I recently wanted to be able to use my laptop from on the road to access files on our server back home. At home, I use a Netscreen 5XT, which supports hardware VPN, and a mixture of Windows and Linux (Suse) boxes. What I wanted to be able to do is use the standard Microsoft Windows VPN client that's part of XP to connect to my system at home. What I needed was PPTP (Point-to-Point Tunneling Protocol).
I decided to use Poptop, which is the open-source PPTP server that Suse supplies. I downloaded the latest version (currently 1.3.4), which was only available as source. The build was very easy. In this post I'll talk about how to set up PPTP on your host. I assume the host has ppp (point-to-point protocol) networking installed already. PPTP then provides the VPN protocol support used by the Microsoft client(s).
Here is a link to some background information on PPTP from Microsoft.
To build Poptop, download the source and unpack it on your Linux box. You will need the gcc compiler and the associated runtime libraries and header files. These should be on your system; if not, you'll have to install them from your Linux distro. Once you've unpacked the files, follow the instructions in the README file.
Basically, the routine is simply:
- run ./configure
- run make
- su as root on your system
- run make install
Assuming you were able to build ok, this will install three binaries that are the core of the poptop package.
- /usr/local/sbin/pptpd (may also be installed in /usr/sbin)
- /usr/local/sbin/pptpctrl
- /usr/local/sbin/bcrelay
What I did was to install these in /usr/sbin and then create symbolic links to them from /usr/local/sbin. Now you have the binaries installed and you'll need to configure things to make it work.
pptpd configuration
The configuration for the pptpd daemon is stored in /etc/pptpd.conf. This file only has a few parameters, but the defaults almost certainly will not work, so you'll need to do some work here. Below is a copy of the file with my changes highlighted.
###############################################################################
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: delegate
# Delegates the allocation of client IP addresses to pppd.
#
# Without this option, which is the default, pptpd manages the list of
# IP addresses for clients and passes the next free address to pppd.
# With this option, pptpd does not pass an address, and so pppd may use
# radius or chap-secrets to allocate an address.
#
#delegate
# TAG: connections
# Limits the number of client connections that may be accepted.
#
# If pptpd is allocating IP addresses (e.g. delegate is not
# used) then the number of connections is also limited by the
# remoteip option. The default is 100. Matches remote ip's allocated below
connections 10
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# These options are ignored if delegate option is set.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than the value of connections,
# it will start at the beginning of the list and go until it
# gets connections IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
# (Recommended)
localip 192.168.1.50
remoteip 192.168.1.51-60
The localip is an address on your local subnet that pptpd will use as its own IP address. The remoteip specifies the range of addresses allocated to clients as they connect. Note that there are 10 available, and this matches the connections parameter above. I chose to simply use addresses that were part of my subnet (192.168.1.x); this way I can avoid having to do any NAT or fancy routing on the Linux box to make the remote clients work. To do this I just needed to set proxyarp in the options file, which is next.
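As an added check (not from the original post): a small shell script that expands a remoteip value the way the file's comments describe and confirms the pool covers the connections limit. It assumes a POSIX shell with awk and accepts both the last-octet and the full-address range forms.

```shell
#!/bin/sh
# Added example, not part of the original post: expand a pptpd.conf remoteip
# value the way the file's comments describe (single addresses, last-octet
# ranges such as 192.168.1.51-60, comma-separated, no spaces) and check that
# it covers "connections", since the pool size also limits the connections.

# Print how many client addresses a remoteip value expands to.
# Returns 1 on a malformed item (reversed range, octet > 255, missing dots).
remoteip_count() {
    total=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            *.*.*.*-*)
                # range a.b.c.X-Y or a.b.c.X-a.b.c.Y: compare the last octets
                lo=${item%%-*}; lo=${lo##*.}
                hi=${item#*-};  hi=${hi##*.}
                for n in "$lo" "$hi"; do
                    case "$n" in ''|*[!0-9]*) return 1 ;; esac
                done
                [ "$hi" -ge "$lo" ] && [ "$hi" -le 255 ] || return 1
                total=$((total + hi - lo + 1)) ;;
            *.*.*.*)
                total=$((total + 1)) ;;
            *)
                return 1 ;;
        esac
    done
    echo "$total"
}

# Read connections (default 100, as the sample file says) and remoteip from a
# pptpd.conf and report whether the pool is large enough.
check_pptpd_conf() {
    conf=${1:-/etc/pptpd.conf}
    conns=$(awk '$1=="connections"{v=$2} END{print (v=="" ? 100 : v)}' "$conf")
    rip=$(awk '$1=="remoteip"{v=$2} END{print v}' "$conf")
    [ -n "$rip" ] || { echo "$conf: no remoteip line" >&2; return 1; }
    n=$(remoteip_count "$rip") || { echo "$conf: malformed remoteip '$rip'" >&2; return 1; }
    echo "$conf: connections=$conns, remoteip addresses=$n"
    [ "$n" -ge "$conns" ] ||
        { echo "$conf: only $n addresses for $conns connections" >&2; return 1; }
}
```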
The pptpd.conf file refers to the ppp options file. In this case, it is stored in /etc/ppp/options.pptpd. This file will need to be configured next.
configuration of options.pptpd
The options.pptpd file is shown below with the changes I made highlighted.
###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# noauth if you're insane and want anybody to connect without authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use.)
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# local dns on the remote domain -or- just set to some dns
ms-dns 192.168.1.1
# secondary resolver (placeholder: substitute your ISP's or a public DNS server address)
#ms-dns <secondary-dns-address>
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
# put plugins here
# (putting them higher up may cause them to send messages to the pty)
The only change I made here was to set the ms-dns values. These get passed to clients that connect so they can resolve addresses on the remote domain. You can set the WINS server here if you have one. Next we need to set up the users and provide them with a username/password pair for using the system. This gets set in the chap-secrets file.
configure chap-secrets
The /etc/ppp/chap-secrets file is where you define your users and their passwords. For security, this file should not be readable by anyone other than root.
tbalon@kenosis:~> ll /etc/ppp/chap-secrets
-rw------- 1 root root 742 2007-06-20 10:24 /etc/ppp/chap-secrets
The file itself is very simple. You select a username, then the server name (the name value set in the options.pptpd file), then list the password in plain text and the IP address. Again, my entries are highlighted.
# Secrets for authentication using CHAP
# client server secret IP addresses
# OUTBOUND CONNECTIONS
# Here you should add your PPP Login and PPP password to connect to your
# provider via pap. This means that the entry (login and password) may be
# used for ANY host you connect to.
# Thus you do not have to worry about the foreign machine name. Just
# replace password with your password.
#hostname password
# PREDEFINED CONNECTIONS
# These are user and password entries for publicly accessible call-by-call
# Internet providers in Germany. If they conflict with your config, remove them.
# READ_IN_CALLBYCALL_SECRETS
# INBOUND CONNECTIONS
#client hostname <password> 192.168.1.1
user1 pptpd "mypassWord"
user2 pptpd "theirpassword"
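An added pre-flight script (not from the original post or from Poptop) that checks the authentication side of this setup: the mode of chap-secrets, that every entry's server field matches the name set in options.pptpd, and that the options file refuses the weak methods and requires MS-CHAPv2 with 128-bit MPPE. It assumes Linux with GNU stat and awk; the default paths are the ones used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# authentication pieces of a Poptop setup. Assumes Linux with GNU stat and awk;
# file paths default to the ones used in the post.

# chap-secrets holds plaintext passwords: require mode 0600 (owner should be root).
secrets_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ]
}

# Each inbound entry's server field must equal the "name" value in
# options.pptpd, otherwise pppd never finds the secret and MS-CHAPv2 fails.
secrets_server_ok() {
    srv=$(awk '$1=="name"{print $2; exit}' "$2")
    [ -n "$srv" ] || return 1
    awk -v srv="$srv" '
        /^[[:space:]]*#/ || NF < 3 { next }   # comments and blank lines
        $2 != srv { bad++ }
        END { exit (bad ? 1 : 0) }' "$1"
}

# options.pptpd must refuse PAP/CHAP/MS-CHAPv1, require MS-CHAPv2 with
# 128-bit MPPE, and must not contain noauth (which disables authentication).
options_auth_ok() {
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$1" ||
            { echo "$1: missing $opt" >&2; return 1; }
    done
    ! grep -Eq '^[[:space:]]*noauth([[:space:]]|$)' "$1" ||
        { echo "$1: noauth is set" >&2; return 1; }
}

# Run all checks; returns non-zero if any of them fails.
check_pptp_auth() {
    secrets=${1:-/etc/ppp/chap-secrets}; options=${2:-/etc/ppp/options.pptpd}
    rc=0
    secrets_mode_ok "$secrets" || { echo "$secrets: must be mode 0600" >&2; rc=1; }
    secrets_server_ok "$secrets" "$options" ||
        { echo "$secrets: a server field does not match name in $options" >&2; rc=1; }
    options_auth_ok "$options" || rc=1
    return $rc
}
```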
start the pptpd daemon
Fire up the daemon by becoming root (I used sudo) then starting it up.
% sudo /usr/sbin/pptpd
You can check the status to see if it started up fine by looking at the message log. The daemon will post messages to syslog. My syslog output is stored in /var/log.
% grep pptpd /var/log/messages
Jun 21 16:52:55 kenosis pptpd[3951]: MGR: Manager process started
Jun 21 16:52:55 kenosis pptpd[3951]: MGR: Maximum of 10 connections available
If the server didn't start up cleanly, go back and check the files again. You'll have to open ports on your firewall to allow PPTP connections from remote clients. If you're running NAT, this can be tricky since PPTP uses multiple ports and protocols. It's best to check your firewall documentation to see how to open up PPTP access to your server.
PPTP protocol basic firewall requirements
- TCP Port 1723 should be passed through to your server
- IP protocol ID 47 (0x2F) (not port 47) needs to be passed. This is not TCP or UDP; it is the IP protocol number of GRE (Generic Routing Encapsulation), which carries the tunneled data.
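Added example, not from the original post: iptables rules that implement these two requirements on a Linux PPTP server, plus the equivalent forwarding rules for a Linux NAT router in front of it (the post's Netscreen does that job in its own configuration). The WAN interface and server address are placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original post: Linux iptables rules for the
# PPTP control channel (TCP 1723) and data channel (IP protocol 47, GRE).
# Assumes iptables with the conntrack and hashlimit matches; WAN interface
# and server address are placeholders. IPT=echo prints instead of applying.

# Rules on the PPTP server itself.
pptp_server_rules() {
    wan=${1:-eth0}; IPT=${IPT:-iptables}
    # Control channel: TCP 1723. Throttle new connections per source address
    # so a remote password-guessing loop against MS-CHAPv2 is slowed down.
    $IPT -A INPUT -i "$wan" -p tcp --dport 1723 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name pptp --hashlimit-mode srcip \
        --hashlimit-above 10/min -j DROP
    $IPT -A INPUT -i "$wan" -p tcp --dport 1723 -j ACCEPT
    # Data channel: GRE is a protocol, not a port, so it is matched with
    # -p gre (the same as -p 47) and there is no --dport to give.
    $IPT -A INPUT -i "$wan" -p gre -j ACCEPT
}

# Rules on a Linux NAT router that forwards PPTP to an inside server.
# GRE carries no port numbers, so plain NAT cannot tell tunnels apart; load
# the kernel helpers first: modprobe nf_conntrack_pptp nf_nat_pptp
pptp_nat_rules() {
    wan=${1:-eth0}; server=${2:?inside PPTP server address required}
    IPT=${IPT:-iptables}
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport 1723 -j DNAT --to-destination "$server"
    $IPT -t nat -A PREROUTING -i "$wan" -p gre -j DNAT --to-destination "$server"
    $IPT -A FORWARD -i "$wan" -d "$server" -p tcp --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$wan" -d "$server" -p gre -j ACCEPT
}
```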
Once the firewall has these ports open, you should be able to connect with the Microsoft PPTP/VPN client.