New Member
Posts: 19
Registered: ‎06-19-2014

Trouble with VPN on ERL/CLI

I just bought an ERL that has the new 1.4.1 software. I'm pretty good with routers but haven't messed with much Linux routing. Anyway, I signed up to a VPN service to hide my IP address. On most consumer routers you just type in the info and it goes. I have, to the best of my knowledge, followed what I could find. When I set it up how most people suggest and I turn on the NAT rule to go to pptpc0, I lose all internet. When I go to routing it shows 2 default routes, the normal one and the one I set up, which seems confusing to me. I want ALL my internet to route through the VPN, as it seems the least difficult way to route it. Or, if it's just as easy, I have one interface that really needs to go through it. Here is my config. I have purposely left the NAT on eth1 because I won't have access to talk to you guys if I don't. Been messing with this for two days, any help would be appreciated.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: Trouble with VPN on ERL/CLI

You should remove and repaste your config with passwords, etc. sanitized.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI

Is the VPN tunnel up?  The config looks basically sane except for missing NAT.  In my case I only want to send my work subnet over VPN, so my NAT looks like:

admin@stig-home# show service nat 
 rule 5000 {
     description "masq to VPN"
     destination {
         address 10.1.0.0/16
     }
     outbound-interface pptpc0
     type masquerade
 }
 rule 5001 {
     description "masq to WAN"
     outbound-interface eth0
     type masquerade
 }

 

EdgeMAX Router Software Development
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

How do I tell if it's up?
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

I mean when I check it says connected but I have no way of knowing, it's just a service to mask IP....
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

Also when I add the static route should I leave the other one in there? It looks conflicting? I don't know how to remove it either.
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI


@srmiller82 wrote:
Also when I add the static route should I leave the other one in there? It looks conflicting? I don't know how to remove it either.

If you take out the default route to your ISP then it won't know how to get to your VPN end-point.  Maybe remove the ISP gateway and replace with:

configure
delete system gateway-address
set protocols static route 108.177.165.2/32 next-hop 172.249.136.17
commit
save
exit

 

EdgeMAX Router Software Development
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

I actually thought about that earlier but thought it might cause a loop. What about how to tell if the tunnel is up? If it says connected, does that mean all is well?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI

@srmiller82 wrote:
How do I tell if it's up?

When I do a show interface I see mine says UP and packet counts in both directions and I can ping the peer address.

admin@stig-home:~$ show interfaces pptp-client pptpc0 
pptpc0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1488 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ppp 
    inet 10.242.1.4 peer 10.255.254.0/32 scope global pptpc0

    RX:  bytes    packets     errors    dropped    overrun      mcast
        785548       5350          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        835873       3459          0          0          0          0

 Also when I look at the end of the log I see:

admin@stig-home:~$ show interfaces pptp-client pptpc0 log 
[SNIP]
CHAP authentication succeeded
sent [CCP ConfReq id=0x10 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x10 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1f <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 10.255.254.0>]
ipcp: returning Configure-ACK
sent [IPCP ConfAck id=0x1 <addr 10.255.254.0>]
rcvd [IPCP ConfNak id=0x1f <addr 10.242.1.4>]
sent [IPCP ConfReq id=0x20 <addr 10.242.1.4>]
rcvd [IPCP ConfAck id=0x20 <addr 10.242.1.4>]
ipcp: up
Script /etc/ppp/ip-pre-up started (pid 26378)
Script /etc/ppp/ip-pre-up finished (pid 26378), status = 0x0
local  IP address 10.242.1.4
remote IP address 10.255.254.0
LCP: Timeout event in state 9!
Script /etc/ppp/ip-down finished (pid 26332), status = 0x0
Script /etc/ppp/ip-up started (pid 26472)
Script /etc/ppp/ip-up finished (pid 26472), status = 0x0

 

 

EdgeMAX Router Software Development
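
Added example, not part of the original thread: a small shell check that applies the two tests described in the reply above (interface flags plus packet counters in both directions, then the CHAP, MPPE and IPCP lines in the log). The function names are hypothetical and the sample text is constructed by trimming the outputs quoted above.

```shell
#!/usr/bin/env bash
# Added example: PPTP tunnel health check based on the two outputs quoted above.
# Constructed sample input, trimmed from those outputs.
SAMPLE_IFACE='pptpc0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1488 qdisc pfifo_fast state UNKNOWN qlen 100
    inet 10.242.1.4 peer 10.255.254.0/32 scope global pptpc0
    RX:  bytes    packets     errors    dropped    overrun      mcast
        785548       5350          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        835873       3459          0          0          0          0'

SAMPLE_LOG='CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x20 <addr 10.242.1.4>]
rcvd [IPCP ConfAck id=0x20 <addr 10.242.1.4>]
ipcp: up
local  IP address 10.242.1.4
remote IP address 10.255.254.0'

# iface_ok (hypothetical name): stdin = "show interfaces pptp-client pptpc0" text.
# Succeeds only if the flags contain UP and LOWER_UP and the RX and TX packet
# counters are both non-zero, i.e. traffic flows in both directions.
iface_ok() {
  awk '
    /<[A-Z_,]+>/         { if ($0 ~ /[<,]UP[,>]/ && $0 ~ /[<,]LOWER_UP[,>]/) up = 1 }
    /^[ \t]*RX:/         { want = "rx"; next }
    /^[ \t]*TX:/         { want = "tx"; next }
    want != "" && NF > 1 { if (want == "rx") rx = $2; else tx = $2; want = "" }
    END { exit !(up && rx > 0 && tx > 0) }'
}

# log_status (hypothetical name): stdin = "show interfaces pptp-client pptpc0 log".
# Prints the first stage missing from the most recent session: no-auth,
# no-mppe (no encryption negotiated), no-ipcp (no addresses), or up.
log_status() {
  awk '
    /^CHAP authentication succeeded/ { auth = 1; mppe = 0; ipcp = 0 }
    /^MPPE .* enabled/               { mppe = 1 }
    /^ipcp: up/                      { ipcp = 1 }
    END {
      if (!auth)      print "no-auth"
      else if (!mppe) print "no-mppe"
      else if (!ipcp) print "no-ipcp"
      else            print "up"
    }'
}

if printf '%s\n' "$SAMPLE_IFACE" | iface_ok; then echo "interface: passing traffic"; fi
echo "log: $(printf '%s\n' "$SAMPLE_LOG" | log_status)"
```

On the router, the same functions can be fed the saved output of the two show commands instead of the sample strings.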
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

Oh, I don't think that server will accept a ping.
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

One more question: I checked status and the peer is different than the one they told me to configure with. Is that normal?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI


@srmiller82 wrote:
One more question: I checked status and the peer is different than the one they told me to configure with. Is that normal?

I think that's normal.  In my case the pptp server-ip for interface pptpc0 is a public address, but when the pptpc0 interface comes up it gets assigned a private address and the peer address is private (at least in my case).

EdgeMAX Router Software Development
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

OK, thanks a lot for the help, that got the VPN going. I have another question if you don't mind. This VPN turns out to be crap as far as pings, I get them spiking as high as 400ms at times, which won't work, but I think I found one that will work, much closer to me. To take out some of the routing confusion: if I set up a next-hop gateway like you had me do again but leave out the default route, because I only have one client I need it to run through, and if I changed the gateway on the client to whatever the IP of the VPN is, then have a gateway set up in the router, would this also work? Instead of routing all traffic through the VPN, just the one client?

New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

Also, how do I remove the gateway/kernel routing that was put in when I made the original VPN? Seems like there are IPs lingering around I can't get rid of.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI

@srmiller82 wrote:

OK, thanks a lot for the help, that got the VPN going. I have another question if you don't mind. This VPN turns out to be crap as far as pings, I get them spiking as high as 400ms at times, which won't work, but I think I found one that will work, much closer to me. To take out some of the routing confusion: if I set up a next-hop gateway like you had me do again but leave out the default route, because I only have one client I need it to run through, and if I changed the gateway on the client to whatever the IP of the VPN is, then have a gateway set up in the router, would this also work? Instead of routing all traffic through the VPN, just the one client?


Instead of changing the default route on the client I'd use source based routing for that client.  If the client was 1.1.1.1 on LAN eth2:

configure
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0
set firewall modify sbr rule 1 source address 1.1.1.1
set firewall modify sbr rule 1 modify table 1
set interfaces ethernet eth2 firewall in modify sbr
commit

 

EdgeMAX Router Software Development
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

OK, add default but also a firewall. You're the best, I will give that a try. Thanks for all the help.
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

What's the eth2 for?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI


@srmiller82 wrote:
What's the eth2 for?

You create a modify policy and then apply it to the LAN firewall in modify.  Replace eth2 with whatever LAN your client is behind.

EdgeMAX Router Software Development
New Member
Posts: 19
Registered: ‎06-19-2014

Re: Trouble with VPN on ERL/CLI

says my srb rule is not configured?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Trouble with VPN on ERL/CLI


@srmiller82 wrote:

says my srb rule is not configured?


sbr not srb.

EdgeMAX Router Software Development