LINUX.ORG.RU

PPTP не пашет

 ,


1

1

Поднял сервер pptpd, запустил, заработало!
Потом поменял в /etc/ppp/chap-secrets пароль на секурный и тут началось...
Сервер не может поднять ppp0 интерфейс.

/etc/pptpd.conf:

###############################################################################
# $Id$
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#	Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
#logwtmp

# TAG: bcrelay <if>
#	Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#	Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#	These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses seperated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than the value of connections,
#	   it will start at the beginning of the list and go until it
#	   gets connections IPs.  Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
localip 10.9.0.1
remoteip 10.9.0.2-200
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

/etc/ppp/pptpd-options:

###############################################################################
# $Id: options.pptpd,v 1.9 2005/08/02 11:33:32 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes 
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)


# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}


# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40	# enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}


# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 77.88.8.88
ms-dns 77.88.8.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp 

# Disable Van Jacobson compression 
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd, 
# which may trigger a loopback
nologfd

# put plugins here 
# (putting them higher up may cause them to sent messages to the pty)

LOG:

Nov 13 05:33:56 dg01 pptpd[23208]: MGR: connections limit (100) reached, extra IP addresses ignored
Nov 13 05:33:56 dg01 pptpd[23209]: MGR: Manager process started
Nov 13 05:33:56 dg01 pptpd[23209]: MGR: Maximum of 100 connections available
Nov 13 05:33:58 dg01 pptpd[23212]: CTRL: Client 94.25.164.228 control connection started
Nov 13 05:33:59 dg01 pptpd[23212]: CTRL: Starting call (launching pppd, opening GRE)
Nov 13 05:33:59 dg01 pppd[23213]: The remote system is required to authenticate itself
Nov 13 05:33:59 dg01 pppd[23213]: but I couldn't find any suitable secret (password) for it to use to do so.
Nov 13 05:33:59 dg01 pptpd[23212]: GRE: read(fd=6,buffer=7f1aebf5b4a0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Nov 13 05:33:59 dg01 pptpd[23212]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 13 05:33:59 dg01 pptpd[23212]: CTRL: Reaping child PPP[23213]
Nov 13 05:33:59 dg01 pptpd[23212]: CTRL: Client 94.25.164.228 control connection finished
★★

Последнее исправление: Strannik-j (всего исправлений: 1)

Ответ на: комментарий от Strannik-j

Смотрите, что в /etc/ppp/options нет ничего лишнего. Изучайте chap-secrets под микроскопом. Если ничего не заметили, включите debug, тогда будет видно, под каким именем пытается подключится клиент и можно будет копи-пастой вытащить это имя и сделать по нему grep по файлу с паролями (может где опечатка и кирилица вместо латиницы).

mky ★★★★★
()
Ответ на: комментарий от mky

Вот в /etc/ppp/options я заглянул только после Вашего поста, стало быть, там ничего лишнего (но я на всяк случай ещё раз проверил).
chap-secrets создал с нуля.
debug включил, вот вывод:


Nov 17 06:10:43 dg01 pptpd[25590]: GRE: read(fd=6,buffer=7f3d318ed4a0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Nov 17 06:10:43 dg01 pptpd[25590]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 17 06:10:43 dg01 pptpd[25590]: CTRL: Reaping child PPP[25591]
Nov 17 06:10:43 dg01 pptpd[25590]: CTRL: Client 94.25.164.31 control connection finished
Nov 17 06:10:45 dg01 pptpd[25625]: MGR: connections limit (100) reached, extra IP addresses ignored
Nov 17 06:10:45 dg01 pptpd[25626]: MGR: Manager process started
Nov 17 06:10:45 dg01 pptpd[25626]: MGR: Maximum of 100 connections available
Nov 17 06:10:47 dg01 pptpd[25627]: CTRL: Client 94.25.164.31 control connection started
Nov 17 06:10:48 dg01 pptpd[25627]: CTRL: Starting call (launching pppd, opening GRE)
Nov 17 06:10:48 dg01 pppd[25628]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Nov 17 06:10:48 dg01 pppd[25628]: pptpd-logwtmp: $Version$
Nov 17 06:10:48 dg01 pppd[25628]: pppd options in effect:
Nov 17 06:10:48 dg01 pppd[25628]: debug#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: dump#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: plugin /usr/lib/pptpd/pptpd-logwtmp.so#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: require-mschap-v2#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: refuse-pap#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: refuse-chap#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: refuse-mschap#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: name pptpd#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: remotenumber 94.25.164.31#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: pptpd-original-ip 94.25.164.31#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: 115200#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: lock#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: crtscts#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: local#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: asyncmap 0#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: lcp-echo-failure 4#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: lcp-echo-interval 30#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: show-password#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: novj#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: novjccomp#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: ipparam 94.25.164.31#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: 10.9.0.1:10.9.0.2#011#011# (from command line)
Nov 17 06:10:48 dg01 pppd[25628]: nobsdcomp#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: require-mppe-128#011#011# (from /etc/ppp/pptpd-options)
Nov 17 06:10:48 dg01 pppd[25628]: noipx#011#011# (from /etc/ppp/options)
Nov 17 06:10:48 dg01 pppd[25628]: pppd 2.4.5 started by strannik, uid 0
Nov 17 06:10:48 dg01 pppd[25628]: using channel 11162
Nov 17 06:10:48 dg01 pppd[25628]: Using interface ppp0
Nov 17 06:10:48 dg01 pppd[25628]: Connect: ppp0 <--> /dev/pts/0
Nov 17 06:10:48 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:10:48 dg01 pptpd[25627]: GRE: Bad checksum from pppd.
Nov 17 06:10:48 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:48 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:51 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:10:51 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:51 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:54 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:10:54 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:54 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:57 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:10:57 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:10:57 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:00 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:11:06 dg01 pppd[25628]: message repeated 2 times: [ sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]]
Nov 17 06:11:06 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:06 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:06 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:06 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:09 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:11:09 dg01 pppd[25628]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:09 dg01 pppd[25628]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4c972a8b>]
Nov 17 06:11:12 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:11:15 dg01 pppd[25628]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d6f9854> <pcomp> <accomp>]
Nov 17 06:11:18 dg01 pppd[25628]: LCP: timeout sending Config-Requests
Nov 17 06:11:18 dg01 pppd[25628]: Connection terminated.
Nov 17 06:11:18 dg01 pppd[25628]: Modem hangup
Nov 17 06:11:18 dg01 pppd[25628]: Exit.
Strannik-j ★★
() автор топика
Ответ на: комментарий от Strannik-j

Ошибка сейчас стала другая. Это просто от включения опции ″debug″?

Я рекомендую проверить подключение по pptp через локальную сеть, а то про yota много чего понаписано, что она блокирует GRE или просто глючит с ним.

mky ★★★★★
()
Ответ на: комментарий от mky

Да, похоже так и есть :(
Пробросил к этому серваку OpenVPN и уже по внутренней сети pptp подключается нормально.
Т.е. получается, что либо DigitalOcean, либо Yota режут GRE, и скорее всего второе...

Strannik-j ★★
() автор топика
Ответ на: комментарий от Strannik-j

Да, так и есть. Yota блокирует PPTP. Техподдержка говорит, что проблема в NAT, и они ничем помочь не могут.Инструкция, которой я пользовался при поднятии PPTP, рабочая. OpenVPN на йоте работает хорошо, но далеко не все смартфоны его поддерживают (почему-то даже CyanogenMod больше не поддерживает), поэтому как альтернативу, использую SSHTunnel с телефона до сервера с OpenVPN и белым IP.
Теперь бы ещё роутер найти с поддержкой OpenVPN.

Strannik-j ★★
() автор топика
Ответ на: комментарий от Pinkbyte

Желательно не слетать с гарантии. И мощи побольше. И не стоит забывать, что у роутера должно быть достаточно памяти, а то есть у меня TPLink старенький с OpenWRT, так на нём OpenVPN ставить некуда.
Мне вот Zyxel Keenetic Extra нравится, но в него нельзя ни OpenWRT поставить, ни сам OpenVPN, т.к. в новой версии прошивки эту возможность порезали.

Strannik-j ★★
() автор топика
Последнее исправление: Strannik-j (всего исправлений: 1)
Ответ на: комментарий от Strannik-j

Желательно не слетать с гарантии

Роутер на который можно вкатить OpenWRT и откатиться к заводской прошивке в случае чего

И не стоит забывать, что у роутера должно быть достаточно памяти, а то есть у меня TPLink старенький с OpenWRT, так на нём OpenVPN ставить некуда.

Если у роутера есть USB-порт - это решается выносом OverlayFS на него

А так, есть например Ubiquiti ERLITE-3. Там из коробки EdgeOS(вроде как форк Vyatta, но я ее щупал 2 минуты от силы и снес), внутри - обычный USB с самой что ни на есть обычной флешкой. OpenWRT я сам ставить туда не пробовал, но соответствующая страничка на wiki есть. В комплекте с роутером - флешка на 2 гигабайта.

Pinkbyte ★★★★★
()
Последнее исправление: Pinkbyte (всего исправлений: 2)
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.