I have set up a VPN over PPTP on a CentOS server using the DKMS module rpm dkms-0-2.0.6-3.el4 from http://centos.karan.org/el4/extras/stable/i386/RPMS/repodata/repoview/dkms-0-2.0.6-3.el4.kb.html

and

kernel_ppp_mppe-0.0.5-2dkms.noarch.rpm at http://pptpclient.sourceforge.net/howto-fedora-core-3.phtml.

I have configured the pptpd server on CentOS 4 to use MS_CHAPv2, 128-bit encryption and to assign server side and client IP addresses in the range a.b.c.42-48 and a.b.c.52-58 respectively.

I have also opened the firewall for TCP port 1723 and the GRE protocol (47).

I have configured a Microsoft Win2Kpro client and I can connect and establish a VPN. However I am missing something because:

1. If I try and connect to a machine on the local network segment then the VPN channel is not used (this is probably the correct behaviour but it is not what I want and I need to know how to force local network paths over an encrypted connection).

2. If I try and connect to a host outside our local network then the traffic is not routed out through the gateway but it does travel over the VPN to the local pptpd server.

So, what am I missing in all of this? Are there options for the pptpd that I need to set for this to work?

I have a similar problem when I connect from outside the local network segment. The VPN connects but then I cannot reach any other host.

Any suggestions are welcome. I am a digest subscriber so if you could copy my email address on your reply then I would be appreciative.

Regards,
Jim

-- 
*** e-mail is not a secure channel ***   mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                           Harte & Lyne Limited
vox: +1 905 561 1241                     9 Brockley Drive
fax: +1 905 561 0757                     Hamilton, Ontario
<token> = hal                            Canada L8E 3C3
On 1 Nov 2005 at 11:25, Joe Pruett wrote:

> on the windows box deep in the network properties for the vpn you'll
> find the 'use default gateway on this interface' or something very much
> like that. uncheck that and then regular internet traffic will not go
> over the vpn.

Thank you. I found a fairly well written FAQ on what can go wrong with VPN, which of course I cannot find at the moment. The basic problem with my setup as originally given is that VPNs cannot connect over IPs belonging to the same netblock as the physical NICs. So the client end has to have an IP address assigned by the pptpd that is on a different netblock from that assigned to its NIC.

I changed the client side IP address assignment and I can now get a VPN link to the PPTPD host, but I cannot get a route off that box. Once I get past that problem then I will post a summary of what I did. This is evidently a routing issue, as you have pointed out, but one that is probably a by-product of some configuration error I have made to the pptpd options.

Regards,
Jim

-- 
*** e-mail is NOT a secure channel ***
James B. Byrne            mailto:ByrneJB.<token>@Harte-Lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3CE            delivery <token> = hal
On Tue, 2005-11-01 at 22:53, James B. Byrne wrote:

> On 1 Nov 2005 at 11:25, Joe Pruett wrote:
>
> > on the windows box deep in the network properties for the vpn you'll
> > find the 'use default gateway on this interface' or something very much
> > like that. uncheck that and then regular internet traffic will not go
> > over the vpn.
>
> Thank you. I found a fairly well written faq on what can go wrong
> with vpn, which of course I cannot find at the moment. The basic
> problem with my setup as originally given is that VPNs cannot connect
> over IPs belonging to the same netblock as the physical NICs. So
> the client end has to have an IP address assigned by the pptpd that
> is on a different netblock from that assigned to its NIC.
>
> I changed the client side IP address assignment and I can now get a
> VPN link to the PPTPD host, but I cannot get a route off that box.
> Once I get past that problem then I will post a summary of what I did.
> This is evidently a routing issue, as you have pointed out, but one
> that is probably a by-product of some configuration error I have made
> to the pptpd options.

Does the rest of the world have a route back to the server for that new IP address? That is, you may be using the VPN address as your source and the server side as your default gateway so the packets go out, but you need routes back for the return packets.

-- 
Les Mikesell
lesmikesell at gmail.com
On 1 Nov 2005 at 11:25, Joe Pruett wrote:

> as for your local traffic, the vpn only sets up a route for the
> natural netmask of the remote end. so if the vpn server is
> 192.168.1.4, then a route for 192.168.1.0/24 will be installed.
> you can see what routes get setup via 'route print' at a dos
> prompt. if you need other routes setup, then you have to do it
> manually after the vpn is running. i seem to recall there might
> be a way to invoke the vpn from a command script, so you might be
> able to start it and add the routes from a .bat file.

Thank you for the assistance. I have reached the point where I seem to have resolved all the firewall issues that were contributing to my problems and I can now reliably connect a VPN between my MS-W2K box on one C class to a CentOS 4.2 box running PopTop pptpd with 128-bit MPPE. As you anticipated, now I am down to routing problems.

I have set up the pptpd server to supply a non-routable address in the range 192.168.209.194-254 as the client side IP and a routable address from the remote C block as the server side.

I have very little knowledge and even less experience with this so please bear with me. Here is what I want to do:

Case 1. Typical:

From any arbitrary external IP address, establish a VPN to a pptpd server inside our firewall that will route all traffic consigned to our internal network over that VPN while all other traffic goes over the gateway established before the VPN is set up.

I cannot seem to get this to work with the MS network connection client. I have turned off the "use default gateway on remote network" option in the TCP/IP advanced networking options in the MS client, but the only effect that seems to have is that no traffic goes over the VPN at all. I have confirmed via tracert that the destination IP of the VPN tunnel is recognized on the eth0 interface and responds to ping and traceroute, but the routing from my test workstation is invariably over the public gateway and not via the VPN.

Case 2.

All traffic is routed over the VPN and then, if necessary, out onto the Internet via our own gateway. I need to get case 1 working before I do this, but this will be another requirement that will have to be available in addition to case 1 for some users.

What I need is a way of configuring VPN clients on Windows 2K and XP Pro so that these two cases work automatically from some sort of simple to deploy client install script. I am open to using alternative VPN client software if that is required.

As this is evidently a client side problem I understand that it is not strictly CentOS related. However, this issue naturally falls on the server end to provide an answer and I hope that someone here has gone through this already and can provide me with some advice or referrals to other venues for help.

Presently, this is what I get on the MS-W2K client when I establish a VPN between netblock A and netblock B:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 48 54 8c 2a fb ...... NDIS 5.0 driver
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway         Interface  Metric
          0.0.0.0          0.0.0.0              A.1             A.77       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.209.0    255.255.255.0  192.168.209.214  192.168.209.214       1
  192.168.209.214  255.255.255.255        127.0.0.1        127.0.0.1       1
  192.168.209.255  255.255.255.255  192.168.209.214  192.168.209.214       1
             B.21  255.255.255.255              A.1             A.77       1
              A.0    255.255.255.0             A.77             A.77       1
             A.77  255.255.255.255        127.0.0.1        127.0.0.1       1
            A.255  255.255.255.255             A.77             A.77       1
        224.0.0.0        224.0.0.0  192.168.209.214  192.168.209.214       1
        224.0.0.0        224.0.0.0             A.77             A.77       1
  255.255.255.255  255.255.255.255             A.77             A.77       1
Default Gateway:             A.1
===========================================================================
Persistent Routes:
  None

The only route to the B network seems to go through the usual gateway A.1 and not over the VPN.

If I do NOT clear the use default GW option then all traffic goes from the client on A.77 over the VPN Default Gateway (192.168.209.214), reaches the IP at the server end (B.214), but then is not routed off the pptpd server (forwarding is enabled):

# cat /proc/sys/net/ipv4/ip_forward
1

Regards,
Jim

-- 
*** e-mail is not a secure channel ***   mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                           Harte & Lyne Limited
vox: +1 905 561 1241                     9 Brockley Drive
fax: +1 905 561 0757                     Hamilton, Ontario
<token> = hal                            Canada L8E 3C3
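An added example, not part of the thread and not Jim's, Joe's or PopTop's code: it replays the longest-prefix match the Windows stack performs over the route print table above, then models the manual route for the remote block that Joe Pruett suggested adding after the tunnel is up. The anonymised A and B netblocks are assumed to be the constructed documentation ranges 203.0.113.0/24 (client LAN, client A.77, gateway A.1) and 198.51.100.0/24 (remote office, pptpd public address B.21); the client end of the PPP link is 192.168.209.214 as in the table.

```python
import ipaddress

# Constructed stand-in for the "route print" table in the message above, with
# the anonymised netblocks replaced by documentation ranges: A = 203.0.113.0/24
# and B = 198.51.100.0/24. Columns: destination, netmask, gateway, interface.
ROUTE_PRINT = """
0.0.0.0          0.0.0.0          203.0.113.1      203.0.113.77
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1
192.168.209.0    255.255.255.0    192.168.209.214  192.168.209.214
192.168.209.214  255.255.255.255  127.0.0.1        127.0.0.1
192.168.209.255  255.255.255.255  192.168.209.214  192.168.209.214
198.51.100.21    255.255.255.255  203.0.113.1      203.0.113.77
203.0.113.0      255.255.255.0    203.0.113.77     203.0.113.77
203.0.113.77     255.255.255.255  127.0.0.1        127.0.0.1
203.0.113.255    255.255.255.255  203.0.113.77     203.0.113.77
224.0.0.0        224.0.0.0        192.168.209.214  192.168.209.214
224.0.0.0        224.0.0.0        203.0.113.77     203.0.113.77
255.255.255.255  255.255.255.255  203.0.113.77     203.0.113.77
"""

VPN_IP = "192.168.209.214"  # client end of the PPP link, as in the table


def parse_routes(text):
    """Turn 'dest mask gateway iface' rows into (network, gateway, iface)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, as the Windows stack does; all metrics are 1."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return (best[1], best[2]) if best else None


def next_hop(destination, remote_block=None):
    """(gateway, interface) a packet for `destination` leaves the client by.
    With remote_block set, model Joe's manual 'route add' over the PPP link;
    the /32 for the tunnel endpoint B.21 must keep pointing at A.1, or the
    tunnel's own GRE traffic would be routed into the tunnel."""
    routes = parse_routes(ROUTE_PRINT)
    if remote_block:
        routes.append((ipaddress.ip_network(remote_block), VPN_IP, VPN_IP))
    return lookup(routes, destination)
```

With the table as posted, any B host other than B.21 falls through to the 0.0.0.0/0 entry via A.1; only once 198.51.100.0/24 is added via 192.168.209.214 does that traffic use the VPN, while the B.21/32 entry still wins for the endpoint itself.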
I tried several times to get a VPN working - I tried

1) Tunneling IP over SSH fw.
2) IPSec
3) PPTP

All were painful, and often unreliable. (I'd do a kernel update, and suddenly VPN would die a horrible death, and I'd have to recompile a bunch of stuff to get it back up - ugh)

The best way, bar none, no exceptions, is using OpenVPN. Cross platform, fairly quick setup, good security, highly reliable. After a few hours of tinkering during setup, "it just works" and has done so very reliably under rather demanding circumstances for over a year. Probably the worst part was setting up the routing tables on either end, and that seems to be a PITA regardless of your VPN solution...

The only downside I can find to OpenVPN is that it requires a process on the GW for each connection, so this could get cumbersome if you have hundreds of simultaneous connections. But, with my half-dozen connections, it works fantastically!

Cheers!
-Ben

On Monday 31 October 2005 13:27, James B. Byrne wrote:

> I have set up a VPN over PPTP on a CentOS server using the
> DKMS module rpm dkms-0-2.0.6-3.el4 from
> http://centos.karan.org/el4/extras/stable/i386/RPMS/repodata/repoview/dkms-0-2.0.6-3.el4.kb.html
>
> and
>
> kernel_ppp_mppe-0.0.5-2dkms.noarch.rpm at
> http://pptpclient.sourceforge.net/howto-fedora-core-3.phtml.
>
> I have configured the pptpd server on Centos4 to use MS_CHAPv2,
> 128bit encryption and to assign server side and client IP addresses
> in the range a.b.c.42-48 and a.b.c.52-58 respectively.
>
> I have also opened the firewall for tcp port 1723 and the GRE
> protocol (47).
>
> I have configured a Microsoft Win2Kpro client and I can connect and
> establish a VPN. However I am missing something because:
>
> 1. If I try and connect to a machine on the local network segment
> then the VPN channel is not used (this is probably the correct
> behaviour but it is not what I want and I need to know how to force
> local network paths over an encrypted connection).
>
> 2. If I try and connect to a host outside our local network then
> the traffic is not routed out through the gateway but it does
> travel over the vpn to the local pptpd server.
>
> So, what am I missing in all of this? Are there options for the
> pptpd that I need to set for this to work?
>
> I have a similar problem when I connect from outside the local
> network segment. The vpn connects but then I cannot reach any
> other host.
>
> Any suggestions are welcome. I am a digest subscriber so if you
> could copy my email address on your reply then I would be
> appreciative.
>
> Regards,
> Jim
>
> -- 
> *** e-mail is not a secure channel ***   mailto:byrnejb.<token>@harte-lyne.ca
> James B. Byrne                           Harte & Lyne Limited
> vox: +1 905 561 1241                     9 Brockley Drive
> fax: +1 905 561 0757                     Hamilton, Ontario
> <token> = hal                            Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978