Thursday, June 22, 2017

Ubuntu - Connecting to a PPTP VPN server using the terminal

Situation:

I was away from Islamabad and needed to download some scientific papers. This required me to connect to my University's VPN which was of the PPTP variety. I tried using the Network Manager applet in Ubuntu 14.04 which would successfully connect but the moment I would open a page on Chrome the VPN connection would fail.


Solution:

Connect to the VPN from the terminal using instructions that were written for Ubuntu 7.04 (https://wiki.ubuntu.com/VPN) and were supposed to have become outdated 7 years ago. But what is in the command line can never die.

Based on help from https://superuser.com/a/459906/306711 and http://www.wikihow.com/Add-or-Change-the-Default-Gateway-in-Linux with a little tweaking I was able to successfully connect to the VPN in a stable fashion.


Details:
  1. Install pptp package: sudo apt-get install pptp-linux

  2. Create a peers file. I named mine 'comsats' so I created: /etc/ppp/peers/comsats with the following content
        pty "pptp <vpn server ip address> --nolaunchpppd"
        debug
        nodetach
        logfd 2
        noproxyarp
        ipparam comsats
        remotename comsats
        name <vpn username>
        require-mppe-128
        nobsdcomp
        nodeflate
        lock
        noauth
        refuse-eap
        refuse-chap
    
    This file needs to be executable (sudo chmod +x /etc/ppp/peers/comsats). Note the 'remotename' and the 'ipparam' which are set to 'comsats'. These will be used to activate the connection and to run automated scripts when the connection is set up and torn down.

  3. Add your VPN credentials to /etc/ppp/chap-secrets in the following format (the fields are client, server, secret):
        <vpn username> * <vpn password>
    At this point you can check your VPN connection by executing:
        sudo pon comsats
    For debugging the connection look at /var/log/syslog. At this stage your internet traffic will NOT be forwarded over the VPN because the routes haven't been set up for it.

    To close the connection Ctrl+C is supposed to work but it didn't for me so I had to use ps -A | grep ppp to find the pid of the connection process and then sudo kill -KILL <pid> to kill it.

  4. To forward your internet packets over the VPN you must first find the IP addresses of the gateways for your internet interface (wlan0 in my case) and the VPN interface (ppp0). Simply use ifconfig. In my case my wifi gateway was 192.168.0.1 and the VPN gateway was 192.168.3.1. To take a look at the current routes, issue the route command; it will show you the current default gateway.
    The first step is to delete the current default gateway:
        sudo route delete default gw 192.168.0.1 wlan0
    Note the use of my wlan0 gateway IP address (192.168.0.1).
    Now switch to using the ppp0 gateway as the default so that all outgoing internet traffic is sent via the VPN:
        sudo route add default gw 192.168.3.1 ppp0
    You can confirm the switch to using the VPN by looking at your external IP address (I simply navigate to https://www.icanhazip.com and run a whois on the result to confirm).

  5. After closing the VPN connection you will have to revert the changes to the routes to get your normal internet access back (the Network Manager applet does all of this automatically, when it works) as follows:
        sudo route delete default gw 192.168.3.1 ppp0
        sudo route add default gw 192.168.0.1 wlan0

  6. To automate the route changes one can add files to the /etc/ppp/ip-up.d and /etc/ppp/ip-down.d folders that are automatically run when the connection is set up and torn down respectively.
    Create and populate /etc/ppp/ip-up.d/comsats:
        #!/bin/sh
    
        [ "$PPP_IPPARAM" = "comsats" ] || exit 0
        route delete default gw 192.168.0.1 wlan0
        route add default gw 192.168.3.1 ppp0
    
    Note how we use $PPP_IPPARAM to match against the same value we defined with 'ipparam' in /etc/ppp/peers/comsats, so that the code runs only when this connection is set up.
    Similarly create and populate /etc/ppp/ip-down.d/comsats:
        #!/bin/sh
    
        [ "$PPP_IPPARAM" = "comsats" ] || exit 0
        route delete default gw 192.168.3.1 ppp0
        route add default gw 192.168.0.1 wlan0
    
    Finally comment out nodetach in /etc/ppp/peers/comsats to run the connection as a daemon and use sudo poff comsats to close the connection when you need to. This connection is not as stable as I would like it (usable however) so I use tail -F /var/log/syslog | ccze -A to keep an eye on the connection while I am using it, restarting it as needed.
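
An added example, not part of the original post: a POSIX sh check that reads `route -n` output and reports whether every default route leaves through ppp0. It catches the case where the ip-up script did not run or a wlan0 default was left in place, so traffic bypasses the VPN. The sample routing tables are constructed from the addresses used in this post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Checks, from `route -n` output
# on stdin, that every default route leaves through the VPN interface.

# Constructed sample tables using the addresses from this post.
SAMPLE_VPN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0'

SAMPLE_LEAK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0'

# Print the interface (column 8) of every default route, i.e. every row
# whose Destination and Genmask are both 0.0.0.0. Header rows never match.
default_ifaces() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8 }'
}

# Usage: route -n | vpn_route_status ppp0
# Prints "ok", "no-default" or "leak:<iface>"; returns 0 only for "ok".
vpn_route_status() {
    want=$1
    ifaces=$(default_ifaces)
    # An empty table or a missing default means nothing is routed at all.
    [ -n "$ifaces" ] || { echo "no-default"; return 1; }
    for i in $ifaces; do
        # Any default route on another interface lets traffic skip the VPN.
        [ "$i" = "$want" ] || { echo "leak:$i"; return 1; }
    done
    echo "ok"
}

# Demonstration on the constructed tables (runs offline).
printf '%s\n' "$SAMPLE_VPN"  | vpn_route_status ppp0          # prints ok
printf '%s\n' "$SAMPLE_LEAK" | vpn_route_status ppp0 || true  # prints leak:wlan0
```

On a live system, pipe `route -n` into `vpn_route_status ppp0` after `pon comsats` and again after `poff comsats` to see both states.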
