From the engine room: PPTP connection tracking issues
by Michael Tremer, April 28, 2016

Today I would like to share a short story with you about a bug that was introduced in the last Core Update. The bug was that, when a PPTP server was hosted behind IPFire, the connection could not be fully established. Here is why that happened, why this bug went all the way into the release, and what happened afterwards…

But before we get into the details, I would like to tell you once again: Stop using PPTP. This protocol is not just a little bit unsafe; it is severely broken. There are at least six known issues with the protocol, and each of them alone is severe enough to break the entire protocol. There is no way to fix it, because the flaws are in the design of the protocol. The only way is to get rid of it and start over with something new. IPFire brings you OpenVPN and other VPN solutions, so maybe have a look at those.
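For anyone who still has to keep a PPTP server reachable through a firewall, the symptom in the first paragraph shows up in the connection tracking table in a recognisable way. The following is an added example, not IPFire's own code or tooling. It assumes the usual PPTP facts: the control channel is TCP port 1723, the tunnel payload travels in GRE (IP protocol 47), and on Linux the nf_conntrack_pptp helper watches the control channel and sets up the GRE flow so that it can pass the firewall and be NATed. Without that GRE entry the client appears to connect but the tunnel never carries traffic. The sample `conntrack -L` output and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not IPFire code): classify the PPTP state seen in a conntrack
# table dump. Assumed facts: PPTP control channel = TCP/1723, tunnel payload =
# GRE (IP protocol 47), and the nf_conntrack_pptp helper is what creates the
# GRE entry once the call is set up. Control channel up + no GRE entry is the
# "connects but never fully establishes" symptom from the post.

# Constructed sample of `conntrack -L` output (documentation address ranges).
# Case 1: control channel ESTABLISHED, no GRE entry (the broken state).
SAMPLE_BROKEN='tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.1 sport=49152 dport=1723 src=192.168.1.20 dst=203.0.113.10 sport=1723 dport=49152 [ASSURED] mark=0 use=1'

# Case 2: the same control channel plus the GRE entry the helper is expected to add.
SAMPLE_OK="$SAMPLE_BROKEN
gre      47 179 src=203.0.113.10 dst=198.51.100.1 srckey=0x0 dstkey=0x4b0 src=192.168.1.20 dst=203.0.113.10 srckey=0x4b0 dstkey=0x0 [ASSURED] mark=0 use=1"

# pptp_check "<conntrack -L output>"
# Prints exactly one of: no-control, control-only, tunnel-tracked.
pptp_check() {
    table="$1"
    # Established control connections towards a PPTP server (dport=1723 in the
    # original direction). `|| true` keeps a zero count from aborting under set -e.
    ctl=$(printf '%s\n' "$table" | grep '^tcp ' | grep 'ESTABLISHED' | grep -c 'dport=1723 ' || true)
    # GRE entries only exist when the PPTP helper tracked the call setup.
    gre=$(printf '%s\n' "$table" | grep -c '^gre ' || true)
    if [ "$ctl" -eq 0 ]; then
        echo no-control       # nothing reached port 1723: check the forwarding rule first
    elif [ "$gre" -eq 0 ]; then
        echo control-only     # the symptom: TCP/1723 is up but no GRE flow was tracked
    else
        echo tunnel-tracked   # control channel and GRE data channel are both tracked
    fi
}

# Run against the two constructed samples. On a firewall with conntrack-tools
# installed, use:  pptp_check "$(conntrack -L 2>/dev/null)"
pptp_check "$SAMPLE_BROKEN"
pptp_check "$SAMPLE_OK"
```

A `control-only` verdict while a client is mid-connection points at the GRE side of the tracking (the helper not being attached to the control connection, or GRE not being allowed through), rather than at the port 1723 rule, which is where most forum reports start looking.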

Core Update 100 was one of those releases that got delayed a few times because of security updates for OpenSSL and glibc that had to be fixed rather urgently. So it was in testing for months. The new connection tracking feature had been available since about September, but only a few developers were running it on their machines. Feedback was, as so often, very rare; that is, there was none at all.

When you don’t hear back, that can mean one of two things: 1) Everything is working fine. 2) Nobody tested.

So which one is it? Our usual metric is to hold the release until a significant number of systems show up in fireinfo with the new version. That allows us to at least be sure that some people installed the release. However, we never know how intensely they tested what is listed in the change log. If there are enough people and there are no complaints after some time, we ship the release.

And that is usually when things take a turn.

The forums are full of bug reports about the most obscure problems, and most of them are not related to the update. They are usually hardware failures, some broken configuration, things that actually never worked but nobody noticed, or issues with some other software. Of course IPFire has bugs. We are unfortunately not able to tackle them all before we ship a release, but we are trying to minimise them as well as we can. This of course needs the help of the community.

There are so many different environments and so many different circumstances that nobody can do the job on their own. I do not need to go into this in depth. You know what I am talking about here…

And this time, apparently none of the testers runs a PPTP server in the local network of an IPFire system.

Or: Maybe some testers are running PPTP servers, but did not install the update on the IPFire system that actually firewalls that server.

However this happened, the bug was not found and the update was shipped.

PPTP is nothing more than a VPN technology. It allows you to connect your employees on the road with the office and lets them check their emails and connect to internal services. If that is not running, work is almost impossible for these people. So it was no surprise that, a day after the release, tons of people reported the bug on the forums. Or sometimes they just complained and included about one line that was supposed to describe the issue.

Until today there is no bug report on the bug tracker. That is the place to go, though. Nobody is crawling through the forums trying to make sense of half a report or a side note in a topic that is actually about something else. If you want to see bugs fixed, you need to help us identify them and provide useful information.

I was made aware of this bug, and that it really is a bug, when someone called me and gave me the chance to log on to that system and actually see what was going on. The bug was fixed 10 minutes after that. It is easy once you actually know what is going wrong.

But when a bug is fixed in the repository and there are tons of topics on the forums about it, that does not really stop the trouble going on there. New topics are still created by people who do not search for the problem. The discussion starts again from the beginning, and nobody looks at what has already been investigated.

I personally do not really mind that because I am not reading the forum that much any more. There is too much noise for my liking and too much repetition of questions that have been answered already and too many questions by people that are too lazy to read the documentation or just use the search.

I just find it disappointing that working together is not possible there. Ten different topics about the same issue get nobody anywhere. Searching for a problem, finding the topic and adding a simple “me too” would help more, because knowing that more than one person is dealing with an issue is valuable information. Adding whatever someone can contribute to finding the core of the problem is also helpful. Everyone can contribute something, I am sure.

I interpret this behaviour as a sign that there is no real interest in getting the problem solved. And if you want to catch the attention of a developer to look into something, that interest is the number one requirement.

This is not only about me being lazy and wanting other people to do my work. I just think that as a community we have to work together to achieve something. And I wish that everyone would see for themselves how they can contribute more and make other people’s lives easier.

Only that way can we solve these small but annoying bugs – and make IPFire better.
