无法在内核3.18的Ubuntu 14.04上启用ufw的情况下连接到PPTP VPN


17

突然VPN断开连接,无法再在内核3.18.1上重新连接,因此我尝试安装内核3.18.2,但是我的问题仍然存在。但是我可以轻松地用3.14内核连接到VPN。

syslog的输出:

Jan 11 17:43:51 DEMON NetworkManager[7443]: <info> Starting VPN service 'pptp'...
Jan 11 17:43:51 DEMON NetworkManager[7443]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 8741
Jan 11 17:43:51 DEMON NetworkManager[7443]: <info> VPN service 'pptp' appeared; activating connections
Jan 11 17:43:51 DEMON NetworkManager[7443]: <info> VPN plugin state changed: starting (3)
Jan 11 17:43:51 DEMON NetworkManager[7443]: <info> VPN connection 'VPN connection 1' (Connect) reply received.
Jan 11 17:43:51 DEMON pppd[8742]: Plugin /usr/lib/pppd/2.4.5/nm-pptp-pppd-plugin.so loaded.
Jan 11 17:43:51 DEMON pppd[8742]: pppd 2.4.5 started by root, uid 0
Jan 11 17:43:51 DEMON pppd[8742]: Using interface ppp0
Jan 11 17:43:51 DEMON pppd[8742]: Connect: ppp0 <--> /dev/pts/25
Jan 11 17:43:51 DEMON pptp[8747]: nm-pptp-service-8741 log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Jan 11 17:43:51 DEMON NetworkManager[7443]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Jan 11 17:43:51 DEMON NetworkManager[7443]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Jan 11 17:43:51 DEMON NetworkManager[7443]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Jan 11 17:43:51 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Jan 11 17:43:52 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 37038).
Jan 11 17:43:53 DEMON vnstatd[1509]: Interface "ppp0" enabled.
Jan 11 17:43:55 DEMON kernel: [  921.480993] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=64925 PROTO=47 
Jan 11 17:43:55 DEMON kernel: [  922.096723] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=64926 PROTO=47 
Jan 11 17:43:57 DEMON kernel: [  923.911774] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=64927 PROTO=47 
Jan 11 17:44:16 DEMON kernel: [  943.116984] [UFW BLOCK] IN=wlan0 OUT= MAC=74:de:2b:02:0b:da:50:1c:bf:61:6f:41:08:00 SRC=192.168.0.1 DST=192.168.74.15 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=64937 PROTO=47 
Jan 11 17:44:22 DEMON pppd[8742]: LCP: timeout sending Config-Requests
Jan 11 17:44:22 DEMON pppd[8742]: Connection terminated.
Jan 11 17:44:22 DEMON NetworkManager[7443]: <warn> VPN plugin failed: 1
Jan 11 17:44:22 DEMON NetworkManager[7443]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Jan 11 17:44:22 DEMON pppd[8742]: Modem hangup
Jan 11 17:44:22 DEMON pptp[8747]: nm-pptp-service-8741 warn[decaps_hdlc:pptp_gre.c:204]: short read (-1): Input/output error
Jan 11 17:44:22 DEMON pptp[8747]: nm-pptp-service-8741 warn[decaps_hdlc:pptp_gre.c:216]: pppd may have shutdown, see pppd log
Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Jan 11 17:44:22 DEMON pppd[8742]: Exit.
Jan 11 17:44:22 DEMON NetworkManager[7443]: <warn> VPN plugin failed: 1
Jan 11 17:44:22 DEMON pptp[8761]: nm-pptp-service-8741 log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
Jan 11 17:44:22 DEMON NetworkManager[7443]: <warn> VPN plugin failed: 1
Jan 11 17:44:22 DEMON NetworkManager[7443]: <info> VPN plugin state changed: stopped (6)
Jan 11 17:44:22 DEMON NetworkManager[7443]: <info> VPN plugin state change reason: 0
Jan 11 17:44:22 DEMON NetworkManager[7443]: <info> Policy set '4r@z31' (wlan0) as default for IPv4 routing and DNS.
Jan 11 17:44:22 DEMON NetworkManager[7443]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jan 11 17:44:23 DEMON vnstatd[1509]: Interface "ppp0" disabled.
Jan 11 17:44:28 DEMON NetworkManager[7443]: <info> VPN service 'pptp' disappeared

更新

通过禁用ufw解决了我的问题,请您帮我解决防火墙和VPN的这种冲突?

更新2

所以我尝试添加

-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT

/etc/ufw/before.rules,但我的问题仍然存在。

Answers:


35

这是由于内核3.18 [1]中出于安全原因的更改而引起的。有两种方法可以解决此问题。

第一种方法是将此规则添加到/etc/ufw/before.rules该行之前的文件中# drop INVALID packets ...

-A ufw-before-input -p 47 -j ACCEPT

第二种方法是手动加载nf_conntrack_pptp模块。您可以通过运行

sudo modprobe nf_conntrack_pptp

要在Ubuntu的每次启动时加载此模块,请将其添加到文件中/etc/modules


2
不要忘记重新启动ufw以重新加载新配置。
RedPixel

1
你救了我的命!!!
艾伦

1
@wwwhizz你的意思是sudo ufw reload?一旦我找到了要添加该规则的文件的正确部分,就可以做到。
NoBugs 2015年

我想知道,如何通过gufw ui完成这种事情?
模糊分析

“ nf_conntrack_pptp”对我来说不起作用,但正如OP所写的那样,它允许proto 47(GRE)。
peterh-恢复莫妮卡

10

对于较新版本的ufw,可以使用以下解决方案:

sudo ufw allow proto gre from [PPTP gateway IP address]
sudo systemctl restart ufw

3
答案应尽可能完整并独立存在-如果您只想在现有答案中添加一些内容,请使用注释。
guntbert

@Draco哇!没有电话侮辱其他用户。并且我们希望所有用户在此谨慎行事。
terdon

我只为将来的访问者提到:此解决方案是完整的,并不打算添加到其他任何解决方案上。
Dzamo Norton

3

添加nf_conntrack_pptp/etc/modules-load.d/pptp.conf

一支班轮

echo nf_conntrack_pptp | sudo tee /etc/modules-load.d/pptp.conf

说明

接受的答案对我有用,尤其是第二个建议-加载nf_conntrack_pptp内核模块-而不是修改我的iptables防火墙。我的笔记本电脑防火墙未经修改。sudo ufw enable无一例外是干净的。但是我不喜欢/etc/modules手工编辑 ...将来的程序包升级可能会有冲突。/etc/modules-load.d/提供了一种升级友好且更易于自动化的方式来加载模块。

也可以看看

与/ etc / modules相对,在引导时是否存在用于加载模块的“ .d”目录?

离别镜头:请勿使用PPTP!

请尝试使用openvpn。

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.