javiercito1987
asked on
Establishing VPN connection using a CentOS Server to access files
Hello,
First of all I apologize for my english, sorry, I live in Spain and I haven't enough time to practice.
The matter is that I'm trying to establish a VPN connection between a CentOS dedicated server (GoDaddy, cPanel) as a way to share files (maybe using NFS) with a local network where all the workstations run with CentOS as well.
I've been searching and I've found that I could address the problem using either IPSec or OpenVPN. I understand the second choice a bit better, but maybe the right one will be IPSec because I already have hardware that could serve as gateway in our local network (RV042 Linksys VPN Router). I think that, if I use OpenVPN, I've to rely everything in software, is it right?
In the server, for the moment, I have only one IP address, but I'll not have problems getting one more. I also have the "tun" virtual device. In the local network I've one server (CentOS again) used as firewall and, obviously, the router to access internet.
The IP of the server is a public one (not 192.168...), I guess I'd have to create another subnet (private IPs?) and start NFS/NIS on this one, but I'm really confused about all the options.
Could you please recommend me the easiest way to do such a thing?
Thanks very much.
First of all I apologize for my english, sorry, I live in Spain and I haven't enough time to practice.
The matter is that I'm trying to establish a VPN connection between a CentOS dedicated server (GoDaddy, cPanel) as a way to share files (maybe using NFS) with a local network where all the workstations run with CentOS as well.
I've been searching and I've found that I could address the problem using either IPSec or OpenVPN. I understand the second choice a bit better, but maybe the right one will be IPSec because I already have hardware that could serve as gateway in our local network (RV042 Linksys VPN Router). I think that, if I use OpenVPN, I've to rely everything in software, is it right?
In the server, for the moment, I have only one IP address, but I'll not have problems getting one more. I also have the "tun" virtual device. In the local network I've one server (CentOS again) used as firewall and, obviously, the router to access internet.
The IP of the server is a public one (not 192.168...), I guess I'd have to create another subnet (private IPs?) and start NFS/NIS on this one, but I'm really confused about all the options.
Could you please recommend me the easiest way to do such a thing?
Thanks very much.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
jackiechen858
Sorry I mean setup RV042 with a static internet ip address or with a dynamic DNS.
ASKER
Thanks very much, now I'm able to establish the VPN connection, I'm able to ping the server (192.168.1.100) but I think I cannot pass normal packets through it. When I try, for example, to use SAMBA I obtain this error:
read_data: read failure for 4 bytes to client 192.168.1.77. Error = Connection reset by peer
I also have some kind of warning in my logs when a client connects:
Cannot determine ethernet address for proxy ARP
I think I've to add some route rule, but I still need some help... this is a sample of tcpdump output (I've faked the IPs):
12:53:13.233289 IP 249.218.202.82.dynamic.jaz
12:53:13.235236 IP 249.218.202.82.dynamic.jaz
12:53:13.235247 IP ip-99-137-3-161.ip.secures
12:53:13.235336 IP 249.218.202.82.dynamic.jaz
12:53:13.235346 IP ip-99-137-3-161.ip.secures
12:53:13.236935 IP 249.218.202.82.dynamic.jaz
12:53:13.236946 IP ip-99-137-3-161.ip.secures
12:53:13.237069 IP 249.218.202.82.dynamic.jaz
12:53:13.239185 IP 249.218.202.82.dynamic.jaz
12:53:13.239193 IP 249.218.202.82.dynamic.jaz
12:53:13.240878 IP 249.218.202.82.dynamic.jaz
12:53:13.240886 IP 249.218.202.82.dynamic.jaz
12:53:13.240912 IP 249.218.202.82.dynamic.jaz
12:53:13.244556 IP 249.218.202.82.dynamic.jaz
12:53:13.248262 IP 249.218.202.82.dynamic.jaz
12:53:13.250221 IP 249.218.202.82.dynamic.jaz
12:53:13.250240 IP 249.218.202.82.dynamic.jaz
12:53:13.252008 IP 249.218.202.82.dynamic.jaz
12:53:13.252016 IP 249.218.202.82.dynamic.jaz
12:53:13.253970 IP 249.218.202.82.dynamic.jaz
12:53:13.253978 IP 249.218.202.82.dynamic.jaz
12:53:13.255910 IP 249.218.202.82.dynamic.jaz
12:53:13.257867 IP 249.218.202.82.dynamic.jaz
12:53:13.257875 IP 249.218.202.82.dynamic.jaz
12:53:13.330453 IP ip-99-137-3-251.ip.secures
12:53:13.347682 IP 249.218.202.82.dynamic.jaz
12:53:13.349311 IP 249.218.202.82.dynamic.jaz
12:53:13.349319 IP 249.218.202.82.dynamic.jaz
12:53:13.351313 IP 249.218.202.82.dynamic.jaz
12:53:13.353014 IP 249.218.202.82.dynamic.jaz
12:53:13.353084 IP ip-99-137-3-161.ip.secures
12:53:13.353336 IP ip-99-137-3-161.ip.secures
12:53:13.364911 IP ip-99-137-3-252.ip.secures
12:53:13.400063 IP 249.218.202.82.dynamic.jaz
12:53:13.400076 IP ip-99-137-3-161.ip.secures
12:53:13.400081 IP ip-99-137-3-161.ip.secures
12:53:13.400085 IP ip-99-137-3-161.ip.secures
12:53:13.407713 IP ip-99-137-3-251.ip.secures
12:53:13.415102 IP 249.218.202.82.dynamic.jaz
12:53:13.415114 IP ip-99-137-3-161.ip.secures
12:53:13.415181 IP ip-99-137-3-161.ip.secures
12:53:13.415224 IP ip-99-137-3-161.ip.secures
12:53:13.418728 IP 249.218.202.82.dynamic.jaz
read_data: read failure for 4 bytes to client 192.168.1.77. Error = Connection reset by peer
I also have some kind of warning in my logs when a client connects:
Cannot determine ethernet address for proxy ARP
I think I've to add some route rule, but I still need some help... this is a sample of tcpdump output (I've faked the IPs):
12:53:13.233289 IP 249.218.202.82.dynamic.jaz
12:53:13.235236 IP 249.218.202.82.dynamic.jaz
12:53:13.235247 IP ip-99-137-3-161.ip.secures
12:53:13.235336 IP 249.218.202.82.dynamic.jaz
12:53:13.235346 IP ip-99-137-3-161.ip.secures
12:53:13.236935 IP 249.218.202.82.dynamic.jaz
12:53:13.236946 IP ip-99-137-3-161.ip.secures
12:53:13.237069 IP 249.218.202.82.dynamic.jaz
12:53:13.239185 IP 249.218.202.82.dynamic.jaz
12:53:13.239193 IP 249.218.202.82.dynamic.jaz
12:53:13.240878 IP 249.218.202.82.dynamic.jaz
12:53:13.240886 IP 249.218.202.82.dynamic.jaz
12:53:13.240912 IP 249.218.202.82.dynamic.jaz
12:53:13.244556 IP 249.218.202.82.dynamic.jaz
12:53:13.248262 IP 249.218.202.82.dynamic.jaz
12:53:13.250221 IP 249.218.202.82.dynamic.jaz
12:53:13.250240 IP 249.218.202.82.dynamic.jaz
12:53:13.252008 IP 249.218.202.82.dynamic.jaz
12:53:13.252016 IP 249.218.202.82.dynamic.jaz
12:53:13.253970 IP 249.218.202.82.dynamic.jaz
12:53:13.253978 IP 249.218.202.82.dynamic.jaz
12:53:13.255910 IP 249.218.202.82.dynamic.jaz
12:53:13.257867 IP 249.218.202.82.dynamic.jaz
12:53:13.257875 IP 249.218.202.82.dynamic.jaz
12:53:13.330453 IP ip-99-137-3-251.ip.secures
12:53:13.347682 IP 249.218.202.82.dynamic.jaz
12:53:13.349311 IP 249.218.202.82.dynamic.jaz
12:53:13.349319 IP 249.218.202.82.dynamic.jaz
12:53:13.351313 IP 249.218.202.82.dynamic.jaz
12:53:13.353014 IP 249.218.202.82.dynamic.jaz
12:53:13.353084 IP ip-99-137-3-161.ip.secures
12:53:13.353336 IP ip-99-137-3-161.ip.secures
12:53:13.364911 IP ip-99-137-3-252.ip.secures
12:53:13.400063 IP 249.218.202.82.dynamic.jaz
12:53:13.400076 IP ip-99-137-3-161.ip.secures
12:53:13.400081 IP ip-99-137-3-161.ip.secures
12:53:13.400085 IP ip-99-137-3-161.ip.secures
12:53:13.407713 IP ip-99-137-3-251.ip.secures
12:53:13.415102 IP 249.218.202.82.dynamic.jaz
12:53:13.415114 IP ip-99-137-3-161.ip.secures
12:53:13.415181 IP ip-99-137-3-161.ip.secures
12:53:13.415224 IP ip-99-137-3-161.ip.secures
12:53:13.418728 IP 249.218.202.82.dynamic.jaz
ASKER
Sorry I forgot to say I've tried many things, adding LVM and NTLM to Windows secure settings, changing the MTU to 9000 (both in eth0 and ppp0), triple checked that ip forwarding is enabled, completely stop firewalls...
First, could you explain how the VPN connection is setup? who' is the VPN server?
If you use RV042 as VPN server, Centos as VPN client, once the connection is setup, on centos side, if you run "ifconfig", you should see a new interface like ppp0
When you do tcpdump, you should run it on interface ppp0.
If you use RV042 as VPN server, Centos as VPN client, once the connection is setup, on centos side, if you run "ifconfig", you should see a new interface like ppp0
When you do tcpdump, you should run it on interface ppp0.
ASKER
Sorry, I forgot the most important thing...
I've configured the dedicated server as pptpd server, it seems that everything is ok, ppp0 is up, the server accepts connections, asigns IP addresses...
I'm trying to connect to it using Windows 7 (its own client), I succesfully login, I have an IP, etc. The problem is that the only thing I can do to the server's IP (the private one on ppp0) is pinging it. It doesn't accept ssh, ftp, http, netbios... anything else that ping.
I've passed the whole day trying different things, on the client, on the server... I think that it's a problem with "the simulated" ethernet addresses, it complaints of the proxyARP problem, and, practically, one is invisible to the other, but I'm not able to find out the solution...
I've configured the dedicated server as pptpd server, it seems that everything is ok, ppp0 is up, the server accepts connections, asigns IP addresses...
I'm trying to connect to it using Windows 7 (its own client), I succesfully login, I have an IP, etc. The problem is that the only thing I can do to the server's IP (the private one on ppp0) is pinging it. It doesn't accept ssh, ftp, http, netbios... anything else that ping.
I've passed the whole day trying different things, on the client, on the server... I think that it's a problem with "the simulated" ethernet addresses, it complaints of the proxyARP problem, and, practically, one is invisible to the other, but I'm not able to find out the solution...
ASKER
some extra information of the server (CentOS 5.5)
var/log/messages
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp: $Version$ // ip-XX-XX-XX-XX Server's Host Name
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pppd 2.4.4 started by root, uid 0
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Connect: ppp0 <--> /dev/pts/1
May 4 16:16:08 ip-XX-XX-XX-XX pptpd[4411]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May 4 16:16:11 ip-XX-XX-XX-XX pppd[4412]: MPPE 128-bit stateless compression enabled
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local IP address 192.168.2.101
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address 192.168.2.10
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp.so ip-up ppp0 myuser 80.21.21.219 // client external IP
ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:20:10:20:20
inet addr:xx.xx.xx.xx Bcast:xx.xx.xx.255 Mask:255.255.255.0 // xx.xx.xx.xx external IP of the server
inet6 addr: fe1a::110:1caf:fad4:2e1c/6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16892 errors:0 dropped:0 overruns:0 frame:0
TX packets:23003 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1327742 (1.2 MiB) TX bytes:28781526 (27.4 MiB)
Interrupt:185
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:634 errors:0 dropped:0 overruns:0 frame:0
TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:90278 (88.1 KiB) TX bytes:90278 (88.1 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.2.101 P-t-P:192.168.2.10 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:208 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:17323 (16.9 KiB) TX bytes:7796 (7.6 KiB)
sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_f
net.ipv4.conf.default.acce
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.10 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
xx.xx.xx .0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 // xx.xx.xx external IP of the server
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 xx.xx.xx.254 0.0.0.0 UG 0 0 0 eth0
I've tried using manually arp rules like:
arp --use-device --set 192.168.2.10 eth0 pub
arp --set 192.168.2.101 00:10:10:40:20:20 pub // faked real MAC
None of these seem to work, if I try to add a route for 192.168.2.101 (server IP on ppp0) I receive a beautiful:
SIOCADDRT network unreachable ppp0
Another thing, maybe very important, is that the client is under NAT, and this router seems very basic, I've redirected port 1723, and GRE, for some reason, looks like it's working even if I don't have advanced settings to enable it in some way on the client's router.
If I had a direct connection, I could try to put the Linksys between internet and the router, to have all the packets "virgin", and try to login with it, or plug the computer directly to internet (like a modem) but I can't.
ipconfig on windows
PPP connection VPN adapter:
DNS Sufix.... : (nothing)
IPv4 address: 192.168.2.10
netmask: 255.255.255.255
default gateway: (nothing)
Maybe the lack of default gateway could be part of the problem? I've had to uncheck the option "use the default gateway on the remote network" on TCP/IP advanced options, because it'll make me to drop internet.
I've tried also to use different MTUs, 1500, 2000, 6000, 9000... no luck...
var/log/messages
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp: $Version$ // ip-XX-XX-XX-XX Server's Host Name
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pppd 2.4.4 started by root, uid 0
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
May 4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Connect: ppp0 <--> /dev/pts/1
May 4 16:16:08 ip-XX-XX-XX-XX pptpd[4411]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May 4 16:16:11 ip-XX-XX-XX-XX pppd[4412]: MPPE 128-bit stateless compression enabled
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local IP address 192.168.2.101
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address 192.168.2.10
May 4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp.so ip-up ppp0 myuser 80.21.21.219 // client external IP
ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:20:10:20:20
inet addr:xx.xx.xx.xx Bcast:xx.xx.xx.255 Mask:255.255.255.0 // xx.xx.xx.xx external IP of the server
inet6 addr: fe1a::110:1caf:fad4:2e1c/6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16892 errors:0 dropped:0 overruns:0 frame:0
TX packets:23003 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1327742 (1.2 MiB) TX bytes:28781526 (27.4 MiB)
Interrupt:185
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:634 errors:0 dropped:0 overruns:0 frame:0
TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:90278 (88.1 KiB) TX bytes:90278 (88.1 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.2.101 P-t-P:192.168.2.10 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:208 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:17323 (16.9 KiB) TX bytes:7796 (7.6 KiB)
sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_f
net.ipv4.conf.default.acce
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.10 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
xx.xx.xx .0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 // xx.xx.xx external IP of the server
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 xx.xx.xx.254 0.0.0.0 UG 0 0 0 eth0
I've tried using manually arp rules like:
arp --use-device --set 192.168.2.10 eth0 pub
arp --set 192.168.2.101 00:10:10:40:20:20 pub // faked real MAC
None of these seem to work, if I try to add a route for 192.168.2.101 (server IP on ppp0) I receive a beautiful:
SIOCADDRT network unreachable ppp0
Another thing, maybe very important, is that the client is under NAT, and this router seems very basic, I've redirected port 1723, and GRE, for some reason, looks like it's working even if I don't have advanced settings to enable it in some way on the client's router.
If I had a direct connection, I could try to put the Linksys between internet and the router, to have all the packets "virgin", and try to login with it, or plug the computer directly to internet (like a modem) but I can't.
ipconfig on windows
PPP connection VPN adapter:
DNS Sufix.... : (nothing)
IPv4 address: 192.168.2.10
netmask: 255.255.255.255
default gateway: (nothing)
Maybe the lack of default gateway could be part of the problem? I've had to uncheck the option "use the default gateway on the remote network" on TCP/IP advanced options, because it'll make me to drop internet.
I've tried also to use different MTUs, 1500, 2000, 6000, 9000... no luck...
ASKER
Another thing, sorry for the epic fail tcpdump :D I'm very tired.
I add 3 files with tcpdumps on ppp0 (full verbose), one of them pinging 192.168.2.101 (the server), another one trying to mount a SAMBA share and one making various things, accessing the IP with Firefox, trying to start a SSH session...
I've observed that connections don't fail and exit, they enter in a loop but nothing happens. rarely the connection fail and I have, for example, the already mentioned:
read_data: read failure for 4 bytes to client 192.168.2.77. Error = Connection reset by peer
tcpdump-using-samba.txt
tcpdump-pinging-ppp0.txt
tcpdump-various-ppp0.txt
I add 3 files with tcpdumps on ppp0 (full verbose), one of them pinging 192.168.2.101 (the server), another one trying to mount a SAMBA share and one making various things, accessing the IP with Firefox, trying to start a SSH session...
I've observed that connections don't fail and exit, they enter in a loop but nothing happens. rarely the connection fail and I have, for example, the already mentioned:
read_data: read failure for 4 bytes to client 192.168.2.77. Error = Connection reset by peer
tcpdump-using-samba.txt
tcpdump-pinging-ppp0.txt
tcpdump-various-ppp0.txt
I guess you modified the pppd.conf as
localip 192.168.2.101
remoteip 192.168.2.10-20
so 192.168.2.101 is the centos ip, the windows VPN client got 192.168.2.10 ip.
if you can ping 192.168.2.101 from windows machine, VPN is working, do not setup ARP, no default gateway is needed.
I guess you have a firewall on Centos to refuse access, like iptable, run "iptables -L", what's the result?
localip 192.168.2.101
remoteip 192.168.2.10-20
so 192.168.2.101 is the centos ip, the windows VPN client got 192.168.2.10 ip.
if you can ping 192.168.2.101 from windows machine, VPN is working, do not setup ARP, no default gateway is needed.
I guess you have a firewall on Centos to refuse access, like iptable, run "iptables -L", what's the result?
ASKER
Solved! the problem was the router at the client side, I've changed it to a more advanced one and it's done, all packets are being routed properly.
I still have a problem to deal with, the poor performance of SAMBA shares through internet (Word or OpenOffice hangs 5-6 seconds for a 56Kb file) but that's another problem.
I'd like to know why the old router isn't working properly...
Thanks very much!
I still have a problem to deal with, the poor performance of SAMBA shares through internet (Word or OpenOffice hangs 5-6 seconds for a 56Kb file) but that's another problem.
I'd like to know why the old router isn't working properly...
Thanks very much!