texas1emt Guru
Joined: 27 Oct 2003 Posts: 352 Location: San Antonio, TX
Posted: Mon Jun 12, 2006 9:51 pm Post subject: HOWTO: PPTP VPN Server with MPPE, including Shorewall config
HOWTO: PPTP VPN Server with MPPE, including Shorewall configuration
Goal of this HOWTO:
The goal of this howto is to create a PPTP VPN server on a Gentoo workstation or server so that you can access resources behind your firewall when you are away. You can use clients such as pptpclient, Windows XP, or OS X to connect to this VPN securely. Also, you can access the internet using your VPN server's internet connection, which is handy if you're in a location with unsecured wireless.
Packages For This HOWTO:
Step 1: Preparing Your Kernel Modules
For PPP and PoPToP to work properly, you'll need a 2.6.16 or later kernel. The reason for this is that the 2.6.16 kernel contains the proprietary MPPE (Microsoft Point To Point Encryption) module that is required for the PPTP VPN to serve Windows clients. I've heard from many people that the Polbox MPPE-MPPC patch works well on older kernels, but I've always run into issues when I've tried to use it.
If you want to get the latest kernel, just run:
Code:
# emerge sync
# emerge gentoo-sources
As of the writing of this HOWTO, the latest stable gentoo-sources kernel is 2.6.16-r7 but your results may vary. If you already have a 2.6.16 kernel, then keep on going in the HOWTO. If you just upgraded your kernel from another kernel by running the previous two commands, then please be sure to configure your kernel to support your hardware first, then move on to the next paragraph.
Inside your kernel configuration, be sure to enable the following:
PPP Support:
Code:
Device Drivers -> Network Device Support
<*> PPP (point-to-point protocol) support
[*] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
<*> PPP support for async serial ports
<*> PPP support for sync tty ports
<*> PPP Deflate compression
<*> PPP BSD-Compress compression
<*> PPP MPPE compression (encryption) (EXPERIMENTAL)
<*> PPP over Ethernet (EXPERIMENTAL)
Crypto Support: (I generally modularize all of the crypto modules, just in case)
Code:
Cryptographic API
[*] HMAC support
<M> Null algorithms
<M> MD4 digest algorithm
<M> MD5 digest algorithm
--- SHA1 digest algorithm
<M> SHA256 digest algorithm
<M> SHA384 and SHA512 digest algorithms
<M> Whirlpool digest algorithms
<M> Tiger digest algorithms
<M> DES and Triple DES EDE cipher algorithms
<M> Blowfish cipher algorithm
<M> Twofish cipher algorithm
<M> Serpent cipher algorithm
<M> AES cipher algorithms
<M> AES cipher algorithms (i586)
<M> CAST5 (CAST-128) cipher algorithm
<M> CAST6 (CAST-256) cipher algorithm
<M> TEA, XTEA and XETA cipher algorithms
--- ARC4 cipher algorithm
<M> Khazad cipher algorithm
<M> Anubis cipher algorithm
<M> Deflate compression algorithm
<M> Michael MIC keyed digest algorithm
<M> CRC32c CRC algorithm
<M> Testing module
Netfilter Support for Shorewall: (If you're not going to use Shorewall, then skip this step)
Code:
Networking Options -> Network packet filtering (replaces ipchains)
Make sure everything within this area is compiled in [*]
Exit the kernel configuration, save your changes, and compile your kernel:
Code:
make && make modules_install
Copy your kernel over to /boot. If you upgraded a kernel during this procedure be sure to change your bootloader configuration! Reboot your box and continue to step 2.
Step 2: Install Packages
At this step, you should now be booted into your kernel with PPP and MPPE support. You will need two packages:
- net-dialup/ppp (compiles in < 2 minutes on a P3 900)
- net-dialup/pptpd (compiles in < 1 minute on a P3 900)
When you emerge ppp, DO NOT enable the mppe-mppc use flag! Enabling the flag will make PPP depend on the Polbox MPPE-MPPC patch, which isn't the same as the module built into your kernel. A pretend merge should show something like this:
Code:
# emerge -pv ppp pptpd
[ebuild N ] net-dialup/ppp-2.4.2-r15 -activefilter -atm -dhcp -ipv6 -mppe-mppc +pam -radius 0 kB
[ebuild N ] net-dialup/pptpd-1.2.3-r1 +tcpd 0 kB
Just emerge the packages now (takes less than 3 minutes on a P3 900):
Step 3: Configure PoPToP/PPP
At this step, you should have a kernel with MPPE support and PPP/PPTPD should be installed. Now it's time to edit some configuration files. I'll only show the relevant lines here for brevity's sake.
/etc/pptpd.conf
This file contains the basic instructions for the PPTPD process.
Code:
# This tells PPTPD to find its options in another file (which we will edit later)
option /etc/ppp/options.pptpd
# Turn on debug output until you get things working properly, then comment it later
debug
# Log the connects and disconnects to your system log
logwtmp
# Set your local and remote ip's (this is tricky - see info below)
localip 192.168.0.1
remoteip 192.168.0.210-220
Okay, so what's this deal about localip and remoteip? It is a bit tricky, indeed. You can read the comments from the authors of PoPToP there in your conf file, but they're a bit unclear.
First, I'll explain how my setup works, as it may be common. I have two interfaces: eth0 faces the internet and eth1 faces my internal NAT'ed network. My eth0 interface connects to a cable modem and it gets its networking information via DHCP. My eth1 interface connects into a switch and serves my internal network only. The internal network is 192.168.0.0/24 (or 192.168.0.1-192.168.0.255). The IP 192.168.0.1 is assigned to eth1 at all times. For those of you who are visual learners, enjoy my rudimentary network diagram:
Code:
/----------\          /---------------\          /--------\         /-----\
| Internet |---eth0---| Gentoo Router |---eth1---| Switch |---------| LAN |
\----------/          \---------------/          \--------/         \-----/
(dynamic ip)             192.168.0.1              192.168.0.0/24
Here's a few tips to keep in mind when you're setting up localip and remoteip:
- For localip, specify the IP address of your internal interface.
- For remoteip, specify the IP addresses that remote users are allowed to use. When remote users connect, they will be assigned IP's starting at the lowest end of the range you provide. In my example configuration above, my first remote user will be assigned 192.168.0.210.
- The amount of connections allowed is the same as the number of remote IP's provided. If you want 10 remote users, provide 10 remote ip's.
- The IP's for localip and remoteip MUST be on the same network interface and MUST be on the same subnet. For example, if the IP you provide for localip is on eth0 and the IP's for remoteip are on eth1, you will have connection issues.
/etc/ppp/options.pptpd
This file contains the instructions for PPP when someone tries to connect to your VPN.
Code:
# The name is pretty arbitrary, but it must match the entry in your chap-secrets
name pptpd
# These are really unsecure methods, so they're disabled
refuse-pap
refuse-chap
refuse-mschap
# This is the most secure handshake method
require-mschap-v2
# We want to force 128 bit encryption for the session
require-mppe-128
# Enable a lot of debugging to the syslog (comment it out once everything works)
debug
# Make a lock file while the connection is open
lock
# Disable compression (it's not available with your module)
nobsdcomp
# Don't log to your terminal window
nologfd
/etc/ppp/chap-secrets
This file contains login credentials for your remote users.
Code:
# client        server  secret            IP addresses
mylogin         pptpd   mypassword        *
googlebuddy     pptpd   googlebuddypass   216.239.32.0/19
The client is the username, the server defines which server the secret is meant for (see line 1 of /etc/ppp/options.pptpd), and the secret is the password. For IP addresses, the asterisk (*) means allow from all IP's. You can specify a single IP or CIDR block to limit access to certain IP addresses.
Step 4: Firewall Configuration
For the folks who are pretty smart when it comes to firewalls, you will want to allow TCP traffic to come into the router and also to go out of the router. In addition, you will want to allow GRE 47 to leave your router.
If you like IPTables: (Borrowed From Experts-Exchange)
Code:
iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT
Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:
iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
ProTech made a good point (see first reply below) that the above instructions are for a VPN server that is NAT'd on an internal network. My mistake! ProTech made the suggestion to use these iptables commands to use a VPN server on the router/firewall itself:
Code:
iptables -A INPUT -p gre -d FIREWALL_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d FIREWALL_IP -j ACCEPT
Since Shorewall is my favorite way to configure netfilter, this HOWTO is pretty Shorewall-centric. Luckily, you only need a few edits:
/etc/shorewall/interfaces
Code:
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp
gig     eth1        192.168.0.255   dhcp
vpn     ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The net zone connects to the internet on eth0, gig connects to the internal gigabit network on eth1, and vpn comprises all of the ppp interfaces. By using ppp+ in the file, you're telling shorewall to include ppp0, ppp1, ppp2, etc. in this zone.
/etc/shorewall/zones
Code:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
gig     ipv4
vpn     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
I added the vpn zone here, and it is an IPv4 network.
/etc/shorewall/policy
Code:
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
fw      gig     ACCEPT
fw      vpn     ACCEPT
gig     fw      ACCEPT
gig     net     ACCEPT
gig     vpn     ACCEPT
vpn     fw      ACCEPT
vpn     net     ACCEPT
net     all     DROP
all     all     REJECT
#LAST LINE -- DO NOT REMOVE
The firewall, internal gigabit network, and vpn can talk between themselves and also to the internet. However, the internet isn't allowed to talk directly to any of them (unless I allow it in /etc/shorewall/rules).
/etc/shorewall/rules
Code:
ACCEPT  net     fw      tcp     22,443,1723,10000
For the firewall, I'm allowing ssh, https, pptp vpn, and webmin in from the outside. Where's GRE Protocol 47? Check the next file.
/etc/shorewall/tunnels
Code:
#TYPE       ZONE    GATEWAY         GATEWAY
#                                   ZONE
pptpserver  vpn     192.168.0.1
This tells shorewall to allow GRE traffic to go from the VPN's gateway (192.168.0.1) back out to the internet to our remote users.
Now, check your syntax and restart the firewall:
Code:
# shorewall check
# shorewall restart
Step 5: Starting PPTPD
You're on the home stretch! Start the PPTPD daemon and make it start at boot time.
Code:
# /etc/init.d/pptpd start
# rc-update add pptpd default
Now, test a connection. You should get something like this in the syslog. (I'm only displaying the non-debug output)
Code:
Jun 12 16:38:30 router pptpd[23810]: CTRL: Client xxx.xxx.xxx.xxx control connection started
pptpd[23810]: CTRL: Starting call (launching pppd, opening GRE)
pppd[23811]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[23811]: pppd 2.4.2 started by root, uid 0
pppd[23811]: Using interface ppp0
pppd[23811]: Connect: ppp0 <--> /dev/pts/1
pptpd[23810]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
pppd[23811]: MPPE 128-bit stateless compression enabled
pppd[23811]: found interface eth1 for proxy arp
pppd[23811]: local IP address 192.168.0.1
pppd[23811]: remote IP address 192.168.0.210
At this point, you should be a-okay! Check the common issues below if something doesn't seem right.
Common Issues:
- The connection hangs on Connect: ppp0 <--> /dev/pts/x: Most likely, your localip and remoteip in /etc/pptpd.conf are on different interfaces or subnets. They have to be on the same interface and within the same subnet!
- The connection hangs on CTRL: Ignored a SET LINK INFO packet with real ACCMs!: Your remote location might not be allowing GRE traffic in, or it might not be surviving a NAT properly. Confer with your network administrator at the remote location.
Step 6: How do I connect to the VPN?
Using Windows XP:
- Go to File -> Settings -> Control Panel. Choose Network Connections.
- Click Create a new connection.
- When the wizard starts, click Next, Connect to the network at my workplace, then Next.
- Click Virtual Private Network connection, Next, name the connection, then Next.
- If it asks about dialing an initial connection, click Do not dial... unless you are using dialup to connect to the internet.
- Enter the external address of your VPN server, click Next, choose an availability option, then Next and Finish.
- Click Properties, the Networking tab, choose PPTP VPN from the drop down and double click Internet Protocol (TCP/IP).
- Click Advanced and uncheck Use default gateway on remote network. If you leave it checked, ALL of your computer's traffic will be routed through your home network. This will cut off current connections, downloads, chats, etc.
- Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK.
- Double click the VPN network connection, enter your username and password from /etc/ppp/chap-secrets and connect!
Using OS X:
- Double click your hard drive icon, then double click Applications, and then double click Internet Connect.
- Click the VPN icon in the top bar and choose Edit Configurations from the drop down list.
- Click the + under the list on the left and complete the description, server address, account name, and password fields.
- Be sure to choose Maximum (128 bit only) from the Encryption drop down menu and click OK.
- Click connect and your VPN should be connected.
- With OS X, all of your traffic will get routed through the remote network. To fix this, drop to a terminal and execute:
Code:
$ sudo route add default 192.168.0.1
Change 192.168.0.1 to your local gateway so that only the traffic that needs to go over the VPN actually does go over the VPN.
Final Thoughts
If you have any questions or comments, reply to the post or contact me and I'll see what I can do to help.
Version History:
Jun-12-06: First Revision
Jun-18-06: Included iptables configuration for PPTP server on firewall itself, thanks to ProTech.
_________________
M. Hayden - San Antonio, TX
Last edited by texas1emt on Sun Jun 18, 2006 2:45 pm; edited 2 times in total
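As an added example (not part of texas1emt's HOWTO), here is a small POSIX sh script that checks the localip/remoteip pair from /etc/pptpd.conf before you start pptpd. It expands the remoteip syntax that the stock pptpd.conf comments describe (comma-separated addresses and last-octet ranges such as 192.168.0.210-220, written out in full), reports how many simultaneous clients that allows, and verifies that every remote address falls in the same subnet as localip, which is the cause given for the first entry under Common Issues. The prefix length is a third argument you supply (24 for the HOWTO's 192.168.0.0/24; a wider network such as the /22 asked about later in the thread is checked the same way). The function names and the script itself are mine, not pptpd's.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Checks a pptpd.conf localip/remoteip pair:
# expands remoteip, counts the addresses (= simultaneous clients), and verifies
# every remote address is in the same subnet as localip, which the HOWTO lists
# as the usual cause of a hang at "Connect: ppp0 <--> /dev/pts/x".
# Assumes the prefix length of the internal interface is known (24 for the
# HOWTO's 192.168.0.0/24) and that ranges use the last-octet form documented
# in the stock pptpd.conf (234-238, never 234-8).

# ip_to_int 192.168.0.1 -> 3232235521
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# netmask_int PREFIXLEN -> the netmask as an integer (24 -> 4294967040)
netmask_int() {
    hostbits=$(( 32 - $1 ))
    size=1
    while [ "$hostbits" -gt 0 ]; do
        size=$(( size * 2 ))
        hostbits=$(( hostbits - 1 ))
    done
    echo $(( 4294967296 - size ))
}

# expand_remoteip SPEC -> one address per line, in the order pptpd hands them out.
# Accepts "a.b.c.d", "a.b.c.x-y" and comma-separated mixes of both.
expand_remoteip() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            *-*)
                prefix=${item%.*}      # e.g. 192.168.0
                range=${item##*.}      # e.g. 210-220
                lo=${range%-*}
                hi=${range#*-}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    echo "$prefix.$i"
                    i=$(( i + 1 ))
                done
                ;;
            ?*) echo "$item" ;;    # single address; empty items are skipped
        esac
    done
}

# check_pptpd_addrs LOCALIP REMOTEIP PREFIXLEN
# Prints the client count; fails if any remote address is outside localip's
# subnet or the list is empty.
check_pptpd_addrs() {
    localip=$1
    mask=$(netmask_int "${3:-24}")
    localnet=$(( $(ip_to_int "$localip") & mask ))
    bad=0
    n=0
    for ip in $(expand_remoteip "$2"); do
        n=$(( n + 1 ))
        if [ $(( $(ip_to_int "$ip") & mask )) -ne "$localnet" ]; then
            echo "remoteip $ip is not in the same /${3:-24} as localip $localip" >&2
            bad=1
        fi
    done
    echo "$n simultaneous client(s) allowed by remoteip $2"
    [ "$bad" -eq 0 ] && [ "$n" -gt 0 ]
}

# The HOWTO's own values: localip 192.168.0.1, remoteip 192.168.0.210-220 on a /24.
check_pptpd_addrs 192.168.0.1 192.168.0.210-220 24
```

Run it with the two values from your own pptpd.conf and the prefix length of the interface localip lives on; a non-zero exit means pptpd would hand a client an address that your internal interface cannot proxy-ARP for.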
ProTech Tux's lil' helper
Joined: 30 Dec 2003 Posts: 88 Location: Hungary
Posted: Sun Jun 18, 2006 10:08 am
Thanks for the HOWTO!
I will try this as soon as a hardened-sources-2.6.16 kernel get stabilized.
I have some questions about the firewall section. You can use iptables or shorewall, right? So if I'm using iptables already, I don't have to do anything with the shorewall section. I know nothing about shorewall...
I think the iptables section is for a VPN server not in the router/firewall, but on a NAT'ed machine inside your local net. For a VPN server in the router you have to add something similar to the first two commands, like this (I didn't try this):
Code:
iptables -A INPUT -p gre -d FIREWALL_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d FIREWALL_IP -j ACCEPT
I usually use the -i INTERFACE option instead of the -d FIREWALL_IP, because I have a dynamic IP address...
Is there a way to use an existing DHCP server to assign IP addresses to the VPN clients too?
texas1emt Guru
Joined: 27 Oct 2003 Posts: 352 Location: San Antonio, TX
Posted: Sun Jun 18, 2006 2:51 pm
ProTech wrote:
> Thanks for the HOWTO!
No problem! It took so much time to figure this out, I thought I'd do my best to save everyone else some work.
ProTech wrote:
> I have some questions about the firewall section. You can use iptables or shorewall, right? So if I'm using iptables already, I don't have to do anything with the shorewall section. I know nothing about shorewall...
Correct. If you configure your firewall without using shorewall, you can configure it using any tools/commands that you like. I'm just partial to shorewall because it allows me to make firewall changes relatively easily.
ProTech wrote:
> I think the iptables section is for a VPN server not in the router/firewall, but on a NAT'ed machine inside your local net.
Correct again! That was my error and I didn't examine the iptables commands before I posted it. I included your suggested commands into the HOWTO above. Thanks!
ProTech wrote:
> Is there a way to use an existing DHCP server to assign IP addresses to the VPN clients too?
Actually, when you configure the remoteip section of the /etc/pptpd.conf, you're specifying which range of IP's are allowed to be assigned to remote users. I believe the PPP server is the one that assigns these IP's when remote users connect. It will start from the lowest IP in the range and keep handing out IP's until the highest IP in the range is given out.
As far as using your own DHCPD server to hand out IP's - that's something I've never tinkered with, actually. It seems like the PPP server wants to be in charge of giving out IP's the entire time. If you are able to get something working with DHCPD, let me know, because I could probably use that in my situation as well.
Thanks for the reply!
_________________
M. Hayden - San Antonio, TX
Vieri l33t
Joined: 18 Dec 2005 Posts: 874
Posted: Wed Jun 28, 2006 8:43 pm
Quote:
> /etc/shorewall/tunnels
> Code:
> #TYPE       ZONE    GATEWAY         GATEWAY
> #                                   ZONE
> pptpserver  vpn     192.168.0.1
> This tells shorewall to allow GRE traffic to go from the VPN's gateway (192.168.0.1) back out to the internet to our remote users.
According to the configuration reported above, shouldn't /etc/shorewall/tunnels be:
Code:
#TYPE       ZONE    GATEWAY         GATEWAY
#                                   ZONE
pptpserver  net
?
DooMi Tux's lil' helper
Joined: 03 May 2004 Posts: 103 Location: /dev/null
Posted: Fri Jul 14, 2006 7:12 am Post subject: Re: HOWTO: PPTP VPN Server with MPPE, including Shorewall co
texas1emt wrote:
> Netfilter Support for Shorewall: (If you're not going to use Shorewall, then skip this step)
> Code:
> Networking Options -> Network packet filtering (replaces ipchains)
> Make sure everything within this area is compiled in [*]
> Exit the kernel configuration, save your changes, and compile your kernel:
that will really bloat the kernel to ZOMG...
maybe some detailed information on this would be handy to know (so I don't have to bloat the kernel by enabling all of that crap in there...)
cheers
_________________
cyrex ~ # ./vpenis
--- Weeee! Congrats! Your VPenis is actually 356.8 cm long ---
fr3akX n00b
Joined: 17 Oct 2005 Posts: 31 Location: LV
Posted: Thu Jul 27, 2006 6:37 am
After this I'm getting the same gateway and IP address on the client machine! The client machine runs WinXP; how do I get it to route all the client's traffic through the VPN?
_________________
http://chown.lv
jhunholz Apprentice
Joined: 29 Apr 2004 Posts: 154 Location: Raleigh, NC
Posted: Wed Oct 04, 2006 5:51 pm
I've set up my firewall like you say to above, but when I try to log on from a client at work, it gets to verifying the username/password, waits for a while, then asks if I want to try again. When I try to connect, I'm seeing this printed over and over in /var/log/messages on the server:
Code:
pppd[4356]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcedf90d0> <pcomp> <accomp>]
My /etc/pptpd.conf:
Code:
###############################################################################
# $Id: pptpd.conf,v 1.8 2004/04/28 11:36:07 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 10.4.1.1
remoteip 10.4.1.100-110
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
My /etc/ppp/chap-secrets:
Code:
# Secrets for authentication using CHAP
# client     server  secret  IP addresses
jhunholz     pptpd   monkey  *
Any ideas why it's not working?
_________________
Member of the Gentoo Right Wing Conspiracy
jhunholz Apprentice
Joined: 29 Apr 2004 Posts: 154 Location: Raleigh, NC
Posted: Wed Oct 04, 2006 6:34 pm
After doing some investigating, it seems my problem is the firewall my company has in place. So I guess I'll have to find another way of connecting to my home network.
_________________
Member of the Gentoo Right Wing Conspiracy
RayVad n00b
Joined: 10 Nov 2005 Posts: 67 Location: Netherlands
Posted: Tue Jan 09, 2007 12:21 am
Q: How should I set up my /etc/conf.d/net for PPTP? (This question came up for me since PPTP wasn't working at first)
A: I have two NICs in my system and like to use eth0 = LAN and eth1 = WAN.
My /etc/conf.d/net is configured as:
Code:
config_eth0=( "192.168.6.40 netmask 255.255.255.0 brd 192.168.6.255" )
config_eth1=( "10.0.0.150 netmask 255.255.255.0 brd 10.0.0.255" )
routes_eth1=( "default gw 192.168.6.1" )
Everything seemed to be configured correctly following the above guide, but PPTP didn't accept connections.
I had to compile MPPE as a module in the kernel to make PPTP work.
Jeff4321 n00b
Joined: 19 Dec 2006 Posts: 2
Posted: Thu Jan 25, 2007 5:01 pm
Huuuuuuge thanks to texas1emt for this guide. I had been pissing around for a day and a half before I finally found this easy to use guide and got my VPN server up and working.
One issue that I did have that no one has mentioned yet was that I could ping the two end-points of my VPN tunnel but my server was not forwarding the packets. For example: My VPN server has an address of 10.235.1.1 and my VPN client was assigned an address of 10.235.1.240. When I attempted to ping another device at 10.235.1.4 it did not work. My ICMP packets arrived at the VPN server and nothing happened. I made sure my IPTABLES forwarding rules were set correctly, made sure /proc/sys/net/ipv4/ip_forward had a '1' in it, etc.
My problem was resolved simply by setting proxyarp on in /etc/ppp/options.pptpd and restarting /etc/init.d/pptpd. I think that should be added to the original post as initially it is set in the default /etc/ppp/options.pptpd file but I commented it out and just used what the guide told me to use.
Other than that it is working great!
rottis n00b
Joined: 06 Jul 2004 Posts: 5
Posted: Mon Feb 05, 2007 2:33 pm Post subject: vpn, samba pdc, wins and netbiosnames
Hi!
Thanks for this great howto... I used this howto to be able to connect a Windows XP client to a Samba PDC and I ran into trouble.
I thought I would share my problem and solution for future reference for me (I have a very short memory) and for other users.
Problem:
I could not get NetBIOS names to work. I needed this to be able to add the computer to the domain, but it is the same problem if you want to browse computers which are in your workgroup.
Solution in theory:
You have to add a WINS server, in my case the Samba PDC server. I tried to add it through the network settings and through pptpd and it always showed up in ipconfig /all, but I couldn't talk to the other computers except via DNS or IP.
Solution in practice:
Add the WINS server and enable NetBIOS over TCP/IP on the VPN network connection, and disable NetBIOS over TCP/IP on the external network card, because Windows gets confused when it is enabled on both and you will need it to be enabled on the VPN connection.
/marcus
Brownstone n00b
Joined: 18 Aug 2006 Posts: 25
Posted: Sat Feb 24, 2007 11:15 pm
Thanks for this HOWTO! I have the following setup and it worked fine:
1. 3com ADSL Wireless Router -- Port 1723 open and pointing to my Gentoo server
2. Netgear 5 Port 1G Switch -- 3com + Server + Desktop all connected to this
Turns out I didn't need to do any of the IPTABLES or Shorewall stuff, since my Gentoo box is pretty much a file-server only. The 3com takes care of the routing well enough for the moment.
Thanks again!
EDIT - Turns out I *did* need to do one extra thing before I could ping other machines on the VPN:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
The proxyarp option was enabled by default when I emerged pptpd.
That was it for me!
_________________
Of course, that's just my opinion. I could be wrong.
Last edited by Brownstone on Mon Feb 26, 2007 3:45 am; edited 2 times in total
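Added example, not from any post in this thread: a preflight check for the two settings that several replies (Jeff4321, Brownstone, Just_Chris) had to fix by hand before traffic would pass beyond the VPN server, namely IP forwarding and the pppd proxyarp option, together with the authentication and MPPE options the HOWTO's options.pptpd sets. Both file paths are arguments so the checks can be run against copies; on the server itself you would pass /proc/sys/net/ipv4/ip_forward and /etc/ppp/options.pptpd. The function names are my own, and the files in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight checks for a pptpd server:
# forwarding must be on, and the pppd options file must carry proxyarp plus
# the auth/MPPE options from the HOWTO. Paths are arguments so the checks can
# run against copies of the real files.

# ip_forward_enabled FILE -> succeeds when FILE contains exactly "1"
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# option_enabled FILE OPTION -> succeeds when OPTION is an active line in a
# pppd options file (one option per line; a leading '#' comments it out).
option_enabled() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# pptpd_preflight IP_FORWARD_FILE OPTIONS_FILE -> returns the number of failed checks
pptpd_preflight() {
    fails=0
    if ip_forward_enabled "$1"; then
        echo "ok:   IP forwarding is enabled ($1)"
    else
        echo "FAIL: IP forwarding is off; fix with: echo 1 > /proc/sys/net/ipv4/ip_forward"
        fails=$(( fails + 1 ))
    fi
    # proxyarp lets LAN hosts reach the client's address; the rest are the
    # HOWTO's "refuse everything but MS-CHAPv2, require 128-bit MPPE" set.
    for opt in proxyarp refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if option_enabled "$2" "$opt"; then
            echo "ok:   $opt is set in $2"
        else
            echo "FAIL: $opt is missing or commented out in $2"
            fails=$(( fails + 1 ))
        fi
    done
    return $fails
}

# Demo on constructed files standing in for the real /proc and /etc paths:
# forwarding off and proxyarp commented out, as in Jeff4321's report.
demo_dir=$(mktemp -d)
printf '0\n' > "$demo_dir/ip_forward"
cat > "$demo_dir/options.pptpd" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
#proxyarp
lock
EOF
pptpd_preflight "$demo_dir/ip_forward" "$demo_dir/options.pptpd" || echo "$? check(s) failed"
rm -r "$demo_dir"
```

The return value is the number of failed checks, so the function can sit in an init script or a cron job and its exit status alone tells you whether the server is in the state the HOWTO expects.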
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Sun Feb 25, 2007 12:02 pm
What does this proposition mean?
"Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK."
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Sun Feb 25, 2007 8:04 pm Post subject: Man in trouble
Hi there, thanks to texas1emt for this very article. His article spurred me to improve my intranet server.
Not counting the previous question, I have a few more questions. Maybe someone can help me ...
I completed all the instructions in this guide and have this problem:
The connection is established, but the client can't ping any internet server ...
I suspect that something is wrong with the iptables rules ...
Any suggestions?
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Tue Feb 27, 2007 6:15 pm Post subject: Please Help
If my question is so simple or stupid, please tell me
xanas3712 Guru
Joined: 15 Oct 2004 Posts: 455
Posted: Sat Mar 03, 2007 3:07 am
JasonX wrote:
> What does this proposition mean?
> "Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK."
Can I not use an internal network computer to test or something? Will it not even try to register a connection if something has the same external IP? I've even tried using my internal IP (192.168.0.2) with no luck (again, my router is 192.168.0.1 here, and of course my localip is set to 192.168.0.2 to compensate). Is that wrong?
Just_Chris n00b
Joined: 20 Nov 2003 Posts: 23
Posted: Mon Mar 05, 2007 11:04 am Post subject: Subnet
Thanks for the nice guide - I have got this working, sort of...
I don't use IPTABLES or any firewall as I only use this to access a private lab network from a secure corporate network. Like the poster above I had to do:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
to get any traffic working.
The next problem is subnets. My private subnet is 255.255.252.0 but I can only seem to ping stuff within a 255.255.255.0 range. For example:
My local IP is 192.168.0.2 (the server)
My remote IP is 192.168.3.3 (the client)
The client can only ping stuff in the range 192.168.3.x; I want to be able to communicate with 192.168.0-3.x. I can't even ping the server lol. Anyone got any ideas about this?
EDIT: I looked at the routing entries on my client and it only created appropriate ones for a /24 subnet. Since this information presumably comes from the server (or maybe it's Windows being lame?), I should be able to change things somewhere without having to manually add a route?
_________________
Thanks,
Chris
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Sat Apr 28, 2007 9:21 pm
Hi
I'm using a hardened kernel & profile
I did all the steps that texas1emt wrote
I'm not using any firewall on my server
The server uses 1 LAN card and receives internet traffic through eth0 (from another server)
Also the clients are on the same interface as the internet (eth0)
The connection gets established fine but clients can't ping any host on the internet.
server routing table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.112   *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
client ipconfig of the internet connection:
Code:
PPP adapter Test:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.112
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.112
DNS Servers . . . . . . . . . . . : 213.184.241.5
                                    193.232.248.2
NetBIOS over Tcpip. . . . . . . . : Disabled
What is wrong?
Does the server need iproute or any other package?
Last edited by JasonX on Sun Apr 29, 2007 8:15 am; edited 3 times in total
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Sun Apr 29, 2007 8:06 am
What's wrong? Can't anybody help a man who has just set up a VPN server? What is this forum for?
here's my pptpd.conf
Code:
option /etc/ppp/options.pptpd.nodefault
localip 192.168.0.10
remoteip 192.168.0.112-120
logwtmp
here's my /etc/ppp/options.pptpd.nodefault
Code:
name pptpd
lock
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nobsdcomp
nologfd
novj
novjccomp
ms-dns 213.184.241.5
ms-dns 193.232.248.2
Machine on which the modem is situated: 192.168.0.1
Internet server: 192.168.0.10
Clients: 192.168.0.255
/etc/conf.d/net for eth0
Code:
config_eth0=( "192.168.0.10 netmask 255.255.255.0 brd 192.168.0.255" )
routes_eth0=( "default gw 192.168.0.1" )
my lan scheme:
http://img99.imageshack.us/img99/6098/lanschemeuj6.th.png
For more information see my previous post
Problem: users can't ping any host on the internet
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Tue May 08, 2007 6:18 pm Post subject: Does anyone know another HOWTO for a VPN server?
Hi, everyone.
Does anyone know another HOWTO for a VPN server?
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Thu Jun 14, 2007 1:37 pm
Hi again.
Does anybody know about peculiar properties of this howto on hardened-sources?
I have a problem with an incorrect MTU value.
JasonX n00b
Joined: 26 Jul 2006 Posts: 66 Location: Minsk
Posted: Fri Jun 15, 2007 8:09 am Post subject: Incorrect mtu value
The problem was SOLVED; see the solution here. The pptpd server was set up with the help of this howto.
Thanks to everybody who tried to assist.