Sunday, May 27, 2007

VPN in Ubuntu using Network Manager

UPDATE: I found a better way to connect to a VPN. Check this post.

Imagine you have a Windows Network at work and you're stuck at home waiting for the plumber to fix the sink. No problem, just connect via VPN to your workplace, launch a Remote Desktop and in no time you're working on that piece of code you must deliver yesterday. With this being such a useful and common scenario, how come it is so hard to set up in Ubuntu?

Here's how I managed to connect to my workplace via VPN using Ubuntu. Let me say upfront that I'm not particularly happy with the result, and I'll try to do it some other way in the near future. But if you're desperate this will do. This is not a How To, but rather a step-by-step description of the tries and failures. Maybe it can help someone who finds the same error messages I've encountered. Well, here goes:

First I tried pptpconfig. Everything seemed to be properly configured, but all I got was the error message:

Cannot determine ethernet address for proxy ARP (Update: Actually this is not a problem. Just add noproxyarp to the pppd parameters.)

So I decided to install the Network Manager PPTP package:

sudo apt-get install network-manager-pptp

And restarted everything that depended on the package:

sudo /etc/dbus-1/event.d/25NetworkManager restart
sudo /etc/dbus-1/event.d/26NetworkManagerDispatcher restart
killall gnome-panel
nm-applet &

The killall and nm-applet commands are there to restart the Network Manager icon on your gnome panel. If for some reason the Network Manager icon does not appear (happened to me) just execute:

sudo /etc/dbus-1/event.d/25NetworkManager start
killall gnome-panel
nm-applet &

If you click the Network Manager icon now, you should have a "VPN Connections" entry. Just configure your own VPN connection and it should appear in the list of VPNs. Click it. If it works, you're in luck. If it doesn't, keep reading.

To keep an eye on what's going on with the VPN connection, just tail syslog:

sudo tail -f /var/log/syslog

That's how I found this error message:

(...) no currently active network device, won't activate VPN.

I googled for a while and found that if you want to use Network Manager to take care of your VPN, you cannot have a Wireless Connection manually configured. Oh boy... So I opened the manual configuration, saved my current configuration and in the properties of the Wireless connection ticked the box "Enable roaming mode". Because I have a somewhat odd configuration of routers at home, I also had to reconfigure all the routers, but I won't bother you with that.

My main problem with the roaming mode is that it stores the WEP password in the keyring. That's all fine and safe, but it means that when I log in, besides having to enter my username and password I also have to put in my keyring password! Very annoying!

On with the show. Connect VPN. More mysterious errors in syslog:

LCP terminated by peer (+ bunch of characters blogger won't let me type)

This is a funny one! First because it was a bit lost in the middle of a bunch of error messages. Second because, at least to me, it means absolutely nothing! Using a bit of intuition I thought it might be an authentication problem, so I just ticked all the boxes in the "Authentication" tab in the VPN configuration dialog and... it worked! I have a VPN connection to my workplace!
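
The three syslog messages from this post and the workaround that got past each one, collected into a small filter for the tail output. This is an added example, not part of the original post; the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# vpn_triage: read syslog lines on stdin and print one hint per known
# PPTP / Network Manager message. Hypothetical helper; the hints are the
# workarounds described in this post, nothing more.

# Print a hint only the first time its key is seen (pppd retries repeat lines).
_hint() {
    case " $seen " in *" $1 "*) return 0 ;; esac
    seen="$seen $1"
    echo "$1: $2"
}

vpn_triage() {
    seen=""
    while IFS= read -r line; do
        case $line in
            *"Cannot determine ethernet address for proxy ARP"*)
                _hint proxyarp "add noproxyarp to the pppd parameters" ;;
            *"no currently active network device, won't activate VPN"*)
                _hint no-device "enable roaming mode instead of a manual wireless configuration" ;;
            *"LCP terminated by peer"*)
                _hint lcp "check the Authentication tab of the VPN connection" ;;
        esac
    done
}

# Constructed sample lines (timestamps, host name and PIDs are made up).
sample_log() {
    cat <<'EOF'
May 27 10:01:02 laptop pppd[4321]: Cannot determine ethernet address for proxy ARP
May 27 10:05:40 laptop NetworkManager: no currently active network device, won't activate VPN.
May 27 10:09:13 laptop pppd[4388]: LCP terminated by peer
May 27 10:09:20 laptop pppd[4391]: LCP terminated by peer
May 27 10:09:21 laptop kernel: unrelated line
EOF
}

# Live use: sudo tail -f /var/log/syslog | vpn_triage
# Offline demonstration on the constructed sample:
sample_log | vpn_triage
```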

Just to wrap up, here's what I didn't like about all this:
  1. It's a lot of work for something so common.
  2. Because the WEP is in the keyring I must enter the keyring password each time I log in.
  3. I must use roaming for my wireless connection. This means the router must do the configuration, and my routers suck at that.
  4. PPTP logs are there for the people who know the code or the protocol by heart.
  5. I'll probably just revert to my old configuration and try a new way of connecting via VPN. I got back to my old configuration and managed to configure the VPN in a different way.


alex smith said...

The reason for this turns out to be because the default behaviour of the included vpn client is to re-use the IP address that the Hotspot network has assigned to the machine's wireless connection for the VPN connection. The VPN server doesn't like that.

icon manager said...

It's a nice blog.