Help setting up VPN client

Post by doritos »

Hi Folks,

I'm trying to set up a VPN connection, but I don't want all my traffic being redirected to the VPN iface; I only need traffic for a specific subnet to go through this VPN.

What I did so far:

Code:

root@Gargoyle:~# cat /etc/config/network
...
config 'interface' 'vpn'
        option 'ifname'       'pptp-vpn'
        option 'proto'        'pptp'
        option 'username'     '<LOGIN>'
        option 'password'     '<PASSWORD>'
        option 'server'       '<HOST>'
        option 'buffering'    '1'
        option 'defaultroute' '0'

Note that I set defaultroute to '0', otherwise it would replace the default route every time the VPN connects. It's OK so far.

I've tried to add vpn to the 'wan' firewall zone, hoping that this would allow all traffic between lan and vpn.

Code:

root@Gargoyle:~# cat /etc/config/firewall
...
config 'zone'
        option 'name' 'wan'
        option 'network' 'wan vpn'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

But here comes the problem. The VPN connection is established, but I can't ping the remote end point.

Code:

root@Gargoyle:~# ifconfig pptp-vpn
pptp-vpn  Link encap:Point-to-Point Protocol
          inet addr:192.168.10.4  P-t-P:192.168.10.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2626 (2.5 KiB)  TX bytes:542 (542.0 B)

Code:

root@Gargoyle:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
189.125.x.x     10.0.0.1        255.255.255.255 UGH   0      0        0 eth0.2
192.168.10.2    *               255.255.255.255 UH    0      0        0 pptp-vpn
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0.2

What am I missing?
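
Added example, not part of the original post: longest-prefix route selection over the table posted above, showing that only the peer 192.168.10.2 is sent to pptp-vpn while other destinations follow the default route on eth0.2. The 192.168.20.0/24 subnet and its route line are hypothetical, standing in for the "specific subnet" mentioned in the post.

```sh
#!/bin/sh
# Routing table exactly as posted above (body of the `route` output).
ROUTES='189.125.x.x     10.0.0.1        255.255.255.255 UGH   0      0        0 eth0.2
192.168.10.2    *               255.255.255.255 UH    0      0        0 pptp-vpn
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0.2'

# Hypothetical extra entry: a remote LAN 192.168.20.0/24 reached through the tunnel.
VPN_SUBNET_ROUTE='192.168.20.0    *               255.255.255.0   U     0      0        0 pptp-vpn'

# route_iface DEST [EXTRA_ROUTE]: print the interface chosen for DEST by
# longest-prefix match over ROUTES plus an optional extra route line.
route_iface() {
    printf '%s\n%s\n' "$ROUTES" "${2:-}" | awk -v dst="$1" '
        function ip2n(ip,   o) {            # dotted quad -> 32-bit number
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { best = -1; iface = "unreachable"; d = ip2n(dst) }
        NF == 8 {
            net = ($1 == "default") ? "0.0.0.0" : $1
            # Skip rows whose destination was masked by the poster (189.125.x.x).
            if (net !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            mask = ip2n($3)
            size = 4294967296 - mask        # number of addresses the route covers
            if (int(d / size) * size == ip2n(net) && mask > best) {
                best = mask; iface = $8
            }
        }
        END { print iface }'
}

route_iface 192.168.10.2                        # pptp-vpn
route_iface 192.168.20.5                        # eth0.2
route_iface 192.168.20.5 "$VPN_SUBNET_ROUTE"    # pptp-vpn
```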

Post by Eric »

The problem is likely that you installed OpenVPN, and -- more importantly -- the tun kernel module using opkg. For userspace stuff it doesn't matter, but for kernel modules, you need to have a version built for the EXACT same kernel version... and you're not going to have that if you're installing via opkg. If you run top, I bet you're seeing OpenVPN sucking up 100% of CPU, right? That's another symptom of the same problem.

The solution is to build a version of Gargoyle/OpenWrt from source with the kmod-tun package (and while you're at it, OpenVPN) enabled.

Post by doritos »

I didn't use OpenVPN, should I?

I only installed pptp, kmod-gre and kmod-mppe via opkg.

Post by Eric »

Ah sorry... I really read your post too quickly. I just know that the issue mentioned above can occur when using OpenVPN and installing via opkg.

I'm not certain what's wrong in your case but I suspect that the problem mentioned above -- kernel version mismatch with installed kernel modules -- is also the problem here. kmod-gre and kmod-mppe are kernel modules. I would suggest rebuilding from source with those kernel modules enabled.

Post by doritos »

Sorry, I didn't make it clear I was using PPTP.

The point is: everything is working, apart from the routing/firewall issue. I can connect, get a remote IP, the connection is stable, I simply cannot ping the remote point.

The mods and kernel versions match (I know they are not built at the same time, but...)

root@Gargoyle:~# opkg info kernel
Package: kernel
Version: 2.6.32.27-1

root@Gargoyle:~# opkg info kmod-mppe
Package: kmod-mppe
Version: 2.6.32.27-1
Depends: kernel (= 2.6.32.27-1)

Post by ng3700v2 »

doritos:
You installed kmod-gre via opkg, and it probably "installed" fine. But have you ever been able to get the modules to LOAD correctly?

Have you tried loading them with: insmod kmod-gre or insmod ip_gre? or with a router reboot?

Issue a "dmesg" command before and after any of those insmod commands and see if you get an error message relating to missing symbols...

If you do an "lsmod" command, do you see anything related to gre? Probably not... If you don't see those kernel modules loaded, then you won't be able to handle the GRE protocol which is required for pptp to function. If you search this forum on my username, you will see that I have been battling this problem for over a year now...
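
The load check described above (dmesg before and after insmod, then lsmod), as an added example that is not part of the original post. The dmesg and lsmod captures are constructed samples and the symbol name is a placeholder.

```sh
#!/bin/sh
# Constructed captures (not from the thread): dmesg before and after `insmod ip_gre`.
DMESG_BEFORE='PPP generic driver version 2.4.2
PPP MPPE Compression module registered'
DMESG_AFTER='PPP generic driver version 2.4.2
PPP MPPE Compression module registered
ip_gre: Unknown symbol placeholder_symbol'
# Constructed lsmod body: module name, size, use count, users.
LSMOD='ppp_mppe                4864  0
pppoe                   8304  2
ppp_generic            18848  4 ppp_mppe,pppoe'

# new_lines BEFORE AFTER: print lines of AFTER that were not already in BEFORE.
new_lines() {
    printf '%s\n' "$2" | BEFORE="$1" awk '
        BEGIN { n = split(ENVIRON["BEFORE"], b, "\n")
                for (i = 1; i <= n; i++) seen[b[i]]++ }
        { if (seen[$0] > 0) seen[$0]--; else print }'
}

# is_loaded NAME: exact match on the first lsmod column ("ppp" must not match "pppoe").
is_loaded() {
    printf '%s\n' "$LSMOD" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# diagnose NAME: loaded, unknown-symbol (load failed on unresolved symbols), or not-loaded.
diagnose() {
    if is_loaded "$1"; then
        echo loaded
    elif new_lines "$DMESG_BEFORE" "$DMESG_AFTER" | grep -q "$1: Unknown symbol"; then
        echo unknown-symbol
    else
        echo not-loaded
    fi
}

diagnose ip_gre      # unknown-symbol
diagnose ppp_mppe    # loaded
diagnose ppp         # not-loaded
```

On the router, the three variables would hold the real output of `dmesg` (taken before and after the insmod) and `lsmod`.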

Post by doritos »

ng3700v2 wrote: Have you tried loading them with: insmod kmod-gre or insmod ip_gre? or with a router reboot?

Yes, you're right, it gives me some symbol errors and doesn't load.

I'm compiling the latest version from source to see what happens when using the same opkg; the next try would be building the kmod and pptp as built-in modules... I hope not to need that, because every build takes hours on my VM :evil:

Post by doritos »

Successfully loaded GRE and MPPE, but still no luck

Code:

root@Gargoyle:~# lsmod | grep -E 'gre|ppp|mppe'
ppp_mppe                4864  2
ip_gre                 11376  0
ppp_async               6400  1
pppoe                   8304  2
crc_ccitt                976  1 ppp_async
pppox                   1216  1 pppoe
ppp_generic            18848 12 ppp_mppe,ppp_async,pppoe,pppox
slhc                    4160  1 ppp_generic

Post by ng3700v2 »

Doritos, I think you have made some good progress!

Was your success just from compiling from source and including all of the correct packages/modules?

I think there are a few more modules that you need for it all to work correctly. Here is a list of ALL of the packages you may need to include when you build your image from scratch:

kmod-gre
kmod-ipt-conntrack
kmod-ipt-conntrack-extra
kmod-ipt-nat
kmod-ipt-nat-extra
kmod-ipt-nathelper
kmod-ipt-nathelper-extra

From one of my earlier posts, I mention a list of kernel modules from the Tomato-USB firmware running on my WRT54-GL that has GRE/PPTP support built-in. That list contains the following:
The "lsmod" output from my WRT54GL running tomato has these extra kernel modules loaded:
nf_nat_pptp
nf_conntrack_pptp
nf_nat_proto_gre
nf_conntrack_proto_gre

Also, if you look at the original black manticore article: http://www.blackmanticore.com/51f359dfe ... 633e2e7c2b
You may need to add some statements to your firewall to actually forward the GRE protocol after all of the necessary kernel modules are loaded...

I'm pretty sure I understand the theory of what needs to happen, I just haven't been able to solve the technical side (packages, kernel modules loaded, firewall rules). Hopefully we can get this working together! I have tried many different things to no avail!

Post by doritos »

ng3700v2 wrote: Doritos, I think you have made some good progress!

Was your success just from compiling from source and including all of the correct packages/modules?

Yes, you need to compile those modules built in. Even if you generate separate IPKs, you'll receive a segfault when you try to insmod; you must choose 'Y' at menuconfig for these modules.

I'm done for today, maybe this week I'll try more, but for me it is even more complicated because I don't know all the OpenWrt/Gargoyle firewall rules; maybe I should flush all rules and start from scratch. There are too many possibilities for a dummy :)
