[pptp-server] ICMP Host Unreachable messages not traveling back through tunnel

Benjamin Carter bcarter at umr.edu
Thu Jul 27 11:03:56 CDT 2000


I was experimenting with setting up PPTP, and got a server set up and
connected to it with a Win95 client.  I accidentally checked "use
default gateway on remote network" on the client; I had already included
rejecting firewall rules on the server so that it would not forward
traffic from the private network to anywhere but other private network
hosts.

However, in the course of diagnosing the situation, a look at the
packets on the wire revealed that when the Win95 client machine was
attempting a DNS lookup on its workgroup name, the server would send back
ICMP Host Unreachable messages to the client - but they did not go back
through the tunnel, but rather alongside it on the wire.

I don't know if this is a result of interaction with the firewalling
code (I am running 2.2 and ipchains) or if it is a more significant
issue.  As I do not plan on using the VPN's gateway [using a
defaultroute through a VPN connection seems like something that would
not be useful as a general case, only for more specific setups] this is
not an issue for me.  I am also not using encryption on the tunnel - it
is just a test setup - but the security implications would seem to be
minor (the only information is the host IP in the dest unreachable
message - which will usually be just the IP of the DNS servers.)  Still,
I thought it was important enough to point out.

-- 
-Ben Carter
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so. - Douglas Adams, "Last Chance to See" 
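The symptom described in the post (an ICMP Host Unreachable reply to a datagram that arrived through the tunnel, but transmitted on the physical interface next to the tunnel instead of back inside it) can be picked out of a packet capture mechanically. The following is an added example, not code from the original post or from the pptp-server project: it runs a simple correlation over constructed, simplified capture records and flags any ICMP destination-unreachable message whose quoted inner datagram was received on one interface but whose error reply left on another. The interface names (`ppp0`, `eth0`) and all addresses are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified capture records (not taken from the original post).
# direction: "in" = received on iface, "out" = transmitted on iface.
# For ICMP error messages, `quoted` holds the (src, dst) of the original
# datagram that the ICMP error carries in its payload (RFC 792).
@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: str
    dst: str
    proto: str                         # "udp", "tcp" or "icmp"
    icmp_type: Optional[int] = None    # 3 = destination unreachable
    icmp_code: Optional[int] = None    # 1 = host unreachable
    quoted: Optional[Tuple[str, str]] = None

ICMP_DEST_UNREACHABLE = 3

def find_leaked_icmp_errors(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Return (icmp_error_packet, arrival_iface) pairs for every ICMP
    destination-unreachable message that was transmitted on a different
    interface than the one the triggering datagram arrived on.

    The expectation checked here is simple: an ICMP error generated for a
    datagram that came in through the tunnel interface should go back out
    through that same tunnel interface, not alongside it on the wire.
    """
    # Index inbound, non-ICMP datagrams by (src, dst) -> ingress interface.
    ingress: Dict[Tuple[str, str], str] = {}
    for p in packets:
        if p.direction == "in" and p.proto != "icmp":
            ingress.setdefault((p.src, p.dst), p.iface)

    leaks: List[Tuple[Packet, str]] = []
    for p in packets:
        if (p.direction != "out" or p.proto != "icmp"
                or p.icmp_type != ICMP_DEST_UNREACHABLE or p.quoted is None):
            continue
        arrival_iface = ingress.get(p.quoted)
        if arrival_iface is not None and arrival_iface != p.iface:
            leaks.append((p, arrival_iface))
    return leaks

def leak_report(packets: List[Packet]) -> List[str]:
    """Human-readable one-line summary per leaked ICMP error."""
    return [
        f"ICMP type {p.icmp_type} code {p.icmp_code} to {p.dst} left on {p.iface}, "
        f"but the quoted datagram {p.quoted[0]}->{p.quoted[1]} arrived on {arrival}"
        for p, arrival in find_leaked_icmp_errors(packets)
    ]

# Constructed sample capture. 192.168.100.2 is the hypothetical PPTP client's
# tunnel address, 192.168.100.1 the server's tunnel end, 10.1.1.53 and
# 10.1.1.54 hypothetical DNS servers the firewall rejects traffic to.
SAMPLE_CAPTURE: List[Packet] = [
    # DNS query arrives through the tunnel and is rejected by the firewall...
    Packet("ppp0", "in", "192.168.100.2", "10.1.1.53", "udp"),
    # ...and the resulting Host Unreachable leaves on eth0, not back via ppp0.
    Packet("eth0", "out", "192.168.100.1", "192.168.100.2", "icmp",
           icmp_type=3, icmp_code=1, quoted=("192.168.100.2", "10.1.1.53")),
    # A second query whose ICMP error correctly goes back through the tunnel.
    Packet("ppp0", "in", "192.168.100.2", "10.1.1.54", "udp"),
    Packet("ppp0", "out", "192.168.100.1", "192.168.100.2", "icmp",
           icmp_type=3, icmp_code=1, quoted=("192.168.100.2", "10.1.1.54")),
]

if __name__ == "__main__":
    for line in leak_report(SAMPLE_CAPTURE):
        print(line)
```

The check deliberately keys on the quoted inner header rather than on the ICMP packet's own addresses, because the outer addresses of the error are exactly what the server's routing table chose and therefore cannot tell you where the error should have gone. In a real deployment the same correlation can be fed from a capture taken on the server, one stream per interface.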