routing table problems with pptp


puccio
08-18-2002, 03:16 AM
Hi, I am trying to connect to a VPN with my Linux box. The administrators told me to use pptp (and haven't said anything about mppe patches). I have some problems with the routing table, I suppose. This is what I did:
1) I started the dhcp client and I got this:
'ifconfig eth0':
eth0 Link encap:Ethernet HWaddr 00:E0:18:2C:5E:9A
inet addr:10.10.74.118 Bcast:10.10.79.255 Mask:255.255.240.0

'route':
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.64.0 * 255.255.240.0 U 0 0 0 eth0
default 10.10.64.1 0.0.0.0 UG 0 0 0 eth0

2) I executed `pptp vpn-server debug name <myusername> defaultroute noauth' (they told me to do exactly this; I also edited pap-secrets accordingly) and I got this:
'ifconfig'
eth0 Link encap:Ethernet HWaddr 00:E0:18:2C:5E:9A
inet addr:10.10.74.118 Bcast:10.10.79.255 Mask:255.255.240.0

ppp0 Link encap:Point-to-Point Protocol
inet addr:129.177.43.114 P-t-P:129.177.43.1 Mask:255.255.255.255

'route':
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
uib-gw3.uib.no * 255.255.255.255 UH 0 0 ppp0
10.10.64.0 * 255.255.240.0 U 0 0 0 eth0
default 10.10.64.1 0.0.0.0 UG 0 0 0 eth0

I cannot connect, a traceroute shows that the packets do this:
1 10.10.64.1 (10.10.64.1) 0 ms 0 ms 0 ms
2 * 10.10.64.1 (10.10.64.1) 0 ms !H *
I was told to disable the dhcp client to ask for the default route ('routers') so that pptp could set the default one, but without a default route I can't launch pptp(get_host_name errors or something similar).
How can I fix the routing table?
My little knowledge of networking led me to do this:
route del default eth0
route add default ppp0
but the only thing that I obtain is that the ppp0 interface goes down after a while...
Thanks if you can help me avoid using windog to connect to the VPN server of my university, and sorry for the verbosity of the post..
puccio.

cowanrl
08-18-2002, 08:02 AM
I would say that you probably want to change your default gateway to point to 129.177.43.1. I would also say that uib-gw3.uib.no resolves to 129.177.43.1. You may want to try to ping it to be sure.

To add it as your default gateway use:

route add default gw uib-gw3.uib.no
or
route add default gw 129.177.43.1

Another problem I can see that you might have is in regards to your DNS servers. When you execute pptp, does it reset your DNS servers to something reachable via the 129.177 network?

If not, you could have a problem with name resolution if your DNS servers are not on your local 10.10.x network. You may have to create a static route so you can get to your DNS servers or change your DNS servers to something reachable through your VPN connection.

jumpedintothefire
08-18-2002, 06:12 PM
Changing the default route will kill the pptp connection....

To get pppd (pptp) to route to the remote network I use the /etc/ppp/ip-up.local file to set up the routing, you may have to create it. It contains something like this: (edit this to fit the remote network)

/sbin/route add -net 10.0.0.0 netmask 255.255.255.0 $1

You may also be blocking traffic to/from the ppp interface with your firewall script. Any iptables/ipchains rejects in /var/log/messages regarding ppp0?

To have your resolver look to the remote LAN's DNS servers, add "usepeerdns" to your options.pptp file.

more info in man pppd
and some examples at:

http://www.shorewall.net/PPTP.htm
The two-link script at the bottom is mine :D

Use the email address listed from here if you want help off list...

puccio
08-28-2002, 01:27 PM
Hi guys, thanks for the past attention to my question, but I still have the same problem. Maybe this can help you a bit more, since I am trying to go deeper into the m$ VPN structure of my University.
After the usual dhcp client and a pptp-command (but the result is the same if I just launch pptp and pass the pppd options), my ifconfig looks something like:

eth0 inet addr:10.10.77.103 Bcast:10.10.79.255 Mask:255.255.240.0

lo inet addr:127.0.0.1 Mask:255.0.0.0

ppp0 Link encap:Point-to-Point Protocol
inet addr:129.177.43.124 P-t-P:129.177.43.1 Mask:255.255.255.255

and my route is:
Destination Gateway Genmask Flags MSS Window irtt Iface
129.177.43.1 0.0.0.0 255.255.255.255 UH 40 0 0 ppp0
10.10.64.0 0.0.0.0 255.255.240.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 10.10.64.1 0.0.0.0 UG 40 0 0 eth0

The VPN server is clearly 129.177.43.1, and the gateway to reach it from my local LAN is 10.10.64.1 of course. In /etc/resolv.conf I have the DNS 10.0.0.3. If I tell pppd to usepeerdns, /etc/ppp/resolv.conf ends up with the ONLY line 129.177.30.3 (I suppose it should become my external DNS). I can receive a ping reply from both DNS servers, the gateway 10.10.64.1 and the VPN server 129.177.43.1, but when I try to go outside, for example if I ping www.awebsite.com, the name is resolved correctly into the IP address, but there is something wrong with the route To or From, I don't know..
I can connect from windog and a route PRINT here says a lot of lines, maybe too many:
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.64.1 10.10.76.115 2
0.0.0.0 0.0.0.0 129.177.43.156 129.177.43.156 1
10.0.0.3 255.255.255.255 10.10.64.1 10.10.76.115 1
10.10.64.0 255.255.240.0 10.10.76.115 10.10.76.115 2
10.10.76.115 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.10.76.115 10.10.76.115 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
129.177.0.0 255.255.0.0 129.177.43.156 129.177.43.156 1
129.177.43.156 255.255.255.255 127.0.0.1 127.0.0.1 1
129.177.255.255 255.255.255.255 129.177.43.156 129.177.43.156 1
224.0.0.0 224.0.0.0 10.10.76.115 10.10.76.115 1
224.0.0.0 224.0.0.0 129.177.43.156 129.177.43.156 1
255.255.255.255 255.255.255.255 129.177.43.156 129.177.43.156 1
Default Gateway: 129.177.43.156

Where 129.177.43.156 was the IP address of my ppp0 and 10.10.76.115 the eth0 address.
I have the mppe module installed and I don't actually filter anything.
Sorry for bothering you again :-)
puccio.

jumpedintothefire
08-28-2002, 02:26 PM
What options are you handing to pppd?

puccio
08-28-2002, 03:04 PM
Well, I connect to the VPN server with two kinds of scripts. The first one is the bash one suggested by the VPN administrators:
'/usr/sbin/pptp 129.177.43.1 debug name <my_pap_name> defaultroute noauth', so the pppd options are just defaultroute (that does nothing, because it is already set by the dhcp client) and noauth. In pap-secrets there are the matching user name and the password of course. I tried to add 'usepeerdns' to the parameters as well, and the result is that I have a file in /etc/ppp/ with (and only) the name server 129.177.30.3, as I said in the past message.
The other way is via the pptp-command perl script, whose /etc/ppp/options.pptp is:
#/etc/ppp/options.pptp
#Lock the port
lock
#
# We don't need the tunnel server to authenticate itself
#
noauth
#
# Turn off transmission protocols we know won't be used
#
nobsdcomp
nodeflate
#
# We want MPPE
#
mppe-40
mppe-128
mppe-stateless
#
# We want a sane mtu/mru
#
mtu 1000
mru 1000
#
# Time this thing out of it goes poof
#
#lcp-echo-failure 10
#lcp-echo-interval 10

I think that the /etc/ppp/options file is completely useless for both the scripts, because both look somewhere else for pppd options, the first one as command line parameters, the pptp-command in its options.pptp, isn't it so?
I think it is just a matter of setting up a proper routing...
I hope I have been exhaustive.
Thanks again.
puccio.

jumpedintothefire
08-28-2002, 06:53 PM
The options file has an effect on all ppp connections.
Try starting it without defaultroute and see what happens.
Try a traceroute out to the internet and see how the traffic is routed.

puccio
08-29-2002, 02:52 AM
Well, I am right now surfing with my linux box ;-)
Changing the (no)defaultroute option or not didn't produce any effect on the routing table. Instead, with just these three commands:
route del default
route add -net 10.0.0.0/8 gw 10.10.64.1 dev eth0
route add default gw <dynamic_ipaddress_ppp0> dev ppp0

Now I am quite happy :-)
Thanks for the help.
puccio.

jumpedintothefire
08-29-2002, 08:54 AM
I'm a bit confused, are you using pptp to get out to the net from the local LAN? That was not clear to me from your first post, sorry.

You can make those commands automatic by placing them in /etc/ppp/ip-up.local. You may have to create that file.

pppd will feed some variables to the above file, check man pppd for the $1-$6 variables.

<dynamic_ipaddress_ppp0> will be one of those variables
I'd add the -net route before deleting the gateway.

or

Don't set the default route on eth0 at all (Not sure if you could do that with dhcpcd or pump, the dhcp clients), add

'route add -net 10.0.0.0/8 gw 10.10.64.1 dev eth0',
'route del default dev eth0' # if required

to the rc.local file, and use defaultroute with pppd.



Hope it helps.
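A complete /etc/ppp/ip-up.local along the lines suggested in this post, as an added example that is not a script from the thread or from pppd. It assumes the LAN gateway 10.10.64.1 and the 10.0.0.0/8 campus network quoted earlier, uses the peer address pppd passes as $5 as the new default gateway, and adds the -net route before touching the default, as advised:

```shell
#!/bin/sh
# /etc/ppp/ip-up.local: pppd runs ip-up with $1=interface $2=tty $3=speed
# $4=local IP $5=remote (peer) IP $6=ipparam. Added example, not a script from
# the thread; the LAN gateway and campus network below are assumed from it.
LAN_GW=${LAN_GW:-10.10.64.1}
LAN_NET=${LAN_NET:-10.0.0.0/8}
ROUTE=${ROUTE:-/sbin/route}

# Emit the three route commands for a ppp interface and its peer, in the order
# suggested above: add the LAN route first so the DHCP default can be dropped
# without losing the path to the VPN server and the LAN DNS.
vpn_route_cmds() {
    iface=$1; peer=$2
    case $iface in
        ppp[0-9]*) ;;
        *) echo "vpn_route_cmds: $iface is not a ppp interface" >&2; return 1 ;;
    esac
    printf '%s add -net %s gw %s dev eth0\n' "$ROUTE" "$LAN_NET" "$LAN_GW"
    printf '%s del default\n' "$ROUTE"
    printf '%s add default gw %s dev %s\n' "$ROUTE" "$peer" "$iface"
}

# Run the commands (needs root); with DRY_RUN set they are only printed.
vpn_route_apply() {
    vpn_route_cmds "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd || exit 1; fi
    done
}

# When pppd invokes this file it passes at least six arguments.
if [ $# -ge 5 ]; then
    vpn_route_apply "$1" "$5"
fi
```

Run it by hand with DRY_RUN=1 and the interface name and peer address to see the exact commands before letting pppd call it.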

puccio
08-29-2002, 01:03 PM
Yes, I was just trying to get onto the Internet. I will try to see what happens with your suggestions!
Thanks
puccio.

puccio
09-06-2002, 02:31 PM
What if now I wanted to set up a firewall for my linux box? The IP I appear with on the Internet is the one provided by the VPN server (which acts as an ISP as well, because if I don't log in to it and obtain an IP on the ppp0 tunnel interface I can't get to the Internet). How do I have to filter the packets? I don't understand how the 2 interfaces (eth0 and ppp0) are related, assuming that the route table is still:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
uib-gw3.uib.no * 255.255.255.255 UH 0 0 0 ppp0
10.10.64.0 * 255.255.240.0 U 0 0 0 eth0
localnet 10.10.64.1 255.0.0.0 UG 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default tunnel-43-201.v 0.0.0.0 UG 0 0 0 ppp0

Thanks if you can help me again.

jumpedintothefire
09-06-2002, 07:10 PM
-----quote------
How do I have to filter the packets, because I don't understand how the 2 interfaces (eth0 and ppp0)
-----------------
Well, you have two network interfaces: eth0 is private and needs protection from others on the same LAN.

ppp0 is public and you need protection from everybody....


I'll work something up later and post it....

puccio
09-06-2002, 07:19 PM
Ok thanks, but the point is, the ppp0 tunnel interface has nothing to do with the private one as far as the traffic to the Internet is concerned? Because the DNS is on the private LAN, so how are the DNS messages sent there? Through the eth0? Do you suggest I modify /etc/resolv.conf adding a DNS entry that is on the public Net? And what about the gateway? Is it "transparent" for my iptables rules? Sorry for the so many questions but I am greedy to know more about VPN, do you have a nice HOWTO to suggest me? I haven't actually found one that fits my needs..
Thanks.

jumpedintothefire
09-06-2002, 07:36 PM
Ok thanks, but the point is, the ppp0 tunnel interface has nothing to do with the private one as far as the traffic to the Internet is concerned?

>> not really, you'll have traffic going to port 1723 and using protocol 47 (gre) across the private lan.

Because the DNS is on the private LAN, so how are the DNS messages sent there? Through the eth0? Do you suggest I modify /etc/resolv.conf adding a DNS entry that is on the public Net?

>> are you using "usepeerdns" in the options file for the vpn? If so, then resolv.conf would be changed to whatever is supplied by the vpn server. If not, then you're using whatever is in resolv.conf

And what about the gateway? Is it "transparent" for my iptables rules?

>>sort of, depends on how the rules are written...

Sorry for the so many questions but I am greedy to know more about VPN, do you have a nice HOWTO to suggest me? I haven't actually found one that fits my needs..

>> not really, this is not a 'standard' pptp setup....

How tight do you want the rules??
What do you plan on using the box for??

jumpedintothefire
09-07-2002, 12:21 AM
This should allow all client traffic from your box to the lan and inet, while blocking everything else that your box didn't start. If you're going to run any servers (samba, web, ftp) you'll need to open up some ports...
post back if you need an example
edit PPTPSRV to the one that you connect to.

puccio
09-07-2002, 03:42 AM
Thanks for the skeleton of the firewall, it will be very useful now that I have to open some ports. I would like to set up a web server (and maybe something else) ONLY for the LAN, so I will accept connections only from source 10.0.0.0/8, won't I?
For the other questions: no, I don't use 'usepeerdns', and in fact there is no *new* resolv.conf either in /etc or in /etc/ppp, so the DNS server is still the same (10.0.0.3) as set after the dhcp start up. So do I have to allow connections to it from/to my eth0 and/or my ppp0? I'm planning to make the rules more strict.
One last question: do the gre packets need the ip_gre module in the kernel? Because I have compiled it as a loadable module but lsmod doesn't show it...
I'll let you know, really thanks again.

jumpedintothefire
09-07-2002, 05:09 AM
I don't have that module loaded either.....

So set up your server and then open the ports on the lan interface...

$IPT -A INPUT -i $INTIF -p tcp --dport 80 -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $INTIF -p tcp --sport 80 -j ACCEPT

Only people on the lan will see it anyway...

If you want to restrict it more, use -s with as wide or narrow a range of ips as you like:
single host -s 192.168.0.1
network -s 192.168.0.0/24

Other than setting up some icmp rules/rate limiting, what are you going to do that makes it more secure??
It will only allow inbound connections that start with the firewall, just replies, no NEW (syn) connections; everything else going out is ok.

puccio
09-07-2002, 05:56 AM
Well, maybe I am a bit paranoid, but who isn't? :-)
What if I wanted to substitute this generic rule:
# allow dhcp on LAN
$IPT -A INPUT -i $INTIF -p udp --sport 67:68 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p udp --dport 67:68 -j ACCEPT

with something more strict? I mean, I want just incoming/outgoing traffic to specific services also on the LAN (DNS, my/other web servers), not only on the Internet. I tried removing it and putting something such as:
$IPT -A INPUT -i $INTIF -p udp --sport 67:68 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p udp --dport 67:68 -j ACCEPT

# allow DNS server->client
# variable NAMESERVER_1="10.0.0.3"
#$IPT -A INPUT -i $INTIF -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# allow DNS client->server
#$IPT -A OUTPUT -o $INTIF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

#allow gre to vpnserver
$IPT -A INPUT -i $INTIF -p 47 -s $PPTPSRV -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p 47 -d $PPTPSRV -j ACCEPT

But it doesn't work. Where am I wrong? Do I have to enable something from/to the gateway which is between the DNS and me, or something else? mmm
Thanks for the time you are spending here..

puccio
09-07-2002, 05:59 AM
Obviously when I pasted I forgot to uncomment these lines, it is:
# allow DNS server->client
# variable NAMESERVER_1="10.0.0.3" set at the beginning of the script
$IPT -A INPUT -i $INTIF -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT

# allow DNS client->server
$IPT -A OUTPUT -o $INTIF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Sorry..

jumpedintothefire
09-07-2002, 10:10 AM
you'd have to comment these out first:

#on the LAN Allow all connections OUT and only existing and related ones IN
$IPT -A INPUT -i $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $INTIF -j ACCEPT

Now you have to define each service you wish to use as a client, www, ftp, dns, smb, nfs. repeat your rule for each service changing the port and -s , pain in the *** IMHO, got the picture?? Either way you go, your box won't respond to NEW connections.

You're just restricting yourself. The dhcp rules should stay, could be made tighter....
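A complete version of the two-interface rule set discussed in this post and the earlier ones (1723/GRE to the VPN server over the LAN, DNS pinned to the LAN server, a LAN-only web server, replies only on ppp0), as an added example rather than the skeleton posted in the thread. The interface roles, $PPTPSRV, $NAMESERVER_1 and the 10.0.0.0/8 LAN are taken from the thread; the `rules`/`apply` structure is this example's own:

```shell
#!/bin/sh
# Two-interface firewall for this PPTP client setup. Added example, not the
# skeleton posted in the thread; interface roles and addresses are taken from it.
IPT=${IPT:-/sbin/iptables}
INTIF=eth0             # private campus LAN: protect from other hosts on it
EXTIF=ppp0             # public tunnel: protect from everybody
PPTPSRV=129.177.43.1   # VPN server: TCP 1723 control channel plus GRE (protocol 47)
NAMESERVER_1=10.0.0.3  # LAN DNS, still used because usepeerdns is not set
LAN=10.0.0.0/8

# Print the rule set, one iptables argument list per line.
rules() {
    echo "-F"
    echo "-P INPUT DROP"; echo "-P OUTPUT DROP"; echo "-P FORWARD DROP"
    echo "-A INPUT  -i lo -j ACCEPT"; echo "-A OUTPUT -o lo -j ACCEPT"
    # The tunnel rides over the private LAN, so 1723 and GRE are opened on $INTIF only.
    echo "-A OUTPUT -o $INTIF -d $PPTPSRV -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A INPUT  -i $INTIF -s $PPTPSRV -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -o $INTIF -d $PPTPSRV -p 47 -j ACCEPT"
    echo "-A INPUT  -i $INTIF -s $PPTPSRV -p 47 -j ACCEPT"
    # DHCP and DNS stay on the LAN; DNS is pinned to the one server instead of any UDP/53.
    echo "-A INPUT  -i $INTIF -p udp --sport 67:68 --dport 67:68 -j ACCEPT"
    echo "-A OUTPUT -o $INTIF -p udp --sport 67:68 --dport 67:68 -j ACCEPT"
    echo "-A OUTPUT -o $INTIF -d $NAMESERVER_1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A INPUT  -i $INTIF -s $NAMESERVER_1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT"
    # Web server for the LAN only: NEW connections to port 80 accepted from 10.0.0.0/8 on eth0.
    echo "-A INPUT  -i $INTIF -s $LAN -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -o $INTIF -d $LAN -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT"
    # Public side: whatever this box starts may go out, only replies come back in.
    echo "-A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT  -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check: how many INPUT rules on an interface admit a NEW connection?
new_in_rules() { rules | grep -c -- "^-A INPUT  -i $1 .*NEW" || true; }

# Load the rules (needs root): ./fw.sh apply
apply() { rules | while IFS= read -r r; do $IPT $r; done; }

if [ "${1:-}" = apply ]; then apply; fi
```

Running the script without arguments prints nothing; `new_in_rules ppp0` should stay at 0 after any edit, which is the property the earlier post describes as "no NEW (syn) connections" from the public side.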

puccio
09-07-2002, 11:27 AM
Yeah I know, I think I will keep it as it is now, it seems to be ok.
Thanks :-)