# HOWTO: PPTP VPN Server with MPPE, including Shorewall config

## texas1emt

HOWTO: PPTP VPN Server with MPPE, including Shorewall configuration

Goal of this HOWTO:

The goal of this howto is to create a PPTP VPN server on a Gentoo workstation or server so that you can access resources behind your firewall when you are away.  You can use clients such as pptpclient, Windows XP, or OS X to connect to this VPN securely.  Also, you can access the internet using your VPN server's internet connection, which is handy if you're in a location with unsecured wireless.

Packages For This HOWTO:

PoPToP VPN Server - http://www.poptop.org/

Point To Point Protocol (PPP) - http://samba.org/ppp/

Gentoo Patched Kernel 2.6.16 (or later) - http://dev.gentoo.org/~dsd/genpatches/

Shorewall (optional) - http://www.shorewall.net/

Step 1: Preparing Your Kernel Modules

For PPP and PoPToP to work properly, you'll need a 2.6.16 or later kernel.  The reason for this is that the 2.6.16 kernel contains the proprietary MPPE (Microsoft Point To Point Encryption) module that is required for the PPTP VPN to serve Windows clients.  I've heard from many people that the Polbox MPPE-MPPC patch works well on older kernels, but I've always run into issues when I've tried to use it.

If you want to get the latest kernel, just run: 

```
# emerge sync
# emerge gentoo-sources
```

As of the writing of this HOWTO, the latest stable gentoo-sources kernel is 2.6.16-r7 but your results may vary.  If you already have a 2.6.16 kernel, then keep on going in the HOWTO.  If you just upgraded your kernel from another kernel by running the previous two commands, then please be sure to configure your kernel to support your hardware first, then move on to the next paragraph.

Inside your kernel configuration, be sure to enable the following:

PPP Support:

```
Device Drivers -> Network Device Support
 <*> PPP (point-to-point protocol) support
      [*]   PPP multilink support (EXPERIMENTAL)
      [*]   PPP filtering
      <*>   PPP support for async serial ports
      <*>   PPP support for sync tty ports
      <*>   PPP Deflate compression
      <*>   PPP BSD-Compress compression
      <*>   PPP MPPE compression (encryption) (EXPERIMENTAL)
      <*>   PPP over Ethernet (EXPERIMENTAL)
```

Crypto Support: (I generally modularize all of the crypto modules, just in case)

```
Cryptographic API
[*]   HMAC support
<M>   Null algorithms
<M>   MD4 digest algorithm
<M>   MD5 digest algorithm
---   SHA1 digest algorithm
<M>   SHA256 digest algorithm
<M>   SHA384 and SHA512 digest algorithms
<M>   Whirlpool digest algorithms
<M>   Tiger digest algorithms
<M>   DES and Triple DES EDE cipher algorithms
<M>   Blowfish cipher algorithm
<M>   Twofish cipher algorithm
<M>   Serpent cipher algorithm
<M>   AES cipher algorithms
<M>   AES cipher algorithms (i586)
<M>   CAST5 (CAST-128) cipher algorithm
<M>   CAST6 (CAST-256) cipher algorithm
<M>   TEA, XTEA and XETA cipher algorithms
---   ARC4 cipher algorithm
<M>   Khazad cipher algorithm
<M>   Anubis cipher algorithm
<M>   Deflate compression algorithm
<M>   Michael MIC keyed digest algorithm
<M>   CRC32c CRC algorithm
<M>   Testing module
```

Netfilter Support for Shorewall: (If you're not going to use Shorewall, then skip this step)

```
Networking Options -> Network packet filtering (replaces ipchains)
    Make sure everything within this area is compiled in [*]
```

Exit the kernel configuration, save your changes, and compile your kernel:

```
make && make modules_install
```

Copy your kernel over to /boot.  If you upgraded a kernel during this procedure be sure to change your bootloader configuration!  Reboot your box and continue to step 2.

Step 2: Install Packages

At this step, you should now be booted into your kernel with PPP and MPPE support.  You will need two packages:

- net-dialup/ppp (compiles in < 2 minutes on a P3 900)
- net-dialup/pptpd (compiles in < 1 minute on a P3 900)

When you emerge ppp, DO NOT enable the mppe-mppc use flag!  Enabling the flag will make PPP depend on the Polbox MPPE-MPPC patch, which isn't the same as the module built into your kernel.  A pretend merge should show something like this:

```
# emerge -pv ppp pptpd
[ebuild  N    ] net-dialup/ppp-2.4.2-r15  -activefilter -atm -dhcp -ipv6 -mppe-mppc +pam -radius 0 kB
[ebuild  N    ] net-dialup/pptpd-1.2.3-r1  +tcpd 0 kB
```

Just emerge the packages now (takes less than 3 minutes on a P3 900):

```
emerge ppp pptpd
```

Step 3: Configure PoPToP/PPP

At this step, you should have a kernel with MPPE support and PPP/PPTPD should be installed.  Now it's time to edit some configuration files.  I'll only show the relevant lines here for brevity's sake.

/etc/pptpd.conf

This file contains the basic instructions for the PPTPD process.

```
#  This tells PPTPD to find its options in another file (which we will edit later)
option /etc/ppp/options.pptpd

#  Turn on debug output until you get things working properly, then comment it later
debug

#  Log the connects and disconnects to your system log
logwtmp

#  Set your local and remote ip's (this is tricky - see info below)
localip 192.168.0.1
remoteip 192.168.0.210-220
```

Okay, so what's this deal about localip and remoteip?  It is a bit tricky, indeed.  You can read the comments from the authors of PoPToP there in your conf file, but they're a bit unclear.

First, I'll explain how my setup works, as it may be common.  I have two interfaces: eth0 faces the internet and eth1 faces my internal NAT'ed network.  My eth0 interface connects to a cable modem and it gets its networking information via DHCP.  My eth1 interface connects into a switch and serves my internal network only.  The internal network is 192.168.0.0/24 (or 192.168.0.1-192.168.0.255).  The IP 192.168.0.1 is assigned to eth1 at all times.  For those of you who are visual learners, enjoy my rudimentary network diagram:

```
/----------\          /---------------\          /--------\         /-----\
| Internet |---eth0---| Gentoo Router |---eth1---| Switch |---------| LAN |
\----------/          \---------------/          \--------/         \-----/
           (dynamic ip)                192.168.0.1       192.168.0.0/24
```

Here's a few tips to keep in mind when you're setting up localip and remoteip:

- For localip, specify the IP address of your internal interface.
- For remoteip, specify the IP addresses that remote users are allowed to use.  When remote users connect, they will be assigned IP's starting at the lowest end of the range you provide.  In my example configuration above, my first remote user will be assigned 192.168.0.210.
- The number of connections allowed is the same as the number of remote IP's provided.  If you want 10 remote users, provide 10 remote IP's.
- The IP's for localip and remoteip MUST be on the same network interface and MUST be on the same subnet.  For example, if the IP you provide for localip is on eth0 and the IP's for remoteip are on eth1, you will have connection issues.

/etc/ppp/options.pptpd

This file contains the instructions for PPP when someone tries to connect to your VPN.

```
#  The name is pretty arbitrary, but it must match the entry in your chap-secrets
name pptpd

#  These are really insecure methods, so they're disabled
refuse-pap
refuse-chap
refuse-mschap

#  This is the most secure handshake method
require-mschap-v2

#  We want to force 128 bit encryption for the session
require-mppe-128

#  Enable a lot of debugging to the syslog (comment it out once everything works)
debug

#  Make a lock file while the connection is open
lock

#  Disable compression (it's not available with your module)
nobsdcomp

#  Don't log to your terminal window
nologfd
```

/etc/ppp/chap-secrets

This file contains login credentials for your remote users.

```
# client        server  secret                  IP addresses
  mylogin       pptpd   mypassword              *
  googlebuddy   pptpd   googlebuddypass         216.239.32.0/19
```

The client is the username, the server defines which server the secret is meant for (see line 1 of /etc/ppp/options.pptpd), and the secret is the password.  For IP addresses, the asterisk (*) means allow from all IP's.  You can specify a single IP or CIDR block to limit access to certain IP addresses.

Step 4: Firewall Configuration

For the folks who are pretty smart when it comes to firewalls, you will want to allow TCP traffic to come into the router and also to go out of the router.  In addition, you will want to allow GRE 47 to leave your router.  

If you like iptables (borrowed from Experts-Exchange):

```
iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT
```

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

```
iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
```

ProTech made a good point (see first reply below) that the above instructions are for a VPN server that is NAT'd on an internal network.  My mistake!  ProTech made the suggestion to use these iptables commands to use a VPN server on the router/firewall itself:

```
iptables -A INPUT -p gre -d FIREWALL_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d FIREWALL_IP -j ACCEPT
```

Since Shorewall is my favorite way to configure netfilter, this HOWTO is pretty Shorewall-centric.  Luckily, you only need a few edits:

/etc/shorewall/interfaces

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp
gig     eth1            192.168.0.255   dhcp
vpn     ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

The net zone connects to the internet on eth0, gig connects to the internal gigabit network on eth1, and vpn comprises all of the ppp interfaces.  By using ppp+ in the file, you're telling shorewall to include ppp0, ppp1, ppp2, etc. in this zone.

/etc/shorewall/zones

```
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
gig     ipv4
vpn     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

I added the vpn zone here, and it is an IPv4 network.

/etc/shorewall/policy

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
fw              gig             ACCEPT
fw              vpn             ACCEPT
gig             fw              ACCEPT
gig             net             ACCEPT
gig             vpn             ACCEPT
vpn             fw              ACCEPT
vpn             net             ACCEPT
net             all             DROP
all             all             REJECT
#LAST LINE -- DO NOT REMOVE
```

The firewall, internal gigabit network, and vpn can talk between themselves and also to the internet.  However, the internet isn't allowed to talk directly to any of them (unless I allow it in /etc/shorewall/rules).

/etc/shorewall/rules

```
ACCEPT  net             fw              tcp     22,443,1723,10000
```

For the firewall, I'm allowing ssh, https, pptp vpn, and webmin in from the outside.  Where's GRE Protocol 47?  Check the next file.

/etc/shorewall/tunnels

```
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
pptpserver              vpn     192.168.0.1
```

This tells shorewall to allow GRE traffic to go from the VPN's gateway (192.168.0.1) back out to the internet to our remote users.

Now, check your syntax and restart the firewall:

```
# shorewall check
# shorewall restart
```

Step 5: Starting PPTPD

You're on the home stretch!  Start the PPTPD daemon and make it start at boot time.

```
# /etc/init.d/pptpd start
# rc-update add pptpd default
```

Now, test a connection.  You should get something like this in the syslog.  (I'm only displaying the non-debug output)

```
Jun 12 16:38:30 router pptpd[23810]: CTRL: Client xxx.xxx.xxx.xxx control connection started
pptpd[23810]: CTRL: Starting call (launching pppd, opening GRE)
pppd[23811]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[23811]: pppd 2.4.2 started by root, uid 0
pppd[23811]: Using interface ppp0
pppd[23811]: Connect: ppp0 <--> /dev/pts/1
pptpd[23810]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
pppd[23811]: MPPE 128-bit stateless compression enabled
pppd[23811]: found interface eth1 for proxy arp
pppd[23811]: local  IP address 192.168.0.1
pppd[23811]: remote IP address 192.168.0.210
```

At this point, you should be a-okay!  Check the common issues below if something doesn't seem right.

Common Issues:

- The connection hangs on `Connect: ppp0 <--> /dev/pts/x`: Most likely, your localip and remoteip in /etc/pptpd.conf are on different interfaces or subnets.  They have to be on the same interface and within the same subnet!
- The connection hangs on `CTRL: Ignored a SET LINK INFO packet with real ACCMs!`: Your remote location might not be allowing GRE traffic in, or it might not be surviving a NAT properly.  Confer with your network administrator at the remote location.

Step 6: How do I connect to the VPN?

Using Windows XP:

1. Go to File -> Settings -> Control Panel. Choose Network Connections.
2. Click Create a new connection.
3. When the wizard starts, click Next, Connect to the network at my workplace, then Next.
4. Click Virtual Private Network connection, Next, name the connection, then Next.
5. If it asks about dialing an initial connection, click Do not dial... unless you are using dialup to connect to the internet.
6. Enter the external address of your VPN server, click Next, choose an availability option, then Next and Finish.
7. Click Properties, the Networking tab, choose PPTP VPN from the drop down and double click Internet Protocol (TCP/IP).
8. Click Advanced and uncheck Use default gateway on remote network.  If you leave it checked, ALL of your computer's traffic will be routed through your home network.  This will cut off current connections, downloads, chats, etc.
9. Back in the Network Connections panel, choose Advanced -> Advanced Settings.  Then move Remote Access Connections to the top spot.  Click OK.
10. Double click the VPN network connection, enter your username and password from /etc/ppp/chap-secrets and connect!

Using OS X:

1. Double click your hard drive icon, then double click Applications, and then double click Internet Connect.
2. Click the VPN icon in the top bar and choose Edit Configurations from the drop down list.
3. Click the + under the list on the left and complete the description, server address, account name, and password fields.
4. Be sure to choose Maximum (128 bit only) from the Encryption drop down menu and click OK.
5. Click connect and your VPN should be connected.
6. With OS X, all of your traffic will get routed through the remote network.  To fix this, drop to a terminal and execute:

```
$ sudo route add default 192.168.0.1
```

Change 192.168.0.1 to your local gateway so that only the traffic that needs to go over the VPN actually does go over the VPN.

Final Thoughts

If you have any questions or comments, reply to the post or contact me and I'll see what I can do to help.

Version History:

- Jun-12-06: First Revision
- Jun-18-06: Included iptables configuration for PPTP server on firewall itself, thanks to ProTech.
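To make the localip/remoteip tips and the chap-secrets IP column checkable before restarting pptpd, here is an added Python example (not code from the original post, PoPToP or pppd). It assumes the HOWTO's /24 layout, the last-octet range syntax documented in the stock pptpd.conf, and the unquoted chap-secrets layout shown above; the sample file contents are constructed from the HOWTO's excerpts.

```python
"""Checks for the localip/remoteip and chap-secrets rules given in the HOWTO.
Added example, not code from the original post nor from PoPToP/pppd.  Assumes
the HOWTO's layout (eth1 = 192.168.0.1/24); sample file contents below are
constructed from the HOWTO's excerpts."""
import ipaddress
import re

# Constructed from the HOWTO's /etc/pptpd.conf excerpt.
PPTPD_CONF = """\
option /etc/ppp/options.pptpd
debug
logwtmp
localip 192.168.0.1
remoteip 192.168.0.210-220
"""

# Constructed from the HOWTO's /etc/ppp/chap-secrets excerpt.
CHAP_SECRETS = """\
# client        server  secret                  IP addresses
  mylogin       pptpd   mypassword              *
  googlebuddy   pptpd   googlebuddypass         216.239.32.0/19
"""


def expand_ip_list(spec: str) -> list:
    """Expand pptpd's address syntax as documented in the shipped pptpd.conf:
    comma-separated single addresses and ranges whose end is a last octet
    (192.168.0.234,192.168.0.245-249).  No spaces; the end octet is literal."""
    addresses = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad address item: {item!r}")
        prefix, start = m.group(1), int(m.group(2))
        end = int(m.group(3)) if m.group(3) else start
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad range: {item!r}")
        addresses += [ipaddress.IPv4Address(f"{prefix}{o}") for o in range(start, end + 1)]
    return addresses


def parse_pptpd_conf(text: str) -> dict:
    """Keyword -> value map of pptpd.conf, ignoring comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_pptpd_conf(text: str, iface_net: str) -> dict:
    """Apply the HOWTO's tips: localip and every remoteip must be on the
    internal interface's subnet, localip must not be in the pool, and the
    pool size is the number of simultaneous clients (lowest address first)."""
    conf = parse_pptpd_conf(text)
    net = ipaddress.IPv4Network(iface_net)
    local = expand_ip_list(conf["localip"])
    remote = expand_ip_list(conf["remoteip"])
    problems = []
    if any(ip not in net for ip in local):
        problems.append(f"localip {conf['localip']} is not on {net}")
    outside = [str(ip) for ip in remote if ip not in net]
    if outside:
        problems.append(f"remoteip addresses outside {net}: {outside}")
    if set(local) & set(remote):
        problems.append("localip overlaps the remoteip pool")
    return {"capacity": len(remote), "first_client": str(remote[0]), "problems": problems}


def parse_chap_secrets(text: str) -> list:
    """(client, server, secret, addresses) tuples; assumes the unquoted,
    whitespace-separated layout of the HOWTO's excerpt."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"chap-secrets line needs 4 fields: {raw!r}")
        entries.append(tuple(fields[:4]))
    return entries


def address_allowed(text: str, client: str, server: str, ip: str) -> bool:
    """True when a chap-secrets entry for client/server (server = the `name`
    in options.pptpd) has an IP addresses column covering ip: '*' covers all,
    otherwise a single address or CIDR block, alternatives comma-separated."""
    addr = ipaddress.IPv4Address(ip)
    for c, s, _secret, addrs in parse_chap_secrets(text):
        if (c, s) != (client, server):
            continue
        for allowed in addrs.split(","):
            if allowed == "*" or addr in ipaddress.IPv4Network(allowed, strict=False):
                return True
    return False
```

pppd(8) documents the fourth chap-secrets column as restricting the IP address the peer may use on the link, so check your pppd version's man page before relying on it as a source-address control.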

----------

## ProTech

Thanks for the HOWTO!

I will try this as soon as a hardened-sources-2.6.16 kernel gets stabilized.

I have some questions about the firewall section. You can use iptables or shorewall, right? So if I'm using iptables already, I don't have to do anything with the shorewall section. I know nothing about shorewall...

I think the iptables section is for a VPN server not on the router/firewall, but on a NAT'ed machine inside your local net. For a VPN server on the router you have to add something similar to the first two commands, like this (I didn't try this):

```
iptables -A INPUT -p gre -d FIREWALL_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d FIREWALL_IP -j ACCEPT
```

I usually use the -i INTERFACE option instead of the -d FIREWALL_IP, because I have a dynamic IP address...

Is there a way to use an existing DHCP server to assign IP addresses to the VPN clients too?

----------

## texas1emt

*ProTech wrote:*

> Thanks for the HOWTO!

No problem!  It took so much time to figure this out, I thought I'd do my best to save everyone else some work.

*ProTech wrote:*

> I have some questions about the firewall section. You can use iptables or shorewall, right? So if I'm using iptables already, I don't have to do anything with the shorewall section. I know nothing about shorewall...

Correct.  If you configure your firewall without using shorewall, you can configure it using any tools/commands that you like.  I'm just partial to shorewall because it allows me to make firewall changes relatively easily.

*ProTech wrote:*

> I think the iptables section is for a VPN server not in the router/firewall, but in a NAT'ed machine inside your local net.

Correct again!  That was my error and I didn't examine the iptables commands before I posted it.  I included your suggested commands into the HOWTO above.  Thanks!

*ProTech wrote:*

> Is there a way to use an existing DHCP server to assign IP addresses to the VPN clients too?

Actually, when you configure the remoteip section of the /etc/pptpd.conf, you're specifying which range of IP's are allowed to be assigned to remote users.  I believe the PPP server is the one that assigns these IP's when remote users connect.  It will start from the lowest IP in the range and keep handing out IP's until the highest IP in the range is given out.

As far as using your own DHCPD server to hand out IP's - that's something I've never tinkered with, actually.  It seems like the PPP server wants to be in charge of giving out IP's the entire time.  If you are able to get something working with DHCPD, let me know, because I could probably use that in my situation as well.

Thanks for the reply!

----------

## Vieri

*Quote:*

> /etc/shorewall/tunnels
>
> ```
> ...
> ```

 

According to the configuration reported above, shouldn't /etc/shorewall/tunnels be:

```
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
pptpserver              net
```

?

----------

## DooMi

*texas1emt wrote:*

> Netfilter Support for Shorewall: (If you're not going to use Shorewall, then skip this step)
>
> ```
> Networking Options -> Network packet filtering (replaces ipchains)
> ...
> ```

 

That will really bloat the kernel to ZOMG...

Maybe some detailed information on this would be handy to know (so I don't have to bloat the kernel by enabling all of that crap in there...)

cheers

----------

## fr3akX

After this I'm getting the same gateway and IP address on the client machine! The client machine runs WinXP; how do I get it to route all of the client's traffic through the VPN?

----------

## jhunholz

I've set up my firewall like you say to above, but when I try to log on from a client at work, it gets to verifying the username/password, waits for a while, then asks if I want to try again.   When I try to connect, I'm seeing this printed over and over in /var/log/messages on the server:

```
pppd[4356]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcedf90d0> <pcomp> <accomp>]
```

My /etc/pptpd.conf:

```
###############################################################################
# $Id: pptpd.conf,v 1.8 2004/04/28 11:36:07 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#       Turns on (more) debugging to syslog
#
debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 10.4.1.1
remoteip 10.4.1.100-110
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
```

My /etc/ppp/chap-secrets:

```
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
  jhunholz      pptpd   monkey                  *
```

Any ideas why it's not working?

----------

## jhunholz

After doing some investigating, it seems my problem is the firewall my company has in place.  So I guess I'll have to find another way of connecting to my home network.
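As an added example (not code from any post in this thread), a small Python classifier that reads pppd/pptpd syslog lines like the HOWTO's excerpt and jhunholz's repeated LCP ConfReq lines, reports the last milestone a session reached, and maps a stall to the HOWTO's Common Issues; the sample logs are constructed from those excerpts with a made-up client address.

```python
"""Classify how far a PPTP/pppd session got from syslog lines like the ones the
HOWTO shows, mapping a stall to the HOWTO's Common Issues and to the repeated
'sent [LCP ConfReq ...]' symptom jhunholz reported.  Added example, not code
from any post; the sample logs are constructed from those posts' excerpts."""
import re

# Constructed from the HOWTO's successful-connection excerpt (client IP made up).
SUCCESS_LOG = """\
pptpd[23810]: CTRL: Client 203.0.113.9 control connection started
pptpd[23810]: CTRL: Starting call (launching pppd, opening GRE)
pppd[23811]: pppd 2.4.2 started by root, uid 0
pppd[23811]: Using interface ppp0
pppd[23811]: Connect: ppp0 <--> /dev/pts/1
pptpd[23810]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
pppd[23811]: MPPE 128-bit stateless compression enabled
pppd[23811]: found interface eth1 for proxy arp
pppd[23811]: local  IP address 192.168.0.1
pppd[23811]: remote IP address 192.168.0.210
"""

# Constructed after jhunholz's post: LCP requests go out, nothing ever comes back.
NO_REPLY_LOG = """\
pptpd[4355]: CTRL: Client 203.0.113.9 control connection started
pptpd[4355]: CTRL: Starting call (launching pppd, opening GRE)
pppd[4356]: Connect: ppp0 <--> /dev/pts/1
pppd[4356]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcedf90d0> <pcomp> <accomp>]
pppd[4356]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcedf90d0> <pcomp> <accomp>]
pppd[4356]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcedf90d0> <pcomp> <accomp>]
"""

# Milestones in the order a healthy session passes them.
MILESTONES = [
    ("control", re.compile(r"CTRL: Client (\S+) control connection started")),
    ("gre_opened", re.compile(r"CTRL: Starting call")),
    ("ppp_connected", re.compile(r"Connect: (ppp\d+) <--> (\S+)")),
    ("link_info", re.compile(r"Ignored a SET LINK INFO packet")),
    ("mppe", re.compile(r"MPPE (\d+)-bit")),
    ("established", re.compile(r"remote IP address (\S+)")),
]
LCP_SENT = re.compile(r"sent \[LCP ConfReq")
LCP_RCVD = re.compile(r"rcvd \[LCP")

# Stall diagnoses, taken from the HOWTO's Common Issues section.
DIAGNOSIS = {
    "ppp_connected": "hangs after Connect: localip/remoteip in pptpd.conf are "
                     "probably on different interfaces or subnets",
    "link_info": "hangs after SET LINK INFO: GRE is probably not reaching the "
                 "client (blocked or not surviving NAT at the remote site)",
}


def analyze(log: str) -> dict:
    """Return the last milestone reached, LCP counters and a diagnosis."""
    reached, details = [], {}
    lcp_sent = lcp_rcvd = 0
    for line in log.splitlines():
        for name, pattern in MILESTONES:
            m = pattern.search(line)
            if m:
                reached.append(name)
                details[name] = m.groups()
        lcp_sent += bool(LCP_SENT.search(line))
        lcp_rcvd += bool(LCP_RCVD.search(line))
    stage = reached[-1] if reached else "none"
    result = {"stage": stage, "lcp_sent": lcp_sent, "lcp_rcvd": lcp_rcvd}
    if stage == "established":
        result["client_ip"] = details["established"][0]
        result["mppe_bits"] = int(details["mppe"][0]) if "mppe" in details else 0
        # A session that came up without the MPPE line is running unencrypted.
        result["diagnosis"] = ("established" if result["mppe_bits"] else
                               "established WITHOUT MPPE: check require-mppe-128")
    elif lcp_sent and not lcp_rcvd:
        # jhunholz's case: our LCP requests leave, the client's GRE never arrives.
        result["diagnosis"] = (f"{lcp_sent} LCP ConfReq sent, none received: "
                               "the client's GRE is not getting through")
    else:
        result["diagnosis"] = DIAGNOSIS.get(stage, f"stopped at stage {stage!r}")
    return result
```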

----------

## RayVad

Q: How should I set up my /etc/conf.d/net for PPTP? (This question came up for me since PPTP wasn't working at first.)

A: I have two NICs in my system and like to use eth0 = LAN and eth1 = WAN.

My /etc/conf.d/net is configured as:

```
config_eth0=( "192.168.6.40 netmask 255.255.255.0 brd 192.168.6.255" )
config_eth1=( "10.0.0.150 netmask 255.255.255.0 brd 10.0.0.255" )
routes_eth1=( "default gw 192.168.6.1" )
```

Everything seemed to be configured correctly following above guide, but PPTP didn't accept connections.

I had to compile MPPE as a module in the kernel, to make PPTP work.

----------

## Jeff4321

Huuuuuuge thanks to texas1emt for this guide.  I had been pissing around for a day and a half before I finally found this easy to use guide and got my VPN server up and working.

One issue that I did have that no one has mentioned yet was that I could ping the two end-points of my VPN tunnel but my server was not forwarding the packets.  For example: My VPN server has an address of 10.235.1.1 and my VPN client was assigned an address of 10.235.1.240.  When I attempted to ping another device at 10.235.1.4 it did not work.  My ICMP packets arrived at the VPN server and nothing happened.  I made sure my IPTABLES forwarding rules were set correctly, made sure /proc/sys/net/ipv4/ip_forward had a '1' in it, etc.

My problem was resolved simply by setting proxyarp on in /etc/ppp/options.pptpd and restarting /etc/init.d/pptpd.  I think that should be added to the original post as initially it is set in the default /etc/ppp/options.pptpd file but I commented it out and just used what the guide told me to use.

Other than that it is working great!

----------

## rottis

Hi!

Thanks for this great HOWTO... I used it to connect a Windows XP client to a Samba PDC and I ran into trouble.

I thought I would share my problem and solution for future references for me (I have a very short memory) and for other users.

Problem:

I could not get NetBIOS names to work. I needed this to be able to add the computer to the domain, but it is the same problem if you want to browse computers in your workgroup.

Solution in theory:

You have to add a WINS server, in my case the Samba PDC server. I tried to add it through the network settings and through pptpd, and it always showed up in ipconfig /all, but I couldn't talk to the other computers except via DNS or IP.

Solution in practice:

Add the WINS server and enable NetBIOS over TCP/IP on the VPN network connection, and disable NetBIOS over TCP/IP on the external network card, because Windows gets confused when it is enabled on both and you need it enabled on the VPN connection.

/marcus

----------

## Brownstone

Thanks for this HOWTO! I have the following setup and it worked fine:

1. 3com ADSL Wireless Router -- Port 1723 open and pointing to my Gentoo server

2. Netgear 5 Port 1G Switch -- 3com + Server + Desktop all connected to this

Turns out I didn't need to do any of the IPTABLES or Shorewall stuff, since my Gentoo box is pretty much a file-server only. The 3com takes care of the routing well enough for the moment.

Thanks again!

EDIT - Turns out I *did* need to do one extra thing before I could ping other machines on the VPN:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

 The proxyarp option was enabled by default when I emerged pptpd.

That was it for me!

----------

## JasonX

What does this proposition mean?

"Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK."

----------

## JasonX

Hi there, thanks to texas1emt for this very article. His article spurred me to improve my intranet server.

Not counting the previous question, I have a few more questions. Maybe someone can help me...

I completed all the instructions in this guide and have this problem:

The connection is established, but the client can't ping any internet server...

I suspect something with the iptables rules...

Any suggestions?

----------

## JasonX

If my question is too simple or stupid, please tell me.

----------

## xanas3712

*JasonX wrote:*

> What does this proposition mean?
>
> "Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK."

 

Can I not use an internal network computer to test or something?  Will it not even try to register a connection if something has the same external IP?  I've even tried using my internal IP (192.168.0.2) with no luck (again, my router is 192.168.0.1 here, and of course my localip is set to 192.168.0.2 to compensate). Is that wrong?

----------

## Just_Chris

Thanks for the nice guide - I have got this working, sort of...

I don't use iptables or any firewall, as I only use this to access a private lab network from a secure corporate network. Like the poster above I had to do:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

to get any traffic working.

The next problem is subnets. My private subnet is 255.255.252.0, but I can only seem to ping stuff within a 255.255.255.0 range. For example:

My local IP is 192.168.0.2 (the server)

My remote IP is 192.168.3.3 (the client)

The client can only ping stuff in the range 192.168.3.x; I want to be able to communicate with 192.168.0-3.x. I can't even ping the server, lol. Anyone got any ideas about this?

EDIT: I looked at the routing entries on my client and it only created appropriate ones for a /24 subnet. Since this information presumably comes from the server (or maybe it's Windows being lame?), I should be able to change things somewhere without having to manually add a route?

----------

## JasonX

Hi

I'm using a hardened kernel & profile.

I did all the steps that texas1emt wrote.

I'm not using any firewall on my server.

The server uses 1 LAN card and receives internet traffic through eth0 (from another server).

Clients are also on the same interface as the internet (eth0).

The connection gets established fine, but clients can't ping any host on the internet.

server routing table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.112   *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
```

client ipconfig of the internet connection:

```
PPP adapter Test:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.112
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.0.112
        DNS Servers . . . . . . . . . . . : 213.184.241.5
                                            193.232.248.2
        NetBIOS over Tcpip. . . . . . . . : Disabled
```

What is wrong ?

Does the server need iproute or any other package?

Last edited by JasonX on Sun Apr 29, 2007 8:15 am; edited 3 times in total

----------

## JasonX

What's wrong? Can't anybody help a man who has just set up a VPN server? What is this forum for?

here's my pptpd.conf

```
option /etc/ppp/options.pptpd.nodefault
localip 192.168.0.10
remoteip 192.168.0.112-120
logwtmp
```

here's my /etc/ppp/options.pptpd.nodefault

```
name pptpd
lock
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nobsdcomp
nologfd
novj
novjccomp
ms-dns 213.184.241.5
ms-dns 193.232.248.2
```

Machine the modem is attached to: 192.168.0.1

Internet server: 192.168.0.10

Clients: 192.168.0.255

/etc/conf.d/net for eth0

```
config_eth0=( "192.168.0.10 netmask 255.255.255.0 brd 192.168.0.255" )
routes_eth0=( "default gw 192.168.0.1" )
```

my lan scheme:

http://img99.imageshack.us/img99/6098/lanschemeuj6.th.png

For more information see previous post

Problem: users can't ping any host in the internet

----------

## JasonX

Hi, everyone.

Does anyone know of another VPN server HOWTO?

----------

## JasonX

Hi again.

Does anybody know about the peculiar properties of this HOWTO on hardened-sources?

I have a problem with an incorrect MTU value.

----------

## JasonX

The problem was SOLVED; see the solution here. The pptpd server was set up with the help of this HOWTO.

Thanks everybody who tried to assist.

----------

