Linux VPN Client setup info
Prerequisites
- VPN registration (VPN registration page)
- Kernel support for MPPE (Microsoft Point-to-Point Encryption)
- PPP daemon support for MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) and MPPE
- PPTP software (Point-to-Point Tunneling Protocol)
- Working Internet connection ;-)
We cannot provide that; you must set it up yourself ;-) (Please note that a
33Kbps modem connection will work, but SLOWLY: MPPE encryption adds
significant overhead.)
- Precompiled (for RedHat 7.*) pptp-linux and ppp rpms are available at:
pptpclient.sourceforge.net
- Source rpms for above are available at:
pptpclient.sourceforge.net
- Patches applied to the standard RedHat packages are here: INSERT
- A tarball archive of a patched pppd source as well as the kernel modules is available at:
fiu-scs
NOTE: You only need this tarball if you are not running RedHat or Debian, or if you want to compile and install the packages you need from source.
Setup
Once you've downloaded all the above software, proceed (as root on your
machine) to the PPTP configuration below.
PPTP configuration
The following is a screen dump of the configuration utility. User input is the
text typed after each prompt (it was marked in blue on the original page).
[root@lisa root]# /usr/sbin/pptp-command
1.) start
2.) stop
3.) setup
4.) quit
What task would you like to do?: 3
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 1
1.) List CHAP secrets
2.) Add a New CHAP secret
3.) Delete a CHAP secret
4.) Quit
?: 2
Add a NEW CHAP secret.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name:
This is the 'local' identifier for CHAP authentication.
NOTE: If the server is a Windows NT machine, the local name
should be your Windows NT username including domain.
For example:
domain\\username
Local Name: username
Remote Name:
This is the 'remote' identifier for CHAP authentication.
In most cases, this can be left as the default. It must be
set if you have multiple CHAP secrets with the same local name
and different passwords. Just press ENTER to keep the default.
Remote Name [PPTP]:*
Password:
This is the password or CHAP secret for the account specified. The
password will not be echoed.
Password: ************* (your NICE password)
Adding secret username * ***********
1.) List CHAP secrets
2.) Add a New CHAP secret
3.) Delete a CHAP secret
4.) Quit
?: 4
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 4
Add a NEW PPTP Tunnel.
1.) Other
Which configuration would you like to use?: 1
Tunnel Name: FIUSCS
Server IP: vpn.cs.fiu.edu
What route(s) would you like to add when the tunnel comes up?
This is usually a route to your internal network behind the PPTP server.
You can use TUNNEL_DEV and DEF_GW as in /etc/pptp.d/ config file
TUNNEL_DEV is replaced by the device of the tunnel interface.
DEF_GW is replaced by the existing default gateway.
The syntax to use is the same as the route(8) command.
Enter a blank line to stop.
route: add -host vpn.cs.fiu.edu gw DEF_GW
NOTE: replace DEF_GW above with the IP address of your local gateway
route: add -net 131.94.0.0 netmask 255.255.0.0 ppp0
route:
Local Name and Remote Name should match a configured CHAP or PAP secret.
Local Name is probably your NT domain\username.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name: username
Remote Name [PPTP]: *
Adding FIUSCS - vpn.cs.fiu.edu - username - PPTP
Added tunnel FIUSCS
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 7
1.) FIUSCS
2.) cancel
Which tunnel do you want to be the default?: 1
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 8
[root@lisa root]#
Notes:
The above configuration routes through the tunnel, and therefore encrypts,
ONLY your traffic to FIU networks. All other traffic from your machine goes
unencrypted over your ordinary Internet connection to your provider.
Your NICE password is stored in CLEARTEXT in /etc/ppp/chap-secrets. (This could be a security problem on multi-user machines...)
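Because the CHAP secret sits in cleartext in /etc/ppp/chap-secrets, the one thing you can do on a multi-user machine is make sure nobody but root can read the file. The following script is an added example, not part of the FIU page or of the pptp-client project; it assumes GNU stat (as shipped with RedHat and Debian) and checks that the secrets file has no group or other permission bits set, printing the fix if it does.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the pppd secrets
# file is readable only by its owner. Assumes GNU 'stat -c' (RedHat/Debian).

# Return 0 if FILE exists and has no permission bits for group or other
# (mode 600, 400 or stricter); return 1 otherwise.
chap_secrets_private() {
    f="${1:-/etc/ppp/chap-secrets}"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report the state of the secrets file and print the fix when it is needed.
# Exit status: 0 = private, 1 = readable by others, 2 = file missing.
check_chap_secrets() {
    f="${1:-/etc/ppp/chap-secrets}"
    if [ ! -f "$f" ]; then
        echo "NOTE: $f does not exist (no CHAP secret stored yet)"
        return 2
    fi
    if chap_secrets_private "$f"; then
        echo "OK: $f (mode $(stat -c '%a' "$f")) is readable only by $(stat -c '%U' "$f")"
        return 0
    fi
    echo "WARNING: $f (mode $(stat -c '%a' "$f")) is readable by other users; fix with:"
    echo "    chown root:root $f && chmod 600 $f"
    return 1
}

# Check the path given as the first argument (default /etc/ppp/chap-secrets).
# The '|| :' keeps a failing check from aborting a shell running with 'set -e'.
check_chap_secrets "$@" || :
```

Tightening the mode only limits who can read the file; the secret itself is still stored in the clear, which is why the page warns about shared machines.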
Test it
Run
[root@lisa root]# /usr/sbin/pptp-command start
You should see output similar to the following:
Route: add -host vpn.cs.fiu.edu gw 64.129.118.41 added
Route: add -net 131.94.0.0 netmask 255.255.0.0 ppp0 added
All routes added.
Tunnel FIUSCS is active on ppp0. IP Address: 131.94.127.*
To verify that your tunnel is running you may try:
[root@lisa root]# traceroute www.cs.fiu.edu
traceroute to leopard.cs.fiu.edu (131.94.125.219), 30 hops max, 38 byte packets
1 vpn.cs.fiu.edu (131.94.127.129) 68.169 ms 70.184 ms 80.097 ms
2 sagwa.cs.fiu.edu (131.94.133.5) 80.163 ms 79.496 ms 69.764 ms
3 leopard.cs.fiu.edu (131.94.125.219) 84.726 ms 79.591 ms 79.936 ms
[root@lisa root]#
Your first hop on the route should be named INSERT
To stop the tunnel use:
[root@lisa root]# /usr/sbin/pptp-command stop
Sending HUP signal to PPTP processes...
[root@lisa root]#
To see the tunnel state use:
[root@lisa root]# /usr/sbin/pptp-command status
There is probably not a pptp tunnel up
[root@lisa root]#
(As you can see from the output above, the state detection is somewhat flaky ...)
NOTE: pptp-command is not very clever: watch out for starting the tunnel
multiple times ...
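Since the status detection of pptp-command is unreliable, a more dependable check is to look at the kernel routing table for the 131.94.0.0/16 route on a ppp interface and to confirm that the first traceroute hop is the VPN server, as the "Test it" section shows. The script below is an added example, not part of the original page or of pptp-client; the parsers take command output on stdin, the embedded sample outputs are constructed (modelled on the page's transcript and the net-tools 'route -n' format), and the expected first-hop name vpn.cs.fiu.edu is taken from the sample traceroute above.

```shell
#!/bin/sh
# Added example (not from the original page): verify the PPTP tunnel from the
# routing table and the first traceroute hop instead of 'pptp-command status'.

# Print the hostname of hop 1 from traceroute output read on stdin.
first_hop() {
    awk '$1 == "1" { print $2; exit }'
}

# Return 0 if the routing table on stdin ('route -n' / 'netstat -rn' format:
# Destination Gateway Genmask Flags Metric Ref Use Iface) sends
# 131.94.0.0/16 through a ppp interface, 1 otherwise.
fiu_route_present() {
    awk '$1 == "131.94.0.0" && $3 == "255.255.0.0" && $NF ~ /^ppp[0-9]+$/ { found = 1 }
         END { exit !found }'
}

# Live check on this machine; needs net-tools 'route' and network access.
# The expected first-hop name defaults to the one in the page's sample output.
verify_tunnel() {
    expected="${1:-vpn.cs.fiu.edu}"
    if ! route -n | fiu_route_present; then
        echo "FAIL: no route for 131.94.0.0/16 via a ppp interface; tunnel is down"
        return 1
    fi
    hop=$(traceroute -m 1 -q 1 www.cs.fiu.edu 2>/dev/null | first_hop)
    if [ "$hop" = "$expected" ]; then
        echo "OK: tunnel route present and first hop is $hop"
        return 0
    fi
    echo "FAIL: route present but first hop is '${hop:-none}', expected $expected"
    return 1
}

# Constructed sample outputs used to exercise the parsers offline.
SAMPLE_TRACEROUTE='traceroute to leopard.cs.fiu.edu (131.94.125.219), 30 hops max, 38 byte packets
 1  vpn.cs.fiu.edu (131.94.127.129)  68.169 ms  70.184 ms  80.097 ms
 2  sagwa.cs.fiu.edu (131.94.133.5)  80.163 ms  79.496 ms  69.764 ms'
SAMPLE_ROUTE_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
131.94.127.129  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
131.94.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'
SAMPLE_ROUTE_DOWN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

if [ "${1:-}" = "--live" ]; then
    verify_tunnel "${2:-vpn.cs.fiu.edu}"
else
    echo "first hop in sample traceroute: $(printf '%s\n' "$SAMPLE_TRACEROUTE" | first_hop)"
    if printf '%s\n' "$SAMPLE_ROUTE_UP" | fiu_route_present; then
        echo "sample routing table (tunnel up): FIU route present"
    fi
    if ! printf '%s\n' "$SAMPLE_ROUTE_DOWN" | fiu_route_present; then
        echo "sample routing table (tunnel down): FIU route missing"
    fi
fi
```

Run it without arguments to see the parsers applied to the samples, or with `--live` (optionally followed by the expected first-hop name) after `pptp-command start` to check the real tunnel.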
Troubleshooting
- Are you registered?
- Have you supplied the correct VPN userid and password?
- Is your underlying Internet connection working?
- Debug your connection attempts:
Add the debug keyword to /etc/ppp/options.pptp
Edit your /etc/syslog.conf to contain the line: *.* /var/log/messages
Restart syslog: /sbin/service syslog restart
Watch the debug output with: tail -f /var/log/messages
during subsequent attempts
- Consult the documentation: http://pptpclient.sourceforge.net.
- What works over the tunnel? Everything using IP should work; let me know about any exceptions you find ..
Support