OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version openwrt-18.06
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Bill - 24.08.2018
Last edited by Koen Vandeputte - 05.10.2018

FS#1809 - 18.06.1 pptp not working. System log spammed with Protocol-Reject for unsupported protocol

BT Home Hub 5A (Lantiq)
OpenWRT 18.06.1
WAN port configured with static IP and wired to existing LAN.

Packages:
ppp-mod-pptp
kmod-nf-nathelper-extra
luci-proto-ppp

pptp won’t work on 18.06.1 without this fix:
https://bugs.openwrt.org/index.php?do=details&task_id=1646&order=id&sort=desc&order2=severity&sort2=desc

i.e. install:
kmod-ipt-raw

Following added to /etc/firewall/user
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp


Same symptoms with two different VPN providers.

Hub connects to VPN provider. Acquires working IP.
I can visit whatismyipaddress.com to verify VPN is working.
I may then be able to browse to another website for a few seconds or a minute or two before VPN stops working.

Example of system log at time the VPN fails.

Fri Aug 24 06:34:03 2018 daemon.notice netifd: Interface 'VPN' is setting up now
Fri Aug 24 06:34:04 2018 daemon.info pppd[2442]: Plugin pptp.so loaded.
Fri Aug 24 06:34:04 2018 daemon.info pppd[2442]: PPTP plugin version 1.00
Fri Aug 24 06:34:04 2018 daemon.notice pppd[2442]: pppd 2.4.7 started by root, uid 0
Fri Aug 24 06:34:05 2018 kern.info kernel: [  108.753519] pptp-VPN: renamed from ppp0
Fri Aug 24 06:34:05 2018 daemon.info pppd[2442]: Using interface pptp-VPN
Fri Aug 24 06:34:05 2018 daemon.notice pppd[2442]: Connect: pptp-VPN <--> pptp (*** removed ***)
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: CHAP authentication succeeded
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: MPPE 128-bit stateless compression enabled
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: local  IP address 10.220.0.6
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: remote IP address 10.220.0.1
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: primary   DNS address 10.220.0.1
Fri Aug 24 06:34:06 2018 daemon.notice pppd[2442]: secondary DNS address 10.220.0.1
Fri Aug 24 06:34:06 2018 daemon.notice netifd: Network device 'pptp-VPN' link is up
Fri Aug 24 06:34:06 2018 daemon.notice netifd: Interface 'VPN' is now up

Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: reading /tmp/resolv.conf.auto
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain test
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain onion
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain localhost
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain local
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain invalid
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain bind
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using local addresses only for domain lan

Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using nameserver 10.220.0.1#53
Fri Aug 24 06:34:06 2018 daemon.info dnsmasq[1925]: using nameserver 8.8.8.8#53
Fri Aug 24 06:34:06 2018 user.notice firewall: Reloading firewall due to ifup of VPN (pptp-VPN)
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x2efb
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xa0bb
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xe9
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x9c89
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x9046
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xd
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x8b
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 'IP6 Header Compression' (0x4f)
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xd851
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xc4ee
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x17
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x34cf
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 'IP6 Header Compression' (0x4f)
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xad
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x47
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0x1441
Fri Aug 24 06:34:24 2018 daemon.warn pppd[2442]: Protocol-Reject for unsupported protocol 0xfec8

(If I use LEDE 17.01.4 without the kmod-ipt-raw and iptables fix, pptp vpn works fine)

Closed by  Koen Vandeputte
05.10.2018 07:42
Reason for closing:  Fixed
Additional comments about closing:  

Reporter mentions it's fixed

Paul Oranje commented on 24.08.2018 16:56

Did you install/load kmod-gre and kmod-mppe?
Maybe also the GRE protocol (47) needs to be explicitly allowed in the firewall.
Also see https://openwrt.org/docs/guide-user/services/vpn/client.pptp

Apart from the issue, why not use another tunnelling protocol, as PPTP is not a very good and safe one (in terms of security, MPPE and MSCHAP aren't top notch)? Does your VPN provider only offer that protocol?

Bill commented on 25.08.2018 05:48

kmod-gre and kmod-mppe are present.

HH5a is configured as per openwrt wiki.

Security is not important for streaming application. PPTP offers faster speeds than OpenVPN which is reason for looking at it.

I also tried 18.06.0-rc1 and encountered same behaviour, though system log did throw up an extra PPP: VJ uncompressed error message.

Sat Aug 25 05:08:06 2018 daemon.info dnsmasq-dhcp[1849]: DHCPREQUEST(br-lan) 192.168.111.222 00:24:e8:f6:2e:08
Sat Aug 25 05:08:06 2018 daemon.info dnsmasq-dhcp[1849]: DHCPACK(br-lan) 192.168.111.222 00:24:e8:f6:2e:08 PC
Sat Aug 25 05:08:19 2018 daemon.err uhttpd[1271]: luci: accepted login on / for root from 192.168.111.222

Sat Aug 25 05:09:06 2018 kern.err kernel: [   99.774890] pptp-VPN: PPP: VJ uncompressed error

Sat Aug 25 05:09:06 2018 daemon.warn pppd[2020]: Protocol-Reject for unsupported protocol 0x9e98
Sat Aug 25 05:09:06 2018 daemon.warn pppd[2020]: Protocol-Reject for unsupported protocol 0x4445
Sat Aug 25 05:09:06 2018 daemon.warn pppd[2020]: Protocol-Reject for unsupported protocol 0xc1
Sat Aug 25 05:09:06 2018 daemon.warn pppd[2020]: Protocol-Reject for unsupported protocol 0x7475
Sat Aug 25 05:09:06 2018 daemon.warn pppd[2020]: Protocol-Reject for unsupported protocol 0x4c2f

Adding noVJ to /etc/ppp/options.pptp did not solve original problem.

I'll see if I can get hold of a different model of router to see if I can replicate the above behaviour.

In the meantime, PPTP client appears to be unstable in 18.06 on BT Home Hub 5A.

flfq commented on 28.08.2018 19:30

R6100
R6250
openwrt 18.6.1

ADD
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

but it does not work

flfq commented on 28.08.2018 19:37

I am all ok
please kiss me

firewall add
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

and
opkg update
opkg list |grep kmod-crypto |awk '{print $1}' |xargs opkg install

this install all crypto

flfq commented on 28.08.2018 19:39

and reboot !

ThomasCr commented on 01.09.2018 01:44

I think you don't need a NAT helper for your OUTGOING packages (they are not using NAT at this place....) - but maybe I am wrong - and for routed (aka NAT) packages they get applied automatically (see iptables -L -vn -t raw)

but lucky that you found the problem.

Bill commented on 17.09.2018 18:55

I tried installing PPTP client again on 18.06.1 on HH5A

I also added all the crypto packages

opkg update
opkg list |grep kmod-crypto |awk '{print $1}' |xargs opkg install

Unfortunately, it does not fix the problem for HH5A.

Bill commented on 17.09.2018 18:59

I forgot to add, one difference from 3 weeks ago, is the system log is no longer spammed with "Protocol-Reject" messages causing log to overfill.

Instead, there is just one single "Protocol-Reject" message in the system log. I can only speculate this change in behaviour is as a result of installing all the crypto packages.
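
Added example, not part of the original report or of any commenter's post: a preflight check for the pieces this thread names (the packages and the raw-table CT helper rule). The function names and the sample data are constructed for illustration; on a router the two inputs come from opkg list-installed and iptables-save -t raw.

```sh
#!/bin/sh
# Added example: preflight for the PPTP client setup discussed in this thread.
# On a router: pptp_preflight "$(opkg list-installed)" "$(iptables-save -t raw)"

# Packages named in the report and comments (luci-proto-ppp is UI only, so it is skipped).
PPTP_PKGS="ppp-mod-pptp kmod-nf-nathelper-extra kmod-ipt-raw kmod-gre kmod-mppe"

# Print each required package that is absent from `opkg list-installed` output ($1).
missing_pkgs() {
    for pkg in $PPTP_PKGS; do
        printf '%s\n' "$1" | grep -q "^$pkg - " || printf '%s\n' "$pkg"
    done
}

# Succeed if `iptables-save -t raw` output ($1) contains the CT helper rule from the report.
has_pptp_helper_rule() {
    printf '%s\n' "$1" | awk '
        /^-A OUTPUT / && /-p tcp/ && /--dport 1723( |$)/ && /-j CT/ && /--helper pptp( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Report every gap found; return 0 only when nothing is missing.
pptp_preflight() {
    rc=0
    missing=$(missing_pkgs "$1")
    if [ -n "$missing" ]; then
        echo "missing packages:" $missing
        rc=1
    fi
    if ! has_pptp_helper_rule "$2"; then
        echo "raw table has no CT --helper pptp rule for tcp/1723"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (versions are made up; kmod-ipt-raw deliberately left out).
SAMPLE_PKGS='kmod-gre - 4.14.63-1
kmod-mppe - 4.14.63-1
kmod-nf-nathelper-extra - 4.14.63-1
ppp-mod-pptp - 2.4.7-12'
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT'

pptp_preflight "$SAMPLE_PKGS" "$SAMPLE_RAW" || true
```

The check only confirms that the prerequisites mentioned in the thread are present; it does not establish that they are sufficient on a given device.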
