This document describes how to set up a Point-to-Point tunneling protocol (PPTP)
VPN server (and client) using Slackware Linux [www.slackware.com] and PoPToP
[www.poptop.org]. PPTP - a Microsoft protocol - may not be the most advanced
protocol for setting up VPN, but is relatively easy to set up and isn't as
intrusive to your system as other VPN solutions such as OpenSwan. Another
plus is that it is supported by nearly every Windows version in their default
installation, making it a breeze for your clients to connect.
A word of warning before getting started:
MPPC, the compression protocol used for PPTP, is a patented technology.
Therefore, it may be illegal in your country to use this technology without
the consent of Hifn Inc (http://www.hifn.com/), the patent holder for MPPC.
With the legal chit-chat out of the way, let's get going!
***************************************************
Table of contents
***************************************************
***************************************************
1. Requirements
2. Installing and configuring the server end
2.1 Installing MPPC/MPPE support in the kernel
2.2 Installing poptop
2.3 Configuring poptop
2.3.1 Setting up IP-addressing
2.3.2 Configuring the pptp daemon
2.3.3 Adding users
3 Installing and configuring the client end
3.1 Installing the Linux pptp client
3.2 Configuring the Linux pptp client
***************************************************
*****************
1 Requirements
*****************
The installation of the PPTP server and client requires the following packages
on your system:
- Kernel sources
- ppp (from the "n" series of packages)
For the remainder of this document we are going to assume that your kernel sources
are installed in /usr/src and that the ppp package installed is the default Slackware
ppp package, which is already equipped with MPPE support.
Apart from these requirements this document also assumes some basic knowledge of
TCP/IP networking and familiarity with Linux kernel compilation.
*********************************************
2 Installing and configuring the server end
*********************************************
************************************************
2.1 Installing MPPC/MPPE support in the kernel
************************************************
The first step is making sure that our kernel has support for MPPC/MPPE.
The PoPToP project provides several methods for installing MPPC/MPPE support,
but these are for older kernels. Therefore we are going to do things by hand
using the MPPC/MPPE patch from http://www.polbox.com/h/hs001/
Download the appropriate MPPE/MPPC patch for your kernel version from
http://www.polbox.com/h/hs001/#AEN56 and place it in /usr/src.
- Note 1: The patch assumes the path of your kernel sources to be
/usr/src/linux-$VERSION, but since /usr/src/linux is usually a symlink to
this directory this should not be much of a problem.
- Note 2: If there is no patch for your kernel version, you can try
downloading the patch with the version number closest to yours and
making a symlink like this:
ln -s /usr/src/linux-$MYVERSION /usr/src/linux-$MPPE-MPPC-PATCH-VERSION
Apply the patch to your kernel sources:
cd /usr/src
zcat linux-$VERSION-mppe-mppc-1.3.patch.gz | patch -p0
Configure the kernel:
cd /usr/src/linux
make menuconfig
In the kernel configuration menu go to Device drivers --> Networking support and make sure
the PPP options look like this (the /etc/modules.conf aliases further on assume that PPP
and its compressors are built as modules):
[...]
PPP (point-to-point protocol) support
[ ] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
PPP support for async serial ports
PPP support for sync tty ports
PPP Deflate compression
PPP BSD-Compress compression
Microsoft PPP compression/encryption (MPPC/MPPE)
[...]
Next go to Cryptographic options in the kernel configuration menu and enable
SHA1 and RC4 algorithms.
Exit menuconfig and save your configuration.
Compile your new kernel and modules. For this I use "make modules modules_install bzImage"
and handle the post-compilation tasks by hand, but feel free to compile the new kernel in
a way you feel comfortable with. Reboot your system and verify that your new kernel
functions OK.
Add the following lines to /etc/modules.conf (note the spelling of tty-ldisc; a
misspelled alias is silently ignored and the sync tty module will not be loaded):
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe_mppc
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
This concludes the kernel part of the installation.
***********************
2.2 Installing poptop
***********************
Grab the latest stable pptpd sources from
http://sourceforge.net/project/showf...group_id=44827
then compile and install pptpd:
tar zxvf pptpd-$VERSION.tar.gz
cd pptpd-$VERSION
./configure
make
su
make install
(Or use checkinstall, available from the "extra" series of packages, to generate a
Slackware package instead of running make install directly.)
************************
2.3 Configuring poptop
************************
********************************
2.3.1 Setting up IP-addressing
********************************
Now that we've got all the packages installed in the correct location we can start configuring poptop.
First we are going to define an IP address for the pptp server and the IP addresses to assign to our clients. We can choose either to give the server a separate IP address for every incoming connection, or to use a single IP address for all connections. In this example we will use a single IP address on the server end.
In /etc/pptpd.conf add the following lines:
localip 10.0.0.1
remoteip 10.0.0.2-20
This assigns the IP address 10.0.0.1 to the pptp server. Note that this address is not assigned to any physical interface on the server; it is used purely for the virtual (ppp) interfaces. You should, of course, use an IP range appropriate for your subnet.
The second line defines the range of IP addresses to be assigned to clients.
***********************************
2.3.2 Configuring the pptp daemon
***********************************
With the IP-addressing sorted, we can move along to the configuration of our server. We are going to configure pptpd using the file /etc/ppp/options.pptpd. We have to make sure pptpd reads this file by adding the following line to /etc/pptpd.conf:
option /etc/ppp/options.pptpd
Next, add the following lines to /etc/ppp/options.pptpd:
name pptpd
ipparam PoPToP
lock
mtu 1490
mru 1490
ms-wins YOUR_WINS_SERVER_IP          # only if applicable; handed to Windows clients
ms-dns YOUR_PRIMARY_DNS_SERVER_IP    # handed to Windows clients
ms-dns YOUR_SECONDARY_DNS_SERVER_IP  # handed to Windows clients
multilink
proxyarp
auth
require-mschap
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
require-mppe-128
nopcomp
noaccomp
Remember to inspect the ms-wins and ms-dns options and fill in the appropriate IP addresses if necessary. ms-wins is only required if Windows clients are going to access Windows servers on the other end of the tunnel.
Note that this configuration allows only 128-bit encryption; some versions of Windows need a 128-bit encryption pack installed for this to work. This pack is available from Microsoft.com. It is also possible to set the cipher strength to 40 bits:
require-mppe-40
This will allow any Windows client to connect, but it is, of course, inherently less secure.
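An added example (not part of the original how-to) that checks a server options file against the settings above: it parses pppd's option syntax, flags require-mppe-40 or a missing auth/require-mschap-v2/require-mppe-128, and catches ms-dns/ms-wins values that were left as template placeholders. Both sample files below are constructed for the example.

```python
import re

# Options the how-to relies on: peer authentication, MS-CHAPv2 and 128-bit MPPE.
REQUIRED = ("auth", "require-mschap-v2", "require-mppe-128")
# Options that weaken the server relative to the configuration above.
WEAK = {
    "require-mppe-40": "permits 40-bit MPPE; the how-to recommends 128-bit",
    "noauth": "disables authentication of connecting clients",
}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # simplistic dotted-quad check


def parse_pppd_options(text):
    """Map option name -> list of values from pppd options-file text.
    Blank lines and '#' comments are skipped; an option may repeat (ms-dns)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def audit_pptpd_options(text):
    """Return a list of findings; an empty list means the file matches the how-to."""
    opts = parse_pppd_options(text)
    findings = [f"missing '{name}'" for name in REQUIRED if name not in opts]
    findings += [f"'{name}' present: {why}" for name, why in WEAK.items() if name in opts]
    for name in ("ms-dns", "ms-wins"):
        for value in opts.get(name, []):
            if not IPV4.fullmatch(value):
                findings.append(f"'{name} {value}' is not an IP address (placeholder left in?)")
    return findings


# Constructed sample: the how-to's server options with a real DNS address filled in.
SAMPLE_OK = """\
name pptpd
lock
ms-dns 10.0.0.53      # handed to Windows clients
auth
require-mschap
require-mschap-v2
deflate 0
require-mppe-128
nopcomp
noaccomp
"""

# Constructed sample: 40-bit MPPE allowed and a DNS placeholder never replaced.
SAMPLE_WEAK = SAMPLE_OK.replace("require-mppe-128", "require-mppe-40") + \
    "ms-dns $YOUR SECONDARY DNS SERVER\n"

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, audit_pptpd_options(text) or "no findings")
```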
********************
2.3.3 Adding users
********************
Next we are going to set up user accounts. There are several ways to authenticate users on the pptp server, including RADIUS and Samba. In this how-to we'll stick to ppp's chap-secrets file.
Users are added to the file /etc/ppp/chap-secrets in the following manner:
username pptp-server-name password ip-address
So a valid user entry would look like this:
joesixpack pptpd somepassword *
This allows user "joesixpack" to authenticate with server "pptpd" using the password "somepassword". Once joesixpack has logged in and the connection has been established, his machine is assigned the first available IP address from the range defined in the previous step. It is also possible to assign each user his or her own IP address by putting it in the last field instead of "*".
Note that passwords containing special characters have to be quoted.
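Added example (not from the how-to): a parser for chap-secrets entries in the format shown above that handles the quoting rule for secrets with special characters, an audit for entries that can never match the server name or carry very short secrets, and a check that the file is not readable by group or others, since it stores passwords in clear text. The entries are constructed sample data.

```python
import os
import shlex
import stat
import tempfile


def parse_chap_secrets(text):
    """Parse chap-secrets text into (client, server, secret, ip) tuples.
    Fields are whitespace-separated and '#' starts a comment, so a secret with
    spaces or special characters has to be double-quoted (shlex handles that).
    pppd treats a missing fourth field as 'any address', recorded here as '*'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need client, server and secret")
        client, server, secret = fields[:3]
        entries.append((client, server, secret, fields[3] if len(fields) > 3 else "*"))
    return entries


def audit_chap_secrets(text, server_name="pptpd"):
    """Findings for the server-side file: entries whose server field can never
    match the 'name pptpd' in options.pptpd, very short secrets, duplicates."""
    findings, seen = [], set()
    for client, server, secret, _ip in parse_chap_secrets(text):
        if server != server_name:
            findings.append(f"{client}: server '{server}' never matches '{server_name}'")
        if len(secret) < 8:
            findings.append(f"{client}: secret is {len(secret)} characters long")
        if (client, server) in seen:
            findings.append(f"{client}: duplicate entry for server '{server}'")
        seen.add((client, server))
    return findings


def mode_is_private(path):
    """True when group and others have no access bits at all (e.g. mode 0600)."""
    return not (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample data, not a real chap-secrets file.
SAMPLE_SECRETS = """\
# client     server   secret           IP address
joesixpack   pptpd    somepassword     *
janedoe      pptpd    "p@ss word!#1"   10.0.0.7
bob          pptp     short
"""


def demo_file_mode():
    """Write the sample to a temp file and show the effect of chmod 644 vs 600."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SAMPLE_SECRETS.encode())
        os.close(fd)
        os.chmod(path, 0o644)
        before = mode_is_private(path)
        os.chmod(path, 0o600)
        return before, mode_is_private(path)  # (False, True)
    finally:
        os.unlink(path)
```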
We can now start the pptp daemon:
/usr/sbin/pptpd
You can now test your connection using a Windows machine. If you don't have a Windows machine for testing (hey, that's understandable ;-)), read on through the next section to set up a pptp linux client.
*********************************************
3 Installing and configuring the client end
*********************************************
The client end has the same requirements as the server end. It requires the MPPE/MPPC patch to be applied to the kernel and also requires the ppp package to be installed. For instructions on applying the kernel patch, see section 2.1.
**************************************
3.1 Installing the Linux pptp client
**************************************
If all went well you should have an MPPE/MPPC enabled kernel. We can proceed with the installation of the pptp client.
First, grab the sources from http://pptpclient.sourceforge.net/#download
and unpack them:
tar zxvf pptp-linux-$VERSION.tar.gz
Compile the software and install the binaries:
cd pptp-linux-$VERSION
make
su
make install
***************************************
3.2 Configuring the Linux pptp client
***************************************
Create a file called /etc/ppp/options.pptp and put the following line in it:
lock noauth nodeflate nobsdcomp
Add the following line to /etc/ppp/chap-secrets:
username pptpd password *
Substitute username and password for the credentials you want to use to connect to the pptp server.
Now create a file called /etc/ppp/peers/YOURTUNNELNAME, replacing YOURTUNNELNAME with
whatever name you want to use to identify your tunnel. Place the following lines in this file:
pty "pptp YOURPPTPSERVER --nolaunchpppd"
name YOURUSERNAME
mtu 1490
mru 1490
remotename pptpd
require-mschap
require-mschap-v2
require-mppe-128
file /etc/ppp/options.pptp
ipparam YOURTUNNELNAME
persist
Where YOURPPTPSERVER is the address of the pptp server you want to connect to, YOURUSERNAME speaks for itself and YOURTUNNELNAME should be the same name as the file you just created in /etc/ppp/peers.
There is one last detail to be handled, which is routing.
To make sure our traffic gets routed to the other end of the tunnel, create a file called ip-up in /etc/ppp and put the following lines in it:
#!/bin/sh
# pppd runs this script when the link comes up and passes the interface name (e.g. ppp0) as $1
/sbin/route add -net REMOTE-NET-IP netmask REMOTE-NET-MASK dev "$1"
Replace REMOTE-NET-IP and REMOTE-NET-MASK with the address and mask of the subnet on the other end of the tunnel; "$1" binds the route to the ppp interface that was just brought up. If there is no network on the other side, but just the pptp server, you can use -host instead of -net. When you're done, save the file and make it executable:
chmod +x /etc/ppp/ip-up
Now that all is set up we can start the tunnel:
pppd call YOURTUNNELNAME
If all has gone well you should see something along the lines of:
Mar 16 19:25:53 feike pppd[7319]: local IP address 10.0.0.5
Mar 16 19:25:53 feike pppd[7319]: remote IP address 10.0.0.1
in /var/log/messages and you should be able to ping across the tunnel.