Page 1 of 3
Help setting up VPN client
Posted: Wed Mar 14, 2012 8:10 am
by doritos
Hi Folks,
I'm trying to setup a VPN connection, but I don't want all my traffic being redirected to the VPN iface, I only need traffic for a specific subnet to go thuru this VPN
What I did so far
Code: Select all
root@Gargoyle:~# cat /etc/config/network
...
config 'interface' 'vpn'
option 'ifname' 'pptp-vpn'
option 'proto' 'pptp'
option 'username' '<LOGIN>'
option 'password' '<PASSWORD>'
option 'server' '<HOST>'
option 'buffering' '1'
option 'defaultroute' '0'
note that I set defaultroute to '0', otherwise it would replace the default route every time the VPN connects. It's ok so far.
I've tried to add vpn to the 'wan' firewall zone, hopping that this would allow all traffic between lan and vpn
Code: Select all
root@Gargoyle:~# cat /etc/config/firewall
...
config 'zone'
option 'name' 'wan'
option 'network' 'wan vpn'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
But here comes the problem. The VPN connection is stabilished, but I can't ping the remote end point
Code: Select all
root@Gargoyle:~# ifconfig pptp-vpn
pptp-vpn Link encap:Point-to-Point Protocol
inet addr:192.168.10.4 P-t-P:192.168.10.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2626 (2.5 KiB) TX bytes:542 (542.0 B)
Code: Select all
root@Gargoyle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
189.125.x.x 10.0.0.1 255.255.255.255 UGH 0 0 0 eth0.2
192.168.10.2 * 255.255.255.255 UH 0 0 0 pptp-vpn
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0.2
What am I missing?
Re: Help setting up VPN client
Posted: Wed Mar 14, 2012 11:50 am
by Eric
The problem is likely that you installed OpenVpn, and -- more importantly -- the tun kernel module using opkg. For userspace stuff it doesn't matter, but for kernel modules, you need to have a version built for the EXACT same kernel version... and you're not going to have that if you're installing via opkg. If you run top, I bet you're seeing OpenVpn sucking up 100% of cpu, right? That's another symptom of the same problem.
The solution is to build a version of Gargoyle/OpenWrt from source with kmod-tun package (and while you're at it OpenVpn) enabled.
Re: Help setting up VPN client
Posted: Thu Mar 15, 2012 6:10 pm
by doritos
I didn't use OpenVpn, should I?
I only intalled pptp, kmod-gre and kmod-mppe via opkg.
Re: Help setting up VPN client
Posted: Fri Mar 16, 2012 2:40 am
by Eric
Ah sorry... I really read your post too quickly. I just know that the issue mentioned above can occur when using OpenVpn and installing via opkg.
I'm not certain what's wrong in your case but I suspect that the problem mentioned above -- kernel version mismatch with installed kernel modules -- is also the problem here. kmod-gre and kmod-mppe are kernel modules. I would suggest rebuilding from source with those kernel modules enabled.
Re: Help setting up VPN client
Posted: Fri Mar 16, 2012 8:11 am
by doritos
Sorry, I didn't make it clear I was using PPTP.
The point is: everything is working, apart the routing/firewall issue. I can connect, get a remote IP, the connection is stable, I simple cannot ping the remote point
The mods and kernel versions match (I know they are not built at the same time, but.. )
root@Gargoyle:~# opkg info kernel
Package: kernel
Version: 2.6.32.27-1
root@Gargoyle:~# opkg info kmod-mppe
Package: kmod-mppe
Version: 2.6.32.27-1
Depends: kernel (= 2.6.32.27-1)
Re: Help setting up VPN client
Posted: Sat Mar 17, 2012 11:03 am
by ng3700v2
doritos:
You installed kmod-gre via opkg, and it probably "installed" fine. But have you ever been able to get the modules to LOAD correctly?
Have you tried loading them with: insmod kmod-gre or insmod ip_gre? or with a router reboot?
Issue a "dmesg" command before and after any of those insmod commands and see if you get an error message relating to missing symbols...
If you do an "lsmod" command, do you see anything related to gre? Probably not... If you don't see those kernel modules loaded, then you won't be able to handle the GRE protocol which is required for pptp to function. If you search this forum on my username, you will see that I have been battling this problem for over a year now...
Re: Help setting up VPN client
Posted: Sat Mar 17, 2012 5:37 pm
by doritos
ng3700v2 wrote:
Have you tried loading them with: insmod kmod-gre or insmod ip_gre? or with a router reboot?
Yes, you're right, It give me some simbol errors and doesn't load.
I'm compiling last version from source to see what happens if using the same opkg, next try would be building the kmod and pptp as a built in module.. hope to not need, because every build takes hours on my VM
Re: Help setting up VPN client
Posted: Sun Mar 18, 2012 6:46 pm
by doritos
Successfully loaded GRE and MPPE, but still no luck
Code: Select all
root@Gargoyle:~# lsmod | grep -E 'gre|ppp|mppe'
ppp_mppe 4864 2
ip_gre 11376 0
ppp_async 6400 1
pppoe 8304 2
crc_ccitt 976 1 ppp_async
pppox 1216 1 pppoe
ppp_generic 18848 12 ppp_mppe,ppp_async,pppoe,pppox
slhc 4160 1 ppp_generic
Re: Help setting up VPN client
Posted: Sun Mar 18, 2012 7:06 pm
by ng3700v2
Doritos, I think you have made some good progress!
Was your success just from compiling from source and including all of the correct packages/modules?
I think there are a few more modules that you need for it all to work correctly. Here is a list of ALL of the packages you may need to include when you build your image from scratch:
kmod-gre
kmod-ipt-conntrack
kmod-ipt-conntrack-extra
kmod-ipt-nat
kmod-ipt-nat-extra
kmod-ipt-nathelper
kmod-ipt-nathelper-extra
From one of my earlier posts, I mention a list of kernel modules from the Tomato-USB firmware running on my WRT54-GL that has GRE/PPTP support built-in. That list contains the following:
The "lsmod" output from my WRT54GL running tomato has these extra kernel modules loaded:
nf_nat_pptp
nf_conntrack_pptp
nf_nat_proto_gre
nf_conntrack_proto_gre
Also, if you look at the original black manticore article:
http://www.blackmanticore.com/51f359dfe ... 633e2e7c2b
You me need to add some statements to your firewall to actually forward the GRE protocol after all of the necessary kernel modules are loaded...
I'm pretty sure I understand the theory of what needs to happen, I just haven't been able to solve the technical side (packages, kernel modules loaded, firewall rules). Hopefully we can get this working together! I have tried many different things with no avail!
Re: Help setting up VPN client
Posted: Sun Mar 18, 2012 11:05 pm
by doritos
ng3700v2 wrote:Doritos, I think you have made some good progress!
Was your success just from compiling from source and including all of the correct packages/modules?
Yes, you need to compile those modules built in. Even if you generate separated IPKs, you'll receive a segfault when you try to insmod, you must choose 'Y' at menuconfig for these modules.
I'm done for today, maybe this week I'll try more, but for me is even more complicated because I dont know all the openwrt/gargoyle firewall rules, maybe I should flush all rules and start from scratch, there are too many possibilities for a dummie
