danfruehauf / nagios-plugins

Nagios Plugins I maintain, currently only check_vpn and check_sql
GNU General Public License v2.0

Critical: VPN (pptp) connection failed to 'vpn.com': '' #15

Closed rakotak closed 9 years ago

rakotak commented 9 years ago

Hello, I am trying to configure the plugin to run on the pptp server itself:

./check_vpn -t pptp -H vpn.com -u user -p pass -- mru 1410 mtu 1410 novj novjccomp nobsdcomp

Critical: VPN (pptp) connection failed to 'vpn.com': ''

I have set the ppp device to eth0 (gre0 is disabled, only eth0 is up and running) in pptp.sh.

declare -r PPTP_DEVICE_PREFIX=eth0

and I still get the above error. Do you have any ideas what might be wrong? strace shows me it probably cannot recognize the correct ppp adapter to work with. I am able to connect to the pptp server using the standard pptp client.

pptp vpn.com --nolaunchpppd

danfruehauf commented 9 years ago

@rakotak I suggest leaving PPTP_DEVICE_PREFIX=ppp, as this is usually the case.

Can you please run the above but with:

/bin/bash -x ./check_vpn -t pptp -H vpn.com -u user -p pass -- mru 1410 mtu 1410 novj novjccomp nobsdcomp

Then you can paste the output. Please sanitize it first as it may contain your username/password.

danfruehauf commented 9 years ago

BTW, is your VPN server on vpn.com? Because this is where you try to connect to.

rakotak commented 9 years ago

Hello,

I omitted the real vpn host (it is not vpn.com) for security reasons. Here is more verbose output as requested:

I added this in iptables:

0     0 ACCEPT     all  --  ppp1   eth0    0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  eth0   ppp1    0.0.0.0/0            0.0.0.0/0

still no luck

danfruehauf commented 9 years ago

@rakotak I'll need the full output when running with /bin/bash -x, please sanitize it and paste it in a pastebin so I can have a look at it. Those 10 lines you pasted virtually give me no clue about what the problem is.

rakotak commented 9 years ago

Hello,

Here is the requested output.

http://pastebin.com/UMAE5qjb

Thank you very much.

Regards, rakotak

danfruehauf commented 9 years ago

So eventually it boils down to running this command which is pretty standard:

pptp --debug us1.vpn.*******.com -- lock debug unit 0 nodefaultroute noauth user user password pass mru 1410 mtu 1410 novj novjccomp nobsdcomp

This I assume fails, because /something/. :)

Have a look also at /var/log/messages (depending on your distro) and paste also the pptp/pppd related lines. Debugging PPTP is always a pain.

rakotak commented 9 years ago

Hello,

The distro is debian

Feb 28 01:47:23 vpn-us pppd[28177]: pppd 2.4.5 started by root, uid 0
Feb 28 01:47:23 vpn-us pppd[28177]: Using interface ppp0
Feb 28 01:47:23 vpn-us pppd[28177]: Connect: ppp0 <--> /dev/pts/0
Feb 28 01:47:23 vpn-us pppd[28176]: pppd 2.4.5 started by root, uid 0
Feb 28 01:47:23 vpn-us pppd[28176]: Using interface ppp1
Feb 28 01:47:23 vpn-us pppd[28176]: Connect: ppp1 <--> /dev/pts/3
Feb 28 01:47:25 vpn-us pppd[28177]: CHAP authentication succeeded
Feb 28 01:47:25 vpn-us pppd[28176]: peer from calling number ... authorized
Feb 28 01:47:25 vpn-us pppd[28177]: LCP terminated by peer (MPPE required but peer negotiation failed)
Feb 28 01:47:25 vpn-us pppd[28176]: Connection terminated.
Feb 28 01:47:25 vpn-us pppd[28176]: Connect time 0.1 minutes.
Feb 28 01:47:25 vpn-us pppd[28176]: Sent 10 bytes, received 32 bytes.
Feb 28 01:47:25 vpn-us pppd[28176]: Exit.
Feb 28 01:47:25 vpn-us pppd[28177]: Modem hangup
Feb 28 01:47:25 vpn-us pppd[28177]: Connection terminated.
Feb 28 01:47:26 vpn-us pppd[28177]: Exit.

I think this here is the culprit - Feb 28 01:47:25 vpn-us pppd[28177]: LCP terminated by peer (MPPE required but peer negotiation failed)

I can confirm that require-mppe-128 is set in /etc/ppp/pptpd-options

Thank you.

Regards, rakotak
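
Added example, not part of the original thread or of check_vpn: a bash/awk triage of the pppd syslog lines quoted above, grouping them by pppd PID (both ends log here because the check runs on the PPTP server itself) and flagging the MPPE negotiation failure. The function names and verdict labels are made up for this illustration; the sample lines are copied from the log in this thread.

```bash
#!/usr/bin/env bash
# Added example (not part of check_vpn): summarise pppd syslog lines per process.

# Sample input: lines copied from the log quoted in this thread.
sample_log() {
  cat <<'EOF'
Feb 28 01:47:23 vpn-us pppd[28177]: Using interface ppp0
Feb 28 01:47:23 vpn-us pppd[28176]: Using interface ppp1
Feb 28 01:47:25 vpn-us pppd[28177]: CHAP authentication succeeded
Feb 28 01:47:25 vpn-us pppd[28176]: peer from calling number ... authorized
Feb 28 01:47:25 vpn-us pppd[28177]: LCP terminated by peer (MPPE required but peer negotiation failed)
Feb 28 01:47:25 vpn-us pppd[28176]: Connection terminated.
Feb 28 01:47:25 vpn-us pppd[28177]: Modem hangup
EOF
}

# triage_pppd: read syslog on stdin and print "<pid> <iface> <auth> <cause>"
# for each pppd PID, in order of first appearance.
triage_pppd() {
  awk '
    match($0, /pppd\[[0-9]+\]: /) {
      pid = substr($0, RSTART + 5, RLENGTH - 8)   # digits between "pppd[" and "]: "
      msg = substr($0, RSTART + RLENGTH)          # message text after the tag
      if (!(pid in auth)) {
        order[++n] = pid; iface[pid] = "-"; auth[pid] = "no-auth-seen"; cause[pid] = "none"
      }
      if (msg ~ /^Using interface /) iface[pid] = substr(msg, 17)
      else if (msg ~ /authentication succeeded|authorized$/) auth[pid] = "auth-ok"
      else if (msg ~ /^LCP terminated by peer/) {
        # The text in parentheses is the reason the remote end gave.
        cause[pid] = (msg ~ /MPPE required/) ? "mppe-mismatch" : "lcp-terminated"
      }
    }
    END { for (i = 1; i <= n; i++) { p = order[i]; print p, iface[p], auth[p], cause[p] } }
  '
}

# hint_for: map a cause label to the next debugging step.
hint_for() {
  case "$1" in
    mppe-mismatch)  echo "server requires MPPE: add require-mppe-128 to the client pppd options" ;;
    lcp-terminated) echo "peer closed LCP: read the reason in parentheses in the log line" ;;
    *)              echo "no termination cause logged for this process" ;;
  esac
}

sample_log | triage_pppd | while read -r pid iface auth cause; do
  echo "pppd[$pid] $iface $auth $cause -> $(hint_for "$cause")"
done
```

Authentication succeeding on both processes while only the ppp0 side carries the MPPE cause shows the failure is in encryption negotiation, not in credentials.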

danfruehauf commented 9 years ago

Seems like what you're missing is just require-mppe-128 in your command line.

So try with:

pptp --debug us1.vpn.*******.com -- lock debug unit 0 nodefaultroute noauth user user password pass mru 1410 mtu 1410 novj novjccomp nobsdcomp require-mppe-128

rakotak commented 9 years ago

Hello, I seem to have made some progress including require-mppe in the arguments passed to the script.

-- require-mppe mru 1410 mtu 1410 novj novjccomp nobsdcomp

Now I am getting

Warning: VPN (pptp) up, connectivity check failed to 'http://www.google.com'|time=0.000s;size=0B

Regards, rakotak

danfruehauf commented 9 years ago

Great news! So now you need to make sure that you are allowing routing via the PPP device. The PPP connection succeeded, however it couldn't access www.google.com through the VPN.

This is for you to tune on the PPTP server so it allows traffic from VPN clients. Or alternatively change the checking URL to something else, i.e. not www.google.com.

rakotak commented 9 years ago

Hello, Thank you for all your help. I will manage from this point on. Case closed.

Regards, rakotak

danfruehauf commented 9 years ago

@rakotak Good luck! :)