Gpptp enhancements for doing PIA VPN - [ New version ]

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#1 Post by jafadmin »

I finally got a PIA account so I can test Gpptp VPN with it. Some info:

1) In order to set the default path through the VPN tunnel you'll need to be using the versions listed below. This is not a Gpptp problem. This is a problem with the pppd/ppp/pptp and "route" compiled components within the kernel forks. Gpptp is just a GTK2 front-end for those utilities.

***** [ UPDATE NOV 9, 2014 ] *****

Tested OK versions of puppy:
All Lucid and Precise versions, Quirky Tahr, and Quirky Unicorn.
These versions of puppy will work right with PIA type (anonymous) VPNs. In other words, these are the only versions of puppy that support setting the default route to the VPN ppp0.

[Update]
We have found the problem in the pptp binary in Slacko and Wary versions of puppy AND Quirky 6.1. Below are patch pets for all puppy versions with the routing problem that fix this issue. I have not had the opportunity to test on all puppies with the problem, but feel free to try it.


However, Gpptp v2.0 will install and run on these versions for all other VPN connections that don't need the default route set to the VPN. A company VPN server, for instance, will work fine just routing the RFC 1918 networks through it.

The Gpptp-v2.0.pet below will install correctly on all the 32 bit puppy versions. For FatDog64 go here and check the 5th post down on the page.


2) VPN disconnections!!! :shock: Wow. These VPNs disconnect and leave your normal IP exposed and connected. Huge problem. Almost defeats the purpose. So here's a workaround:

Gpptp v2.0 .. search tags: ppp, pptp, vpn, msvpn, ms vpn

I've updated this version of Gpptp to enable the user to set their routing choices from the gpptp gui using radio buttons.

There is a full explanation in the readme file in /etc/ppp/gpptp after installing v2.0

Good luck and safe surfing ...
Attachments
Gpptp-pptp-patch.pet
Patches pptp on all puppies that need it
(25.85 KiB) Downloaded 1499 times
Gpptp-v2-Slacko-patch.pet
Patches pptp and routing scripts on Slacko
(27.47 KiB) Downloaded 1129 times
Gpptp-v2.0.pet
Gpptp v2.0 for all puppy versions
(45.51 KiB) Downloaded 2718 times
Last edited by jafadmin on Tue 25 Oct 2016, 12:28, edited 46 times in total.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#2 Post by jafadmin »

Carolina needs the pptp patch as well as the v2.0 pet

So far, all puppies tested will work. Some need the pptp patch. If you can't set the default route to the VPN connection, install the pptp patch.

Slacko needs the pptp patch and patched routing scripts due to the fact that Slacko doesn't have yaf-splash.


I will use this space to let everyone know when I do minor fixes to the v2.0 pet

The most current update is on 11-8-2014. Added icons, a ".desktop" file and updated documentation.


.
Last edited by jafadmin on Mon 10 Nov 2014, 22:40, edited 5 times in total.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#3 Post by bark_bark_bark »

I don't think pptp is very secure, but I wish I knew where to find information to back it up. Also, what settings should I use when using qbittorrent with it?
....

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#4 Post by jafadmin »

It has been requested that I make a .pet package to make it easier to set up Gpptp for PIA type VPN. So here it is.

*** THIS HAS ONLY BEEN TESTED ON Precise 5.7.1 & Lucid 5.28 ***

Here's what it does:
1) Installs a new gpptp binary that allows you to load a cached key/password without typing it in the open
2) A command line utility called mk-vpn-key that creates an encrypted cache for your key/password.
3) Installs the vpn-watch utility to work with Gpptp.
4) Installs symlinks, etc. to make everything work right.

Here's what you do:
1) Install the .pet
2) Edit the /etc/ppp/vpn_servers file to add your PIA servers (I just added all the servers for N America in mine - from their web site ..)
3) Edit the /etc/ppp/vpn_userids file to add your PIA usernames.
4) Run the mk-vpn-key utility from the console and put in your PIA key/password. (This step isn't necessary, just useful.) ;)

If you have done the above and have a live network connection, start Gpptp from the "Network" menu.

The drop-down lists should have your server and user names. Type in your password in the password field, OR, just type the word "mykey".

If you type in "mykey", Gpptp will load your encrypted password created with the mk-vpn-key tool. Why do this? PIA generates your passwords for you. You can go to your control panel and have it generate a new one every day if you wish. When you generate a new one, cache it with the mk-vpn-key tool and you don't have to keep trying to memorize new passwords. Just type "mykey" into the password field. Depending on the frequency of disconnects, this can be really handy.
Last edited by jafadmin on Tue 13 May 2014, 22:16, edited 2 times in total.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#5 Post by jafadmin »

How I test.

I boot puppy in pfix=ram mode, set up networking, install the .pet package, and see if I can connect VPN by entering server, userid, and password information manually when I run Gpptp from the network menu.

If all connects ok, I then edit the vpn_userids and vpn_servers files in /etc/ppp, and run the mk-vpn-key utility to help with automation.

I figure that if it works like that from pfix=ram mode, all should be good.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#6 Post by jafadmin »

bark_bark_bark wrote: I don't think pptp is very secure, but I wish I knew where to find information to back it up. Also, what settings should I use when using qbittorrent with it?
For doing PIA/Anon Proxy type VPN you only tunnel to that service provider. They anonymize your session then it is unencrypted to the rest of the WWW, just like normal.

So you are only worried about the security between your session and PIA, not the rest of the web. For anon browsing it should work fine.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#7 Post by jafadmin »

Here is a screen shot of a sanitized "vpn_servers" file in /etc/ppp/Gpptp that has all my PIA servers organised so I can open it in geany and see the extra info I copied off the PIA website regarding their server clusters.

Always make sure to put the comment '#' delimiter right after the server name or weird stuff happens with the drop down list width. This only applies if you're adding comments in the file like I have. You may choose to just have the server names.

(I just copied and pasted their server list from here: https://www.privateinternetaccess.com/pages/network/)
Attachments
servers.png
(82.69 KiB) Downloaded 7980 times

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

Doggie Bone: a cool Custom.route script

#8 Post by jafadmin »

Here is a cool script that you can paste into /etc/ppp/gpptp/Custom.route
that will calculate and set a /24 route to the subnet your VPN IP address is on.

This doesn't care whether the ip address is a private or public address.

Code:

#!/bin/sh
#
#  This Custom.route will automatically create a route to the subnet of the IP
#      address we are assigned by the server.  It assumes a 24 bit subnet.
#
#    So if we are assigned: 172.18.21.101 as an IP address by the server, it will
#       set a route to:
#              route add -net 172.18.21.0 netmask 255.255.255.0 gw 172.18.21.101
#
MYPPP="ppp"

ppp_count=$(ifconfig | grep -c ppp)       # Find highest ppp* number which is the one we want.

if [ "$ppp_count" -gt 0 ]                 # It MUST find a ppp* before we set routes
then
    ppp_count=$(expr "$ppp_count" - 1)    # Decrement the count by one to match dev number

    MYPPP="$MYPPP$ppp_count"              # Append dev number to the ppp variable

    # Retrieve the ip address of the connection.
    MYVPNIPADDR=$(ifconfig "$MYPPP" | grep inet | awk '{print $2}' | cut -d":" -f2)

    # Get subnet address. Assume 24 bit
    MYVPNSUBNET=$(ifconfig "$MYPPP" | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | cut -d. -f1,2,3 | awk '{ print $1 }')
    MYVPNSUBNET=$MYVPNSUBNET.0

    # Set a route for that subnet to the VPN address.
    route add -net "$MYVPNSUBNET" netmask 255.255.255.0 gw "$MYVPNIPADDR"

fi



pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#9 Post by pelican »

Thank you for this. I started to try puppy a couple of years ago but gave up because I couldn't get a standard PPTP VPN to work.

Even now, I can't get your Gpptp v2.0 to work in Lucid 5.2.8 but it's fine in Precise 5.7.1 and Precise 5.7.1 retro so that should probably cover any of the XP laptops that my family want to use with Linux.

In Lucid, the VPN connects OK but then there's no internet access; however I've only tried with eth0 but I assume it would be no different with wlan0 wifi.

What is a little strange to me is that the original Gpptp would be included as standard in, say, slacko when it appears it's difficult to make it work in that version. As a beginner, I'd started off assuming that anything included as standard should have a reasonable chance of working OK if the hardware is reasonable.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#10 Post by jafadmin »

It works ok in all my Lucid 5.28 installs. Perhaps we can determine why it doesn't work in yours. When you run gpptp in 5.28 does it say v2.0 in the title bar?

Also, please understand Gpptp is just a GTK front end for the pppd utility. In the Slacko versions of puppy things break when the DEFAULT ROUTE is set to the ppp0 device created for the VPN session. You can set STATIC ROUTES to ppp0 and they work ok.

So with Gpptp v2.0, the first radio button will break it, the other 2 will work. Read the readme in /etc/ppp/gpptp for a detailed explanation.

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#11 Post by pelican »

I regret my knowledge is very limited and my use of terminology may not be correct but I'll try to make it as clear as I can in my non-tech way.

In my previous post I originally tried using Gpptp v2.0 with wired eth0 for Precise 5.7.1 and the new revitalized Lucid 5.2.8.6; I've now added in the older Lucid 5.2.8.005 in further trials. For all 3 versions I've now tried Gpptp v2.0 using both wired eth0 and wifi wlan0.

I confirm I've definitely used Gpptp v2.0 and the first radio button "Default".

For all three versions and with using both eth0 and wlan0 connections, Gpptp v2.0 connected to the VPN properly in every case i.e. VPN "created" and the VPN monitoring box showing green. This applied to 2 VPN services, PrivateInternetAccess and Boxpn. I checked the IP address and internet performance before and after connection (internet performance before the VPN connection was good in every case).

What surprised me were the results ...

Precise 5.7.1 ..... with both eth0 and wlan0, the new VPN IP showed up immediately with the myip command. Internet performance, although obviously slower than before, was still reasonable using the VPN.

Lucid 5.2.8.6 ..... with both eth0 and wlan0, although GPPTP showed a proper VPN connection, there was no response to the myip command in the terminal i.e. before connecting to the VPN, the myip command showed the original IP address immediately; after connecting there was no response to the myip command. Looking at a browser it seemed a connection had been made but it was very, very, very, very slow. After disconnecting from the VPN the performance went back to normal.

Lucid 5.2.8.005 ..... using eth0 was similar to Lucid 5.2.8.6 i.e. a VPN connection was indicated by Gpptp but it seemed to me the connection was working but was very, very, very, very slow with no IP address being indicated etc. Using wlan0 was better; the VPN IP address could be found with the myip command but internet performance was very variable with it being very slow most of the time.

This was using an Asus eee box, Atom N270, 2GB and with booting puppy from USB sticks. Precise and the two Lucids appear to function properly ootb except the Lucids need a small amount of effort to get wlan0 to work. Although I've heard that checking internet speed is probably not that reliable, it seems to me that the speed I get (without using VPN) from the installed XP is about 50% faster than I get from any of the 3 puppy versions booting from USB sticks.

Not sure whether any of the above helps. I use one of the commercial VPN services when I'm travelling and up to now it's been good on my XP laptops; also I prefer PPTP; the encryption is enough for me and usually it's faster than Openvpn. Therefore, to replace XP, I was hoping I'd find a puppy that had a reliable method of making PPTP connections.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#12 Post by jafadmin »

Wow. Yes, this helps very much. Thank you for all your help with testing. I'm going to download and test 5.28.005 and above to figure it out.

[Edit]

I downloaded the 5.2.8.6 iso and booted it clean. I set up my network and checked my ip address with ifconfig. I then installed the Gpptp v2.0 pet.

Everything worked. I connected to my PIA VPN, ran myip again and had the new IP address. Cruised to some websites.

ifconfig showed my ppp0 connector, and the route command showed default route set to ppp0.

Was able to ping 8.8.8.8 and google.com with no problems.

I encourage you to try this same experiment and tell me your results.

Regards,

jafa

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#13 Post by pelican »

I still get similar results as before. However a few more tests ...

I set up a fresh clean copy of Lucid 5.2.8.6. Booted it in 3 different PCs; an Asus eee box as before; an Asus 901 netbook; a 12 year old Samsung laptop. All with 2GB and using wifi connections.

In all 3, tested using Seamonkey; whatismyipaddress.com; speedof.me; ping 8.8.8.8; general browsing.

Using Lucid, without connecting to a PPTP VPN, in all 3 PCs, the ip address displayed properly and the internet worked well.

Using Lucid, connecting to a PPTP VPN, in all 3 PCs, the VPN ppp0 was created successfully with Gpptp v2.0; ping 8.8.8.8 worked OK with (I think - remember my knowledge is limited) minimal increase in latency; myip command gave no result. When trying to browse, Seamonkey definitely indicated that it was trying to connect (small blue icon showing movement) and there was no "internet connection not available" type of message.

If I left Seamonkey working at downloading the whatismyipaddress.com site for about 20 minutes it finally displayed the correct ip address and location for the pptp vpn server I had expected to connect to. Therefore I assume that, from the ping result and the very long delayed display from whatismyipaddress, the vpn connection is definitely being made. However in my case with my 3 PCs it appears that something in Lucid 5.2.8 is slowing internet speed to a very slow crawl when connected to pptp vpn.

I don't get this problem at all with Precise 5.7.1 or with XP.

I don't understand any of the stuff I get from ifconfig.
Without the VPN connection I get a wlan0 section and a lo section. With vpn I get those 2 sections plus a ppp0 section. As far as I can see there's no difference between the wlan0 and lo sections with or without vpn running.

However when I run Lucid, either with or without vpn, ifconfig shows an extra line at the bottom of the eth0 or wlan0 section which says "Interrupt:n *****" e.g. "Interrupt:5 Memory:d0200000-d0200fff" or "Interrupt:29 Memory:fbfc0000-fc000000" or "Interrupt:19". Precise ifconfig does not have this extra Interrupt line. If that makes any sense to you.

For me, Precise works OK with or without pptp vpn ... Lucid works OK without vpn but the internet slows to a very, very slow crawl with pptp vpn. Presumably this "Interrupt" showing up in Lucid ifconfig wlan0 and eth0 may be the difference but that is way, way beyond any knowledge that I have.

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#14 Post by pelican »

Incidentally, what I find quite amazing is that it appears no linux organization has taken advantage of the current climate of XP being no longer supported and government snooping on private internet stuff. Where is the linux distro that promises the ease of use of XP plus security and privacy? Various versions of Linux may attempt to provide a full equivalent XP experience and claim improved security etc but I have yet to find any Linux distro that gives me confidence that it provides an efficient, easily managed privacy environment with vpn etc. As far as I'm concerned, forget pretty desktops, forget a massive range of available software etc etc etc ..... I, and I think many others, want an OS which provides an easily managed, stable, secure, efficient and private online environment. Regrettably, so far, it seems I've yet to find a linux distro that complies ..... sorry, rant over.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#15 Post by jafadmin »

It's very important to test the way I say so we can find the problem.

If you boot a LiveCD and just connect to the network and install the v2.0 pet, does it work for you?

If you can ping 8.8.8.8 after the VPN connects, but cannot ping google.com, that means you are connecting via VPN, but DNS is not working right.

If this is the case we need to figure out what is breaking DNS.

ps: The "Interrupt:xx" line can be ignored. That version of ifconfig outputs that info and is irrelevant to our issue.

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#16 Post by pelican »

Thank you for your patience. I now understand a little bit more and I've managed to get the Lucid vpn working but only under a particular circumstance. Sorry this is long winded but one of my old PCs does better with Lucid rather than Precise so I'm hoping to get Lucid vpn working.

As I say, my knowledge is very limited. I knew that I could ping the google IP address 8.8.8.8 to check an internet connection and that's what I thought you meant previously. From your last post I now understand I should also ping the domain name google.com.

In the last couple of days, I'm very sure that Lucid has created a vpn connection using Gpptp v2.0. The Lucid readout from Gpptp and from ifconfig has been similar to the readout I get for creating a vpn connection in Precise. The difference has been that Lucid internet either doesn't function or slows to a crawl but Precise works OK.

However I now know I can check by pinging a domain name therefore .....

Test No 1
With a Lucid vpn connection, "ping 8.8.8.8" works OK; "ping google.com" produces a message "ping: bad address google.com". I searched for that problem (ping IP works OK; ping domain name doesn't work) and found it may be something to do with DNS and my router. I disconnected Lucid vpn from Gpptp v2.0; switched off my wifi router; switched it back on again; connected to vpn with Gpptp; and, voila, the vpn connection in Lucid worked i.e. ping domain name works, myip works, browsing works.

Test No 2
However when I powered off the PC; rebooted Lucid; connected to vpn with Gpptp v2.0; I was back to where I was before i.e. ping google.com gave the 'bad address' message. With Lucid still running, as Test 1, when I disconnected vpn and turned the wifi router off/on and then reconnected to vpn it worked OK i.e. ping google.com was OK.

Test No 3
Powered off the PC; turned wifi router off/on; then rebooted Lucid; connected to vpn; ping google.com gave 'bad address' message. As Test 2, with Lucid running, disconnected vpn; turned router off/on; connected vpn; ping google.com was OK.

Conclusion
Lucid without vpn is OK with my router. Lucid with vpn has a problem with my router. However if I turn the router off/on with Lucid running then Lucid with vpn works OK. Precise with or without vpn has no problems at all with my router.

I have no idea what it is that Lucid, when connected to vpn, doesn't like about my router and why it is that the problem can be solved by turning the router off/on after Lucid has booted. Precise, win XP, 7, 8 all work OK with vpn and current router.

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#17 Post by jafadmin »

Ok, I understand. However I need you to test with a LiveCD to determine if it's a hardware problem, or something is wrong with your frugal installs.

Could you please repeat the test you just did, but with a LiveCD?

It sounds like something is breaking your DNS. I need to know if it happens with a LiveCD.

Also, when it can not ping google.com, type the command: "cat /etc/resolv.conf" (without quotes) and report what happens or copy the output for us.

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#18 Post by pelican »

I've always used a liveusb stick but I've now burnt a LiveCD and used that. Installed Gpptp v2.0 and confirmed the connection to vpn was made.

Ping google.com produced the following

# ping google.com
ping: bad address 'google.com'
# cat /etc/resolv.conf
# Generated by dhcpcd from ra0
# /etc/resolv.conf.head can replace this line
nameserver 203.198.23.208
nameserver 218.102.32.208
# /etc/resolv.conf.tail can replace this line
#

ifconfig produced

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2960 (2.8 KiB) TX bytes:2960 (2.8 KiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.1.1 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1486 Metric:1
RX packets:278 errors:0 dropped:0 overruns:0 frame:0
TX packets:563 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:120161 (117.3 KiB) TX bytes:62313 (60.8 KiB)

ra0 Link encap:Ethernet HWaddr 00:22:43:13:37:78
inet addr:192.168.1.105 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50777 errors:0 dropped:0 overruns:0 frame:0
TX packets:25224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52983147 (50.5 MiB) TX bytes:2537101 (2.4 MiB)
Interrupt:17

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#19 Post by pelican »

With Lucid running; switch router off/on and reconnect to vpn.
VPN worked OK as follows ........

# ping google.com
PING google.com (173.194.127.230): 56 data bytes
64 bytes from 173.194.127.230: seq=0 ttl=55 time=18.958 ms
64 bytes from 173.194.127.230: seq=1 ttl=55 time=19.440 ms
64 bytes from 173.194.127.230: seq=2 ttl=55 time=245.509 ms
64 bytes from 173.194.127.230: seq=3 ttl=55 time=148.254 ms
64 bytes from 173.194.127.230: seq=4 ttl=55 time=18.106 ms
# cat /etc/resolv.conf
# Generated by dhcpcd from ra0
# /etc/resolv.conf.head can replace this line
nameserver 192.168.1.1
# /etc/resolv.conf.tail can replace this line

pelican
Posts: 15
Joined: Mon 09 Jun 2014, 11:58

#20 Post by pelican »

To complete the information I have.

Using Precise 5.7.1 on the same PC and router as Lucid 5.2.8.6. Gpptp v2.0 connects to vpn. Ping google.com works OK immediately and the following applies ......

# cat /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

Therefore vpn immediately works OK with Precise. I think I'll give up on Lucid and use Precise (or perhaps Precise retro)
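
The three resolv.conf outputs in posts #18 to #20 differ only in which nameservers are listed. The script below is an added example, not part of Gpptp or of any post in this thread; it classifies each nameserver by whether it sits on the physical interface's LAN subnet (reached directly, outside the tunnel) or is off-LAN and therefore follows the default route, which is ppp0 when the "Default" radio button is used. The function names are hypothetical, and it assumes the LAN's connected route stays in place while the VPN is up.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Gpptp).
# Classifies each nameserver in a resolv.conf as:
#   lan            on the physical interface's subnet, reached directly
#   default-route  off-LAN, follows the default route (ppp0 when Gpptp's
#                  "Default" radio button is selected)
# Assumption: the LAN's connected route stays in place while the VPN is up.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds when address $1 is inside the subnet of address $2 / netmask $3.
on_subnet() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# stdin: resolv.conf text.  $1/$2: LAN interface address and netmask.
# Prints one "<nameserver> <class>" line per nameserver entry.
classify_resolvers() {
    while read -r key value _rest; do
        [ "$key" = "nameserver" ] || continue    # skip comments and blanks
        if on_subnet "$value" "$1" "$2"; then
            echo "$value lan"
        else
            echo "$value default-route"
        fi
    done
}

# resolv.conf contents as posted in #18, #19 and #20 on this page.
lucid_failing() { cat <<'EOF'
# Generated by dhcpcd from ra0
# /etc/resolv.conf.head can replace this line
nameserver 203.198.23.208
nameserver 218.102.32.208
# /etc/resolv.conf.tail can replace this line
#
EOF
}
lucid_working() { cat <<'EOF'
# Generated by dhcpcd from ra0
# /etc/resolv.conf.head can replace this line
nameserver 192.168.1.1
# /etc/resolv.conf.tail can replace this line
EOF
}
precise_working() { cat <<'EOF'
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF
}

# LAN address and netmask of ra0, from the ifconfig output in post #18.
LAN_ADDR=192.168.1.105
LAN_MASK=255.255.255.0

for sample in lucid_failing lucid_working precise_working; do
    echo "== $sample"
    $sample | classify_resolvers "$LAN_ADDR" "$LAN_MASK"
done
# On a live system: classify_resolvers <addr> <mask> < /etc/resolv.conf
```

A nameserver reported as lan is queried over ra0 rather than ppp0, so name lookups stay visible to the local router even while the VPN is connected.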
