VPN
From PrincetonUnixFAQ
Virtual Private Networking (VPN) configuration for Linux
Introduction
Virtual Private Networking (VPN) can be used to access Princeton-specific resources from off-campus. Although the Linux operating system is not fully supported by OIT, some individuals have followed these steps to access Princeton's VPN using Linux.
Currently, Princeton only supports using Microsoft's Point-to-Point Tunneling Protocol. While the VPN server, a Cisco 3000 Series VPN Concentrator, supports IPSec, OIT hasn't enabled support for it. However, this is something the Network Systems (http://www.net.princeton.edu/) staff would like to support in the future.
Because support for Microsoft's Point-to-Point protocol with encryption (MPPE) is not built into Linux kernels prior to 2.6.15 by default, setting up the VPN for those kernels is quite a complicated process. You should therefore obtain a newer version of the Linux kernel.
The software used for VPN is called PPTP Client (http://pptpclient.sourceforge.net/). For questions about PPTP Client, you should contact the mailing list at pptpclient-devel@lists.sourceforge.net (mailto:pptpclient-devel@lists.sourceforge.net).
The PPTP Client (http://pptpclient.sourceforge.net/) web site contains detailed instructions for building a kernel with MPPE support, installing the necessary software, and configuring the PPTP Client for several Linux distributions. In outline, the steps (described in much greater detail at the PPTP Client web site (http://pptpclient.sourceforge.net/)) are as follows. Please first read the entire document below and bear it in mind while following the directions at the PPTP Client web site; some configurations to be made are Princeton-specific.
Enable compression and encryption
For people with kernels newer than 2.6.15, make sure that you have enabled support for it. Specifically, you should have the following kernel options selected:
Cryptographic options --->
    [*] Cryptographic API
    [*] HMAC support
    [M] MD5 digest algorithm
    --- SHA1 digest algorithm
    [M] SHA256 digest algorithm
    [M] SHA384 and SHA512 digest algorithms
    [M] DES and Triple DES EDE cipher algorithms
    [M] ARC4 cipher algorithm
    [M] Deflate compression algorithm
Device Drivers --->
    Networking support --->
        [*] PPP (point-to-point protocol) support
        [*] PPP filtering
        [M] PPP support for async serial ports
        [M] PPP support for sync tty ports
        [M] PPP Deflate compression
        [M] PPP BSD-Compress compression
        [M] PPP MPPE compression (encryption) (NEW)
To build an older kernel with MPPE support, patch kernel source code with the MPPE patch and compile a new kernel from it. Alternatively you may in some cases obtain a pre-compiled kernel from the PPTP-Linux web site (http://pptpclient.sourceforge.net/). Please beware that in either case, this will probably prevent your kernel from being automatically updated with security updates from your distribution. Set the new kernel to be the default in your boot loader and reboot.
Make sure that the kernel module ppp-compress-18 is loaded by running this command:
modprobe ppp-compress-18 && echo success
Install software
Install the PPP (http://ppp.samba.org/) and PPTP Client (http://pptpclient.sf.net/) software. The exact process will vary based on your distribution. In certain cases, you will need PPP version 2.4.4 or higher (NOT 2.4.3 as stated on the PPTP Client web page) for reasons described below (if you use Method 2 in step 5). This may require you to compile the latest version of PPP on your machine from source, or else find a packaged version that has been "backported" to your distribution.
Configure the PPTP Client software.
It is recommended that you do this "by hand" by editing the appropriate text files in the /etc/ppp directory, not with the graphical pptpconfig utility. A description of how to do this is given (http://pptpclient.sourceforge.net/howto-debian.phtml#configure_by_hand) only for the Debian distribution, but those instructions should be applicable to most other distributions as well. The values to use are as follows:
- $SERVER is vpn.princeton.edu
- $TUNNEL can in principle be whatever you like; we suggest you use tunnel for consistency with the remainder of these instructions
- $DOMAIN is princeton (although it is optional)
- $USERNAME is your OIT NetID
- $PASSWORD is your OIT Windows Domain password
- You WILL need to use the require-mppe-128 option.
Configure Routing
Add scripts to route all Internet traffic on your machine through the VPN. This can be done by putting ip-up and ip-down scripts into the /etc/ppp directory. The suggested scripts are available here (http://pptpclient.sourceforge.net/routing.phtml#all-to-tunnel). In these scripts, you will want to use vpn.princeton.edu for the value of $SERVER. For the value of $PRIMARY, you will most likely want to use eth0 if you have a broadband network connection, wlan0 if you're on wireless, or ppp0 if you dial in to an ISP by modem. In the first two cases, your VPN connection will be configured on ppp0, and in the last case, on ppp1.
Be sure not to overwrite any existing ip-up or ip-down scripts provided by your distribution. You may want to insert the routing scripts into pre-existing scripts (before any exit 0 statement). Alternatively, some Linux distributions have /etc/ppp/ip-up.d and /etc/ppp/ip-down.d directories into which you can drop the routing scripts. Make sure that you set the routing scripts to be executable (chmod +x).
For these scripts to work, you will need the route command available on your computer; it is part of the net-tools software package.
Modify Routing
Because the Princeton VPN server is configured to supply the same IP address for itself on the VPN as on the public Internet, you will need to modify the routing tables a little bit. Exactly how you do this may depend on the type of network you are connecting from.
Method 1:
After being unable to get Method 2 to work for me, I was able to get this working when connecting from Dormnet and from off-campus. First, in the ip-up script, change the
route add -host ${SERVER} dev ${PRIMARY}
line to read
route add -host ${SERVER} gw ${GATEWAY} dev ${PRIMARY}
where ${GATEWAY} is your default gateway on ${PRIMARY}.
If you do not know your default gateway, you can find it by running the command route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
140.180.128.0   0.0.0.0         255.255.192.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         140.180.128.1   0.0.0.0         UG    0      0        0 eth0
The last entry (Destination 0.0.0.0, flags UG) is the one to use for the gateway: take the value in the Gateway column of the row whose Destination is 0.0.0.0. In the output above that is 140.180.128.1.
Additionally, pppd puts an entry in the routing table which creates a loop, so you need to delete it by adding the following line in your ip-up script:
route del ${SERVER} ${TUNNEL}
Finally, in your ip-down file, you need to restore the gateway. Change
route add default dev ${PRIMARY}
to
route add default gw ${GATEWAY} dev ${PRIMARY}
Method 2:
Another solution that has been reported to work is to add an additional /etc/ppp/ip-pre-up script. This is what requires version 2.4.4 or higher of PPP (earlier versions do not execute ip-pre-up scripts). The script should read as follows:
#!/bin/sh
# ip-pre-up routing script
# pppd passes the peer's ipparam value as $6; the VPN peer is named "tunnel"
SERVER=vpn.princeton.edu
PRIMARY=eth0 # change to ppp0 if you are on dial-up
if [ "$6" = "tunnel" ] ; then
    # reach the VPN server over the physical interface before the tunnel is up
    route add ${SERVER} dev ${PRIMARY}
fi
exit 0
# end of ip-pre-up script
Finally, regardless of which method you chose above, to clean up the routing table when disconnecting from the VPN, you should insert this command just before the final fi in the ip-down routing script:
route del vpn.princeton.edu dev ${PRIMARY}
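The following script is an added example, not part of this page or of the PPTP Client project. It collects the Method 1 edits above into ip-up and ip-down functions and parses the output of route -n for the default gateway, so you do not have to read it off by hand. The function names, the DRY_RUN switch and the two default-route lines (route del default / route add default, assumed to mirror the PPTP Client all-to-tunnel scripts) are this example's own; the peer is assumed to be named tunnel, the physical interface eth0, and the tunnel interface ppp0. With DRY_RUN=1 (the default) the route commands are printed rather than run, and a constructed copy of the route -n output shown above is used instead of the live routing table.

```shell
#!/bin/sh
# Added example (not from the PrincetonUnixFAQ page or the PPTP Client project).
# Method 1 routing edits as ip-up/ip-down functions, plus gateway detection.
# Assumptions: peer named "tunnel", physical interface eth0, tunnel ppp0;
# the default-route swap lines are assumed to match the all-to-tunnel scripts.
# DRY_RUN=1 (default) prints the route commands; pppd would run them as root
# with DRY_RUN=0.

SERVER=vpn.princeton.edu
PRIMARY=${PRIMARY:-eth0}      # eth0 / wlan0, or ppp0 on dial-up
TUNNEL=${TUNNEL:-ppp0}        # the ppp interface pppd hands to ip-up as $1
DRY_RUN=${DRY_RUN:-1}

# Print the gateway of the default route from "route -n" output on stdin:
# the row whose Destination is 0.0.0.0 and whose Flags include G.
default_gateway_from() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Run a command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Method 1 ip-up: reach the VPN server through the existing gateway on the
# physical interface, drop the looping route pppd added over the tunnel,
# then (assumed from the all-to-tunnel script) send all traffic through it.
vpn_ip_up() {
    gateway=$1
    run route add -host "$SERVER" gw "$gateway" dev "$PRIMARY"
    run route del "$SERVER" "$TUNNEL"
    run route del default "$PRIMARY"
    run route add default dev "$TUNNEL"
}

# Method 1 ip-down: restore the default route via the gateway, then remove
# the host route to the VPN server (the cleanup line from the page).
vpn_ip_down() {
    gateway=$1
    run route del default "$TUNNEL"
    run route add default gw "$gateway" dev "$PRIMARY"
    run route del "$SERVER" dev "$PRIMARY"
}

# Constructed copy of the "route -n" output shown on the page, used instead
# of the live routing table so the script runs anywhere.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
140.180.128.0   0.0.0.0         255.255.192.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         140.180.128.1   0.0.0.0         UG    0      0        0 eth0'

GATEWAY=$(printf '%s\n' "$SAMPLE_ROUTE_N" | default_gateway_from)
echo "# default gateway: $GATEWAY"
echo "# ip-up would run:"
vpn_ip_up "$GATEWAY"
echo "# ip-down would run:"
vpn_ip_down "$GATEWAY"
```

In a real /etc/ppp/ip-up, compute the gateway with GATEWAY=$(route -n | default_gateway_from) before any route is changed, wrap the calls in the same [ "$6" = "tunnel" ] test that Method 2 uses so other ppp peers are left alone, and store the gateway somewhere ip-down can read it (for example a file under /var/run), since the default route is gone by the time ip-down runs.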
Bringing up VPN
Once you have all of the above set up, you may connect to the VPN (running as root) with the command pon tunnel, and disconnect with the command poff tunnel. You can test whether you are successfully connected to the VPN by visiting the OIT Help Desk's web page (http://helpdesk.princeton.edu/home/) in a web browser. The bottom of the page should show a line that reads You are connecting from: VPN-CLIENT-xxxx.PRINCETON.EDU for some value of xxxx.
If this is not the case, you should read the diagnostics page (http://pptpclient.sourceforge.net/howto-diagnosis.phtml) on the PPTP Client web site. You may also want to look at the non-operating-system specific technical comments (http://www.net.princeton.edu/vpn/pptp.html) about Princeton's VPN.
Configuring DNS
In many instances, your DNS server will be your ISP's DNS server. When your computer tries to issue DNS queries, it will direct the DNS traffic through the VPN tunnel, and the DNS server will think that the requests are coming from Princeton and refuse to answer them. If you are having problems with name lookups, you should change your /etc/resolv.conf file to specify Princeton's DNS servers after you bring up the VPN tunnel:
nameserver 128.112.129.111
nameserver 128.112.129.32
nameserver 128.112.128.1
Final notes
Finally, be aware that if you are running servers on your Linux machine, they will be inaccessible to the outside world at your usual IP address while the VPN is connected. Hence remember to run poff tunnel as soon as you are finished using it. While you are connected to the VPN, your computer will however be externally accessible at the VPN address it is assigned. To find out this address, type ifconfig at the command line and look at the output for ppp0 or ppp1. The IP address for your machine while it is connected to the VPN is shown in that output after the text inet addr:. (The IP address shown after P-t-P: is that of vpn.princeton.edu, currently 128.112.64.56.)
If more than one person uses your Linux machine, you may want to let one of them use the VPN sitting at the console, while the other is still able to log in to it remotely. This can be accomplished by letting all users of the machine know the updated IP address each time the machine is connected to the VPN. To do so, you may insert a line similar to the following (one for each user) just before the final fi in the ip-up routing script:
ifconfig ${TUNNEL} | mail -s "My VPN IP address" username@princeton.edu
with username@princeton.edu of course being the user's email address. Elaborations on this command (involving ddclient and dyndns.org, for instance) are left as exercises for the reader.
This article was originally put together as a suggested KnowledgeBase Solution (http://helpdesk.princeton.edu/kb/search.plx) by Kevin McCarty (mailto:kmccarty@princeton.edu). Our appreciation goes out to him. It has been adapted for use on this Wiki.
Remember, Linux is not fully supported on the VPN by OIT, and this article is provided only as a convenience. Please contact the PPTP Client authors or the Unix-list if something does not work correctly for you. Be sure to mention that you followed the steps on this web page, and give them all of the PPTP and PPP configuration information for your system.