Documentation/VPN
From openSUSE
This page describes how to make a VPN Connection to a VPN server. We all know how easy it was in Windows, so hopefully this page will make it as easy in Linux too.
First step is to get your connection info from your administrator:
Usually something like:
Interface name connection_name
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway ip_address
IPSec ID password
IPSec secret secret_key
Italic items should be filled in. Password is not your own password!
Now pick your preferred connection:
Connect to PPTP VPN
Use this if you used to connect with the nice dialer from Windows XP.
Easiest way is probably vpnc:
First go to your update manager and install everything with vpnc in its name.
Open terminal window and type
su -
(enter your password)
kwrite /etc/vpnc.conf
Now copy paste the lines from above (Interface ... secret_key) and fill in with the data from your admin.
Now save and close, and back in the terminal type
vpnc
vpnc launches and asks for your username and password; fill them in, hit return and you have a connection. If, as in my case, you get a port error, type the following instead of vpnc:
vpnc --local-port 0
This will make vpnc use a random port instead of the standard (possibly occupied) port 500.
A discussion of KVpnc, a graphical front end for vpnc, will follow.
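Because /etc/vpnc.conf holds the IPSec secret in plain text, it is worth checking the file before running vpnc. The following is an added example, not part of the original page or of vpnc; the function name check_vpnc_conf is hypothetical and it assumes GNU stat.

```shell
# Added example: audit a vpnc configuration file before use.
# Usage (as root): check_vpnc_conf /etc/vpnc.conf
# Prints one line per finding; returns 0 if the file is clean, 1 otherwise.
check_vpnc_conf() {
    conf=$1
    rc=0
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi
    # The file holds the IPSec secret, so only its owner may read or write it.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open; run: chmod 600 $conf"; rc=1 ;;
    esac
    # Settings from the template on this page that must carry a value.
    for key in 'IPSec gateway' 'IPSec ID' 'IPSec secret'; do
        if ! grep -q "^$key [^ ]" "$conf"; then
            echo "missing or empty setting: $key"
            rc=1
        fi
    done
    # Template placeholders must have been replaced with the admin's data.
    if grep -Eq '(connection_name|ip_address|secret_key)$' "$conf"; then
        echo "template placeholder left in file"
        rc=1
    fi
    return $rc
}
```
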
PPTP for OpenSUSE 10.2
The easiest GUI VPN client to install and use for 10.2 is kvpnc. Download and install the kvpnc rpm for OpenSUSE 10.2 from here.
Launch Kvpnc from KMenu->System->Network.
Create a new profile for PPTP by selecting Profile->New Profile (wizard)
Choose Microsoft PPTP as your VPN Type
In the PPTP Settings Check Require MPPE, Refuse EAP and Get DNS from peer. Leave the authorization method as chap.
Fill in your VPN username and password in the next screen. Go with the default choices for the Network Settings and Network route screens. Uncheck everything in the Connection status check screen. In the General Settings screen fill in a Profile Name (WITHOUT SPACES), Description and the VPN Gateway.
After Saving the profile edit it from the toolbar option. In Profile->General click on advanced and check "Enable advanced Settings", click on OK and then Apply in the Main screen. In Network->General uncheck user defined MTU. Click on Apply and OK.
Now configure the firewall as outlined in Step 6 of the pptpclient docs for SUSE.
You are now ready to try out the connection. For troubleshooting, check the /var/log/messages file as root for clues to problems not listed here:
cd /var/log
tailf messages
Now try to connect to vpn using Kvpnc. If the connection fails open the connection profile in Kvpnc and try with different PPTP options. If it succeeds try to ping an IP address behind VPN. If it hangs then as root type the command (It will be slow):
route
In the routes listed, try to ping the Gateway IP for the Iface ppp0 or ppp1. If that also fails, check your firewall setup or restart Linux. If pinging the Gateway succeeds, then run the command:
route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0
as mentioned in the Troubleshooting section of this document.
Now try to ping an IP behind VPN and it should work. The route command should also list the newly added route.
Instead of the route command above you can add the route to the VPN Profile. Go to the Network->Routes section and check "Use additional network routes". Click on Add.. Use Remote Network as 10.0.0.0/8. Check Use Interface and select ppp0 and save the changes. In your next login session the VPN connection should work without any additional commands. Verify the new route using the route command.
(Note: Sometimes when reconnecting the route does not work because ppp1 is used instead of ppp0. In that case disconnect, quit kvpnc and bring down the ppp Ifaces using the commands "ifconfig ppp0 down" and "ifconfig ppp1 down", or you can try using the route add -net command given earlier for the Iface used.)
If your connection hangs after some accesses behind your firewall and the error in /var/log/messages looks like:
mppe_decompress[1]: osize too small! (have: 1004 need: 1005)
Then you have hit a kernel ppp bug which will be fixed in Kernel version 2.6.23. To keep the current kernel you can fix the bug in the Kernel source file ppp_generic.c and recompile a new kernel with a little effort. Following are the instructions.
Launch YAST, open Software management and search for kernel and install the kernel sources. Make the below two edits to /usr/src/linux/drivers/net/ppp_generic.c after saving the existing file:
1. Around line 1714 in the function ppp_decompress_frame after the statement if (proto == PPP_COMP) change the line:
ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
to the lines:
int obuff_size;
/* MPPE needs one more byte of output buffer than the other decompressors */
switch(ppp->rcomp->compress_proto) {
case CI_MPPE:
        obuff_size = ppp->mru + PPP_HDRLEN + 1;
        break;
default:
        obuff_size = ppp->mru + PPP_HDRLEN;
        break;
}
ns = dev_alloc_skb(obuff_size);
2. Six lines below the previous edit at around line 1720 in original file change the lines:
len = ppp->rcomp->decompress(ppp->rc_state, skb->data - 2, skb->len + 2, ns->data, ppp->mru + PPP_HDRLEN);
to:
len = ppp->rcomp->decompress(ppp->rc_state, skb->data - 2, skb->len + 2, ns->data, obuff_size);
You can check the new and original files on my system for reference at:
http://jdatestamp.sourceforge.net/ppp_generic.c and http://jdatestamp.sourceforge.net/ppp_generic.c.org
Before you recompile the kernel, get your X server to its initial install state by uninstalling any additional X drivers installed as modules (nvidia for external VGA, for example). This avoids X startup problems after the recompile, which you would have to fix in console mode (you can still use YaST). Restart the machine to make sure your display is OK.
Now recompile the kernel to get a custom kernel. There are excellent step-by-step instructions for openSUSE at:
http://www.howtoforge.com/kernel_compilation_suse
The fixes to ksyms files mentioned in the above document are not required for 10.2. Give the kernel a custom name such as custppp instead of default so you can easily identify it.
Your pptp connection should work with the new kernel.
For driver modules such as ndiswrapper to work, uninstall and reinstall them for the new kernel.
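To decide whether a machine needs the ppp_generic.c fix, and to confirm afterwards that the error has stopped, the log message and kernel version described above can be checked with a short script. This is an added example, not part of the original page; the function names and the sample log lines are constructed for illustration.

```shell
# Constructed sample lines (not from a real host) for trying the functions offline.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 host pppd[4121]: MPPE 128-bit stateless compression enabled
Mar  3 10:17:44 host kernel: mppe_decompress[1]: osize too small! (have: 1004 need: 1005)
Mar  3 10:17:45 host kernel: mppe_decompress[1]: osize too small! (have: 1004 need: 1005)
EOF
}

# mppe_osize_report LOGFILE: prints "hits=N max_shortfall=BYTES".
mppe_osize_report() {
    awk '
        /mppe_decompress\[[0-9]+\]: osize too small!/ {
            have = need = 0
            for (i = 1; i < NF; i++) {
                if ($i == "(have:") have = $(i + 1) + 0
                if ($i == "need:")  need = $(i + 1) + 0   # "1005)" converts to 1005
            }
            hits++
            if (need - have > max) max = need - have
        }
        END { printf "hits=%d max_shortfall=%d\n", hits, max }
    ' "$1"
}

# kernel_predates_fix VERSION: true if VERSION is older than 2.6.23,
# the release this page names as carrying the fix.
kernel_predates_fix() {
    ver=${1%%-*}                       # drop a suffix such as "-default"
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -lt 23 ]
}

# needs_ppp_fix LOGFILE VERSION: true when the error is logged and the kernel is old.
needs_ppp_fix() {
    case $(mppe_osize_report "$1") in
        hits=0\ *) return 1 ;;
    esac
    kernel_predates_fix "$2"
}
```

On a live system, call it as root with the real log and running kernel: needs_ppp_fix /var/log/messages "$(uname -r)".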
Connect to other
empty

