HOW-TO: PPTP VPN to MS Networks

[travisN000]

I just recently saw another post for help setting up a PPTP VPN connection from PCLinuxOS..  KVpnc hasn't worked properly for this type of vpn in pclos for as long as I can remember, but flux was once helpful enough to point me to the method that the users of his german pclos remaster use..  Here is my how-to / tutorial:

( adapted from http://pptpclient.sourceforge.net/howto-mandrake-101.phtml )


NOTE: this may break other functionality that requires the use of newer pclos ppp / php-pcntl packages (ie. some dial-up connections, etc).  If you are dependent on this type of connection for internet access it is probably a good idea to download the packages in step 2 before you begin.

Before we begin, first open Synaptic package manager and remove any of the following packages (and dependencies) if they are installed:

php-pcntl
php-gtk-pcntl
ppp
ppp-pppoe
ppp-pppoatm
pptp
pptp-linux



Next download and install needed packages from console:

Code:

######### must be done as root #############
su
<enter root password at prompt>

apt-get install libglade libxml

cd /tmp

#### NOTE: the following block is one command.. copy and paste it in its entirety! ####

wget http://prdownloads.sourceforge.net/poptop/ppp-2.4.3-4mdk10.1.i586.rpm \
http://prdownloads.sourceforge.net/pptpclient/pptp-1.6.0-1.i386.rpm \
http://prdownloads.sourceforge.net/pptpclient/php-pcntl-4.3.10-1.i386.rpm \
http://prdownloads.sourceforge.net/pptpclient/php-gtk-pcntl-1.0.1-2.i386.rpm \
http://prdownloads.sourceforge.net/pptpclient/pptpconfig-20040722-6mdk.noarch.rpm


rpm --upgrade *.rpm
ldconfig

#### Installation done; to start the GUI.. ####
pptpconfig

Configutation using pptpconfig is as follows:

Configuration

   1. obtain from your PPTP Server administrator:

          * the IP address or host name of the server,
          * the authentication domain name, (e.g. WORKGROUP),
          * the username you are to use,
          * the password you are to use,
          * whether encryption is required.

   2. run pptpconfig as root, and a window should appear,

   3. enter the server, domain, username and password into the Server tab,

   4. if you decided in Installation step 1 above that you would need MPPE, and if your administrator says encryption is required, then on the Encryption tab, click on Require Microsoft Point-to-Point Encryption (MPPE),

   5. click on Add, and the tunnel will appear in the list,

   6. click on the tunnel to select it, click on Start, and a window will appear with the tunnel connection log and status,

   7. if the connection fails, you will need to gather more information, so on the Miscellaneous tab, click on Enable connection debugging facilities, click Update, try Start again, then look at the Diagnosis HOWTO for whatever error is displayed.

   8. if the connection succeeded, you can try the Ping test button. If the ping fails, you should try to find out why before proceeding. If the ping works, then the tunnel is active and you may now work on routing.

   9. decide whether all your network traffic should go via the tunnel or not. If so, Stop the tunnel, select it again, then on the Routing tab, click on All to Tunnel, then click Update and try Start again. Now try to access the network behind the server.

  10. on the other hand, if only some of your network traffic should go via the tunnel, you will need to obtain from the server administrator or folk lore a series of network routes to enter. Stop the tunnel, select it again, then click on either Client to LAN or LAN to LAN on the Routing tab, use the Edit Network Routes button to enter the routes one by one, and then try Start again. Now try to access the network behind the server.

Network routes (if needed) should be as follows:

The solution to routing only traffic directed toward the remote LAN over the VPN while keeping internet traffic directed to its usual route is quite simple: Once you have the connection configured you have to "Edit Network Routes.." on the routing tab of pptpconfig (make sure you select the connection in the top section first).

If your remote LAN has ip's that vary only in the last set of digits (ie 10.1.10.XXX or 192.168.1.XXX) then you would set "Network:" in "Edit Network Routes.." on the routing tab of pptpconfig to 10.1.10.0/24 or similar so that the first three groups of digits in the "Network:" match the remote LAN's network match.

If you had multiple subnets on your remote LAN (IP's that vary in more than one of of their digit groupings) that you wanted to be able to reach you might instead use something like the following:

If remote IP's vary: 192.168.1.XX then use 192.168.1.0/24
If remote IP's vary: 192.168.XX.XX then use 192.168.0.0/16
If remote IP's vary: 10.XX.XX.XX then use 10.0.0.0/8
If remote IP's vary: 10.1.XX.XX then use 10.1.0.0/16
If remote IP's vary: 10.1.10.XX then use 10.1.10.0/24
..etc


Once you have made the appropriate configuration in the box labeled "Network:" then click "add" and "close" in that window, and "update" in the pptpconfig window (or "add if you hadn't previously saved the connection)

Once you have it working, be careful about updating your system..  don't allow ppp or php-pcntl to be updated (..see tex's post about how to pin an older version in synaptic to prevent update)

For the files we installed, the /etc/apt/preferences file that you would create looks like this:

Package: ppp
Pin: version 2.4.3-4mdk*
Pin-Priority: 1001

Package: pptp
Pin: version 1.6.0-1*
Pin-Priority: 1001

Package: php-pcntl
Pin: version 4.3.10-1*
Pin-Priority: 1001

Package: php-gtk-pcntl
Pin: version 1.0.1-2*
Pin-Priority: 1001

Package: pptpconfig
Pin: version 20040722-6mdk*
Pin-Priority: 1001

To create a link to the pptpconfig GUI on your desktop, create a text file named pptpconfig.desktop with the following contents:

[Desktop Entry]
Comment=Used to create VPNs using the Microsoft PPTP protocal
Exec[$e]=pptpconfig
GenericName=PPTP VPN GUI
Icon=irkick
Name=pptpconfig
Path[$e]=
StartupNotify=true
Terminal=0
TerminalOptions=
Type=Application
X-KDE-SubstituteUID=true
X-KDE-Username=

..then drag it to your panel if you like!
 

[kjpetrie]

I think many people would have to download those packages before removing the default ones - otherwise they won't have an internet connection to download them with.

Anyone who's using some kind of modem as opposed to an ethernet router would be caught by that.

Think I might stick to doing this from inside a Windows virtual machine for now - jails that insecure encryption too.

[rick71]

It seems to me that connecting to VPNs in PCLOS (at least) is broken. Instead of replacing all these files, shouldn't the problems be fixed?

[travisN000]

KVpnc will actually create a pptp vpn connection..  ifconfig and other network monitoring tools will show it being there and connected, but for what ever reason no traffic will route over the connection.  I've tried more than a few times over the last couple years to get the right combination of routing / IPtables rules, even copying the ones created by pptpconfig, but I have never been able to get it to work ( I've had great success with VNC over SSH, but one network I connect to only allows PPTP ).

If you know of a real fix, I would love to hear about it..  but until then, this works.

[rick71]

Thanks for the directions. I will give them a try.

I have been reading that kvpnc is fixed in KDE 4, but it doesn't seem to properly shut down in the versions I've tried.

[travisN000]

That sounds like a similar problem that was also in the KDE3 version..

TIP:  When kvpnc killed my ethernet connection previously, I never could get it back and ended up having to reinstall the entire OS to get the networking stack functional again.

While working on this again today, I figured out how kvpnc occasionally manages to kill all network connectivity so effectively:  It seems that when KVPNC starts the VPN it backs up and replaces /etc/resolve.conf with a sym link to one of its own, but unfortunately it doesn't always revert back to the original when disconnecting  / closing.

This if easily fixed by restoring the backup manually as follows (in root console):

Code:

cp /etc/resolv.conf.before.kvpnc /etc/resolv.conf

[rick71]

For me at least, the kvpnc in KDE4 doesn't disconnect at all. The 2 disconnect buttons don't work, and the menu item doesn't work. I have to do a couple of kills from a terminal. This is in KUbuntu 9.04. That's the only distro I have been testing KDE4 with.

[rick71]

I downloaded kvpn source, compiled and installed it. I can now connect, but then it disconnects in about 5-10 seconds and then successfully reconnects.

[travisN000]

I have not tried the KDE4 versions yet, but if I recall correctly there were settings in the kde3 version for how the connection status was verified..  I had to change the settings at one point because of similar behavior; I think it was trying to ping a router / server that I had set to drop ping request.  Simply pointing KVPNC  at another server on the VPN that would reply solved the problem.

[GOTHBITES]

So you are saying if I want to remote deskstop a friends computer that has windows to see what kind of problems he has. you are saying that isn't possible if they are behind a router or Period. So trying to access  at my network at school would be moot point.  I just started the networking plus certification classes and I thought about trying this for my class as an example of how versatile linux can be and economical

but the thing is I have heard how a lot of servers are using linux that are access by different platforms so how come it seems this seem to be a larger problem

just curious

[rick71]

I regularly remote in to a WIndows 2003 server and a another distro server on a network at work. That is not the same as connecting through a VPN.

The troubles I have been having is to successfully connect  to a MS/pptp VPN. I can connect under Gnome in another distro. There are disconnection problems using KDR4 in kUbuntu. Until this morning, I haven't been able to connect at all using kvpnc in pclos. Now, I am able to connect, but there is an 8-10 second disconnect reconnect problem.

So... you may be able to remote in to school. It all depends on the network setup.

[GOTHBITES]

Thank you for that

[rick71]

I changed the connection status settings...

First, I unchecked it. I was able to connect and ping internal machines. I then checked it, and specified an machine to ping, again I was able to connect and ping internal machines.

So, for me at the moment, kvpnc is working for short periods. As the school year moves along, I'll be testing it more.

[rick71]

travisn000,

I downloaded the source for kvpnc, compiled it, used check install to make an rpm, and installed it. After that, it ran like it was supposed to, after I figured out the right settings for our VPN at work.

Maybe it just needs to be recompiled and uploaded?

[travisN000]

What type of VPN connection are you using..  is it PPTP? 

Also, what versions of KVPNC, PPP, & PPTP are you using?   If I can recreate your success I will update the packages for the repo..