November 15, 2016

Connect to Microsoft VPN from Fedora 24

New box, new OS, time for another edition of trying to connect to Microsoft's VPN software. This time it is Fedora's turn.

This first part is adapted from my previous editions for Ubuntu and ultimately are sourced from an Ubuntu forums post by user sweisler at Thanks sweisler, wherever you are.

First, there was no need to install any additional packages, apparently everything needed is included by default.

  • Open VPN configuration screen:
    • Click on the network icon in the upper right of the desktop
    • Expand the VPN menu
    • Select VPN Settings
    • Select Configure VPN…
  • Add a new PPTP connection
  • In the Identity section, set the following:
    • Connection name (whatever you want)
    • Gateway (this is the VPN server)
    • User name (for domain-based user accounts, use domain\username or username)
    • Do not set Password; do change the pulldown (hidden in the help icon) to Always Ask
    • Set NT Domain if it is a domain-based account and you feel like it (I tried with User name as plain username and no NT Domain set, with User name as domain\username and no NT Domain and with User name as plain username and NT Domain set and everything worked - a far cry from when I was first trying to connect years ago).
  • PPTP Advanced Options (Advanced button from the Identity section)
    • Uncheck all authentication methods except MSCHAPv2
    • Check Use Point-to-Point encryption (MPPE)
    • Leave Security set at All Available (Default)
    • Check Allow stateful inspection
    • Uncheck Allow BSD data compression
    • Uncheck Allow Deflate data compression
    • Uncheck Use TCP header compression
    • Uncheck Send PPP echo packets (this setting works either way, check it for debugging purposes)
    • Leave Use custom unit number unchecked.

Normally at this point we would save and test the connection, but for Fedora there are additional steps. We need to configure the firewall to allow connections on the GRE protocol.

Note that GRE is a protocol like TCP or UDP, not a particular port.

The Fedora firewall demon allows you to make changes in two modes: permanent changes which affect the configuration but not the running instance and temporary changes which affect the running instance but not the configuration. To enable GRE traffic through your firewall, use the following command:

sudo firewall-cmd --add-protocol=gre sudo firewall-cmd --query-protocol=gre

Now test out your VPN connection. If it is working, save the changes to the configuration of the firewall:

sudo firewall-cmd --permanent --add-protocol=gre sudo firewall-cmd --permanent --query-protocol=gre

Note that if you have multiple network connections (e.g. wireless vs wired), it may be necessary to configure the firewall for each one.

Once the VPN connection is working you may want to try to tweak it further as described below.

One problem with the VPN I connect to is that all traffic ends up using the VPN when I am connected. This is less than ideal if you are connecting to servers on the internet while the VPN is connected since the traffic goes through the VPN server before coming to you. The following describes the settings for routing only the proper traffic to the VPN. (Read them all the way through first to make sure you have all the necessary information.)

Start by opening the IPv4 Settings section in the configuration of your VPN.

  • Set Additional DNS servers using the IP address of the DNS server for the VPN. (You may need to ask your IT guy for this; there should be a way to discover it when connecting as above but it escapes me.)
  • In the Routes section, add a new route:
    • For Address, use the internal IP address of the VPN server applied against the netmask below, e.g. if the VPN server is and the netmask is, use Again, this should be the internal IP address for getting to the machine in the intranet, not the external IP address for getting to the machine from the internet.
    • For Netmask, use the netmask of your intranet. (If you are confused, ask your IT guy what to use for both this and the Address.) For most networks this will be, but for many it will be different.
    • For Gateway, use
    • Do not set the Metric unless you know what you are doing.
  • If necessary, add additional routes. E.g. you might have a DMZ in the network in the VPN you are connecting to.
  • Check Use this connection only for resources on its network
  • In other versions of the NetworkManager configuration tool, there was a field for Additional search domains. This field is missing on Fedora 24 and some experimenting and testing seems to indicate we don't need it.

OK, so now when you connect you should see regular traffic going directly to the internet and intranet traffic directed to the VPN server. You can test this out with traceroute (which you may need to install).

Let me know how these instructions work for you and what type of systems you’ve been able to connect.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.