Networking Forums

Joshua Whalen

 
      12-07-2011, 04:53 PM
Hiya!

I'm Joshua, and I'm part of the Technology working group for #Occupy
Wall Street. I'm trying to get a VPN set up on one of our hosts, so that
we can bypass the diabolical ISP that our building insists we use who
blocks everything in creation. I'm running into a few problems.

I'm following this tutorial here:
http://poptop.sourceforge.net/dox/debian-howto.phtml
and also this one here:
http://www.initcron.org/sysadmin/how...rver-on-debian-50-lenny/

I've set everything up as recommended (the two tutorials seem almost
identical to me, and I'm hardly a virgin when it comes to networking),
and it kinda almost works. I'm trying to do a test login with my iphone,
and here's where I'm running into trouble. Here's the output from syslog:

Dec 7 12:48:10 occupyeverything pptpd[4658]: CTRL: Client 69.10.70.163
control connection started
Dec 7 12:48:10 occupyeverything pptpd[4658]: CTRL: Starting call
(launching pppd, opening GRE)
Dec 7 12:48:10 occupyeverything pppd[4660]: Plugin
/usr/lib/pptpd/pptpd-logwtmp.so loaded.
Dec 7 12:48:10 occupyeverything pppd[4660]: pptpd-logwtmp: $Version$
Dec 7 12:48:10 occupyeverything pppd[4660]: pppd options in effect:
Dec 7 12:48:10 occupyeverything pppd[4660]: debug#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: domain
occupyeverything.info#011#011# (from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: dump#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: plugin
/usr/lib/pptpd/pptpd-logwtmp.so#011#011# (from command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: require-mschap-v2#011#011#
(from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: refuse-pap#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: refuse-chap#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: refuse-mschap#011#011#
(from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: name pptpd#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: pptpd-original-ip
69.10.70.163#011#011# (from command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: 115200#011#011# (from
command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: lock#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: crtscts#011#011# (from
/etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: local#011#011# (from
command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: asyncmap 0#011#011# (from
/etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: lcp-echo-failure 4#011#011#
(from /etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: lcp-echo-interval
30#011#011# (from /etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: hide-password#011#011#
(from /etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: ipparam
69.10.70.163#011#011# (from command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: ms-dns xxx # [don't know
how to print value]#011#011# (from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: nodefaultroute#011#011#
(from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: proxyarp#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]:
192.168.0.1:192.168.0.234#011#011# (from command line)
Dec 7 12:48:10 occupyeverything pppd[4660]: nobsdcomp#011#011# (from
/etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: require-mppe-128#011#011#
(from /etc/ppp/pptpd-options)
Dec 7 12:48:10 occupyeverything pppd[4660]: noipx#011#011# (from
/etc/ppp/options)
Dec 7 12:48:10 occupyeverything pppd[4660]: pppd 2.4.5 started by root,
uid 0
Dec 7 12:48:10 occupyeverything pppd[4660]: using channel 5
Dec 7 12:48:10 occupyeverything pppd[4660]: Using interface ppp0
Dec 7 12:48:10 occupyeverything pppd[4660]: Connect: ppp0 <-->
/dev/pts/2
Dec 7 12:48:10 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:10 occupyeverything pptpd[4658]: GRE: Bad checksum from
pppd.
Dec 7 12:48:13 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:16 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:19 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:22 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:25 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:28 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:31 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:34 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:37 occupyeverything pppd[4660]: sent [LCP ConfReq id=0x1
<asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
Dec 7 12:48:40 occupyeverything pppd[4660]: LCP: timeout sending
Config-Requests
Dec 7 12:48:40 occupyeverything pppd[4660]: Connection terminated.
Dec 7 12:48:40 occupyeverything pppd[4660]: Modem hangup
Dec 7 12:48:40 occupyeverything pppd[4660]: Exit.
Dec 7 12:48:40 occupyeverything pptpd[4658]: GRE:
read(fd=6,buffer=610d20,len=8196) from PTY failed: status = -1 error =
Input/output error, usually caused by unexpected termination of pppd,
check option syntax and pppd logs
Dec 7 12:48:40 occupyeverything pptpd[4658]: CTRL: PTY read or GRE
write failed (pty,gre)=(6,7)
Dec 7 12:48:40 occupyeverything pptpd[4658]: CTRL: Reaping child
PPP[4660]
Dec 7 12:48:40 occupyeverything pptpd[4658]: CTRL: Client 69.10.70.163
control connection finished


Now, here's the iphone's side of the story:

Wed Dec 7 12:48:01 2011 : PPTP connecting to server '166.84.136.86'
(166.84.136.86)...
Wed Dec 7 12:48:01 2011 : PPTP connection established.
Wed Dec 7 12:48:02 2011 : Using interface ppp0
Wed Dec 7 12:48:02 2011 : Connect: ppp0 <--> socket[34:17]
Wed Dec 7 12:48:32 2011 : PPTP error when reading socket : EOF
Wed Dec 7 12:48:32 2011 : PPTP error when reading header : read -1,
expected 12 bytes
Wed Dec 7 12:48:32 2011 : PPTP hangup
Wed Dec 7 12:48:32 2011 : Connection terminated.
Wed Dec 7 12:48:32 2011 : PPTP disconnecting...
Wed Dec 7 12:48:32 2011 : PPTP disconnected


Any clues?

BTW, I'd be grateful for replies via email. I really should hang out in
this group, but #OWS has me swamped! So here's the address:
manhattangeek at geee mail dot com

Thanks in advance, all,

Joshua
 
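The syslog above carries the classic signature of a blocked GRE channel: the pptpd control connection (plain TCP to port 1723) is accepted, pppd then sends an LCP Configure-Request every three seconds, never logs a single "rcvd [LCP ...]" line, and gives up after ten tries with "LCP: timeout sending Config-Requests". PPTP carries the PPP frames inside GRE (IP protocol 47), so LCP never getting an answer while the TCP side works means GRE is being dropped in at least one direction. The analyser below is an added example, not part of poptop, pppd or the original post; SAMPLE_LOG is the posted excerpt with the "Dec 7 12:48:xx occupyeverything " prefix trimmed so it runs offline, and the regexes match the pppd/pptpd message formats shown in the post.

```python
import re
from dataclasses import dataclass

# Added example, not part of poptop/pppd or the original post.
# SAMPLE_LOG is copied from the syslog excerpt in the post with the
# "Dec 7 12:48:xx occupyeverything " prefix removed, so the analyser runs offline.
SAMPLE_LOG = """\
pptpd[4658]: CTRL: Client 69.10.70.163 control connection started
pptpd[4658]: CTRL: Starting call (launching pppd, opening GRE)
pppd[4660]: Using interface ppp0
pppd[4660]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
pptpd[4658]: GRE: Bad checksum from pppd.
pppd[4660]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
pppd[4660]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe417d252> <pcomp> <accomp>]
pppd[4660]: LCP: timeout sending Config-Requests
pppd[4660]: Connection terminated.
pptpd[4658]: CTRL: Client 69.10.70.163 control connection finished
"""

# What each pattern tells us about the two halves of PPTP:
#   CTRL lines -> the control channel, plain TCP to port 1723
#   LCP lines  -> PPP frames, which PPTP carries inside GRE (IP protocol 47)
CTRL_UP = re.compile(r"pptpd\[\d+\]: CTRL: Client \S+ control connection started")
LCP_SENT = re.compile(r"pppd\[\d+\]: sent \[LCP ")
LCP_RCVD = re.compile(r"pppd\[\d+\]: rcvd \[LCP ")
LCP_TIMEOUT = re.compile(r"pppd\[\d+\]: LCP: timeout sending Config-Requests")


@dataclass
class PptpDiagnosis:
    control_connected: bool  # TCP/1723 control connection was accepted
    lcp_sent: int            # LCP Configure-Requests pppd transmitted
    lcp_received: int        # LCP frames pppd received from the peer
    lcp_timeout: bool        # pppd gave up waiting for any LCP reply
    verdict: str


def diagnose_pptp(log_text: str) -> PptpDiagnosis:
    """Classify a pptpd/pppd syslog excerpt by which half of PPTP failed."""
    lines = log_text.splitlines()
    control = any(CTRL_UP.search(line) for line in lines)
    sent = sum(1 for line in lines if LCP_SENT.search(line))
    rcvd = sum(1 for line in lines if LCP_RCVD.search(line))
    timeout = any(LCP_TIMEOUT.search(line) for line in lines)

    if not control:
        verdict = "no control connection: TCP/1723 is blocked or pptpd is not listening"
    elif rcvd > 0:
        verdict = "LCP frames flow both ways; GRE is fine, look at auth/MPPE/routing instead"
    elif sent > 0 and timeout:
        verdict = ("control channel up but no LCP frame ever came back: "
                   "GRE (IP protocol 47) is dropped in at least one direction")
    else:
        verdict = "inconclusive: the excerpt is too short"
    return PptpDiagnosis(control, sent, rcvd, timeout, verdict)


if __name__ == "__main__":
    d = diagnose_pptp(SAMPLE_LOG)
    print(f"control={d.control_connected} sent={d.lcp_sent} "
          f"rcvd={d.lcp_received} timeout={d.lcp_timeout}")
    print(d.verdict)
```

To confirm the verdict rather than infer it from logs, run `tcpdump -ni <external-interface> ip proto 47` on the server while the iPhone connects: if no GRE arrives from the client address, the filtering is upstream and no pptpd or pppd option will change that, because GRE has no port number to move.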
David Brown

 
      12-07-2011, 06:26 PM
On 07/12/11 18:53, Joshua Whalen wrote:
> Hiya!
>
> I'm Joshua, and I'm part of the Technology working group for #Occupy
> Wall Street. I'm trying to get a VPN set up on one of our hosts, so that
> we can bypass the diabolical ISP that our building insists we use who
> blocks everything in creation. I'm running into a few problems.
>


Hi,

I've no experience with pptpd - it has always seemed like a poor and
old-fashioned sort of tool that is only used because Windows supports it
natively. It still may be the best tool for the job, but if you have
the option you should look at OpenVPN. It is easy to configure, runs on
just about anything, and can be made to run over any port if your ISP or
firewall is being a problem. Maybe you'll have more luck with it.

Regards,

David

 
Grant Edwards

 
      12-07-2011, 07:29 PM
On 2011-12-07, David Brown <(E-Mail Removed)> wrote:
> On 07/12/11 18:53, Joshua Whalen wrote:
>> Hiya!
>>
>> I'm Joshua, and I'm part of the Technology working group for #Occupy
>> Wall Street. I'm trying to get a VPN set up on one of our hosts, so that
>> we can bypass the diabolical ISP that our building insists we use who
>> blocks everything in creation. I'm running into a few problems.

>
> I've no experience with pptpd


I have.

> - it has always seemed like a poor and old-fashioned sort of tool


It is.

> that is only used because Windows supports it natively.


Bingo.

> It still may be the best tool for the job, but if you have
> the option you should look at OpenVPN. It is easy to configure, runs on
> just about anything, and can be made to run over any port if your ISP or
> firewall is being a problem. Maybe you'll have more luck with it.


Definitely go with OpenVPN if at all possible. The _only_ reason to
use pptp is that you have to talk to a Windows system run by an admin
too much under Microsoft's thumb to allow anything else. PPTP can be
made to work, but it's not easy -- it takes a lot of futzing and
trial-and-error (I always ended up having to rebuild the kernel).

For a trivial amount of money, you can get an account with a VPN
provider that will terminate OpenVPN connections on _any_ port that
your ISP will let you connect to (including 80, 443, etc.).

http://openvpn.net/

The vpn provider that I always used to use (vpnout) seems to be out of
business, but there are dozens of others.

--
Grant Edwards   grant.b.edwards at gmail.com   Yow! I feel ... JUGULAR ...
 
Joshua Whalen

 
      12-07-2011, 11:25 PM
WOW.

The amount of response and useful knowledge... awesome. I'm not used to
this low a signal to noise ratio in usenet. Thank you.

Here's the problem with openVPN (which I definitely will check into, it
sounds like it might solve the problem easiest of all, but...):

If you've been watching TV or reading the paper, I'm sure you've heard
that #OWS has a fancy office on lower broadway these days thanks to a
generous donor. HOWEVER, that's all we have. An office. With an evil
broadband provider who blocks almost everything. We have maybe 5
computers of our own, mostly macs, 1 windows box. We have hundreds of
people coming in and out of here every day, bringing their own machines.
Some run various linuxen, some OS X (anything from tiger to lion.
Haven't seen any system 7 yet, but don't doubt it might walk in the door
any second now...), and a lotta various windozen. Some people run
Win2000, others run 7, whatever I do, it has to take minimal config on
all of these, because I'm just one guy and I'm the only fulltime ( or
almost full time ) tech around here. That's actually why I chose pptp. I
knew it was old and clunky, but everything already has it installed. I
never know what is going to walk in the door and scream "WHY CAN'T I
ACCESS dreamhost.com?" Yes, believe it or not, they have dreamhost of
all the innocuous hosts in the universe, blocked. That's basically why
I'm setting it up, to give our people an easy way to route around the
blocks.

So... my error is GRE packets being blocked. What can I do about that?
Can I redirect to another port? How difficult?

I'm visiting the recommended links now as soon as I finish typing this.
Thanks again for all the help. It's nice to know that what I suspected
of the GRE error is...well, what I suspected.

Joshua
 
David Brown

 
      12-08-2011, 07:47 AM
On 08/12/2011 01:25, Joshua Whalen wrote:
> WOW.
>
> The amount of response and useful knowledge... awesome. I'm not used to
> this low a signal to noise ratio in usenet. Thank you.
>


That would be a /high/ signal-to-noise ratio :-)

> Here's the problem with openVPN (which I definitely will check into, it
> sounds like it might solve the problem easiest of all, but...):
>
> If you've been watching TV or reading the paper, I'm sure you've heard
> that #OWS has a fancy office on lower broadway these days thanks to a
> generous donor. HOWEVER, that's all we have. An office. With an evil
> broadband provider who blocks almost everything. We have maybe 5
> computers of our own, mostly macs, 1 windows box. We have hundreds of
> people coming in and out of here every day, bringing their own machines.
> Some run various linuxen, some OS X (anything from tiger to lion.
> Haven't seen any system 7 yet, but don't doubt it might walk in the door
> any second now...), and a lotta various windozen. Some people run
> WIn2000, others run 7, whatever I do, it has to take minimal config on
> all of these, because I'm just one guy and I'm the only fulltime ( or
> almost full time ) tech around here. That's actually why I chose pptp. I
> knew it was old and clunky, but everything already has it installed. I
> never know what is going to walk in the door and scream "WHY CAN'T I
> ACCESS dreamhost.com?" Yes, believe it or not, they have dreamhost of
> all the innocuous hosts in the universe, blocked. That's basically why
> I'm setting it up, to give our people an easy way to route around the
> blocks.
>


I am not sure where you want the other end of your VPN tunnel - it has
to go somewhere.

But assuming you want to let people at the office access something else
through the VPN tunnel, your easiest method is to set up one Linux box
(or BSD - pfSense might be an easy option for you) as a router so that
everyone's traffic passes through that box and out. Don't try to get
individual machines on their own tunnels.

Anyway, you shouldn't be letting people with Macs connect directly to
broadband - and certainly not people with Windows (or people with Linux,
if they don't know what they are doing) - especially in your case, you
should assume the broadband connection is full of evil hackers and
worms. You should always have your own firewall/router device between
your vulnerable users and the outside internet. And that is the ideal
place to put your VPN tunnel (assuming everyone should have access to it).

As for the blocking, check first that they are not just using DNS to
re-direct or hide the hosts. If that's the case, then on your
firewall/router you want a local DNS server, and use something like
OpenDNS for the upstream server.

> So... my error is GRE packets being blocked. What can I do about that?
> Can I redirect to another port? How difficult?
>


GRE packets don't have ports - it's a protocol on the same level as UDP,
TCP/IP, ICMP, etc. Only protocols on top of UDP and TCP/IP have ports.

One of the nice things with OpenVPN is that it uses UDP (or TCP/IP, if
it has to - but with higher latency) and so you can easily change the
port if you want.

> I'm visiting the recommended links now as soon as I finish typing this.
> Thanks again for all the help. It's nice to know that what I suspected
> of the GRE error is...well, what I suspected.
>
> Joshua


 
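David's first step, checking whether the "blocking" is really the ISP resolver lying, can be done with a short script. The one below is an added example, not David's code or anything from the thread: it builds an A-record query by hand (standard library only), asks a resolver over UDP/53, and compares the ISP resolver's answer with an independent one. `make_response()` and the 192.0.2.x addresses are constructed so the demo runs offline; in live use you would pass the ISP's resolver address (from /etc/resolv.conf or the DHCP lease) and a public resolver to `resolve_a()`.

```python
from __future__ import annotations

import random
import socket
import struct

# Added example, not from the original thread or any project: compare what the ISP's
# resolver and an independent resolver return for the same name. The 192.0.2.x
# addresses and make_response() are constructed for offline demonstration.


def build_query(name: str, qid: int) -> bytes:
    """Wire-format query for an A record with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_id: int) -> tuple[int, list[str]]:
    """Return (RCODE, list of A records) from a response, checking the query ID."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match the query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs: list[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def resolve_a(name: str, resolver_ip: str, timeout: float = 3.0) -> tuple[int, list[str]]:
    """Query one resolver over UDP/53 (needs network access; not used by the demo)."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def classify(isp: tuple[int, list[str]], upstream: tuple[int, list[str]]) -> str:
    """Decide whether the ISP resolver's answer differs from the independent one."""
    isp_rcode, isp_addrs = isp
    up_rcode, up_addrs = upstream
    if up_rcode != 0 or not up_addrs:
        return "name does not resolve upstream either: not an ISP block"
    if isp_rcode == 3:
        return "ISP resolver says NXDOMAIN for a name that exists: DNS-level block"
    if isp_rcode != 0:
        return f"ISP resolver failed with RCODE {isp_rcode} while upstream answered"
    if not isp_addrs:
        return "ISP resolver returned NOERROR with no A records: DNS-level block"
    if set(isp_addrs) & set(up_addrs):
        return "answers agree: blocking, if any, happens at the packet level"
    return "ISP resolver returns different addresses: DNS redirection"


def make_response(query: bytes, rcode: int, addrs: list[str]) -> bytes:
    """Constructed reply to `query` (QR, RD, RA set), used only for the offline demo."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + query[12:] + answers


if __name__ == "__main__":
    # Offline demo with constructed answers for the name mentioned in the thread.
    q = build_query("dreamhost.com", 0x1234)
    upstream = parse_a_records(make_response(q, 0, ["192.0.2.10"]), 0x1234)
    isp = parse_a_records(make_response(q, 3, []), 0x1234)
    print(classify(isp, upstream))
    # Live: classify(resolve_a(name, "<isp resolver>"), resolve_a(name, "<public resolver>"))
```

Two caveats when reading the result: names fronted by a CDN legitimately return different addresses from different resolvers, so "DNS redirection" is a lead to verify (check who owns the returned address) rather than proof; and when the answers agree, this test says nothing about whether the ISP also filters packets to that address, which is the case a VPN on a port the ISP allows is meant to get around.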
Grant Edwards

 
      12-08-2011, 01:53 PM
On 2011-12-08, David Brown <(E-Mail Removed)> wrote:

> I am not sure where you want the other end of your VPN tunnel - it has
> to go somewhere.




> But assuming you want to let people at the office access something else
> through the VPN tunnel, your easiest method is to set up one Linux box
> (or BSD - pfSense might be an easy option for you) as a router so that
> everyone's traffic passes through that box and out. Don't try to get
> individual machines on their own tunnels.


Even a $50 Buffalo WAP running OpenWRT would work fine as a router for
a small office. OpenWRT supports both PPTP and OpenVPN.

> Anyway, you shouldn't be letting people with Macs connect directly to
> broadband - and certainly not people with Windows (or people with
> Linux, if they don't know what they are doing) - especially in your
> case, you should assume the broadband connection is full of evil
> hackers and worms. You should always have your own firewall/router
> device between your vulnerable users and the outside internet. And
> that is the ideal place to put your VPN tunnel (assuming everyone
> should have access to it).


I can't agree strongly enough.

> As for the blocking, check first that they are not just using DNS to
> re-direct or hide the hosts. If that's the case, then on your
> firewall/router you want a local DNS server, and use something like
> OpenDNS for the upstream server.
>
>> So... my error is GRE packets being blocked. What can I do about
>> that? Can I redirect to another port? How difficult?

>
> GRE packets don't have ports - it's a protocol on the same level as
> UDP, TCP/IP, ICMP, etc. Only protocols on top of UDP and TCP/IP have
> ports.
>
> One of the nice things with OpenVPN is that it uses UDP (or TCP/IP,
> if it has to - but with higher latency) and so you can easily change
> the port if you want.
>
>> I'm visiting the recommended links now as soon as I finish typing
>> this. Thanks again for all the help. It's nice to know that what I
>> suspected of the GRE error is...well, what I suspected.


Whatever you do, do it it in _one_ place on a dedicated box (either a
WAP with OpenVPN, or a dedicated router/firewall box running Linux or
BSD). Trying to configure a random collection of different machines
to all use VPNs is going to be hell...

--
Grant Edwards   grant.b.edwards at gmail.com   Yow! This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
 
David Brown

 
      12-08-2011, 03:19 PM
On 08/12/11 15:53, Grant Edwards wrote:
> On 2011-12-08, David Brown<(E-Mail Removed)> wrote:
>
>> I am not sure where you want the other end of your VPN tunnel - it has
>> to go somewhere.

>
>
>
>> But assuming you want to let people at the office access something else
>> through the VPN tunnel, your easiest method is to set up one Linux box
>> (or BSD - pfSense might be an easy option for you) as a router so that
>> everyone's traffic passes through that box and out. Don't try to get
>> individual machines on their own tunnels.

>
> Even a $50 Buffalo WAP running OpenWRT would work fine as a router for
> a small office. OpenWRT supports both PPTP and OpenVPN.
>


I use LinkSys WRT54GL routers with OpenWRT for OpenVPN gateways.
OpenWRT is a good system, but if the OP is not used to it, it might be
difficult to get it installed and configured. It is definitely worth
checking the website and being sure you buy hardware that is fully
compatible - otherwise you can waste a lot of time getting it up and
running.

If you can find an old PC with two network cards, it's probably easiest
to use that for a Linux router (or pfSense). Bigger, noisier, more
power, less elegant - but easier and faster to get working.

 
Pascal Hambourg

 
      12-08-2011, 04:25 PM
Hello,

Grant Edwards wrote:
>
> Definitely go with OpenVPN if at all possible. The _only_ reason to
> use pptp is that you have to talk to a Windows system run by an admin
> too much under Microsoft's thumb to allow anything else.


It is not the only reason. Once I needed to set up a *real* point to
point (no subnet, just individual addresses) tunnel with a Windows host
in order not to waste my precious public IPv4 addresses, and at that
time the TUN/TAP driver for Windows used by OpenVPN did not allow this.
PPTP and poptop did the job. Things may have changed though.
 
Pascal Hambourg

 
      12-08-2011, 04:36 PM
David Brown wrote:
>
> GRE packets don't have ports - it's a protocol on the same level as UDP,
> TCP/IP, ICMP, etc. Only protocols on top of UDP and TCP/IP have ports.


Not only. Other transport protocols such as SCTP and DCCP also have
ports. Granted, they are much less well known than TCP and UDP.