PPTP VPN on Ubuntu Jaunty Dies When Using Samba

Recently I began dual booting my laptop with Ubuntu 9.04 (Jaunty) to mess around with Linux again.  There were a few things that didn't work quite right with previous versions of Ubuntu (wireless card wouldn't work and sound wouldn't work without a lot of tweaking).

One thing that I really like about Ubuntu/Linux is the fact that it is relatively secure from viruses and all those popups online about your computer being infected with viruses and spyware.  It is also very stable and doesn't seem to slow down the longer you leave the computer on.

Another big plus is the cool Compiz Fusion desktop effects – ranging from 3D cubes, animations, and many other features.  While this is just "eye candy", when anyone else sees these features, they are intrigued and they all want those effects for their computer!

However, I have fallen on to one problem with Ubuntu 9.04 (Jaunty) that is somewhat of a problem for me – PPTP VPN and moving large files or big chunks of data.  Using the built-in Network Manager in Ubuntu, there are a few packages you need to install to allow you to use a PPTP VPN.  The neat thing about the way it is set up is that the network icon on your panel can be clicked – then there is a VPN menu in there and it is quick and easy to connect to a VPN connection.

To install the needed features to get a PPTP VPN to work, issue the following command:

sudo apt-get install network-manager-pptp

After installing the PPTP items for VPN, you can then configure your VPN by left-clicking the network icon in your panel, going to VPN Connections, and then Configure VPN.  In there, you will set up your new VPN connection with all of the items you need.  One issue that was a problem previously was the fact that you couldn't disable EAP authentication.  In the new Network Manager, you can disable this feature.  I only select the one authentication method I allow for VPN and uncheck the rest.  Under the IPv4 settings, there is a Routes button.  In here, I make sure to check "ignore automatically obtained routes" and "Use this connection only for resources on its network."  I then have to specify the route I want by clicking in each of the fields in the box above.  This will ensure that anytime I enter an IP address within that network range, it routes it over the VPN instead of the connection being attempted over the default route (regular Internet).

I then can connect up to the VPN and it works just fine!  However, I found a slight problem – the VPN will fail and disconnect anytime I attempt to transmit a large amount of information!  Specifically, when I attempt to use VPN to connect to a Samba server on the network, it fails.  I can open up the Samba share and see all the shared files/folders, but the moment I attempt to copy or delete a file on the share, the VPN would fail.  Every now and then, the VPN would also fail if I used the Terminal Services Client in Ubuntu to connect to a VNC connection on the network.  However, it does appear that I was able to use SSH fine through the VPN – but I rarely need that use versus the ability to move and transfer files.

After working on the problem for a bit, the error logs were showing the following when the disconnect happened:

Jul 31 10:20:16 Desktop pptp[5449]: nm-pptp-service-5440 warn[decaps_gre:pptp_gre.c:331]: short read (-1): Message too long

After a little bit of tweaking using a manual method of making a PPTP connection, I discovered that the problem was the MTU (Maximum Transmission Unit) seemed to be too large.  When connecting to a VPN using the Network Manager, it sets the MTU at 1400.  The MTU on the Ethernet connection is 1500.  I played with the MTU/MRU numbers in a manual configuration file for a little while until I discovered that an MTU/MRU of 1250 was the highest I could set it.  If I set it at 1275, the connection would also fail when attempting to move data to a Samba share over the VPN.
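A packet-size limit like this can also be measured rather than found by reconnecting with different values. The script below is an added example, not part of the original post: it binary-searches the largest ICMP payload that reaches a host with "don't fragment" set and reports the resulting path MTU. It assumes iputils ping, a target that answers echo requests, and that it is pointed at the VPN server's address with the tunnel down; the tunnel's mtu/mru then has to sit below the reported figure by the PPTP encapsulation overhead.

```bash
#!/bin/bash
# Added example: find the largest unfragmented ICMP payload to a host.

# probe SIZE HOST -> exit 0 if one echo of SIZE payload bytes is answered.
# iputils ping: -M do sets "don't fragment", -s payload size,
# -c packet count, -W reply timeout in seconds.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH
# Prints the largest payload in [LOW, HIGH] that gets a reply.
# Returns 1 if even LOW gets no reply (host down or ICMP filtered).
find_max_payload() {
    fmp_host="$1"; fmp_lo="$2"; fmp_hi="$3"
    probe "$fmp_lo" "$fmp_host" || return 1
    while [ "$fmp_lo" -lt "$fmp_hi" ]; do
        # Round the midpoint up so the loop always makes progress.
        fmp_mid=$(( (fmp_lo + fmp_hi + 1) / 2 ))
        if probe "$fmp_mid" "$fmp_host"; then
            fmp_lo="$fmp_mid"
        else
            fmp_hi=$(( fmp_mid - 1 ))
        fi
    done
    echo "$fmp_lo"
}

# payload_to_mtu PAYLOAD -> payload + 20-byte IPv4 header + 8-byte ICMP header
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage: ./mtu-probe.sh HOST   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    # 1472 = 1500-byte Ethernet MTU minus the 28 header bytes.
    if payload="$(find_max_payload "$1" 500 1472)"; then
        echo "largest payload $payload, path MTU $(payload_to_mtu "$payload")"
    else
        echo "no reply from $1 even at 500 bytes" >&2
        exit 1
    fi
fi
```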

So, needless to say, I am having to manually connect to VPN for the time being.  I'm surprised that the VPN Network Manager in Ubuntu will not allow you to set the MTU of the connection.  If this could be done, this problem would be easily resolved by allowing users to change it to what is the most stable.  Below I will illustrate the steps I used to get the VPN to work manually.

First, you will need to open your chap-secrets file as the root user (/etc/ppp/chap-secrets).  Make an entry similar to the following:

USER     PPTP     PASSWORD     *

Be sure to set USER to the username for the connection and PASSWORD to the password for the connection.  PPTP says that it will be used on the PPTP connection and the * (asterisk) indicates that the username/password will be used for any PPTP connection you make to any server.  You can also change this specifically to the IP address or server where the connection will be made.  Now save and close the chap-secrets file.

The next file to change will be your options.pptp file (/etc/ppp/options.pptp).  If you use MPPE encryption, you will want to remove the hash sign (#) from in front of the appropriate command.  If you use 128-bit MPPE, remove the hash in front of the "require-mppe-128" line.  Also, ensure that your configured authentication type is allowed.  In the configuration file, the default authentication types are all refused:

refuse-pap
refuse-eap
refuse-chap
refuse-mschap

After you have your settings updated, click Save and close the file.

Now, there is one more file you need to modify – this one you actually will need to create.

Go into your /etc/ppp/peers folder.  In there, create a new file.  You will have to have root access in order to get into this folder.  For simplicity, I would make it one word – maybe just VPN.  Now, here is a copy of the file I made.  I named mine VPN as well:

pty "pptp SERVER --nolaunchpppd"
name USERNAME
remotename PPTP
file /etc/ppp/options.pptp
ipparam VPN
mru 1250
mtu 1250

Let's go over some of those settings.  The first line has SERVER in it.  Ensure this is changed to the IP address or fully qualified domain name of the VPN server you will connect to.  For the name line, ensure you change the USERNAME to the username you use to connect to the VPN.  For the remotename line, PPTP is shown here.  This corresponds back to the /etc/ppp/chap-secrets file (remember where PPTP was put in?).  Lastly, on the ipparam line, VPN is the name of this file you saved.  So, since I named mine VPN, it says VPN.  You can see also that I pushed the settings of the MRU and MTU to 1250 – which are the two lines needed to keep the VPN running stable.  Now, save and close this file.

You are all done with the manual method of a PPTP VPN connection!

In order to run the VPN connection, you will then run the following command as root:

pon VPN

Again, ensure VPN is the name of the file you saved in the /etc/ppp/peers folder with your connection settings.

After connecting to VPN, I bet you notice that nothing is working!  This is because you need to tell your computer what to route through the VPN.  This can be done by the following:

sudo route add -net 192.168.254.0/24 dev ppp0

Ensure you put in the network range that your VPN uses.  When I connect to VPN, I get a 192.168.254.x IP address – and I know that the network all is within that range.

If you want the route to be added automatically when the connection is made, this can also be done.  This alleviates an extra command that has to be entered whenever you make a connection.

To have the route added automatically, navigate to your /etc/ppp/ip-up.d folder.  In there, create a new file called route-traffic.  Type in the following:

#!/bin/bash
route add -net 192.168.254.0/24 dev ppp0

Close and save the file.  Now ensure that it is executable by running:

sudo chmod 755 route-traffic

The file will then run whenever your VPN connection is created.
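Scripts in /etc/ppp/ip-up.d run for every PPP link that comes up, and the tunnel is not guaranteed to be ppp0. The variant below is an added example, not part of the original post: it adds the route only when the link's ipparam matches the value set in the peers file, and uses the interface name pppd reports. It assumes the Debian/Ubuntu /etc/ppp/ip-up wrapper, which exports PPP_IPPARAM and PPP_IFACE to these scripts.

```bash
#!/bin/bash
# /etc/ppp/ip-up.d/route-traffic (added example)

VPN_IPPARAM="VPN"             # must match the "ipparam" line in /etc/ppp/peers/VPN
VPN_NET="192.168.254.0/24"    # network range used behind the VPN

# route_command IPPARAM IFACE
# Prints the route command for this link, or nothing when the link is not
# the VPN or no interface name was passed in.
route_command() {
    if [ "$1" = "$VPN_IPPARAM" ] && [ -n "$2" ]; then
        echo "route add -net $VPN_NET dev $2"
    fi
}

# PPP_IPPARAM and PPP_IFACE are set by the ip-up wrapper for each new link.
rt_cmd="$(route_command "${PPP_IPPARAM:-}" "${PPP_IFACE:-}")"
if [ -n "$rt_cmd" ]; then
    $rt_cmd
fi
```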

So, you are now fully connected to your VPN!  Now, to disconnect, enter the following command as root:

poff VPN

Again, where VPN is the name of the file you saved in /etc/ppp/peers.

This is definitely a long work-around for VPN, but once it is set up, it is just a matter of issuing the two commands to connect (or one if you made the route-traffic file), and the one to disconnect.  I am hoping that they will fix the Network Manager to allow users to put in their own MTU levels sometime shortly.