Search

August 21, 2016

Connect to Microsoft VPN from Ubuntu 16.04 Xenial Xerus

I recently upgraded from Ubuntu 14.04 on my main desktop machine and discovered that my VPN connection to Windows 2008 Server no longer worked. The bugaboo turned out to be the routing table which no longer requires a gateway entry. Here I have rewritten my post originally written for 12.10 to reflect the new configuration.

If you have ever tried to configure a linux machine to connect to a Microsoft-based VPN, you know that it is not as straightforward as it could be. It is more of a voodoo ritual than a science. I figured it would be a good idea to capture the steps for future reference.

This first part is adapted from the Ubuntu Wiki for posterity. You can check out the original at https://wiki.ubuntu.com/VPN under the heading VPN setup in Ubuntu 9.10. Apparently this originates from a Ubuntu forums post by user sweisler at http://ubuntuforums.org/showpost.php?p=8261958&postcount=6. Thanks sweisler, wherever you are.

First, there was no need to install any additional packages, apparently everything needed is included by default.

  • Open VPN configuration screen:
    • Click on the network icon in the upper right of the desktop
    • Go to the VPN Connections menu
    • Select Configure VPN…
  • Add a new PPTP connection
  • On the VPN tab, set the following:
    • Connection name (whatever you want)
    • Gateway (this is the VPN server)
    • User name (for domain-based user accounts, use domain\username)
    • Do not set Password; do change the pulldown to Always Ask
    • Do not set NT Domain
  • PPTP Advanced Options (Advanced button from the VPN tab)
    • Uncheck all authentication methods except MSCHAPv2
    • Check Use Point-to-Point encryption (MPPE)
    • Leave Security set at All Available (Default)
    • Check Allow stateful inspection
    • Uncheck Allow BSD data compression
    • Uncheck Allow Deflate data compression
    • Uncheck Use TCP header compression
    • Uncheck Send PPP echo packets (this setting works either way, check it for debugging purposes)

At this point save it and test it. Once the VPN connection is working you may want to try to tweak it further as described below.

One problem with the VPN I connect to is that all traffic ends up using the VPN when I am connected. This is less than ideal if you are connecting to servers on the internet while the VPN is connected since the traffic goes through the VPN server before coming to you. The following describes the settings for routing only the proper traffic to the VPN. (Read them all the way through first to make sure you have all the necessary information.)

  • On the IPv4 Settings tab
    • Set Additional DNS servers using the IP address of the DNS server for the VPN. (You may need to ask your IT guy for this; there should be a way to discover it when connecting as above but it escapes me.)
    • Set Additional search domains. Set this to the domain suffix of the machines on the VPN. For example, if the machines are named like dbserver.example.com then set it to example.com.
  • Click the Routes button.
    • Check Use this connection only for resources on its network
    • Add a route:
      • For Address, use the internal IP address of the VPN server applied against the netmask below, e.g. if the VPN server is 10.23.34.89 and the netmask is 255.255.255.0, use 10.23.34.0. Again, this should be the internal IP address for getting to the machine in the intranet, not the external IP address for getting to the machine from the internet.
      • For Netmask, use the netmask of your intranet. (If you are confused, ask your IT guy what to use for both this and the Address.) For most networks this will be 255.255.255.0, but for many it will be different.
      • For Gateway, use 0.0.0.0 or simply leave it blank.
      • Do not set the Metric unless you know what you are doing.

OK, so now when you connect you should see regular traffic going directly to the internet and intranet traffic directed to the VPN server. You can test this out with traceroute (which you may need to install). You should also be able to refer to machines on the intranet using their short names (e.g. dbserver instead of dbserver.example.com).

Let me know how these instructions work for you and what type of systems you’ve been able to connect.