VPND Frequently Asked Questions

$Header: /pack/anoncvs/vpnd/FAQ.TXT,v 1.16 2002/03/21 10:33:49 ast Exp $



Please DO NOT email the developers/FAQ maintainer directly with questions
concerning VPND & its operation. Please email the mailing list instead.



VPND developers: Andreas Steinmetz - Primary/Original Developer of VPND



(See Website for current list of developers)

FAQ Maintainer: Robert Hardy, C.E.O. Webcon, Inc.



Table Of Contents:

1. Introduction
2. Checklist of required elements
3. VPND Return Codes and Debugging
4. Known Good Configurations
5. Known Problems
6. What is a good Linux distribution for use with VPND?
7. Will VPND do this (Fill in blank)?
8. How do I get VPND to handle multiple clients?
9. Where can I get Redhat style init scripts?
10. Does this work with a Windows Box?
11. Can I use this with Microsoft Virtual Private Networking?
12. Can I use this to hookup Windows style LANs (and get browsing working)?
13. Why am I seeing so many overruns on my slip device (Linux specific)?
14. How do I make Windows Neighbourhood Networking work over VPND?
15. How do I connect to a remote network through VPND when the remote peer is part of this network?



1. Introduction:



This file will attempt to answer all the frequently asked questions which
have gone through the VPND mailing list, attempt to provide solutions to
common problems, and provide debugging information for VPND.



Please read this document thoroughly before asking questions on the mailing
list. If you are looking for commercial paid consulting, it is available;
mail the author for details.





2. Checklist of required elements: (elements required for proper operation)

-Both zlib & zlib-devel must be installed and be at least version 1.1.4
 (1.1.3 will do but has a security flaw!!!).
-/dev/random and/or /dev/urandom must be present.
-slip & cslip support must either be compiled into the kernel or
 (perhaps preferably) compiled as modules and loaded for normal operation.
-A common encryption key must be present on both client & server
-client & server must be separate machines with IP connectivity





3. VPND Return Codes and Debugging:



Some of the return codes have an offset of 128 in the source code.

Thus return code 105 may show up as 233 in the source code.



-If you see "Crypto init failed, reason "
you may be missing /dev/random or /dev/urandom.



-If you see "Crypto init failed reason 1" it means Key/IV send failed.
This could be either a key mismatch or, in combination with the above
errors, point to a bad TCP connection. VPND can do this for several minutes
before it successfully brings back up a hung VPND link. Please note that
this may be caused by still-filled transmission buffers, though it isn't
clear yet.



-If you see "slip link failed, reason 4" it means Connect/Listen failed.
This indicates either the client can't reach the server (server not
running, server didn't detect connection loss) or the server couldn't
bind the socket (e.g. another VPND already running). If I remember
correctly this error may occur if the 'suspend' option is used and an
automatic disconnect is initiated. It can also indicate that you have not
properly configured your kernel for SLIP or you are missing CSLIP support
in your kernel. If you are using Linux and have compiled your SLIP
support as modules, make sure they are loaded with lsmod.



-If you see "Peer link failed, reason 105" it means Data receive failed.
This is typically either a bad TCP connection (lost packets and
retransmits exceed time limits; 'rxmax' and 'sendbuf' tuning may help in
this case) or a missing zlib on the receiving end (built without zlib; the
CVS code now writes a startup syslog message with version and compression
info, and the -h command line option now gives compression info, too). As
another test, try disabling compression with the nocompress option (see
vpnd.conf). If the problem goes away you are either using an old version
of zlib or you are missing part of the zlib package. When using Redhat,
this frequently happens if you have the zlib RPM installed but do not
have the zlib-devel RPM installed.



-If you see "Peer link failed, reason 106" you are seeing a Peer read
Data send failed, probably a bad TCP connection (see reason 105 above).
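
The following script is an added example, not part of VPND or of the
original FAQ. It applies the message-to-cause list above to syslog lines
and accepts reason codes in either form (log value or source value with
the 128 offset). The syslog prefix, host name and PIDs in the sample are
constructed; only the message texts are taken from this FAQ.

```shell
#!/bin/sh
# Added example: map VPND failure messages to the causes this FAQ lists.
# Message texts come from the FAQ; the syslog prefix is constructed.

# Codes above 128 are taken as the source-code form (reason + 128): 233 -> 105.
normalize_reason() {
    if [ "$1" -gt 128 ] 2>/dev/null; then echo $(( $1 - 128 )); else echo "$1"; fi
}

# Print "<message>/<reason>: <likely cause>" for one log line;
# print nothing if the line is not a VPND failure message.
triage_line() {
    msg=$(printf '%s\n' "$1" | sed -nE \
        's/.*(Crypto init|slip link|Peer link) failed,? reason *([0-9]*).*/\1|\2/p')
    [ -n "$msg" ] || return 0
    kind=${msg%%|*}
    code=${msg#*|}
    if [ -n "$code" ]; then code=$(normalize_reason "$code"); fi
    case "$kind/$code" in
        # The FAQ quotes this message without a reason value.
        "Crypto init/")  cause="check that /dev/random or /dev/urandom exists" ;;
        "Crypto init/1") cause="Key/IV send failed: key mismatch or bad TCP connection" ;;
        "slip link/4")   cause="Connect/Listen failed: server unreachable, port already bound, or SLIP/CSLIP kernel support missing" ;;
        "Peer link/105") cause="Data receive failed: bad TCP connection or zlib problem, retest with nocompress" ;;
        "Peer link/106") cause="Peer read Data send failed: probably a bad TCP connection" ;;
        *)               cause="not covered by the FAQ: check the source and the mailing list" ;;
    esac
    printf '%s/%s: %s\n' "$kind" "${code:-none}" "$cause"
}

# Constructed sample log (host name, PIDs and timestamps are made up).
SAMPLE_LOG='Mar 21 10:40:01 gw1 vpnd[412]: Crypto init failed, reason 1
Mar 21 10:41:17 gw1 vpnd[412]: slip link failed, reason 4
Mar 21 10:45:02 gw1 vpnd[412]: Peer link failed, reason 105
Mar 21 10:45:09 gw1 vpnd[412]: Peer link failed, reason 105
Mar 21 10:46:30 gw1 sshd[900]: Accepted publickey for admin'

# Count failures per message/reason, most frequent first.
triage_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        triage_line "$line"
    done | sort | uniq -c | sort -rn
}

triage_log "$SAMPLE_LOG"
```
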

4. Known Good Configurations:



Redhat 6.2, Kernel V2.2.17, VPND V1.1.1

Suse 6.3, Kernel V2.2.14, VPND V1.1.1



The following operating systems are supported:



Linux 1.2.x (1.2.9 tested)

Linux 2.0.x (2.0.35 tested)

Linux 2.2.x (2.2.1 & 2.2.12-17 tested)

FreeBSD (3.3-RELEASE tested)

NetBSD (1.4.1 tested)

OpenBSD (2.6 tested)





5. Known Problems:



You will need to use 'rndcontrol' on FreeBSD systems to be able
to generate key files.
Version 1.1.0 is the first version for FreeBSD, version 1.1.1
is the first version for NetBSD and OpenBSD, so there may be
bugs lurking (serial line functionality is untested for *BSD,
please report success/failure).



Error recovery can be slow on flaky physical networks. It is sometimes
necessary to restart VPND to speed recovery. Diagnostics can be difficult
due to the use of cryptic error codes which aren't fully explained here.
Fortunately there is always the source and the mailing list.





6. What is a good Linux distribution for use with VPND?



I'm sure that this is a religious issue for some but I recommend:
The latest stable Redhat distribution along with the latest stable kernel.
This is currently Redhat 6.2 and Linux V2.2.17. See
http://www.redhat.com for Redhat Mirrors (or to buy a CD). See your local
kernel.org mirror for kernel source; see http://www.kernel.org.





7. Will VPND do this (Fill in blank)?



Please read this FAQ and if you still don't know the answer to your
question, mail the mailing list. See http://sunsite.dk/vpnd/ for details.





8. How do I get VPND to handle multiple clients?



The simple answer is, in its current configuration, you don't. VPND in its
current configuration is really a peer to peer system. Please don't
misunderstand this. You can hook up a large number of machines with VPND
but it must be done on a point to point basis. We have found that the
simplest way to plan this out is to assign a port to each circuit in a
virtual private network. Below is a typical VPN layout. Note that each
connection requires a client and server VPND process. Also note each peer
does not need to know anything about the other peers if it doesn't connect
to them (as long as you manage IP conflicts properly).



VPN Design Documentation

Client  Port   Server  Port
Peer1   30001  Peer2   30001
Peer1   30002  Peer3   30002
Peer3   30003  Peer2   30003
Peer2   30004  Peer4   30004
Peer3   30005  Peer4   30005

Networks
192.168.0. -> Peer1's Network
192.168.1. -> Peer2's Network
192.168.2. -> Peer3's Network
192.168.3. -> Peer4's Network

Connection IPs
192.168.0.1 -> Peer1's IP
192.168.0.2 -> Peer2's Network
192.168.0.3 -> Peer3's Network
192.168.0.4 -> Peer4's Network
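
The following script is an added example, not part of VPND or of the
original FAQ. It checks a port-per-circuit plan like the one above for
reused ports and for circuits whose two ends are the same machine, and
lists the VPND processes each peer has to run. The function names are
made up for this example; PLAN restates the circuit table above.

```shell
#!/bin/sh
# Added example: sanity-check a port-per-circuit VPND plan.
# PLAN restates the FAQ's circuit table: client, port, server, port.
PLAN='Peer1 30001 Peer2 30001
Peer1 30002 Peer3 30002
Peer3 30003 Peer2 30003
Peer2 30004 Peer4 30004
Peer3 30005 Peer4 30005'

# Print one "ERROR: ..." line per problem; no output means the plan is consistent.
check_plan() {
    printf '%s\n' "$1" | awk '
        NF != 4      { print "ERROR: line " NR ": want <client> <port> <server> <port>"; next }
        $1 == $3     { print "ERROR: line " NR ": client and server must be separate machines" }
        $2 != $4     { print "ERROR: line " NR ": both ends must use the circuit port" }
        ($4 in used) { print "ERROR: line " NR ": port " $4 " already assigned on line " used[$4] }
        { used[$4] = NR }'
}

# List the VPND processes one peer has to run, as "<role> <port> <remote peer>".
peer_instances() {   # $1 = plan, $2 = peer name
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { print "client", $2, $3 }
        $3 == p { print "server", $4, $1 }'
}

check_plan "$PLAN"
for peer in Peer1 Peer2 Peer3 Peer4; do
    echo "$peer:"
    peer_instances "$PLAN" "$peer" | sed 's/^/  /'
done
```

A port assigned to two circuits that end on the same server is one way to
reach the "couldn't bind the socket" case described under reason 4 in
section 3.
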





9. Where can I get Redhat style init scripts?



One or more VPN init script(s) are now available.

See samples/README.initscripts.





10. Does this work with a Windows Box?



Yes, but not directly. It is not designed to run on Windows. It is
designed to run on a Unix style server which can be accessed by any TCP/IP
style client.

If you want to hook your Windows boxes into your private network, the
simplest solution seems to be to use Microsoft Virtual Private Networking
software to connect your Windows workstation to a PoPToP server running on
your server. Your server(s) should still be linked using VPND or VTun.
PoPToP can be found here: http://www.moretonbay.com/vpn/pptp.html
VTun can be found here: http://vtun.sourceforge.net/





11. Can I use this with Microsoft Virtual Private Networking?



While VPND can co-exist with other servers which use Microsoft VPN,

it is designed to only communicate directly with other VPNDs.

See PoPToP discussion in 10.





12. Can I use this to hookup Windows style LANs (and get browsing working)?



Yes. Once VPND is properly configured, work-group browsing in Windows should
work properly over VPND. If you are using Samba you may have to use its
Remote Browse List Synchronization features.





13. Why am I seeing so many overruns on my slip device (Linux specific)?



What is getting reported as overruns is probably compressed slip packets.
Some ifconfig binaries do not label the fields properly for slip devices.
To fix the problem, you should find and install the latest version of
ifconfig suitable to your kernel (2.0.x vs. 2.2.x etc.).





14. How do I make Windows Neighborhood networking work over VPND?



You must set up Linux/Samba so that NetBIOS gets routed properly. If you
can access a machine on a different, masqueraded network using UNC naming,
e.g. \\server, but you cannot see it or any machines in your Network
Neighborhood, then chances are the NetBIOS broadcasts necessary for
Network Neighborhood to work are not crossing the networks.



See here for details:

http://www.linuxplanet.com/linuxplanet/tutorials/1159/1/



You will also want the nbfw patch from here:

http://malt-whisky.student.utwente.nl/nbfw/download.html





15. How do I connect to a remote network through VPND when the remote peer is part of this network?



First you must use a VPND routing option (route1 to route9)
to route all traffic to the remote network through VPND.
Then you must add a host route to the remote peer via the
interface connecting you to the Internet to prevent a
routing loop. There are two ways to do this: If your local system
has a constant Internet connection, e.g. a leased line or
a dialup connection attached to an ethernet interface, you
should use the peerroute configuration option of VPND.
If you use a demand dialup connection with dynamic IPs,
let's say e.g. diald and pppd, you will have to add
a host route to the VPND peer to the diald proxy interface with a metric
of 1 and then use the ip-up and ip-down scripts of pppd
to add/remove a host route to the VPND peer to/from the ppp
interface with a metric of 0.

Please note that either way all connections to the remote
peer will be direct and unencrypted; connections to all
other systems on the remote network will be encrypted through VPND.
If you need to reach the remote peer encrypted, you will have
to assign the remote peer a second IP and use this IP
for an encrypted connection.
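
The following script is an added example, not part of VPND or of the
original FAQ. It shows the demand-dial case: a standing metric 1 host
route on the diald proxy interface, a metric 0 host route added and
removed by the pppd hooks, and a check on `route -n` output that the peer
is reached by a host route at all. The peer address 192.0.2.10 and the
proxy interface name sl0 are assumptions; the commands use net-tools
route syntax.

```shell
#!/bin/sh
# Added example: host routes to the VPND peer for a diald/pppd demand-dial link.
# Install as /etc/ppp/ip-up and /etc/ppp/ip-down (pppd passes the interface as $1).
VPND_PEER=${VPND_PEER:-192.0.2.10}  # assumption: peer's public IP (documentation address)
DIALD_IF=${DIALD_IF:-sl0}           # assumption: name of the diald proxy interface
ROUTE=${ROUTE:-route}               # net-tools route; set ROUTE=echo for a dry run

# Arguments for a host route to the peer. $1 = add|del, $2 = interface, $3 = metric
peer_route_args() {
    case "$1" in add|del) ;; *) return 1 ;; esac
    printf '%s -host %s metric %s dev %s\n' "$1" "$VPND_PEER" "$3" "$2"
}

# Standing route via the diald proxy interface (metric 1); run once at boot.
install_proxy_route() { $ROUTE $(peer_route_args add "$DIALD_IF" 1); }

# pppd hook: the preferred route (metric 0) exists only while the ppp link is up.
ppp_hook() {   # $1 = ip-up|ip-down, $2 = ppp interface
    case "$1" in
        ip-up)   $ROUTE $(peer_route_args add "$2" 0) ;;
        ip-down) $ROUTE $(peer_route_args del "$2" 0) ;;
        *)       return 1 ;;
    esac
}

# Read `route -n` output on stdin and print the interface of the lowest-metric
# host route to the peer. Empty output means there is no host route, so peer
# traffic would follow the network route into the tunnel (a routing loop).
peer_route_iface() {
    awk -v peer="$VPND_PEER" '
        $1 == peer && $3 == "255.255.255.255" {
            if (!found || $5 + 0 < best) { best = $5 + 0; ifc = $8; found = 1 }
        }
        END { if (found) print ifc }'
}

# Act only when invoked under one of the pppd hook names.
case "${0##*/}" in
    ip-up|ip-down) ppp_hook "${0##*/}" "$1" ;;
esac
```

Running `route -n | peer_route_iface` after the link comes up should name
the ppp interface; traffic on that route is the direct, unencrypted path
to the peer described above.
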


