Trials and tribulations

When I set out to connect to the work network from home, I thought it’d be a fairly easy thing to do™. All too soon, I was to find out, this is certainly not the case. I am convinced that “VPN” stands for “Very Painful Networking” rather than “Virtual Private Network.”

Before anyone asks the obvious question, “why would you want to work from home anyway?” imagine being able to do a full day’s work but managing to avoid the traffic. This is what I wanted to achieve; pyjama working, sleeping in, far less petrol consumption.

By detailing what I did, hopefully someone else who has experienced the same problem can fix theirs. There are a lot of people experiencing what seem to be the same problems I had, but none of the possible fixes out there worked for me, and in some instances they seemed to make things worse.

Connections between Macs and PPTP VPNs

Ingredients

  • MacBook with OS X Leopard (10.5.6)
  • Netgear DG834G v2 with latest firmware
  • PPTP VPN (provided by employer, with several details unknown)
  • Time. Lots and lots of time.

Method

  1. Manually assign IP of MacBook in the Netgear router (we’ll be forwarding a port to it soon)
  2. Open PPTP (port 1723) on TCP in the Netgear router, forwarding to the IP of the MacBook
  3. Open “System Preferences”
  4. Select “Network”
  5. Select the plus button by the bottom left-hand corner of the window, to create a new service
  6. Select the drop-down box marked “Interface” and select “VPN”
  7. Select the drop-down box marked “VPN Type:” and select “PPTP”
  8. Change the “Service Name:” to “PPTP VPN” (or whatever other name of your choice) and select “Create”
  9. Within this service’s details, select the drop-down box marked “Configuration:” and select “Add Configuration…”
  10. Enter the “Name:” as the name of your company (or whatever other name of your choice) and select “Create”
  11. Enter the IP of your “Server Address:”
  12. Enter the username of your “Account Name:”
  13. Select the “Authentication Settings…” button
  14. Depending on the security settings of your VPN (your employer’s IT staff should have told you) enter whatever is necessary and select “OK”
  15. Select the “Advanced” button, and make sure “Send all traffic over VPN connection” and “Use verbose logging” is checked, and select “OK”

When I tried to connect, it connected and authenticated just fine. However, when I tried to access anything, I was disconnected immediately. I checked my PPP connection logs (Go to /Applications/Utilities/Console.app and select “ppp” in the left column) but it didn’t tell me much.

So, what now? The IT staff weren’t amazingly forthcoming at helping me out, which is fair enough: there could be a lot on my end that is causing the problem(s). Next step: Google.

What happened next

  1. I disabled Parallels’ Virtual Network Adapters because there’s a post by Akita On Rails that claims they interfere with the VPN connection
  2. This did not work
  3. I updated libssl.0.9.dylib and libcrypto.0.9.dylib as described on Mac-Windows’ tips and report on Leopard Virtual Private Networks, claiming upgrading from OS X Tiger to OS X Leopard accidentally replaces these files with PPC versions
  4. This did not work
  5. I tried updating the related libssl.0.9.7.dylib and libcrypto.0.9.7.dylib afterwards, in addition to the previous *.dylib files
  6. This did not work; I think it actually made it worse

I was about to up/downgrade the version of pppd, or find out more about how to customise its options in OS X (there is lots of documentation about customising it on Linux, but the same instructions didn’t work in OS X), when I had a thought. Something I should have done in the first place.

Ask Heydon

What OS X users around the world were asking on forums, no techie was adequately answering.

Heydon answered it in one line:

The GRE data is fucked … because that is pretty much always the problem with PPTP VPNs.

To which I replied, Yay! shortly followed by, Fucked as in, proper fucked?, always taking the chance to quote some silly one-liner from any movie at all (Snatch, if you didn’t realise.)

He goes on to tell me that over a normal network (PPP, I’m assuming) you can send 1500 bytes per packet. If you send 1500 bytes over a VPN, the VPN sticks its own bit of data on top, making it over 1500 bytes. Since it isn’t able to fragment it, it drops the packet.

So what am I meant to do? Set the VPN interface to never send more than 1450 bytes or so. To test if this is the problem, send through packets of various sizes and see which ones get through. Start with pinging 50 bytes, then 1000, then 1400, 1500, and basically trial and error until it breaks. If it breaks at a bit less than 1500, you know it’s MTU.
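The trial-and-error ping test described above, written up as an added example (not code from the original post): a binary search over the ping payload size with the don’t-fragment bit set, so the largest size that passes is found in about eleven probes instead of guessing. The `macos_probe` helper assumes the macOS ping(8) flags (-D, -s, -c, -W); `simulated_link` is a constructed stand-in for a real path so the search can be exercised offline.

```python
"""Find the largest ping payload a path passes without fragmentation."""
import subprocess
from typing import Callable

ICMP_HEADER = 8   # bytes ping adds on top of the payload (ICMP echo header)
IPV4_HEADER = 20  # bytes of IPv4 header without options


def macos_probe(host: str, payload: int) -> bool:
    """Send one don't-fragment ping of `payload` data bytes using macOS ping(8).

    Assumed flags: -D sets the DF bit, -s the payload size, -c 1 sends one
    packet, -W 2000 waits up to 2000 ms for the reply. Returns True on a reply.
    """
    cmd = ["ping", "-D", "-c", "1", "-W", "2000", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Assumes probe is monotone: it passes up to some size and fails above it.
    Returns -1 if even the smallest size fails (the path is down or DF is
    being dropped outright, not an MTU problem).
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            lo = mid               # mid passed: the answer is mid or larger
        else:
            hi = mid - 1           # mid was dropped: the answer is below mid
    return lo


def ip_packet_size(payload: int) -> int:
    """IPv4 packet size on the wire for a ping with this many data bytes."""
    return payload + ICMP_HEADER + IPV4_HEADER


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: drops any IP packet over path_mtu."""
    return lambda payload: ip_packet_size(payload) <= path_mtu


if __name__ == "__main__":
    # Against a real VPN: probe = lambda n: macos_probe("<vpn-side host>", n)
    probe = simulated_link(1400)   # constructed: a 1400-byte path like the post's
    best = find_max_payload(probe)
    print(f"largest payload {best} bytes -> IP packet {ip_packet_size(best)} bytes")
```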

I read up a bit more, and then I found my magic number: 1391 (plus an extra 8, 1399; at 1392, which makes 1400, it breaks). According to the Microsoft support site, in an article about changing the default MTU size for PPP or VPN connections, Microsoft Windows Server 2003, Microsoft Windows 2000, and Microsoft Windows XP [ … ] use a fixed MTU size of 1400 bytes for all VPN connections. 1400. Great. So how do I change it for my PPTP VPN connection, but keep my regular PPP stuff the same? I didn’t want to change it on my router across the board, and there was no configuration to change it only for VPN traffic.

In OS X Leopard, as at 10.5.6, you can change an Ethernet connection’s MTU size (and a wireless connection’s too), but there is no way to change it just for the VPN connection. Clicking on the Ethernet or wireless connection, then the Advanced button, then the Ethernet tab, shows you can customise the MTU.

That also doesn’t help if you don’t want to change it across the board on your machine. So I set up a new Location, “Home + PPTP VPN”, added the PPTP VPN connection in there, and changed the MTU size of my Ethernet connection in that Location to 1400.

Screenshot of customised MTU size via advanced network settings for Built-in Ethernet

Whenever I need to connect to the VPN, I move from my regular “Home” Location to the “Home + PPTP VPN” Location, and everything’s fine and dandy. Connected for hours and counting. There’s a momentary disconnection from the internet when switching between Locations, but that’s expected.

Problem solved! I’m going to buy Heydon a bottle of wine … or some hookers and cigars.
