Because PPTP isn't a native Linux protocol, installing and using it on a Linux system may require jumping through some unusual hoops. The PoPToP server itself isn't very unusual, but it must communicate with pppd , the Linux PPP daemon. To provide security, the entire system must also use encryption features that aren't a standard part of pppd , so you must replace the standard pppd with an expanded one. Clients for both Linux and Windows are available, but of course they're configured and used differently.
Obtaining and Installing PoPToP
PoPToP ships with some Linux distributions, such as Debian and Mandrake, usually under the package name pptpd or pptpd-server . If your distribution ships with a PoPToP package, try using it first, because it will probably be easier to install and configure than a generic PoPToP package. If your distribution doesn't ship with a PoPToP package, you can obtain it from the main PoPToP Web site (http://poptop.lineo.com). This site hosts the software in the form of a source tarball, source RPMs, and binary RPMs for x 86 systems.
Although you can install and run the PoPToP package on a standard Linux system, the default Linux and PoPToP combination provides a VPN with little in the way of security features. This is because PPTP relies on special PPP encryption features that aren't part of the standard Linux pppd . In particular, PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol. In order to enable encryption, you must obtain and install MPPE encryption patches for the standard Linux pppd and for your Linux kernel. Unfortunately, this process is tedious and tricky. It's described in the upcoming section, "Enabling Encryption Features."
PoPToP Server Configuration
Once you've downloaded and installed the PoPToP package, you can activate it as follows :
At this point, PoPToP should be running, and you should be able to connect to the system using a PPTP client, as described in the upcoming section "PPTP Client Configuration." Without enabling encryption features, though, you may need to disable encryption on your client in order to make a connection. The next section describes enabling PoPToP encryption.
Additional PPTP-specific options are controlled through the pptpd.conf file, which normally resides in /etc or /etc/ppp . Some options you might want to set in this file include the following:
Enabling Encryption Features
PoPToP relies on pppd , which in turn relies upon the kernel. In PoPToP's implementation, encryption features require support from pppd , and pppd requires that the Linux kernel include appropriate encryption features. For this reason, using encryption with PoPToP requires patching or replacing both pppd and your kernel.
You may need to obtain patches and packages from several different locations in order to activate PPTP encryption support with PoPToP. Precisely how you go about this depends on the specific packages you install.
The easiest approach is to use a prepatched version of pppd and a prepatched Linux kernel. You can obtain both of these from http://mirror.binarix.com/ppp-mppe/. In particular, you must download two files:
The http://mirror.binarix.com/ppp-mppe/ site favors binary packages built for the Mandrake distribution, so your best chance of using these packages is if you use Mandrake. It's possible that some of these packages, and particularly the ppp package, can be made to work with other distributions, particularly other RPM-based distributions.
Another source of prepatched utilities is the PPTP-Linux site, http://pptpclient. sourceforge .net. This site hosts PPTP client software, as described shortly, and the ppp-mppe packages are pppd programs prepatched with MPPE support. These packages also include kernel modules with MPPE support. Consult the Web site to determine what kernel versions are supported when you download the file; the 2.4.0-4 packages available when I wrote this supported the 2.2.19 kernel on updated Red Hat 6.2 and 7.0 systems. Because 2.4. x kernels are now more common, this approach may not be desirable unless the files have been updated by the time you read this.
If you can't or don't want to use prebuilt binaries, you must patch both PPP and your kernel. You'll need to obtain and use at least five things:
Unfortunately, many of these patches and utilities are very version-specific. It's best to begin with the patch files and locate the exact kernel and pppd packages they support to avoid problems caused by version changes. To patch and use these tools, you'll need to uncompress the kernel and pppd source code packages, uncompress the patch files (with gunzip filename.patch.gz ), patch the source code (with cd source-dir ; patch -p1 < patchfile.patch ), configure the packages (with make menuconfig or make xconfig for the Linux kernel and ./configure for pppd ), compile the packages (with make bzImage and make modules for the Linux kernel and make for pppd ), and install the packages (with make modules_install and LILO configuration for Linux and make install for pppd ).
Whether you install your new encryption support from prebuilt binaries, by patching and compiling your tools yourself, or by a mixture, you'll need to reboot your computer to use the new kernel before your encryption support will be available.
PPTP Client Configuration
If your PPTP clients are Windows systems, using them with a PoPToP VPN is fairly straightforward because Windows includes PPTP support. Linux clients require an extra software package. In either case, once the VPN connection is made, it's as if the VPN client is part of the local network, at least from a logical point of view. (As noted earlier, speed is likely to be well below true local network speed.)
Using Linux PoPToP Clients
PoPToP is a Linux PPTP server. To link a Linux system (or a Linux router) to a PoPToP or other PPTP server, you need another package: PPTP-Linux (http://cag.lcs.mit.edu/~cananian/Projects/PPTP/ or http://pptpclient.sourceforge.net). The second site includes PPTP-Linux source code in tarball and RPM formats, as well as binary RPMs for x 86 and Alpha CPUs. You should download and, if necessary, compile one of these packages, then install it.
Like PoPToP, PPTP-Linux relies upon pppd and the Linux kernel for MPPE encryption. Therefore, you must install appropriate kernel and pppd changes before you can use an encrypted connection. The preceding section, "Enabling Encryption Features," describes how to do this. The PPTP-Linux site includes appropriate tools. Specifically, the ppp-mppe package is an MPPE-patched pppd program and kernel modules (for the 2.2.19 kernel, as of ppp-mppe version 2.4.0-4).
The PPTP-Linux package includes a setup script called pptp-command . To use this tool, follow these steps:
At this point, PPTP-Linux is configured to use your PPTP server. You can bring up the PPTP VPN link by using the same pptp-command program you used to set up the link. Instead of choosing option 3 at the first prompt, though, pick option 1 ( start ). The program asks for a tunnel number. Enter it (probably 1 ) and pptp-command brings up the PPTP VPN link.
You can test your VPN link by using route to view your routing table, and by attempting to contact servers on the VPN system. If you can't reach your VPN servers, try pinging the VPN router. You might also try using traceroute to see if your packets are going over the VPN link. If traceroute shows packets traversing your normal (non-VPN) Internet connection, then something is wrong with your routing table. There should be a path to the VPN systems via the VPN's PPP link. If there isn't, Linux will try to route the packets to that network via its normal Internet connection.
Using Windows PPTP Clients
Frequently, PPTP clients are Windows computers belonging to frequent travelers, telecommuters, or others who need to work away from an office. Windows 9 x /Me and Windows NT/2000/XP include PPTP clients, although they're usually not installed by default. The PPTP software works only after you have a working Internet connection, be it via a broadband ISP, a dial-up PPP ISP, or some other mechanism. The procedure for running a Windows Me PPTP client is as follows:
A new icon now appears in the Dial-Up Networking window. When you double-click this icon, Windows displays the Connect To dialog box shown in Figure 26.4. You should enter the username and password you use on the VPN server, and you may adjust the VPN server's name or IP address, if desired. When you click Connect, Windows initiates the connection, which may take a few seconds. Thereafter, your system has an additional IP address, corresponding to one on the VPN server's network. You can access systems on that network as if they were local, including performing actions such as browsing the network in My Network Places (Network Neighborhood in earlier versions of Windows) and using any resources that are available only to local computers. Remember, though, that the physical networking is not local, so you don't get the same sort of speed that you would get if your system were directly connected to the same networking medium as the VPN systems.
Figure 26.4. You can control a VPN link from the Connect To dialog box.
You can change some features of the VPN from the Connect To dialog box before initiating a connection. As shown in Figure 26.4, you can elect to have Windows remember (save) your password. If you do this, you can have Windows initiate the connection whenever it starts up by selecting Connect Automatically. Further options are available by clicking Properties. This brings up a dialog box named after your VPN connection, as shown in Figure 26.5. The most interesting options are on the Networking and Security tabs. From the Networking tab, you can control whether the system uses software compression or keeps a log of the session. You can also control what network protocols are passed through the VPN. If you click TCP/IP Settings, you can tell the system to obtain its IP address from the PPTP server or request a particular address itself, and do the same for DNS server addresses. The Security tab lets you set the username, password, and NetBIOS domain names. It also lets you enable or disable password and data encryption (both are enabled by default, and disabling them removes much of the benefit of a VPN).
Figure 26.5. You can control many details of a PPTP VPN from the client's configuration tools.