Thursday, 11 December 2008

UBC VPN


I need to document this.  Why do most help manuals and HOWTOs read like the author assumes the reader is an expert, and knows what he or she is doing?  I had a professor like that once in undergrad; he taught his course as though we all had already mastered the content.  We learned nothing.

I couldn't help thinking of him while trying to set up VPN access to UBC.  "It's easy, even in Linux" the HOWTO claims, but it is scarcely more than: 1. Set up VPN.  2. Add routes.  3. Done.  Steps 1 and 2 could use a few sub-points.

So here's what I did.  First, I enabled ppp_synctty, ppp_mppe, and ppp_generic in my kernel.  That's in "Device Drivers" -> "Network Device Support", and then:

  • PPP (point-to-point protocol) support

    • PPP support for sync tty ports

    • PPP MPPE compression (encryption) (EXPERIMENTAL)

The docs don't tell you, but sync tty is important.  PPTP fails badly without it.  Next is to actually install PPTP:
# emerge pptpclient

Then run the pptp command line config thingy.  All the docs recommend using networkmanager, which is fine if you're in gnome (or knetworkmanager in kde).  But if you, like me, choose to use something else, networkmanager fails.  So, the command line it is.
# pptp-command
1.) start
2.) stop
3.) setup
4.) quit
What task would you like to do?: 3

Choose 3 to set up, then 4 to add a new PPTP tunnel, then 1 to create an "other" tunnel (no idea what that means), and then it should look something like this:
1.) Other
Which configuration would you like to use?: 1
Tunnel Name: ubc
Server IP: vpn.ubc.ca
What route(s) would you like to add when the tunnel comes up?
This is usually a route to your internal network behind the PPTP server.
You can use TUNNEL_DEV and DEF_GW as in /etc/pptp.d/ config file
TUNNEL_DEV is replaced by the device of the tunnel interface.
DEF_GW is replaced by the existing default gateway.
The syntax to use is the same as the route(8) command.
Enter a blank line to stop.
route: add -net 142.103.0.0 netmask 255.255.0.0 dev TUNNEL_DEV
route: add -net 137.82.0.0  netmask 255.255.0.0 dev TUNNEL_DEV
route: add -net 128.189.0.0  netmask 255.255.0.0 dev TUNNEL_DEV
route: <press enter>
Local Name and Remote Name should match a configured CHAP or PAP secret.
Local Name is probably your NT domain\username.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name: YOUR CWL ID
Remote Name [PPTP]: ubc
Adding ubc - vpn.ubc.ca - YOUR CWL ID - ubc
Added tunnel ubc

Ok, so what did all that do?  Well, it created a file called 'ubc' in /etc/ppp/peers with all the above settings in it.  The tunnel name is used to identify the tunnel; it serves no other purpose.  The server IP is what we are connecting to.  The routes are blocks of IP addresses to forward through the tunnel.  In this case, for UBC, those are the class B IP ranges for the UBC campus.  Later, I added more to do things like forward connections to IEEE Xplore through the campus so I can access journal articles.  The Local Name has two purposes: it helps identify which CHAP secret will be used for authentication, and it is also the username that is forwarded to the server, so this must be the UBC CWL ID.  The remote name can be anything.

Next step, edit /etc/ppp/chap-secrets, and add the following line:
YOUR CWL ID <space> ubc <space> YOUR CWL PASSWORD

You can use the pptp-command menus to do this too.  This tells the local pppd that when you're using local name 'YOUR CWL ID' and remote name ubc, it should use this password.

Are we there yet?  No, not quite.  Creating the tunnel also added a /etc/ppp/options.pptp file.  We now must edit this file.  Anywhere in the file, add the line:
nopcomp

And at the bottom, uncomment this line:
mppe required,stateless

Without doing that, the ppp connection spews errors about unknown packet types; it took a little while digging through Google to figure that one out.

Now pptp-command can be invoked again to start the 'ubc' tunnel, and it should all work; at least it does for me.
# pptp-command start

And to bring it down again:
# pptp-command stop
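Since the chap-secrets and options.pptp edits above are easy to get subtly wrong (a typo in "mppe required,stateless" gives you the same unknown-packet-type errors), here's a small shell script that does them and then checks the result.  This is an added example, not part of the original post or of the pptpclient package.  It assumes the usual /etc/ppp layout; PPP_ROOT defaults to /etc/ppp but can be pointed at a scratch directory to rehearse the changes, and the 'apply' subcommand, CWL ID and password arguments are my own invention.  It also locks chap-secrets down to root only, because the CWL password sits in that file in clear text.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the chap-secrets and
# options.pptp edits for the 'ubc' tunnel and checks them afterwards.
# PPP_ROOT defaults to /etc/ppp; set it to a scratch directory to dry-run.
PPP_ROOT="${PPP_ROOT:-/etc/ppp}"

# add_chap_secret LOCALNAME REMOTENAME PASSWORD
# Appends a "client server secret" line to chap-secrets unless that exact
# line is already present, so running it twice does not duplicate the entry.
# The password is stored in clear text, so the file is made root-only.
add_chap_secret() {
    f="$PPP_ROOT/chap-secrets"
    # password is double-quoted so a secret with spaces still parses as one word
    line=$(printf '%s\t%s\t"%s"' "$1" "$2" "$3")
    [ -f "$f" ] || : > "$f"
    chmod 600 "$f"
    if ! grep -qxF -- "$line" "$f"; then
        printf '%s\n' "$line" >> "$f"
    fi
}

# configure_pptp_options
# Adds "nopcomp" if it is missing and activates the commented-out
# "#mppe required,stateless" line (appending it if the file has none).
# The sed result goes through a temp file so the edit is all-or-nothing
# and does not depend on a particular sed's -i flag.
configure_pptp_options() {
    f="$PPP_ROOT/options.pptp"
    [ -f "$f" ] || : > "$f"
    grep -qx 'nopcomp' "$f" || printf 'nopcomp\n' >> "$f"
    tmp="$f.tmp.$$"
    sed 's/^#[[:space:]]*mppe required,stateless[[:space:]]*$/mppe required,stateless/' \
        "$f" > "$tmp" && mv "$tmp" "$f"
    grep -qx 'mppe required,stateless' "$f" || printf 'mppe required,stateless\n' >> "$f"
}

# check_pptp_config
# Verifies the end state the post describes; reports each problem and
# returns non-zero if anything is off, so it can gate 'pptp-command start'.
check_pptp_config() {
    rc=0
    s="$PPP_ROOT/chap-secrets"
    o="$PPP_ROOT/options.pptp"
    [ "$(ls -l "$s" | cut -c1-10)" = "-rw-------" ] || { echo "chap-secrets is not mode 0600"; rc=1; }
    grep -qx 'nopcomp' "$o" || { echo "nopcomp missing from options.pptp"; rc=1; }
    grep -qx 'mppe required,stateless' "$o" || { echo "mppe required,stateless is not active"; rc=1; }
    return $rc
}

# Usage (hypothetical argument names): sh pptp-setup.sh apply YOUR_CWL_ID 'YOUR_CWL_PASSWORD'
if [ "${1:-}" = "apply" ]; then
    add_chap_secret "$2" ubc "$3"
    configure_pptp_options
    check_pptp_config
fi
```

Run it once with PPP_ROOT set to an empty directory first; if check_pptp_config is happy there, run it as root against the real /etc/ppp and then start the tunnel as above.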
