route all traffic through pptpd on Ubuntu

Hello,

How is it possible that, when I connect to my server with a PPTP VPN connection, it routes all traffic through it?
Duncan Roe (Software Developer) commented:
You need to make the VPN be the default route. That should only require that you add a line saying defaultroute to the relevant pppd conf file.
re-searcher (Author) commented:
We don't have a defaultroute option in the pptpd.conf file.
I just want to be sure which commands I should run in iptables (forwarding and masquerade).
Duncan Roe (Software Developer) commented:
Now I'm at work, I can see that we didn't use defaultroute on our pptp VPN either. We did use iptables to do source natting:
# Clear out old natting rules if any (there shouldn't be)
./iptables-nat-off

# Get gateway address (what ppp gave us)
# (net-tools ifconfig output; newer ifconfig and "ip addr" print "inet X" instead)
gateway=$(/sbin/ifconfig ppp1|grep 'inet addr'|cut -d: -f2|cut -d' ' -f1)
[ -n "$gateway" ] ||
{
  logger -i -p local0.debug "ERROR: could not determine VPN gateway address"
  exit 1
}

# Mangle source addresses of all outgoing traffic
/usr/sbin/iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to "$gateway"

# Turn on packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

The dynamic gateway code requires that the above lines be in a script invoked by ip-up for ppp1 (test if $1 is ppp1). If you are happy with a static gateway address, you can set up iptables any time - interfaces in iptables rules don't need to exist at time of rule creation.
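Putting the accepted answer's pieces together, as an added example that is neither Duncan Roe's script nor the asker's eventual fix: a server-side hook dropped into /etc/ppp/ip-up.d/ (the location the asker was unsure about) that checks that $1 is a ppp interface, enables forwarding and NATs the client subnet out of eth0. The 192.168.1.0/24 pool and eth0 are assumptions taken from the asker's later comments; adjust them to your pptpd address range.

```shell
#!/bin/sh
# Added example, not Duncan Roe's script nor the asker's final fix: a
# server-side /etc/ppp/ip-up.d/ hook. pppd runs every script there as
#   script <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumed (from the asker's later comments, adjust to your pool): VPN
# clients are in 192.168.1.0/24 and the Internet-facing NIC is eth0.
VPN_NET="${VPN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# "Test if $1 is ppp1" from the accepted answer, generalized: true for
# any pppd interface (ppp0, ppp1, ...), false for anything else.
is_ppp_iface() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rules for one tunnel: $1=ppp iface, $2=upstream iface,
# $3=client subnet. Generating them in a function keeps the logic
# testable without root and lets the caller log exactly what it applied.
nat_rules() {
    # Forwarding: client -> Internet, and only replies back in.
    echo "iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT"
    echo "iptables -A FORWARD -i $2 -o $1 -d $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source NAT. MASQUERADE uses whatever address $2 currently has, so it
    # needs no gateway lookup (SNAT --to needs a fixed address, as in the
    # accepted answer's script).
    echo "iptables -t nat -A POSTROUTING -s $3 -o $2 -j MASQUERADE"
}

# $1 = interface pppd just brought up.
apply_rules() {
    is_ppp_iface "$1" || return 0            # not a tunnel: nothing to do
    echo 1 > /proc/sys/net/ipv4/ip_forward   # FORWARD chain is never used while 0
    nat_rules "$1" "$WAN_IF" "$VPN_NET" | while read -r rule; do
        logger -i -p local0.debug "ip-up: $rule"
        $rule || logger -i -p local0.err "ip-up: failed: $rule"
    done
}

# Act only when pppd passed an interface; sourcing the file for a test
# must not touch the firewall.
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

Name the file without dots (for example /etc/ppp/ip-up.d/pptpd-nat), since run-parts skips names containing them, and make it executable. Each client connection appends the rules again, so for a busy server either guard each rule with an `iptables -C` check or install them once at boot instead.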
Duncan Roe (Software Developer) commented:
We set the default route to be via ppp1 separately, with ip route command
Duncan Roe (Software Developer) commented:
The ppp0 connection went to the ISP (via a 3G modem). You may only have 1 ppp connection.
re-searcher (Author) commented:
Thanks duncan_roe,

I just want to check some things before running your script.

+ You said in post #36989675 that I should append that script to ip-up, which is located at /etc/ppp, right?
+ How can I get $1, which is ppp1 or ppp0?
+ I don't understand what you said in post #36989680; would you mind explaining more?
re-searcher (Author) commented:
I used this article -> http://cviorel.easyblog.ro/2009/02/09/how-to-set-up-a-vpn-server-on-ubuntu/

but currently I can't browse the Internet after the connection is established.
re-searcher (Author) commented:
And a new problem is that I get disconnected from the pptp server after 14 sec.

It happens most of the time (around 90%).
Duncan Roe (Software Developer) commented:
When the link is established, pppd invokes /etc/ppp/ip-up with a number of positional parameters. The first parameter is the interface name.
I'll check at work tomorrow how we used ip route.
The article you used references ufw, with which I am not familiar. We only used iptables and other basic commands.
We were never able to gain Internet access through the poptop (ppp1) connection. That wasn't a problem, because we used the Internet (ppp0) connection. We did not default route to ppp1: we only routed the secure domain to which it gave access.
Could you post the file in /etc/ppp/peers that describes your connection? I can post ours (sensitive information overwritten, of course).
re-searcher (Author) commented:
I have just the provider file in the peers folder:
/etc/ppp/peers# cat provider
# example configuration for a dialup connection authenticated with PAP or CHAP
#
# This is the default configuration used by pon(1) and poff(1).
# See the manual page pppd(8) for information on all the options.

# MUST CHANGE: replace myusername@realm with the PPP login name given to
# your by your provider.
# There should be a matching entry with the password in /etc/ppp/pap-secrets
# and/or /etc/ppp/chap-secrets.
user "myusername@realm"

# MUST CHANGE: replace ******** with the phone number of your provider.
# The /etc/chatscripts/pap chat script may be modified to change the
# modem initialization string.
connect "/usr/sbin/chat -v -f /etc/chatscripts/pap -T ********"

# Serial device to which the modem is connected.
/dev/modem

# Speed of the serial line.
115200

# Assumes that your IP address is allocated dynamically by the ISP.
noipdefault
# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

# Makes pppd "dial again" when the connection is lost.
persist

# Do not ask the remote to authenticate.
noauth

For more information I should say I authenticate poptop with freeradius-mysql. Everything's OK and authentication works great. My problem is just that I don't know how I should route on Ubuntu.
I will remove all ufw and other configurations that were applied through that article.
Duncan Roe (Software Developer) commented:
That looks to me like the generic file for a dial-up connection. Note that it does contain defaultroute, which I don't think you want. pptpsetup should have produced another file for you - do you have that? It looks like
10:09:32$ cat VPN
# written by pptpsetup
pty "pptp xxx.xxx.xxx.xxx --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name VPN
remotename VPN
ipparam VPN
require-mppe-128
novj
noipdefault
nodetach
ipcp-max-failure 6

# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap

I replaced the company name with VPN and xxx'd out the IP address of the system with the pptp server.
Are you actually expecting people to connect to your system in order to establish VPNs? Poptop is really to let you connect to Windows servers - if you are the server then OpenVPN is much better.
re-searcher (Author) commented:
Yes, I have.
# cat /etc/ppp/pptpd-options
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes 
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns xx.xx.xx.xx

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
ms-wins xx.xx.xx.xx

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp 

novj
novjccomp
nologfd
auth

noipx
mtu 1490
mru 1490

# plugins
plugin radius.so
#plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf

re-searcher (Author) commented:
But I need to know how to route pptp traffic through iptables.

My problem is not pptpd-options and ppp configurations.
Duncan Roe (Software Developer) commented:
You need to do the source mangling as I indicated in http:#a36989675. Other than that, what are you trying to do? Are you setting up a VPN with some firewalled site somewhere, or are you anticipating that other sites will connect to your system in order to establish a VPN? At least for the former, you need a route, not an iptables rule. The function of the routing table is to direct an IP packet to the appropriate network interface. iptables rules work on frames that have already got to some interface.
re-searcher (Author) commented:
I just want to route all PPTP traffic to eth0.
We need to add new iptables rules (I think), because it will block routing...
Duncan Roe (Software Developer) commented:
I just noticed you posted /etc/ppp/pptpd-options when I really wanted you to post the file in /etc/ppp/peers which connects with the remote peer (pptpd-equivalent in a Windows system). The pty directive in that file nominates a remote address to connect the other end of the tunnel. Normal routing will ensure that connection goes out through the right NIC - eth0 in your case. All connections to ppp0 will go through that tunnel - there is no need nor even possibility to route them anywhere else.
I have not used pptp in server mode but I guess it will be similar.
re-searcher (Author) commented:
Thanks Duncan,

You mean I should use the script which you sent in post #36989675?!
But you didn't tell me where I should save this script. Is it /etc/ppp/ip-up.d/? What should the name of this script be? etc.
re-searcher (Author) commented:
Duncan,

I fixed it myself, without any script or other methods.

But my problem is that the connection automatically disconnects after 15-30 seconds.
Duncan Roe (Software Developer) commented:
Script went in /etc/ppp/peers.
Is the disconnection initiated by the ISP? Check pppd entries in /var/log/debug or maybe some other file in /var/log.
Also, how did you fix it yourself: what exactly did you do?
re-searcher (Author) commented:
I just added rules on the network interface and set an IP gateway for the range of IPs, i.e. 192.168.1.0/24 -> 204.122.123.124

I will accept your 2nd post as the solution here, and for that question please read this post: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_27408110.html