Routing for VPN with PPTP

I've had a maddening few hours trying to get my home Debian box
connected to my employer's VPN... I've gone through hundreds of
instruction lists that Google turned up, but not one of them seems to
have the precise incantation required.

Here is my normal pre-VPN routing table:

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

Here 192.168.1.1 is my router, and other addresses 192.168.1.* are
machines on my home LAN.

I now run PPTP to connect to the VPN server 9.10.11.12, authentication
works fine, and:

1) ifconfig ppp0 gives the line
inet addr:1.2.3.4 P-t-P:5.6.7.8 Mask:255.255.255.255

Both addresses in this line are clearly dynamically assigned to this VPN
connection by the server.

2) route -n now shows

Destination Gateway Genmask Flags Metric Ref Use Iface
5.6.7.8 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

What I want is to tunnel everything through the VPN connection apart
from LAN traffic. What I'd like to know is: what should the routing
table look like for that? All these damn guides on the internet give a
list of a few combinations of "route add" and "route del" commands, but
none of them think to show the routing table you're meant to end up
with!

Next question will be: what about nameservers? Do I need to add my home
ISP nameservers to the routing table?

Thanks in advance.

>>>>> "Sword" == Sword Spider <(E-Mail Removed)> writes:

> I've had a maddening few hours trying to get my home Debian box
> connected to my employer's VPN... I've gone through hundreds of
> instruction lists that Google turned up, but not one of them seems to
> have the precise incantation required.

> Here is my normal pre-VPN routing table:

> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

> Here 192.168.1.1 is my router, and other addresses 192.168.1.* are
> machines on my home LAN.

> I now run PPTP to connect to the VPN server 9.10.11.12, authentication
> works fine, and:

> 1) ifconfig ppp0 gives the line
> inet addr:1.2.3.4 P-t-P:5.6.7.8 Mask:255.255.255.255

> Both addresses in this line are clearly dynamically assigned to this VPN
> connection by the server.

> 2) route -n now shows

> Destination Gateway Genmask Flags Metric Ref Use Iface
> 5.6.7.8 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

> What I want is to tunnel everything through the VPN connection apart
> from LAN traffic. What I'd like to know is: what should the routing
> table look like for that? All these damn guides on the internet give a
> list of a few combinations of "route add" and "route del" commands, but
> none of them think to show the routing table you're meant to end up
> with!

T
he routing I use amounts to using a table along the lines of:

> Destination Gateway Genmask Flags Metric Ref Use Iface
> 5.6.7.8 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
> default * 0.0.0.0 U 0 0 0 ppp0

The first line tries to make sure that the PPTP packets are sent via your
router rather than trying to send them through the VPN connection
(otherwise you get an infinite recursion).

A similar setup seems to work here for me, but I'm no expert.

> Next question will be: what about nameservers? Do I need to add my home
> ISP nameservers to the routing table?

I don't know because my own setup only routes some address through the VPN
so I still contact most hosts directly. But I guess you have the following
choices:
1 - add a routing rule such as

<myisp'snameserver> 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0

2 - change your resolv.conf file so as to use your employer's nameservers
via the VPN.

3 - use your router as your nameserver. Most routers can do that.

Most likely you're already doing number 3 so it should just work.


Stefan

On Thu, 14 Jun 2007 10:05:29 +0200 (CEST), Sword Spider
<(E-Mail Removed)> wrote:
>
>
> I've had a maddening few hours trying to get my home Debian box
> connected to my employer's VPN... I've gone through hundreds of
> instruction lists that Google turned up, but not one of them seems to
> have the precise incantation required.
>
> Here is my normal pre-VPN routing table:
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
>
> Here 192.168.1.1 is my router, and other addresses 192.168.1.* are
> machines on my home LAN.
>
> I now run PPTP to connect to the VPN server 9.10.11.12, authentication
> works fine, and:
>
> 1) ifconfig ppp0 gives the line
> inet addr:1.2.3.4 P-t-P:5.6.7.8 Mask:255.255.255.255
>
> Both addresses in this line are clearly dynamically assigned to this VPN
> connection by the server.
>
> 2) route -n now shows
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 5.6.7.8 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
>
> What I want is to tunnel everything through the VPN connection apart
> from LAN traffic. What I'd like to know is: what should the routing
> table look like for that? All these damn guides on the internet give a
> list of a few combinations of "route add" and "route del" commands, but
> none of them think to show the routing table you're meant to end up
> with!
>
Remove the default gateway on 192.168.1.1 and set 5.6.7.8 as the default
gateway.

> Next question will be: what about nameservers? Do I need to add my home
> ISP nameservers to the routing table?
>
Your nameservers should be in /etc/resolv.conf. When the VPN connection
is up, you might want to add your employer's or their ISP's nameservers.

> Thanks in advance.
>


--
People are unconditionally guaranteed to be full of defects.