Frustrated trying to set up PPTP VPN client through NAT

Hello,

I’m trying to figure out how to successfully route a particular set of web addresses through a VPN service on my Mikrotik CCR1009 running the latest stable version of RouterOS (6.40.2).

I am using the IPVanish VPN service to try and accomplish moving game packets closer to the game’s service datacenter. My ISP here has a problem with the route and it’s causing massive game lag. As much as I’ve tried to remedy the issue, I think my best option is to VPN tunnel around the issue, and it has the potential side benefit of getting me better ping/latency times. IPVanish does not specifically have instructions for RouterOS, however it does seem to support PPTP in addition to its preferred OpenVPN method (which is impossible due to the lacking implementation of OpenVPN on RouterOS). So I’m using PPTP.

So basically I want all my normal internet traffic routed out through my cable broadband ISP as normal. I want a certain set of packets (identified by Layer 7) to be routed out the VPN tunnel (via PPTP Client) instead.

I’ve reviewed a few “how to” pages here on the wiki, some forum posts, and other VPN providers’ instructions. I have also emailed the IPVanish customer support, but I have a feeling they’re going to tell me I’m on my own. (I do have success using their VPN app on my iPhone, as well as the OpenVPN implementation on a dedicated OpenELEC/LibreELEC Kodi media PC; however I need this to be network-wide, not tunneled on each device, as I am subjected to concurrent connection limits.)

I have created a Mangle rule to identify and mark the packets that need to be redirected using Layer7 RegEx’s. This seems to be working fine as I can see the marks.
I have created a NAT masquerade rule for the VPN client interface.
I have created a route entry to push all marked packets through the VPN interface.
I have created a VPN PPTP client with all the pertaining info. It seems to connect and get an IP address endpoint (“remote address”) from the VPN provider.

When I try to use the Tools->Ping, and select the VPN interface the ping responds just fine. I can see the ping traffic going out/in via the “Traffic” tab on the PPTP Client.

However, when I try to browse a webpage (I used “whatsmyip.com” as my test mule in the Layer7 RegEx) the (Firefox) web browser just shows “Performing a TLS handshake to whatsmyip.com…” and eventually times out and displays an error.

I see a connection made to the host I’m trying to reach in the connections tab of the Firewall section. If I run Torch on the VPN interface I see a source IP of the remote web server on port 443, and a destination IP of my public ISP-Assigned IP. For some odd reason I feel like the NAT isn’t working right with the return response, but I could be very wrong.

In the following configs, my LAN is 10.2.0.0/24, and my Internet ISP WAN is 98.229.234.93 (DHCP Assigned).

Configs:

[admin@CCR1009] > /interface pptp-client print
Flags: X - disabled, R - running 
 0  R ;;; INTERNET (Protected VPN)
      name="IPVanish-VPN" max-mtu=1396 max-mru=1396 mrru=disabled 
      connect-to=nyc-a10.ipvanish.com user="xxxxxxxxxxxxxx" 
      password="yyyyyyyyyyyyy" profile=IPVanish keepalive-timeout=600 
      add-default-route=no dial-on-demand=yes allow=pap,chap,mschap1,mschap2



[admin@CCR1009] > /ppp profile print
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default 
     use-encryption=default only-one=default change-tcp-mss=yes 
     use-upnp=default address-list="" on-up="" on-down="" 

 1   name="IPVanish" use-mpls=default use-compression=default use-encryption=yes 
     only-one=yes change-tcp-mss=yes use-upnp=default address-list="" on-up="" 
     on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default 
     use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default 
     address-list="" on-up="" on-down=""



[admin@CCR1009] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          IPVanish-VPN              1
 1 ADS  0.0.0.0/0                          98.229.232.1              1
 2 ADC  10.2.0.0/24        10.2.0.1        BRIDGE-LAN                0
 3 ADC  10.112.112.238/32  172.20.0.7      IPVanish-VPN              0
 4 ADC  98.229.232.0/21    98.229.234.93   wan-sfp1                  0



[admin@CCR1009] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Routing Mark for IPVanish (Secure VPN Web Service) - Dest URL
      chain=prerouting action=mark-routing new-routing-mark=IPVanish 
      passthrough=yes connection-nat-state="" 
      layer7-protocol=IPVanish_Destination log=yes log-prefix="IPVMark" 

 1    chain=prerouting action=mark-connection new-connection-mark=IPV_CONN 
      passthrough=no routing-mark=IPVanish log=no

(I add the connection mark simply to be able to see it easily in the Connections tab)

[admin@CCR1009] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade routing-mark=IPVanish 
      out-interface=IPVanish-VPN log=yes log-prefix="IPVanish" 

 1    chain=srcnat action=masquerade src-address=10.2.0.0/24 
      out-interface=wan-sfp1 log=no log-prefix="" 

 2    chain=srcnat action=masquerade src-address=10.2.0.0/24 
      out-interface=BRIDGE-LAN log=no log-prefix=""

I read elsewhere someone added these, so I tried them (it didn’t seem to help):

[admin@CCR1009] > /ip route rule print
Flags: X - disabled, I - inactive 
 0   routing-mark=IPVanish action=lookup table=IPVanish 

 1   action=lookup table=main

Any help that’s provided is extremely appreciated. I’ve truly tried to puzzle this one out as much as I could before asking the community.

I wanted to add a few WinBox screenshots to see if that helps explain anything. I hope Imgur keeps these up long enough to assist:

PPTP Client when connected:

Firewall → Connections → Details:

Browser behavior (likely not helpful, but for the sake of brevity):

I forgot to mention I disabled my DHCP “Use peer DNS” option, and manually specified the public-domain Google DNS servers (8.8.8.8 / 8.8.4.4) in my DNS setup in the following order:

10.2.0.2 - Windows Server Domain Controller
75.75.75.75 - Cable Broadband ISP DNS Primary
75.75.76.76 - Cable Broadband ISP DNS Secondary
8.8.8.8 - Google Public DNS Primary
8.8.4.4 - Google Public DNS Secondary

Allow Remote Requests is enabled.

Just in case there was some issue with my ISP blocking my DNS requests that are related to the VPN tunnel. Not likely but still wanted to cover it.

I also decided to Wireshark one of my Windows client PCs to see if I could find out why the SSL connection is failing.

http://imgur.com/a/bMTsK

As seen in the above screenshot, you can see my local Windows client (10.2.0.107) contacting the remote web server (46.4.175.45), beginning a TLS handshake, and then immediately going into keep-alive starvation mode and ultimately being sent a reset. This behavior is repeated over and over by the web browser. No further TLS data is ever seen.

http://imgur.com/a/Yi9Ar

This second screen shot is what I get if I disable the PPTP Client Interface and thus direct that same request over my regular Cable ISP network. You can see that the “Server Hello” is now present and the handshake and resulting data exchange runs just fine.

I’m really at a loss to understand what is going on here.

Everything seems to make perfect sense from a configuration standpoint, and the only items I’m unsure of are:

  • Why RouterOS assigns a 172.20.0.6 address to my “Local Address” in the PPTP Interface.
  • Why the 209.197.30.164 “Remote Address” in the PPTP interface (after connecting) is not mentioned at all in IP->Address List, IP->Route List, or really anywhere.
  • Why the dynamic “172.20.0.6” Address in IP->Address List has a network of “10.112.113.10”
  • Why then, does the IP → Route List have a dynamic entry Dst. Address “10.112.113.10” with a pref. source of “172.20.0.6”, yet no apparent route from my 10.2.0.0 to the PPTP Interface unless I explicitly add one?

I don’t know where else to reach for support on this one. I’m getting desperate.

Well, I tried swapping over to L2TP with IPSec, and it connects and does the same jazz except now the browser SSL connection works on ONE client only, everything else fails.

There’s still something extremely odd about this setup and I can’t figure it out.

Hi all, I wonder if someone could maybe help me with my PPTP connection issues. I have a 951G with three gateways: 1 for VoIP, 1 for all outgoing to the internet, and a last one that is used for incoming VPN PPTP connections. VoIP and internet work fine with my normal routing, but the VPN doesn’t want to connect. When I torch the interface I see PPTP connections coming in but not establishing. Only when I change my default route to route over that gateway do the PPTP connections establish. Please help.

e.g.
ether1: internet
ether2: VoIP
ether3: incoming PPTP

I finally received a response from IPVanish VPN support regarding setup for a RouterOS device. I want to include it verbatim on this post for others trying to use their service to know what their official advice is. These are all steps I had set up correctly already, so this doesn’t assist with my issue. I think I’ve got a ROS configuration issue, but am out of ideas as to what it could be. Hoping one of the networking gurus sees this thread and can offer a few minutes to respond.

When creating a PPTP VPN connection, make sure to enter the following data in the correct fields:

  • Name: Can be anything, but if creating multiple connections it makes sense to name them like “IPVanish PPTP”
  • Connect To: One of our server addresses from the list here (https://account.ipvanish.com/index.php?t=IP%20List)
  • Max MTU + Max MRU: Set to 1400
  • User: Your IPVanish account username
  • Password: Your password.
  • Check “Dial On Demand” to ensure that the connection is being dialed when needed but disconnected.
  • Check “Add Default Route” to ensure correct traffic routing.
  • Allow: Leave all authentication methods checked, as it should be by default already.
  • Leave the “Enabled” checkbox unchecked; we still have a few more steps to complete.
  • Click on “OK”.

Now go to “IP” tab and select “Firewall” and “NAT”.

  • In “Chain”, select “srcnat”, and check the “Enabled” checkbox.
  • In “Out. Interface”, select the name of the PPTP VPN connection you just created and check its checkbox.
  • In “Action”, select “Masquerade”.
  • Click “OK”.

Go the “Mangle” tab now, select “Add new”.

  • In “Chain”, select “prerouting”.
  • In “Src. Address”, enter the IP range you want to have routed through the VPN connection. To route all IPs in the Mikrotik router’s subnet (assuming the router is 192.168.88.1), enter “192.168.88.2-192.168.88.254”. Check the checkbox next to this field.
  • In “Action”, select “mark routing”.
  • In “New Routing Mark”, here enter any name for the routing mark, e.g. “IPVanish PPTP RM”
  • Click “OK”.

Go to “IP” and then to “Routes” and “Add New”.

  • Dst. Address: has to be “0.0.0.0/0”.
  • Gateway: Here enter the name of the VPN connection you created. (e.g. “IPVanish PPTP”)
  • Routing Mark: select the routing mark you created before. (e.g. “IPVanish PPTP RM”)
  • Click “OK”.

Go to “IP” and then to “DNS”.

  • Select “Static” and now “Settings”
  • Check “Enabled”
  • In the “Servers” fields, enter OpenDNS servers, “198.18.0.1” into one field, and “8.8.8.8” into another.
  • Check “Allow Remote Requests”.
  • Click “OK”.

Now it depends: if you’ve set your gateway router to set the IPs for its connected devices automatically via DHCP, you need to change the DHCP-client settings of the Mikrotik router - otherwise it will override the DNS settings you’ve just set.

If you have set all IPs in your network manually, you can skip this step →

  • Go to “IP” and “DHCP Client”.
  • Doubleclick your dhcp entry and then uncheck “Use Peer DNS”.
  • Now click “OK.”

That’s it, we are finished, now we’re going to test the PPTP connection.

  • Go back to “PPP” and doubleclick your PPTP connection.
  • Check the “Enabled” checkbox and click on “Apply”.
  • Above at “Status:” you’ll see the connection status, which should be → Dialing, Authenticating, Connected
  • Below at “Uptime” you can check how long the connection is active and if it is stable.

I made some progress today.

I swapped to a DOCSIS 3.1 cable modem and my ISP has enabled a “gigabit” plan (1G down / 35M up) that alerted me to the fact that my queue tree setup was dropping some serious packets. No matter what I tried to do I could not prevent it from dropping packets. So I disabled the whole freakin’ thing. My BTest straight from my CCR to the Planetcoop public server shows 979M down and 43M up. But a browser test using the ISP’s site shows a dismal 300-400Mbps download and 40Mbps upload… so I think my CCR config is really eating my bandwidth for lunch now, even with the queues disabled entirely…

BUT THE GOOD NEWS is that the VPN connection is working flawlessly now! So now I have to puzzle out why my router (never going above 9% CPU usage) is chewing up so much bandwidth…

I intend to try the Windows version of the btest app when I’m allowed to again (Planetcoop has a 2 hour timeout or something. No complaints, it’s free!!) So we will see what apples-to-apples shows me.

Moral of the story is queue trees are bad news for those of us who can’t figure out the calculus maths required on the wiki page to understand them…

I love these routers to death but the lack of any real support is exasperating sometimes!!!

IMHO this can’t ever work reliably, except for some special cases. Whole TCP is out, because anything useful you can find using L7 will only be in subsequent packets, and once the first SYN comes out one way, you can no longer redirect the rest. You can succeed with UDP packets, as long as all of them can be matched by L7.

I have since realized that address lists can now contain host names and get resolved dynamically… so I’ve swapped off the L7 in this case for performance sake.
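Pulling the IPVanish procedure quoted above and the two follow-ups on L7 versus address lists together, here is a complete RouterOS 6.x policy-routing configuration for the setup discussed in this thread. It is an added example, not configuration from the original posts or from IPVanish. The interface names wan-sfp1 and IPVanish-VPN and the LAN 10.2.0.0/24 are taken from the thread; the list name VPN_DST, the mark names IPV_CONN and IPVanish, the placeholder credentials and the 203.0.113.0/24 range (a documentation prefix standing in for a game-server range) are assumptions. The connection is marked on its first packet from an address list, so the TCP SYN already takes the tunnel, and the marked table fails closed when the tunnel is down instead of falling back to the WAN.

```routeros
# Added example (not from the original post or from IPVanish): policy-route a
# chosen set of destinations through a PPTP client on RouterOS 6.x while all
# other traffic uses the WAN. wan-sfp1, IPVanish-VPN and 10.2.0.0/24 follow the
# thread; VPN_DST, IPV_CONN, IPVanish, REPLACE_ME and 203.0.113.0/24 are assumed.

# 1. Destinations to tunnel. Since 6.37 an address-list entry may be a hostname;
#    the router resolves it through its own DNS and keeps it updated, so the very
#    first packet of a connection (the TCP SYN) can be matched. A layer7 match
#    cannot do that: it needs payload, by which time the SYN has left via the WAN.
/ip firewall address-list
add list=VPN_DST address=whatsmyip.com comment="resolved dynamically by the router"
add list=VPN_DST address=203.0.113.0/24 comment="assumed game-server range"

# 2. PPTP client. No default route; traffic is steered by routing mark.
#    default-encryption keeps use-encryption=yes and change-tcp-mss=yes, which
#    clamps TCP MSS to fit the 1396-byte tunnel MTU (an unclamped MSS shows up
#    as a TLS handshake whose Server Hello never arrives).
/interface pptp-client
add name=IPVanish-VPN connect-to=nyc-a10.ipvanish.com user=REPLACE_ME \
    password=REPLACE_ME profile=default-encryption add-default-route=no \
    max-mtu=1396 max-mru=1396 disabled=no

# 3. Mark the connection once, on its first packet, then give every packet of
#    that connection the routing mark. Restricting to the LAN source keeps the
#    router's own traffic (including the PPTP control channel) out of the mark.
/ip firewall mangle
add chain=prerouting src-address=10.2.0.0/24 dst-address-list=VPN_DST \
    connection-mark=no-mark action=mark-connection new-connection-mark=IPV_CONN \
    passthrough=yes comment="new connection to a tunnelled destination"
add chain=prerouting src-address=10.2.0.0/24 connection-mark=IPV_CONN \
    action=mark-routing new-routing-mark=IPVanish passthrough=no \
    comment="all packets of a marked connection use table IPVanish"

# 4. Routes for the marked table. In 6.x a marked packet that finds no active
#    route in its table falls back to main, i.e. out the WAN in the clear. The
#    blackhole at distance 2 makes the policy fail closed while the tunnel is
#    down. No /ip route rule entries are needed for routing-mark lookups.
/ip route
add dst-address=0.0.0.0/0 gateway=IPVanish-VPN routing-mark=IPVanish distance=1 \
    comment="tunnelled destinations"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=IPVanish distance=2 \
    comment="fail closed: drop instead of leaking via WAN when the tunnel is down"

# 5. Source NAT. Matching on out-interface is sufficient. The tunnel rule
#    rewrites the LAN source to the PPTP client's local address so replies
#    return through the tunnel rather than to the ISP-assigned address.
/ip firewall nat
add chain=srcnat out-interface=IPVanish-VPN action=masquerade comment="LAN -> tunnel"
add chain=srcnat out-interface=wan-sfp1 src-address=10.2.0.0/24 action=masquerade \
    comment="LAN -> ISP"

# 6. Checks: a test connection should carry IPV_CONN from its first packet, and
#    the marked table should show the tunnel route active (A flag) with the
#    blackhole inactive while the client is connected.
/ip firewall connection print where connection-mark=IPV_CONN
/ip route print where routing-mark=IPVanish
```

Two things to watch when using this. First, the address list is resolved by the router's own DNS, so LAN clients must get the same answers: point them (or, in the setup above, the 10.2.0.2 domain controller's forwarder) at the router with Allow Remote Requests enabled, otherwise a CDN-hosted name may resolve to an address that is not in the list and the connection silently takes the WAN. Second, the mangle, route and NAT stanzas apply unchanged to an /interface l2tp-client, which the original poster later tried; that is the better choice, since PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be cryptographically weak.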

I know it’s been like 3 years since the original post. Can you please share your configuration for IPVanish? My PPTP/L2TP client is working. However, the issue emerges when I enable “add default route”. If I add a static route which uses a routing mark, it just doesn’t work.