Can't connect to PPTP VPN (Peer failed CHAP authentication)

I try to setup PPTP VPN tunnel to my Omnia. I already have a similar tunnel set up on Raspbian (and that one works), so I mostly just copied the config. But on Omnia, any connection attempt fails with “Peer … failed CHAP authentication”. Could you please help me solving this issue?

Of course, /etc/ppp/chap-secrets contains rows with my specified username and password of form
user pptp-server password *

And I’m pretty sure I enter the very same password on the client (the password only consists of letters, digits and an underscore, so I hope bad escaping does not come into play here).

Here’s the server log from a failed connection attempt:

debug pptpd[22536]: CTRL: pppd speed = 115200
debug pptpd[22536]: CTRL: pppd options file = /var/etc/options.pptpd
info pptpd[22536]: CTRL: Starting call (launching pppd, opening GRE)
debug pptpd[22565]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
info pppd[22565]: Plugin /usr/lib/pptpd/ loaded.
notice pppd[22565]: pptpd-logwtmp: $Version$
notice pppd[22565]: pppd 2.4.7 started by root, uid 0
debug pppd[22565]: using channel 22
info pppd[22565]: Using interface ppp1
notice pppd[22565]: Connect: ppp1 <–> /dev/pts/1
debug pppd[22565]: sent [LCP ConfReq id=0x1 <mru 1482> <magic 0x3d2cde3b>]
debug pppd[22565]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x27e0ae6c> ]
debug pppd[22565]: sent [LCP ConfRej id=0x1 <asyncmap 0x0> ]
debug pppd[22565]: rcvd [LCP ConfAck id=0x1 <mru 1482> <magic 0x3d2cde3b>]
debug pppd[22565]: rcvd [LCP ConfReq id=0x2 <magic 0x27e0ae6c>]
debug pppd[22565]: sent [LCP ConfAck id=0x2 <magic 0x27e0ae6c>]
debug pppd[22565]: sent [LCP EchoReq id=0x0 magic=0x3d2cde3b]
debug pppd[22565]: sent [CHAP Challenge id=0xad <079b70c5e0fc108cca85ee0100ca6045>, name = “pptp-server”]
debug pppd[22565]: rcvd [LCP EchoRep id=0x0 magic=0x27e0ae6c]
debug pppd[22565]: rcvd [CHAP Response id=0xad <92d6864f495ae88543a15f3620494b150000000000000000c716e445395e729a32975b428e7a297a172f94b4984e794600>, name = “peci1”]
warning pppd[22565]: Peer peci1 failed CHAP authentication
debug pppd[22565]: sent [CHAP Failure id=0xad “E=691 R=1 C=079b70c5e0fc108cca85ee0100ca6045 V=0 M=Access denied”]
debug pppd[22565]: sent [LCP TermReq id=0x2 “Authentication failed”]
debug pppd[22565]: rcvd [LCP TermReq id=0x3 “Failed to authenticate ourselves to peer”]
debug pppd[22565]: sent [LCP TermAck id=0x3]
debug pppd[22565]: rcvd [LCP TermAck id=0x2]
notice pppd[22565]: Connection terminated.
info pppd[22565]: Exit.
err pptpd[22536]: GRE: read(fd=6,buffer=263ac,len=8196) from PTY failed: status = -1 error = I/O error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

cat /etc/config/pptpd

config service 'pptpd’
option ‘enabled’ '1’
option ‘localip’ '’
option ‘remoteip’ '’
option ‘logwtmp’ ‘1’

config 'login’
option ‘username’ '…'
option ‘password’ '…'
option ‘remoteip’ ‘’

cat /var/etc/options.pptpd

logfile /var/log/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
mppe required,no40,no56,stateless
mppe required,no40,no56,stateless

it is most likely that your credentials are bad or the endpoint uses additional information for auth (like the interfaces MAC)
gives a short overview of possible reasons of failure.

debug pppd[22565]: sent [CHAP Failure id=0xad "E=691 R=1 C=079b70c5e0fc108cca85ee0100ca6045 V=0 M=Access denied"]
EDIT: sry E=691 means wrong password, so the endpoint is even quite specific on the error occuring
there might be different source of the error, but generally it is a problem of not quoting the pw correctly, having a pw with spaces or other
do you have an option to crosscheck the exact credentials?

Thanks. I’ve seen this page. I’ve now Ctrl+C’d Ctrl+V’d the password from the server to the client, so it is definitely the same. I even tried chanaging it to a letter-only password. Still the same, though.

may I ask what ISP and what connection type you are using?
some ISPs have weird prefixes and other stuff, they demand for their password and username, E691 could also be a generic answer for username not found, depending on the used auth backend of the ISP.

It’s Vodafone VDSL in the Czech republic… But this shouldn’t be related to the ISP, should it? I know, both VPN and WAN are PPP connections, but I’d expect VPN to be treated as any other kind of internet traffic just using my ISP’s “wire”

Turris Omnia has a bug on PPPoE see

Isn’t it just a Foris bug? I faced it, but I could correctly setup my PPPoE WAN in Luci. So at least one PPPoE connection works…

Now I’ve found out that when I comment out the require-mschapv2 and mppe required,no40,no56,stateless config options, I can connect using CHAP protocol, but not MS-CHAPv2. So it is definitely not a firewall/bad credentials issue.

On the other hand, I can normally connect with MS-CHAPv2 auth to a Raspbian VPN server, so the client side is also okay.

Unfortunately, I can’t just copy/paste the working config from the Raspi, because it has different/incompatible versions of pppd (2.4.5, but with different config options syntax).

See also: MSCHAP-V2 authentication broken for PPTP VPN (logs included)

This bug has been fixed in Turris OS 3.5 (both for VPN client and server).