How to connect to a Windows VPN-server using Linux? In my case PPTP was not allowed; I was required to use L2TP and a certificate (plus domain\user and password of course). All my attempts with OpenVPN, Network Manager and Mac OS X were in vain – only Windows VPN clients seemed to work. I wanted to connect from Linux, and was successful with the following strategy:
- Install Windows 2000 under Qemu
- Configure VPN in virtual machine and share it
- Route VPN traffic to virtual Windows machine
My linux machine is located behind a NAT (192.168.0.2) on the 192.168.0.* network.
The network behind VPN is 10.2.*.
Windows and Qemu
I will not write a guide on how to install Windows on Qemu, but Windows 2000 or later should work. Pick TinyXP if you don't have a problem with it. An older version of Windows means less disk/RAM usage, and you will only use it as a VPN client anyway. On 2000/XP check out MS knowledge base article 818043.
I used real network mode in Qemu (i.e. a tap device). So, I configured a bridge device (br0) to which I connected both eth0 and tap0. See example below for some help. Perhaps -net user can work as well (but be aware that the Windows machine must have IP=192.168.0.1, see below).
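The bridge setup referred to above, as an added example that is not the original author's script: it builds br0 from eth0 plus a tap0 owned by the user who runs qemu, and tears it down again. The host address 192.168.0.10/24 and the use of the ip command for addressing are my assumptions; the gateway 192.168.0.2 is the NAT box from the post. With DRY_RUN=1 it only prints the commands, which is the easiest way to review what it would do to the physical interface before running it for real.

```shell
#!/bin/sh
# Added example, not the post's own script: bridge eth0 and a user-owned tap0
# into br0 so a Qemu guest sits on the real LAN. DRY_RUN=1 prints instead of
# running. HOST_IP is an assumed address; LAN_GW is the NAT box from the post.

HOST_IP=${HOST_IP:-192.168.0.10/24}   # assumption: address this host uses on the LAN
LAN_GW=${LAN_GW:-192.168.0.2}         # the NAT router mentioned in the post
BRIDGE=${BRIDGE:-br0}
NIC=${NIC:-eth0}
TAP=${TAP:-tap0}
TAP_USER=${TAP_USER:-${USER:-$(id -un)}}

# run CMD...: execute with sudo, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        sudo "$@"
    fi
}

bridge_up() {
    run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    # the physical NIC gives up its address; the bridge takes it over below
    run ip addr flush dev "$NIC"
    run brctl addif "$BRIDGE" "$NIC"
    # persistent tap owned by the qemu user, so qemu itself need not run as root
    run tunctl -t "$TAP" -u "$TAP_USER"
    run brctl addif "$BRIDGE" "$TAP"
    run ip link set "$NIC" up
    run ip link set "$TAP" up
    run ip addr add "$HOST_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    # flushing the NIC dropped the default route, so put it back on the bridge
    run ip route add default via "$LAN_GW" dev "$BRIDGE"
}

bridge_down() {
    run ip link set "$BRIDGE" down
    run brctl delif "$BRIDGE" "$TAP"
    run tunctl -d "$TAP"
    run brctl delif "$BRIDGE" "$NIC"
    run brctl delbr "$BRIDGE"
    # hand the address and default route back to the physical NIC
    run ip addr add "$HOST_IP" dev "$NIC"
    run ip route add default via "$LAN_GW" dev "$NIC"
}

case "${1:-}" in
    up)   bridge_up ;;
    down) bridge_down ;;
    *)    echo "usage: $0 up|down   (set DRY_RUN=1 to only print the commands)" >&2 ;;
esac
```

Run it as "DRY_RUN=1 sh bridge.sh up" first; the printed sequence is exactly what the real run would execute with sudo, in that order.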
Configure and Share VPN in Windows
Configuring Windows to connect to the VPN should be very easy. When you are done, right-click on your VPN connection and choose the Sharing tab. Check “Enable Internet Connection Sharing for this connection”. Now something weird happens: the Windows machine has to have IP=192.168.0.1! You have to accept that, and hopefully your local network can be 192.168.0.* while the network you want to connect to is not 192.168.0.*.
Route VPN-traffic to Windows machine
For me, the following command on the linux machine is enough:
sudo route add -net 10.2.0.0/16 gw 192.168.0.1
Now try to ping or ssh to something on the 10.2-network. You might want to change your DNS to a DNS on the VPN.
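A check worth running before the route command, added here as an example and not part of the original post: because Internet Connection Sharing forces the guest to 192.168.0.1, the VPN network must not overlap the local 192.168.0.0/24, and the gateway must actually be inside that LAN, otherwise the route either shadows local hosts or is unreachable. The functions are plain POSIX sh with no dependencies; the VPN network and gateway default to the post's values, and the LAN prefix 192.168.0.0/24 is taken from the post's routing table.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to add the VPN route when the
# VPN network overlaps the LAN that ICS forces to 192.168.0.0/24, or when the
# gateway is outside that LAN. Pure POSIX sh integer arithmetic, no tools needed.

# ip4_to_int 10.2.0.0 -> 167903232 (dotted quad as a 32-bit number)
ip4_to_int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# net_mask 24 -> 4294967040 (0xffffff00)
net_mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# cidr_overlaps A/p B/q: true (0) if the two networks share any address.
# They overlap exactly when the network with the shorter prefix contains
# the other one's base address.
cidr_overlaps() {
    n1=${1%/*}; p1=${1#*/}
    n2=${2%/*}; p2=${2#*/}
    if [ "$p1" -le "$p2" ]; then
        short_net=$n1; short_p=$p1; long_net=$n2
    else
        short_net=$n2; short_p=$p2; long_net=$n1
    fi
    m=$(net_mask "$short_p")
    [ $(( $(ip4_to_int "$short_net") & m )) -eq $(( $(ip4_to_int "$long_net") & m )) ]
}

# vpn_route_cmd VPN_NET ICS_GW LAN_NET: print the route command to run, or
# print the reason on stderr and fail.
vpn_route_cmd() {
    vpn=$1; gw=$2; lan=$3
    if cidr_overlaps "$vpn" "$lan"; then
        echo "refusing: VPN network $vpn overlaps the local LAN $lan (ICS forces the guest to 192.168.0.1)" >&2
        return 1
    fi
    if ! cidr_overlaps "$gw/32" "$lan"; then
        echo "refusing: gateway $gw is not inside $lan, the route would be unreachable" >&2
        return 1
    fi
    echo "sudo route add -net $vpn gw $gw"
}

# defaults are the post's values; override with VPN_NET=..., ICS_GW=..., LAN_NET=...
vpn_route_cmd "${VPN_NET:-10.2.0.0/16}" "${ICS_GW:-192.168.0.1}" "${LAN_NET:-192.168.0.0/24}"
```

With the post's values it prints the same route command given above; with a VPN network such as 192.168.0.0/16 it refuses, which is the situation the sharing step warns about.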
Qemu-startup-script
I use the following script to start my Qemu machine:
sudo route add -net 10.2.0.0/16 gw 192.168.0.1
sudo tunctl -t tap1
# sudo brctl addif br0 tap1
sudo qemu -m 128 -net nic -net tap,ifname=tap1 vpn2000.qcow
# sudo brctl delif br0 tap1
sudo tunctl -d tap1
sudo route del -net 10.2.0.0/16 gw 192.168.0.1
I really have no idea why I don't need to connect br0 to tap1, but it happens automatically 🙂
My working routing table looks like this:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
10.2.0.0        192.168.0.1     255.255.0.0     UG    0      0        0 br0
link-local      *               255.255.0.0     U     1000   0        0 br0
default         192.168.0.2     0.0.0.0         UG    100    0        0 br0
Was trying to do this with a virtualbox but just couldn’t get it to work.
Turns out I hadn’t enabled internet sharing, and I would never have thought of it myself so thank you for pointing me in the right direction 🙂