Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

[SOLVED] Cannot get VPN server working....

Mon Apr 28, 2014 5:59 am

I am trying to set up my Pi as a PPTP VPN server for secure connection into my home network.
I have a DLINK DIR-655 router hooked to a fiber connection for 100/10 Mbit/s speed.
I have set up a port forward rule on the DLINK for TCP port 1723 to the Pi IP address 192.168.0.150.
And I have registered the router for the DLINK free DynDns service so I have a hostname pointing to my router.
I believe this is working OK, since I have other port forwards that actually work fine (like a Synology Diskstation NAS web interface).

In order to set up the VPN server I have used information from two tutorials I have found on the Internet:
1: RaspberryPiHelp
2: James Slootweg

Both of these are based on raspbian running on the Pi, but I have raspbmc (version 2013-12-23). Don't know if this is the cause of my problems.
Based on the tutorials I have done as outlined below.
I first went through tutorial #1 and then when it failed to deliver I modified the files according to #2.
I have marked the lines with 1, 2 or 1+2 depending on if they are used in the respective tutorial:

Code:

Procedure to set up PPTP on Pi (via SSH login using PuTTY):
-----------------------------------------------------------

1) sudo apt-get update

1) sudo modprobe ppp-compress-18

#if errors in modprobe then try this (was not needed for me):
1) sudo apt-get upgrade

1+2) sudo apt-get install pptpd

1+2) sudo nano /etc/pptpd.conf
at end of file enter:
localip 192.168.0.150  (IP of RPi)
remoteip 192.168.0.80-89  (Range of IP to feed to clients)

1+2) sudo nano /etc/ppp/pptpd-options
at end of file add:
1+2) ms-dns 192.168.0.129  (IP of router's DNS)
2) nobsdcomp
1+2) noipx
1+2) mtu 1490
1+2) mru 1490

1+2) sudo nano /etc/ppp/chap-secrets
add login users on the form:
<username><TAB>*<TAB><password><TAB>*
I added two logins

1) sudo service pptpd restart
Note: tutorial #2 ends in a complete Pi restart, hence did not have this

1) sudo nano /etc/sysctl.conf
uncomment or add the following line:
net.ipv4.ip_forward=1

1) sudo sysctl -p

1+2) sudo nano /etc/rc.local
add line(s) above the exit 0 line, where the IP addresses are the first handout IP and the Pi's own address:
1) sudo iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -o eth0 -j SNAT --to 192.168.0.150

2) sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Network router setup:
---------------------
Configure port forwarding so that TCP port 1723 is forwarded to 192.168.0.150 (IP of the RPi)

Starting up service:
--------------------
2) sudo shutdown -r now (to restart Pi)

When I try to connect with my Samsung Galaxy S4Mini phone via a new VPN connection it just hangs and never completes, finally showing "Disconnected".
When I try to connect from a Win7 laptop basically the same happens even though I get an error dialog showing the error:
[Image: VPN_on_Pi_Error.png, "Win7 VPN error"]
What can I do to continue?
Are there some log files on the Pi that I can inspect to tell me more about what happened?
Any other advice from someone?
Can the raspbmc distro not be used as a PPTP VPN server?

I have posted the same problem over at STMLabs and the XBMC Forum but so far no replies....
Last edited by Bosse_B on Wed Apr 30, 2014 11:25 am, edited 1 time in total.
Bo Berglund
Sweden

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get VPN server working....

Mon Apr 28, 2014 11:10 am

Just got a hunch that I could not use handout IP addresses in the same network as the one the Pi sits on.
So I changed the IP specifications as follows:

Code:

1+2) sudo nano /etc/pptpd.conf
at end of file enter:
localip 192.168.0.150  (IP of RPi)
remoteip 192.168.10.100-109  (Range of IP to feed to clients)

and also here:

Code:

1+2) sudo nano /etc/rc.local
add line(s) above the exit 0 line, where the IP addresses are the first handout IP and the Pi's own address:
1) sudo iptables -t nat -A POSTROUTING -s 192.168.10.100/24 -o eth0 -j SNAT --to 192.168.0.150

Then I restarted the pptpd service.
But unfortunately this did not work either.... :cry:

Is there someone who knows where the Pi keeps logfiles so that I can see if a connection attempt is actually reaching the Pi???

HELP!
After rebooting the Pi with the edits above it is no longer accessible on my LAN.
The XBMC interface is still there and I can navigate (with difficulty) using a mouse, but the XBMC remote Android/IOS apps cannot connect either. The IP 192.168.0.150 no longer responds.
How could this have happened???
Bo Berglund
Sweden

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get VPN server working....

Mon Apr 28, 2014 2:50 pm

I managed to resolve the Pi disappearing act...
It has used IP address 192.168.0.150 for "ages" and now it suddenly changed to 142...
Had to struggle with the Pi and my DLINK router until I had set up a reservation for the Pi at 150 that actually worked.
Many confirmation buttons to press until it really "took". But now the pi is back at 150 and the router port 1723 forwarding points at this address.

Still I am at the same place as before with the handout addresses changed to the 192.168.10.0 network, everything else the same according to tutorial #1 and I always get timeouts on my VPN connection tries from my phone.

What could I look at now?
Are there any logs on the Pi at all so I can see what activity (if any) is happening???
Bo Berglund
Sweden

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get VPN server working....

Wed Apr 30, 2014 11:24 am

Seems like no one is reading this thread....
Did I post in the wrong sub-forum?

Anyway, I have finally made it work and the solution was given by dandnsmith over at the STMLabs forum where I also have posted a thread on this topic.

The reason for my problems was that in recent builds of raspbmc the operating system switches on a firewall that blocks external accesses!!!
No one has mentioned this in any of the tutorials I have read!
Had to use the Pi setup add-on in XBMC to find a place to disable the firewall and then also restart the Pi for it to work.
But then the VPN server on Pi started working....
Thanks to all that contributed! (No-one on this forum though... :cry: )
Bo Berglund
Sweden

konradsa
Posts: 4
Joined: Tue Mar 10, 2015 11:20 am

Re: [SOLVED] Cannot get VPN server working....

Tue Mar 10, 2015 11:25 am

Hi Bo,

Sorry to revive the old thread, but I have the same problem you did. PPTP works fine inside my network, but I get the same problems you did when trying to connect from the outside. I looked at your other thread, but I don't understand what the actual solution is and how you solved it. Can you please elaborate how you disabled the firewall causing the issues? I am running the latest version of Raspbian. Thanks

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: [SOLVED] Cannot get VPN server working....

Tue Mar 10, 2015 3:26 pm

Well,
what I did in the end was that I got myself a new Pi B+ running RaspBian (do not use RaspBMC for this!), which is dedicated to be used as a server for various purposes:
- PPTP VPN Server
- OpenVPN server (better than PPTP because it connects virtually everywhere whereas PPTP has trouble in many WiFi hotspots).
- CUPS Printer server
- SAMBA disk server

For PPTP I can share my notes on how I did it (I used these notes when setting up a VPN server at my daughter's so we can connect to each other both ways). Notice that these notes use my network setup:
Router IP=192.168.0.129
DHCP address range: 130..199
This is not a really good choice (using 192.168.0.x as network); if possible you should choose a different base IP that is less likely to collide with the IP of a public WiFi hotspot.

Code:

Raspberry Pi as a PPTP VPN server
==============================================================
Source information:
1) http://raspberrypihelp.net/tutorials/21-pptp-vpn-server-raspberry-pi

2) http://jamesslootweg.com/view/Using_your_Raspberry_Pi_as_a_VPN_access_point

In the procedure below the source of actions are shown by the numbers above.


Procedure to set up PPTP on Pi (via SSH login using PuTTY):
-----------------------------------------------------------

1) sudo apt-get update
-----------------------------------------------------------
1) sudo modprobe ppp-compress-18

#if errors then try this (was not needed for me):
sudo apt-get upgrade

-----------------------------------------------------------
1+2) sudo apt-get install pptpd

-----------------------------------------------------------
1+2) sudo nano /etc/pptpd.conf
at end of file enter:
localip 192.168.0.150  (IP of RPi)
remoteip 192.168.0.80-89  (Range of IP to feed to clients)

-----------------------------------------------------------
1+2) sudo nano /etc/ppp/pptpd-options
at end of file add:
1+2) ms-dns 192.168.0.129  (IP of router DNS)
2) nobsdcomp
1+2) noipx
1+2) mtu 1490
1+2) mru 1490

-----------------------------------------------------------
1+2) sudo nano /etc/ppp/chap-secrets
add login users on the form:
<username><TAB>*<TAB><password><TAB>*
In my case:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1	*	passwd1	*
user2	*	passwd2	*
user3	*	passwd3	*

(Obviously here you will have to enter your own users/passwords)
-----------------------------------------------------------
1) sudo service pptpd restart

-----------------------------------------------------------
1) sudo nano /etc/sysctl.conf
uncomment or add the following line:
net.ipv4.ip_forward=1

1) sudo sysctl -p

-----------------------------------------------------------
1+2) sudo nano /etc/rc.local
add this line above the exit 0 line, where the to IP address is that of Pi:
1) sudo iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -o eth0 -j SNAT --to 192.168.0.150
2) sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

In fact it seems like this is not needed at all!
-----------------------------------------------------------

Network router setup:
---------------------
Configure port forwarding so that TCP port 1723 is forwarded to 192.168.0.150 (IP of the RPi)

Dynamic DNS setup
---------------------
In order to make the VPN server accessible over the internet a hostname is needed.
An account at a dynamic dns service which allows for several non-expiring hostnames is what we need to acquire.
I started by using dnsdynamic.org, but soon after they stopped their non-expiring service so you need to find another provider.

Then on the Pi we also need an updater which runs at regular intervals to update the (changing) IP address
against the dns servers. There is such an updater available called ddclient:

sudo apt-get update
sudo apt-get install ddclient  (fill in the requested info)

Then check and modify the conf data, especially the use= directive..

sudo nano /etc/ddclient.conf

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

daemon=600
mail-failure=<your email address>
protocol=dyndns2
#use=if, if=eth0
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
server=<ip of selected dynamic dns provider>
login=<your login at the provider>
password='<your passwd>'
yourdomain.dnsprovider.com  (enter your dynamic domain name here)

Note that the web use is better than specifying an interface!
The daemon entry specifies how often an update will be made in seconds (here 10 minutes)


Starting up service:
--------------------
2) sudo shutdown -r now (to restart Pi)

NOTICE:
=======
On recent builds of raspbmc the operating system enables the firewall so that port 1723 is not allowed to connect.
So one has to disable this firewall, which can be most easily done using the XBMC Program add-on RASPBMC Settings.
Go to System Configuration/Disable Firewall (way at the bottom of the list) and activate the disable.

Or better yet: Use a separate Pi running RaspBian instead!
Bo Berglund
Sweden
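
Added example, not part of the original posts: a PPTP client needs two flows admitted by the Pi's own firewall, the control connection on TCP port 1723 and the tunnel data in GRE (IP protocol 47). The sketch below evaluates the INPUT chain from `iptables-save` output for both; the rule set, the source addresses and all function names are constructed for illustration and are not raspbmc's actual rules.

```python
import ipaddress
import shlex

# Constructed `iptables-save` excerpt (not raspbmc's real rule set):
# LAN sources are accepted, everything else arriving on eth0 is dropped.
SAMPLE = """\
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""
# Same rules with PPTP control (TCP 1723) and data (GRE) admitted before the DROP.
FIXED = SAMPLE.replace(
    "-A INPUT -i eth0 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT\n"
    "-A INPUT -p gre -j ACCEPT\n"
    "-A INPUT -i eth0 -j DROP")

PROTO_NUM = {"tcp": "6", "gre": "47"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def matches(rule, proto, src, dport, iface):
    """True if a NEW packet with these properties matches the parsed rule."""
    if "-i" in rule and rule["-i"] != iface:
        return False
    if "-p" in rule and rule["-p"] not in (proto, PROTO_NUM[proto]):
        return False
    if "-s" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "--dport" in rule:
        lo, _, hi = rule["--dport"].partition(":")
        if dport is None or not int(lo) <= dport <= int(hi or lo):
            return False
    state = rule.get("--state") or rule.get("--ctstate")
    return not state or "NEW" in state.split(",")

def verdict(rules, proto, src, dport=None, iface="eth0"):
    """First terminal INPUT rule that matches wins, otherwise the chain policy.
    Simplification: negated (!) rules and jumps to other chains are skipped."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        tok = shlex.split(line)
        if line.startswith(":INPUT "):
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"] and "!" not in tok:
            rule = dict(zip(tok[2::2], tok[3::2]))
            if rule.get("-j") in TERMINAL and matches(rule, proto, src, dport, iface):
                return rule["-j"]
    return policy

def pptp_check(rules, src):
    """Verdicts for the two flows a PPTP client needs from address src."""
    return {"tcp/1723": verdict(rules, "tcp", src, 1723), "gre": verdict(rules, "gre", src)}
```

On a real Pi the text passed as `rules` would be the output of `sudo iptables-save`, and `src` an address outside the LAN, since a router port forward leaves the client's public source address unchanged.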

konradsa
Posts: 4
Joined: Tue Mar 10, 2015 11:20 am

Re: [SOLVED] Cannot get VPN server working....

Tue Mar 10, 2015 3:34 pm

Thanks for the update Bo.

You were talking about a firewall explicitly that blocks connections from the outside, that seems to be my issue too. I can connect fine from inside my network, but from the outside it doesn't work, even though my router is configured correctly. So either my mobile network operator blocks PPTP, or something else is messed up in the firewall configuration. I am guessing the latter, since I see the requests in syslog, but with a bad GRE checksum error.

So I think I will give OpenVPN a try if I can't figure out how to make PPTP work.

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: [SOLVED] Cannot get VPN server working....

Tue Mar 10, 2015 7:21 pm

PPTP is also vulnerable to router brands, because some brands do not pass the GRE protocol properly.
I have experienced such problems as a router only accepting one single PPTP connection at a time too.
OpenVPN on the other hand uses UDP datagrams and in my experience is more reliable when it comes to connections.
I have yet to find a location where I could not connect OpenVPN, whereas I had several such problems while traveling in the Austrian Alps last spring.
It is a bit more involved to set up an OpenVPN server, which I found out on my RaspBMC Pi, but if you move to a RaspBian Pi instead before trying to install OpenVPN it will be much simpler.
Bo Berglund
Sweden

konradsa
Posts: 4
Joined: Tue Mar 10, 2015 11:20 am

Re: [SOLVED] Cannot get VPN server working....

Wed Mar 11, 2015 2:30 am

Thanks, switched to OpenVPN, and while setup is a little more involved, it seems to work much more reliably. Not really happy though with the performance I am getting on my iPhone 5 over LTE using the OpenVPN client... oh well, can't have it all I guess. :P

EDIT: Performance is much better now, slowness seems to have been caused by using ziproxy for HTTPS connections. Using it only for HTTP connections it's much better.
