Establishing VPN connection using a CentOS Server to access files


First of all, I apologize for my English; sorry, I live in Spain and I don't have enough time to practice.

The matter is that I'm trying to establish a VPN connection between a CentOS dedicated server (GoDaddy, cPanel) and a local network where all the workstations run CentOS as well, as a way to share files (maybe using NFS).

I've been searching and I've found that I could address the problem using either IPSec or OpenVPN. I understand the second choice a bit better, but maybe the right one will be IPSec because I already have hardware that could serve as gateway in our local network (RV042 Linksys VPN Router). I think that, if I use OpenVPN, I have to rely entirely on software, is that right?

In the server, for the moment, I have only one IP address, but I won't have problems getting one more. I also have the "tun" virtual device. In the local network I have one server (CentOS again) used as firewall and, obviously, the router to access the internet.

The IP of the server is a public one (not 192.168...), I guess I'd have to create another subnet (private IPs?) and start NFS/NIS on this one, but I'm really confused about all the options.

Could you please recommend the easiest way to do such a thing?

Thanks very much.
jackiechen858 Commented:
I suggest you try to install a PPTP VPN server on CentOS:

Based on my limited VPN server configuration experience, PPTP VPN is easier to set up. I configured a Linksys RV042 before and I know it supports PPTP VPN.

If you can have a static IP address of a dynamic DNS setup on your local network (RV042), you can also configure the RV042 as a PPTP VPN server, and configure CentOS as a VPN client (this is very easy).

Sorry, I mean set up the RV042 with a static internet IP address or with a dynamic DNS.

javiercito1987Author Commented:
Thanks very much, now I'm able to establish the VPN connection. I'm able to ping the server, but I think I cannot pass normal packets through it. When I try, for example, to use SAMBA I obtain this error:

read_data: read failure for 4 bytes to client Error = Connection reset by peer

I also have some kind of warning in my logs when a client connects:

Cannot determine ethernet address for proxy ARP

I think I have to add some route rule, but I still need some help... this is a sample of tcpdump output (I've faked the IPs):


javiercito1987Author Commented:
Sorry, I forgot to say I've tried many things: adding LVM and NTLM to Windows secure settings, changing the MTU to 9000 (both in eth0 and ppp0), triple checked that IP forwarding is enabled, completely stopped firewalls...

First, could you explain how the VPN connection is set up? Who is the VPN server?

If you use the RV042 as VPN server and CentOS as VPN client, once the connection is set up, on the CentOS side, if you run "ifconfig", you should see a new interface like ppp0.

When you do tcpdump, you should run it on interface ppp0.

javiercito1987Author Commented:
Sorry, I forgot the most important thing...

I've configured the dedicated server as pptpd server, it seems that everything is ok, ppp0 is up, the server accepts connections, assigns IP addresses...

I'm trying to connect to it using Windows 7 (its own client), I successfully log in, I have an IP, etc. The problem is that the only thing I can do to the server's IP (the private one on ppp0) is ping it. It doesn't accept ssh, ftp, http, netbios... anything other than ping.

I've spent the whole day trying different things, on the client, on the server... I think that it's a problem with "the simulated" ethernet addresses, it complains about the proxy ARP problem, and, practically, one is invisible to the other, but I'm not able to find out the solution...

javiercito1987Author Commented:
Some extra information about the server (CentOS 5.5):

May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp: $Version$  // ip-XX-XX-XX-XX Server's Host Name
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pppd 2.4.4 started by root, uid 0
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Connect: ppp0 <--> /dev/pts/1
May  4 16:16:08 ip-XX-XX-XX-XX pptpd[4411]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May  4 16:16:11 ip-XX-XX-XX-XX pppd[4412]: MPPE 128-bit stateless compression enabled
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local  IP address
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: ip-up ppp0 myuser // client external IP


eth0      Link encap:Ethernet  HWaddr 00:30:20:10:20:20
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask: // xx.xx.xx.xx external IP of the server
          inet6 addr: fe1a::110:1caf:fad4:2e1c/64 Scope:Link
          RX packets:16892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1327742 (1.2 MiB)  TX bytes:28781526 (27.4 MiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90278 (88.1 KiB)  TX bytes:90278 (88.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:  P-t-P:  Mask:
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:17323 (16.9 KiB)  TX bytes:7796 (7.6 KiB)

sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UH    0      0        0 ppp0
xx.xx.xx.0                                      U     0      0        0 eth0   // xx.xx.xx external IP of the server
                                                U     0      0        0 eth0
                xx.xx.xx.254                    UG    0      0        0 eth0

I've tried manually adding arp rules like:

arp --use-device --set eth0 pub
arp --set 00:10:10:40:20:20 pub // faked real MAC

None of these seems to work; if I try to add a route for (server IP on ppp0) I receive a beautiful:

SIOCADDRT network unreachable ppp0

Another thing, maybe very important, is that the client is behind NAT, and this router seems very basic. I've redirected port 1723, and GRE, for some reason, looks like it's working even though I don't have advanced settings to enable it in some way on the client's router.

If I had a direct connection, I could try to put the Linksys between internet and the router, to have all the packets "virgin", and try to login with it, or plug the computer directly to internet (like a modem) but I can't.

ipconfig on windows

PPP connection VPN adapter:

   DNS Suffix.... : (nothing)
   IPv4 address:
   default gateway: (nothing)

Maybe the lack of a default gateway could be part of the problem? I've had to uncheck the option "use the default gateway on the remote network" in the TCP/IP advanced options, because it would make me drop internet access.

I've tried also to use different MTUs, 1500, 2000, 6000, 9000... no luck...
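Two checks a server admin could script for the situation in this post, added here as an example that is not from the thread: whether the pptpd remoteip lies inside eth0's subnet (pppd's proxyarp option needs that, and otherwise logs exactly the "Cannot determine ethernet address for proxy ARP" line quoted above) and whether the host firewall accepts both halves of PPTP, 1723/tcp and GRE. The eth0 address, the remoteip and the iptables-save text are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread. The eth0 address/prefix, the pptpd
# remoteip and the iptables-save text below are constructed. POSIX sh only,
# so it also runs on an old CentOS 5 box.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside the network of $2 with prefix length $3.
# pppd's proxyarp option only works when the peer's remoteip lies inside the
# subnet of an Ethernet interface; otherwise pppd logs
# "Cannot determine ethernet address for proxy ARP", as in the log above.
in_subnet() {
  ip=$(ip2int "$1"); net=$(ip2int "$2")
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# True when an iptables-save dump ($1) accepts both halves of PPTP:
# the TCP 1723 control channel and GRE (IP protocol 47) for the tunnel data.
pptp_rules_present() {
  printf '%s\n' "$1" | grep -q -- '-p tcp .*--dport 1723 .*-j ACCEPT' || return 1
  printf '%s\n' "$1" | grep -Eq -- '-p (gre|47) .*-j ACCEPT' || return 1
}

# Constructed sample: eth0 on 203.0.113.10/24, pptpd remoteip 192.168.0.234.
# That is the layout that triggers the proxy ARP warning.
ETH0_IP=203.0.113.10; ETH0_BITS=24
PPTP_REMOTE=192.168.0.234
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT'

if in_subnet "$PPTP_REMOTE" "$ETH0_IP" "$ETH0_BITS"; then
  echo "ok: $PPTP_REMOTE is inside eth0's subnet; proxyarp can answer for it"
else
  echo "warn: $PPTP_REMOTE is outside eth0's subnet; pppd cannot proxy-ARP it"
fi
if pptp_rules_present "$SAMPLE_RULES"; then
  echo "ok: firewall accepts 1723/tcp and GRE"
else
  echo "warn: firewall is missing the 1723/tcp or the GRE rule"
fi
```

On a real host, feed `iptables-save` output to pptp_rules_present and the values from `ifconfig eth0` and /etc/pptpd.conf to in_subnet.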
javiercito1987Author Commented:
Another thing, sorry for the epic fail tcpdump :D  I'm very tired.

I'm adding 3 files with tcpdumps on ppp0 (full verbose): one of them pinging (the server), another one trying to mount a SAMBA share and one doing various things, accessing the IP with Firefox, trying to start an SSH session...

I've observed that connections don't fail and exit, they enter a loop but nothing happens. Rarely the connection fails and I have, for example, the already mentioned:

read_data: read failure for 4 bytes to client Error = Connection reset by peer

I guess you modified the pppd.conf as

so is the CentOS IP, the Windows VPN client got IP.

If you can ping from the Windows machine, the VPN is working; do not set up ARP, no default gateway is needed.

I guess you have a firewall on CentOS refusing access, like iptables; run "iptables -L", what's the result?
javiercito1987Author Commented:
Solved! The problem was the router at the client side; I've changed it to a more advanced one and it's done, all packets are being routed properly.

I still have a problem to deal with, the poor performance of SAMBA shares over the internet (Word or OpenOffice hangs 5-6 seconds for a 56Kb file), but that's another problem.

I'd like to know why the old router isn't working properly...

Thanks very much!