Recently I was trying to connect to a PPTP VPN from my home workstation, which has Fedora 30 installed, and I wasn't able to. So I researched it online and worked out how to create the VPN connection with the NetworkManager command-line tool, nmcli.
Create Connection
[spameggs@foobar ~]$ sudo nmcli connection add connection.id VPN_2 connection.type vpn connection.interface-name wlp2s0 connection.permissions spameggs vpn.service-type pptp vpn.data gateway=199.202.117.191
[spameggs@foobar ~]$ sudo nmcli connection modify VPN_2 vpn.user-name numb vpn.secrets password=damisk76
We can check the connection details in the file VPN_2.nmconnection, which is created in the location below.
[spameggs@foobar system-connections]$ pwd
/etc/NetworkManager/system-connections
[spameggs@foobar system-connections]$ sudo cat VPN_2.nmconnection
[sudo] password for spameggs:
[connection]
id=VPN_2
uuid=1342c044-108a-447c-8712-de988346fccb
type=vpn
interface-name=wlp2s0
permissions=user:spameggs:;
[vpn]
gateway=199.202.117.191
service-type=org.freedesktop.NetworkManager.pptp
user-name=numb
[vpn-secrets]
password=damisk76
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
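The keyfile above keeps the password passed to vpn.secrets in clear text under [vpn-secrets], so anyone who can read that file holds the VPN credential. NetworkManager writes these files root-owned with mode 0600, and the protection of the secret depends on that staying so. The script below is an added example, not part of the original post and not NetworkManager's own code: it reports whether a keyfile carries a clear-text [vpn-secrets] password and whether the file mode is still 0600. The sample keyfile it builds is constructed for the example, with a placeholder in place of the real password, and the function names are mine.

```shell
#!/bin/sh
# Build a constructed keyfile modelled on VPN_2.nmconnection above
# (placeholder password, not the real file). Prints the path.
make_sample_keyfile() {
  dir=$(mktemp -d)
  cat > "$dir/VPN_2.nmconnection" <<'EOF'
[connection]
id=VPN_2
type=vpn
interface-name=wlp2s0
permissions=user:spameggs:;
[vpn]
gateway=199.202.117.191
service-type=org.freedesktop.NetworkManager.pptp
user-name=numb
[vpn-secrets]
password=PLACEHOLDER_PASSWORD
EOF
  chmod 600 "$dir/VPN_2.nmconnection"
  printf '%s\n' "$dir/VPN_2.nmconnection"
}

# Exit 0 if the keyfile ($1) has a password= line inside [vpn-secrets],
# i.e. the VPN secret is stored in clear text; exit 1 otherwise.
keyfile_has_plain_secret() {
  awk '
    /^\[/ { insec = ($0 == "[vpn-secrets]"); next }
    insec && /^password=/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Exit 0 if the keyfile ($1) is mode 0600 (owner read/write only), which is
# how NetworkManager writes it; exit 1 if it has been opened up.
keyfile_mode_ok() {
  mode=$(stat -c '%a' "$1")
  [ "$mode" = "600" ]
}

# Usage against the real file (as root):
#   keyfile_has_plain_secret /etc/NetworkManager/system-connections/VPN_2.nmconnection
#   keyfile_mode_ok /etc/NetworkManager/system-connections/VPN_2.nmconnection
```

If keyfile_has_plain_secret succeeds, the credential lives on disk in the system keyfile; NetworkManager can instead keep a VPN secret agent-owned, stored in the user's keyring, in which case the [vpn-secrets] section is absent from the file and the check returns 1.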
Test Connection
I could not connect to the VPN, and journalctl showed the following log messages.
Started the VPN service, PID 6152
Saw the service appear; activating connection
VPN connection: (ConnectInteractive) reply received
VPN plugin: state changed: starting (3)
VPN plugin: failed: connect-failed (1)
VPN plugin: state changed: stopping (5)
VPN service disappeared
Load Modules
After further research I found that some kernel modules need to be loaded. There are two ways to do this. For temporary use, run the following as a privileged user.
[root@drone ~]# for module in nf_nat_pptp nf_conntrack_pptp
> do
> modprobe $module;
> done
Or we can load these modules permanently at boot by adding the module names to the file /etc/modules-load.d/netfilter.conf as follows.
[spameggs@foobar ~]$ sudo cat /etc/modules-load.d/netfilter.conf
nf_nat_pptp
nf_conntrack_pptp
A reboot is needed for this change to take effect.
Configure Firewall Rules
There is no need to change anything in SELinux. However, we have to add a few rules to the firewall to allow PPTP connections.
[spameggs@foobar ~]$ sudo firewall-cmd --permanent --add-port=1723/tcp
[spameggs@foobar ~]$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
[spameggs@foobar ~]$ sudo firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -j ACCEPT
[spameggs@foobar ~]$ sudo firewall-cmd --permanent --add-masquerade
[spameggs@foobar ~]$ sudo firewall-cmd --reload
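The connect-failed message in the journal gives no hint about which prerequisite is missing, and the post needed two fixes (the netfilter modules and the firewall rules) before the connection came up. The script below is an added example, not from the post, of a pre-flight check for both: it lists which of the required modules are absent from a /proc/modules listing, and whether a saved firewall-cmd --list-ports output already contains 1723/tcp. The /proc/modules snapshot and the port list it builds are constructed inputs, not taken from the post's machine, and the function names are mine.

```shell
#!/bin/sh
# Kernel modules the post loads before PPTP would connect.
PPTP_MODULES="nf_nat_pptp nf_conntrack_pptp"

# Constructed /proc/modules snapshot: the conntrack helper is loaded but the
# NAT helper is not. Prints the path.
make_sample_proc_modules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
nf_conntrack_pptp 20480 0 - Live 0x0000000000000000
nf_conntrack 163840 1 nf_conntrack_pptp, Live 0x0000000000000000
wl 6500352 0 (PO) Live 0x0000000000000000
EOF
  printf '%s\n' "$f"
}

# Constructed output of `firewall-cmd --list-ports` before the PPTP rule
# was added. Prints the path.
make_sample_list_ports() {
  f=$(mktemp)
  printf '%s\n' "22/tcp 53/udp" > "$f"
  printf '%s\n' "$f"
}

# Print each required module that is absent from a /proc/modules listing
# ($1); the first field of every line in that file is the module name.
missing_pptp_modules() {
  for m in $PPTP_MODULES; do
    awk -v mod="$m" '$1 == mod { found = 1 } END { exit (found ? 0 : 1) }' "$1" \
      || printf '%s\n' "$m"
  done
}

# Exit 0 when the saved `firewall-cmd --list-ports` output ($1) already opens
# TCP 1723 (the PPTP control channel), 1 otherwise.
firewall_allows_pptp_control() {
  tr ' ' '\n' < "$1" | grep -qx '1723/tcp'
}

# Usage against the running system (firewall-cmd needs root):
#   missing_pptp_modules /proc/modules
#   firewall-cmd --list-ports > /tmp/ports.txt && firewall_allows_pptp_control /tmp/ports.txt
```

The port check covers only the TCP control channel; the GRE direct rules added above are not shown by --list-ports and have to be reviewed with firewall-cmd --direct --get-all-rules.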
Reconnect Successfully
We can see below that the connection is finally established.
[spameggs@foobar ~]$ nmcli connection up VPN_2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
Verify Connection
We can verify this from the output of ifconfig: a new ppp0 interface has been created automatically with the IP address 192.168.101.149.
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet 192.168.101.149 netmask 255.255.255.255 destination 192.168.101.150
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 1271 bytes 1398779 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1213 bytes 127555 (124.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The command ip addr also shows the ppp0 interface.
[foobar@drone system-connections]$ ip addr
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 192.168.101.149 peer 192.168.101.151/32 scope global ppp0
valid_lft forever preferred_lft forever
We can check the routes for the VPN traffic by running the ip route and route commands.
[spameggs@foobar ~]$ ip route
default dev ppp0 proto static scope link metric 50
default via 192.168.100.1 dev wlp2s0 proto dhcp metric 600
192.168.100.0/24 dev wlp2s0 proto kernel scope link src 192.168.100.29 metric 600
192.168.100.1 dev wlp2s0 proto static scope link metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
192.168.101.149 dev ppp0 proto kernel scope link src 192.168.101.148 metric 50
199.202.117.191 via 192.168.100.1 dev wlp2s0 src 192.168.100.29
199.202.117.191 via 192.168.100.1 dev wlp2s0 proto static metric 600
[spameggs@foobar ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 0.0.0.0 0.0.0.0 U 50 0 0 ppp0
default _gateway 0.0.0.0 UG 600 0 0 wlp2s0
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
_gateway 0.0.0.0 255.255.255.255 UH 600 0 0 wlp2s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
192.168.101.149 0.0.0.0 255.255.255.255 UH 50 0 0 ppp0
199.202.117.191 _gateway 255.255.255.255 UGH 0 0 0 wlp2s0
199.202.117.191 _gateway 255.255.255.255 UGH 600 0 0 wlp2s0
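The routing table above has two default routes: the one through ppp0 has metric 50 and the one through wlp2s0 has metric 600, so all traffic enters the tunnel, while the host routes for 199.202.117.191 through the LAN gateway keep the tunnel's own packets off the tunnel. Those two properties are what to confirm after connecting, since a higher-metric ppp0 default would leave traffic on the LAN. The script below is an added example, not part of the post: it picks the lowest-metric default route out of an ip route listing and checks that the VPN gateway has a route via an interface other than ppp0. The sample listing is taken from the ip route output above; the function names are mine.

```shell
#!/bin/sh
# Sample `ip route` listing copied from the post's output. Prints the path.
make_sample_routes() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
default dev ppp0 proto static scope link metric 50
default via 192.168.100.1 dev wlp2s0 proto dhcp metric 600
192.168.100.0/24 dev wlp2s0 proto kernel scope link src 192.168.100.29 metric 600
192.168.101.149 dev ppp0 proto kernel scope link src 192.168.101.148 metric 50
199.202.117.191 via 192.168.100.1 dev wlp2s0 proto static metric 600
EOF
  printf '%s\n' "$f"
}

# Print the interface of the lowest-metric default route in an `ip route`
# listing ($1). A default route with no metric field counts as metric 0.
preferred_default_dev() {
  awk '$1 == "default" {
         dev = ""; metric = 0
         for (i = 2; i < NF; i++) {
           if ($i == "dev") dev = $(i + 1)
           if ($i == "metric") metric = $(i + 1) + 0
         }
         if (best == "" || metric < bestmetric) { best = dev; bestmetric = metric }
       }
       END { print best }' "$1"
}

# Exit 0 if the listing ($1) has a route for the VPN gateway ($2) via an
# interface other than ppp0, so the tunnel endpoint is reached over the LAN;
# exit 1 otherwise.
gateway_route_bypasses_tunnel() {
  awk -v gw="$2" '$1 == gw {
         for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) != "ppp0") ok = 1
       }
       END { exit (ok ? 0 : 1) }' "$1"
}

# Usage on the live system after `nmcli connection up VPN_2`:
#   ip route > /tmp/routes.txt
#   preferred_default_dev /tmp/routes.txt          # expect ppp0
#   gateway_route_bypasses_tunnel /tmp/routes.txt 199.202.117.191
```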
Disconnect VPN
Now we disconnect the VPN by issuing the command below.
[spameggs@foobar ~]$ nmcli connection down VPN_2
Connection 'VPN_2' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)