Whole document tree


www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

Whole document tree

Bring up the Link
VPN PPP-SSH Mini-HOWTO
PrevNext

6. Bring up the Link

Everything should now be set up. Now it's time to take a deep breath and try to bring up the link.

  1. Become root on the client machine and execute the vpn-pppssh script. 

    client# /usr/local/bin/vpn-pppssh start

  2. It will take a while to connect, but then it should come back with something like the following

    Using interface ppp1
Connect: ppp1 <--> /dev/pts/1
local  IP address 192.168.3.1
remote IP address 192.168.3.2

  3. Did it work? First try pinging the client's VPN interface:

    client$ ping 192.168.3.2

  4. If this worked, then you can reach the interface on the client OK. Don't get excited yet -- that was the easy part. Now, try pinging the server's VPN interface:

    client$ ping 192.168.3.1

    If you get echoes back, then congratulations! Your PPP-SSH VPN appears to be healthy. Packets are successfully travelling the route in both directions. You might want to log into your server and try initiating pings from the server to the client, but at this stage of the game, that's almost guaranteed to work.

You bring the VPN down with "vpn-pppssh stop".

Now that the tunnel works, you might want to integrate it into your system so it comes up automatically as described in Section 7. Also, if you want to forward packets from an entire subnet over the link (rather than just the packets originating on the client and server as we have set up now) see Section 8.

6.1. Troubleshooting

The script itself is fairly simple. The entire system, however, involves a lot of small parts. If any one of them is misconfigured, it can prevent your VPN from working without so much as a message why. Here is a list of things to check if you run into difficulties:

  • Double and triple check your network values. Try running "vpn-pppssh config" to ensure the configuration is correct and the shell hasn't ruined any of your values.

  • Go back over each step and make sure that it all checks out.

  • Try temporarially turning off any firewalls on the client, on the server, and on any machines in between to see if any of them are getting in the way (not likely if you can SSH between the two machines).

  • Ensure that your routes are correct. You can list your routes using "route -n". See the Linux Network Administrators Guide and http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html for more.

6.1.1. sendto: Operation not permitted

When you try to ping the VPN interfaces, if you get a "sendto: Operation not permitted" error, you are probably running into a firewall on the local machine that is denying packets before they even reach the VPN network interface. Your firewall must allow SSH traffic over your regular network and it must allow all traffic over your VPN interfacess.

The ipchains commands to smash a hole in your firewall for your PPP interface will something like this:

ipchains -I input  1 -i ppp1 -s 192.168.3.0/24 -j ACCEPT
ipchains -I output 1 -i ppp1 -d 192.168.3.0/24 -j ACCEPT

ppp1 must, of course, be the network interface of your PPP-SSH VPN, and the IP addresses must match the address of the local interface. Make sure that packets are allowed on both the client and server.

See the Linux Firewall HOWTO, the IPChains HOWTO for kernel 2.2, or documentation on iptables for kernel 2.4.

PrevHomeNext
Configure the Client Integrating the VPN into your system