PPTP client on Router
Hi all,

Summary: Trying to run pptp client on my router and allow my internal LAN clients to be natted through the tunnel. NAT appears to never happen; from what I can tell I've got everything configured correctly, though I've never set this up before.

Thanks in advance for your help. I've tried to be as verbose as possible by including all the files being used in relation to this issue; if more info is needed just say so.

Thanks,
J

I'm trying to get a pptp client on my router to function as described here in the pptp man page.

*PPTP on a router

This example assumes that you want to configure a router running OpenBSD to provide PPTP VPN access to a remote network for all hosts on your internal network.

Let us assume that the VPN server was called vpn-gateway.net, and that the default route of our OpenBSD box was 42.42.42.42. The remote network shall be 10.42.0.0/16; we want all traffic to this network to go through the VPN tunnel.

First, edit /etc/ppp/ppp.conf and add an entry for the VPN connection. See ppp(8) for details on the format of this file.

    default:
     set log Phase Chat LCP IPCP CCP tun command
    vpn:
     set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net"
     set authname User
     set authkey MySecret
     set mppe 128 stateless

Next, you need to configure routing in /etc/ppp/ppp.linkup. We also load pf(4) anchors for the vpn interface here. More on that later.

/etc/ppp/ppp.linkup:

    vpn:
     add 10.42.0.0/16 HISADDR
     ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

If vpn-gateway.net resides inside 10.42.0.0/16, we have to add a host route pointing to vpn-gateway.net in order to avoid a chicken-and-egg problem once packets to 10.42.0.0/16 are routed through the tunnel.

/etc/ppp/ppp.linkup:

    vpn:
     add vpn-gateway.net 42.42.42.42
     add 10.42.0.0/16 HISADDR
     ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

If your default route is not fixed, for example if your ISP does not always assign the same gateway to you, use a script to figure out the current default route and add the host route to the VPN gateway. For example:

/etc/ppp/vpn-default-route.sh:

    #!/bin/sh
    gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
    /sbin/route add -host vpn-gateway.net ${gw}

Call the script from /etc/ppp/ppp.linkup:

    vpn:
     ! sh /etc/ppp/vpn-default-route.sh
     add 10.42.0.0/16 HISADDR
     ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"

Make sure the changes to the routing table are reversed when the VPN connection drops:

/etc/ppp/ppp.linkdown:

    vpn:
     ! sh -c "/sbin/pfctl -a vpn -F all"
     delete 10.42.0.0/16
     delete vpn-gateway.net

    # NAT is of course optional. The remote network needs
    # a route to our network as well if we don't do NAT.
    nat on $vpn_if from $int_if:network to any -> ($vpn_if)

    block drop on $vpn_if
    pass out on $vpn_if

    # Allow ping from remote, and explicitly make sure our replies are
    # routed back through the tunnel.
    pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \
        inet proto icmp icmp-type echoreq keep state

    # Same for ssh.
    pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \
        from any to ($vpn_if) port ssh flags S/SA keep state

Connect by running:

    ppp -unit0 -ddial vpn

The -unit0 option makes sure ppp configures tun0 as the VPN connection end point, and not some other tun device. The packet filter rules configured above assume tun0 as the VPN connection end point.

To terminate the connection, kill the ppp process. It creates a PID file in /var/run/tunX.pid, where X is the number of the tun device used.*

I have tried to match this as much as possible on my setup, but I can't seem to get the packets from the LAN network to NAT to the pptp IP address. Here are my files that I'm actually using:

*pf.conf:*

    ##
    ### Tables ###
    ##
    table <abusive_hosts> persist

    ###
    ### Aliases ###
    ###
    RFC_1918 = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
    LAN_IP = 192.168.254.1
    LAN_Network = 192.168.254.0/24

    #
    ### Global PF Options ###
    #
    set skip on lo0
    set loginterface dc0

    #
    ### Traffic Normalization ###
    #
    scrub in all fragment reassemble

    #
    ### RDR rules ###
    #
    rdr-anchor ftp-proxy/*
    rdr-anchor relayd/*

    ###
    ### FWall-MGMT ###
    ###
    rdr on dc0 proto tcp \
        from { any } to { 192.168.185.52 }\
        port{ 443 } -> 192.168.254.1

    ###
    ### FTP-OUT ###
    ###
    rdr
OpenBSD 4.1 + pptp client problem
Hello

I have an OpenBSD VPN server/router on OpenBSD 4.1 + Pf + poptop-1.1.4.b4p1. This server works OK (perfectly). All Windows clients connect without any problems :-)

But I have a problem with connecting from OpenBSD 4.1 :-(

I installed pptp-1.7.1 and set sysctl net.inet.gre.allow=1.

This is my /etc/ppp/ppp.conf:

    default:
     set log Phase Chat LCP IPCP CCP tun command
     disable ipv6cp

    pptp:
     # pptp- ppp
     set device !/usr/local/sbin/pptp 83.16.208.84 --nolaunchpppd
     #
     set timeout 0
     #
     set lqrperiod 5
     set cd 5
     set redial 30
     #
     set authname tester
     set authkey test123
     set dial
     set login
     # MPPE
     set mppe 128 stateless
     # MS-CHAP V2
     accept MSChapV2
     #LQR
     enable lqr
     # MSS MTU
     enable mssfixup
     #
     disable acfcomp protocomp
     deny acfcomp
     #
     add! default HISADDR

Then I do:

    ppp -ddial pptp

and

    ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
            groups: tun egress
            inet 10.1.0.62 --> 10.1.0.1 netmask 0x

    ping 10.1.0.1
    ping: sendto: No buffer space available
    ping: wrote 10.1.0.1 64 chars, ret=-1
    ping: sendto: No buffer space available
    ping: wrote 10.1.0.1 64 chars, ret=-1

    tcpdump -i tun0
    13:36:36.460056 10.1.0.62 > 10.1.0.1: icmp: echo request
    13:36:37.470066 10.1.0.62 > 10.1.0.1: icmp: echo request
    13:36:38.360038 10.1.0.62.41667 > 83.16.208.84.pptp: S 3429645879:3429645879(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2547667706 0>
    13:36:38.480060 10.1.0.62 > 10.1.0.1: icmp: echo request

ppp log:

    Jul 9 13:36:32 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
    Jul 9 13:36:51 MyBSD pptp[23396]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
    Jul 9 13:36:51 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
    Jul 9 13:37:09 MyBSD pptp[31817]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
    Jul 9 13:37:09 MyBSD pptp[31817]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.18.208.84
    Jul 9 13:37:10 MyBSD pptp[24975]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
    Jul 9 13:37:10 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
    Jul 9 13:37:28 MyBSD pptp[11362]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
    Jul 9 13:37:28 MyBSD pptp[11362]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
    Jul 9 13:37:29 MyBSD pptp[32119]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
    Jul 9 13:37:29 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
    Jul 9 13:37:47 MyBSD pptp[20030]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
    Jul 9 13:37:47 MyBSD pptp[20030]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
    Jul 9 13:37:49 MyBSD pptp[2565]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
    Jul 9 13:37:49 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
    Jul 9 13:38:06 MyBSD pptp[8251]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
    Jul 9 13:38:06 MyBSD pptp[8251]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
    Jul 9 13:38:08 MyBSD pptp[28051]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
    Jul 9 13:38:08 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored

What is it??? Why can't I connect to the server?

On my OpenBSD I don't have pf or any packet filter enabled.
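The tcpdump capture in the post above shows the SYN to 83.16.208.84.pptp leaving on tun0, and its ppp.conf ends with `add! default HISADDR`; the man page excerpt quoted in the first post describes this chicken-and-egg case and the host route that avoids it. The following is an added example, not code from the posts or from the pptp port: it reads `netstat -rn -f inet` output and reports whether packets to the PPTP server would be sent into the tunnel itself. The function names, 192.168.1.1, fxp0 and both routing tables are constructed for illustration.

```sh
#!/bin/sh
# Added example: which interface would carry packets to the PPTP server?
# Input is `netstat -rn -f inet` text on stdin. Simplification: only an exact
# host route and the default route are considered; network routes are ignored.

# route_iface SERVER_IP -> prints "<interface> <next hop>" of the chosen route
route_iface() {
    awk -v srv="$1" '
        $1 == srv       { host = $NF " " $2 }
        $1 == "default" { def  = $NF " " $2 }
        END {
            if (host != "")     print host
            else if (def != "") print def
            else                exit 1
        }'
}

# transport_status SERVER_IP -> prints "ok", "loop" or "noroute"
# "loop": TCP 1723 and GRE towards the server would enter the tunnel they are
# supposed to carry, so the link stalls and every redial times out.
transport_status() {
    r=$(route_iface "$1") || { echo noroute; return 0; }
    case "${r%% *}" in
        tun*|ppp*) echo loop ;;
        *)         echo ok ;;
    esac
}

# Constructed routing tables. 83.16.208.84, 10.1.0.1 and 10.1.0.62 are the
# addresses in the post; 192.168.1.1 and fxp0 are made up.
ROUTES_DEFAULT_VIA_TUNNEL='Destination        Gateway            Flags  Refs  Use  Mtu  Interface
default            10.1.0.1           UGS       0   12    -  tun0
10.1.0.1           10.1.0.62          UH        1    0    -  tun0
192.168.1/24       link#1             UC        1    0    -  fxp0'

ROUTES_WITH_HOST_ROUTE='Destination        Gateway            Flags  Refs  Use  Mtu  Interface
default            10.1.0.1           UGS       0   12    -  tun0
83.16.208.84       192.168.1.1        UGHS      0    4    -  fxp0
10.1.0.1           10.1.0.62          UH        1    0    -  tun0
192.168.1/24       link#1             UC        1    0    -  fxp0'

printf '%s\n' "$ROUTES_DEFAULT_VIA_TUNNEL" | transport_status 83.16.208.84
printf '%s\n' "$ROUTES_WITH_HOST_ROUTE"    | transport_status 83.16.208.84
```

On a live system, pipe the real table in: `netstat -rn -f inet | transport_status <server address>`.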
Re: PPTP client
On Wed, 5 Oct 2005, Waldemar Brodkorb wrote:

> Hi,
> Otto Moerbeek wrote,
>
> > On Fri, 30 Sep 2005, Peter Bako wrote:
> >
> > > I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)
> > >
> > > There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.
> > >
> > > As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?
> >
> > Check the pptp package. It's a port of pptpclient. There used to be a FAQ entry about pptp, but it somehow was reduced to just mention pptp. The most important thing is to put net.inet.gre.allow=1 into your sysctl.conf. Or compile a kernel without gre(4), but why bother? It's a bit strange the pptp man page still contains instructions to recompile the kernel and does not mention the sysctl. I'll prod the maintainer.
>
> Oh, that's probably me.
> What I never understood in the past: Does a PPTP user always have to set net.inet.gre.allow=1?

Yes, I think so. Though you should ask somebody like markus@ to confirm that.

-Otto
Re: PPTP client
Hi,
Otto Moerbeek wrote,

> On Fri, 30 Sep 2005, Peter Bako wrote:
>
> > I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)
> >
> > There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.
> >
> > As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?
>
> Check the pptp package. It's a port of pptpclient. There used to be a FAQ entry about pptp, but it somehow was reduced to just mention pptp. The most important thing is to put net.inet.gre.allow=1 into your sysctl.conf. Or compile a kernel without gre(4), but why bother? It's a bit strange the pptp man page still contains instructions to recompile the kernel and does not mention the sysctl. I'll prod the maintainer.

Oh, that's probably me.
What I never understood in the past: Does a PPTP user always have to set net.inet.gre.allow=1?

bye
Waldemar
Re: PPTP client
On Fri 2005.09.30 at 14:51 -0700, Peter Bako wrote:

> I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)
>
> There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?

the pptp port used to use pppd(8), which does not have mppe and other gue. the -current port has switched to userland ppp(8), which has all the gue needed for certain(tm) pptp servers.

if you want to use it on pre -current, look at the -current port to see how to enable userland ppp(8) instead (i.e. not officially supported ;).

don't mess with GENERIC - just set net.inet.gre.allow=1

and yes, it works - been using it with userland ppp(8) for a while now.
Re: PPTP client
On Fri, 30 Sep 2005, Peter Bako wrote:

> I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)
>
> There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?

Check the pptp package. It's a port of pptpclient. There used to be a FAQ entry about pptp, but it somehow was reduced to just mention pptp.

The most important thing is to put net.inet.gre.allow=1 into your sysctl.conf. Or compile a kernel without gre(4), but why bother?

It's a bit strange the pptp man page still contains instructions to recompile the kernel and does not mention the sysctl. I'll prod the maintainer.

-Otto
PPTP client
I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)

There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.

As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?

Thanks,
Peter
Re: PPTP client
Friday, 30 September 2005, Peter Bako told us this:

> I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.)
>
> There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server.
>
> As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?

Yes. Search the openbsd-misc archives (start at the bottom of http://www.openbsd.org/mail.html); there have been several threads about the PPTP client over the past couple of years and some of those include sample configuration information.

-- 
On two occasions I have been asked [by members of Parliament!], `Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
-- Charles Babbage
PPTP client ... Non-zero Async Control Character Maps are not supported!
Hi,

I'm fairly new to OpenBSD so please bear with me. For the past week or so I've been trying to connect my OpenBSD box to a Microsoft VPN server using the pptp client from pptpclient.sourceforge.net without success.

Here is my current setup:

OpenBSD 3.6 (just the basics, no X-windows)
I've recompiled the GENERIC kernel and commented out the gre pseudo device (the pptp client man pages said to do this)
I've downloaded and installed pptp-1.7.0.tar.gz from pptpclient.sourceforge.net

/etc/ppp/chap-secrets:

    #$OpenBSD: chap-secrets,v 1.3 2002/06/09 06:15:15 todd Exp $
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    domain\\myusername * mypassword *

/etc/ppp/options:

    name domain\\myusername
    noauth
    noipdefault
    defaultroute
    debug

These are the error messages that I get in /var/log/messages:

    Sep 2 14:07:33 firewall3 pptp[31847]: anon log[main:pptp.c:267]: The synchronous pptp option is NOT activated
    Sep 2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
    Sep 2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
    Sep 2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
    Sep 2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
    Sep 2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
    Sep 2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 8872).
    Sep 2 14:07:34 firewall3 pppd[11145]: pppd 2.3.5 started by elira, uid 0
    Sep 2 14:07:34 firewall3 pppd[11145]: Using interface ppp0
    Sep 2 14:07:34 firewall3 pppd[11145]: Connect: ppp0 -- /dev/ttyp1
    Sep 2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 0
    Sep 2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:953]: send_accm is , recv_accm is
    Sep 2 14:07:37 firewall3 pptp[20169]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
    Sep 2 14:07:37 firewall3 pppd[11145]: LCP terminated by peer (o(M-K^@[EMAIL PROTECTED]@^BM-3)
    Sep 2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 0
    Sep 2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:953]: send_accm is , recv_accm is
    Sep 2 14:07:37 firewall3 pptp[20169]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
    Sep 2 14:07:37 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:912]: Received Call Clear Request.
    Sep 2 14:07:40 firewall3 pppd[11145]: Connection terminated.
    Sep 2 14:07:41 firewall3 pptp[11481]: anon warn[decaps_hdlc:pptp_gre.c:197]: short read (0): Invalid argument
    Sep 2 14:07:41 firewall3 pptp[20169]: anon log[callmgr_main:pptp_callmgr.c:231]: Closing connection (unhandled)
    Sep 2 14:07:41 firewall3 pptp[20169]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
    Sep 2 14:07:41 firewall3 pptp[20169]: anon log[call_callback:pptp_callmgr.c:78]: Closing connection (call state)

Right now I'm all out of ideas. Any help would be greatly appreciated. If anyone knows of any basic setup instructions for pptp on OpenBSD I would love to see them.

Thanks,
- Eli
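The two failure logs on this page stop at different layers: in the OpenBSD 4.1 post the control connection never opens, while in the log above the control connection and the outgoing call are established and pppd then reports that the peer terminated LCP. The following is an added example, not code from the posts or from pptpclient: it reports how far an attempt got, matching only message strings that appear in those logs. The stage names and function names are made up here, and the sample lines are copied from the two posts.

```sh
#!/bin/sh
# Added example: report how far a pptp attempt got, from syslog text on stdin.
# Output: "<stage> ctrl_fail=<n> accm_warn=<n>"
#   control-timeout      control connection to the server never opened
#   control-established  control connection up, no call yet
#   call-established     outgoing call up, no LCP termination seen
#   ppp-lcp-terminated   call was up, then the peer ended LCP
pptp_stage() {
    awk '
        /Could not open control connection/     { ctrl_fail++ }
        /Client connection established/         { ctrl_ok = 1 }
        /Outgoing call established/             { call_ok = 1 }
        /LCP terminated by peer/                { lcp_term = 1 }
        /Non-zero Async Control Character Maps/ { accm++ }
        END {
            if (call_ok && lcp_term) stage = "ppp-lcp-terminated"
            else if (call_ok)        stage = "call-established"
            else if (ctrl_ok)        stage = "control-established"
            else if (ctrl_fail)      stage = "control-timeout"
            else                     stage = "unknown"
            printf "%s ctrl_fail=%d accm_warn=%d\n", stage, ctrl_fail, accm
        }'
}

# Sample lines copied from the OpenBSD 4.1 post on this page.
sample_timeout_log() {
cat <<'EOF'
Jul 9 13:37:09 MyBSD pptp[31817]: anon warn[open_inetsock:pptp_callmgr.c:326]: connect: Connection timed out
Jul 9 13:37:09 MyBSD pptp[31817]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.18.208.84
Jul 9 13:37:10 MyBSD ppp[8850]: tun0: Warning: Carrier settings ignored
Jul 9 13:37:28 MyBSD pptp[11362]: anon fatal[callmgr_main:pptp_callmgr.c:124]: Could not open control connection to 83.16.208.84
EOF
}

# Sample lines copied from the OpenBSD 3.6 post on this page.
sample_lcp_log() {
cat <<'EOF'
Sep 2 14:07:33 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Sep 2 14:07:34 firewall3 pptp[20169]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 8872).
Sep 2 14:07:34 firewall3 pppd[11145]: pppd 2.3.5 started by elira, uid 0
Sep 2 14:07:37 firewall3 pptp[20169]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
Sep 2 14:07:37 firewall3 pppd[11145]: LCP terminated by peer (o(M-K^@[EMAIL PROTECTED]@^BM-3)
EOF
}

sample_timeout_log | pptp_stage
sample_lcp_log     | pptp_stage
```

A `control-timeout` result points at reachability of the server (routing or filtering), while `ppp-lcp-terminated` points at the PPP daemon and its negotiation settings, which is the layer the replies about pppd(8) versus userland ppp(8) are discussing.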