Linux PPTP server

This week I will be mainly fooling with VPNs. First off is a PPTP server so the Windows 2K and XP laptops can connect. I've found this little daemon, which seems to work perfectly well for XP and 2K machines and for my Mac OS X (10.1.3) PowerBook and iMac.

The only fiddly bit of installing poptop is that you need a patched-up version of pppd so that it supports all of the Microsoft extensions and can force the link to be encrypted.

The first step in creating my PPTP server was to install a recent patched-up version of pppd, which I found here. Installing this is as easy as installing any other RPM and required no post-installation fiddling.

Next up was to install MPPE (Microsoft Point-to-Point Encryption) support. This comes as a set of kernel modules from the pptpclient project; their documentation and download page is here. I used this RPM because our Red Hat 9 machine had been patched up to the 2.4.20-20.9 kernel and is an SMP box.

The final bit of software needed to make all this work was the actual poptop binaries. I could not find an RPM for these, so I had to install them from source. Rather than using their current beta (1.1.4-b4), I preferred to use the current stable release (1.1.3), which can be downloaded from here.

When I install an application from source I always install it in accordance with the OFA (Optimal Flexible Architecture) standard, more details of which can be found on Danny's site. Rather than just unpacking the source and running ./configure && make && make install as root, I use a couple of simple scripts, so that the compile is repeatable and at a later date I can tell exactly what options were used. Below is my Build script:

gunzip -c pptpd-1.1.3-20030409.tar.gz | tar xvf -
cd poptop
./configure --prefix=/usr/local/app/poptop-1.1.3
make

and the Install script:

cd poptop
make install

Once poptop was installed I needed to write a couple of simple config files. The options, and how all this fits together, are documented very well on the poptop home page in their Documentation section, so I will not explain all the options here, but I will include my config files for reference:

/etc/pptpd.conf

speed 115200
option /etc/ppp/pptp-options
debug
localip 10.1.1.100-199
remoteip 10.1.2.100-199
listen 213.52.209.13
pidfile /var/run/pptpd.pid

/etc/ppp/pptp-options

debug
name pptp
domain install.mydomain
auth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
ms-dns 172.16.2.11

/etc/ppp/chap-secrets

myusername   pptp    mypassword   10.1.2.100
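As an added example that is not part of the original post, here is a small shell audit of the two files above: it checks that the options file still refuses PAP, CHAP and MS-CHAP and requires MS-CHAPv2 with MPPE, and that chap-secrets (which holds the password in clear text) is not readable by group or others. The file paths and the temporary sample files it writes are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the hardening that the
# post's /etc/ppp/pptp-options relies on, plus the mode of chap-secrets.
# Assumes one pppd option per line, as in the post; file paths are arguments.

# The exact options the post uses to force MS-CHAPv2 authentication and MPPE.
REQUIRED_OPTS="auth refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe"

# check_pptp_options FILE: print each required option that is absent (a line
# that is only a comment does not count). Returns 0 if none are missing.
check_pptp_options() {
    file=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^[[:space:]]*${opt}([[:space:]]|$)" "$file"; then
            echo "$file: missing option '$opt'"
            missing=1
        fi
    done
    return $missing
}

# check_secrets_mode FILE: chap-secrets holds plaintext passwords, so group
# and others must have no access at all. Returns 0 if so, 1 otherwise.
check_secrets_mode() {
    file=$1
    bits=$(ls -l "$file" | cut -c5-10)   # group and other permission bits
    if [ "$bits" != "------" ]; then
        echo "$file: group/other bits are '$bits', expected '------'"
        return 1
    fi
    return 0
}

# Constructed sample files (the post's options and secrets) in a temp dir.
demo_dir=$(mktemp -d)
printf 'debug\nname pptp\ndomain install.mydomain\nauth\nrefuse-pap\nrefuse-chap\n' > "$demo_dir/pptp-options"
printf 'refuse-mschap\nrequire-mschap-v2\nrequire-mppe\nms-dns 172.16.2.11\n' >> "$demo_dir/pptp-options"
printf 'myusername   pptp    mypassword   10.1.2.100\n' > "$demo_dir/chap-secrets"
chmod 600 "$demo_dir/chap-secrets"
check_pptp_options "$demo_dir/pptp-options" && echo "pptp-options: ok"
check_secrets_mode "$demo_dir/chap-secrets" && echo "chap-secrets: ok"
```

Run it against the real files after any change to /etc/ppp; a missing refuse-* line silently lets a client negotiate a weaker authentication method.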

The final bit of the puzzle was to sort out a nice Red Hat-style start/stop script. I couldn't find an existing one, so I've written one, which you can grab here.

After the daemon has been started it's a simple matter of configuring your 2K/XP clients to connect. A nice tutorial on how to configure 2K can be found here.

One last note: if you are connecting to a machine which runs iptables or a similar firewall, you will need to allow PPTP into the machine. We run an iptables firewall on our PPTP server, and the following rules will allow it through:

# PPTP control connection (TCP port 1723)
iptables -A INPUT -p tcp --destination-port 1723 -j ACCEPT
# GRE (IP protocol 47) carries the tunnelled PPP frames
iptables -A INPUT -p 47 -j ACCEPT

That is all I needed to do to get my clients connecting. It should be noted that the clients were all behind ADSL routers (D-Link DSL-504, with forward PPTP turned on). More work needs to be done if your clients are behind a Linux NAT box.