Howto setup Microsoft VPN with gpptp (4.12 - 4.31) + (5.xx)

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#21 Post by jafadmin »

One important note.

I have not been able to assign a default route to a pptp vpn tunnel in the puppy implementation of ppp.

If your network admins assume you can set the default route to the VPN tunnel, there will be issues. You will need them to tell you the networks inside their company that you need to reach and set the routes to them after connecting.

I'm working on trying to find out what the underlying problem is with this.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#22 Post by I Have a New Puppy »

Thanks for all your replies so far.
jafadmin, it's not my intention to frustrate you, and I apologize
that my lack of networking knowledge is annoying.

I want to route ALL traffic through ppp0, and none through
the wlan0 (which I guess makes it a "pass-through"). If the
VPN connection drops, I don't want any data to leak through
wlan0 in the clear because I use public wifi often enough
to be concerned about security.

I'm using my desired VPN right now, but in Windows through wifi.
I've set up several VPNs through MS over the years, but I've never
had to change any routing -- hence the trouble now. I've thoroughly gone
through my VPN's manual (nothing for Linux, naturally).

My VPN server has an IP domain 78.x.x.x that is used for GPPTP logon.
This is a different IP from the 192.168.2.1 seen in resolv.conf, route, etc.
I have not tried the 78.x.x.x within any route add -net command.

jafadmin, from your first post here, I'd assumed that running
"route" and "ip addr" would give me what I needed to
write my own "route add -net" command. It did not for me,
and even copying the data here was apparently insufficient
for anybody else here.

I tried your:
route add -net 192.168.2.0/24 ppp0
and it didn't reroute traffic through the VPN, at least
not through the browser.


___________
The most promising to date has been:
route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0

. . . which allowed me to ping 192.168.2.1 from both blinkys,
and ppp0 showed traffic. There was no browser ppp0 traffic, however.

What I will next try is this, and report back:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.2.1/32


________
OK, to get back on track, here is my info after GPPTP was connected:


WHAT I GOT FROM ROUTE:
Destination Gateway Genmask Flags Iface
192.168.2.1 * 255.255.255.255 UH ppp0
192.168.0.0 * 255.255.255.0 U wlan0
169.254.0.0 * 255.255.0.0 U wlan0
default 192.168.0.1 0.0.0.0 UG wlan0


WHAT I GOT FROM LINUX IP ADDR:
inet 192.168.0.12/24 brd 192.168.0.255 scope global wlan0
inet 192.168.2.54 peer 192.168.2.1/32 scope global ppp0


WHAT I GOT FROM LINUX resolv.conf
nameserver 192.168.2.1
nameserver 208.67.222.222 (this secondary IP is mentioned in my VPN provider's manual, but not one I want to use)


I can also paste here results of MS and PL route traces, if nec.

Based on the above, here is what I so far understand:

VPN logon IP domain: 78.x.x.x
VPN peer address: 192.168.2.1/32 (Windows calls it 192.168.2.1)
gateway assigned by my ISP: 192.168.0.1

I understand that once connected to the VPN, it assigns a varying
inet address of 192.168.2.x, and that such isn't used in any routing
commands. It is the never-changing peer of 192.168.2.1/32 that
is relevant here.

192.168.1.0 isn't in any of my routing tables.
Now, instead of 192.168.1.0, isn't 169.254.0.0 my route to external networks
(ADSL is passing through wlan0)? Jafa calls this the
"placeholder for your corp subnet", if I understand correctly (though
I could easily have this wrong).

If correct, then wouldn't 169.254.0.0 be used in the new route, i.e.:

route add -net 169.254.0.0 netmask 255.255.255.0 gw 192.168.2.1/32



Now, to my final questions_____________________

1) which IP to enter after "route add -net"?

(Is it the VPN's domain of 78.x.x.x, 192.168.1.0, 192.168.2.1,
jafa's rec. of 192.168.2.0/24, 169.254.0.0, or some other 192.168.x.x?)


2) must I then include "netmask 255.255.255.0"?

(My VPN provider's manual specifies so for Macs, but Windows
has assigned it 255.255.255.255 and VPN works fine. PL also assigns
ppp0 the mask of 255.255.255.255, but that is somehow the problem?
You can understand why this seems confusing.)


3) must I then include any "gw x.x.x.x", or is "dev ppp0" sufficient?

(If gw is to be 192.168.2.1, would it necessarily be 192.168.2.1/32?)


4) must I then follow up with "ip route replace default dev ppp0" to
force all traffic to VPN, or was that accomplished through the above?


(I tried that after what seemed a promising route add -net, and
got an infinite upload thing and only through ppp0. Had to killall pppd.)


5) Will killall pppd after each unsuccessful "route add" attempt
restore the original routing table, or must I use "route del" each time?



6) Finally, before shutdown, must I undo any of the above for wlan0 to
automatically connect after the next boot? Do I need to add an
ip-down script, or does closing GPPTP revert traffic back to wlan0?
Lastly, you want to make sure that when you close the connection, you correct the routing table. Add the following lines to a script here: /etc/ppp/ip-down.d/routing, and chmod +x so that it can execute.
route del -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
route del -host 22.0.0.22 gw 10.20.0.36
And again, make sure that script executes by referencing it as in the above by putting a line in /etc/ppp/ip-down.
/etc/ppp/ip-down.d/routing
http://ubuntuforums.org/showpost.php?p= ... tcount=121

_______
After absorbing that very helpful post, I'm seriously suspecting that I
need to add something like these two entries to the routing table:

route add -host (remoteserver: 78.x.x.x or 192.168.2.1?) gw (ADSL Router's address: 192.168.0.1?)
route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0

This would add a new route flagged UGH for ppp0.

jafa, what are your thoughts on this? Do I need to add a new host
before a new route?



___________
Routing issues by Linux PPTP clients seem ubiquitous.
btw, I've scoured 20 pages from an Ubuntu forum:
http://ubuntuforums.org/showthread.php?t=91249&page=13

Post #121 has been very helpful; maybe there's something there
to add in our PL thread to clarify things? (It was there that I learned
of "ip route replace default dev ppp0".)

I'm learning a lot about networks from:
http://pptpclient.sourceforge.net/routi ... lan-to-lan
http://pptpclient.sourceforge.net/routi ... adsl.phtml

Sorry for the lengthy post, but I want to be thorough.
Thanks for your patience; I'm trying mightily to understand all this.
I know that I'm very nearly there.
This thread will help get many Puppy-walkers up to GPPTP speed.

Jafa, my hearty thanks for your help here, and in reconfiguring GPPTP!

Regards,
Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#23 Post by jafadmin »

Ken,
As I said in the post just above yours, I haven't had any luck yet assigning a default route to a pptp vpn. I'm trying to find out what is prohibiting this in puppy.

So if you're trying to make all your web browsing go through this vpn connection, I'm afraid you're out of luck until I (or someone else) can find a solution to this.

That said, a command like:

route add -net 192.168.0.0 netmask 255.255.0.0 ppp0

Would route all 192.168 traffic over the VPN. (except what's on the wlan0 subnet, of course)

192.168.0.0 means: 192.168. anything . anything
netmask 255.255.0.0 means: 255.255. anything . anything

So what this does is create a route to the entire 192.168.whatever range of ip subnets over the vpn, except the one you're directly connected to with wlan0.
Last edited by jafadmin on Sat 06 Jun 2009, 20:58, edited 1 time in total.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#24 Post by I Have a New Puppy »

Thanks, but it's an unexpected bummer, obviously.

I'll try your suggestions and report back. I appreciate the prompt help!

Has anyone built their own PPTP client for Puppy, or
will not even that work until Puppy is fixed?

Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#25 Post by jafadmin »

I Have a New Puppy wrote: Thanks, but it's an unexpected bummer, obviously.

I'll try your suggestions and report back. I appreciate the prompt help!

Has anyone built their own PPTP client for Puppy, or
will not even that work until Puppy is fixed?

Ken

Gpptp is just a front-end that calls pptp and pppd to create the tunnels. The problem is somehow related to how those get configured. They are standard components to linux.

I'm researching this. If I find the fix I'll post it.

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#26 Post by disciple »

disciple wrote: When I tried it before though, my network still worked after I killed pppd

Aha - it seems whatever is dealing with the routing doesn't necessarily notice straight away when pppd is killed - sometimes the local network / internet will keep working for a little while afterwards.

Your latest version restores the network OK, thanks.

BTW does anyone know where the routing table is actually kept?
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#27 Post by jafadmin »

disciple wrote:
disciple wrote: When I tried it before though, my network still worked after I killed pppd
Aha - it seems whatever is dealing with the routing doesn't necessarily notice straight away when pppd is killed - sometimes the local network / internet will keep working for a little while afterwards.

Your latest version restores the network OK, thanks.

BTW does anyone know where the routing table is actually kept?

/proc/net/route
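
Added example (not code from any poster in this thread): a Python sketch that reads a table in /proc/net/route format and applies longest-prefix matching, showing why a subnet route on ppp0 still leaves other traffic on the wlan0 default route. The sample table is constructed from the figures posted in #22 and #23; the function names are hypothetical, the hex decoding assumes a little-endian (x86) host, and route metrics are ignored.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/route format (hex, little-endian host).
# It mirrors the table posted in #22, plus the 255.255.0.0 route from #23.
SAMPLE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "ppp0\t0102A8C0\t00000000\t0005\t0\t0\t0\tFFFFFFFF\t0\t0\t0\n"   # 192.168.2.1 UH
    "wlan0\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"  # 192.168.0.0/24
    "ppp0\t0000A8C0\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"   # 192.168.0.0/16
    "wlan0\t0000FEA9\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"  # 169.254.0.0/16
    "wlan0\t00000000\t0100A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"  # default UG
)


def hex_to_ip(field):
    """Decode one hex column; the kernel prints the address byte-reversed on x86."""
    return ipaddress.IPv4Address(struct.pack("<I", int(field, 16)))


def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples from /proc/net/route text."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        iface, dest, gw, mask = cols[0], cols[1], cols[2], cols[7]
        prefix = bin(int(hex_to_ip(mask))).count("1")   # netmask -> prefix length
        net = ipaddress.IPv4Network((hex_to_ip(dest), prefix))
        routes.append((net, hex_to_ip(gw), iface))
    return routes


def egress(routes, dst):
    """Interface chosen for dst: the most specific (longest-prefix) matching route."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None                             # no route at all
    return max(matches, key=lambda r: r[0].prefixlen)[2]


def outside_tunnel(routes, destinations, tunnel="ppp0"):
    """Destinations whose traffic would NOT leave through the tunnel interface."""
    return [d for d in destinations if egress(routes, d) != tunnel]


if __name__ == "__main__":
    # On a live system: table = parse_routes(open("/proc/net/route").read())
    table = parse_routes(SAMPLE)
    for host in ("192.168.2.1", "192.168.7.9", "192.168.0.20", "203.0.113.10"):
        print(host, "->", egress(table, host))
```

With the sample table, only addresses inside 192.168.x.x but outside the wlan0 subnet leave through ppp0; anything else, such as the public test address, still follows the default route on wlan0.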

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#28 Post by PaulBx1 »

Do the symptoms of this problem match none of the examples on http://pptpclient.sourceforge.net/howto-diagnosis.phtml? It's pretty extensive...

This might also be of interest:
All Traffic Through Tunnel
by James Cameron
30th December 2002

Some sites ask that you route all your traffic through the tunnel. This is also the default behaviour of the Microsoft VPN client. You may not want to do this, as it can slow your internet performance.

GUI Note
If you are using the pptpconfig GUI then Stop the tunnel, select it again, then on the Routing tab, click on All to Tunnel, then click Update and try Start again. The remainder of this section covers alternate methods.
http://pptpclient.sourceforge.net/routing.phtml#same-ip

It occurs to me it might be interesting to see how their pptpconfig GUI handles this.

I don't know if this is a help. I'm barely understanding what is going on here... :roll:
Last edited by PaulBx1 on Mon 08 Jun 2009, 16:31, edited 1 time in total.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#29 Post by jafadmin »

PaulBx1 wrote: Do the symptoms of this problem match none of the examples on http://pptpclient.sourceforge.net/howto-diagnosis.phtml? It's pretty extensive...

Thanks for that link, but no. pppd makes the connection and sets up the tunnel ok. You can ping the peer ip address of the vpn server. You can set any kinds of routes you want to the ppp* once connected except a default route. In other words, you cannot successfully do:

route add -net 0.0.0.0 netmask 0.0.0.0 ppp0 , or ...
route add default ppp0

What happens at that point is that the "route -n" command will show the default route set to the relevant ppp* in the routing table, but all routing on the pc stops. After that you can only ping the ppp* peer address of the vpn server.

I'm not even sure it's pppd/ppp that's the issue. It might be the BusyBox variant of the "route" command that is the culprit. I'm currently working on testing that possibility. (although a look at the /proc/net/route file looks normal enough) :?

jafa

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#30 Post by I Have a New Puppy »

jafa, once you fix PL's issue, would the correct command then be:
route add -net 192.168.0.0 netmask 255.255.255.0 ppp0

Do you think that a new host must be added before that?
I understand that all this is theoretical until the deeper problem
is fixed, but after so much time on it, I'm naturally curious!


____________
OK, what about a meanwhile option of at least being able to
route all SeaMonkey traffic through VPN?
Will its proxy settings
to (in my case) 192.168.2.1 do the trick? Which port? Which proxy
setting option: auto config, etc.?


____________
Speaking of proxies, my MS route print of the same VPN showed
something interesting: routes through 127.0.0.1, which I didn't
suspect a VPN (versus SSH tunnel or stunnel.exe) would need.
In case this is helpful, here they are:

Network Destination Netmask Gateway Interface
(ppp0 DHCP IP) 255.255.255.255 127.0.0.1 127.0.0.1
(wlan0 DHCP IP) 255.255.255.255 127.0.0.1 127.0.0.1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1

Something else interesting is that MS creates a route for the VPN
logon domain as destination, with wlan0 as interface:

78.x.x.x 255.255.255.255 192.168.0.1 wlan0

Might this be necessary in PL's routing table, or will the fix let PL
create such automatically as GPPTP should?

______________
Finally, a Linux programmer friend offered to build an OpenVPN client
for Puppy. (OpenVPN is the way to go for security.) Is anybody
else interested in this? He's bored and has the time!

______________
Jafa, best of success to you in your fix, and thanks for your work!

Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#31 Post by jafadmin »

I Have a New Puppy wrote: jafa, once you fix PL's issue, would the correct command then be:
route add -net 192.168.0.0 netmask 255.255.255.0 ppp0

Ken

That route will give you access to: 192.168.0.1 thru 192.168.0.254 (254 addresses)

route add -net 192.168.0.0 netmask 255.255.0.0 ppp0

will give you access to: 192.168.0.1 thru 192.168.254.254 (65,533 addresses)

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#32 Post by I Have a New Puppy »

Understood finally about the whole subnet thang, thanks.

To access addresses 192.168.2.1 through 192.168.2.254
(which would cover my VPN's DHCP IPs) would be:

route add -net 192.168.2.0 netmask 255.255.255.0 ppp0


_________
Were any of my M$ route print data helpful?
Do you want the whole table?

Can at least browser traffic be forced through VPN via proxy settings?

Thanks,
Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#33 Post by jafadmin »

I Have a New Puppy wrote:
Were any of my M$ route print data helpful?
Do you want the whole table?

Can at least browser traffic be forced through VPN via proxy settings?

Thanks,
Ken

1. No, I don't need to see any more route tables.

2. If there is a proxy server on the subnet you are connecting to over VPN, then you can set that in your browser and get to the web.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#34 Post by jafadmin »

jafadmin wrote: One important note.

I have not been able to assign a default route to a pptp vpn tunnel in the puppy implementation of ppp.

If your network admins assume you can set the default route to the VPN tunnel, there will be issues. You will need them to tell you the networks inside their company that you need to reach and set the routes to them after connecting.

I'm working on trying to find out what the underlying problem is with this.

I have been testing Barry's latest version of puppy (Woof Alpha 9) and the problem with the default route seems to be gone in that version. As more info becomes available we'll let you know.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#35 Post by I Have a New Puppy »

What's the latest on all this, please?
Does the newer Puppy VPN work?
Does the code have the answer to fix 4.21, or must I install the new Puppy?

Thanks!

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#36 Post by jafadmin »

This version of gpptp works fine except that you cannot assign the default route through the vpn. This appears to be a problem with all 4.xx puppy versions. Puppy versions based on "Jaunty" don't have this problem. If you want to be able to set the default route through your vpn then I recommend using one of the jaunty based puppys.

Other than that one difference, this enhanced version of gpptp will work with either.

The inability to set a default route through a vpn has nothing to do with the gpptp app. It's a limitation of the "ppp" and "route" utilities in the standard puppy kernels.

I hope this clears it up a little ...

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#37 Post by jafadmin »

I have compiled a new version of gpptp for puppy 5.28. It's available in my top post.

VPN on the lucid kernel is much smoother and you don't need to worry about the route assignments as much. It will automatically route all traffic (default route) through the VPN connection.

You can start the gui and connect, then kill the gui. When you restart it, it will know you have an active VPN session already running, and offer you a button to disconnect. When you disconnect via the gui it fixes up your routes and DNS.

Good Luck!

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#38 Post by disciple »

Can you please provide the source?
Thanks.