PPTP

NOTE: I am no longer attempting to maintain MPPE patches for current Linux kernel's and pppd. I recommend that you refer to the following URLs for information about installing MPPE into your kernel and pppd.

The Linux PPTP client project has a nice GUI for configuring and managing VPN connections where your Linux system is the PPTP client. This is what I currently use. I am no longer running PoPToP but rather I use the PPTP Server included with XP Professional (see PPTP Server running behind your Firewall below).

    http://pptpclient.sourceforge.net (Everything you need to run a PPTP client).
    http://www.poptop.org (The 'kernelmod' package can be used to quickly install MPPE into your kernel without rebooting).

I am leaving the instructions for building MPPE-enabled kernels and pppd in the text below for those who may wish to obtain the relevant current patches and "roll their own".


Shorewall easily supports PPTP in a number of configurations:

1. PPTP Server Running on your Firewall

I will try to give you an idea of how to set up a PPTP server on your firewall system. This isn't a detailed HOWTO but rather an example of how I have set up a working PPTP server on my own firewall.

The steps involved are:

  1. Patching and building pppd
  2. Patching and building your Kernel
  3. Configuring Samba
  4. Configuring pppd
  5. Configuring pptpd
  6. Configuring Shorewall

Patching and Building pppd

To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

You will need the following patches:

You may also want the following patch if you want to require remote hosts to use encryption:

Un-tar the pppd source and uncompress the patches into one directory (the patches and the ppp-2.4.1 directory are all in a single parent directory):

You will need to install the resulting binary on your firewall system. To do that, I NFS mount my source filesystem and use "make install" from the ppp-2.4.1 directory.

Patching and Building your Kernel

You will need one of the following patches depending on your kernel version:

Uncompress the patch into the same directory where your top-level kernel source is located and:

Now configure your kernel. Here is my ppp configuration:

Configuring Samba

You will need a WINS server (Samba configured to run as a WINS server is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

[global]
workgroup = TDM-NSTOP
netbios name = WOOKIE
server string = GNU/Linux Box
encrypt passwords = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
domain master = True
preferred master = True
dns proxy = No
wins support = Yes
printing = lprng

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes

Configuring pppd

Here is a copy of my /etc/ppp/options.poptop file:

ipparam PoPToP
lock
mtu 1490
mru 1490
ms-wins 192.168.1.3
ms-dns 206.124.146.177
multilink
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless

Notes:

Here's my /etc/ppp/chap-secrets:

Secrets for authentication using CHAP
# client        server    secret    IP addresses
CPQTDM\\TEastep *         <shhhhhh> 192.168.1.7
TEastep         *         <shhhhhh> 192.168.1.7

I am the only user who connects to the server but I may connect either with or without a domain being specified. The system I connect from is my laptop so I give it the same IP address when tunneled in at it has when I use its wireless LAN card around the house.

You will also want the following in /etc/modules.conf:

     alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Configuring pptpd

PoPTop (pptpd) is available from http://poptop.lineo.com/.

Here is a copy of my /etc/pptpd.conf file:

option /etc/ppp/options.poptop
speed 115200
localip 192.168.1.254
remoteip 192.168.1.33-38

Notes:

I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

#!/bin/sh
#
# /etc/rc.d/init.d/pptpd
#
# chkconfig: 5 12 85
# description: control pptp server
#

case "$1" in
start)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe ppp_async
    modprobe ppp_generic
    modprobe ppp_mppe
    modprobe slhc
    if /usr/local/sbin/pptpd; then
        touch /var/lock/subsys/pptpd
    fi
    ;;
stop)
    killall pptpd
    rm -f /var/lock/subsys/pptpd
    ;;
restart)
    killall pptpd
    if /usr/local/sbin/pptpd; then
        touch /var/lock/subsys/pptpd
    fi
    ;;
status)
    ifconfig
    ;;
*)
    echo "Usage: $0 {start|stop|restart|status}"
    ;;
esac

Configuring Shorewall

Often there will be situations where you want multiple connections from remote networks with these networks having different firewalling requirements.


Here's how you configure this in Shorewall:

/etc/shorewall/zones:

ZONE DISPLAY COMMENTS
net Internet The Internet
loc Local Local Network
vpn1 Remote1
Remote Network 1
vpn2
Remote2
Remote Network 2
vpn3
Remote3
Remote Network 3

/etc/shorewall/interfaces:

ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918
loc eth2 192.168.10.255  
- ppp+  -  

/etc/shorewall/hosts:

ZONE HOST(S) OPTIONS
loc eth2:192.168.1.0/24
vpn1
ppp+:192.168.1.0/24  
vpn2
ppp+:192.168.2.0/24

vpn3
ppp+:192.168.3.0/24

Your policies and rules can now be configured using separate zones (vpn1, vpn2, and vpn3) for the three remote network.

2. PPTP Server Running Behind your Firewall

If you have a single external IP address, add the following to your /etc/shorewall/rules file:

ACTION SOURCE DEST PROTO DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
DNAT net loc:<server address> tcp 1723    
DNAT net loc:<server address> 47 -    

If you have multiple external IP address and you want to forward a single <external address>, add the following to your /etc/shorewall/rules file:

 
ACTION SOURCE DEST PROTO DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
DNAT net loc:<server address> tcp 1723 - <external address>
DNAT net loc:<server address> 47 - - <external address>

3. PPTP Clients Running Behind your Firewall

You shouldn't have to take any special action for this case unless you wish to connect multiple clients to the same external server. In that case, you will need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. I recommend that you also add these two lines to your /etc/shorewall/modules file:

loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp

4. PPTP Client Running on your Firewall.

The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    Rather than use the configuration script that comes with the client, I built my own. I also build my own kernel as described above rather than using the mppe package that is available with the client. My /etc/ppp/options file is mostly unchanged from what came with the client (see below).

The key elements of this setup are as follows:

  1. Define a zone for the remote network accessed via PPTP.
  2. Associate that zone with a ppp interface.
  3. Define rules for PPTP traffic to/from the firewall.
  4. Define rules for traffic two and from the remote zone.

Here are examples from my setup:

/etc/shorewall/zones

ZONE DISPLAY COMMENTS
cpq Compaq Compaq Intranet

/etc/shorewall/interfaces

ZONE INTERFACE BROADCAST OPTIONS
- ppp+    

/etc/shorewall/hosts

ZONE HOST(S) OPTIONS
- ppp+:!192.168.1.0/24  

/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)

ACTION SOURCE DEST PROTO DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
ACCEPT fw net tcp 1723    
ACCEPT fw net 47 -    

/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)

TYPE
ZONE
GATEWAY
GATEWAY ZONE
pptpclient
net
0.0.0.0/0


I use the combination of interface and hosts file to define the 'cpq' zone because I also run a PPTP server on my firewall (see above). Using this technique allows me to distinguish clients of my own PPTP server from arbitrary hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918 Class C subnet.

I use this script in /etc/init.d to control the client. The reason that I disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet and reject the initial TCP connection request if I enable ECN :-(

#!/bin/sh
#
# /etc/rc.d/init.d/pptp
#
# chkconfig: 5 60 85
# description: PPTP Link Control
#
NAME="Tandem"
ADDRESS=tunnel-tandem.compaq.com
USER='Tandem\tommy'
ECN=0
DEBUG=

start_pptp() {
    echo $ECN > /proc/sys/net/ipv4/tcp_ecn
    if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
        touch /var/lock/subsys/pptp
        echo "PPTP Connection to $NAME Started"
    fi
}

stop_pptp() {
    if killall /usr/sbin/pptp 2> /dev/null; then
        echo "Stopped pptp"
    else
        rm -f /var/run/pptp/*
    fi

    # if killall pppd; then
    # echo "Stopped pppd"
    # fi

    rm -f /var/lock/subsys/pptp

    echo 1 > /proc/sys/net/ipv4/tcp_ecn
}


case "$1" in
start)
    echo "Starting PPTP Connection to ${NAME}..."
    start_pptp
    ;;
stop)
    echo "Stopping $NAME PPTP Connection..."
    stop_pptp
    ;;
restart)
    echo "Restarting $NAME PPTP Connection..."
    stop_pptp
    start_pptp
    ;;
status)
    ifconfig
    ;;
*)
    echo "Usage: $0 {start|stop|restart|status}"
    ;;
esac

Here's my /etc/ppp/options file:

#
# Identify this connection
#
ipparam Compaq
#
# Lock the port
#
lock
#
# We don't need the tunnel server to authenticate itself
#
noauth

+chap
+chapms
+chapms-v2

multilink
mrru 1614
#
# Turn off transmission protocols we know won't be used
#
nobsdcomp
nodeflate

#
# We want MPPE
#
mppe-128
mppe-stateless

#
# We want a sane mtu/mru
#
mtu 1000
mru 1000

#
# Time this thing out of it goes poof
#
lcp-echo-failure 10
lcp-echo-interval 10

My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq traffic through the PPTP tunnel:

#/bin/sh

case $6 in
Compaq)
    route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
    route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
    route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
    ...
    ;;
esac

Finally, I run the following script every five minutes under crond to restart the tunnel if it fails:

     #!/bin/sh
restart_pptp() {
/sbin/service pptp stop
sleep 10
if /sbin/service pptp start; then
/usr/bin/logger "PPTP Restarted"
fi
}

if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
exit 0
fi

echo "Attempting to restart PPTP"

restart_pptp > /dev/null 2>&1 &

Here's a scriptand corresponding ip-up.local from Jerry Vonau that controls two PPTP connections.

5. PPTP Client running on your Firewall with PPTP Server in an ADSL Modem

Some ADSL systems in Europe (most notably in Austria) feature a PPTP server built into an ADSL "Modem". In this setup, an ethernet interface is dedicated to supporting the PPTP tunnel between the firewall and the "Modem" while the actual internet access is through PPTP (interface ppp0). If you have this type of setup, you need to modify the sample configuration that you downloaded as described in this section. These changes are in addition to those described in the QuickStart Guides.

Lets assume the following:
The changes you need to make are as follows:

1. Add this entry to /etc/shorewall/zones:

ZONE DISPLAY COMMENTS
modem
Modem ADSL Modem
That entry defines a new zone called 'modem' which will contain only your ADSL modem.

2. Add the following entry to /etc/shorewall/interfaces:
ZONE INTERFACE BROADCAST OPTIONS
modem
eth0
192.168.1.255
 dhcp
You will of course modify the 'net' entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface as described in the QuickStart Guide corresponding to your setup.

3. Add the following to /etc/shorewall/tunnels:

TYPE
ZONE
GATEWAY
GATEWAY ZONE
pptpclient modem
192.168.1.1


That entry allows a PPTP tunnel to be established between your Shorewall system and the PPTP server in the modem.

Last modified 10/11/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.