Topic: Chillispot and VPN

Can anyone tell me of any reason why clients using my Chillispot server are not able to make a vpn connection back to their own offices?

I have installed a chilli server on my corporate network to allow guests to connect to the internet without accessing my corporate LAN.  My config is essentially the out of the box version running on Fedora Core4, with the only difference being that I am using an external FreeRADIUS server.

My wireless clients connect, get a 192.168.182.X IP assignment and are allowed to connect to the internet. They are not able to make a VPN connection back to their own networks, however.

tia.

Re: Chillispot and VPN

My problem is similar: the clients using my Chillispot server can make all connections (http, ftp, etc.) but are not able to make a VPN (PPTP) connection.

Using the Chillispot server as a router (with no Chillispot running and a fixed IP assigned to the interface connected to the AP), the users can connect to the VPN server.

Any idea?

Thanks

Re: Chillispot and VPN

Hello,


PPTP-type VPNs use TCP port 1723 to the server.
Protocol 47 (GRE) should also be allowed.

This is a firewall issue of the linux box which hosts Chillispot... but it is not an issue of Chillispot.

Hope this helps,


mson77

Re: Chillispot and VPN

Thanks for the pointers.


tp

Re: Chillispot and VPN

Any help for support pptp in chilli.iptables ?



Thanks

Re: Chillispot and VPN

Hi,

I don't have chilli.iptables here (where is the code?).

Post the scripts here and maybe I should be able to help you.

Regards,



mson77

Re: Chillispot and VPN

This is the code in the chillispot-1.1.0.tar file


#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE




Many thanks for your help

Re: Chillispot and VPN

I don't have an environment here to test it now.
But I understand that chillispot creates a virtual interface called "tun0", through which all client traffic comes in.

And on the iptables rule that you showed... "tun0" is not considered.

Maybe you should apply an ACCEPT on INPUT/FORWARD when interface is tun0.

$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 -j ACCEPT


Regards,
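Picking up mson77's two pointers (TCP/1723 plus GRE protocol 47, and the tun0 interface that the chilli.iptables script never mentions), here is an added example; it is not code from the ChilliSpot tarball nor from anyone in this thread. It assumes the tarball script's interface layout (eth0 carrying the MASQUERADE), ChilliSpot's tun0, and the nf_conntrack_pptp / nf_nat_pptp helper module names of current kernels; the CT --helper rule applies to kernels from 4.7 on. It prints the commands by default, and includes a small audit that reads an iptables-save dump and flags the FORWARD drops that would stop GRE.

```shell
#!/bin/sh
# Added example for this thread; not part of chillispot-1.1.0's
# chilli.iptables nor any poster's script. Assumes that script's layout
# (EXTIF=eth0 with MASQUERADE) plus ChilliSpot's tun0 tunnel interface.
#
# PPTP needs two flows through the box: TCP/1723 (control channel) and
# IP protocol 47 (GRE, the data channel). GRE has no port numbers, so a
# MASQUERADEing box also needs the kernel's PPTP/GRE connection-tracking
# helper to map returning GRE packets to the right guest client.

IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
EXTIF="${EXTIF:-eth0}"
TUNIF="${TUNIF:-tun0}"      # interface ChilliSpot creates for client traffic
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands for review, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Helper modules (names from current kernels; early 2.6 kernels called them
# ip_conntrack_pptp / ip_nat_pptp). Without them NAT cannot follow GRE.
load_pptp_helpers() {
    run "$MODPROBE" nf_conntrack_pptp
    run "$MODPROBE" nf_nat_pptp
}

# Forward rules scoped to tunnel <-> external interface only, so guests
# still cannot reach the access-point LAN on INTIF. They are required once
# the FORWARD policy is tightened to DROP; with the tarball's FORWARD ACCEPT
# policy they simply document what PPTP needs.
pptp_passthrough_rules() {
    run "$IPTABLES" -A FORWARD -i "$TUNIF" -o "$EXTIF" -p tcp --dport 1723 --syn -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$TUNIF" -o "$EXTIF" -p 47 -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$TUNIF" -p 47 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Kernels since 4.7 do not attach conntrack helpers automatically;
    # bind the control connection to the pptp helper explicitly.
    run "$IPTABLES" -t raw -A PREROUTING -i "$TUNIF" -p tcp --dport 1723 \
        -j CT --helper pptp
}

# Read an iptables-save dump on stdin and report settings that stop PPTP
# from TUNIF. Returns 1 when a finding was printed, 0 when the dump is clean.
audit_ruleset() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ":FORWARD DROP"*)
                echo "FORWARD policy is DROP: needs explicit tcp/1723 and proto 47 accepts"
                findings=1 ;;
            "-A FORWARD -i $TUNIF -j DROP"|"-A FORWARD -i $TUNIF -j REJECT"*)
                echo "all forwarding from $TUNIF is blocked: $line"
                findings=1 ;;
            "-A FORWARD -o $TUNIF -j DROP"|"-A FORWARD -o $TUNIF -j REJECT"*)
                echo "all forwarding to $TUNIF is blocked (no GRE replies): $line"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample dumps (not captured from a real box). The first mirrors
# the tarball's FORWARD rules, where tun0 is never dropped; the second adds
# the drop that silently kills GRE.
CHILLI_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j DROP
-A FORWARD -o eth1 -j DROP
COMMIT'
BLOCKING_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j DROP
-A FORWARD -o eth1 -j DROP
-A FORWARD -i tun0 -j DROP
COMMIT'

# Usage: sh pptp-passthrough.sh show   (DRY_RUN=0 to apply)
#        iptables-save | sh pptp-passthrough.sh audit
case "${1:-}" in
    show)  load_pptp_helpers; pptp_passthrough_rules ;;
    audit) audit_ruleset ;;
esac
```

Run with `show` to review the commands and `DRY_RUN=0 ... show` to apply them; pipe `iptables-save` into `audit` to check a live box. Note that the tarball's ruleset passes the audit (FORWARD policy ACCEPT, only eth1 dropped), which is consistent with the thread: when the filter rules are not the blocker, the remaining suspects are NAT of GRE without the helper modules and the double NAT that jonallport describes.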

Re: Chillispot and VPN

I think this suggestion of allowing tun0 input and forward is not working.

Any more suggestions?

(edited by jonallport 2009-05-19 10:31:08)

Re: Chillispot and VPN

I have seen this problem where the chillispot is on a private (NAT'd) network and is NAT'ing (the default); the VPN/GRE packets are 'too' encapsulated!

GRE[NAT[GRE[NAT[PAYLOAD]]]], sort of thing; this second layer of NAT/GRE sticks a spanner in the works. Is this the case for you?