Debian Configuration :: Tunnel All Traffic Through PPTP VPN
Dec 12, 2010
I installed the PPTP Client [URL] and can successfully connect to my VPN (creates interface ppp0). The problem is, I'm trying to tunnel all of my traffic on my system through the connection. I've seen conflicting howtos and scripts including pptpclient's documentation (the ip-up and ip-down scripts don't work). How does one simply (even if I type it manually) tunnel the traffic?
System Info:
OS: Debian Squeeze, Kernel 2.6.32-5-686
GUI: Gnome (standard one from netisnt unstable install)
Main interface: eth1
PPTP interface: ppp0
I am in serious situation involving PPTP protocol VPN in Debian 8 Jessie stable. I recently became a paid VPN subscriber. Using PPTP; Is there a way to automatically route all traffic through ppp0? Im getting the vpn service killed (ip address goes back to normal unmasked state) whenever there is a power outage (modem reset) and there are alot of those where I live, Im going to get astabilizer and I need a software solution for the situation as well. Theres gotta be a way to route all traffic through the VPN route ppp0 . I tried adding persist and maxfail 0 to the pptp config file but it did not do what i wanted.
On a second note, its clear to add that I basically need a way to also auto load the line
pppd call blabla.net and route add default dev ppp0
On system startup by default so the computer does not use "Wired" connection ^at all^ when not through ppp0. Any other way of not losing VPN anonymity ever due to hardware malfunction.
Is there a way to do this? Ive looked on the net and everything seems like its either from the nineties or can fry my pc , Im no debian expert, less than a year at linux..
Need it to use wired only if ppp0 is being used so if its no vpn, no connection at all period,
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code: iptables -I INPUT -p gre -j ACCEPT iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT iptables -I FORWARD -d 172.16.10.101 -j ACCEPT The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
Unfortunately I have followed a misleading guide to set ssh and scp in order not to supply password everytime and...I messed up my ssh/scp settings as it does not work anymore.Well, in my attempt:
I moved to Code: Select allcd ~/.ssh then I created a rsa key Code: Select allssh-keygen -t rsa
Then I tried tunnelling and...it didn't work. So, ok, I tried to recover previous settings erasing all the items in the folder ~/ .ssh/. After I tried copying a file with the "usual" command that used to work before (i.e. scp file user-id@server) and...I've found out it does not work anymore!
I get this error message: ssh_exchange_identification: Connection closed by remote host
We have an Apache Subversion (http) server for hosting our codes, and, for the 3 next month, we are behind a DSL connection (max upload 100 kB/s).
When a remote co-worker try to download a new fresh copy of our projects on his computer directly over http, the transfer goes fine : with a bandwidth monitor (gnome-system-monitor or bwm-ng) we can see that the server is trying to send ~95kB/s and the connection remains usable for others task in parallel (just a bit slower, which is normal).
But : when the remote co-worker is connected through SSH to this server, and uses tunneling to communicate with Apache Subversion, the server is sending more than 200kB/s : the connection is not usable for other tasks during the transfer as with ~102kB/s actually transferred through the DSL Line, it's completely congested and more than fifty percents of the packets are lost.
I think that I understand why : TCP/IP auto-detects the max amount of successfully transmitted bytes per second, and try not send more than this maximum value.
When the Apache server is connected to the local instance of openssh-server through localhost, packets are transmitted successfully between them. Only after, openssh-server try to send it to the client (and should retry if it's not successfull) but during that time, Apache is already giving the next one... giving this saturation effect (Apache is not aware of the saturation, or at least, not enough)
My Debian server is used by people to set up ssh-tunnels for use as a local proxy ( on their remote machines).Since only the tunnel is setup, and no shell is used, I can't use "who" to see which users have an active ssh-tunnel on my server, but I would like to have an idea about who is active etc. I think I should be able to determine this from the auth.log file, but then I would have to use some script to determine what connection is still active. Is there an easy way to see what users have active ssh-tunnels on my Debian server at any given moment?
everything works fine, clients can connect to the vpn server with no problems and they can ping local machines! but no internet access through the vpn connection unless i uncheck the default gateway option on my client machine which is not what i want. I want my clients to get my server's ip address. my server is behind a router (router's ip : 192.168.0.1 | server's local ip: 192.168.0.100) so i used localip 192.168.0.100 & remoteip 192.168.0.234-238 in pptpd.conf. it think there is something wrong with routing or firewall rules, because it seems that the DNS resolution works .. when i try to browse a website my browser says "Waiting for xxxxx.com..." and it stays on that stage forever ! the funny part is that google.com works fine (don't know how).
p.s : * I have already opened the port in on my router. I even tried it locally to make sure that the router is not the problem here. * already added ms-dns 208.67.222.222 / ms-dns 208.67.220.220 to pptpd-options. (found another guide that suggested to do this, before adding these two lines even dns resolution was not working.)
I currently run openVPN on my Debian box that provides secure ipv4 routing from my laptop to my VPS in a different country (and from there the internet via this box). This works fine. However, id like to sort out ipv6 through this VPN as well as IPV4 and not overly sure how to do it. The remote server itself has native ipv6 configured on device eth0 and it works (ping6, traceroutes all fine,incoming to web servers etc) nicely on dual stack.
How would i go about modifying the config (both client and server if needed) to enable openVPN to act as a tunnel broker to enable the laptop to use the ipv6 through the server as well as the old v4? (the internet connection laptop end will not/does not have native ipv6 from the ISP. Currently im using he-net tunnel broker but id like to run myself through my existing openVPN). VPN config details: Its using UDP, port 1194, creates a TUN interface, redirect-gateway etc and the rest is normal config. Edit:- if it matters the clients are all running windows so i cant use sh scripts to set up stuff client end.
I know this has probably been solved multiple times, but I've searched the forum to no avail. I have a PPTP server setup properly with all ports forwarded correctly. A remote machine can connect and authenticate just fine. They get their IP assigned and everything.
The problem is that no traffic is being routed through the tunnel. Or, rather it is but the server doesn't seem to handle it. In a web browser I just get an error message. On a windows client I ran ipconfig and found a gateway address had not been assigned through the VPN tunnel. Could this be the problem? If so, how can I fix it?
I'm new to iptable configuration. I've set up a VPN using DD-WRT on my router and it works fine. However the VPN company does not allow port 25 traffic (in case of spammers) so now I can't get my emails sent out.
I'm guessing I can add some rules to my iptable so that all traffic except port 25 traffic can go out through the VPN tunnel. And hopefully, all port 25 traffic will go out through the normal Internet connection.code...
I'm currently tunnelling to my Ubuntu pc at home from my laptop in order to bypass my schools false-positive prone filter. Is there a way to record traffic that both comes to and is delivered by my pc?
I use a PPTP VPN for privacy and bittorrent. I have been over all very happy, only taking about a 1/4 hit to my over all network speed. However, I recently downgraded my VPN package, and the new sever I connect through is sometimes unstable with a high throughput. Because of this I am trying to find a way to block ALL (HTTP, bittorrent, email, etc) outgoing network traffic when the VPN fails, and then resume the traffic when the VPN reconnects. Essentially forcing all data through the VPN, and creating the illusion of simply having no network connection to the outside world at all when the VPN is offline/re-connecting. This is opposed to the current situation when the VPN will fail, all my traffic will switch to direct (visible) access through my ISP, and the VPN will re-establish sometime later (2-3mins, normally. Unless I manually restart it sooner).
I have tried Google, but have only been finding information on configuring local web access outside of the VPN for the sake of speed. Information of which I cannot seem to find a way to apply to this.
This is what is in my /etc/network/interfaces right now.
Code: auto eth0 iface eth0 inet static address 67.202.x.x gateway 67.202.x.1 netmask 255.255.255.0 auto lo iface lo inet loopback My server.conf code....
I can get the VPN server running and everything connects fine from the client. I just don't know how to tunnel all the traffic through the VPS because it involves making the bridge which I'm having trouble with. What exactly am I supposed to put in /etc/network/interfaces?
I have a question regarding Traffic Shaping in Linux, Suppose I have a server on the internet (web, email or ftp) and I want to shape outgoing traffic per IP, say 256k for each destination IP. I've seen examples on the internet on how to shape traffic per IP by adding a queue for each IP, and some examples by using u32 hash if I have e.g. a /24 network, but if I have a server and I want to shape the traffic by destination IP, and of course... since it is a server on the internet I can't manually define any IPs of subnets. An example using the tc command?
I'm running OpenVPN service on both debian server and client. When start connection between client and server, I expect all the computer traffic (except ARP and DHCP requests) go through created tunnel. However, when I capture packets on wlan0 on client (the only connection going outside host) using Wireshark, I can see DNS requests visible and sometimes incoming TCP traffic as well, but most of the traffic is going through tunnel as expected. I provide both configurations of client and server and client routing table for inspection. I changed server address to avoid server exploitation in the case of some big configuration mistake.
Commands to run OpenVPN services are: Code: Select allFor client: sudo openvpn --config /etc/openvpn/client.conf & For server: sudo openvpn --config /etc/openvpn/server.conf &
**Client routing table when VPN is OFF** Code: Select allKernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 192.168.1.1 0.0.0.0 UG 1024 0 0 wlan0 192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
[code]...
I searched through many forums and documentation and I found, that for all the traffic going via VPN is command: *push "redirect-gateway def1"* neccessary, however, I have leaks despite this command being in place. I already spent over 2 days with this and tried to configure it in many ways, now I have no clue what I'm missing.
I need to be able to do the following: Physical Router located at 192.168.40.1 On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2 eth1 with static ip 192.168.40.3 eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this) register phone number B at 192.168.50.1 register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
I have a laptop connected to internet via wlan0. I also have eth0 interface and with it I share internet. I want to modify/filter all the traffic passing by the first laptop, something like this:
I know that in FreeBSD it is possible to use ipfw for that purpose, because it build-in into kernel. We set for example rule Code: Select allipfw add divert 2000 ip from any to 1.0.1.1
and we can use our own application to process those packets, reinject them forward etc. It will work also fast, because as I said, it build into kernel.
Is there any standart Linux-based solution to do the same? I found some info about netmap-ipfw. Is this a correct solution? Or I have to use for example IP-aliases and iptables to do that?
I need to process all the IP-packets, not only TCP/UDP/etc-protocol. Solution also must be very fast.
I would like to redirect traffic coming from a machine A through a SOCKS proxy (setted on machine B)Machine B run "ssh -D 4242". So that create a SOCKS proxy on machine B.Machine A would like to connect on the internet, but the only way is to use machine B SOCKS proxy. The problem is machine A don't know how to use SOCKS Proxy. (Actually, i can just set ip, netmask and gateway on machine A).So, I would like to set up something on machine B that will redirect all traffic coming from machine A throught the SOCKS proxy.
I am running on debian squeeze 6.0.2. I have been using it for the last id say 3 weeks and really am enjoying it.
I generally use transmission-gtk to share files over the internet. Normally I seed torrents at 110-160kb/s for hours at a time. However after messing around with firestarter my upload speed for seeding torrents rarely peaks over 70kb/s. I have purged firestarter with no success of my regular upload speed, and am very confused as to what happened. I also notice sometimes when it will get to about 70kb/s it will immediately drop down to the 20-30kb/s range.
For incoming bittorrent connections I use port 37294. I have set port 37294 to be allowed in my firewall, and forwarded in my router (since purging firestarter did not help I just reinstalled it).
I have also read allowing ports 6881-6889 is important, but I have never done that in my history of using torrents, and I have never experienced a decrease in UL speed like this.
Have I done something incorrect? I have never had this issue on other machines?
I have a strange iptables issues. I have just built a new Debian install and starting adding some real basic rules (see below) the problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily allowing Established Connections would resolve this, see the rule below, but it hasn't. Why this doesn't work. Removing the last DROP in the INPUT chains obviously makes the traffic work!
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -j ACCEPT -p tcp --dport 22 iptables -A INPUT -j ACCEPT -s x.x.x.x iptables -A INPUT -j ACCEPT -s x.x.x.x iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80 iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080 iptables -I INPUT 1 -i lo -j ACCEPT iptables -A INPUT -j DROP
I am running Debian Squeeze on an old pc (AMD K62-500) which serves as my multiwan router and torrent box. Internet uplink is provided via a dsl line and 2 wireless canopy modules.
Setup has been generally fine except when connecting/downloading as free user from sites like rapidshare, hotfile, filesonic, etc. The problem arises when I am connected to these sites using the wireless uplinks because of the shared public ip. I don't really download that much using direct download methods so I don't really see myself being a premium user from these sites.
If these sites are on a specific ip or ip range, an entry on the static routing table would have been fine but when I tried using ping, a different ip would appear to reply each time.
I wonder if there can be a solution like using iptables where in traffic to and from these sites will only use the NIC connected to the dsl line.
How can I forward all traffic from a public IP to another public IP. Let's say I have a first debian box named box1 with eth0 = 1.1.1.1 and eth0:1 = 1.1.1.2 and I want to forward all traffic from 1.1.1.2 to "box2" located somewhere else over the internet and having for eth0 2.2.2.2 Both 1.1.1.0/24 and 3.3.3.0/24 are public IP ranges.
I've got problem with configuration of 6to4 tunnel. I do it like they do here using iproute2 HTML Code: [URL] And still I can't ping ipv6.google.com: I' ve got Destination unreachable: Address unreachable
eth0: 62.2.2.x (public on the internet) GW: 62.2.2.1 (cisco router)
i want to configure my ppptp server to allow users access internet with their own public ips of class 62.2.3.0 62.2.4.0 62.2.5.0
every time i configure my server all users can get thier IPs but they only go out with my server IP same as NAT not routing.
can you show me the proper configuration to make my users connect with public IP and have internet access. use specific DNS ( i did this but some users can not brows by DNS)
is there any way to specify an expired date for each pptp user.
I'm trying to connect to a Microsoft ISA PPTP server from my Linux box. The box I'm connecting from is itself a router. I have no problem connecting a Windows XP machine to the VPN via this machine. This is fine, but I would rather connect via the Linux machine, giving me far more advanced routing options (i.e. no to send every packet from the XP box completely unnecessarily via the PPTP tunnel). The Linux router is running Debian Lenny.
I've checked iptables. There were initially some issues. I've fixed those.
Invoking pppd from the console, I can see that authentication succeeds, but then some negotiation goes wrong and the server terminates the connection. Here's the output from pppd, with the more sensitive stuff removed:
Code: <hostname>:~# pppd call <peer> nodetach debug using channel 19 Using interface ppp0 Connect: ppp0 <--> /dev/pts/2 sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe3e45f75> <pcomp> <accomp>] code....
