
Establishing VPN connection using a CentOS Server to access files

Hello,

First of all I apologize for my English; sorry, I live in Spain and I don't have enough time to practice.

The matter is that I'm trying to establish a VPN connection between a CentOS dedicated server (GoDaddy, cPanel) as a way to share files (maybe using NFS) with a local network where all the workstations run CentOS as well.

I've been searching and I've found that I could address the problem using either IPsec or OpenVPN. I understand the second choice a bit better, but maybe the right one will be IPsec because I already have hardware that could serve as a gateway in our local network (Linksys RV042 VPN Router). I think that, if I use OpenVPN, I have to rely on software for everything; is that right?

In the server, for the moment, I have only one IP address, but I won't have problems getting one more. I also have the "tun" virtual device. In the local network I have one server (CentOS again) used as a firewall and, obviously, the router to access the internet.

The IP of the server is a public one (not 192.168...); I guess I'd have to create another subnet (private IPs?) and start NFS/NIS on it, but I'm really confused by all the options.

Could you please recommend the easiest way to do this?

Thanks very much.
0
javiercito1987
1 Solution
 
jackiechen858Commented:
I suggest you try to install a PPTP VPN server on CentOS: http://wingloon.com/2007/11/06/pptp-server-installation-in-centos-5/

Based on my limited VPN server configuration experience, PPTP VPN is easier to set up. I configured a Linksys RV042 before and I know it supports PPTP VPN.


If you can have a static IP address of a dynamic DNS setup on your local network (RV042), you can also configure the RV042 as a PPTP VPN server and configure CentOS as a VPN client (this is very easy).

0
 
jackiechen858Commented:
Sorry, I mean set up the RV042 with a static internet IP address or with a dynamic DNS.

0
 
javiercito1987Author Commented:
Thanks very much. Now I'm able to establish the VPN connection and I'm able to ping the server (192.168.1.100), but I think I cannot pass normal packets through it. When I try, for example, to use SAMBA I get this error:

read_data: read failure for 4 bytes to client 192.168.1.77. Error = Connection reset by peer

I also have some kind of warning in my logs when a client connects:

Cannot determine ethernet address for proxy ARP

I think I have to add some route rule, but I still need some help... This is a sample of tcpdump output (I've faked the IPs):

12:53:13.233289 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:201288}>
12:53:13.235236 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:201468}>
12:53:13.235247 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 211352:211888(536) ack 989 win 191
12:53:13.235336 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:201972}>
12:53:13.235346 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 211888:212264(376) ack 989 win 191
12:53:13.236935 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:202136}>
12:53:13.236946 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 212264:212380(116) ack 989 win 191
12:53:13.237069 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:202496}>
12:53:13.239185 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:202660}>
12:53:13.239193 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:202968}>
12:53:13.240878 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:203148}>
12:53:13.240886 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:203328}>
12:53:13.240912 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:203688}>
12:53:13.244556 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:203852}>
12:53:13.248262 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:204160}>
12:53:13.250221 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:204340}>
12:53:13.250240 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:204700}>
12:53:13.252008 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:204864}>
12:53:13.252016 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:205044}>
12:53:13.253970 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:205224}>
12:53:13.253978 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:205404}>
12:53:13.255910 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:205856}>
12:53:13.257867 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:206020}>
12:53:13.257875 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:206200}>
12:53:13.330453 IP ip-99-137-3-251.ip.secureserver.net.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=standby group=1 addr=ip-99-137-3-253.ip.secureserver.net
12:53:13.347682 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:206560}>
12:53:13.349311 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:207116}>
12:53:13.349319 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 196592 win 256 <nop,nop,sack 1 {196952:206756}>
12:53:13.351313 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 207116 win 257
12:53:13.353014 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: P 989:1041(52) ack 207116 win 257
12:53:13.353084 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 212380:212512(132) ack 1041 win 191
12:53:13.353336 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: . 212512:213964(1452) ack 1041 win 191
12:53:13.364911 IP ip-99-137-3-252.ip.secureserver.net.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=standby group=2 addr=ip-99-137-3-254.ip.secureserver.net
12:53:13.400063 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 208564 win 257
12:53:13.400076 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: . 213964:215416(1452) ack 1041 win 191
12:53:13.400081 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: . 215416:216868(1452) ack 1041 win 191
12:53:13.400085 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 216868:217136(268) ack 1041 win 191
12:53:13.407713 IP ip-99-137-3-251.ip.secureserver.net.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=2 addr=ip-99-137-3-254.ip.secureserver.net
12:53:13.415102 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: . ack 209708 win 257
12:53:13.415114 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 217136:217980(844) ack 1041 win 191
12:53:13.415181 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 217980:218144(164) ack 1041 win 191
12:53:13.415224 IP ip-99-137-3-161.ip.secureserver.net.ssh > 249.218.202.82.dynamic.jazztel.es.5359: P 218144:218324(180) ack 1041 win 191
12:53:13.418728 IP 249.218.202.82.dynamic.jazztel.es.5359 > ip-99-137-3-161.ip.secureserver.net.ssh: P 1041:1093(52) ack 209708 win 257
0
 
javiercito1987Author Commented:
Sorry, I forgot to say I've tried many things: adding LVM and NTLM to the Windows security settings, changing the MTU to 9000 (both on eth0 and ppp0), triple-checking that IP forwarding is enabled, completely stopping the firewalls...
0
 
jackiechen858Commented:
First, could you explain how the VPN connection is set up? Who is the VPN server?

If you use the RV042 as the VPN server and CentOS as the VPN client, once the connection is set up, on the CentOS side, if you run "ifconfig", you should see a new interface like ppp0.

When you do tcpdump, you should run it on interface ppp0.

0
 
javiercito1987Author Commented:
Sorry, I forgot the most important thing...

I've configured the dedicated server as a pptpd server; it seems that everything is OK, ppp0 is up, the server accepts connections, assigns IP addresses...

I'm trying to connect to it using Windows 7 (its own client); I successfully log in, I get an IP, etc. The problem is that the only thing I can do with the server's IP (the private one on ppp0) is ping it. It doesn't accept ssh, ftp, http, netbios... anything other than ping.

I've spent the whole day trying different things, on the client, on the server... I think that it's a problem with "the simulated" Ethernet addresses; it complains about the proxy ARP problem and, practically, one is invisible to the other, but I'm not able to find the solution...

0
 
javiercito1987Author Commented:
Some extra information about the server (CentOS 5.5)

/var/log/messages

May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp: $Version$  // ip-XX-XX-XX-XX Server's Host Name
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: pppd 2.4.4 started by root, uid 0
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Connect: ppp0 <--> /dev/pts/1
May  4 16:16:08 ip-XX-XX-XX-XX pptpd[4411]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May  4 16:16:11 ip-XX-XX-XX-XX pppd[4412]: MPPE 128-bit stateless compression enabled
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local  IP address 192.168.2.101
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address 192.168.2.10
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: pptpd-logwtmp.so ip-up ppp0 myuser 80.21.21.219 // client external IP

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:30:20:10:20:20
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0 // xx.xx.xx.xx external IP of the server
          inet6 addr: fe1a::110:1caf:fad4:2e1c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1327742 (1.2 MiB)  TX bytes:28781526 (27.4 MiB)
          Interrupt:185

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90278 (88.1 KiB)  TX bytes:90278 (88.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.2.101  P-t-P:192.168.2.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:17323 (16.9 KiB)  TX bytes:7796 (7.6 KiB)

sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.10    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
xx.xx.xx .0     0.0.0.0         255.255.255.0   U     0      0        0 eth0 // xx.xx.xx external IP of the server
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         xx.xx.xx.254    0.0.0.0         UG    0      0        0 eth0

I've tried manually adding arp rules like:

arp --use-device --set 192.168.2.10 eth0 pub
arp --set 192.168.2.101 00:10:10:40:20:20 pub // faked real MAC

None of these seem to work. If I try to add a route for 192.168.2.101 (server IP on ppp0) I receive a beautiful:

SIOCADDRT network unreachable ppp0

Another thing, maybe very important, is that the client is behind NAT, and this router seems very basic. I've redirected port 1723, and GRE, for some reason, looks like it's working even though I don't have advanced settings to enable it in some way on the client's router.

If I had a direct connection, I could try to put the Linksys between the internet and the router, to have all the packets "virgin", and try to log in with it, or plug the computer directly into the internet (like a modem), but I can't.

ipconfig on Windows

PPP connection VPN adapter:

   DNS Suffix.... : (nothing)
   IPv4 address: 192.168.2.10
   netmask:         255.255.255.255
   default gateway: (nothing)

Maybe the lack of a default gateway could be part of the problem? I've had to uncheck the option "use the default gateway on the remote network" in the TCP/IP advanced options, because it makes me lose internet access.

I've also tried different MTUs: 1500, 2000, 6000, 9000... no luck...
0
 
javiercito1987Author Commented:
Another thing: sorry for the epic fail tcpdump :D I'm very tired.

I'm adding 3 files with tcpdumps on ppp0 (full verbose): one of them pinging 192.168.2.101 (the server), another trying to mount a SAMBA share and one doing various things, accessing the IP with Firefox, trying to start an SSH session...

I've observed that connections don't fail and exit; they enter a loop but nothing happens. Rarely the connection fails and I get, for example, the already mentioned:

read_data: read failure for 4 bytes to client 192.168.2.77. Error = Connection reset by peer
tcpdump-using-samba.txt
tcpdump-pinging-ppp0.txt
tcpdump-various-ppp0.txt
0
 
jackiechen858Commented:
I guess you modified the pppd.conf as:
localip 192.168.2.101
remoteip 192.168.2.10-20

So 192.168.2.101 is the CentOS IP, and the Windows VPN client got the 192.168.2.10 IP.

If you can ping 192.168.2.101 from the Windows machine, the VPN is working; do not set up ARP, no default gateway is needed.

I guess you have a firewall on CentOS that refuses access, like iptables. Run "iptables -L"; what's the result?
0
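An added example, not posted by anyone in this thread: a small triage script that reads the kind of output the author pasted above (pppd lines from /var/log/messages, an ifconfig listing and sysctl -p output) and reports the facts the answer relies on. It extracts the two tunnel addresses, checks whether the remote PPP address falls inside the subnet of any Ethernet interface (pppd can only publish a proxy ARP entry for the client when it does, so with 192.168.2.x tunnel addresses and a public /24 on eth0 the "Cannot determine ethernet address for proxy ARP" warning is the expected, harmless outcome), and checks that net.ipv4.ip_forward is on. The sample text is constructed from the thread; the server's masked public address is replaced by the documentation placeholder 203.0.113.17, which is an assumption, not the author's real address.

```python
"""Triage pppd/pptpd diagnostics: tunnel addresses, proxy ARP feasibility,
IP forwarding. Example code written for this thread, not from pppd or pptpd."""
import ipaddress
import re

# Constructed sample input, modelled on the poster's /var/log/messages lines.
PPPD_LOG = """\
May  4 16:16:05 ip-XX-XX-XX-XX pppd[4412]: Using interface ppp0
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: Cannot determine ethernet address for proxy ARP
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: local  IP address 192.168.2.101
May  4 16:16:13 ip-XX-XX-XX-XX pppd[4412]: remote IP address 192.168.2.10
"""

# Constructed ifconfig output; 203.0.113.17/24 is a placeholder for the masked public IP.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:30:20:10:20:20
          inet addr:203.0.113.17  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.2.101  P-t-P:192.168.2.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
"""

# Constructed sysctl -p output.
SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
"""


def parse_pppd_log(text):
    """Pull the local/remote tunnel addresses and the proxy ARP warning out of pppd syslog lines."""
    info = {"local": None, "remote": None, "proxyarp_warning": False}
    for line in text.splitlines():
        m = re.search(r"(local|remote)\s+IP address (\S+)", line)
        if m:
            info[m.group(1)] = ipaddress.ip_address(m.group(2))
        if "Cannot determine ethernet address for proxy ARP" in line:
            info["proxyarp_warning"] = True
    return info


def parse_ifconfig(text):
    """Return [(name, encapsulation, ip_interface)] for every interface with an IPv4 address."""
    result = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"(\S+)\s+Link encap:(.+?)(?:\s{2,}|$)", lines[0])
        m_ip = re.search(r"inet addr:(\S+)", block)
        m_mask = re.search(r"Mask:(\S+)", block)
        if head and m_ip and m_mask:
            iface = ipaddress.ip_interface(f"{m_ip.group(1)}/{m_mask.group(1)}")
            result.append((head.group(1), head.group(2), iface))
    return result


def ethernet_subnet_for(addr, interfaces):
    """Name of the Ethernet interface whose subnet contains addr, or None if there is none."""
    for name, encap, iface in interfaces:
        if encap == "Ethernet" and addr in iface.network:
            return name
    return None


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict."""
    return {k.strip(): v.strip()
            for k, v in (line.split("=", 1) for line in text.splitlines() if "=" in line)}


def triage(pppd_log, ifconfig, sysctl):
    """Combine the three inputs into a report of what is, and is not, a problem."""
    info = parse_pppd_log(pppd_log)
    ifaces = parse_ifconfig(ifconfig)
    settings = parse_sysctl(sysctl)
    eth = ethernet_subnet_for(info["remote"], ifaces)
    return {
        "local": str(info["local"]),
        "remote": str(info["remote"]),
        "proxyarp_warning": info["proxyarp_warning"],
        "proxyarp_possible": eth is not None,       # pppd needs an Ethernet subnet holding the remote IP
        "proxyarp_explained": info["proxyarp_warning"] and eth is None,
        "ip_forward": settings.get("net.ipv4.ip_forward") == "1",
        "ppp_interfaces": [n for n, e, _ in ifaces if e.startswith("Point-to-Point")],
    }


if __name__ == "__main__":
    report = triage(PPPD_LOG, IFCONFIG, SYSCTL)
    for key, value in report.items():
        print(f"{key:20s} {value}")
    if report["proxyarp_explained"]:
        print("proxy ARP warning is expected: the client address is not in any Ethernet subnet;"
              " it does not stop the client from reaching the server itself")
```

Run it on the real files by replacing the three constants with the contents of /var/log/messages, `ifconfig` and `sysctl -p`; a report with `proxyarp_explained` true and `ip_forward` true means the next thing to look at is the host firewall, which is exactly the `iptables -L` question asked above.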
 
javiercito1987Author Commented:
Solved! The problem was the router on the client side; I've changed it to a more advanced one and it's done, all packets are being routed properly.

I still have a problem to deal with, the poor performance of SAMBA shares over the internet (Word or OpenOffice hangs 5-6 seconds for a 56 KB file), but that's another problem.

I'd like to know why the old router wasn't working properly...

Thanks very much!
0
