Thread: VPN Encryption & Linux

  1. #1
    Gravillon is offline Junior Member
    Join Date
    Oct 2010
    Location
    Paris
    Posts
    2

    VPN Encryption & Linux

    Hello,

    I am trying to set up my VPN under Linux Gentoo, and I would like to point out a problem with the tutorial that you released for the Linux configuration. In step 5 of this tutorial, in the advanced configuration, you recommend these options:
    - MSCHAP auth
    - MSCHAP-v2 auth
    - Use Point-to-Point encryption (MPPE)
    - and some other compression options

    I am trying this configuration, and this does not work for me. Let me show you.

    If I activate MPPE, the protocol needs an MSCHAP-v2 authentication. Alright, let's try it (I use PPP/PPTP in debug mode to see what happens):

    workstation # pon PureVPN debug dump nodetach logfd 2
    using channel 35
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <mru 1400> <auth eap> <magic 0x185c2989> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfRej id=0x1 <callback CBCP> <mrru 1614>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x2 <mru 1400> <auth eap> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x2 <auth chap MS-v2>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x3 <mru 1400> <auth chap MD5> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x3 <auth chap MS-v2>]
    rcvd [LCP ConfReq id=0x4 <mru 1400> <auth chap MD5> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x4 <auth chap MS-v2>]
    rcvd [LCP ConfReq id=0x5 <mru 1400> <auth chap MD5> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x5 <auth chap MS-v2>]
    rcvd [LCP ConfReq id=0x6 <mru 1400> <auth chap MD5> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x6 <auth chap MS-v2>]
    rcvd [LCP ConfReq id=0x7 <mru 1400> <auth chap MD5> <magic 0x185c2989> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfRej id=0x7 <auth chap MD5>]
    rcvd [LCP TermReq id=0x8 18 5c 29 89 00 3c cd 74 00 00 03 97]
    sent [LCP TermAck id=0x8]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d7de06c> <pcomp> <accomp>]
    Script pptp us1.purevpn.net --nolaunchpppd finished (pid 9974), status = 0x0
    Modem hangup
    Connection terminated.

    The interesting lines there are:

    rcvd [LCP ConfReq id=0x3 <mru 1400> <auth chap MD5> ...
    sent [LCP ConfNak id=0x3 <auth chap MS-v2>]

    In plain terms, the PureVPN server is offering CHAP MD5 authentication while my client is requesting CHAP MS-v2. Problem: the VPN server does not seem to accept CHAP MS-v2 and so, without authentication, no connection is possible.

    Alright, I noticed the problem and so I updated my settings to accept the CHAP MD5 authentication offered by the server:

    workstation # pon PureVPN debug dump nodetach logfd 2
    using channel 36
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5be42ea5> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x5be42ea5> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <mru 1400> <auth eap> <magic 0x230a4252> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfRej id=0x1 <callback CBCP> <mrru 1614>]
    rcvd [LCP ConfReq id=0x2 <mru 1400> <auth eap> <magic 0x230a4252> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x2 <auth chap MD5>]
    rcvd [LCP ConfReq id=0x3 <mru 1400> <auth chap MD5> <magic 0x230a4252> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfAck id=0x3 <mru 1400> <auth chap MD5> <magic 0x230a4252> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    rcvd [CHAP Challenge id=0x0 <ff501d1c4bf51b333619dc960668cb01>, name = "WIN-VQQ3GRBBDL2"]
    sent [CHAP Response id=0x0 <28fb63dfa9cecedc279dbb86546bc475>, name = "purevpnXXXXXXX"]
    rcvd [CHAP Success id=0x0 "\nAuthentication Successful.\n"]
    CHAP authentication succeeded: ^JAuthentication Successful.^J
    CHAP authentication succeeded
    MPPE required, but MS-CHAP[v2] auth not performed.
    sent [LCP TermReq id=0x2 "MPPE required but not available"]
    rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
    Discarded non-LCP packet when LCP not open

    rcvd [IPCP ConfReq id=0x6 <addr 192.168.2.2>]
    Discarded non-LCP packet when LCP not open
    rcvd [LCP TermAck id=0x2 "MPPE required but not available"]
    Connection terminated.
    Waiting for 1 child processes...
    script pptp us1.purevpn.net --nolaunchpppd, pid 10000
    Script pptp us1.purevpn.net --nolaunchpppd finished (pid 10000), status = 0x0

    That looks much better! There, the authentication succeeded with CHAP MD5, but to be able to use the MPPE encryption, PPTP needs the MS-CHAP[v2] authentication, which was rejected by the server in the previous test... We can see that the PureVPN server offers MPPE encryption (rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]), which is rejected by the PPTP client (Discarded non-LCP packet when LCP not open). So logically, the connection is ended since the encryption is required but impossible.

    Let's finally try a connection with CHAP MD5 but without encryption, you never know...

    workstation # pon PureVPN debug dump nodetach logfd 2
    using channel 37
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1cc96704> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1cc96704> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <mru 1400> <auth eap> <magic 0x4b6651c> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfRej id=0x1 <callback CBCP> <mrru 1614>]
    rcvd [LCP ConfReq id=0x2 <mru 1400> <auth eap> <magic 0x4b6651c> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfNak id=0x2 <auth chap MD5>]
    rcvd [LCP ConfReq id=0x3 <mru 1400> <auth chap MD5> <magic 0x4b6651c> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    sent [LCP ConfAck id=0x3 <mru 1400> <auth chap MD5> <magic 0x4b6651c> <pcomp> <accomp> <endpoint [local:90.ef.3d.47.cc.65.4a.3e.8f.7e.66.96.3a.cc.2b .d5.00.00.00.00]>]
    rcvd [CHAP Challenge id=0x0 <449e355c08b425a47222fc240768cb01>, name = "WIN-VQQ3GRBBDL2"]
    sent [CHAP Response id=0x0 <952d916db9aa45bc58d04ac6ff0aba8e>, name = "purevpnXXXXXXX"]
    rcvd [CHAP Success id=0x0 "\nAuthentication Successful.\n"]
    CHAP authentication succeeded: ^JAuthentication Successful.^J
    CHAP authentication succeeded
    sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
    rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
    sent [CCP ConfReq id=0x1]
    sent [CCP ConfRej id=0x5 <mppe +H -M -S -L -D +C>]
    rcvd [IPCP ConfReq id=0x6 <addr 192.168.2.2>]
    sent [IPCP ConfAck id=0x6 <addr 192.168.2.2>]
    rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
    sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
    rcvd [CCP ConfAck id=0x1]
    rcvd [CCP TermReq id=0x7 04 b6 65 1c 00 3c cd 74 00 00 02 dc]
    sent [CCP TermAck id=0x7]
    rcvd [IPCP ConfNak id=0x2 <addr 192.168.2.37>]
    sent [IPCP ConfReq id=0x3 <addr 192.168.2.37>]
    rcvd [IPCP ConfAck id=0x3 <addr 192.168.2.37>]
    local IP address 192.168.2.37
    remote IP address 192.168.2.2
    Script /etc/ppp/ip-up started (pid 10018)
    Script /etc/ppp/ip-up finished (pid 10018), status = 0x0
    sent [CCP ConfReq id=0x1]
    rcvd [CCP TermAck id=0x1]
    sent [CCP TermReq id=0x2"No compression negotiated"]
    rcvd [CCP TermAck id=0x2"No compression negotiated"]

    Uh oh, it works! Yes... but... no encryption in my VPN (MPPE rejected by my client due to lack of MSCHAP-v2: "sent [CCP ConfRej id=0x5 <mppe +H -M -S -L -D +C>]"). And to be honest, a VPN without encryption is useless for me.

    To summarize, a PPTP and PPP connection is possible under my Linux system with CHAP MD5 authentication, but without MPPE encryption, which is really annoying and unsatisfying.

    Do you know any way to arrange this, any way to make MPPE work on Linux? I must add that the same behavior occurs when I use the graphical interface of network-manager (as shown in your tutorial).

    To be more precise, could you please post a sample Linux configuration using L2TP/IPSEC? I also think it would be good to update the Linux tutorial to correct the advanced settings page (step 5), so that other Linux users do not waste 3 days on investigations and tests...

    Thanks
    Last edited by Gravillon; 10-10-2010 at 12:04 AM.
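
Added example (not part of the original posts, and not PureVPN's or pppd's own code): a small Python audit of pppd debug output like the logs above, reporting the agreed authentication method, whether MPPE key lengths were acknowledged in both directions, and whether the link came up unencrypted. The MPPE flag letters are read per RFC 3078 (S = 128-bit, M = 56-bit, L = 40-bit; H is stateless mode and C is MPPC compression, neither of which is encryption). Both sample logs are constructed, abbreviated from the shape of the logs in the post.

```python
import re

# MPPE option letters as printed by pppd; key lengths per RFC 3078.
KEY_BITS = {"S": 128, "M": 56, "L": 40}

# Constructed sample: CHAP MD5 agreed, MPPE rejected, link still comes up.
CLEARTEXT_LOG = """\
sent [LCP ConfAck id=0x3 <mru 1400> <auth chap MD5> <magic 0x4b6651c> <pcomp> <accomp>]
rcvd [CHAP Success id=0x0 "Authentication Successful."]
rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
sent [CCP ConfRej id=0x5 <mppe +H -M -S -L -D +C>]
rcvd [CCP ConfAck id=0x1]
local IP address 192.168.2.37
"""

# Constructed sample: MS-CHAPv2 agreed, 128-bit MPPE acknowledged both ways.
ENCRYPTED_LOG = """\
sent [LCP ConfAck id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72175931> <pcomp> <accomp>]
sent [CCP ConfAck id=0x5 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
local IP address 192.168.2.37
"""


def mppe_key_lengths(option):
    """Key lengths switched on in an '<mppe +H -M +S ...>' option string."""
    return sorted(KEY_BITS[f] for f in re.findall(r"\+([SML])", option))


def audit(log):
    """Summarise auth method, MPPE state and link state of one pppd debug log."""
    auth = re.search(r"^\s*sent \[LCP ConfAck .*?<auth ([^>]+)>", log, re.M)
    acks = re.findall(r"^\s*(sent|rcvd) \[CCP ConfAck .*?(<mppe [^>]+>)", log, re.M)
    # Keep only acknowledgements that actually enable an encryption key length.
    keyed = {d: mppe_key_lengths(o) for d, o in acks if mppe_key_lengths(o)}
    link_up = re.search(r"^\s*local\s+IP address", log, re.M) is not None
    if not link_up:
        verdict = "no-link"
    elif set(keyed) == {"sent", "rcvd"}:  # MPPE agreed in both directions
        verdict = "encrypted"
    else:
        verdict = "cleartext"  # tunnel is up but carries unencrypted traffic
    bits = sorted({b for lengths in keyed.values() for b in lengths})
    return {"auth": auth.group(1) if auth else None, "mppe_bits": bits, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("cleartext", CLEARTEXT_LOG), ("encrypted", ENCRYPTED_LOG)):
        print(name, audit(log))
```

Run against a saved `pon ... debug` session, a "cleartext" verdict is the case described in the post: the link is up and routed, but no MPPE key length was ever acknowledged.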

  2. #2
    PurevpnTECH is offline Moderator
    Join Date
    Feb 2009
    Posts
    276

    Dear Gravillon,

    Thank you for posting on our forums. I think you missed the point about our packages: as noted, we offered both CHAP MD5 and MS CHAPv2 in one account. The following locations should offer you MS CHAPv2 with industry-standard encryption:

    Los Angeles, California server (offered in Silver package)
    London, UK server (offered in Silver package)
    Dallas, Texas server (offered in Silver package)
    Maidenhead, UK server (offered in SSTP package)
    New York, US server (offered in SSTP package)

    Please open a support ticket if you want us to point out specific IPs so you can connect.

    Kind Regards,
    The PureVPN Team

  3. #3
    Gravillon is offline Junior Member
    Join Date
    Oct 2010
    Location
    Paris
    Posts
    2

    Hello

    Thank you for your support, I really appreciate it. Actually, I tried all servers I received in my subscription email but I do not have the IPs of LA and NY servers. I will open a ticket for that.

    On the other hand, I found that the us-texas server is able to answer MSCHAPv2, but only this server, not the other ones:

    workstation ~ # pon PureVPN debug dump logfd 2 nodetach
    pppd options in effect:
    debug # (from command line)
    nodetach # (from command line)
    logfd 2 # (from command line)
    dump # (from command line)
    noauth # (from /etc/ppp/options.pptp)
    refuse-pap # (from /etc/ppp/options.pptp)
    refuse-chap # (from /etc/ppp/options.pptp)
    refuse-mschap # (from /etc/ppp/options.pptp)
    refuse-eap # (from /etc/ppp/options.pptp)
    name purevpnXXXXXXX # (from /etc/ppp/peers/PureVPN)
    remotename PureVPN # (from /etc/ppp/peers/PureVPN)
    # (from /etc/ppp/options.pptp)
    pty pptp us-texas.purevpn.net --nolaunchpppd # (from /etc/ppp/peers/PureVPN)
    ipparam PureVPN # (from /etc/ppp/peers/PureVPN)
    defaultroute # (from /etc/ppp/options.pptp)
    require-mppe-128 # (from /etc/ppp/options.pptp)
    using channel 10
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/3
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcb3542e3> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x0 <mru 1400> <auth eap> <magic 0x72175931> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:b1.48.67.8e.96.92.44.01.89.21.04.14.15.02.33 .dc.00.00.00.00]>]
    sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xcb3542e3> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <mru 1400> <auth eap> <magic 0x72175931> <pcomp> <accomp> <endpoint [local:b1.48.67.8e.96.92.44.01.89.21.04.14.15.02.33 .dc.00.00.00.00]>]
    sent [LCP ConfNak id=0x1 <auth chap MS-v2>]
    rcvd [LCP ConfReq id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72175931> <pcomp> <accomp> <endpoint [local:b1.48.67.8e.96.92.44.01.89.21.04.14.15.02.33 .dc.00.00.00.00]>]
    sent [LCP ConfAck id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72175931> <pcomp> <accomp> <endpoint [local:b1.48.67.8e.96.92.44.01.89.21.04.14.15.02.33 .dc.00.00.00.00]>]
    rcvd [CHAP Challenge id=0x0 <b1674315bab5b2f749e2dda33549996a>, name = "NEWTECH1"]
    sent [CHAP Response id=0x0 <2a7b6a60304bf27a07c21cb40559741d00000000000000002 52352bf474e7a7eeb64b1a82d61827a079418890ab456b900> , name = "purevpnXXXXXXX"]
    rcvd [CHAP Failure id=0x0 "E=649 R=0 "]

    MS-CHAP authentication failed: E=649 No dialin permission
    CHAP authentication failed
    sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
    rcvd [LCP TermReq id=0x4 "r\027Y1\000<\37777777715t\000\000\002\37777777611 "]
    sent [LCP TermAck id=0x4]
    rcvd [LCP TermAck id=0x2 "Failed to authenticate ourselves to peer"]
    Connection terminated.
    Waiting for 1 child processes...
    script pptp us-texas.purevpn.net --nolaunchpppd, pid 6528
    Script pptp us-texas.purevpn.net --nolaunchpppd finished (pid 6528), status = 0x0

    As you can see, on this server MSCHAPv2 works, but it seems my account is not allowed to dial in through this server (error E649)... Is that normal? Why isn't it possible to authenticate myself with MSCHAPv2 on all your other servers? I subscribed to a pure Silver offer.

    Best Regards,

    Gravillon
    Last edited by Gravillon; 10-10-2010 at 11:10 PM.

  4. #4
    PurevpnTECH is offline Moderator
    Join Date
    Feb 2009
    Posts
    276

    Hi again Gravillon,

    Thank you for getting back. Yes, as said, PureVPN serves different markets, for example VOIP unblock, social media unblock and TV streaming abroad, in addition to the regular security requirements. We have thus distributed loads on different servers such that security seekers are on different servers, VOIP and streaming on different ones, and so on. TV streaming + VOIP do not always require security, so customers have every option and all possibilities are open for all.

    Since you need security in addition to the said purposes, my proposed servers are the best ones for you. Would you please open a support ticket: http://billing.purevpn.com/submitticket.php so we can reveal the IP addresses and all.

    Also post your user so I can check for dial-in permission issues.

    Sincerely,
    The PureVPN Team
