Pptp VPN problem, LCP: timeout sending Config-Requests

Hi!

I’m trying to connect to my workplace VPN, which is a PPTP VPN. I know it’s old and not very secure, but this is the choice they made…

My VPN connection is almost working, failing with this message :

mar 28 12:05:16 Linux-iMac pptp[27705]: nm-pptp-service-27687 log[ctrlp_disp:pptp_ctrl.c:900]: Received Outgoing Call Reply.

mar 28 12:05:16 Linux-iMac pptp[27705]: nm-pptp-service-27687 log[ctrlp_disp:pptp_ctrl.c:938]: Outgoing call established (call ID 32731, peer’s call ID
mar 28 12:05:46 Linux-iMac pppd[27691]: LCP: timeout sending Config-Requests
mar 28 12:05:46 Linux-iMac NetworkManager[27691]: LCP: timeout sending Config-Requests
mar 28 12:05:46 Linux-iMac NetworkManager[27691]: Connection terminated.

mar 28 12:05:46 Linux-iMac pppd[27691]: Connection terminated.

I did try a few things I saw while searching for a solution.

Here is my reference: PPTP Client

modprobe ppp-compress-18

Returns no error message, which is good according to what I’ve read.

strings $(which pppd) | grep -i mppe | wc --lines

Returns 44, I think this is OK too [they say 38, but can vary]

That’s about it [I tried some other things that are not worth mentioning]

Help would be welcome!

Thanks in advance!

Does it work alright when you go to Zorin Menu > Settings > Network > Firewall Configuration and turn your firewall off?

If so, you've got to open the necessary ports in gufw (the firewall) or whitelist the VPN application. Contact your VPN administrator for the ports to use.


I allowed in ufw all the traffic from the IP of the VPN.

But even so, I did try to disable the firewall to check, but I got the same error.

Thanks for the advice, could have been the error.

Does your net admin provide an openVPN config file? If so it's simple to import the config into a new network, which you can connect to from the wifi menu.

Without knowing the configuration it makes it difficult to troubleshoot. I'm sure the company would not like you posting it here either (please DON'T do that).

To troubleshoot this yourself, regardless if you know what's going on, create a web search using this template:

<error code: error description> pptp vpn Ubuntu 20

It doesn't have to read like a book, or sentence. It should start pointing you in the right direction.

Also, some companies only allow connections during certain times, this is something they should have told you when they gave you the configuration.

I should have mentioned more details, my bad.

This connection was working a few days ago, and I did not change the config.
I did install a newer kernel on my Zorin installation though, but even after that it was working ok.
I know this could be the source of the problem, but I've rebooted after the installation, and my VPN for work did connect.

I will search again on the web, I did not use the version of Ubuntu in my previous search.

Another piece of info, from the syslog:

portmaster-start[961]: #033[33m230330 08:36:02.172 on/nfq/nfq:190 :arrow_forward: WARN 839#033[0m nfqueue: failed to parse payload: Unable to decode PPPType 49185

I did not see this before, maybe it could help diagnose the problem (but I found nothing with a Google search).

Try this:
lsmod | grep -i nfqueue

If it returns nothing, try:
modprobe nfqueue

If that gives "modprobe: FATAL: Module nfqueue not found", given that you've stated that you've installed a new kernel... have you rebooted? The old modules for the running kernel aren't kept around.

Anyway, next, try:
find /lib/modules -iname '*nf*queue*'

That should give a list of modules that you can try to modprobe, to see if your connection starts working.

Result of the find:

/lib/modules/5.15.0-60-generic/kernel/net/netfilter/nfnetlink_queue.ko
/lib/modules/5.15.0-60-generic/kernel/net/netfilter/xt_NFQUEUE.ko
/lib/modules/5.15.0-60-generic/kernel/net/netfilter/nft_queue.ko
/lib/modules/5.15.0-67-generic/kernel/net/netfilter/nfnetlink_queue.ko
/lib/modules/5.15.0-67-generic/kernel/net/netfilter/xt_NFQUEUE.ko
/lib/modules/5.15.0-67-generic/kernel/net/netfilter/nft_queue.ko
/lib/modules/6.1.12-060112-generic/kernel/net/netfilter/nfnetlink_queue.ko
/lib/modules/6.1.12-060112-generic/kernel/net/netfilter/xt_NFQUEUE.ko
/lib/modules/6.1.12-060112-generic/kernel/net/netfilter/nft_queue.ko

But I can start nfqueue

modprobe: FATAL: Module nfqueue not found in directory /lib/modules/6.1.12-060112-generic

Do sudo modprobe on each of those, so for instance:
sudo modprobe nfnetlink_queue

Then check your connection.

If none of those work, then remove them, so for instance:
sudo modprobe -r nfnetlink_queue

If that doesn't work, we'll have to figure something else out.

I tried with the three related to kernel 6.1.12 :
nfnetlink_queue
xt_NFQUEUE
nft_queue

I was unable to remove them between each modprobe though, since they were in use and it refuses to execute the deletion. None worked...

Something else comes to my mind, I did install Zerotier in the meantime, as an alternative to be able to connect to my work (and it's working OK).
I shut down Zerotier before trying to connect to the VPN, since I think it's not a good idea to connect to a VPN while using ZT.

Have you allowed GRE (port 47) through the firewall?

First, install nautilus-admin
sudo apt install nautilus-admin

Navigate to /etc/ufw/before.rules, right click that file and select "Edit as Administrator". Enter your password, then enter:

# gre
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT

Be sure to put that above the line that states:
# drop INVALID packets (logs these in loglevel medium and higher)

Or, to be more secure, if your VPN server uses only a single IP address (and let's say for this purpose that it's 10.10.10.10):

# inbound GRE: match the server as source; outbound GRE: match it as destination
-A ufw-before-input -p 47 -s 10.10.10.10 -j ACCEPT
-A ufw-before-output -p 47 -d 10.10.10.10 -j ACCEPT

Now only port 47 packets from your VPN server are allowed through the firewall.

Save the file, exit out of the text editor, then go to Zorin menu > Settings > Network > Firewall Configuration, enter your password, then turn the firewall off, then turn it back on.

That should allow GRE through the firewall, which this error message:

mar 28 12:05:46 Linux-iMac NetworkManager[27691]: LCP: timeout sending Config-Requests
mar 28 12:05:46 Linux-iMac NetworkManager[27691]: Connection terminated.

...indicates is needed.


Or, if your VPN uses only a single IP address, you can enter an exception for that IP address. Let's say your VPN server's IP address is 10.10.10.10:
sudo ufw allow from 10.10.10.10

Then reboot, and all traffic from that server is allowed through the firewall.

You might be able to get the VPN server's IP address from your logs. If not, contact your VPN server administrator.


No worries. Next reboot, they won't load... unless the system needs them, which may be why they're already in use, in which case they will load.

The IP address of the VPN was allowed in my ufw config, but still, I did add the lines you provided me to the before.rules.
Stopped and enabled ufw and tried to connect, same error...

To be sure, I rebooted and started "clean". Same error again.

More log, maybe something useful for you there!

Mar 30 14:05:16 Linux-iMac portmaster-start[957]: #033[33m230330 14:05:16.207 on/nfq/nfq:190 :arrow_forward: WARN 053#033[0m nfqueue: failed to parse payload: Unable to decode PPPType 49185
Mar 30 14:05:18 Linux-iMac systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Mar 30 14:05:19 Linux-iMac pppd[6979]: LCP: timeout sending Config-Requests
Mar 30 14:05:19 Linux-iMac NetworkManager[6979]: LCP: timeout sending Config-Requests
Mar 30 14:05:19 Linux-iMac NetworkManager[6979]: Connection terminated.
Mar 30 14:05:19 Linux-iMac pppd[6979]: Connection terminated.
Mar 30 14:05:19 Linux-iMac NetworkManager[931]: [1680199519.2143] vpn-connection[0x55ec23d822e0,57991e14-861d-4399-bb81-5a550c747a48,"xxxxx",0]: VPN service disappeared
Mar 30 14:05:19 Linux-iMac pptp[6984]: nm-pptp-service-6975 warn[decaps_hdlc:pptp_gre.c:226]: short read (-1): Input/output error

The "Unable to decode PPPType 49185" seems like a hint, but I may be wrong! Didn't find anything useful searching with it though.

Thanks for all your help so far by the way !
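
An added example, not part of any post in this thread: the 49185 in the portmaster warning is 0xC021, the PPP protocol number for LCP, the same kind of frame whose negotiation pppd reports as timing out. The Python sketch below parses a PPTP enhanced-GRE packet (RFC 2637 layout) down to the PPP protocol and LCP code; the function name and the sample packet are constructed for illustration.

```python
import struct

# PPP protocol numbers and LCP codes (subset relevant to a PPTP session).
PPP_PROTOCOLS = {0x0021: "IPv4", 0x00FD: "compressed datagram", 0x8021: "IPCP",
                 0x80FD: "CCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack"}


def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse a PPTP enhanced-GRE packet (the bytes after the IP header)."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, ether_type, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (flags1 & 0x07) != 1 or ether_type != 0x880B:
        raise ValueError("not enhanced GRE (version 1) carrying PPP")
    has_seq, has_ack = bool(flags0 & 0x10), bool(flags1 & 0x80)  # S and A bits
    off = 8 + 4 * has_seq + 4 * has_ack
    if len(pkt) < off + payload_len:
        raise ValueError("packet shorter than its headers claim")
    info = {"call_id": call_id, "seq": None, "ack": None,
            "ppp_protocol": None, "ppp_name": None, "lcp_code": None}
    if has_seq:
        (info["seq"],) = struct.unpack("!I", pkt[8:12])
    if has_ack:
        (info["ack"],) = struct.unpack("!I", pkt[off - 4:off])
    ppp = pkt[off:off + payload_len]
    if not ppp:                        # ack-only packet, no PPP frame inside
        return info
    if ppp[:2] == b"\xff\x03":         # optional HDLC address/control bytes
        ppp = ppp[2:]
    if ppp and ppp[0] & 1:             # protocol-field compression: one byte
        proto, body = ppp[0], ppp[1:]
    elif len(ppp) >= 2:
        proto, body = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    else:
        raise ValueError("truncated PPP frame")
    info["ppp_protocol"] = proto
    info["ppp_name"] = PPP_PROTOCOLS.get(proto, "unknown")
    if proto == 0xC021 and body:       # first LCP byte is the code field
        info["lcp_code"] = LCP_CODES.get(body[0], "other")
    return info


# Constructed sample: K+S flags, version 1, call ID 1, seq 0, then an LCP
# Configure-Request (id 1, length 10) carrying one magic-number option.
SAMPLE = bytes.fromhex("3001880b000e0001" "00000000" "ff03c021" "0101000a" "050612345678")

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE))
```
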

If you've got the VPN server whitelisted, it may be that the VPN server isn't sending back the LCP packets (contact your VPN administrator) or your ISP has changed something that's blocking those packets (contact your ISP) or you've made a change on your router that's blocking those packets.

Those packets should be making it through the firewall, but with the VPN whitelisted, the firewall can't be the issue. It's got to be further upstream.

It isn't connecting to the server at all, that is why you are getting the

, unless they allow the offering of the config.
Maybe missing a flag or statement on the pptp configuration based on:

If it was working, then you installed Zerotier, it may be that its configuration changed the manual configuration. While it isn't ideal, try removing Zerotier, delete the manual configuration you had, and reconfigure it with what was given to you. Then test. Again, this may not work outside the permitted hours.

Ensure network connectivity to TCP port 1723 by allowing it in the firewall.

If the local network you are connected to is using the 192.168.0.0/24 and 192.168.1.0/24 subnets, you are going to run into issues because that is what the PPTP server uses by default. Change your home network IP range to either 10.0.0.0/8 or 172.16.0.0/16|24. Since PPTP VPNs use local DNS, unless configured differently on the server, using the same private network range will confuse your computer, indicating the VPN server is local.

My work is a small organization, and I can access the servers myself. It's a server running Windows server 2012r2. The VPN was set up by our external helpdesk for the work at home at the start of the pandemic, and with no change to this date.

I checked my router/modem config. I don't see anything wrong there. The only thing I modified is portforwarding for Torrents.

I will try @337harvey's advice, and remove Zerotier. Since I started trying to resolve this issue with the VPN today, it's not working anymore... It says I'm connected, but impossible to open my RDP connection with Remmina.

I'm now connecting through Google Remote Desktop (which I hate), but I must work so I'm happy to have this alternative !

I will give feedback later.

Thanks to all, your help is appreciated !

It didn't work after removing Zerotier. Since I don't know what to do more than this to be able to use again the VPN, I will stick with ZT.
I don't want to reinstall everything from scratch for now, but I think I will have to one day.
I like to try and install new things like upgrading the kernel, try other Graphical Interfaces, new software not always available in package, etc... Sometimes you mess up, it's the price to pay to be curious in Linux! Try and fail, search to repair and learn more about the system.

Two solutions are suggested here:
https://discussions.apple.com/thread/2676762

I wonder if either might apply to your situation.

@doalex This may be trivial or implied as done and completed, just trying to help with a different set of eyes/fingers:

Please correct me harshly if I'm wrong here but if I understand the error correctly - and sorry for spelling it out in my own baby-ish terms - it seems like your machine's client sends out a request to match configuration with that provided by your work's VPN server. That request to match heartbeats is not answered or matched with what the server wants. That said...

  • Did you happen to try reproducing the error while connected to a different network? Do you have the ability to create a WiFi hotspot with your phone or another device and connect your machine to that WiFi signal? Is the error reproduced when connected to this new network?
  • Based on what you've said regarding your ability to log into/access the remote server yourself;
    • What about ensuring that your server's PPTP protocol is enabled?
      • With your set of Admin credentials, can you check the remote access control settings of the server to ensure the protocol is even enabled and that it accepts connections from your machine?
      • What about if you try this with another machine?
  • I read that the 2012WindowsServer includes a built-in PPTP client that allows users to connect to PPTP VPN servers without the need for any additional software; allowing users with the Remote Access role in Windows Server 2012 R2 to configure and set up PPTP connections for other users.
    • Do your previously-mentioned Admin credentials used to log-in/access the server provide you the same level of access included in the Windows role mentioned above?
    • Do you think it's possible that the way in which the Windows-based server natively handles PPTP configurations might be the culprit - exposing a possible compatibility issue w/Linux?
  • I remember seeing that you tried modifying firewall configs, but do you maybe also have some sort of anti-virus software running?
    • Do you think it possible that another piece of software exists on the server-side which might be affecting routing/gating of the traffic? Like the previously mentioned client-side check of firewall/anti-virus settings?

:woozy_face: