Fix for PPTP VPN access via Telstra Next G/3G wireless internet

Telstra have some of the fastest 3G wireless and some of the best coverage in Australia. Yes, you sure pay for the privilege, but it’s there when you need it and it works. Mostly.

One thing that has been an issue for a lot of my clients is accessing their corporate VPNs via a NextG connection. They can easily establish the NextG connection to the internet and easily bring up the PPTP VPN connection back to their LAN, but no traffic seems to pass over this link.

I’ve done some digging and have discovered that it all seems to be down to the routing tables. Most of my clients have LANs on 10.0.x.0/24 subnets. They’ve been laid out so that none of them overlap, with each client having a block of 10 /24 subnets in case they need multiple sites. For instance, one client may have network addresses in the range 10.0.30.1 – 10.0.30.254 (or 10.0.30.0/24) and another one may have three networks, all linked via dedicated VPN connections, on 10.0.40.0/24, 10.0.41.0/24 and 10.0.42.0/24, and so on.

This is generally all fine: as long as you’re picking addresses from the ranges allocated by RFC 1918, it’s usually all OK.

Enter, from stage left, Telstra. Their NextG dongles exhibit some interesting behaviour. If you’re connected to, say, a wifi LAN that uses a subnet anywhere in the 10/8 subnet, and you establish your NextG connection, then connect to the VPN, it all works as expected.

If, however, you are not connected to a network and you establish a connection to the NextG service, the ppp daemon brings up the connection on ppp0, but it “grabs” the entire 10/8 subnet for itself. If you then go on to establish a VPN to a network that’s also within this address range, you can ping the gateway at the other end, but you can’t ping any addresses on the LAN.

The solution is to delete the route for the 10/8 subnet, and this can either be done manually, or via a script that the pppd daemon automatically calls whenever it establishes a connection.

If you’re wanting to do it manually, here’s a one-liner to execute in the terminal:
sudo /sbin/route delete 10.0.0.0/8

Connect to the Telstra NextG, run the above command and then connect to the VPN and it will work as expected.

If you want a more permanent solution, I have created a fix which you can download and install.
Telstra NextG VPN Fix

What it does is explained in the installer but essentially it puts a couple of scripts in a directory where the pppd daemon will automatically call them. If the ppp connection is identified as a Telstra NextG connection (using the IP address of the gateway, which in my testing has always been 10.64.64.64) then it will fix the routing table for you.

To uninstall, delete /etc/ppp/ip-up and /etc/ppp/ip-down.
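
A sketch of the kind of ip-up hook described above, added here as an example; it is not the script shipped in the installer. It checks that a 10/8 route really is bound to the PPP interface before deleting it. Assumptions: BSD/macOS netstat and route syntax, pppd passing the interface name and peer address as the first and fifth arguments, hypothetical helper names, and a constructed routing-table sample.

```shell
#!/bin/sh
# Added illustration of an /etc/ppp/ip-up hook; not the scripts from the post's installer.
# pppd runs ip-up as root with: <ifname> <tty> <speed> <local-ip> <remote-ip> [ipparam]

NEXTG_GATEWAY="10.64.64.64"            # gateway address reported in the post
ROUTE_BIN="${ROUTE_BIN:-/sbin/route}"  # path used by the post's one-liner

# True when the PPP peer address is the NextG gateway.
is_nextg_link() { [ "$1" = "$NEXTG_GATEWAY" ]; }

# Current IPv4 routing table (BSD/macOS netstat syntax; assumption).
routing_table() { netstat -rn -f inet; }

# Constructed sample of that output, for offline testing only.
constructed_sample_routes() {
    cat <<'EOF'
Destination        Gateway            Flags   Refs   Use   Netif Expire
default            10.64.64.64        UGSc       5     0    ppp0
10                 ppp0               USc        1     0    ppp0
10.64.64.64        10.1.2.3           UH         6     0    ppp0
127                127.0.0.1          UCS        0     0     lo0
EOF
}

# Reads a routing table on stdin; succeeds if a 10/8 route uses interface $1.
has_ten_net_route() {
    awk -v ifn="$1" '
        ($1 == "10" || $1 == "10/8" || $1 == "10.0.0.0/8") {
            for (i = 2; i <= NF; i++) if ($i == ifn) found = 1
        }
        END { exit !found }'
}

# fix_command <ifname> <remote-ip>: print the route command to run, or nothing.
fix_command() {
    is_nextg_link "$2" || return 0
    if routing_table | has_ten_net_route "$1"; then
        echo "$ROUTE_BIN delete 10.0.0.0/8"
    fi
}

# Act only when installed as ip-up, so sourcing or testing changes nothing.
case "$0" in
    */ip-up|ip-up) cmd=$(fix_command "$1" "$5"); [ -z "$cmd" ] || $cmd ;;
esac
```

Because the route is only removed when it is present on the PPP interface, the hook stays silent in the case one commenter hit, where `route delete` reports the network is "not in table".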

14 thoughts on “Fix for PPTP VPN access via Telstra Next G/3G wireless internet”

  1. If you’re running a Unix-like operating system, something like the route command provided should sort you out:

    sudo /sbin/route delete 10.0.0.0/8

    If you’re running Windows, then I’m afraid I can’t help you there.

    If you’re interested in the actual scripts I’m using, let me know…

  2. I caught your post on Whirlpool, and you’re a bloody genius.

    I’d figured that this was a routing issue, but short of manually killing the route I didn’t have time to sit down and figure out how to automate it.

    If only Telstra implemented things properly with consideration for how the real world works, it wouldn’t take a solution like this to fix a problem they’d created.

  3. One thing I’ve found out, but not put into practice, is that if you talk to your Telstra account manager, you can request an IP on their edge network (edge, as in on the edge, not on a private IP address range) and you will get a real-world IP address which will also solve this problem…

    Knowing what it’s like dealing with Telstra however, it’s probably going to be quicker to use this fix 😉

  4. Hi Kai, I tried that command line, which you posted, on my MacBook Air but I got the following message:
    route: writing to routing socket: No such process
    delete net 10.0.0.0: not in table

    My VPN still doesn’t work properly. Anything else I can try?

    Thanks in advance.

  5. Hi Kai,

    You’re awesome, thanks for the automated script. I’m interested in the actual script; can you send it to me please?

    Thanks

  6. I installed the package provided above and the problem has not been resolved. I don’t know how to uninstall it as I have made the situation worse. I would appreciate if you can advise me how to perform the following:
    If you’re wanting to do it manually here’s a one-liner to execute in the terminal:
    sudo /sbin/route delete 10.0.0.0/8

    What is the exact command? I am running OSX Lion on Mac. Thank you very much for your help.

    1. There is some light at the end of the tunnel, and no, it’s not an incoming train.

       1. My friend got a Galaxy Tab on Telstra. He thought reception sucked and so was data speed. Turns out it was also stuck on the 3TELSTRA 2100MHz network instead of the 850MHz network. Fortunately he was able to use the dialler to get into the band selection and chose 850MHz only. After a reboot, he registered on the Telstra Mobile network, the data speeds went up and reception issues have gone away. Looks like the 7in Galaxy Tab may not be prone to this issue.

       2. Another friend accidentally smashed the screen on his Galaxy S. When he took it for repair, he found that replacing the screen also means replacing the antenna and radio modules since they are all moulded together as one unit and board (with the computer part being the separate PCB board). When he got the screen replaced, they did so with the part used in the I-9000T instead of the 850MHz crippled I-9000 hardware, and now his phone can access the Telstra 850MHz band. The repair/replacement costs $150-$200 which is FAR less than the cost of a new phone.

       Still, poor form from Samsung and the Australian mobile carriers but we’ve come to expect such shady tactics in this greedy corporate world.

  7. Khundry,

    To uninstall, delete /etc/ppp/ip-up and /etc/ppp/ip-down.

    The command you have copied and pasted above is the exact command to use.
