Unable to connect to PPTP VPN with ufw enabled on Ubuntu 14.04 with kernel 3.18

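My VPN suddenly disconnected and I could no longer reconnect on kernel 3.18.1, so I tried installing kernel 3.18.2, but my problem persists. However, I can easily connect to the VPN with kernel 3.14.

Output of syslog: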

 Jan 11 17:43:51 DEMON NetworkManager[7443]:  Starting VPN service 'pptp'...
 Jan 11 17:43:51 DEMON NetworkManager[7443]:  VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 8741
 Jan 11 17:43:51 DEMON NetworkManager[7443]:  VPN service 'pptp' appeared; activating connections
 Jan 11 17:43:51 DEMON NetworkManager[7443]:  VPN plugin state changed: starting (3)
 Jan 11 17:43:51 DEMON NetworkManager[7443]:  VPN connection 'VPN connection 1' (Connect) reply received.
 Jan 11 17:43:51 DEMON pppd[8742]: Plugin /usr/lib/pppd/2.4.5/nm-pptp-pppd-plugin.so loaded.
 Jan 11 17:43:51 DEMON pppd[8742]: pppd 2.4.5 started by root, uid 0
 Jan 11 17:43:51 DEMON pppd[8742]: Using interface ppp0
 Jan 11 17:43:51 DEMON pppd[8742]: Connect: ppp0  /dev/pts/25
 Jan 11 17:43:51 DEMON pptp[8747]: nm-pptp-service-8741 log[main:pptp.c:314]: The synchronous pptp option is NOT activated
 Jan 11 17:43:51 DEMON NetworkManager[7443]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
 Jan 11 17:43:51 DEMON NetworkManager[7443]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
 Jan 11 17:43:51 DEMON NetworkManager[7443]:  /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
 Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
 Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
 Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
 Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
 Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
 Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 37038).
 Jan 11 17:43:53 DEMON vnstatd[1509]: Interface "ppp0" enabled.
 Jan 11 17:43:55 DEMON kernel: [ 921.480993] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=64925 PROTO=47
 Jan 11 17:43:55 DEMON kernel: [ 922.096723] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=64926 PROTO=47
 Jan 11 17:43:57 DEMON kernel: [ 923.911774] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=64927 PROTO=47
 Jan 11 17:44:16 DEMON kernel: [ 943.116984] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=64937 PROTO=47
 Jan 11 17:44:22 DEMON pppd[8742]: LCP: timeout sending Config-Requests
 Jan 11 17:44:22 DEMON pppd[8742]: Connection terminated.
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  VPN plugin failed: 1
 Jan 11 17:44:22 DEMON NetworkManager[7443]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
 Jan 11 17:44:22 DEMON pppd[8742]: Modem hangup
 Jan 11 17:44:22 DEMON pptp[8747]: nm-pptp-service-8741 warn[decaps_hdlc:pptp_gre.c:204]: short read (-1): Input/output error
 Jan 11 17:44:22 DEMON pptp[8747]: nm-pptp-service-8741 warn[decaps_hdlc:pptp_gre.c:216]: pppd may have shutdown, see pppd log
 Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
 Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
 Jan 11 17:44:22 DEMON pppd[8742]: Exit.
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  VPN plugin failed: 1
 Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  VPN plugin failed: 1
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  VPN plugin state changed: stopped (6)
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  VPN plugin state change reason: 0
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  Policy set '4r@z31' (wlan0) as default for IPv4 routing and DNS.
 Jan 11 17:44:22 DEMON NetworkManager[7443]:  error disconnecting VPN: Could not process the request because no VPN connection was active.
 Jan 11 17:44:23 DEMON vnstatd[1509]: Interface "ppp0" disabled.
 Jan 11 17:44:28 DEMON NetworkManager[7443]:  VPN service 'pptp' disappeared

UPDATE

My problem was solved by disabling ufw. Can you help me resolve this conflict between the firewall and the VPN?

UPDATE 2

So I tried adding

 -A ufw-before-input -p 47 -j ACCEPT
 -A ufw-before-output -p 47 -j ACCEPT

to /etc/ufw/before.rules, but my problem persists.

This is caused by a change made for security reasons in kernel 3.18 [1]. There are two ways to fix this.

The first approach is to add this rule to the file /etc/ufw/before.rules, before the line # drop INVALID packets ...

 -A ufw-before-input -p 47 -j ACCEPT 

The second approach is to manually load the nf_conntrack_pptp module. You can do this by running

 sudo modprobe nf_conntrack_pptp 

To load this module on every boot on Ubuntu, add it to the file /etc/modules
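
An added example, not part of the original answers: a shell check for the first approach that reports whether the GRE accept rule sits before the "# drop INVALID packets" section of a rules file, and counts [UFW BLOCK] entries with PROTO=47 in a log. The function names and the sample rules and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Sample data is constructed.

# Count kernel log entries where ufw dropped GRE (IP protocol 47) packets.
count_blocked_gre() {
    grep -c '\[UFW BLOCK\].*PROTO=47' "$1" || true
}

# Where does the GRE accept rule sit relative to "# drop INVALID packets"?
#   ok      = accept rule comes before that section (or the section is absent)
#   late    = accept rule exists, but only after that section
#   missing = no accept rule for protocol 47/gre in ufw-before-input
gre_rule_position() {
    awk '
        /^[ \t]*#[ \t]*drop INVALID packets/ { if (!drop) drop = NR }
        /^[ \t]*-A ufw-before-input .*-p (47|gre) .*-j ACCEPT/ { if (!acc) acc = NR }
        END {
            if (!acc) print "missing"
            else if (drop && acc > drop) print "late"
            else print "ok"
        }' "$1"
}

# Constructed inputs: a rules file with the accept rule placed too late,
# and two log lines in the format shown in the question.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
*filter
-A ufw-before-input -i lo -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p 47 -j ACCEPT
COMMIT
EOF
    cat > "$1/syslog" <<'EOF'
Jan 11 17:43:55 host kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=192.0.2.1 DST=198.51.100.15 LEN=55 PROTO=47
Jan 11 17:43:56 host kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=192.0.2.9 DST=198.51.100.15 LEN=40 PROTO=TCP
EOF
}

d=$(mktemp -d)
write_samples "$d"
echo "blocked GRE packets: $(count_blocked_gre "$d/syslog")"
echo "accept rule position: $(gre_rule_position "$d/before.rules")"
rm -rf "$d"
```

To check a real system, call gre_rule_position /etc/ufw/before.rules and count_blocked_gre /var/log/syslog.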

For newer versions of ufw, the solution is:

 sudo ufw allow proto gre from [PPTP gateway IP address]
 sudo systemctl restart ufw

Add nf_conntrack_pptp to /etc/modules-load.d/pptp.conf

One-liner

 echo nf_conntrack_pptp | sudo tee /etc/modules-load.d/pptp.conf 

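Explanation

The accepted answer worked for me, specifically the second suggestion, loading the nf_conntrack_pptp kernel module, rather than modifying my iptables firewall. My laptop firewall is unmodified. A sudo ufw enable with no exceptions is nice and clean. But I didn't like manually editing /etc/modules … future package upgrades might conflict. /etc/modules-load.d/ provides an upgrade-friendly and easier-to-automate way of loading modules.

See also

Is there a ".d" directory for loading modules at boot, as opposed to /etc/modules?

Parting shot: don't use PPTP!

Please try using openvpn.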