# VPN?

## KraziKid

I want to set up a VPN for my father's office.  What would be a good VPN server to use?

----------

## Antagony

Depends on what exactly you want to do.

Do you just need filesharing, or do you want to be able to forward desktops and what-not?  Do you need printer sharing?  What about access to other hardware devices (like CDROM)?

Oh yes, and also, which OSes are you running?  From Linux to Windows, from Windows to Linux, or do you need both?

----------

## KraziKid

I need file sharing via Samba.  The server will be running Gentoo, and all the clients are running Windows XP or Windows 2000.  Any suggestions?

----------

## thinair

You should look at the OpenVPN SourceForge project:

http://openvpn.sourceforge.net/

----------

## CountZero

PoPToP is another way to go.  It's net-dialup/pptpd or http://www.poptop.org.  You can even get encryption working with this.  I did on my machine.

----------

## Ethereal

I recommend IPsec; maybe it's a little overkill, but it's much more powerful than PoPToP. I had numerous problems with PPTP due to its strange behavior and sometimes difficult installation.

----------

## KraziKid

Will OpenVPN allow me to connect to the client computers that are running Windows XP?  The clients do not have a Linux gateway; they are directly connected to the internet using a cable modem.

----------

## el*Loco

*CountZero wrote:*

> PoPToP is another way to go.  It's net-dialup/pptpd or http://www.poptop.org.  You can even get encryption working with this.  I did on my machine.

I tried using PoPToP with my Windows XP client (running with the default Windows XP VPN settings) without success.

Error in syslog:

```
Mar 24 21:53:42 loco pptpd[16110]: MGR: Launching /usr/sbin/pptpctrl to handle client
Mar 24 21:53:42 loco pptpd[16110]: CTRL: local address = 192.168.1.1
Mar 24 21:53:42 loco pptpd[16110]: CTRL: remote address = 192.168.1.200
Mar 24 21:53:42 loco pptpd[16110]: CTRL: pppd speed = 115200
Mar 24 21:53:42 loco pptpd[16110]: CTRL: pppd options file = /etc/ppp/options.pptpd
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Client 192.168.6.2 control connection started
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Received PPTP Control Message (type: 1)
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Made a START CTRL CONN RPLY packet
Mar 24 21:53:42 loco pptpd[16110]: CTRL: I wrote 156 bytes to the client.
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Sent packet to client
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Received PPTP Control Message (type: 7)
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Set parameters to 1525 maxbps, 64 window size
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Made a OUT CALL RPLY packet
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Starting call (launching pppd, opening GRE)
Mar 24 21:53:42 loco pptpd[16110]: CTRL: pty_fd = 5
Mar 24 21:53:42 loco pptpd[16110]: CTRL: tty_fd = 6
Mar 24 21:53:42 loco pptpd[16110]: CTRL: I wrote 32 bytes to the client.
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Sent packet to client
Mar 24 21:53:42 loco pptpd[16111]: CTRL (PPPD Launcher): Connection speed = 115200
Mar 24 21:53:42 loco pptpd[16111]: CTRL (PPPD Launcher): local address = 192.168.1.1
Mar 24 21:53:42 loco pptpd[16111]: CTRL (PPPD Launcher): remote address = 192.168.1.200
Mar 24 21:53:42 loco pppd[16111]: The remote system is required to authenticate itself
Mar 24 21:53:42 loco pppd[16111]: but I couldn't find any suitable secret (password) for it to use to do so.
Mar 24 21:53:42 loco pppd[16111]: (None of the available passwords would let it use an IP address.)
Mar 24 21:53:42 loco pptpd[16110]: GRE: read(fd=5,buffer=804d520,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 24 21:53:42 loco pptpd[16110]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Client 192.168.6.2 control connection finished
Mar 24 21:53:42 loco pptpd[16110]: CTRL: Exiting now
Mar 24 21:53:42 loco pptpd[16109]: MGR: Reaped child 16110
```

Any idea what might be wrong? Here are some of the config files:

/etc/ppp/options.pptpd

```
## CHANGE TO SUIT YOUR SYSTEM
lock

## turn pppd syslog debugging on
#debug

## change 'pptpd' to whatever you specify as your server name in chap-secrets
name pptpd
proxyarp

# This option applies if you use ppp with chapms-strip-domain patch
#chapms-strip-domain

+chap
auth
require-chap
nodetach
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote

# These options apply if you use ppp with mppe patch
# NB! You should also apply the ChapMS-V2 patch
#-chap
-chapms
+chapms-v2
mppe-128
mppe-stateless

# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
#ms-wins your.server.here
#ms-dns your.server.here
```

/etc/ppp/chap-secrets

```
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"abc"                   *       "123"           *
```

/etc/pptpd.conf

```
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.1.3
#
################################################################################

# TAG: speed
#
#       Specifies the speed for the PPP daemon to talk at.
#
speed 115200

# TAG: option
#
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#
#       Turns on (more) debugging to syslog
#
debug

# TAG: localip
# TAG: remoteip
#
#       Specifies the local and remote IP address ranges.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
localip 192.168.1.1
remoteip 192.168.1.200-238
```

----------

## acidreign

A "better" way of setting up the tunnel is to use FreeS/WAN: very nice, very simple, but read the documentation. FreeS/WAN is the more "mature" way of doing this; it has a lot of flexibility and a lot of power.

Some of the solutions mentioned above may suit your needs, but I found FreeS/WAN to be the single "VPN app" that suits all my needs.

----------

## honold

Vote for FreeS/WAN IPsec.

----------

## honold

Note: you can buy some inexpensive Linux-based routers from www.snapgear.com for this, with a nice GUI...

----------

## aheld

el*Loco:

Get rid of the quotes (") in /etc/ppp/options.pptpd.

If that does not work, then uncomment the debug line in /etc/ppp/options.pptpd, changing

`#debug`

to

`debug`

and restart pptpd and try again, then send the logfile.

The problem is most likely that your Windows domain\username does not match anything in chap-secrets.

----------
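To make the "couldn't find any suitable secret" error and the domain\username mismatch concrete, here is an added example (not code from the thread or from pppd) that parses a chap-secrets file and applies a simplified version of pppd's lookup rules: `*` matches any client or server name, a missing or `-` address field means no IP may be assigned, and `strip=True` mimics the `chapms-strip-domain` option from the posted options.pptpd. The sample file is constructed; the `bob` line is hypothetical and only illustrates the no-address case.

```python
import shlex

# Constructed sample: the thread's chap-secrets entry plus one hypothetical
# line ("bob") whose address field is "-", i.e. no IP may be assigned.
SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"abc"                   *       "123"           *
bob                     pptpd   "s3cret"        -
"""

def parse_chap_secrets(text):
    """Parse chap-secrets into (client, server, secret, ip_words) tuples.
    Quotes are shell-style, '#' starts a comment, the IP field may be absent."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3:
            continue  # blank, comment-only or malformed line
        client, server, secret = words[:3]
        entries.append((client, server, secret, words[3:]))
    return entries

def strip_domain(name):
    """Mimic chapms-strip-domain: 'DOMAIN\\user' -> 'user'."""
    return name.split("\\", 1)[1] if "\\" in name else name

def lookup_secret(entries, client, server, strip=False):
    """Return (secret, allowed_ips) for the first entry matching client and
    server, or None.  allowed_ips is None when no address may be assigned
    (empty field or '-'); ['*'] means any address is acceptable.
    Simplified: pppd itself prefers the most specific match, not the first."""
    if strip:
        client = strip_domain(client)
    for c, s, secret, ips in entries:
        if c not in ("*", client) or s not in ("*", server):
            continue
        if not ips or ips[0] == "-":
            return secret, None
        return secret, ips
    return None

def explain(entries, client, server, strip=False):
    """One-line diagnosis in the spirit of pppd's syslog messages."""
    hit = lookup_secret(entries, client, server, strip)
    if hit is None:
        return "no secret matches client %r / server %r" % (client, server)
    secret, ips = hit
    if ips is None:
        return "secret found, but no IP address is permitted for this client"
    return "ok: secret found, addresses allowed: %s" % " ".join(ips)
```

Running `explain(parse_chap_secrets(SAMPLE_CHAP_SECRETS), "OFFICE\\abc", "pptpd")` reproduces the mismatch aheld describes, and the same call with `strip=True` matches the `"abc"` entry.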

## el*Loco

Thanks aheld,

I just re-installed my router after my old hard disk failed; I'm going to give PPTP a second try.

----------

## aheld

I made a mistake in my last post.

You should remove the quotes (") from the file /etc/ppp/chap-secrets.

----------

## xpunkrockryanx

Does FreeS/WAN support the situation where I have one server in a local network at an office running FreeS/WAN, and I have a user at home running Windows XP or 2000 who would connect in to the local network so that they could share files (Samba or Windows file sharing) and network printers etc.? Essentially, I want a server that would replace a Microsoft Windows NT or Windows 2000 VPN server for remote access. I don't need any site-to-site tunneling. I do need user authentication etc. Is it easy to get this functionality from FreeS/WAN? Would I have to use pptpd? Basically I want it to be simple and comfortable for the end user: no installing of extra software or configuration of encryption keys. Anybody have suggestions for that scenario?

thanks,

ryan

----------

## Crg

*KraziKid wrote:*

> Will OpenVPN allow me to connect to the client computers that are running Windows XP?  The clients do not have a Linux gateway; they are directly connected to the internet using a cable modem.

Not as yet.

----------

## raid517

Has this been resolved yet? I am having similar problems...

https://forums.gentoo.org/viewtopic.php?t=56102&highlight=vpn

----------

## tyreth

el*Loco, those problems you see may be firewall related.  I experienced the same/similar error, but when I set the firewall to have no rules and a default policy of ACCEPT to test it, it worked fine.

----------

## TimoTye

I am almost done with an OpenVPN-based VPN solution.  I tried FreeS/WAN but found it to be not only more than I needed but also much more complicated to get going.  With FreeS/WAN you are dealing with recompiling the kernel and also with NAT and firewall issues.

OpenVPN runs in user space and is much easier to get working.  It handles DHCP very nicely and NATs do not affect it at all.  If you are just setting up <10 VPN connections this is the way to go.  It requires a server process running for each VPN client, so it does not scale as well as FreeS/WAN.

It also simplifies things if the OpenVPN server is also the gateway/NAT/router for the network.  It is pretty amazing how seamless it all is when you get it set up.

----------

