LinuxQuestions.org
By djbanaan at 2005-03-16 17:06
This document describes how to set up a Point-to-Point Tunneling Protocol (PPTP)
VPN server (and client) using Slackware Linux [www.slackware.com] and PoPToP
[www.poptop.org]. PPTP - a Microsoft protocol - may not be the most advanced
protocol for setting up a VPN, but it is relatively easy to set up and isn't as
intrusive to your system as other VPN solutions such as OpenSwan. Another
plus is that it is supported by nearly every Windows version in its default
installation, making it a breeze for your clients to connect.

A word of warning before getting started:

MPPC, the compression protocol used for PPTP, is a patented technology.
Therefore, it may be illegal in your country to use this technology without
the consent of Hifn Inc (http://www.hifn.com/), the patent holder for MPPC.

With the legal chit-chat out of the way, let's get going!

***************************************************
Table of contents
***************************************************
1. Requirements
2. Installing and configuring the server end
2.1 Installing MPPC/MPPE support in the kernel
2.2 Installing poptop
2.3 Configuring poptop
2.3.1 Setting up IP-addressing
2.3.2 Configuring the pptp daemon
2.3.3 Adding users
3 Installing and configuring the client end
3.1 Installing the Linux pptp client
3.2 Configuring the Linux pptp client
***************************************************



*****************
1 Requirements
*****************

The installation of the PPTP server and client requires the following packages
on your system:

- Kernel sources
- ppp (from the "n" series of packages)

For the remainder of this document we are going to assume that your kernel sources
are installed in /usr/src and that the ppp package installed is the default Slackware
ppp package, which is already equipped with MPPE support.

Apart from these requirements this document also assumes some basic knowledge of
TCP/IP networking and familiarity with Linux kernel compilation.

*********************************************
2 Installing and configuring the server end
*********************************************

************************************************
2.1 Installing MPPC/MPPE support in the kernel
************************************************

The first step is making sure that our kernel has support for MPPC/MPPE.
The PoPToP project provides several methods for installing MPPC/MPPE support,
but these are for older kernels. Therefore we are going to do things by hand
using the MPPC/MPPE patch from http://www.polbox.com/h/hs001/

Download the appropriate MPPE/MPPC patch for your kernel version from
http://www.polbox.com/h/hs001/#AEN56 and place it in /usr/src.

- Note 1 : The patch assumes the path of your kernel sources
to be /usr/src/linux-$VERSION, but since /usr/src/linux is
usually a symlink to this directory this should not be much of a problem.

- Note 2 : If there is no patch for your kernel version, you can try
downloading the patch with a version number closest to yours and
making a symlink like this:

ln -s /usr/src/linux-$MYVERSION /usr/src/linux-$MPPE-MPPC-PATCH-VERSION

Apply the patch to your kernel sources:

cd /usr/src
zcat linux-$VERSION-mppe-mppc-1.3.patch.gz | patch -p0

Configure the kernel:

cd /usr/src/linux
make menuconfig

In the kernel configuration menu, go to Device drivers --> networking support and
make sure the configuration options for ppp look like this:

[...]
<M> PPP (point-to-point protocol) support
[ ] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
<M> PPP support for async serial ports
<M> PPP support for sync tty ports
<M> PPP Deflate compression
<M> PPP BSD-Compress compression
<M> Microsoft PPP compression/encryption (MPPC/MPPE)
[...]

Next go to Cryptographic options in the kernel configuration menu and enable
SHA1 and RC4 algorithms. Exit menuconfig and save your configuration.

Compile your new kernel and modules. For this I use "make modules modules_install bzImage"
and handle post compilation tasks by hand, but feel free to compile the new kernel in a way you feel comfortable with. Reboot your system and verify that your new kernel functions OK.

Add the following lines to /etc/modules.conf:

alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe_mppc
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

This concludes the kernel part of the installation.

***********************
2.2 Installing poptop
***********************

Grab the latest stable pptpd sources from http://sourceforge.net/project/showfiles.php?group_id=44827

Compile and install pptpd:

tar zxvf pptpd-$VERSION.tar.gz
cd pptpd-$VERSION
./configure
make
su
make install

Instead of "make install" you can use checkinstall (available from the "extra" series of packages) to generate a slackpack.

************************
2.3 Configuring poptop
************************

********************************
2.3.1 Setting up IP-addressing
********************************

Now that we've got all the packages installed in the correct location we can start configuring poptop.

First we are going to define an IP-address for the pptp server and IP-addresses to assign to our clients. We can choose either to assign a separate server IP-address to every incoming connection, or to use a single server IP-address for all connections. In this example we will use a single IP-address on the server end.

In /etc/pptpd.conf add the following lines:

localip 10.0.0.1
remoteip 10.0.0.2-20

This assigns the IP-address 10.0.0.1 to the pptp server. Note that this IP-address does not get assigned to any of the physical interfaces on the server; it is used purely for virtual interfaces. You should, of course, use an IP-range appropriate for your subnet.

The second line defines a range of ip-addresses to be assigned to clients.

***********************************
2.3.2 Configuring the pptp daemon
***********************************

With the IP-addressing sorted, we can move along to the configuration of our server. We are going to configure pptpd using the file /etc/ppp/options.pptpd. We have to make sure pptpd reads this file by adding the following line to /etc/pptpd.conf:

option /etc/ppp/options.pptpd

Next, add the following lines to /etc/ppp/options.pptpd:

name pptpd
ipparam PoPToP
lock
mtu 1490
mru 1490
ms-wins $YOUR WINS SERVER IP, IF APPLICABLE, GETS ASSIGNED TO WIN CLIENTS
ms-dns $YOUR PRIMARY DNS SERVER, GETS ASSIGNED TO WIN CLIENTS
ms-dns $YOUR SECONDARY DNS SERVER, GETS ASSIGNED TO WIN CLIENTS
multilink
proxyarp
auth
require-mschap
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
require-mppe-128
nopcomp
noaccomp

Remember to inspect the ms-wins and ms-dns options and assign the appropriate ip-addresses if necessary. ms-wins is only required if windows clients are going to access windows servers on the other end of the tunnel.

Note that this configuration allows only 128-bit encryption. Some versions of Windows need a 128-bit encryption pack installed for this to work. This pack is available from Microsoft.com. It is also possible to set the cipher strength to 40 bits:

require-mppe-40

This will allow any Windows client to connect, but it is, of course, inherently less secure.

********************
2.3.3 Adding users
********************

Next we are going to set up user accounts. There are several ways to authenticate users on the pptp server, including radius and Samba. In this how-to we'll stick to using ppp's chap-secrets file.

Users are added to the file /etc/ppp/chap-secrets in the following manner:

username pptp-server-name password ip-address

So a valid user entry would look like this:

joesixpack pptpd somepassword *

This allows user "joesixpack" to authenticate with server "pptpd" using the password "somepassword". Once joesixpack is logged in and the connection has been established, his machine will be assigned the first available IP-address as defined in the previous step. It is also possible to assign each user his or her own IP-address.

Note that passwords containing special characters have to be quoted.
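
A pre-flight check for the two files edited in sections 2.3.2 and 2.3.3, as an added example that is not part of the original how-to or of PoPToP. The function names and the sample files are constructed for illustration; the rule that chap-secrets should be closed to group and others is an assumption based on the file holding cleartext passwords.

```shell
#!/bin/sh
# Added example: audit options.pptpd and chap-secrets before starting pptpd.
# Prints one finding per line and nothing when the files match the guide.

# has_opt FILE OPTION: true if OPTION is the first word of a non-comment line
has_opt() {
    awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }' "$1"
}

audit_options() {
    for opt in auth require-mschap-v2 require-mppe-128; do
        has_opt "$1" "$opt" || echo "options: missing $opt"
    done
    # noauth disables peer authentication; require-mppe-40 selects the 40-bit cipher
    for opt in noauth require-mppe-40; do
        if has_opt "$1" "$opt"; then echo "options: weak setting $opt"; fi
    done
}

audit_secrets() {
    # Assumption: the file stores cleartext passwords, so group/other get no access
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "secrets: group/other permissions are $perms"
    # Entry format from the guide: username server password ip-address
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF < 4 { print "secrets: line " NR ": fewer than 4 fields"; next }
         NF > 4 && $3 !~ /^"/ { print "secrets: line " NR ": password needs quoting" }' "$1"
}

# Constructed sample files: a weakened options file and a sloppy chap-secrets
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'name pptpd' 'auth' 'require-mschap-v2' 'require-mppe-40' \
        > "$dir/options.pptpd"
    printf '%s\n' '# client server secret ip' 'joesixpack pptpd somepassword *' \
        'jane pptpd two words *' 'bob pptpd' > "$dir/chap-secrets"
    chmod 644 "$dir/chap-secrets"
    audit_options "$dir/options.pptpd"
    audit_secrets "$dir/chap-secrets"
    rm -rf "$dir"
}

demo
```

On the real server the calls would be audit_options /etc/ppp/options.pptpd and audit_secrets /etc/ppp/chap-secrets.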

We can now start the pptp daemon:

/usr/sbin/pptpd

You can now test your connection using a Windows machine. If you don't have a Windows machine for testing (hey, that's understandable ;-)), read on through the next section to set up a pptp linux client.

*********************************************
3 Installing and configuring the client end
*********************************************

The client end has the same requirements as the server end. It requires the MPPE/MPPC patch to be applied to the kernel and also requires the ppp package to be installed. For instructions on applying the kernel patch, see section 2.1.

**************************************
3.1 Installing the Linux pptp client
**************************************

If all went well you should have an MPPE/MPPC enabled kernel. We can proceed with the installation of the pptp client. First, grab the sources from [http://pptpclient.sourceforge.net/#download]

Unpack the sources:

tar zxvf pptp-linux-$VERSION.tar.gz

Compile the software and install the binaries:

cd pptp-linux-$VERSION
make
su
make install

***************************************
3.2 Configuring the Linux pptp client
***************************************

Create a file called /etc/ppp/options.pptp and put the following line in it:

lock noauth nodeflate nobsdcomp

Add the following line to /etc/ppp/chap-secrets:

username pptpd password *

Substitute username and password for the credentials you want to use to connect to the pptp server.

Now create a file called /etc/ppp/peers/YOURTUNNELNAME, replacing YOURTUNNELNAME with whatever
name you want to use to identify your tunnel. Place the following lines in this file:

pty "pptp YOURPPTPSERVER --nolaunchpppd"
name YOURUSERNAME
mtu 1490
mru 1490
remotename pptpd
require-mschap
require-mschap-v2
require-mppe-128
file /etc/ppp/options.pptp
ipparam YOURTUNNELNAME
persist

Where YOURPPTPSERVER is the address of the pptp server you want to connect to, YOURUSERNAME speaks for itself and YOURTUNNELNAME should be the same name as the file you just created in /etc/ppp/peers.

There is one last detail to be handled, which is routing.

To make sure our traffic gets routed to the other end of the tunnel, create a file called ip-up in /etc/ppp and add the following lines to this file:

#!/bin/sh
# pppd passes the interface name (for example ppp0) as the first argument
/sbin/route add -net REMOTE-NET-IP netmask REMOTE-NET-MASK dev "$1"

Here you have to replace the IP-address and the mask with those of the subnet on the other end of the tunnel. If there is no network on the other side, but just the pptp server, you can use -host instead of -net. When you're done, save the file and make it executable:

chmod +x /etc/ppp/ip-up

Now that all is set up we can start the tunnel:

pppd call YOURTUNNELNAME

If all has gone well you should see something along the lines of:

Mar 16 19:25:53 feike pppd[7319]: local IP address 10.0.0.5
Mar 16 19:25:53 feike pppd[7319]: remote IP address 10.0.0.1

in /var/log/messages and you should be able to ping across the tunnel.
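
pppd runs /etc/ppp/ip-up for every PPP link on the machine, not only for this tunnel. The following added example (not from the original how-to) uses the arguments pppd passes to ip-up, the interface name as $1 and the ipparam value from the peers file as $6, so the route is added only for the named tunnel. The tunnel name officevpn, the subnet and the function names are constructed placeholders.

```shell
#!/bin/sh
# /etc/ppp/ip-up, added example. pppd runs it as:
#   ip-up IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# The tunnel name and subnet are constructed placeholders.

# route_for IPPARAM: print "NET MASK" for a known tunnel, fail for anything else
route_for() {
    case "$1" in
        officevpn) echo "192.168.10.0 255.255.255.0" ;;
        *) return 1 ;;
    esac
}

# route_cmd IFACE IPPARAM: print the route command for this link, or nothing
route_cmd() {
    # Only act on PPP interfaces
    case "$1" in
        ppp[0-9]*) ;;
        *) return 0 ;;
    esac
    # Links without a matching ipparam (for example a dial-up link) get no route
    spec=$(route_for "$2") || return 0
    echo "/sbin/route add -net ${spec% *} netmask ${spec#* } dev $1"
}

# Add the route only when pppd invokes this file as ip-up
case "$0" in
    */ip-up)
        cmd=$(route_cmd "$1" "$6")
        [ -z "$cmd" ] || $cmd
        ;;
esac
```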

by Monkey Magic on Mon, 2005-09-12 23:15
Does polbox have any mirrors? I've been trying to contact http://www.polbox.com/h/hs001/ for the last few weeks with no luck (it times out). Are other people still seeing polbox?

by Monkey Magic on Tue, 2005-09-13 17:39
OK, per chance, it worked today. The new link for the MPPC stuff is http://mppe-mppc.alphacron.de/

by eder_michael11 on Mon, 2006-06-05 13:54
Sorry, djbanaan,
I configured everything for the Slackware server...

but when I try to connect from a Windows client, this appears:
error 800 unable to connect to client..

Do you know if I have to specify something on Windows, in the properties?

by eder_michael11 on Mon, 2006-06-05 14:16
I turned off the firewall. The questions that I have are...

In menuconfig, in the kernel, I selected the options for PPP like this:

<M>PPP (point-to-point protocol) support
[ ] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
<M>PPP support for async serial ports
<M>PPP support for sync tty ports
<M>PPP Deflate compression
<M>PPP BSD-Compress compression
[*]Microsoft PPP compression/encryption (MPPC/MPPE)

Is this OK?

Another thing that I think could be the reason the Windows client does not connect to my Linux server is that

/etc/pptpd.conf didn't exist on my Slackware; I had to copy it from the directory /pptp-2../samples to /etc

Another thing: the file /etc/ppp/options.pptpd doesn't exist, only
/etc/ppp/option .. exists; I had to copy it to this location from the samples too

My Slackware version is 10.0.
Can you help me find what the error is? I can answer anything you ask me, please...

by lukki on Fri, 2006-07-07 08:07
A problem!
I did everything as written in Djbanaan's article and ... found two problems:
1. libwrap.so.0 is missing and I can't find it for Slackware (???). Problem occurs when pptpd is started "properly" (/usr/sbin/pptpd). However, when I start pptpd directly from command line, it doesn't ask for libwrap.so.0 and runs.
2. when pptpd is running I can't connect using windows xp sp2 client. Returned error code is 619. Firewall is, of course, off.

What is wrong?

(slackware 10.2)

Greets, Lukas

by mikese on Wed, 2009-05-20 13:01
I haven't run Slackware since around 1999; I've been on ubuntoo lately, or whatever it's called. But setting up a VPN on a shared hosting account isn't that fun. You should just get a dedicated server if you can afford it, maybe split the cost with some friends.

by socialmaker on Tue, 2009-07-07 04:24
Although I'm not a big fan of Slackware Linux, I know it's the toughest one of them all (along with Debian, if I'm not mistaken). People now are starting to use Linux more and more (which is a good thing), but the similarities between Linux and Windows (I'm referring to the graphical user interface) are just annoying. I know they must make it pretty and all but cmon...
Anyway I'll always love linux and my web hosting plans run under linux really well.

by arubin on Sun, 2009-11-08 07:22
I have just configured my PC to connect to my daughter's University using VPN.

The steps I needed were these

1. Install pptd package from slackbuilds

2. add to rc.modules
/sbin/modprobe ppp_mppe

3. mkdir /etc/ppp/peers

4. symlink bin/ip to sbin/ip

5. Create file

/etc/ppp/ip-up

Quote:
#!/bin/sh

/sbin/route add -host
and make it executable

6. pptpsetup --create imperial --server NETWORK_ADDRESS --username USERNAME --password PASSWORD

7. pppd call imperial dump debug logfd 2 nodetach require-mppe

this gets ppp0 running

8. /sbin/ip route add default dev ppp0

This adds ppp0 to the routing table

9. We can then connect to her folder using Konqueror

smb://icfs.cc.ic.ac.uk/username

10. login as ic.ac.uk\username

by trumpet_tom on Wed, 2010-02-24 05:57
I just used your guide arubin to connect to bristol university vpn. Thanks a lot!

Just a couple of things I noticed though:

The package you want from slackbuilds is "pptp" not "pptd"

When I ran
Code:
pppd call imperial dump debug logfd 2 nodetach require-mppe
the last line of output was
Code:
Can't execute /etc/ppp/ip-up: Invalid argument
I tried running
Code:
route add -host
as root in a separate console and it doesn't do anything. I tried connecting without the ip-up script present and it worked fine.

Either way I can access my files stored at uni now, thanks again!

by doyen on Mon, 2010-08-09 08:40
I'm trying to connect from my home to my vpn service ipredator.se using slackware 13.1.

I managed to set up the client correctly and it connects to the vpn.
This is the output from /var/logs/messages:

pppd[3307]: CHAP authentication succeeded
pppd[3307]: MPPE 128-bit stateless compression enabled
pppd[3307]: local IP address 93.182.149.27
pppd[3307]: remote IP address 93.182.149.2

This is output of ifconfig:


ppp0 Link encap:Point-to-Point Protocol
inet addr:93.182.149.27 P-t-P:93.182.149.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:62 (62.0 B) TX bytes:79893 (78.0 KiB)

My problem is setting up the routing for the connection to go from the vpn server to eth0

when I type:
route add -net 93.182.149.0 netmask 255.255.255.0 dev ppp0

that doesn't work. If anyone could help it would be much appreciated
Thanks


  



All times are GMT -5. The time now is 04:56 AM.
