Saturday, June 10, 2006

VPN Howto: Linksys + DD-WRT + PPTP + Mac OS X Client

The Problem


So we couldn't find any documentation on getting a Mac OS X VPN client to connect to our Linksys router using PPTP, so we thought we'd post a short guide. We used Mac OS X Tiger 10.4.6 and a Linksys WRT54GL running DD-WRT v23 SP1, but these steps should work with any router running DD-WRT.

Following the guides we've found will result in Internet Connect aborting with the error, "Could not negotiate a connection with the remote PPP server".

The problem is that OS X's pppd gets confused about MPPE encryption and fails to negotiate it properly:

$ tail /var/log/ppp.log
Sat Jun 10 02:43:15 2006 : Refusing MPPE stateful mode offered by peer
Sat Jun 10 02:43:15 2006 : MPPE required but peer negotiation failed


When encryption is enabled in the OS X client, the client treats it as mandatory. DD-WRT's default PPTP config enables encryption but does not force it, and OS X's pppd will fail on encryption negotiation unless the server requires encryption too.

Instead of disabling encryption altogether, we need to change DD-WRT's PPTP config to force encryption. The easiest way to do this is to create a startup script that overwrites the default PPTP config. The complete steps follow.

Router Configuration


1) Install the most recent version of the dd-wrt firmware for your router.

2) Click on Administration, Services. In the PPTP section, enable PPTP Server. At the bottom, hit Save Settings.
Now that we have enabled the PPTP server, we must configure it.

3) Click on Administration, Services. In the PPTP section, enter the LAN address of your router (probably 192.168.1.1). In the Client IP(s) section, enter a range of one or more IP addresses that do not overlap with the DHCP address range. For example: "192.168.1.10-20". In the CHAP-Secrets section, enter a list of username/password combinations in the following file format:
user * password *
bob * bobspassword *


Note that the router's root username/password is also allowed to connect via PPTP. At the bottom, hit Save Settings.

The PPTP Server is now configured. However, we need to create a startup script to overwrite one of the PPTP config files.

4) Click on Administration, Diagnostics. In the Commands text area, paste the following script:
echo 'lock' > /tmp/pptpd/options.pptpd
echo 'name *' >> /tmp/pptpd/options.pptpd
echo 'proxyarp' >> /tmp/pptpd/options.pptpd
echo 'ipcp-accept-local' >> /tmp/pptpd/options.pptpd
echo 'ipcp-accept-remote' >> /tmp/pptpd/options.pptpd
echo 'lcp-echo-failure 3' >> /tmp/pptpd/options.pptpd
echo 'lcp-echo-interval 5' >> /tmp/pptpd/options.pptpd
echo 'deflate 0' >> /tmp/pptpd/options.pptpd
echo 'auth' >> /tmp/pptpd/options.pptpd
echo '-chap' >> /tmp/pptpd/options.pptpd
echo '-mschap' >> /tmp/pptpd/options.pptpd
echo '+mschap-v2' >> /tmp/pptpd/options.pptpd
echo 'mppe required' >> /tmp/pptpd/options.pptpd #this line forces encryption and fixes OS X
echo 'mppe stateless' >> /tmp/pptpd/options.pptpd
echo 'mppc' >> /tmp/pptpd/options.pptpd
echo 'ms-ignore-domain' >> /tmp/pptpd/options.pptpd
echo 'chap-secrets /tmp/pptpd/chap-secrets' >> /tmp/pptpd/options.pptpd
echo 'ip-up-script /tmp/pptpd/ip-up' >> /tmp/pptpd/options.pptpd
echo 'ip-down-script /tmp/pptpd/ip-down' >> /tmp/pptpd/options.pptpd
echo 'ms-dns 192.168.1.1' >> /tmp/pptpd/options.pptpd #enter your router's ip here
echo 'mtu 1450' >> /tmp/pptpd/options.pptpd
echo 'mru 1450' >> /tmp/pptpd/options.pptpd


Make sure to replace "192.168.1.1" with the LAN IP of your router, if it's different. Click Save Startup. The router is now configured; let's set up the VPN connection in OS X.
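A parameterised version of the startup script above, added here as an example and not the post's own code: it writes the same options from one heredoc, validates the LAN address, and then checks that the written file actually forces MPPE and keeps the weaker CHAP and MS-CHAPv1 authenticators disabled. The output path is an assumed parameter so the functions can be tried off the router; the option names are those the post uses for DD-WRT v23's pppd.

```shell
#!/bin/sh
# Added example, not the post's script: write DD-WRT's options.pptpd from one
# heredoc with the LAN IP as a parameter, then verify the written file forces
# MPPE. Option names are the ones the post uses for DD-WRT v23's pppd.

# write_pptpd_options LAN_IP [OUTFILE] -> 0 on success, 1 on a bad address
write_pptpd_options() {
    lan_ip=$1
    out=${2:-/tmp/pptpd/options.pptpd}
    # Crude dotted-quad check: digits and dots only, four groups, no empties.
    case "$lan_ip" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case $out in */*) mkdir -p "${out%/*}" || return 1 ;; esac
    cat > "$out" <<EOF
lock
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
auth
-chap
-mschap
+mschap-v2
mppe required
mppe stateless
mppc
ms-ignore-domain
chap-secrets /tmp/pptpd/chap-secrets
ip-up-script /tmp/pptpd/ip-up
ip-down-script /tmp/pptpd/ip-down
ms-dns $lan_ip
mtu 1450
mru 1450
EOF
}

# check_pptpd_options [FILE] -> 0 only if encryption is forced ("mppe
# required") and the weaker CHAP / MS-CHAPv1 authenticators stay disabled.
check_pptpd_options() {
    f=${1:-/tmp/pptpd/options.pptpd}
    [ -r "$f" ] || return 1
    grep -q '^mppe required$' "$f" &&
    grep -q '^+mschap-v2$' "$f" &&
    grep -q '^-chap$' "$f" &&
    grep -q '^-mschap$' "$f"
}
```

On the router, paste both functions followed by `write_pptpd_options 192.168.1.1 && check_pptpd_options` into the Commands box and click Save Startup; a non-zero exit from the check means the file was not rewritten as intended.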

OS X Configuration


1) Open Internet Connect. In the File menu, select New VPN Connection. Pick PPTP and click Continue.

2) Under Server address, enter the WAN IP or hostname of your router. For Account Name and Password, you can use any of the accounts specified earlier, or the root username/password that is used to log in to the router.

3) In the Connect menu, select Options. Disable Send all traffic over VPN connection and hit OK.

4) Click the Connect button and enjoy your VPN.

37 comments:

Anonymous said...

This is an excellent article - thanks, for me it worked first time - couldn't believe it.

I am using a WRT54GS with OPENWRT and a MacBook Pro to connect to my router at home from work.

Although I can ping hosts at home, I was actually hoping to be able to use the setup to be able to surf from the web and send email from work through the encrypted PPTP link using my router at home.

After connecting I tried a number of combinations setting safari to use the linksys as a proxy server and also inserting the router as the DNS server but all to no avail. I then tried routing all traffic through the vpn but again to no avail.

Does anyone have any solutions to this as I am sure it is probably just a simple routing issue. Thanks.

Anonymous said...

Oops ... that should be DD-WRT (not openWRT) I am using to successfully connect.

Anonymous said...

Worked for me on the first try... but the VPN connection only and always lasts for 20 seconds. I have connected as the router user account and as an account that I specified in the CHAP-Secrets field. The following is my /var/log/ppp.log from a successful then disconnected connection. I use the exact same startup script as specified above (changing my router IP to the correct value of 10.0.0.1)

Mon Aug 7 22:52:51 2006 : PPTP connecting to server 'SERVER NAME' (IP)...
Mon Aug 7 22:52:51 2006 : PPTP connection established.
Mon Aug 7 22:52:51 2006 : Using interface ppp0
Mon Aug 7 22:52:51 2006 : Connect: ppp0 <--> socket[34:17]
Mon Aug 7 22:52:51 2006 : MPPE 128-bit stateless compression enabled
Mon Aug 7 22:52:54 2006 : route_interface: write routing socket failed, File exists
Mon Aug 7 22:52:54 2006 : local IP address 10.0.0.10
Mon Aug 7 22:52:54 2006 : remote IP address 10.0.0.1
Mon Aug 7 22:52:54 2006 : primary DNS address 10.0.0.1
Mon Aug 7 22:52:54 2006 : secondary DNS address 10.0.0.1
Mon Aug 7 22:53:11 2006 : LCP terminated by peer (MPPE disabled)
Mon Aug 7 22:53:11 2006 : Connection terminated.
Mon Aug 7 22:53:11 2006 : Connect time 0.4 minutes.
Mon Aug 7 22:53:11 2006 : Sent 1004 bytes, received 156 bytes.
Mon Aug 7 22:53:11 2006 : PPTP disconnecting...
Mon Aug 7 22:53:11 2006 : PPTP disconnected


Any ideas?

Anonymous said...

Here is a more verbose section of the end of the error log output. I am running OS X 10.4.7 on a G4 Powerbook with all security updates installed.

Mon Aug 7 23:27:18 2006 : ipcp: up
Mon Aug 7 23:27:18 2006 : route_interface: write routing socket failed, File exists
Mon Aug 7 23:27:18 2006 : local IP address 10.0.0.30
Mon Aug 7 23:27:18 2006 : remote IP address 10.0.0.1
Mon Aug 7 23:27:18 2006 : primary DNS address 10.0.0.1
Mon Aug 7 23:27:18 2006 : secondary DNS address 10.0.0.1
Mon Aug 7 23:27:34 2006 : rcvd [LCP TermReq id=0x4 "MPPE disabled"]
Mon Aug 7 23:27:34 2006 : LCP terminated by peer (MPPE disabled)
Mon Aug 7 23:27:34 2006 : ipcp: down
Mon Aug 7 23:27:34 2006 : sent [LCP TermAck id=0x4]
Mon Aug 7 23:27:34 2006 : rcvd [LCP TermReq id=0x5 "MPPE disabled"]
Mon Aug 7 23:27:34 2006 : sent [LCP TermAck id=0x5]
Mon Aug 7 23:27:35 2006 : Connection terminated.
Mon Aug 7 23:27:35 2006 : Connect time 0.4 minutes.
Mon Aug 7 23:27:35 2006 : Sent 590 bytes, received 0 bytes.
Mon Aug 7 23:27:35 2006 : PPTP disconnecting...
Mon Aug 7 23:27:35 2006 : PPTP disconnected

Anonymous said...

if you get "route_interface: write routing socket failed, File exists" in your ppp.log and your connection drops after 20 seconds, it is probably because your current IP and the IP address assigned to you by the VPN connection (in this case, 10.0.0.10) are on the same subnet. the system can't figure out how to set up the routing correctly, and the connection times out. this happens to me if i try to connect to my VPN from inside my own network, because i'm already on the same subnet.

to be a little more specific - in my case i have an address like 192.168.1.103 that i get when connecting to my wireless router. if i try to connect via pptp to the same router, it tries to assign me another address in the same subnet, like 192.168.1.190. it also wants to set up my default route for 192.168.1.* to be over the ppp connection. which it can't, because there is already a default route for 192.168.1.* over my wireless connection.

Anonymous said...

I hope that the VLAN and VPN features can be used to allow a wireless user to only be able to connect to the hardwired Cat5 clients via VPN.

The WAN is one VLAN.
The hardwired VLAN is a second.
The WLAN is a third.
The VPN is a fourth.

Anonymous said...

I'm not sure what the difference is between my configuration and that described above (I'm running Mac OS X client v10.4.7 as well), but I didn't find that I needed the fix outlined. I was able to connect via PPTP without making any changes to DD-WRT at all.

Anonymous said...

As posted above, this really is a great article.

Very well written, concise, and worked on the first try.

Nice job.

Anonymous said...

First of all, thanks! That finally allowed me to connect to the router. The only thing now, is that when I am connected, I can't browse any other computers on the network (don't show up in "Network" in the finder) and I can't manually connect to any of them either (using the Go>Connect to Server menu). I am connected to the router via VPN, but it's like I'm not on the same LAN as all the other computers on the network. Any suggestions?

I have an IP in the same range as all the others, btw.

Anonymous said...

Just wanted to mention that this allowed me to connect my linux (Ubuntu) pptp client to my DD-WRT VPN.

I assume it was for the same reason that you couldn't connect with your Mac.

Andrew Caw said...

Thanks a mil for this guide - I'd been struggling to get this done all day but once I plugged in your startup script it all works 100%!

Thanks
Andrew Caw
GadgetMan.co.za

Dug said...

just piling on some more thanks...your well-written article was very helpful.

Anonymous said...

Thanks for the write-up. It worked for me with one small problem. I needed to run this command to get the pptpd config file to save.

nvram commit

Once I did that I was able to connect. Now I have the problem of only staying connected for a few seconds.

Anonymous said...

Ok, never mind my last comment. I didn't need "nvram commit". My problem was that I didn't click on "Save Startup" when I was entering the commands. I only clicked on "Run Commands". I guess I should read a bit more carefully. Sorry for the comment spam.

Anonymous said...

Like other previous posts, I'm trying to connect to my network via a VPN connection coming from a different wireless network.
My router address on the DD-WRT network is set to: 192.168.1.1
My normal ip assignment range is set from 192.168.1.100 with 50 users
My VPN ip assignment range is 192.168.1.200-205

I see via the posts that others have had trouble as well but I don't quite understand exactly what I should change to make it work. Could you be more specific to a DD-WRT neophyte like myself.

Thanks much

-tp

This is what I'm getting:

Sun Aug 26 11:07:25 2007 : PPTP connecting to server '71.63.189.157' (71.63.189.157)...
Sun Aug 26 11:07:25 2007 : PPTP connection established.
Sun Aug 26 11:07:25 2007 : Using interface ppp0
Sun Aug 26 11:07:25 2007 : Connect: ppp0 <--> socket[34:17]
Sun Aug 26 11:07:28 2007 : MPPE 128-bit stateless compression enabled
Sun Aug 26 11:07:29 2007 : route_interface: write routing socket failed, File exists
Sun Aug 26 11:07:29 2007 : local IP address 192.168.1.200
Sun Aug 26 11:07:29 2007 : remote IP address 192.168.1.1
Sun Aug 26 11:07:29 2007 : primary DNS address 192.168.1.1
Sun Aug 26 11:07:29 2007 : secondary DNS address 192.168.1.1
Sun Aug 26 11:07:48 2007 : LCP terminated by peer (MPPE disabled)
Sun Aug 26 11:07:49 2007 : Connection terminated.
Sun Aug 26 11:07:49 2007 : Connect time 0.4 minutes.
Sun Aug 26 11:07:49 2007 : Sent 0 bytes, received 0 bytes.
Sun Aug 26 11:07:49 2007 : PPTP disconnecting...
Sun Aug 26 11:07:49 2007 : PPTP disconnected

Anonymous said...

This worked great for me, but I was one of those who hit "Run" instead of "Save" and then had the options.pptpd file reset. I realized that just the one line in the file was needing to be added (the ms-dns was already right) so rather than rewriting the whole file each time I added this to the startup instead:

sed -i 's/^mppe /mppe required\nmppe /' /tmp/pptpd/options.pptpd

It also has the virtue of being shorter (in number of characters) so it takes up less space in the nvram.

Anonymous said...

excellent post.

these three lines did the trick:

echo 'mppe required' >> /tmp/pptpd/options.pptpd #this line forces encryption and fixes OS X
echo 'mppe stateless' >> /tmp/pptpd/options.pptpd
echo 'mppc' >> /tmp/pptpd/options.pptpd

really glad you took the time to put this together

Anonymous said...

Can anyone shed light on how to get the router to forward DNS queries? My VPN setup per these instructions works fine, except that DNS is a dead end. I've tried configuring the Static DNS settings under Basic Setup/Network Address Server Settings. Also, under Management/DNS Masq/Additional DNS Options I tried to add a 'nameserver' both through the command line argument --server= and through a .conf file with --resolv-file=. I'm so close; someone please give me the final nudge...

Anonymous said...

Just wanted to confirm this fixed my iPhone too.

I'll add the error string so this can be found by fellow googlers :)

could not negotiate connection with remote ppp server

Anonymous said...

Why is this not included in the standard dd-wrt release? After making these configuration changes, I've successfully connected from iPhone 2.2, OS X 10.5.6, Windows 2003 R2 SP2, and Windows XP SP3 without any troubles. There may be reasons to not make this the default but given the large number of iPhones being sold, as well as the continued increase in OS X usage, I would imagine this would be a nice value proposition for dd-wrt.

Has anyone let Brainslayer know about this possible improvement to dd-wrt?

Unknown said...

I'm using the DD-WRT v24 std and can't get my clients to connect to the router. Should I reboot the router after setup?

Office 2.0 said...

@Rob, what error message did you get?

Anonymous said...

I'm not able to connect to the router, is there a port that must be open ?

Office 2.0 said...

Is there a firewall between you and the router?

Anonymous said...

For those who want their traffic to be sent through the VPN: (using OSX Leopard)

"Open Network Preferences">> Choose the VPN connection... Click on "Advanced" In the options area. Check the "Send all traffic over VPN connection"

Hope this helps

Ali said...

Thank you for this great post. It really helped me on the server side. In addition to connecting a PC client, I would like now to connect another DD-WRT as a client in another location. The client PC connects fine, but the DD-WRT router is having trouble.

I don't know Linux at all...would anyone be willing to post a similar script that would connect the router on the client side as PPTP router and force all internet traffic from that client router to the router on the server side (encrypted of course).

Appreciate the effort,

Ali said...

Contact me via email if you're able to help please,

Thanks,

Ali

Anonymous said...

Any help for those of us whom this didn't work? i.e. the 'get disconnected after a minute' problem?

Anonymous said...

This helped me to get VPN working from my MacBook Pro running OS X 10.4.11. The issue was that my laptop's DHCP-assigned IP address (192.168.1.100) was on the same subnet as the network to which I was trying to connect. This caused the "route_interface: write routing socket failed, File exists" error message.

I solved this by changing my LinkSys WRT54G router's IP address from 192.168.1.1 to 192.168.0.1. I did this by entering 192.168.1.1 in my web browser, entering the router password (default is admin) and then changing the Local IP Address setting in the router. After a minute, my laptop had acquired a new IP address (192.168.0.100) and my VPN connection now works.

Thanks for your help.
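Several commenters above trace the 20-second drop and "route_interface: write routing socket failed, File exists" to the client already sitting on the subnet the PPTP pool hands out, and the comment just above fixes it by moving the router to 192.168.0.1. The following script, added as an example and not from the post or its comments, checks for that overlap before dialling; it assumes 64-bit shell arithmetic (bash, dash, busybox ash) and DD-WRT's "a.b.c.d-e" pool notation.

```shell
#!/bin/sh
# Added example, not from the post or its comments: detect a client LAN that
# overlaps the PPTP address pool before dialling. Assumes 64-bit shell
# arithmetic (bash, dash, busybox ash) and DD-WRT's "a.b.c.d-e" pool syntax.

# ip2int DOTTED_QUAD -> prints the address as an integer; exit 1 if malformed
ip2int() {
    addr=$1
    case "$addr" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask LEN -> netmask of a /LEN as an integer
prefix2mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# same_subnet IP1 IP2 LEN -> exit 0 if both addresses fall in the same /LEN
same_subnet() {
    a=$(ip2int "$1") || return 2
    b=$(ip2int "$2") || return 2
    m=$(prefix2mask "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# pool_conflicts CLIENT_IP LEN POOL -> exit 0 if any address of POOL
# ("192.168.1.10-20" or a single address) lies inside the client's /LEN,
# i.e. the routing-socket failure case the commenters describe.
pool_conflicts() {
    client=$(ip2int "$1") || return 2
    m=$(prefix2mask "$2") || return 2
    case $3 in *-*) first=${3%-*}; last=${3##*-} ;; *) first=$3; last= ;; esac
    start=$(ip2int "$first") || return 2
    if [ -n "$last" ]; then
        case $last in *[!0-9]*) return 2 ;; esac
        [ "$last" -le 255 ] || return 2
        end=$(( (start & 0xFFFFFF00) | last ))   # the range only varies the last octet
    else
        end=$start
    fi
    net=$(( client & m ))
    bcast=$(( net | (~m & 0xFFFFFFFF) ))
    # Two contiguous ranges overlap iff neither one ends before the other starts.
    [ "$start" -le "$bcast" ] && [ "$end" -ge "$net" ]
}
```

Run `pool_conflicts <your current IP> <your prefix length> <DD-WRT Client IP(s) value>` from the client before connecting; exit 0 means the router's pool must move (or, as the comment above did, the LAN must be renumbered).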

Anonymous said...

I always recommend NOT using 192.168.1.x as an address for networks where somebody dials in via VPN. Most users or small networks use that already.

btw: I have 10.5.7 and cannot connect to my WRT anymore with 2.4 sp1 VPN firmware. Don't know why. Script is active. PC can connect and settings as described are done.

Anonymous said...

I can recommend a provider if you guys want to test:
https://www.anonine.com/en

Mary Shane said...

For some reason the problem was with the "ppp authentication" method. It was trying to authenticate with the IAS using ms-chap-v1 and chap but not pap. I had to explicitly enable pap and disable ms-chap-v1 and chap. Then everything worked fine.

VPN

Mary Shane said...

This comment has been removed by the author.

Anonymous said...

I like using vpn's, but this is just too tedious. I now use the VPN at Torrent Privacy. It is simple to use and makes me completely invisible on the net.

Anonymous said...

iphone 4.3 bug

http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration#iOS.2FiPhone

Unknown said...

I appreciate your honest service...
vpn on mac

Anonymous said...

Thanks for the manual. Good job.
top10-bestvpn.com