Microsoft VPN client setup with pptpclient
From ArchWiki
Overview
From the pptpclient website:
"PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers."
While pptpclient is great and lightweight, it isn't exactly the easiest thing to get up and running by itself. There is another program called pptpconfig which does what I describe below and more. Unfortunately it's not in any of the repos and I couldn't get all the php4 stuff that it depends on to work. If/when it makes it into the repositories, use that instead of this.
Lastly, I got almost all of my information from this forum post (connecting to Relakks from Arch) and from the pptpclient's pages on configuring by hand and routing. If my way doesn't work for you, try those pages.
Install
The package we need is pptpclient, which is in the [core] repository.
pacman -S pptpclient
If you don't already have ppp installed, make sure pacman picks it up for you.
Configuring and Connecting
Firewall Config
If you're smart/safe you're running a firewall. If that's so, we need to make sure some things are open in order for us to be able to connect. Personally I use guarddog, in which case you just need to go to the Protocol Tab->Internet Zone->Networking and make sure PPTP is checked.
If you use firestarter, they supposedly have a workaround for VPNs, but it didn't work for me.
Lastly, if you despise all GUI-ness and still use iptables directly, check out the forum post from above; it uses iptables. For the most part it involves allowing GRE (IP protocol 47) and TCP port 1723 to the VPN server.
PPTP Config
I guess pptpsetup is made to automate the tasks described below. Just give it a try!
All (I think) configuration and running of pptpclient requires root, so first
su
Then
cd /etc/ppp
Here you should see the following files:
$ ls -l
total 36K
-rw------- 1 root root   78 2006-09-28 02:52 chap-secrets
-rwxr-xr-x 1 root root   75 2006-09-28 02:52 ip-down*
-rwxr-xr-x 1 root root   85 2006-09-28 02:52 ip-up*
-rw-r--r-- 1 root root  14K 2006-09-28 02:52 options
-rw-r--r-- 1 root root 1.7K 2006-12-25 06:06 options.pptp
-rw------- 1 root root   77 2006-09-28 02:52 pap-secrets
Of those files we only need to muck with options.pptp and chap-secrets.
My options.pptp file has these options set:
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
In chap-secrets put the username, a name to identify the server, the password, and a * for the IP addresses, in that order:
DOMAIN\\MyUserName TheServer MyPassWord *
Note: If your pptp server does not require a domain name, leave it and the slashes out.
Yes, you really did just put your password in a file in plain text, so
chmod 600 chap-secrets
If it wasn't already that way.
Now it's time to define our VPN connection:
First
mkdir peers; cd peers
Now come up with a name for your connection; I'll call it myCon.
touch myCon
Add the following lines with your editor of choice, making sure that the variables match what you defined in chap-secrets:
remotename TheServer
ipparam myCon
pty "pptp my.vpn.server --nolaunchpppd"
name DOMAIN\\MyUserName
usepeerdns
require-mppe-128
refuse-eap
noauth
file /etc/ppp/options.pptp
If you don't need MPPE support, remove the require-mppe-128 line. Keep in mind that MPPE is the only encryption PPTP provides: without it, the PPP payload crosses the GRE tunnel in the clear.
With that you should be able to execute the following command:
pon myCon
and see something like this in /var/log/daemon.log
pppd[10505]: pppd 2.4.4 started by root, uid 0
pppd[10505]: Using interface ppp0
pppd[10505]: Connect: ppp0 <--> /dev/pts/7
pptp[10506]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp[10513]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
pptp[10513]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 64029).
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:949]: PPTP_SET_LINK_INFO received from peer_callid 0
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:952]: send_accm is 00000000, recv_accm is FFFFFFFF
pptp[10513]: anon warn[ctrlp_disp:pptp_ctrl.c:955]: Non-zero Async Control Character Maps are not supported!
pppd[10505]: CHAP authentication succeeded
pppd[10505]: MPPE 128-bit stateless compression enabled
pppd[10505]: Cannot determine ethernet address for proxy ARP
pppd[10505]: local IP address <local IP address>
pppd[10505]: remote IP address <remote IP address>
pppd[10505]: primary DNS address <primary DNS>
pppd[10505]: secondary DNS address <secondary DNS>
Issuing
ifconfig ppp0
should show you an inet addr matching <local IP address> and P-t-P matching <remote IP address>.
If that didn't work, see the Troubleshooting section below.
Network Config
If the vpn server is also the computer you need to connect to, then you can skip this section. However, if you're like me, the vpn server is just a gateway and what you really want access to is the computers on the other side. There are several different methods of routing traffic through the vpn tunnel, all of which can be found here at the pptpclient's website. For my purposes, I want only traffic destined for the remote network to go through the tunnel, i.e. a Client -> LAN setup.
For this to work, you need to know what the remote network addresses start with, e.g. 192.168.10. So for every subnet on the remote network that you want to access, issue this command:
route add -net <subnet address>.0 netmask 255.255.255.0 dev ppp0
In our example of remote network addresses starting with 192.168.10, that means:
route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0
Alternatively, if you only have particular hosts on the other side you want to connect to (say 192.168.10.160), this ought to do the trick:
route add -host 192.168.10.160 dev ppp0
Now that we have that set, if pptp found DNS servers for the remote network, you'll want to add those to /etc/resolv.conf. Conveniently, pppd stores them in /etc/ppp/resolv.conf, so just take what's there and add it to the beginning of your existing resolv.conf:
mv /etc/resolv.conf /etc/resolv.conf.bak
mv /etc/ppp/resolv.conf /etc/resolv.conf
cat /etc/resolv.conf.bak >> /etc/resolv.conf
With that you should be connected! Try route, ping, and/or traceroute to see the layout of your connections.
Connection teardown
When you're done, just issue
poff myCon
Also don't forget to restore your resolv.conf:
mv /etc/resolv.conf.bak /etc/resolv.conf
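The same push/restore as the mv/cat sequence in Network Config and the teardown step above, written as two shell functions (an added example, not code from the ArchWiki page or the pptpclient project): it copies rather than moves /etc/ppp/resolv.conf, refuses to overwrite an existing backup, and drops old lines that pppd already supplied. The file paths are parameters so it can be tried on copies first; the function names are mine.

```shell
# vpn_resolv_push <resolv.conf> <ppp resolv.conf>
# Back up resolv.conf, then write the VPN's nameserver/search lines first and
# the old contents after them, skipping old lines pppd already supplied.
vpn_resolv_push() {
    sys="$1"; ppp="$2"
    if [ ! -r "$ppp" ]; then
        echo "$ppp missing: pppd got no DNS servers (is usepeerdns set?)" >&2; return 1
    fi
    if [ -e "$sys.bak" ]; then
        echo "$sys.bak exists: already pushed, refusing to overwrite the backup" >&2; return 1
    fi
    cp -p "$sys" "$sys.bak" || return 1
    # Lines from pppd, then old lines that are not exact duplicates of them.
    { grep -E '^(nameserver|search|domain) ' "$ppp"
      grep -vxF -f "$ppp" "$sys.bak"
      :; } > "$sys.tmp" && mv "$sys.tmp" "$sys"
}

# vpn_resolv_pop <resolv.conf>: put back the backup taken by vpn_resolv_push.
vpn_resolv_pop() {
    sys="$1"
    if [ ! -f "$sys.bak" ]; then
        echo "$sys.bak missing: nothing to restore" >&2; return 1
    fi
    mv "$sys.bak" "$sys"
}

# Usage on the real files (as root):
#   vpn_resolv_push /etc/resolv.conf /etc/ppp/resolv.conf   # after pon myCon
#   vpn_resolv_pop  /etc/resolv.conf                        # after poff myCon
```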
Troubleshooting
Bad config files
When my server identifier in chap-secrets didn't match what remotename was in peers/myCon, I got the following in /var/log/daemon.log:
pppd[13068]: pppd 2.4.4 started by root, uid 0
pppd[13068]: Using interface ppp0
pppd[13068]: Connect: ppp0 <--> /dev/pts/5
pptp[13069]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp[13082]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
pptp[13082]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 15473).
pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:911]: Received Call Clear Request.
pptp[13082]: anon log[pptp_read_some:pptp_ctrl.c:543]: read returned zero, peer has closed
pptp[13082]: anon log[callmgr_main:pptp_callmgr.c:255]: Closing connection (shutdown)
pptp[13082]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
pptp[13082]: anon log[pptp_read_some:pptp_ctrl.c:543]: read returned zero, peer has closed
pptp[13082]: anon log[call_callback:pptp_callmgr.c:78]: Closing connection (call state)
pppd[13068]: Modem hangup
pppd[13068]: Connection terminated.
pppd[13068]: Exit.
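A pre-flight check for exactly this mismatch between the peers file written in PPTP Config and chap-secrets, plus the chmod 600 step (an added example, not part of the ArchWiki page or the pptpclient project): run it against /etc/ppp/peers/myCon and /etc/ppp/chap-secrets before pon. The function name is mine, and it assumes unquoted chap-secrets fields as in the example above.

```shell
# vpn_check_peer <peers file> <chap-secrets>
# Confirms that the peer's "name"/"remotename" pair has a matching client/server
# line in chap-secrets and that chap-secrets is mode 600. Assumes unquoted
# fields, as in the example above (pppd also accepts quoted ones).
vpn_check_peer() {
    peer="$1"; secrets="$2"; rc=0
    if [ ! -s "$peer" ] || [ ! -r "$secrets" ]; then
        echo "cannot read $peer or $secrets" >&2; return 1
    fi
    # First file (FNR==NR): pick up name/remotename. Second file: look for a
    # non-comment line whose client and server fields equal that pair. Both
    # values are read from files, so the backslashes in DOMAIN\\user compare as-is.
    awk 'FNR == NR { if ($1 == "name") n = $2; if ($1 == "remotename") r = $2; next }
         $1 !~ /^#/ && $1 == n && $2 == r { found = 1 }
         END {
             if (n == "" || r == "") { print "peers file needs both name and remotename" > "/dev/stderr"; exit 1 }
             if (!found) { print "no chap-secrets line for client " n " on server " r > "/dev/stderr"; exit 1 }
         }' "$peer" "$secrets" || rc=1
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c %a "$secrets" 2>/dev/null || stat -f %Lp "$secrets")
    case "$mode" in
        600|400) ;;
        *) echo "$secrets is mode $mode, not 600: the password is readable by others" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Usage (as root): vpn_check_peer /etc/ppp/peers/myCon /etc/ppp/chap-secrets && pon myCon
```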
Firewall isn't configured correctly
If this is the case you should see logs from your firewall blocking things from your IP to my.vpn.server, but in case it helps, here is what it looks like in the pppd logs.
When the firewall is blocking things
pppd[25387]: pppd 2.4.4 started by root, uid 0
pppd[25387]: Using interface ppp0
pppd[25387]: Connect: ppp0 <--> /dev/pts/7
pptp[25388]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pppd[25387]: LCP: timeout sending Config-Requests
pppd[25387]: Connection terminated.
pppd[25387]: Modem hangup
pppd[25387]: Exit.
When the firewall is rejecting things
pppd[24971]: pppd 2.4.4 started by root, uid 0
pppd[24971]: Using interface ppp0
pppd[24971]: Connect: ppp0 <--> /dev/pts/7
pptp[24972]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp[24974]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection refused
pptp[24974]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 206.169.229.172
pptp[24972]: anon fatal[open_callmgr:pptp.c:439]: Call manager exited with error 256
pppd[24971]: Modem hangup
pppd[24971]: Connection terminated.
pppd[24971]: Exit.
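The three failure signatures above and the successful run, turned into a small classifier for a /var/log/daemon.log excerpt (an added example, not from the ArchWiki page or the pptpclient project). The verdict names and the sample excerpts at the bottom are constructed by me; the matched phrases are the ones quoted on this page.

```shell
# vpn_diagnose: read a pppd/pptp excerpt from daemon.log on stdin and print a
# one-word verdict, returning 0 only when the tunnel came up. The order matters
# because all of the failed runs share the generic "Modem hangup" lines.
vpn_diagnose() {
    log=$(cat)
    case "$log" in
        *'Could not open control connection'*|*'connect: Connection refused'*)
            echo "tcp-1723-refused"; return 1 ;;   # control channel rejected (firewall or server)
        *'LCP: timeout sending Config-Requests'*)
            echo "gre-blocked"; return 1 ;;        # TCP 1723 worked, but GRE (protocol 47) is dropped
        *'Received Call Clear Request'*)
            echo "call-cleared"; return 1 ;;       # server hung up after call setup: check chap-secrets/remotename
        *'CHAP authentication succeeded'*)
            ip=$(printf '%s\n' "$log" | sed -n 's/.*local IP address \([^ ]*\).*/\1/p' | tail -n 1)
            echo "up ${ip:-?}"; return 0 ;;
    esac
    echo "unknown"; return 2
}

# Constructed excerpts mirroring the four cases on this page (pids arbitrary,
# addresses from the 192.0.2.0/24 documentation range).
SAMPLE_UP='pppd[10505]: CHAP authentication succeeded
pppd[10505]: MPPE 128-bit stateless compression enabled
pppd[10505]: local IP address 192.0.2.10
pppd[10505]: remote IP address 192.0.2.1'
SAMPLE_BADCONF='pptp[13082]: anon log[ctrlp_disp:pptp_ctrl.c:911]: Received Call Clear Request.
pppd[13068]: Modem hangup
pppd[13068]: Connection terminated.'
SAMPLE_DROP='pppd[25387]: LCP: timeout sending Config-Requests
pppd[25387]: Connection terminated.'
SAMPLE_REJECT='pptp[24974]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection refused
pppd[24971]: Modem hangup'

for s in "$SAMPLE_UP" "$SAMPLE_BADCONF" "$SAMPLE_DROP" "$SAMPLE_REJECT"; do
    printf '%s\n' "$s" | vpn_diagnose || :    # non-zero status marks a failed run
done
```

On a live system, feed it the tail of the log after pon, e.g. `grep -E 'pppd|pptp' /var/log/daemon.log | tail -n 25 | vpn_diagnose`.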
More debugging
See also: pptpclient fault tree