I have a home server running Archlinux (ITXBox), which, among other things, is acting as a router for my home network, including firewall. Up until yesterday, I was able to establish a pptp VPN connection between any machine on my network and an external server. In order for this to work, I had to add the following to ITXBox's "/etc/modules.load.d/pptp-forward.conf":

nf_conntrack_proto_gre
nf_nat_proto_gre
nf_conntrack_pptp
nf_nat_pptp

However, last night, I upgraded the kernel from 4.6.4 to the latest version in Archlinux's repositories - 4.7. This has caused the VPN connections mentioned above to stop working. Reverting back to 4.6.4 fixes the issue.

I did not perform proper regression testing, since I don't currently have enough time for that (I guess it's not "silly season" for everyone), but some quick research indicated this(1) commit could have something to do with it. It was the only thing I found related to GRE traffic. This should be easily reproducible provided the required networking infrastructure is present.

(1) https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e0c20967c8a653d0213238621381e224d8f065fc
I'd just like to add that I did not find any changes to Archlinux's kernel config relevant for breaking this. You can consult these changes here:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=c96df34bef887421b81b39598e4830d26cd1569c
There are a couple of new ipv6 modules added, but I don't think they are relevant to the issue (I could be wrong, though).
I used Gentoo Linux and upgraded from 4.6.3 to 4.7. It also has the pptp pass-through issue.
Another possible cause for the issue is this commit(1), although it's only supposed to deal with GRE under ipv6. It's from the same author and committer as the previously mentioned suspect commit, so no need to add anyone else to the cc list.

(1) https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a80e1facd3c825c5ac804bc2efe118872832e33
Created attachment 228831
Fixes the cleanup of gre module

Would any of you experiencing this bug try the attached patch?
(In reply to Johanna from comment #4)
> Created attachment 228831
> Fixes the cleanup of gre module
>
> Would any of you experiencing this bug try the attached patch?

Sorry, this patch doesn't really make sense, I misread. You don't need to try it.
sysctl net.netfilter.nf_conntrack_helper=1
Thank you @Konstantin. Confirming that adding net.netfilter.nf_conntrack_helper=1 to /etc/sysctl.d/30-pptp_passthrough.conf solves the issue for me. Just out of curiosity: Is this option new to 4.7 or did it exist before and the default value was changed?
> Just out of curiosity: Is this option new to 4.7 or did it exist before and
> the default value was changed?

My testing shows that the default value has been changed. I didn't look in the code, though -- just compared two ELRepo's kernels
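
An added example, not part of the thread or any commenter's code: a POSIX shell check for the two conditions the comments identify on the router, the four helper modules from the original report and the `net.netfilter.nf_conntrack_helper` sysctl. The function name and its `ROOT` argument are hypothetical, and it assumes the helpers are built as loadable modules.

```shell
#!/bin/sh
# Added example: verify the PPTP passthrough prerequisites named in this thread.
# Assumption: helpers are loadable modules and therefore listed in /proc/modules.

# Module names as listed in the original report.
PPTP_MODULES="nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp"

# pptp_passthrough_check [ROOT]
# ROOT (hypothetical parameter) is prepended to the /proc paths so the check
# can be run against a constructed tree. Prints one line per finding and
# returns 0 when everything is in place, 1 otherwise.
pptp_passthrough_check() {
    root="${1:-}"
    modules_file="$root/proc/modules"
    helper_file="$root/proc/sys/net/netfilter/nf_conntrack_helper"
    status=0

    for mod in $PPTP_MODULES; do
        # In /proc/modules the module name is the first whitespace-separated field.
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
                "$modules_file" 2>/dev/null; then
            echo "MISSING module $mod"
            status=1
        fi
    done

    if [ ! -r "$helper_file" ]; then
        # The file is absent when connection tracking is not loaded at all.
        echo "MISSING sysctl net.netfilter.nf_conntrack_helper"
        status=1
    elif [ "$(cat "$helper_file")" != "1" ]; then
        # 0 is the value the thread reports as the new default on 4.7.
        echo "DISABLED net.netfilter.nf_conntrack_helper=$(cat "$helper_file")"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK"
    return "$status"
}

# On the router: source this file, then run `pptp_passthrough_check`.
```

Setting the sysctl to 1 turns automatic helper assignment back on for every loaded conntrack helper, not only PPTP. The per-flow alternative is an explicit rule in the raw table, for example `iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp`.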