I have a PPTP VPN server at some location and can’t connect to it without stopping firewalld. I already tried this, but this is the output: sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such file or directory, and I don’t know what to do. Spec: Arch Linux rolling, kernel linux-6.0.2.arch1-1; client: networkmanager-pptp
Have you added the PPTP TCP port 1723 to firewalld through firewall-cmd on the server? If not, you can do so by running firewall-cmd --zone <zone which you use> --add-port 1723/tcp
Normally all outgoing connections are allowed by default on firewalld. But the conntrack module is the stateful packet module which keeps track of these sessions. iptables is the standard access list which exists on all modern Linux distros. It’s stateless by default, which means it doesn’t rely on the conntrack module unless you explicitly configure it to. Try adding an iptables rule through firewalld on your laptop.
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o <name of your interface> -d <IP address of server> -j ACCEPT
This should definitively allow all outgoing connections to the server. Also you might want to do the same for incoming connections from the server.
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i <name of your interface> -s <IP address of server> -j ACCEPT
I’m not really very knowledgeable about PPTP in particular; I decided to mainly respond because I’m fairly good at managing firewalld. As far as I can tell from the logs it looks like it can establish a session, but the problem is that it times out when it sends the configuration. I’d guess that it tries to send it over the tunnel and it might fail because of the default firewall zone spawned when the connection opens. By default the default firewall zone is “public”, but you can change that if you really want to by running sudo firewall-cmd --permanent --set-default-zone=<zone> and then running sudo firewall-cmd --reload. Running reload will unload your temporary changes, so make sure that you run sudo firewall-cmd --runtime-to-permanent so your running config is saved.
It also looks like you have a network manager connection established with pptp. You should be able to inspect this connection with the command nmcli connection show then you can force the connection to use an open zone in firewalld by running the command sudo nmcli connection modify <name of your pptp connection as shown previously> connection.zone trusted (or any other desired zone in lieu of trusted) and then run sudo nmcli device reapply <nmcli device as shown by nmcli device status>. Why do this through network manager and not firewalld you might wonder? Well it’s because firewalld can only be managed on running connections. By doing it through network manager you get a persistent firewall zone applied to it instead of the default when the pptp interface is created (in the eyes of firewalld).
You can also try running sudo modprobe nf_conntrack_pptp. This should load the conntrack driver for PPTP.
You shouldn’t need to but other things you might have to try would be to keep the session open with something like keepalived.
Or if you really cannot get it to work with firewalld, you might have to look for an alternative solution. In that case you can set up iptables for a stateless packet filtering solution, which definitively should allow you to establish a session since a stateless ruleset isn’t dependent on the conntrack module.
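The pieces the replies above touch on (port 1723/tcp in the zone, the nf_conntrack_pptp helper, and the GRE tunnel protocol that PPTP carries its data over) can be checked in one place. The script below is an added example, not code from the thread or from firewalld; the function names pptp_missing and pptp_audit are my own, and it assumes the standard firewall-cmd --list-all and lsmod output formats.

```shell
#!/bin/sh
# Added example (not from the original thread): report what a firewalld zone
# and the kernel still lack for a PPTP client, and print the runtime
# firewall-cmd/modprobe commands that would add each missing piece.
# The check takes text as arguments so it can be run offline against
# captured output; pptp_audit gathers the live output itself.

# pptp_missing ZONE LIST_ALL_OUTPUT LSMOD_OUTPUT
#   LIST_ALL_OUTPUT: text of `firewall-cmd --zone=ZONE --list-all`
#   LSMOD_OUTPUT:    text of `lsmod`
# Prints one remediation command per missing item; prints nothing when
# the zone already allows 1723/tcp and gre and the helper is loaded.
pptp_missing() {
    zone="$1"; out="$2"; mods="$3"
    # control channel: TCP/1723 must appear on the zone's "ports:" line
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*ports:.* 1723/tcp( |$)' ||
        echo "firewall-cmd --zone=$zone --add-port=1723/tcp"
    # data channel: PPTP tunnels traffic over GRE (IP protocol 47)
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*protocols:.* gre( |$)' ||
        echo "firewall-cmd --zone=$zone --add-protocol=gre"
    # conntrack helper that tracks the GRE call set up over the control channel
    printf '%s\n' "$mods" | grep -Eq '^nf_conntrack_pptp[[:space:]]' ||
        echo "modprobe nf_conntrack_pptp"
}

# pptp_audit [ZONE]: run the check on the live system (needs firewall-cmd
# and lsmod). With no argument the firewalld default zone is used; this is
# the zone a new interface lands in unless nmcli assigns connection.zone.
pptp_audit() {
    zone="${1:-$(firewall-cmd --get-default-zone)}"
    fixes=$(pptp_missing "$zone" "$(firewall-cmd --zone="$zone" --list-all)" "$(lsmod)")
    if [ -z "$fixes" ]; then
        echo "zone '$zone' and kernel are ready for PPTP"
    else
        echo "missing for PPTP in zone '$zone'; suggested runtime commands:"
        printf '%s\n' "$fixes"
        echo "(add --permanent or run firewall-cmd --runtime-to-permanent to keep them)"
    fi
}

# Usage: sh pptp_check.sh --audit [zone]
case "${1:-}" in
    --audit) pptp_audit "${2:-}" ;;
esac
```

Add the connection's own zone as the argument (the value shown by nmcli -g connection.zone connection show <name>) when the PPTP connection has been pinned to a zone other than the default.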