Having an issue with my VPN setup and I’m not sure if it’s client facing or server facing.
Network and VPN are set up as so: the servers are set up on a private 192.168 network with NO internet access. All servers are on 192.168.0.x. VPN access is handed out on the 192.168.1.x IP range and the subnet is set to 255.255.245.0 so both can talk to each other just fine.
Using my laptop remotely (OS X 10.9, FYI) I can VPN to the network; it connects just fine and I can access the servers in the 192.168.0.x range without fail. I am given a 192.168.1.x IP and can access the internet via my local 10.1.10.x connection (not through the VPN). And that's where the problem arises. The local internet will work fine for about 10-20 minutes and then, for no reason that I can see or log, the whole system will feed 100% of network traffic through the VPN and I lose all internet access. I still have access to the servers and all computers on the 192.168 network; I just cannot ping outside that network. The only resolution is to disconnect the VPN and reconnect, and the clock starts over.
I'm assuming this is an issue on my local machine (i.e. client side); however, I have other VPN connections that are similar and work just fine. Not sure what other info you may need, but I'll be happy to update. The VPN system is a Linux-based system running off a Synology NAS server. The same server is also running the DHCP for the private 192.168 network.
UPDATE: I found the issue (I think, 1:30 of uptime so far!). It looks like running a privacy tunnel via your browser causes a conflict with the active VPN. I installed ZenMate a while back and forgot about it. Didn't think that the issue was only when I opened Chrome. I was on Safari and everything was working as planned; I pulled up a dev link via Chrome to verify a UI change and BAM! No access. Went back to Safari and it was connected just fine. Started to dig into Chrome and noticed the little shield lit up in the plugins bar. Disabled that and hello internet. I feel dumb now.
Current Issue: I'm still working on moving over to OpenVPN or L2TP. I can connect to L2TP and get an IP address of 192.168.3.x. However, I cannot hit the 192.168.0.x network. I think my subnet is wrong but I'm not sure what the correct settings should be. Right now it's 255.255.248.0. Any advice on that and I'll be happy to ditch PPTP. NEVER MIND! A reboot of the DHCP server fixed this. I'm all good =)
I would start with comparing routing tables. Do this command in Terminal when it’s working how it should and then when it stops working:
netstat -n -r
Also, as soon as it stops working, do this command:
dmesg | tail -n 50
Show us the routing tables you get; and see if there are any network related words in the dmesg output.
It does sound like you have an issue with split routes not working correctly (you want only 192.168.1/24 traffic sent to the VPN, not all traffic). I guess I’d double check to be sure that you’re not pushing a route from the remote side which is somehow poisoning your local routing table. The flaw has to be in your routing table(s) somewhere if it’s quasi functioning like you mention.
Also – PPTP is horrible, use OpenVPN if you can.
Thanks. I'll update once it stops working.
Here's the linked section Security from the Wikipedia article Point-to-Point Tunneling Protocol:
PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment. PPTP is (as of October 2012) considered cryptographically broken and its use is no longer recommended by Microsoft[citation needed].
A summary of these vulnerabilities is below:
MSCHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT Password hashes from a captured MSCHAP-v1 exchange.
When using MSCHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together.
MSCHAP-v2 is vulnerable to dictionary attack on the captured challenge response packets. Tools exist to perform this process rapidly.
In 2012, it was shown that a brute-force attack on MSCHAP-v2 is equivalent to a single DES key brute-force attack. An online service was presented which is capable of recovering the MD4 hash of an MSCHAP-v2 passphrase in 23 hours.
MPPE uses RC4 stream cipher for encryption. There is no method for authentication of the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An attacker could modify the stream in transit and adjust single bits to change the output stream without poss …
Thanks, I have now blocked PPTP via the firewall and enabled L2TP.
Thanks for that. This is only for my small company (read: 4 employees) and I'm the sysadmin, developer, owner and sales guy. So suffice to say this is all trial and error on my part. Still having issues with the L2TP seeing the 192.168.1.x network. It's an issue/bug I'm seeing with the Synology system where if I plot out a subnet of, say, 255.255.248.0, the system blocks out all IPs up to 192.168.7.x for DHCP. So I have to rename the subnet to 255.255.255.0, then set the VPN IP ranges, then re-set up the subnet back to 248.0 so the VPN IPs can be within the subnet range. I haven't done that yet because the web server uses iSCSI drives off the Synology for its DB and large storage sites. So messing with the DHCP will kick off iSCSI (probably not the best configuration setup). So to get L2TP to work, I have to shut down the servers to redo the DHCP settings. So for now I'm just trying to troubleshoot the PPTP; once I figure that out, then I'll mess with the L2TP.
Also note: this whole VPN is only for me. The only reason I have VPN enabled here is for me to remotely manage servers and settings. No one else will use the VPN. So having L2TP is not a huge priority since it's just me accessing it, but I am aware of the DDoS and other vulnerabilities of PPTP.