DaemonForums: OpenBSD Packages and Ports

#1  bartman (New User), 24th May 2008
poptop on OpenBSD 4.3

Hello,

I am having issues connecting from my Mac and XP PPTP clients to my poptop server. They try and connect and are dropped right away. I have a feeling my issue has to do with how I am configuring ppp.
I am running OpenBSD 4.3 and poptop-1.3.0 (installed using pkg_add).

The OpenBSD box is acting as a firewall/router doing nat with pf. My internal ip address on the OBSD box is 192.168.1.1.

I loosely followed the instructions found here:

http://blogs.techrepublic.com.com/networking/?p=48
and here:
http://koychev.com/Setup-OpenBSD-PP...ver-with-Poptop

However, in part 1 on the top link the author states to remove:
pseudo-device gre # GRE encapsulation interface

Which does not make sense, because PopTop uses gre and when I did remove gre, it gave me the error:

(May 16 18:21:40 cerberus pptpd[2412]: PPTPD: failed to allow GRE, errno=42) and would not start pptpd.

Therefore, I recompiled my kernel with gre. I am now able to start pptpd, but I am now receiving a new error when I try to connect:

CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
pptpd[1277]: GRE: read(fd=7,buffer=3c0046a0,len=8196) from PTY failed: status = 0 error= No error

In my ppp.log I receive this error:
ppp[12874]: Warning: Label ipparam rejected -direct connection: Configuration label not found


Here are my config files.

/etc/ppp/ppp.conf:

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhostpploop
set dial
set login
set mppe * stateful
set ifaddr 192.168.1.2 192.168.1.234-192.168.1.254 255.255.255.255
set server /var/tmp/loop "" 0177



loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct


pptp:
load loop
# Disable unsecured auth
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
set device !/etc/ppp/secure

/etc/ppp/secure:

#!/bin/sh

exec /usr/sbin/ppp -direct loop-in


/etc/pptpd.conf:
option /etc/ppp/ppp.conf
debug
logwtmp
localip 192.168.1.2
remoteip 192.168.1.234-254
listen xx.xx.xx.xxx
pidfile /var/run/pptpd.pid

I can make a successful telnet session to my external IP on port 1723 so it does not look like pf is an issue. However, here is what I am doing in pf.conf.

#PPTP
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
#End PPTP

Any help would be appreciated!

Cheers,

JD

#2  s2scott (Package Pilot), 24th May 2008

Add "log" argument to ALL your pass and block rules in your pf.conf, run

Code:
# pfctl -F all -vf pf.conf
and then run the command ...
Code:
# tcpdump -eni pflog0
and re-run the connect attempt and post tcpdump's output in forum.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

#3  jggimi (More noise than signal), 24th May 2008

Quote:
...Therefore, I recompiled my kernel with gre....
As is typical with those who follow HowTo documents they find on the Internet ... the documentation is out-of-date.

For 3 years 5 months (OpenBSD 3.7 thru OpenBSD 4.2), the poptop port remained unchanged -- poptop 1.1.4b4p1. For 4.3, poptop was updated to 1.3.0, and GRE is automatically enabled at runtime.

Return to a GENERIC kernel, and you can eliminate your custom kernel as a point-of-error.

Disclaimer: I am not a poptop user, I merely read the log for the port's Makefile. Here is a link: http://www.openbsd.org/cgi-bin/cvswe...optop/Makefile

Note: your koychev link is broken.

#4  jggimi (More noise than signal), 24th May 2008

I note the port includes a README file. You can find it in /usr/local/share/doc/poptop/README.OpenBSD

#5  bartman (New User), 24th May 2008

Quote:
Originally Posted by s2scott View Post
Add "log" argument to ALL your pass and block rules in your pf.conf, run

Code:
# pfctl -F all -vf pf.conf
and then run the command ...
Code:
# tcpdump -eni pflog0
and re-run the connect attempt and post tcpdump's output in forum.

/S
Nothing was output.

-bash-3.2# tcpdump -eni pflog0
tcpdump: listening on pflog0, link-type PFLOG

Thoughts?


I will recompile the kernel to the GENERIC to see if that fixes anything. However, I only took out some unnecessary device drivers, so I am not too certain that will fix anything, but who knows.

#6  ocicat (Administrator), 24th May 2008

Quote:
Originally Posted by bartman View Post
I will recompile the kernel to the GENERIC to see if that fixes anything. However, I only took out some unnecessary device drivers, so I am not too certain that will fix anything, but who knows.
In general, the OpenBSD project does not support custom kernels:

http://openbsd.org/faq/faq5.html#Why

...& we follow this same cultural decision here as well. Installing a kernel with the same version number from a mirror would alleviate any remaining questions as to whether customizing is still contributing unexpected behaviors. If & when you do respond again with new information, please provide the output of the following command:

$ sysctl kern.version

#7  bartman (New User), 25th May 2008

-bash-3.2$ sysctl kern.version
kern.version=OpenBSD 4.3 (GENERIC) #0: Sat May 24 20:54:05 PDT 2008
root@cerberus.underachievement.biz:/usr/src/sys/arch/i386/compile/GENERIC


I recompiled the kernel to be GENERIC and I am seeing the same behavior.

#8  ocicat (Administrator), 25th May 2008

Quote:
Originally Posted by bartman View Post
I recompiled the kernel to be GENERIC and I am seeing the same behavior.
Are you using a modified version of GENERIC or the default installed during installation?

#9  s2scott (Package Pilot), 25th May 2008

Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
, right?

bartman (New User), 25th May 2008

Quote:
Originally Posted by s2scott View Post
Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
, right?
Yes. The box has successfully been acting as a firewall/router for a few weeks now.

I also wanted to point out that the tcpdump is working ok.

tcpdump -eni pflog0
tcpdump: listening on pflog0, link-type PFLOG
06:58:14.499988 rule 39/(match) block in on vr0: 128.97.xx.xx.52314 > 76.91.xx.xx.80: [|tcp] (DF)
06:58:41.566078 rule 39/(match) block in on vr0: 128.97.xx.xx.52316 > 76.91.xx.xx.80: [|tcp] (DF)
06:59:02.872598 rule 39/(match) block in on vr0: 128.97.xx.xx.52317 > 76.91.xx.xx.23: [|tcp] (DF)
06:59:20.535997 rule 39/(match) block in on vr0: 128.97.xx.xx.52318 > 76.91.26.1xx.xx: [|tcp] (DF)

Therefore, I am pretty sure the issue has to do more with ppp rather than firewall issues. Perhaps something I missed in my config.

Lastly, I doubt this matters, but I created extra tun devices.

cd /dev
sh ./MAKEDEV tun5
sh ./MAKEDEV tun6
etc...

bartman (New User), 25th May 2008

Quote:
Originally Posted by ocicat View Post
Are you using a modified version of GENERIC or the default installed during installation?
Sorry, I missed this post before. Yes, I am using the GENERIC used during installation. After I recompiled my custom kernel, I removed the generic one. Therefore, I recompiled the GENERIC kernel that came with the OS. The kernel name I was using before was KERNLITE.

I realized that I could have just downloaded the GENERIC kernel from openbsd (which would have been faster), but that was an afterthought. I am up at the future in-laws right now, so clear uninterrupted thinking is in short supply. =\

funtaff (Real Name: David Hasson, New User), 27th May 2008

Try adding a "noipparam" in pptpd.conf.

This link talks more about it, as experienced by one user:

http://www.pingle.org/2006/04/11/get...er-freebsd-5-6

bartman (New User), 29th May 2008

No dice, it is displaying the same error as before, but without the leading ipparam before it.

bartman (New User), 30th May 2008

I read all through the article that funtaff provided, but I am still seeing the same issues. Does anyone else have any suggestions? I have been looking around quite a bit, but I am somewhat at a loss.

bartman (New User), 8th June 2008

When I run pptpd in the foreground using -f, I see the error

plugin: Configuration label not found

when I try and connect. From the research that I have done, it suggested that I am missing pptp: in my ppp.conf file. However, I have that section in. I have even tried changing my config files around quite a bit, stripping them of all extra stuff and I am seeing the same errors.

If anyone could provide some insight that would be great. I feel like I am just spinning my wheels and nothing is changing.

Thanks.

MarkJu (New User), 22nd September 2008
Use pptpd's "-e" option

1. Create a little script "/etc/ppp/pppd":

#!/bin/sh
/usr/sbin/ppp -direct pptp

2. Start pptpd with "-e /etc/ppp/pppd"

This seems to solve the coordination problems between pptpd/pppd/ppp.
Reply With Quote
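
A preflight check for the "Configuration label not found" errors logged in this thread, added here as an example and not part of any post: it lists the labels a ppp.conf-style file defines and reports which candidate words (such as the "ipparam" and "plugin" that ppp rejected above, or the "pptp" the wrapper passes) are not among them. The function names and the sample file are constructed, and the label syntax (starts in column 0, ends with a colon, "#" begins a comment) is an assumption about ppp.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed ppp.conf syntax: a label
# starts in column 0 and ends with ':'; '#' starts a comment; every
# other line is a command belonging to the preceding label.

# Print each label defined in the file named by $1, one per line.
ppp_labels() {
    sed -n -e 's/[[:space:]]*#.*$//' \
           -e 's/^\([^[:space:]!][^[:space:]]*\):[[:space:]]*$/\1/p' "$1"
}

# Succeed only if label $2 is defined (exact match) in file $1.
label_defined() {
    ppp_labels "$1" | grep -qxF -- "$2"
}

# Print every candidate word (arguments after the file) that is NOT a label.
missing_labels() {
    _file=$1; shift
    for _label in "$@"; do
        label_defined "$_file" "$_label" || echo "$_label"
    done
}

# Constructed sample; the label names mirror the ppp.conf posted above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the poster's file
loop:
 set timeout 0
loop-in:    # label followed by a comment
 allow mode direct
pptp:
 load loop
 enable mschapv2
EOF
}

# Demo: "ipparam" and "plugin" are the words ppp rejected in the logs;
# "pptp" is the label the wrapper script passes to "ppp -direct".
sample=$(mktemp)
write_sample_conf "$sample"
echo "labels defined:"; ppp_labels "$sample"
echo "not defined:";    missing_labels "$sample" ipparam plugin pptp
rm -f "$sample"
```

Run against the real file, `missing_labels /etc/ppp/ppp.conf pptp` printing nothing means the label named in the wrapper script exists.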