Configuring VPN client

In this post you can read how to configure a VPN client in Fedora Core 10. I tried to configure VPN client in NetworkManager, but there was no success. I turned off NetworkManager with chkconfig and uncheck Controlled by NetworkManager in system-config-network. In my case, VPN server is on Microsoft platform, so my domain must precede the user name.

Contents
  1. Install pptp RPM package
  2. Create script /etc/ppp/peers/my_vpn
  3. Add line to the /etc/ppp/chap-secrets
  4. Start VPN connection
  5. Add route to the ppp0 device
  6. Conclusion

1. Install pptp RPM package
pptp establishes the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). This is a small package – about 70KB.

yum install pptp

2. Create script /etc/ppp/peers/my_vpn
For a detailed explanation of the settings, please read “man pppd”.

# set the name of the local system for authentication purposes
name <domain>\\<username>
# set the assumed name of the remote system for authentication purposes
remotename <server_name>
# specifies that the command script is to be used to communicate
pty "pptp <x1.y1.w1.z1> --nolaunchpppd"
# require the use of MPPE, with 128-bit encryption
require-mppe-128
# ask the peer for up to 2 DNS server addresses
usepeerdns
# options used by PPP when a connection is made by a PPTP client (provided by pptp package)
file /etc/ppp/options.pptp

3. Add line to the /etc/ppp/chap-secrets
Replace all fields in < > with your settings. Client_name, server_name and IP address should be the same as name, remotename and pty IP address in my_vpn file.

# client_name         server_name   secret     IP addresse
<domain>\\<username> <server_name> <password> <x1.y1.w1.z1>

# example
DOM\\dbunic ms_vpn potato 123.123.123.123

4. Start VPN connection
In my case pon script did not have permission to execute, so I had to run chmod 755 before starting VPN connection. Pon script is provided by pptp RPM package.

# start VPN connection
cd /etc/ppp/peers
/usr/share/doc/ppp-2.4.4/scripts/pon my_vpn

# stop VPN connection
/usr/share/doc/ppp-2.4.4/scripts/poff

5. Add route to the ppp0 device
Now you should have eth0, lo and ppp0 devices listed with ifconfig and you are ready for routing traffic to the ppp0 device.

route add -net x2.y2.w2.0 netmask 255.255.255.0 dev ppp0

6. Conclusion
As you can see, it is not difficult to establish a VPN connection in Fedora Core 10. If something goes wrong, first look in the /var/log/messages. To disconnect from the VPN server, start poff script. poff script must have execute permission as well as pon script.

If you want to have only one script to start a VPN connection, please read Fedora VPN client and routing post. There you will find a few PHP lines and configuration of ip-up.local file.

2 thoughts on “Configuring VPN client

  1. Hi. Thank you for instructions. Can you help me? How can I make NAT (or MASQUERADE) other VPN. I have local net and only one IP address?

  2. Konstantin,
    I’m not a network expert, but I have experience with Linux Wireless Gateway on my local network. This is somehow similar to your environment and I will try to give you some hints. Lets assume that you have fixed public IP address and you want to set one Linux box as gateway. Gateways usually have more than one network devices. In my case, I had wireless and network card, and in your case you will have at least two network cards. First network (eth0) device should be configured for your local network (for example set IP 10.0.0.1 and define range 10.0.0.0/24), while second network device (eth1) should have public IP – something like 1.2.3.4

    OK, now it’s time to enable IP forwarding on the gateway box. To do this, add the following line to the file /etc/sysctl.conf:
    net.ipv4.ip_forward = 1

    You will have to reboot Linux because this ensures IP forwarding starts every time you reboot the machine. To start it without rebooting, type the following command:
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Next, enable Source Network Address Translation (SNAT) so that your local network can use the Internet transparently.
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT –to 1.2.3.4

    Now your clients will have an open road to the Internet ;) just set their default gateway to the 10.0.0.1

    I will strongly advice you to set a firewall on gateway to protect a your local network. Please see how I described firewall for the Web server LAMP setup: Beginning | Firewall … You can delete lines with ports 80 and 22 and below line:
    -A INPUT -i lo -j ACCEPT
    add a line to accept all traffic from the local network:
    -A INPUT -i eth0 -j ACCEPT

    Hope this comment will give useful informations …

Leave a Comment