
I was able to set up a small PPTP VPN with a server and two clients. All machines run Ubuntu 14.04.

The connection works great and is reliable. I can ping all machines from everywhere. Also, HTTP access from the browser works flawlessly.

However I'm not able to SSH from any machine to any other machine.

I have not installed any custom firewall rules, since the entire setup is behind external firewalls.

I would appreciate any hint on how to enable SSH over PPTP.

Thanks!

Update

I enabled logging on the client by calling ssh -v myuser@10.0.0.1 and on the server by changing the following two lines in /etc/ssh/sshd_config:

# Logging
SyslogFacility DAEMON
LogLevel DEBUG

I can see in the log files that a connection can be established. However, the process always gets stuck somewhere along the way:

Client log

debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22.
debug1: Connection established.
...
debug1: SSH2_MSG_KEXINIT sent

Server log

Aug 28 02:21:53 lemaker sshd[2130]: Connection from 10.0.0.11 port 60666 on 10.0.0.1 port 22
...
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]

This is where the connection gets stuck for a minute or so, before they disconnect.

dh1tw
  • If you do a 'netstat -an | grep 22' do you see a listener on either 0.0.0.0 or your tunnel address? If not, check /etc/ssh/sshd_config and make sure you're listening on the tunnel IP. – Brandon Xavier Aug 27 '15 at 17:33
  • yes, there is a listener on 0.0.0.0; but in order to be on the safe side, I explicitly added in sshd_config also a listener on the tunnel's ip. But it still doesn't work. – dh1tw Aug 27 '15 at 18:09
  • You solved this question about your scenario. What I am wondering is why you have chosen to set up a PPTP server instead of, say, OpenVPN. Especially since all your devices are recent Ubuntu. – Alex Stragies Aug 27 '15 at 21:20
  • pptp is imho way easier to set up. I don't mind about the reduced strength of encryption, since I'm not transmitting any confidential data over the VPN. I also chose PPTP because it's natively supported on iOS devices, and they say it's less resource intensive. Some of the devices which are connected are Raspberry Pis. – dh1tw Aug 27 '15 at 21:46

1 Answer


I finally solved the problem. I had to reduce the MTU of my PPTP connection from 1492 to 1392.

In order to find the right MTU size, try different values directly in your shell by executing ifconfig ppp0 mtu 1200 (or any other value / interface).

To make the changes permanent, add the following lines to /etc/ppp/pptpd-options:

mtu 1392
mru 1392

Then restart the service with sudo service pptpd restart

and verify with ifconfig that the MTU has been reduced.

At least in my case, I can now finally open an SSH session.

dh1tw
  • This worked for me too, thanks a million. Just for the record: in Raspbian (and probably also in Debian) you have to edit /etc/ppp/options instead. – Fran Marzoa Sep 05 '15 at 18:12
  • What is the underlying reason for which PPTP requires a smaller MTU/MRU? Is it due to additional headers that expand packet sizes such that SSH can't deal with them? Also it's not a problem with all SSH servers, just some. – Nimrod Jan 08 '18 at 03:00
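
The trial-and-error MTU search described in the answer can be automated. The script below is an added example, not part of the original post: it binary-searches for the largest MTU that crosses the tunnel using pings with the Don't Fragment bit set. It assumes Linux iputils ping and that ICMP echo is allowed through the tunnel; the function names probe and find_path_mtu are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find the largest MTU that
# crosses a tunnel without fragmentation, by binary search over ping sizes.
# Run it while the tunnel interface still has its original (too large) MTU.

# probe SIZE HOST: succeed if an ICMP echo carrying SIZE payload bytes with
# the Don't Fragment bit set gets a reply (Linux iputils ping flags).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: print the largest working MTU in
# [LOW, HIGH]; return 1 if even LOW does not get through.
# ICMP payload = MTU - 28 (20-byte IPv4 header + 8-byte ICMP header).
find_path_mtu() {
    local host="$1" lo="${2:-576}" hi="${3:-1500}" mid
    probe $((lo - 28)) "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if probe $((mid - 28)) "$host"; then
            lo=$mid                        # mid fits: search above it
        else
            hi=$((mid - 1))                # mid is dropped: search below it
        fi
    done
    echo "$lo"
}

# Command-line use: ./find_mtu.sh 10.0.0.1
if [ $# -ge 1 ]; then
    if mtu=$(find_path_mtu "$1"); then
        echo "largest working MTU to $1: $mtu"
        echo "try it with: ifconfig ppp0 mtu $mtu"
    else
        echo "no reply from $1 even at the lowest MTU tried" >&2
        exit 1
    fi
fi
```

A single lost reply is read as "too large", so on a lossy link repeat the run or raise the ping count in probe before writing the value to the pptpd options file.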