LinuxQuestions.org

Linux - Networking: VPN Server Problem (https://www.linuxquestions.org/questions/linux-networking-3/vpn-server-problem-552138/)

moenterprise 05-07-2007 11:41 PM

VPN Server Problem
 
Ok. Here's the deal. I'm trying to set up a VPN server so my clients can connect to my server's PDC in a remote place. I have installed ppp, pptp and pptpd. I have also opened port 1723 on the firewall and on my router. My router is a D-Link DI-614+. When I try to connect, I get error 619. If I look in the logs I get:

Code:

pptpd[1803]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[1803]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

Anyone want to take a look at my configuration files?

RobynWoodall 05-08-2007 04:40 PM

pptp is not a tcp or udp protocol, so just opening up port 1723 is usually not enough. pptp's protocol is "gre" - as the errors indicate. Normally the firewall has to support "gre" to pass it through - not all routers/firewalls support "gre" pass-through. I don't know the DI-614+, but you have two options - find the gre/pptp pass-through option (if it has it - usually just a tick box), or does the DI-614+ support VPN itself?

moenterprise 05-08-2007 10:15 PM

Hmmmm. I can't find any gre option but there was a default virtual server setting for PPTP so I'm assuming it supports PPTP.

RobynWoodall 05-08-2007 11:10 PM

I know this does not help with your D-Link, but a quick google (pptp gre firewall) shows a similar situation with Smoothwall - http://martybugs.net/smoothwall/vpn.cgi which says:

Background:
A PPTP VPN server requires TCP port 1723 forwarded to the VPN server, as well as the GRE protocol (protocol 47).

As the Smoothwall web interface doesn't provide functionality for forwarding the GRE protocol, you'll have to edit the firewall script.


When I say "supports PPTP" there are two ways a router/firewall can support PPTP: 1) pass it through to another device (what I assume you are doing) and/or 2) answer the VPN itself.

Have you VPNed to your pptp server from the inside (i.e. not through the D-Link)? That would confirm your server is in fact OK and the problem lies with the D-Link's GRE support/config.
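The two rules RobynWoodall is describing, as they look on the Linux server's own packet filter, in an added example that is not from this thread or from pptpd. It audits an iptables-save dump for an INPUT rule accepting TCP/1723 (the control channel) and one accepting IP protocol 47, GRE (the tunnel), and prints the commands that would add a missing one. The two dumps, the chain policies and the interface name eth0 are constructed for the example; pptp_fw_check and pptp_fw_rules are the example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for what a
# PPTP server must accept -- TCP/1723 for the control channel and IP protocol
# 47 (GRE) for the tunnel -- so the missing GRE rule shows up in a config
# review instead of as "error 619" at the client.

# Constructed dump: a host with only the TCP rule. The control channel comes
# up, then every GRE packet from the client is dropped by the INPUT policy.
BAD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT'

# Constructed dump: the same host after the GRE rule is added.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
COMMIT'

# pptp_fw_check DUMP
#   Prints "tcp1723=yes|no gre=yes|no"; exit status 0 only when the filter
#   table's INPUT chain accepts both.  Only the filter table is consulted:
#   a nat entry for 1723 does not make the host accept the packet.
pptp_fw_check() {
    filter=$(printf '%s\n' "$1" | awk '/^\*filter/ { f = 1; next } /^COMMIT/ { f = 0 } f')
    tcp=no
    gre=no
    printf '%s\n' "$filter" | grep -Eq -- '^-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT' && tcp=yes
    # GRE may be written by name or by protocol number.
    printf '%s\n' "$filter" | grep -Eq -- '^-A INPUT .*-p (gre|47) .*-j ACCEPT' && gre=yes
    echo "tcp1723=$tcp gre=$gre"
    [ "$tcp" = yes ] && [ "$gre" = yes ]
}

# pptp_fw_rules IFACE
#   Prints the two iptables commands that close the gap, scoped to the
#   interface the VPN clients arrive on (eth0 is an assumption below).
pptp_fw_rules() {
    printf 'iptables -A INPUT -i %s -p tcp --dport 1723 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -i %s -p gre -j ACCEPT\n' "$1"
}

# Usage: audit both constructed dumps.
pptp_fw_check "$BAD_DUMP" || { echo 'missing rules, apply:'; pptp_fw_rules eth0; }
pptp_fw_check "$GOOD_DUMP"
```

Run it against the output of `iptables-save` from the server. A port-forward for 1723 on the router is irrelevant to this check, because only the server's filter INPUT chain decides whether the GRE packets are accepted once they arrive.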

moenterprise 05-09-2007 11:11 PM

I don't think it works when I use 127.0.0.1. I am using pptpclient.

RobynWoodall 05-10-2007 06:28 PM

No, sorry, I did not mean inside to be 127.0.0.1 but another machine on the same subnet. Say your PPTP server is 192.168.1.100/24; add your pptp client PC at say 192.168.1.101 and pptp to 192.168.1.100 and debug. Once that is working OK but it still does not work via the D-Link, it would kind of confirm it is a D-Link PPTP pass-through issue.

scheidel21 05-10-2007 10:58 PM

There should be a pptp passthrough option on the D-Link router; it will open GRE and the pptp port for you. I had difficulty setting up my pptp server and encountered the same error. I wish I could remember what I did to fix it so I could tell you, but I don't think it's your router. Let us see your configs, or do a search on my name for posts; it should lead you to some info about pptp setup.

moenterprise 05-11-2007 07:37 AM

Which config file do you want first?

scheidel21 05-11-2007 11:38 AM

Start with your pptp config and your pppd config file.

moenterprise 05-11-2007 10:11 PM

/etc/pptp.conf:

Code:

###############################################################################
# $Id: pptpd.conf,v 1.8 2004/04/28 11:36:07 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#        Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#        Specifies the location of the PPP options file.
#        By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#        Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#        Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#      Suppress the passing of the client's IP address to PPP, which is
#      done by default otherwise.
#
#noipparam

# TAG: logwtmp
#        Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#        Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#        Specifies the local and remote IP address ranges.
#
#      Any addresses work as long as the local machine takes care of the
#      routing.  But if you want to use MS-Windows networking, you should
#      use IP addresses out of the LAN address space and use the proxyarp
#      option in the pppd options file, or run bcrelay.
#
#        You can specify single IP addresses separated by commas or you can
#        specify ranges, or both. For example:
#
#                192.168.0.234,192.168.0.245-249,192.168.0.254
#
#        IMPORTANT RESTRICTIONS:
#
#        1. No spaces are permitted between commas or within addresses.
#
#        2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#        3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#        4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

/etc/pptpd.conf:
Code:

###############################################################################
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#        Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#        Specifies the location of the PPP options file.
#        By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#        Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#        Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#      Suppress the passing of the client's IP address to PPP, which is
#      done by default otherwise.
#
#noipparam

# TAG: logwtmp
#        Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#        Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#        Delegates the allocation of client IP addresses to pppd.
#
#      Without this option, which is the default, pptpd manages the list of
#      IP addresses for clients and passes the next free address to pppd.
#      With this option, pptpd does not pass an address, and so pppd may use
#      radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#      Limits the number of client connections that may be accepted.
#
#      If pptpd is allocating IP addresses (e.g. delegate is not
#      used) then the number of connections is also limited by the
#      remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#        Specifies the local and remote IP address ranges.
#
#        These options are ignored if delegate option is set.
#
#      Any addresses work as long as the local machine takes care of the
#      routing.  But if you want to use MS-Windows networking, you should
#      use IP addresses out of the LAN address space and use the proxyarp
#      option in the pppd options file, or run bcrelay.
#
#        You can specify single IP addresses separated by commas or you can
#        specify ranges, or both. For example:
#
#                192.168.0.234,192.168.0.245-249,192.168.0.254
#
#        IMPORTANT RESTRICTIONS:
#
#        1. No spaces are permitted between commas or within addresses.
#
#        2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs.  Others will be ignored.
#
#        3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#        4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245


scheidel21 05-12-2007 12:40 PM

First, you need to actually have a pool of addresses for use by the clients, so you have to enable the localip and remoteip tags. Next step: post your pppd configuration for the actual ppp protocol daemon. Additionally, isn't there an options file for routing? I would like to see that too.
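A check for the point scheidel21 makes, added here as an example and not taken from the thread or from pptpd: it reads a pptpd.conf, reports whether localip and remoteip are active rather than commented out, expands the remoteip list using the range rules the sample file documents (comma-separated, no spaces, last-octet ranges written out in full), and compares the pool with the connections limit. The two sample files are constructed, one mirroring the posted file with both tags still commented out; conf_value, remoteip_expand and pptpd_pool_check are the example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): does this pptpd.conf give pptpd an
# address pool to hand out?  Follows the restrictions listed in the sample
# file: commas, no spaces, ranges such as 234-238 (234-8 is not a range).

# conf_value FILE TAG -> prints the value of an active (uncommented) TAG line.
# Exit 1 when the tag is absent or commented out, 2 when the line carries extra
# tokens (for instance a space after a comma, which pptpd does not permit).
conf_value() {
    awk -v tag="$2" '
        BEGIN { rc = 1 }
        $1 == tag { if (NF == 2) { print $2; rc = 0 } else { print "malformed"; rc = 2 }; exit }
        END { exit rc }' "$1"
}

# remoteip_expand LIST -> one address per line; exit 1 on a malformed entry
# (wrong number of octets, or a range whose end is below its start).
remoteip_expand() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F '[.-]' '
        BEGIN { bad = 0 }
        NF == 4 { print $1 "." $2 "." $3 "." $4; next }
        NF == 5 && $4 <= $5 { for (i = $4; i <= $5; i++) print $1 "." $2 "." $3 "." i; next }
        { bad = 1 }
        END { exit bad }'
}

# pptpd_pool_check FILE
#   Prints "localip=<addr|none> remoteip=<count> connections=<n> usable=<m>",
#   where usable applies restriction 2 of the sample file (addresses beyond the
#   connections limit are ignored).  Exit 0 only when a client can get an address.
pptpd_pool_check() {
    lip=$(conf_value "$1" localip) || lip=none
    rip=$(conf_value "$1" remoteip); rc=$?
    if [ "$rc" -eq 2 ]; then echo "remoteip line malformed (spaces?)"; return 2; fi
    [ "$rc" -eq 0 ] || rip=""
    conns=$(conf_value "$1" connections) || conns=100   # default stated in the sample file
    if [ -n "$rip" ]; then
        pool=$(remoteip_expand "$rip") || { echo "remoteip malformed: $rip"; return 2; }
        n=$(printf '%s\n' "$pool" | grep -c .)
    else
        n=0
    fi
    if [ "$n" -gt "$conns" ]; then usable=$conns; else usable=$n; fi
    echo "localip=$lip remoteip=$n connections=$conns usable=$usable"
    [ "$lip" != none ] && [ "$n" -ge 1 ]
}

# Constructed samples, written to temp files so the functions run as-is.
# UNSET_CONF mirrors the posted file: both pool tags still commented out.
UNSET_CONF=$(mktemp)
POOL_CONF=$(mktemp)
trap 'rm -f "$UNSET_CONF" "$POOL_CONF"' EXIT
printf '%s\n' 'option /etc/ppp/options.pptpd' 'logwtmp' \
    '#localip 192.168.0.1' '#remoteip 192.168.0.234-238,192.168.0.245' > "$UNSET_CONF"
# POOL_CONF enables a pool using the sample file's own example list (7 addresses)
# but caps connections at 4, so only the first four are ever handed out.
printf '%s\n' 'option /etc/ppp/options.pptpd' 'logwtmp' 'connections 4' \
    'localip 192.168.0.1' 'remoteip 192.168.0.234,192.168.0.245-249,192.168.0.254' > "$POOL_CONF"

# Usage: the first fails (no pool), the second passes.
pptpd_pool_check "$UNSET_CONF" || echo "no pool: uncomment localip/remoteip"
pptpd_pool_check "$POOL_CONF"
```

Point it at the real /etc/pptpd.conf after editing; a non-zero exit with `remoteip=0` is the state of the file posted above, where every localip and remoteip line is still a comment.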

jwaustin 05-17-2007 08:24 AM

I found the following on the D-Link web site after much gnashing of teeth about my network. Try this link: support.dlink.com and look under the FAQ for your particular router. This entry was one of the selections on the navigation column under VPN Support. It appears to work, as Wireshark shows two-way GRE traffic in the PPP pipe.

PPTP VPN

Print Protocols have 8 bit identification numbers that are specified in the TCP header. PPTP uses Protocol Id 47 which is GRE. Protocol 6 is TCP. This identifies what protocol is being used.

This router does not support specific rules for specific protocols other than TCP or UDP. The correct Virtual Server entry will however forward Protocol ID 47/GRE properly.

Make sure you have the latest firmware. To upgrade, visit support.dlink.com/faq/view.asp?prod_id=966. After flashing the firmware reset the router. Reconfigure your WAN interface to connect with your ISP. Verify Internet connection.

In Virtual Server make 1 entry for your PPTP/GRE connection. Use TCP port 1723 and forward to your MS VPN (PPTP/GRE) server. This has to be TCP (not UDP or Both). After applying settings, check Firewall section for a TCP 1723 entry and a PPTP_GRE entry. Now connect to your WAN IP address using your MS VPN client from the WAN (this will not work from LAN using the WAN IP to loopback to LAN).

Note: PPTP pass-through does not need to be enabled in the Tools > Misc section.

moenterprise 05-18-2007 01:12 PM

Quote:

Originally Posted by jwaustin
I found the following on the D-Link web site after much gnashing of teeth about my network. Try this link: support.dlink.com and look under the FAQ for your particular router. This entry was one of the selections on the navigation column under VPN Support. It appears to work, as Wireshark shows two-way GRE traffic in the PPP pipe.

PPTP VPN

Print Protocols have 8 bit identification numbers that are specified in the TCP header. PPTP uses Protocol Id 47 which is GRE. Protocol 6 is TCP. This identifies what protocol is being used.

This router does not support specific rules for specific protocols other than TCP or UDP. The correct Virtual Server entry will however forward Protocol ID 47/GRE properly.

Make sure you have the latest firmware. To upgrade, visit support.dlink.com/faq/view.asp?prod_id=966. After flashing the firmware reset the router. Reconfigure your WAN interface to connect with your ISP. Verify Internet connection.

In Virtual Server make 1 entry for your PPTP/GRE connection. Use TCP port 1723 and forward to your MS VPN (PPTP/GRE) server. This has to be TCP (not UDP or Both). After applying settings, check Firewall section for a TCP 1723 entry and a PPTP_GRE entry. Now connect to your WAN IP address using your MS VPN client from the WAN (this will not work from LAN using the WAN IP to loopback to LAN).

Note: PPTP pass-through does not need to be enabled in the Tools > Misc section.

Thanks, that part is solved.

But I still can't connect locally. Do you think it could be my firewall, since there is a GRE read error?

jwaustin 05-20-2007 11:35 AM

I have the impression that you can't connect remotely to the domain from within the domain. Is that what you mean?

moenterprise 05-20-2007 07:40 PM

Quote:

Originally Posted by jwaustin
I have the impression that you can't connect remotely to the domain from within the domain. Is that what you mean?

No, that's not what I mean. I have two computers, one running Fedora Core 6 (the VPN server) and one running Windows XP Professional. They are connected through a D-Link DI-614+ router. I am trying to establish a connection from the XP one to the Fedora one using the internal IP address assigned by the router (192.168.249.105).
