Can't connect to PPTP VPN (Peer failed CHAP authentication)

I am trying to set up a PPTP VPN tunnel to my Omnia. I already have a similar tunnel set up on Raspbian (and that one works), so I mostly just copied the config. But on Omnia, any connection attempt fails with “Peer … failed CHAP authentication”. Could you please help me solve this issue?

Of course, /etc/ppp/chap-secrets contains rows with my specified username and password of the form
user pptp-server password *

And I’m pretty sure I enter the very same password on the client (the password only consists of letters, digits and an underscore, so I hope bad escaping does not come into play here).

Here’s the server log from a failed connection attempt:

debug pptpd[22536]: CTRL: pppd speed = 115200
debug pptpd[22536]: CTRL: pppd options file = /var/etc/options.pptpd
info pptpd[22536]: CTRL: Starting call (launching pppd, opening GRE)
debug pptpd[22565]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
info pppd[22565]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
notice pppd[22565]: pptpd-logwtmp: $Version$
notice pppd[22565]: pppd 2.4.7 started by root, uid 0
debug pppd[22565]: using channel 22
info pppd[22565]: Using interface ppp1
notice pppd[22565]: Connect: ppp1 <--> /dev/pts/1
debug pppd[22565]: sent [LCP ConfReq id=0x1 <mru 1482> <magic 0x3d2cde3b>]
debug pppd[22565]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x27e0ae6c> ]
debug pppd[22565]: sent [LCP ConfRej id=0x1 <asyncmap 0x0> ]
debug pppd[22565]: rcvd [LCP ConfAck id=0x1 <mru 1482> <magic 0x3d2cde3b>]
debug pppd[22565]: rcvd [LCP ConfReq id=0x2 <magic 0x27e0ae6c>]
debug pppd[22565]: sent [LCP ConfAck id=0x2 <magic 0x27e0ae6c>]
debug pppd[22565]: sent [LCP EchoReq id=0x0 magic=0x3d2cde3b]
debug pppd[22565]: sent [CHAP Challenge id=0xad <079b70c5e0fc108cca85ee0100ca6045>, name = "pptp-server"]
debug pppd[22565]: rcvd [LCP EchoRep id=0x0 magic=0x27e0ae6c]
debug pppd[22565]: rcvd [CHAP Response id=0xad <92d6864f495ae88543a15f3620494b150000000000000000c716e445395e729a32975b428e7a297a172f94b4984e794600>, name = "peci1"]
warning pppd[22565]: Peer peci1 failed CHAP authentication
debug pppd[22565]: sent [CHAP Failure id=0xad "E=691 R=1 C=079b70c5e0fc108cca85ee0100ca6045 V=0 M=Access denied"]
debug pppd[22565]: sent [LCP TermReq id=0x2 "Authentication failed"]
debug pppd[22565]: rcvd [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
debug pppd[22565]: sent [LCP TermAck id=0x3]
debug pppd[22565]: rcvd [LCP TermAck id=0x2]
notice pppd[22565]: Connection terminated.
info pppd[22565]: Exit.
err pptpd[22536]: GRE: read(fd=6,buffer=263ac,len=8196) from PTY failed: status = -1 error = I/O error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

cat /etc/config/pptpd

config service 'pptpd'
option 'enabled' '1'
option 'localip' '192.168.18.1'
option 'remoteip' '192.168.18.8-10'
option 'logwtmp' '1'

config 'login'
option 'username' '…'
option 'password' '…'
option 'remoteip' '192.168.18.8'

cat /var/etc/options.pptpd

debug
logfile /var/log/pptp-server.log
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
chapms-strip-domain
mppe required,no40,no56,stateless
proxyarp
lock
ms-dns 192.168.18.1
mppe required,no40,no56,stateless

It is most likely that your credentials are bad or the endpoint uses additional information for auth (like the interface's MAC).
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#chap_failure
gives a short overview of possible reasons for failure.

debug pppd[22565]: sent [CHAP Failure id=0xad "E=691 R=1 C=079b70c5e0fc108cca85ee0100ca6045 V=0 M=Access denied"]
EDIT: Sorry, E=691 means wrong password, so the endpoint is even quite specific about the error occurring.
There might be a different source of the error, but generally it is a problem of not quoting the pw correctly, having a pw with spaces, or other.
Do you have an option to crosscheck the exact credentials?
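To read the CHAP lines of such a pppd debug log mechanically, the following added example (not part of any post in this thread) decodes the E/R/C/V/M fields of the Failure packet and splits the Response value using the MS-CHAPv2 layout from RFC 2759. The sample input is constructed from the three CHAP lines in the log above; the function and variable names are illustrative.

```python
import re

# RFC 2759 failure codes carried in the "E=" field of the Failure packet.
ERRORS = {646: "restricted logon hours", 647: "account disabled",
          648: "password expired", 649: "no dial-in permission",
          691: "authentication failure", 709: "error changing password"}

# Constructed sample: the three CHAP lines copied from the server log above.
SAMPLE_LOG = '''\
debug pppd[22565]: sent [CHAP Challenge id=0xad <079b70c5e0fc108cca85ee0100ca6045>, name = "pptp-server"]
debug pppd[22565]: rcvd [CHAP Response id=0xad <92d6864f495ae88543a15f3620494b150000000000000000c716e445395e729a32975b428e7a297a172f94b4984e794600>, name = "peci1"]
debug pppd[22565]: sent [CHAP Failure id=0xad "E=691 R=1 C=079b70c5e0fc108cca85ee0100ca6045 V=0 M=Access denied"]
'''

VALUE = re.compile(r'\[CHAP (Challenge|Response) id=(0x[0-9a-f]+) <([0-9a-f]+)>, name = "([^"]*)"\]')
FAILURE = re.compile(r'\[CHAP Failure id=(0x[0-9a-f]+) "E=(\d+) R=([01]) C=([0-9a-fA-F]+) V=(\d+)(?: M=([^"]*))?"\]')

def split_mschapv2_response(value: bytes) -> dict:
    """Split the 49-octet MS-CHAPv2 Response value into its RFC 2759 fields."""
    if len(value) != 49:
        raise ValueError(f"expected 49 octets, got {len(value)}")
    return {"peer_challenge": value[:16], "reserved": value[16:24],
            "nt_response": value[24:48], "flags": value[48]}

def diagnose(log: str) -> dict:
    """Summarise the CHAP exchange found in a pppd debug log."""
    log = log.translate({0x201C: '"', 0x201D: '"'})  # undo smart quotes from copy/paste
    out = {}
    for kind, pkt_id, hexval, name in VALUE.findall(log):
        out[kind.lower()] = {"id": pkt_id, "name": name, "value": bytes.fromhex(hexval)}
    fail = FAILURE.search(log)
    if fail:
        code = int(fail.group(2))
        out["failure"] = {"id": fail.group(1), "code": code,
                          "meaning": ERRORS.get(code, "unknown"),
                          "retry_allowed": fail.group(3) == "1",
                          "message": fail.group(6)}
    chal, resp = out.get("challenge"), out.get("response")
    # A 16-octet challenge with a 49-octet response is the MS-CHAPv2 shape;
    # plain CHAP (MD5) would return a 16-octet response instead.
    if chal and resp and len(chal["value"]) == 16 and len(resp["value"]) == 49:
        out["mschapv2"] = split_mschapv2_response(resp["value"])
    return out

if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_LOG).items():
        print(key, val)
```

For this log the reserved field is all zero and the flags octet is 0, so the client's response is well formed for MS-CHAPv2 and the rejection comes from the server's verification of the NT response.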

Thanks. I’ve seen this page. I’ve now Ctrl+C’d Ctrl+V’d the password from the server to the client, so it is definitely the same. I even tried changing it to a letter-only password. Still the same, though.

May I ask what ISP and what connection type you are using?
Some ISPs have weird prefixes and other stuff they demand for their password and username; E691 could also be a generic answer for username not found, depending on the auth backend the ISP uses.

It’s Vodafone VDSL in the Czech Republic… But this shouldn’t be related to the ISP, should it? I know, both VPN and WAN are PPP connections, but I’d expect VPN to be treated as any other kind of internet traffic just using my ISP’s “wire”.

Turris Omnia has a bug on PPPoE, see https://www.turris.cz/doc/en/troubleshooting/erratum

Isn’t it just a Foris bug? I faced it, but I could correctly set up my PPPoE WAN in Luci. So at least one PPPoE connection works…

Now I’ve found out that when I comment out the require-mschapv2 and mppe required,no40,no56,stateless config options, I can connect using the CHAP protocol, but not MS-CHAPv2. So it is definitely not a firewall/bad credentials issue.

On the other hand, I can normally connect with MS-CHAPv2 auth to a Raspbian VPN server, so the client side is also okay.

Unfortunately, I can’t just copy/paste the working config from the Raspi, because it has a different/incompatible version of pppd (2.4.5, but with different config options syntax).

See also: MSCHAP-V2 authentication broken for PPTP VPN (logs included)

This bug has been fixed in Turris OS 3.5 (both for VPN client and server).