Howto setup Microsoft VPN with gpptp (4.12 - 4.31) + (5.xx)

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#16 Post by jafadmin »

If you can't ping the peer you probably won't be able to set a route. Disregard the blinky thing. It is misleading.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#17 Post by PaulBx1 »

Ken, you must be connecting to a particular VPN server. Are they no help in setting up this thing? Shouldn't they have instructions, just as if you were doing an ordinary connection to an ISP?

I too find these instructions confusing. I don't know if the 192.168.1.0/24 network is supposed to be entirely on the VPN server, or maybe has something to do with the local router, or what. I don't know if 192.168.1.142 is the gateway on the local router, or something on the server. It's not clear what devices and lans we are talking about. Most local router lans are 192.168.1.0/24 by default...

Maybe jafadmin could make a picture, an example setup showing the lan(s) and what addresses are where?

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#18 Post by jafadmin »

Ok guys, it's beyond the scope of this topic to explain networking to people.

If you don't understand that 192.168.1.0 (or 192.168.168.0 for that matter) are class C subnets with 254 addresses in the range 192.168.1.1 to 192.168.1.254 for instance, then you need the people whose network you're trying to connect to help you with the routing.

You guys need to at least know the address range of the network you're trying to connect to for me to be of help with routing. I'm just making assumptions based on the addresses that you are posting.

jafa

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#19 Post by PaulBx1 »

Well, I don't think you need to go back that far. :)

I'd suggest you assume people interested in this have managed to get their ordinary networks going, and do understand about the basics of subnets and whatnot. Also assume this is the first time they have ever tried to get VPN going, so that what they are shaky on is not network basics, but the additional increment of knowledge for getting VPN working.

For example, there are apparently 3 kinds of VPN setups, from what I have read about them. Does your procedure cover all 3, or is there just one that it is for? What is the big picture; is this as if we are (for example) home trying to connect to our corporate network? What does "lanside" mean? What does "vpn peer" mean? Where do we find the "peer ip" in the output of the "ip addr" command? Can we see an example of the output of your "ip addr" command, both before and after you did those steps? What, generally speaking, was being accomplished by the first 4 steps of your procedure? If you don't mean any of this to have anything to do with the user's local router, why use an address like 192.168.1.0 as the target of your "route add" command, when such an address is almost certainly used by default for the router's local net? (I understand this private address - address range - may legally be used in both lans, but for the purposes of illustration different addresses should be used on the different subnets.) Why not show the "route add" command you actually used on your system? What kinds of information are the service providers expected to supply? Wouldn't it normally be a public address? If so, why does the route add command not have a public address?

These are questions that occur to me about this setup. I'm not looking for the basics of networking. I've just never set up VPN before, and don't quite have the big picture.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#20 Post by jafadmin »

As the title of this thread subtly suggests, this thread is about connecting to a MS VPN Server.

If users have never set up a VPN connection before using puppy I suggest they have a talk with the IT people who run the VPN server and the network that they're trying to connect to first. If they have any questions that can't be answered by their own IT people (i.e. puppy specific questions), I'm glad to help.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#21 Post by jafadmin »

One important note.

I have not been able to assign a default route to a pptp vpn tunnel in the puppy implementation of ppp.

If your network admins assume you can set the default route to the VPN tunnel, there will be issues. You will need them to tell you the networks inside their company that you need to reach and set the routes to them after connecting.

I'm working on trying to find out what the underlying problem is with this.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#22 Post by I Have a New Puppy »

Thanks for all your replies so far.
jafadmin, it's not my intention to frustrate you, and I apologize
that my lack of networking knowledge is annoying.

I want to route ALL traffic through ppp0, and none through
the wlan0 (which I guess makes it a "pass-through"). If the
VPN connection drops, I don't want any data to leak through
wlan0 in the clear because I use public wifi often enough
to be concerned about security.

I'm using my desired VPN right now, but in Windows through wifi.
I've set up several VPNs through MS over the years, but I've never
had to change any routing -- hence the trouble now. I've thoroughly gone
through my VPN's manual (nothing for Linux, naturally).

My VPN server has an IP domain 78.x.x.x that is used for GPPTP logon.
This is a different IP from the 192.168.2.1 seen in resolv.conf, route, etc.
I have not tried the 78.x.x.x within any route add -net command.

jafadmin, from your first post here, I'd assumed that running
"route" and "ip addr" would give me what I needed to
write my own "route add -net" command. It did not for me,
and even copying the data here was apparently insufficient
for anybody else here.

I tried your:
route add -net 192.168.2.0/24 ppp0
and it didn't reroute traffic through the VPN, at least
not through the browser.


___________
The most promising to date has been:
route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0

. . . which allowed me to ping 192.168.2.1 from both blinkys,
and ppp0 showed traffic. There was no browser ppp0 traffic, however.

What I will next try is this, and report back:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.2.1/32


________
OK, to get back on track, here is my info after GPPTP was connected:


WHAT I GOT FROM ROUTE:
Destination     Gateway         Genmask         Flags Iface
192.168.2.1     *               255.255.255.255 UH    ppp0
192.168.0.0     *               255.255.255.0   U     wlan0
169.254.0.0     *               255.255.0.0     U     wlan0
default         192.168.0.1     0.0.0.0         UG    wlan0


WHAT I GOT FROM LINUX IP ADDR:
inet 192.168.0.12/24 brd 192.168.0.255 scope global wlan0
inet 192.168.2.54 peer 192.168.2.1/32 scope global ppp0


WHAT I GOT FROM LINUX resolv.conf
nameserver 192.168.2.1
nameserver 208.67.222.222 (this secondary IP is mentioned in my VPN provider's manual, but not one I want to use)


I can also paste here results of MS and PL route traces, if nec.

Based on the above, here is what I so far understand:

VPN logon IP domain: 78.x.x.x
VPN peer address: 192.168.2.1/32 (Windows calls it 192.168.2.1)
gateway assigned by my ISP: 192.168.0.1

I understand that once connected to the VPN, it assigns a varying
inet address of 192.168.2.x, and that such isn't used in any routing
commands. It is the never-changing peer of 192.168.2.1/32 that
is relevant here.

192.168.1.0 isn't in any of my routing tables.
Now, instead of 192.168.1.0, isn't 169.254.0.0 my route to external networks
(ADSL is passing through wlan0)? Jafa calls this the
"placeholder for your corp subnet", if I understand correctly (though
I could easily have this wrong).

If correct, then wouldn't 169.254.0.0 be used in the new route, i.e.:

route add -net 169.254.0.0 netmask 255.255.255.0 gw 192.168.2.1/32



Now, to my final questions_____________________

1) which IP to enter after "route add -net"?

(Is it the VPN's domain of 78.x.x.x, 192.168.1.0, 192.168.2.1,
jafa's rec. of 192.168.2.0/24, 169.254.0.0, or some other 192.168.x.x?)


2) must I then include "netmask 255.255.255.0"?

(My VPN provider's manual specifies so for Macs, but Windows
has assigned it 255.255.255.255 and VPN works fine. PL also assigns
ppp0 the mask of 255.255.255.255, but that is somehow the problem?
You can understand why this seems confusing.)


3) must I then include any "gw x.x.x.x", or is "dev ppp0" sufficient?

(If gw is to be 192.168.2.1, would it necessarily be 192.168.2.1/32?)


4) must I then follow up with "ip route replace default dev ppp0" to
force all traffic to VPN, or was that accomplished through the above?


(I tried that after what seemed a promising route add -net, and
got an infinite upload thing and only through ppp0. Had to killall pppd.)


5) Will killall pppd after each unsuccessful "route add" attempt
restore the original routing table, or must I use "route del" each time?



6) Finally, before shutdown, must I undo any of the above for wlan0 to
automatically connect after the next boot? Do I need to add an
ip-down script, or does closing GPPTP revert traffic back to wlan0?

Lastly, you want to make sure that when you close the connection, you correct the routing table. Add the following lines to a script here: /etc/ppp/ip-down.d/routing, and chmod +x so that it can execute.
route del -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
route del -host 22.0.0.22 gw 10.20.0.36
And again, make sure that script executes by referencing it as in the above by putting a line in /etc/ppp/ip-down:
/etc/ppp/ip-down.d/routing
http://ubuntuforums.org/showpost.php?p= ... tcount=121

_______
After absorbing that very helpful post, I'm seriously suspecting that I
need to add something like these two entries to the routing table:

route add -host (remoteserver: 78.x.x.x or 192.168.2.1?) gw (ADSL Router's address: 192.168.0.1?)
route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0

This would add a new route flagged UGH for ppp0.

jafa, what are your thoughts on this? Do I need to add a new host
before a new route?



___________
Routing issues by Linux PPTP clients seem ubiquitous.
btw, I've scoured 20 pages from an Ubuntu forum:
http://ubuntuforums.org/showthread.php?t=91249&page=13

Post #121 has been very helpful; maybe there's something there
to add in our PL thread to clarify things? (It was there that I learned
of "ip route replace default dev ppp0".)

I'm learning a lot about networks from:
http://pptpclient.sourceforge.net/routi ... lan-to-lan
http://pptpclient.sourceforge.net/routi ... adsl.phtml

Sorry for the lengthy post, but I want to be thorough.
Thanks for your patience; I'm trying mightily to understand all this.
I know that I'm very nearly there.
This thread will help get many Puppy-walkers up to GPPTP speed.

Jafa, my hearty thanks for your help here, and in reconfiguring GPPTP!

Regards,
Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#23 Post by jafadmin »

Ken,
As I said in the post just above yours, I haven't had any luck yet assigning a default route to a pptp vpn. I'm trying to find out what is prohibiting this in puppy.

So if you're trying to make all your web browsing go through this vpn connection, I'm afraid you're out of luck until I (or someone else) can find a solution to this.

That said, a command like:

route add -net 192.168.0.0 netmask 255.255.0.0 ppp0

Would route all 192.168 traffic over the VPN. (except what's on the wlan0 subnet, of course)

192.168.0.0 means: 192.168. anything . anything
netmask 255.255.0.0 means: 255.255. anything . anything

So what this does is create a route to the entire 192.168.whatever range of ip subnets over the vpn, except the one you're directly connected to with wlan0.
Last edited by jafadmin on Sat 06 Jun 2009, 20:58, edited 1 time in total.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#24 Post by I Have a New Puppy »

Thanks, but it's an unexpected bummer, obviously.

I'll try your suggestions and report back. I appreciate the prompt help!

Has anyone built their own PPTP client for Puppy, or
will not even that work until Puppy is fixed?

Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#25 Post by jafadmin »

I Have a New Puppy wrote:
Thanks, but it's an unexpected bummer, obviously.

I'll try your suggestions and report back. I appreciate the prompt help!

Has anyone built their own PPTP client for Puppy, or
will not even that work until Puppy is fixed?

Ken

Gpptp is just a front-end that calls pptp and pppd to create the tunnels. The problem is somehow related to how those get configured. They are standard components to linux.

I'm researching this. If I find the fix I'll post it.

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#26 Post by disciple »

disciple wrote: When I tried it before though, my network still worked after I killed pppd :?

Aha - it seems whatever is dealing with the routing doesn't necessarily notice straight away when pppd is killed - sometimes the local network / internet will keep working for a little while afterwards.

Your latest version restores the network OK, thanks.

BTW does anyone know where the routing table is actually kept?

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#27 Post by jafadmin »

disciple wrote:
disciple wrote: When I tried it before though, my network still worked after I killed pppd :?
Aha - it seems whatever is dealing with the routing doesn't necessarily notice straight away when pppd is killed - sometimes the local network / internet will keep working for a little while afterwards.

Your latest version restores the network OK, thanks.

BTW does anyone know where the routing table is actually kept?

/proc/net/route
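
An added example (not code from any poster in this thread) that decodes the /proc/net/route format into the rows `route -n` would show. The sample text is constructed from the table in post #22 and assumes a little-endian (x86) kernel; the function names are this example's own.

```python
import socket
import struct

# Constructed sample in /proc/net/route layout, encoding the four routes from
# post #22 the way a little-endian (x86) kernel prints them. Not a real capture.
SAMPLE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "ppp0\t0102A8C0\t00000000\t0005\t0\t0\t0\tFFFFFFFF\t0\t0\t0\n"
    "wlan0\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "wlan0\t0000FEA9\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
    "wlan0\t00000000\t0100A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
)

FLAG_BITS = ((0x1, "U"), (0x2, "G"), (0x4, "H"))  # up, gateway, host


def hex_to_ip(field):
    """Each address is the raw 32-bit word in hex; repack it little-endian."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_routes(text):
    """Decode /proc/net/route text into dicts resembling `route -n` rows."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8:                          # ignore short or blank lines
            continue
        flags = int(f[3], 16)
        routes.append({
            "iface": f[0],
            "dest": hex_to_ip(f[1]),
            "gateway": hex_to_ip(f[2]),
            "mask": hex_to_ip(f[7]),
            "flags": "".join(c for bit, c in FLAG_BITS if flags & bit),
        })
    return routes


def default_routes(routes):
    """Entries that catch all traffic: destination and mask both 0.0.0.0."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


if __name__ == "__main__":
    for r in parse_routes(SAMPLE):
        print("{dest:15} {gateway:15} {mask:15} {flags:3} {iface}".format(**r))
```
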

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#28 Post by PaulBx1 »

Do the symptoms of this problem match none of the examples on http://pptpclient.sourceforge.net/howto-diagnosis.phtml? It's pretty extensive...

This might also be of interest:
All Traffic Through Tunnel
by James Cameron
30th December 2002

Some sites ask that you route all your traffic through the tunnel. This is also the default behaviour of the Microsoft VPN client. You may not want to do this, as it can slow your internet performance.

GUI Note
If you are using the pptpconfig GUI then Stop the tunnel, select it again, then on the Routing tab, click on All to Tunnel, then click Update and try Start again. The remainder of this section covers alternate methods.
http://pptpclient.sourceforge.net/routing.phtml#same-ip

It occurs to me it might be interesting to see how their pptpconfig GUI handles this.

I don't know if this is a help. I'm barely understanding what is going on here... :roll:
Last edited by PaulBx1 on Mon 08 Jun 2009, 16:31, edited 1 time in total.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#29 Post by jafadmin »

PaulBx1 wrote: Do the symptoms of this problem match none of the examples on http://pptpclient.sourceforge.net/howto-diagnosis.phtml? It's pretty extensive...

Thanks for that link, but no. pppd makes the connection and sets up the tunnel ok. You can ping the peer ip address of the vpn server. You can set any kinds of routes you want to the ppp* once connected except a default route. In other words, you cannot successfully do:

route add -net 0.0.0.0 netmask 0.0.0.0 ppp0 , or ...
route add default ppp0

What happens at that point is that the "route -n" command will show the default route set to the relevant ppp* in the routing table, but all routing on the pc stops. After that you can only ping the ppp* peer address of the vpn server.

I'm not even sure it's pppd/ppp that's the issue. It might be the BusyBox variant of the "route" command that is the culprit. I'm currently working on testing that possibility. (although a look at the /proc/net/route file looks normal enough) :?

jafa

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#30 Post by I Have a New Puppy »

jafa, once you fix PL's issue, would the correct command then be:
route add -net 192.168.0.0 netmask 255.255.255.0 ppp0

Do you think that a new host must be added before that?
I understand that all this is theoretical until the deeper problem
is fixed, but after so much time on it, I'm naturally curious!


____________
OK, what about a meanwhile option of at least being able to
route all SeaMonkey traffic through VPN?
Will its proxy settings
to (in my case) 192.168.2.1 do the trick? Which port? Which proxy
setting option: auto config, etc.?


____________
Speaking of proxies, my MS route print of the same VPN showed
something interesting: routes through 127.0.0.1, which I didn't
suspect a VPN (versus SSH tunnel or stunnel.exe) would need.
In case this is helpful, here they are:

Network Destination   Netmask           Gateway     Interface
(ppp0 DHCP IP)        255.255.255.255   127.0.0.1   127.0.0.1
(wlan0 DHCP IP)       255.255.255.255   127.0.0.1   127.0.0.1
127.0.0.0             255.0.0.0         127.0.0.1   127.0.0.1

Something else interesting is that MS creates a route for the VPN
logon domain as destination, with wlan0 as interface:

78.x.x.x 255.255.255.255 192.168.0.1 wlan0

Might this be necessary in PL's routing table, or will the fix let PL
create such automatically as GPPTP should?

______________
Finally, a Linux programmer friend offered to build an OpenVPN client
for Puppy. (OpenVPN is the way to go for security.) Is anybody
else interested in this? He's bored and has the time!

______________
Jafa, best of success to you in your fix, and thanks for your work!

Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#31 Post by jafadmin »

I Have a New Puppy wrote:
jafa, once you fix PL's issue, would the correct command then be:
route add -net 192.168.0.0 netmask 255.255.255.0 ppp0

Ken

That route will give you access to: 192.168.0.1 thru 192.168.0.254 (254 addresses)

route add -net 192.168.0.0 netmask 255.255.0.0 ppp0

will give you access to: 192.168.0.1 thru 192.168.254.254 (65,533 addresses)
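
An added example (not code from any poster in this thread) that applies longest-prefix matching to the routing table from post #22, to show which interface carries what under the /16 route from post #23, under a default route on ppp0 as attempted in post #29, and with the server host route Windows was seen to create in post #30. VPN_SERVER, WEB_HOST and CORP_HOST are documentation-range or constructed stand-ins (the thread elides the 78.x.x.x address), and all function names are this example's own.

```python
import ipaddress

# Routing table from post #22 (after GPPTP connected), as (prefix, interface).
BASE = [
    ("192.168.2.1/32", "ppp0"),
    ("192.168.0.0/24", "wlan0"),
    ("169.254.0.0/16", "wlan0"),
    ("0.0.0.0/0", "wlan0"),
]
# Assumptions: constructed stand-ins, not addresses from the thread.
VPN_SERVER = "203.0.113.10"   # stands in for the elided 78.x.x.x logon address
WEB_HOST = "198.51.100.7"     # any public web server
CORP_HOST = "192.168.5.20"    # a host on some other 192.168.x.x subnet


def lookup(table, dest):
    """Longest-prefix match: the interface chosen for dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), i) for p, i in table]
    hits = [(n, i) for n, i in hits if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def tunnel_down(table):
    """The kernel drops routes bound to ppp0 when the interface goes away."""
    return [r for r in table if r[1] != "ppp0"]


def scenarios():
    # The /16 route from post #23: a split tunnel.
    split = BASE + [("192.168.0.0/16", "ppp0")]
    # Default moved to ppp0 with nothing pinning the server to wlan0.
    no_default = [r for r in BASE if r[0] != "0.0.0.0/0"]
    full_bare = no_default + [("0.0.0.0/0", "ppp0")]
    # Same, plus a host route for the server via wlan0 (as seen in post #30).
    full_pinned = full_bare + [(VPN_SERVER + "/32", "wlan0")]
    return {
        "split_corp": lookup(split, CORP_HOST),            # reaches the tunnel
        "split_local": lookup(split, "192.168.0.1"),       # /24 beats the /16
        "split_web": lookup(split, WEB_HOST),              # browsing stays on wlan0
        "bare_server": lookup(full_bare, VPN_SERVER),      # carrier packets enter tunnel
        "pinned_server": lookup(full_pinned, VPN_SERVER),  # carrier packets use wlan0
        "pinned_web": lookup(full_pinned, WEB_HOST),       # browsing uses the tunnel
        "split_after_drop": lookup(tunnel_down(split), CORP_HOST),
        "pinned_after_drop": lookup(tunnel_down(full_pinned), WEB_HOST),
    }


if __name__ == "__main__":
    for name, iface in scenarios().items():
        print(f"{name:18} -> {iface}")
```

The `None` for `pinned_after_drop` holds only while nothing reinstalls a default route on wlan0; an ip-down script or a DHCP renewal that restores it sends traffic back out over wlan0 in the clear.
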

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#32 Post by I Have a New Puppy »

Understood finally about the whole subnet thang, thanks.

To access addresses 192.168.2.1 through 192.168.2.254
(which would cover my VPN's DHCP IPs) would be:

route add -net 192.168.2.0 netmask 255.255.255.0 ppp0


_________
Were any of my M$ route print data helpful?
Do you want the whole table?

Can at least browser traffic be forced through VPN via proxy settings?

Thanks,
Ken

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#33 Post by jafadmin »

I Have a New Puppy wrote:
Were any of my M$ route print data helpful?
Do you want the whole table?

Can at least browser traffic be forced through VPN via proxy settings?

Thanks,
Ken

1. No, I don't need to see any more route tables.

2. If there is a proxy server on the subnet you are connecting to over VPN, then you can set that in your browser and get to the web.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#34 Post by jafadmin »

jafadmin wrote:
One important note.

I have not been able to assign a default route to a pptp vpn tunnel in the puppy implementation of ppp.

If your network admins assume you can set the default route to the VPN tunnel, there will be issues. You will need them to tell you the networks inside their company that you need to reach and set the routes to them after connecting.

I'm working on trying to find out what the underlying problem is with this.

I have been testing Barry's latest version of puppy (Woof Alpha 9) and the problem with the default route seems to be gone in that version. As more info becomes available we'll let you know.

I Have a New Puppy
Posts: 7
Joined: Fri 05 Jun 2009, 17:11

#35 Post by I Have a New Puppy »

What's the latest on all this, please?
Does the newer Puppy VPN work?
Does the code have the answer to fix 4.21, or must I install the new Puppy?

Thanks!
