PPTP client on Router

2009-07-14 Thread James Records
Hi all,

Summary:

Trying to run pptp client on my router and allow my internal LAN clients to
be natted through the tunnel.  NAT appears to never happen; from what I can
tell I've got everything configured correctly, though I've never set this up
before.

Thanks in advance for your help.  I've tried to be as verbose as possible
by including all the files being used in relation to this issue; if more
info is needed just say so.

Thanks,
J

I'm trying to get a pptp client on my router to function as described here
in the pptp man page.

 *PPTP on a router
 This example assumes that you want to configure a router running OpenBSD
 to provide PPTP VPN access to a remote network for all hosts on your
 internal network.

 Let us assume that the VPN server was called vpn-gateway.net, and that
 the default route of our OpenBSD box was 42.42.42.42.  The remote network
 shall be 10.42.0.0/16; we want all traffic to this network to go through
 the VPN tunnel.

 First, edit /etc/ppp/ppp.conf and add an entry for the VPN connection.
 See ppp(8) for details on the format of this file.

   default:
    set log Phase Chat LCP IPCP CCP tun command
   vpn:
    set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net"
    set authname User
    set authkey MySecret
    set mppe 128 stateless

 Next, you need to configure routing in /etc/ppp/ppp.linkup.  We also load
 pf(4) anchors for the vpn interface here.  More on that later.

 /etc/ppp/ppp.linkup:

   vpn:
    add 10.42.0.0/16 HISADDR
    ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

 If vpn-gateway.net resides inside 10.42.0.0/16, we have to add a host
 route pointing to vpn-gateway.net in order to avoid a chicken-and-egg
 problem once packets to 10.42.0.0/16 are routed through the tunnel.

 /etc/ppp/ppp.linkup:

   vpn:
    add vpn-gateway.net 42.42.42.42
    add 10.42.0.0/16 HISADDR
    ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

 If your default route is not fixed, for example if your ISP does not
 always assign the same gateway to you, use a script to figure out the
 current default route and add the host route to the VPN gateway.  For
 example:

 /etc/ppp/vpn-default-route.sh:

   #!/bin/sh
   gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
   /sbin/route add -host vpn-gateway.net ${gw}

 Call the script from /etc/ppp/ppp.linkup:

   vpn:
    ! sh /etc/ppp/vpn-default-route.sh
    add 10.42.0.0/16 HISADDR
    ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

 Make sure the changes to the routing table are
 reversed when the VPN connection drops:

 /etc/ppp/ppp.linkdown:

   vpn:
    ! sh -c "/sbin/pfctl -a vpn -F all"
    delete 10.42.0.0/16
    delete vpn-gateway.net

   # NAT is of course optional. The remote network needs
   # a route to our network as well if we don't do NAT.
   nat on $vpn_if from $int_if:network to any -> ($vpn_if)

   block drop on $vpn_if
   pass out on $vpn_if

   # Allow ping from remote, and explicitly make sure our replies are
   # routed back through the tunnel.
   pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \
       inet proto icmp icmp-type echoreq keep state

   # Same for ssh.
   pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \
       from any to ($vpn_if) port ssh flags S/SA keep state

 Connect by running:
   ppp -unit0 -ddial vpn

 The -unit0 option makes sure ppp configures tun0 as the VPN connection
 end point, and not some other tun device.  The packet filter rules
 configured above assume tun0 as the VPN connection end point.

 To terminate the connection, kill the ppp process. It creates a PID file
 in /var/run/tunX.pid, where X is the number of the tun device used.*


I have tried to match this as much as possible on my setup, but I can't seem
to get the packets from the LAN network to NAT to the pptp IP address. Here
are my files that I'm actually using:

*pf.conf:*

##
### Tables ###
##
table <abusive_hosts> persist

###
### Aliases ###
###
RFC_1918 = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"


LAN_IP = 192.168.254.1
LAN_Network = 192.168.254.0/24

#
### Global PF Options ###
#

set skip on lo0

set loginterface dc0

#
### Traffic Normalization ###
#
scrub in all fragment reassemble


#
### RDR rules ###
#


rdr-anchor ftp-proxy/*
rdr-anchor relayd/*

###
### FWall-MGMT ###
###
rdr on dc0 proto tcp \
from { any } to { 192.168.185.52 } \
port { 443 } -> 192.168.254.1



###
### FTP-OUT ###
###
rdr

OpenBSD 4.1 + pptp client problem

2007-07-09 Thread smonek
Hello, I have an OpenBSD VPN server/router on OpenBSD 4.1 + pf +
poptop-1.1.4.b4p1.
This server works OK (perfect).

All Windows clients connected without any problems :-)

But I have a problem connecting from OpenBSD 4.1 :-(

I installed pptp-1.7.1 and set sysctl net.inet.gre.allow=1

This is my /etc/ppp/ppp.conf:
default:
  set log Phase Chat LCP IPCP CCP tun command
  disable ipv6cp

pptp:
  #  pptp- ppp
  set device "!/usr/local/sbin/pptp 83.16.208.84 --nolaunchpppd"
  #
  set timeout 0
  #
  set lqrperiod 5
  set cd 5
  set redial 30
  #
  set authname tester
  set authkey test123
  set dial
  set login
  # MPPE
  set mppe 128 stateless
  #  MS-CHAP V2
  accept MSChapV2
  #LQR
  enable lqr
  # MSS  MTU
  enable mssfixup
  #
  disable acfcomp protocomp
  deny acfcomp
  #
  add! default HISADDR


Then I do:  ppp -ddial pptp

and ifconfig tun0

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        groups: tun egress
        inet 10.1.0.62 --> 10.1.0.1 netmask 0x

ping 10.1.0.1

ping: sendto: No buffer space available
ping: wrote 10.1.0.1 64 chars, ret=-1
ping: sendto: No buffer space available
ping: wrote 10.1.0.1 64 chars, ret=-1

tcpdump -i tun0

13:36:36.460056 10.1.0.62 > 10.1.0.1: icmp: echo request
13:36:37.470066 10.1.0.62 > 10.1.0.1: icmp: echo request
13:36:38.360038 10.1.0.62.41667 > 83.16.208.84.pptp: S 3429645879:3429645879(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2547667706 0>
13:36:38.480060 10.1.0.62 > 10.1.0.1: icmp: echo request

ppp log

Jul  9 13:36:32 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul  9 13:36:51 MyBSD pptp[23396]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jul  9 13:36:51 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul  9 13:37:09 MyBSD pptp[31817]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
Jul  9 13:37:09 MyBSD pptp[31817]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.18.208.84
Jul  9 13:37:10 MyBSD pptp[24975]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jul  9 13:37:10 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul  9 13:37:28 MyBSD pptp[11362]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
Jul  9 13:37:28 MyBSD pptp[11362]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
Jul  9 13:37:29 MyBSD pptp[32119]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jul  9 13:37:29 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul  9 13:37:47 MyBSD pptp[20030]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
Jul  9 13:37:47 MyBSD pptp[20030]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
Jul  9 13:37:49 MyBSD pptp[2565]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jul  9 13:37:49 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul  9 13:38:06 MyBSD pptp[8251]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
Jul  9 13:38:06 MyBSD pptp[8251]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
Jul  9 13:38:08 MyBSD pptp[28051]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jul  9 13:38:08 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored

What is it??? Why can't I connect to the server?

On my OpenBSD I don't have pf or any packet filter enabled.
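
Added example, not part of the thread or of the pptp port: the tcpdump on tun0 above shows the SYN to 83.16.208.84.pptp inside the tunnel, which is the situation the host-route step in the pptp man page excerpt (quoted in the first thread on this page) is meant to avoid. The script below checks a routing table for it; the routing tables, the gateway 192.0.2.1, the interface dc0 and all function names are constructed assumptions, and the lookup is simplified to "exact host route, else default route".

```shell
#!/bin/sh
# Added example: which interface would carry the PPTP control connection
# (TCP 1723) and GRE packets to the VPN server?

# Constructed tables in `netstat -rn -f inet` column layout. 192.0.2.1 and
# dc0 are assumed stand-ins for the ISP gateway and the external NIC.
ROUTES_BEFORE='Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            192.0.2.1          UGS        2      310     -   dc0
192.0.2.0/24       link#1             UC         1        0     -   dc0'

# After "add! default HISADDR" with no host route to the server.
ROUTES_LOOP='Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            10.1.0.1           UGS        1       42     -   tun0
10.1.0.1           10.1.0.62          UH         1        0     -   tun0
192.0.2.0/24       link#1             UC         1        0     -   dc0'

# Same table plus a host route to the server via the physical gateway.
ROUTES_OK='Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            10.1.0.1           UGS        1       42     -   tun0
10.1.0.1           10.1.0.62          UH         1        0     -   tun0
83.16.208.84       192.0.2.1          UGHS       1       17     -   dc0
192.0.2.0/24       link#1             UC         1        0     -   dc0'

# egress_if ROUTES SERVER_IP
# Simplified lookup: an exact host route wins, otherwise the first default
# route. Prints the interface name; fails if neither exists.
egress_if() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip                     { host = $NF }
        $1 == "default" && def == "" { def = $NF }
        END {
            if (host != "")     print host
            else if (def != "") print def
            else                exit 1
        }'
}

# tunnel_loops ROUTES SERVER_IP
# Succeeds (status 0) when traffic to the server would enter a tun(4)
# device, i.e. the tunnel would be carried inside itself.
tunnel_loops() {
    case "$(egress_if "$1" "$2")" in
        tun*) return 0 ;;
        *)    return 1 ;;
    esac
}

# physical_gw ROUTES
# Gateway of the first default route that is not on a tun device. Unlike
# a plain "grep ^default", this never returns the tunnel peer and never
# returns more than one address.
physical_gw() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $NF !~ /^tun/ { print $2; found = 1; exit }
        END { exit !found }'
}

# Live check on the router (assumed invocation): sh check.sh 83.16.208.84
if [ $# -eq 1 ]; then
    live=$(netstat -rn -f inet)
    if tunnel_loops "$live" "$1"; then
        echo "traffic to $1 would enter the tunnel: add a host route first"
        exit 1
    fi
    echo "traffic to $1 leaves via $(egress_if "$live" "$1")"
fi
```
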



Re: PPTP client

2005-10-06 Thread Otto Moerbeek
On Wed, 5 Oct 2005, Waldemar Brodkorb wrote:

> Hi,
> Otto Moerbeek wrote,
>
> > On Fri, 30 Sep 2005, Peter Bako wrote:
> >
> > > I have a situation where I need to connect an OpenBSD box to a MS Windows
> > > PPTP server (yep, I know it is not secure, but in this case I have no choice
> > > in the matter).
> > >
> > > After looking around the net I found myself at
> > > http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
> > > the program and tried to connect to my test box.  (Also compiled a custom
> > > kernel using the GENERIC files with only the pseudo-device GRE line
> > > commented out.)  There aren't any OpenBSD specific instructions on the site,
> > > but reading the generic docs, as well as the docs for NetBSD, the PPTP man
> > > pages, etc. I think I have enough to get started.  However when I try to
> > > connect up I get nothing but a list of errors (connection timed out, could
> > > not open connection, etc.)  I know the path from my OpenBSD box to the test
> > > server is correct, because if I plug my Win2k laptop in it is able to
> > > successfully connect to the server.
> > >
> > > As far as I can tell the problem is a lack of MPPE support either in the
> > > Kernel or in PPP.  However I cannot find any information on how to get this
> > > support onto an OpenBSD system.
> > >
> > > Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> > > you be kind enough to send me some steps or any other info on how you did
> > > it?
> >
> > Check the pptp package. It's a port of pptpclient. There used to be a
> > FAQ entry about pptp, but it somehow was reduced to just mention pptp.
> >
> > The most important thing is to put net.inet.gre.allow=1 into your
> > sysctl.conf. Or compile a kernel without gre(4), but why bother? It's
> > a bit strange the pptp man page still contains instructions to
> > recompile the kernel and does not mention the sysctl. I'll prod the
> > maintainer.
>
> Oh, that's probably me. What I never understood in the past:
> Does a PPTP user always have to set net.inet.gre.allow=1 ?

Yes, I think so. Though you should ask somebody like markus@ to
confirm that.

-Otto



Re: PPTP client

2005-10-05 Thread Waldemar Brodkorb
Hi,
Otto Moerbeek wrote,

 
> On Fri, 30 Sep 2005, Peter Bako wrote:
>
> > I have a situation where I need to connect an OpenBSD box to a MS Windows
> > PPTP server (yep, I know it is not secure, but in this case I have no choice
> > in the matter).
> >
> > After looking around the net I found myself at
> > http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
> > the program and tried to connect to my test box.  (Also compiled a custom
> > kernel using the GENERIC files with only the pseudo-device GRE line
> > commented out.)  There aren't any OpenBSD specific instructions on the site,
> > but reading the generic docs, as well as the docs for NetBSD, the PPTP man
> > pages, etc. I think I have enough to get started.  However when I try to
> > connect up I get nothing but a list of errors (connection timed out, could
> > not open connection, etc.)  I know the path from my OpenBSD box to the test
> > server is correct, because if I plug my Win2k laptop in it is able to
> > successfully connect to the server.
> >
> > As far as I can tell the problem is a lack of MPPE support either in the
> > Kernel or in PPP.  However I cannot find any information on how to get this
> > support onto an OpenBSD system.
> >
> > Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> > you be kind enough to send me some steps or any other info on how you did
> > it?
>
> Check the pptp package. It's a port of pptpclient. There used to be a
> FAQ entry about pptp, but it somehow was reduced to just mention pptp.
>
> The most important thing is to put net.inet.gre.allow=1 into your
> sysctl.conf. Or compile a kernel without gre(4), but why bother? It's
> a bit strange the pptp man page still contains instructions to
> recompile the kernel and does not mention the sysctl. I'll prod the
> maintainer.

Oh, that's probably me. What I never understood in the past:
Does a PPTP user always have to set net.inet.gre.allow=1 ?

bye
Waldemar



Re: PPTP client

2005-10-05 Thread Okan Demirmen
On Fri 2005.09.30 at 14:51 -0700, Peter Bako wrote:
> I have a situation where I need to connect an OpenBSD box to a MS Windows
> PPTP server (yep, I know it is not secure, but in this case I have no choice
> in the matter).
>
> After looking around the net I found myself at
> http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
> the program and tried to connect to my test box.  (Also compiled a custom
> kernel using the GENERIC files with only the pseudo-device GRE line
> commented out.)  There aren't any OpenBSD specific instructions on the site,
> but reading the generic docs, as well as the docs for NetBSD, the PPTP man
> pages, etc. I think I have enough to get started.  However when I try to
> connect up I get nothing but a list of errors (connection timed out, could
> not open connection, etc.)  I know the path from my OpenBSD box to the test
> server is correct, because if I plug my Win2k laptop in it is able to
> successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the
> Kernel or in PPP.  However I cannot find any information on how to get this
> support onto an OpenBSD system.
>
> Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> you be kind enough to send me some steps or any other info on how you did
> it?

the pptp port used to use pppd(8), which does not have mppe and other
gue. the -current port has switched to userland ppp(8), which has all
the gue needed for certain(tm) pptp servers. if you want to use it on
pre -current, look at the -current port to see how to enable userland
ppp(8) instead (i.e. not officially supported ;).

don't mess with GENERIC - just set net.inet.gre.allow=1

and yes, it works - been using it with userland ppp(8) for a while now.



Re: PPTP client

2005-10-01 Thread Otto Moerbeek
On Fri, 30 Sep 2005, Peter Bako wrote:

> I have a situation where I need to connect an OpenBSD box to a MS Windows
> PPTP server (yep, I know it is not secure, but in this case I have no choice
> in the matter).
>
> After looking around the net I found myself at
> http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
> the program and tried to connect to my test box.  (Also compiled a custom
> kernel using the GENERIC files with only the pseudo-device GRE line
> commented out.)  There aren't any OpenBSD specific instructions on the site,
> but reading the generic docs, as well as the docs for NetBSD, the PPTP man
> pages, etc. I think I have enough to get started.  However when I try to
> connect up I get nothing but a list of errors (connection timed out, could
> not open connection, etc.)  I know the path from my OpenBSD box to the test
> server is correct, because if I plug my Win2k laptop in it is able to
> successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the
> Kernel or in PPP.  However I cannot find any information on how to get this
> support onto an OpenBSD system.
>
> Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> you be kind enough to send me some steps or any other info on how you did
> it?

Check the pptp package. It's a port of pptpclient. There used to be a
FAQ entry about pptp, but it somehow was reduced to just mention pptp.

The most important thing is to put net.inet.gre.allow=1 into your
sysctl.conf. Or compile a kernel without gre(4), but why bother? It's
a bit strange the pptp man page still contains instructions to
recompile the kernel and does not mention the sysctl. I'll prod the
maintainer.

-Otto



PPTP client

2005-09-30 Thread Peter Bako
I have a situation where I need to connect an OpenBSD box to a MS Windows
PPTP server (yep, I know it is not secure, but in this case I have no choice
in the matter).

After looking around the net I found myself at
http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
the program and tried to connect to my test box.  (Also compiled a custom
kernel using the GENERIC files with only the pseudo-device GRE line
commented out.)  There aren't any OpenBSD specific instructions on the site,
but reading the generic docs, as well as the docs for NetBSD, the PPTP man
pages, etc. I think I have enough to get started.  However when I try to
connect up I get nothing but a list of errors (connection timed out, could
not open connection, etc.)  I know the path from my OpenBSD box to the test
server is correct, because if I plug my Win2k laptop in it is able to
successfully connect to the server.

As far as I can tell the problem is a lack of MPPE support either in the
Kernel or in PPP.  However I cannot find any information on how to get this
support onto an OpenBSD system.

Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
you be kind enough to send me some steps or any other info on how you did
it?

Thanks,
Peter



Re: PPTP client

2005-09-30 Thread Matthew Clarke
Friday, 30 September 2005, Peter Bako told us this:

> I have a situation where I need to connect an OpenBSD box to a MS Windows
> PPTP server (yep, I know it is not secure, but in this case I have no choice
> in the matter).
>
> After looking around the net I found myself at
> http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
> the program and tried to connect to my test box.  (Also compiled a custom
> kernel using the GENERIC files with only the pseudo-device GRE line
> commented out.)  There aren't any OpenBSD specific instructions on the site,
> but reading the generic docs, as well as the docs for NetBSD, the PPTP man
> pages, etc. I think I have enough to get started.  However when I try to
> connect up I get nothing but a list of errors (connection timed out, could
> not open connection, etc.)  I know the path from my OpenBSD box to the test
> server is correct, because if I plug my Win2k laptop in it is able to
> successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the
> Kernel or in PPP.  However I cannot find any information on how to get this
> support onto an OpenBSD system.
>
> Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> you be kind enough to send me some steps or any other info on how you did
> it?

Yes.  Search the openbsd-misc archives (start at the bottom of
http://www.openbsd.org/mail.html); there have been several threads about
the PPTP client over the past couple of years and some of those include
sample configuration information.

-- 
On two occasions I have been asked [by members of Parliament!], `Pray, Mr.
Babbage, if you put into the machine wrong figures, will the right answers
come out?'  I am not able rightly to apprehend the kind of confusion of
ideas that could provoke such a question.  -- Charles Babbage



PPTP client ... Non-zero Async Control Character Maps are not supported!

2005-09-02 Thread Eli Richmond
Hi,
I'm fairly new to OpenBSD so please bear with me. For the past week or
so I've been trying to connect my OpenBSD box to a Microsoft VPN server
using the pptp client from pptpclient.sourceforge.net without success.
Here is my current setup:

OpenBSD 3.6 (just the basics, no X-windows)
I've recompiled the GENERIC kernel and commented out the gre
pseudo device (the pptp client man pages said to do this)
I've downloaded and installed pptp-1.7.0.tar.gz from
pptpclient.sourceforge.net

/etc/ppp/chap-secrets:
#$OpenBSD: chap-secrets,v 1.3 2002/06/09 06:15:15 todd Exp $
# Secrets for authentication using CHAP
# client  server  secret  IP addresses
domain\\myusername * mypassword *

/etc/ppp/options
name domain\\myusername
noauth
noipdefault
defaultroute
debug

These are the error messages that I get in /var/log/messages:
Sep  2 14:07:33 firewall3 pptp[31847]: anon log[main:pptp.c:267]: The synchronous pptp option is NOT activated
Sep  2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Sep  2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Sep  2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Sep  2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Sep  2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Sep  2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 8872).
Sep  2 14:07:34 firewall3 pppd[11145]: pppd 2.3.5 started by elira, uid 0
Sep  2 14:07:34 firewall3 pppd[11145]: Using interface ppp0
Sep  2 14:07:34 firewall3 pppd[11145]: Connect: ppp0 <--> /dev/ttyp1
Sep  2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 0
Sep  2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:953]:   send_accm is , recv_accm is
Sep  2 14:07:37 firewall3 pptp[20169]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
Sep  2 14:07:37 firewall3 pppd[11145]: LCP terminated by peer (o(M-K^@[EMAIL PROTECTED]@^BM-3)
Sep  2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 0
Sep  2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:953]:   send_accm is , recv_accm is
Sep  2 14:07:37 firewall3 pptp[20169]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
Sep  2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:912]: Received Call Clear Request.
Sep  2 14:07:40 firewall3 pppd[11145]: Connection terminated.
Sep  2 14:07:41 firewall3 pptp[11481]: anon warn[decaps_hdlc:pptp_gre.c:197]: short read (0): Invalid argument
Sep  2 14:07:41 firewall3 pptp[20169]: anon log[callmgr_main:pptp_callmgr.c:231]: Closing connection (unhandled)
Sep  2 14:07:41 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Sep  2 14:07:41 firewall3 pptp[20169]: anon log[call_callback:pptp_callmgr.c:78]: Closing connection (call state)

Right now I'm all out of ideas. Any help would be greatly appreciated.
If any one knows of any basic setup instructions for pptp on OpenBSD I
would love to see them.
Thanks,
- Eli