Establishing VPN connection using a CentOS Server to access files

Posted on 2011-05-03
Last Modified: 2012-06-21

First of all, I apologize for my English; I live in Spain and I don't have enough time to practice.

The matter is that I'm trying to establish a VPN connection between a CentOS dedicated server (GoDaddy, cPanel) and a local network where all the workstations run CentOS as well, as a way to share files (maybe using NFS).

I've been searching and I've found that I could address the problem using either IPSec or OpenVPN. I understand the second choice a bit better, but maybe the right one will be IPSec because I already have hardware that could serve as a gateway in our local network (Linksys RV042 VPN Router). I think that, if I use OpenVPN, I have to rely entirely on software, is that right?

On the server, for the moment, I have only one IP address, but I won't have problems getting one more. I also have the "tun" virtual device. In the local network I have one server (CentOS again) used as a firewall and, obviously, the router to access the internet.

The IP of the server is a public one (not 192.168...), I guess I'd have to create another subnet (private IPs?) and start NFS/NIS on this one, but I'm really confused about all the options.

Could you please recommend the easiest way to do such a thing?

Thanks very much.
Question by: javiercito1987

    Accepted Solution

    I suggest you try to install a PPTP VPN server on CentOS:

    Based on my limited VPN server configuration experience, PPTP VPN is easier to set up. I have configured a Linksys RV042 before and I know it supports PPTP VPN.

    If you can have a static IP address or a dynamic DNS setup on your local network (RV042), you can also configure the RV042 as a PPTP VPN server and configure CentOS as a VPN client (this is very easy).


    Expert Comment

    Sorry, I mean set up the RV042 with a static internet IP address or with dynamic DNS.


    Author Comment

    Thanks very much, now I'm able to establish the VPN connection and I'm able to ping the server ( but I think I cannot pass normal packets through it. When I try, for example, to use SAMBA I get this error:

    read_data: read failure for 4 bytes to client Error = Connection reset by peer

    I also have some kind of warning in my logs when a client connects:

    Cannot determine ethernet address for proxy ARP

    I think I have to add some route rule, but I still need some help... This is a sample of tcpdump output (I've faked the IPs):

    12:53:13.233289 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:201288}>
    12:53:13.235236 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:201468}>
    12:53:13.235247 IP > P 211352:211888(536) ack 989 win 191
    12:53:13.235336 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:201972}>
    12:53:13.235346 IP > P 211888:212264(376) ack 989 win 191
    12:53:13.236935 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:202136}>
    12:53:13.236946 IP > P 212264:212380(116) ack 989 win 191
    12:53:13.237069 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:202496}>
    12:53:13.239185 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:202660}>
    12:53:13.239193 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:202968}>
    12:53:13.240878 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:203148}>
    12:53:13.240886 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:203328}>
    12:53:13.240912 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:203688}>
    12:53:13.244556 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:203852}>
    12:53:13.248262 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:204160}>
    12:53:13.250221 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:204340}>
    12:53:13.250240 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:204700}>
    12:53:13.252008 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:204864}>
    12:53:13.252016 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:205044}>
    12:53:13.253970 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:205224}>
    12:53:13.253978 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:205404}>
    12:53:13.255910 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:205856}>
    12:53:13.257867 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:206020}>
    12:53:13.257875 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:206200}>
    12:53:13.330453 IP > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=standby group=1
    12:53:13.347682 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:206560}>
    12:53:13.349311 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:207116}>
    12:53:13.349319 IP > . ack 196592 win 256 <nop,nop,sack 1 {196952:206756}>
    12:53:13.351313 IP > . ack 207116 win 257
    12:53:13.353014 IP > P 989:1041(52) ack 207116 win 257
    12:53:13.353084 IP > P 212380:212512(132) ack 1041 win 191
    12:53:13.353336 IP > . 212512:213964(1452) ack 1041 win 191
    12:53:13.364911 IP > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=standby group=2
    12:53:13.400063 IP > . ack 208564 win 257
    12:53:13.400076 IP > . 213964:215416(1452) ack 1041 win 191
    12:53:13.400081 IP > . 215416:216868(1452) ack 1041 win 191
    12:53:13.400085 IP > P 216868:217136(268) ack 1041 win 191
    12:53:13.407713 IP > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=2
    12:53:13.415102 IP > . ack 209708 win 257
    12:53:13.415114 IP > P 217136:217980(844) ack 1041 win 191
    12:53:13.415181 IP > P 217980:218144(164) ack 1041 win 191
    12:53:13.415224 IP > P 218144:218324(180) ack 1041 win 191
    12:53:13.418728 IP > P 1041:1093(52) ack 209708 win 257

    Author Comment

    Sorry, I forgot to say I've tried many things: adding LVM and NTLM to the Windows security settings, changing the MTU to 9000 (both on eth0 and ppp0), triple-checking that IP forwarding is enabled, completely stopping the firewalls...

    Expert Comment

    First, could you explain how the VPN connection is set up? Who is the VPN server?

    If you use the RV042 as the VPN server and CentOS as the VPN client, once the connection is set up, on the CentOS side, if you run "ifconfig", you should see a new interface like ppp0.

    When you do tcpdump, you should run it on interface ppp0.


    Author Comment

    Sorry, I forgot the most important thing...

    I've configured the dedicated server as the pptpd server. It seems that everything is OK: ppp0 is up, the server accepts connections, assigns IP addresses...

    I'm trying to connect to it using Windows 7 (its own client). I successfully log in, I have an IP, etc. The problem is that the only thing I can do with the server's IP (the private one on ppp0) is ping it. It doesn't accept ssh, ftp, http, netbios... anything other than ping.

    I've spent the whole day trying different things, on the client, on the server... I think that it's a problem with "the simulated" ethernet addresses; it complains about the proxy ARP problem and, practically, one is invisible to the other, but I'm not able to find the solution...


    Author Comment

    Some extra information about the server (CentOS 5.5):


    May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp: $Version$  // ip-XX-XX-XX-XX Server's Host Name
    May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pppd 2.4.4 started by root, uid 0
    May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
    May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Connect: ppp0 <--> /dev/pts/1
    May  4 16:16:08 ip-XX-XX-XX-XX pptpd[4411]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    May  4 16:16:11 ip-XX-XX-XX-XX pppd[4412]: MPPE 128-bit stateless compression enabled
    May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
    May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local  IP address
    May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address
    May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: ip-up ppp0 myuser // client external IP


    eth0      Link encap:Ethernet  HWaddr 00:30:20:10:20:20
              inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask: // xx.xx.xx.xx external IP of the server
              inet6 addr: fe1a::110:1caf:fad4:2e1c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:16892 errors:0 dropped:0 overruns:0 frame:0
              TX packets:23003 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1327742 (1.2 MiB)  TX bytes:28781526 (27.4 MiB)

    lo        Link encap:Local Loopback
              inet addr:  Mask:
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:634 errors:0 dropped:0 overruns:0 frame:0
              TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:90278 (88.1 KiB)  TX bytes:90278 (88.1 KiB)

    ppp0      Link encap:Point-to-Point Protocol
              inet addr:  P-t-P:  Mask:
              RX packets:208 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:17323 (16.9 KiB)  TX bytes:7796 (7.6 KiB)

    sysctl -p

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 4294967295
    kernel.shmall = 268435456

    route -n

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                    UH    0      0        0 ppp0
    xx.xx.xx.0                                      U     0      0        0 eth0   // xx.xx.xx external IP of the server
                                                    U     0      0        0 eth0
                    xx.xx.xx.254                    UG    0      0        0 eth0

    I've tried manually adding arp rules like:

    arp --use-device --set eth0 pub
    arp --set 00:10:10:40:20:20 pub // faked real MAC

    None of these seems to work. If I try to add a route for (server IP on ppp0), I get a beautiful:

    SIOCADDRT network unreachable ppp0

    Another thing, maybe very important, is that the client is behind NAT, and its router seems very basic. I've forwarded port 1723, and GRE, for some reason, looks like it's working even though I don't have advanced settings to enable it in any way on the client's router.

    If I had a direct connection, I could try to put the Linksys between the internet and the router, so all the packets arrive "virgin", and try to log in with it, or plug the computer directly into the internet (like a modem), but I can't.

    ipconfig on Windows:

    PPP connection VPN adapter:

       DNS Suffix . . . : (nothing)
       IPv4 address:
       default gateway: (nothing)

    Maybe the lack of a default gateway could be part of the problem? I've had to uncheck the option "use the default gateway on the remote network" in the TCP/IP advanced options, because it makes me lose internet access.

    I've also tried using different MTUs (1500, 2000, 6000, 9000)... no luck...

    Author Comment

    Another thing, sorry for the epic fail tcpdump :D  I'm very tired.

    I'm attaching 3 files with tcpdumps on ppp0 (full verbose): one pinging (the server), another trying to mount a SAMBA share, and one doing various things, accessing the IP with Firefox, trying to start an SSH session...

    I've observed that connections don't fail and exit; they enter a loop but nothing happens. Rarely the connection fails and I get, for example, the already mentioned:

    read_data: read failure for 4 bytes to client Error = Connection reset by peer

    Expert Comment

    I guess you modified the pppd.conf as

    So is the CentOS IP, and the Windows VPN client got IP.

    If you can ping from the Windows machine, the VPN is working; do not set up ARP, and no default gateway is needed.

    I guess you have a firewall on CentOS refusing access, like iptables. Run "iptables -L"; what's the result?

    Author Comment

    Solved! The problem was the router on the client side. I've changed it to a more advanced one and it's done; all packets are being routed properly.

    I still have a problem to deal with, the poor performance of SAMBA shares over the internet (Word or OpenOffice hangs for 5-6 seconds on a 56Kb file), but that's another problem.

    I'd like to know why the old router isn't working properly...

    Thanks very much!
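The thread ends with the client's router as the cause, but the server-side questions raised along the way (is forwarding on, what does iptables allow, why does pppd complain about proxy ARP, is the MTU to blame) are the checks a practitioner would run first. The script below is an added example, not code from the thread or from pptpd. Each check reads one command's output on stdin, so it can be fed live output on the server (for example `iptables -S | firewall_ok`) or the constructed samples embedded at the bottom. The host name `vpn-host`, the 192.0.2.x addresses, the rule set and the options file are all placeholders and assumptions, not the thread's actual configuration; the TCPMSS rule is shown because "ping works but TCP hangs" over a PPP link is the classic path-MTU black-hole symptom the author's MTU experiments were chasing.

```shell
#!/bin/sh
# Added example, not code from the thread or from pptpd. Each check reads
# one command's output on stdin, so it works on live output on the server
# (e.g. `iptables -S | firewall_ok`) and on the constructed samples below.

# IP forwarding must be on (the sysctl listing in the thread shows it is).
forwarding_ok() {
    grep -q '^net\.ipv4\.ip_forward *= *1$'
}

# pptpd needs TCP/1723 (control channel) and GRE, IP protocol 47 (the
# tunnel). Packets arriving on the ppp interface must be accepted too;
# otherwise only what the other rules allow (ICMP, say) gets through,
# which gives exactly "ping works, nothing else does".
firewall_ok() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q  -- '-p tcp .*--dport 1723 .*-j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -qE -- '-p (gre|47) .*-j ACCEPT'           || return 1
    printf '%s\n' "$rules" | grep -qF -- '-i ppp+ -j ACCEPT'                 || return 1
    return 0
}

# TCP MSS clamping on forwarded flows: "ping works but TCP sessions hang"
# over a PPP link is the classic path-MTU black hole, and clamping the MSS
# to the path MTU fixes it without changing interface MTUs.
mss_clamp_ok() {
    grep -qF -- '-j TCPMSS --clamp-mss-to-pmtu'
}

# /etc/ppp/options.pptpd: refuse the weakest authenticators and require
# 128-bit MPPE. MS-CHAPv2, the best PPTP can do, is itself considered weak,
# so this is a floor. `proxyarp` is the option that makes pppd log
# "Cannot determine ethernet address for proxy ARP" when the remote address
# lies outside every Ethernet interface's subnet.
ppp_options_ok() {
    opts=$(grep -v '^#' | sed 's/[[:space:]]*#.*//')
    for want in refuse-pap refuse-chap refuse-mschap require-mppe-128; do
        printf '%s\n' "$opts" | grep -qx "$want" || return 1
    done
    return 0
}
ppp_options_proxyarp() {
    grep -v '^#' | grep -qx 'proxyarp'
}

# pppd log: the link is up once both endpoint addresses have been logged.
pppd_link_up() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'pppd\[[0-9]*\]: local  IP address' || return 1
    printf '%s\n' "$log" | grep -q 'pppd\[[0-9]*\]: remote IP address' || return 1
    return 0
}

# Constructed samples: placeholder host name and 192.0.2.x addresses,
# not captures from the thread's server.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1'

# Accepts the control channel and GRE but nothing from ppp0: the tunnel
# comes up and ping answers (ICMP is allowed), TCP services do not.
SAMPLE_RULES_PING_ONLY='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT'

# Same rules plus the two missing ones (the TCPMSS rule lives in the
# mangle table; this is a combined `iptables -S` / `iptables -t mangle -S`).
SAMPLE_RULES_FIXED="$SAMPLE_RULES_PING_ONLY
-A INPUT -i ppp+ -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

SAMPLE_OPTIONS='name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
proxyarp
ms-dns 192.0.2.53   # placeholder resolver'

SAMPLE_PPPD_LOG='May  4 16:16:05 vpn-host pppd[4412]: Using interface ppp0
May  4 16:16:13 vpn-host pppd[4412]: Cannot determine ethernet address for proxy ARP
May  4 16:16:13 vpn-host pppd[4412]: local  IP address 192.0.2.1
May  4 16:16:13 vpn-host pppd[4412]: remote IP address 192.0.2.10'

# check LABEL DATA FUNCTION: run one check and print a one-line verdict.
check() {
    if printf '%s\n' "$2" | "$3"; then echo "ok    $1"; else echo "FAIL  $1"; fi
}
check "ip_forward"            "$SAMPLE_SYSCTL"          forwarding_ok
check "firewall (ping only)"  "$SAMPLE_RULES_PING_ONLY" firewall_ok
check "firewall (fixed)"      "$SAMPLE_RULES_FIXED"     firewall_ok
check "mss clamp (fixed)"     "$SAMPLE_RULES_FIXED"     mss_clamp_ok
check "options.pptpd"         "$SAMPLE_OPTIONS"         ppp_options_ok
check "proxyarp set"          "$SAMPLE_OPTIONS"         ppp_options_proxyarp
check "pppd link up"          "$SAMPLE_PPPD_LOG"        pppd_link_up
```

Run as written it prints "FAIL firewall (ping only)" and "ok" for everything else, which is the point: the ping-only rule set reproduces the symptom in the thread without any routing or ARP fault. On a real server, replace the samples with `sysctl -a`, `iptables -S; iptables -t mangle -S`, `cat /etc/ppp/options.pptpd` and the pppd lines from the system log.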
