Basic questions about connecting TO a VPN server FROM an Open SuSE laptop

I have read a gazillion articles on VPN, but none of them seem to be able to talk down to my level of understanding of VPNs, so I am hoping someone can fill in some gaps in my knowledge.

I have set up my Raspberry Pi running as a VPN server. It’s just with PPTP.

As far as I can make out I need to use Network Management Settings to set up a new VPN connection. I am hoping someone can confirm I am doing the right thing.

My router is connected to the internet (obviously) and has a fixed IP address. I am calling it aaa.bbb.ccc.ddd as I’m not sure whether it’s a good idea to give the real address away.

I have this setup:

Pi (192.168.0.5) <–> (192.168.0.2) Router (aaa.bbb.ccc.ddd) <–> My ISP <–> The internet

(Laptop)<–> (Mobile Phone/Different ISP) <–> The Internet

When I make the new connection I choose PPTP connection and in the gateway I put aaa.bbb.ccc.ddd, i.e. the fixed IP address my ISP gave me.

I have opened up 192.168.0.5’s 1723 port on the router that is connected to the Internet on my LAN so I should be able to get through to the Raspberry Pi. I put the username and password I set up on the Pi in the “Additional” part of the first tab. In the ip4 tab I choose manual and I put in 192.168.0.5 as the IP address and 255.255.255.0 as the mask. I do not fill anything else in. Maybe I should of course, maybe someone could advise please?

Anyway, after all that, when I try to connect it just says connection failed.

So:

  1. Am I missing something in the setup?
  2. Are there logs somewhere that can tell me what is wrong rather than just saying it failed?

Many thanks.

Have you tried it without changing or setting anything in the ipv4 tab?
If I got your description right, you were setting the IP address of your laptop to the same address your VPN server uses. So you would have 2 machines with the same IP address in your VPN. That can’t work.

FWIW, I connect to a company (PPTP) VPN frequently. I use NM to connect with, and have only the VPN gateway defined, (along with username and password credentials of course). You should get some idea about what is failing while trying to connect by observing what is recorded in /var/log/NetworkManager.

Many thanks for the replies. I tried it without putting the IP address in. I had misunderstood what the IP4 tab was about by the sounds of it. I assume that this gets filled with the IP address the remote server gives to me if the connection is successful.

I’m getting the following error in /var/log/NetworkManager (thanks for that information!)

Mar 10 09:49:39 linux-dbat NetworkManager[721]: <info> Starting VPN service 'pptp'...
Mar 10 09:49:39 linux-dbat NetworkManager[721]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 24920
Mar 10 09:49:39 linux-dbat NetworkManager[721]: <info> VPN service 'pptp' appeared; activating connections
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <info> VPN plugin state changed: starting (3)
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <info> VPN connection 'Pi' (Connect) reply received.
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Plugin /usr/lib/pppd/2.4.5/nm-pptp-pppd-plugin.so loaded.
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Using interface ppp0
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Connect: ppp0 <--> /dev/pts/2
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 warn[open_inetsock:pptp_callmgr.c:329]: connect: Connection refused
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 fatal[callmgr_main:pptp_callmgr.c:127]: Could not open control connection to aaa.bbb.ccc.ddd
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 fatal[open_callmgr:pptp.c:479]: Call manager exited with error 256
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Modem hangup
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Connection terminated.
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <warn> VPN plugin failed: 1
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <warn> VPN plugin failed: 1
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Script /usr/sbin/pptp aaa.bbb.ccc.ddd --nolaunchpppd --loglevel 0 --logstring nm-pptp-service-24920 finished (pid 24926), status = 0x1
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <warn> VPN plugin failed: 1
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <info> VPN plugin state changed: stopped (6)
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <info> VPN plugin state change reason: 0
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <info> Policy set 'Wired connection 2' (usb0) as default for IPv4 routing and DNS.
Mar 10 09:49:48 linux-dbat NetworkManager[721]: <info> VPN service 'pptp' disappeared


I can ping the server though. I’ll do some Googling around to see if I can make sense of the error messages. I’m 200 miles from home at the moment so I can’t see what the Pi’s logs say! It looks like the connection was refused by the Pi, I need to find out *why*.
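A small triage of the log quoted above, as an added example that is not part of any poster's reply: it pulls the `nm-pptp-service` warn/fatal lines out of the NetworkManager log and reports which stage failed. The function name `triage` and the advice strings are assumptions made for this illustration; the log lines and message formats are copied from the thread.

```python
import re

# Lines copied from the NetworkManager log quoted in the thread.
THREAD_LOG = """\
Mar 10 09:49:42 linux-dbat NetworkManager[721]: Using interface ppp0
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 warn[open_inetsock:pptp_callmgr.c:329]: connect: Connection refused
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 fatal[callmgr_main:pptp_callmgr.c:127]: Could not open control connection to aaa.bbb.ccc.ddd
Mar 10 09:49:42 linux-dbat NetworkManager[721]: nm-pptp-service-24920 fatal[open_callmgr:pptp.c:479]: Call manager exited with error 256
Mar 10 09:49:42 linux-dbat NetworkManager[721]: <warn> VPN plugin failed: 1
"""

# nm-pptp-service-<pid> <level>[<function>:<file>:<line>]: <message>
PPTP_LINE = re.compile(
    r"nm-pptp-service-\d+ (?:warn|fatal)\[\w+:[\w.]+:\d+\]: (?P<msg>.*)$"
)
SOCKET_PREFIX = "connect: "
CONTROL_PREFIX = "Could not open control connection to "


def triage(log_text):
    """Summarise why the PPTP client gave up, from nm-pptp-service lines."""
    result = {"gateway": None, "socket_error": None, "stage": None, "advice": None}
    for line in log_text.splitlines():
        m = PPTP_LINE.search(line)
        if not m:
            continue  # ordinary NetworkManager/pppd chatter
        msg = m.group("msg")
        if msg.startswith(SOCKET_PREFIX):
            result["socket_error"] = msg[len(SOCKET_PREFIX):]
        elif msg.startswith(CONTROL_PREFIX):
            result["gateway"] = msg[len(CONTROL_PREFIX):].strip()
            result["stage"] = "control-connection"
    if result["stage"] == "control-connection":
        if result["socket_error"] == "Connection refused":
            # Refused means the address answered but nothing accepted the
            # connection on the PPTP control port (TCP 1723).
            result["advice"] = ("check the TCP 1723 forward to the server and "
                                "that the PPTP daemon is listening")
        else:
            result["advice"] = "control port unreachable: check routing and filtering"
    return result


if __name__ == "__main__":
    for key, value in triage(THREAD_LOG).items():
        print(f"{key}: {value}")
```

The "Using interface ppp0" line appears before the failure, so a ppp0 line in the log does not by itself mean the tunnel came up.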

“Connection refused” should be a decent clue that you need to inspect your Server setup, whether you’re configuring router/FW port forwarding and NAT properly. Unfortunately the actual issue may not be relevant to the exact error message, many times the error is deliberately generic to leak as little info to hackers as possible.

Could be any kind of cause from networking to authentication to mis-configured service. Recommend testing with another client machine or even from within the LAN.

TSU

I tried a slightly different way of doing this in that I am using the router as the VPN connection directly. That works really nicely and connects straight up. However, even though ppp0 says its IP address is 192.168.0.200 and the Pi’s is 192.168.0.5 the laptop cannot ping the Pi. I am still connected using the phone of course; usb0 is saying its IP address is 192.168.42.255. So, I am guessing I need to force the laptop to use the ppp0 connection to access the Pi. Is that correct and if so, how do I do that please?

I tried Googling this, but either no-one has described it or I am not wording my Google search correctly.

Thanks!

When describing your topology, you need to be painstakingly detailed about connections and IP addresses. I find myself guessing a lot when I read your description.

So, let’s take your Server setup first because that’s where I suspect your problem is, not on the client end.
You’ll need to verify that it’s set up properly. If your router supports PING from the LAN side, verify connectivity between your RPi and the router.
Also, from your RPi try to connect to a remote resource on the Internet; it won’t verify incoming configuration issues but will verify basic networking to the Internet and that your network settings are configured and working properly.

Once you have established basic networking functionality is working, then you can start to verify incoming connectivity. Don’t use PING, particularly if you’re also doing NAT behind your router, PING is often not supported or blocked by default. Instead, deploy a common service like a webserver on your RPi and configure forwarding (incoming) through your router. Then, from the Internet you can try connecting using a common browser or tcptraceroute. Unlike the regular traceroute which like ping uses ICMP packets, tcptraceroute enables testing routes and connecting to a TCP port (like port 80) which is less likely to be blocked than ICMP. Note that if you connect to a service like HTTP, you should either get a service banner or a response of some sort, clearly different than “denied” or “unavailable.”

I also recommend <not> using your connection through your phone for testing unless and until you are <very> confident you have it working properly… If you don’t have an alternative network connection, use any of the various public services on the Internet to do the test for you.

<Only after> you are <very sure> you have your Server configuration setup,
Setting up the client should be fairly easy with Network Manager… Typically you only need to install the required packages for the type of VPN, then open NM and create a VPN network entry.

Note how I’ve described a recommended course of action that starts with solving smaller parts of the problem (the Server side, testing for basic connectivity before trying to set up a VPN) before attempting configuring additional parts (eg Client) and simplifying your testing (eg using publicly available services if you don’t have a simple way connecting to the Internet).

TSU

If you can’t ping your VPN server from the client machine, then you may need to check the router to make sure that VPN ‘passthrough’ is enabled. Your underlying internet connection should make no difference here. (BTW, please bear in mind that PPTP is inherently less secure than using L2TP/IPsec or OpenVPN.)

OK, the set up I have now is this:

Laptop <–> Phone <–> Internet (192.168.42.59)

Pi (192.168.0.5) <–> (192.168.0.2) Router (aaa.bbb.ccc.ddd) <–> Internet

Laptop is connected to Internet via usb0 (my Android phone) and has given it an IP address of 192.168.42.59 (not .255, that was a mistake, sorry).

I can then connect to my Router and set up a ppp0 connection. ifconfig tells me the ppp0 address is as follows:

inet 192.168.0.202 (which makes sense as the router is set up to dole out addresses from 192.168.0.200 on the pptp link). P-t-P is 192.168.0.2 which is the LAN address of the router. I lose the connection every 300s of inactivity which exactly ties up with the router’s settings.

From the Pi I can ping bbc.co.uk and get replies happily. I cannot see anything in any of the router’s set-up menus about passthrough other than when you’re using the router as a NAT device, which, in this case I am not (I think).

If I try and mount this (as root, obv):

mount.cifs //192.168.0.5/Data /homerobertw/Data/ -o username=robertw

I get an error(115)

I can happily connect to the Pi using the same command when on the LAN.

You talking about web servers made me think of trying something which does work though! I can connect to the router’s web page from the laptop while the ppp0 connection is up, which proves that the basic connection is up. Also, if I type my Mageia desktop’s IP address into the browser on the laptop it comes up with a web page that says “It works”. Same thing happens if I do that on a different computer on the LAN. (I have no recollection whatsoever of setting up a web server on my desktop, so I assume this is a default Mageia thing). So, all this points to the VPN basically working I suppose.

I wondered about Firewall, but I can happily connect to the Pi’s samba shares from computers on the LAN.

I do realise pptp is much less secure than openvpn, but I’m trying to take baby steps!

Many thanks.

I’m at the limits of my knowledge with this. I work with Mikrotik routers a lot and we use EoIP tunnels typically. I think the configuration of your router is key here. The following guide is for Mikrotik-centric PPTP connectivity, but may serve to give you a graphical idea about what is required to get a working PPTP tunnel.

http://www.mikrotik.com/testdocs/ros/2.9/interface/pptp.php#5.29.6

In particular, read the ‘Connecting a Remote Client via PPTP Tunnel’ section in the applications examples given. Maybe that will help with determining some missing or incorrect step.

Many thanks for all suggestions. I have it working now, I can even connect to the Pi using the router simply as a gateway. I can connect to my samba shares too, using the mobile phone as the modem on the laptop and can access the data. Once I installed Apache on the Pi, that just sprang to life while using the router as pptp access point.

There were a few salient points for getting it working with the Pi and not simply using the router:

  1. In NetworkManager, where you set up the VPN connection, in IP4 tab, Method needed to be Automatic (VPN) addresses only and DNS server needed to be set to my router’s address.
  2. In advanced settings on the main page of NetworkManager ensure Use MPPE Encryption is clicked and 128 bit selected.
  3. This blog had a couple of important set-ups on the Pi which other guides didn’t seem to have.

Unvexed: Stuff that Works: How to set up a real, encrypted VPN through your Raspberry Pi

I will have a go with openvpn next, now this is going.

The router set-up was incredibly easy actually, if they had openvpn on that, I suspect it would be the best way to go.

Glad you got it working. Most of what is required in configuring the VPN client depends on how the VPN server is set up, so the MPPE Encryption will be specific to your Raspberry Pi set up. The ‘Automatic VPN’ method just means that DHCP is working on your server, so no need to specify addresses, subnet mask and gateway explicitly. Anyway, it looks like you’ve learned a lot during this exercise. Well done.