

but that does not help.

If I disable the firewall completely with sudo systemctl stop firewalld, everything works. As soon as I start it again, it stops working. So it must be some firewall configuration issue but I can't figure it out. Any help is appreciated.


3 Answers

3

answered 2016-09-24 10:02:54 -0500

Period22

OK, I experimented some more.

This is necessary (as someone wrote below):

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload

But this is also needed:

modprobe -a nf_conntrack_pptp nf_conntrack_proto_gre

The first set of commands allows gre traffic through the firewall. The second command loads the necessary kernel modules for pptp and gre (found this here, at the very bottom).

Anyway, it works now.

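Added example, not part of the original answer: a POSIX shell check that reports which of the two prerequisites described above (GRE accept rules for ipv4 and ipv6, and the two conntrack modules) is still missing. It parses captured output of `firewall-cmd --direct --get-all-rules` and `lsmod`; the function names and sample data are constructed for illustration, and the rule-line layout is assumed to mirror the arguments given to `--add-rule`.

```shell
#!/bin/sh
# Live use (assumed invocation, needs firewalld running):
#   pptp_missing "$(firewall-cmd --direct --get-all-rules)" "$(lsmod)"

# has_gre_accept <ipv4|ipv6> <direct-rules-text>
# Succeeds if a filter/INPUT direct rule for that family accepts GRE (protocol 47).
has_gre_accept() {
    printf '%s\n' "$2" | awk -v fam="$1" '
        $1 == fam && $2 == "filter" && $3 == "INPUT" {
            gre = 0; acc = 0
            for (i = 5; i <= NF; i++) {
                if ($i == "-p" && ($(i+1) == "gre" || $(i+1) == "47")) gre = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") acc = 1
            }
            if (gre && acc) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# module_loaded <module-name> <lsmod-text>
# Succeeds if the module name appears in the first column of lsmod output.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { f = 1 } END { exit (f ? 0 : 1) }'
}

# pptp_missing <direct-rules-text> <lsmod-text>
# Prints one line per missing prerequisite; prints nothing when all are present.
pptp_missing() {
    for pm_fam in ipv4 ipv6; do
        has_gre_accept "$pm_fam" "$1" || echo "rule:$pm_fam"
    done
    for pm_mod in nf_conntrack_pptp nf_conntrack_proto_gre; do
        module_loaded "$pm_mod" "$2" || echo "module:$pm_mod"
    done
}

# Constructed sample input: the ipv6 GRE rule was never added.
SAMPLE_RULES='ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT'
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_pptp      16384  0
nf_conntrack_proto_gre 16384  1 nf_conntrack_pptp
nf_conntrack          106496  2 nf_conntrack_pptp,nf_conntrack_proto_gre'

pptp_missing "$SAMPLE_RULES" "$SAMPLE_LSMOD"
```

Passing the output of `firewall-cmd --permanent --direct --get-all-rules` instead checks the saved configuration rather than the running one.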
0

answered 2016-09-22 01:34:08 -0500

It seems indeed that GRE traffic is not accepted anymore. Try:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -j ACCEPT

firewall-cmd --reload


Comments

This worked for me. Thank you. I don't understand why Fedora makes these changes that block people from doing simple tasks like connecting to a pptp VPN.

Snydox (2017-02-22 13:52:00 -0500)
0

answered 2017-01-18 01:25:02 -0500

updated 2017-01-18 03:23:29 -0500

I figured out how to do this in a way that is quite a bit simpler and is done through a GUI.

  1. Install firewall-config via gnome-software and launch it
  2. Switch from "Configuration: Runtime" to "Configuration: Permanent"
  3. Switch to the "Services" tab
  4. Click on the + button on the bottom of the sidebar and add the name "pptp"
  5. Find the new service in the sidebar and add port 1723, tcp
  6. Go back to "Zones" and check "pptp" in both your internet and VPN connections
  7. Reload firewall

Edit: Turns out that Firewall has a pptp module under Services->Modules that needs to be added. Click on it in the Modules sidebar, click "Add" and select pptp.


Comments

Thanks for this - I couldn't get PureVPN to work until I found your solution.

Richard63 (2017-08-30 14:20:10 -0500)

Stats

Asked: 2016-09-21 12:40:37 -0500

Seen: 9,245 times

Last updated: Jan 18 '17