PPTP VPN can't connect to LAN
I have a LAN with two Windows XP machines and one Linux Red Hat 9.0 machine (controlled by ssh with X-Win32), both connected to a router with an ADSL connection.
On the Linux machine I have installed Samba and PPTP as VPN server.
It works really fine; the VPN clients can connect and see the Samba server in Windows, but there are still two big problems.
1. The VPN clients cannot ping or see other VPN clients connected to the server.
2. The VPN clients cannot see my Windows XP machine. Also I am unable to ping the VPN clients from my Windows machine.
I read the official FAQs and lots of forums but it didn't work.
Router IP: 192.168.1.1
Windows machines' IPs: 192.168.1.9 / 19
Linux IP: 192.168.1.20
PPTP VPN clients start with 192.168.1.21-254
I tried to set a route.
This was the example from a pptp sourceforge page:
# route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0
So I set
# route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0
after the first VPN client connected with 192.168.1.21 netmask 255.255.255.255 on ppp0.
If I set this # route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0
the Linux machine crashes: my ssh connection stops and I must restart the system by pressing the reset button.
Sometimes the system puts out an error message "wrong subnet mask", so I tried with the one of the ppp0 device
# route add -net 192.168.1.0 netmask 255.255.255.255 dev ppp0
The system accepts this but nothing changes. No client can reach any other.
There is no firewall on the system and also the router has a DMZ for the Linux machine.
Where is my mistake?
Are you connecting to the PPTP server from 'inside' the LAN?
If so, there will always be a routing loop if they are assigned LAN-based numbers from the pptp server.
The server won't know which interface, eth or ppp, to send the replies on...
They can't be local on both...
The ppp interface is a tunnel inside the ip connection, so only the pptp server can talk to it directly.
Give them different numbers and make the pptp server the default gateway for that new network.
The static route will need to be added to the XP clients.
Then when they connect via pptp, they should use the pptp server as their default route.
Then make sure bcrelay is loading to allow them to browse...
No, the VPN clients connect via the Internet to the Linux server.
The aim was that they could see my other Windows clients connected to the same network as the Linux server.
If I set my Linux server as default gateway, is it right that after that change the complete traffic of the VPN clients is routed over my ADSL connection? I only ask because of the connection speed. :D
And what about my local Windows clients?
They have the IPs 192.168.1.9 / 19.
If I change the VPN client IPs to 192.168.0.xxx, for example, I should have the same problem, because Windows can't ping other local IP ranges until I install a network bridge! Is that correct? Or should I also change the default gateway of the router to the Linux server as default gateway for my local Windows clients?
Sorry, but what is bcrelay?
Setting the default gateway on the clients is necessary when you are inside the LAN... to make sure packets go via the ppp tunnel rather than the eth card...
Connecting from inside the LAN is a good way of testing server configs.
From outside the LAN, yes, it would pass everything through the tunnel.
Not a good choice when you only want the LAN traffic on the tunnel ;)
Keep the IP numbers inside the LAN allocation for external clients; this way the proxy-arp and bcrelay programmes can work properly.
Both of these are used to pass packets into the tunnel that normally wouldn't be passed into a ppp link, e.g. ARP and broadcast packets.
You can use different IP subnets, it will work, but you need static routes in the clients if you don't use the default gateway into the ppp tunnel...
bcrelay is a compile option when you build pptpd, --with-bcrelay.
It may not be present in prebuilt binaries...
Check ps ax and see if it is running on the correct interface.
Also, do "which bcrelay" to find it if it isn't running. (/usr/local/sbin/)
The source package of pptpd has a file README.bcrelay explaining its operation etc.
OK, if I understand it right I should use the same IP address range for the VPN clients as my local LAN? I thought I should use different ranges because of the loopback problem?
2. Second problem: if I set the Linux server as default gateway for my Windows client, my Internet stops working and it changes nothing. I am not able to ping my VPN clients from my Windows machine!
3. Where the hell must I set the static route in M$ Windows? I know this is not a Windows forum but please help. Or do you mean I must set a route with
# route add -net IP netmask NETMASK dev pppX   (one for each client)
in Linux? I also tried this but it changes nothing.
Sorry for the delay answering.
1. Use the same IP numbers as the LAN if you are connecting from outside the LAN.
Use different numbers if you are testing from inside the LAN.
2. Setting the default gateway is an option in the PPTP setup in M$.
You must use it if you want to test inside the LAN, otherwise best not to.
With it on, you should be able to ping and resolve correctly from the M$ clients. If not, fix that first.
Ping from the M$ client first to the Linux server, then to an outside IP number, then to an outside domain name.
Then you can try pinging the LAN by IP number.
3. The static routes in the M$ LAN PCs would only be necessary when testing the M$ clients inside the LAN.
Routes are automatically added to the Linux server when pptpd starts a connection.
Do ROUTE /? for help in an M$ command window.
PopTop (pptpd) uses proxy arp to redirect pings etc. into the pptp tunnel.
You can watch this activity with tcpdump on the Linux server. Do man tcpdump for more info.
There are debug options in both pptpd.options and pptpd.conf.
Add both to get more logging output.
The browsing function is handled by the bcrelay programme.
If it's not running, you can only work with IP numbers, not the Net Neighbourhood.
I've never had any success putting M$ network devices inside a DMZ.
The DMZ can block broadcast packets, deny new connections from the DMZ outward etc.
I tried and tried and now I am tired of trying.
It won't work. I also stopped trying to reach my local LAN.
First I want my VPN clients to be able to communicate with each other.
My server can ping them. They can ping my server, but the same problem as before: they cannot ping each other!
I also tried with different IP ranges, one for my local and one for my VPN network. I enabled and disabled proxyarp and tried to set the routes explained in the FAQ of PopTop.org.
No chance. Every time the same problem. It seems that it is unimportant what I change in the pptp configuration; after I restart the service I have the same problems every time!
Could you give me a complete example of the configuration files
and the exact parameters for the routes I must add, and every other thing that I must change?
I am now using
SUSE Linux 9.0 Professional, pptp included.
Everything is fine.
I activated IP forwarding for the Ethernet card in my server and everything is working.
The clients see each other and my local LAN.
But how can I activate the hostnames of each client so that I am not forced to use the IP to see their files in Windows and Samba?
Good news... ;)
You can add the WINS server address in your options.pptp file... last couple of lines...
It's great, everything is working without problems.
I added the IP of the WINS server, which I activated first in the smb.conf of my Samba server.
The Windows Net Neighbourhood is working fine, and I think much faster than the common Windows VPN.
Thanks for all the help!
PPTP VPN pptpd connects but no access
Windows XP, Unix, Linux Ubuntu network.
Goal: to connect remotely through VPN to this network and access resources on any PC (also browse the Internet when connected).
So far I can establish a VPN connection and access the VPN server only.
Past that nothing. Pings are dead.
I have a Netgear router, static IP/NAT/router (LAN IP 192.168.1.1).
Port forwarded to VPN server 192.168.1.12.
Ubuntu 6.10, pptpd, 192.168.1.12 on eth0 and 192.168.1.13 on eth1.
The only config I changed was adding IP addresses in the config file:
local 192.168.1.12 (does this need to be the same as the server IP? or other? why have more than one IP here?)
remote 192.168.1.15-20 (does this need to be the same subnet as the server?)
bcrelay (should I put eth1 or eth0 here? like this):
Then I created a user.
What needs to be done to open up the communication past the VPN server?
Hints: add a NIC to bcrelay? what NIC and why?
- change my local and remote IP configuration? how and why?
- enable IP forwarding on the VPN server? how and why?
- routing table changes? how and why?
- other? what? how? and why?
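Both threads arrive at the same setup: VPN clients numbered inside the LAN range, proxyarp so the server answers ARP for them on the Ethernet side, IP forwarding on the server (the change that fixed the first thread), bcrelay on the LAN interface for browsing, and a WINS address for names. The script below is an added example and is not code from either thread or from the pptpd project. It generates the two pptpd configuration files and provides small checks that need no root. Everything in it is a hypothetical value chosen to match the first thread (server 192.168.1.20 on eth0, pool 192.168.1.21-254, Samba acting as WINS on the server); the ps line used to test the bcrelay check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the pptpd project: generate the pptpd
# configuration the threads converge on (clients numbered inside the LAN range,
# proxyarp, bcrelay, WINS) and run a few checks that need no root.
# Hypothetical values: LAN 192.168.1.0/24, pptpd server 192.168.1.20 on eth0,
# client pool 192.168.1.21-254, Samba acting as WINS server on 192.168.1.20.

# /etc/pptpd.conf. localip is the server's end of every ppp link; one address
# (the server's own LAN address is fine) is reused for all links. remoteip is
# the pool handed to clients; keeping it inside the LAN /24 is what lets
# proxyarp and bcrelay make the clients look like LAN hosts.
gen_pptpd_conf() {
    localip="$1" pool="$2" lan_if="$3"
    cat <<EOF
option /etc/ppp/options.pptpd
localip $localip
remoteip $pool
# bcrelay takes the LAN interface; it copies LAN broadcasts (NetBIOS browsing)
# into the ppp links, which pppd alone never does
bcrelay $lan_if
EOF
}

# /etc/ppp/options.pptpd. proxyarp makes the server answer ARP on eth0 for each
# client's address, so LAN hosts hand the packet to the server, which forwards
# it into the tunnel. ms-wins gives clients the WINS address for name lookup.
gen_options_pptpd() {
    wins="$1"
    cat <<EOF
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
ms-wins $wins
lock
nobsdcomp
EOF
}

# Forwarding between eth0 and pppN is what finally fixed the first thread:
#   sysctl -w net.ipv4.ip_forward=1   (persist it in /etc/sysctl.conf)
# Takes the sysctl file path as an argument so it can be checked on a temp file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# String check (/24 only) that the client pool shares the LAN prefix, i.e. the
# "same numbers as the LAN" advice for clients connecting from the Internet.
pool_in_lan24() {
    lan_prefix=$(printf '%s' "$1" | cut -d. -f1-3)
    pool_prefix=$(printf '%s' "$2" | cut -d. -f1-3)
    [ "$lan_prefix" = "$pool_prefix" ]
}

# Feed it "ps ax" output on stdin: succeeds if a bcrelay process mentions the
# expected LAN interface. Run it after pptpd starts; bcrelay may be absent from
# prebuilt packages (it is a pptpd build option, --with-bcrelay).
bcrelay_running_on() {
    grep -v grep | grep -q "bcrelay.*$1"
}

# Do NOT add a route for the whole LAN onto a ppp device
# (route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0): it competes with
# the eth0 route for the same prefix. pppd adds a /32 host route per client by
# itself, which is all that is needed.

if [ "${1:-}" = "demo" ]; then
    gen_pptpd_conf 192.168.1.20 192.168.1.21-254 eth0
    echo '--'
    gen_options_pptpd 192.168.1.20
    ip_forward_enabled && echo 'ip_forward: on' || echo 'ip_forward: OFF, run sysctl -w net.ipv4.ip_forward=1'
fi
```

Run it with the argument demo to print both files; install them at the paths named in the comments, then confirm with ps ax | bcrelay_running_on eth0 that bcrelay is actually attached to the LAN interface before blaming routing for a missing Network Neighbourhood.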