Configuring PPTP in Linux

Because PPTP isn't a native Linux protocol, installing and using it on a Linux system may require jumping through some unusual hoops. The PoPToP server itself isn't very unusual, but it must communicate with pppd , the Linux PPP daemon. To provide security, the entire system must also use encryption features that aren't a standard part of pppd , so you must replace the standard pppd with an expanded one. Clients for both Linux and Windows are available, but of course they're configured and used differently.

Obtaining and Installing PoPToP

PoPToP ships with some Linux distributions, such as Debian and Mandrake, usually under the package name pptpd or pptpd-server . If your distribution ships with a PoPToP package, try using it first, because it will probably be easier to install and configure than a generic PoPToP package. If your distribution doesn't ship with a PoPToP package, you can obtain it from the main PoPToP Web site (http://poptop.lineo.com). This site hosts the software in the form of a source tarball, source RPMs, and binary RPMs for x 86 systems.

Although you can install and run the PoPToP package on a standard Linux system, the default Linux and PoPToP combination provides a VPN with little in the way of security features. This is because PPTP relies on special PPP encryption features that aren't part of the standard Linux pppd . In particular, PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol. In order to enable encryption, you must obtain and install MPPE encryption patches for the standard Linux pppd and for your Linux kernel. Unfortunately, this process is tedious and tricky. It's described in the upcoming section, "Enabling Encryption Features."

PoPToP Server Configuration

Once you've downloaded and installed the PoPToP package, you can activate it as follows :

1. Edit the /etc/ppp/options file. This file controls the Linux pppd program, which handles the network link between the VPN router and remote PPTP systems. The file should contain entries like the following:

    debug     name  servername  auth     require-chap     proxyarp  192.168.1.1:   192.168.1.100  

   Most of these items set critical PPTP options. The last line is optional; it sets the address used by the VPN router on its local network ( 192.168.1.1 ) and the address to be assigned to a VPN client ( 192.168.1.100 ). If you omit this line, you can specify the IP address to be used in the VPN client's configuration. The servername is the hostname of the VPN server.

2. Edit the /etc/ppp/chap-secrets file to specify the username and password you intend to use for VPN logins, one entry per line. An example, specifying a username of vpn1 and a password of vpnpass , is:

    vpn1   *   vpnpass   * 

WARNING

The passwords stored in /etc/ppp/chap-secrets are not encrypted. This file is therefore extremely sensitive and should be protected as well as is possible. Normally, root owns the file and it's readable only to root . If your PoPToP server is compromised, though, this file might be read, giving others remote access to your network. For this reason, you should run as few servers as possible on your VPN router.

3. Look for a reference to pptpd in your /etc/inittab file. If you find such a reference, disable it by adding a pound sign ( # ) to the start of the line, then type telinit Q to activate this change. This allows you to manually start pptpd to test its configuration changes. Once you've settled on a working configuration, you can re-enable pptpd in /etc/inittab or start it like a more conventional server, as described in Chapter 4.

4. Type pptpd as root to start the server.

At this point, PoPToP should be running, and you should be able to connect to the system using a PPTP client, as described in the upcoming section "PPTP Client Configuration." Without enabling encryption features, though, you may need to disable encryption on your client in order to make a connection. The next section describes enabling PoPToP encryption.

WARNING

Although connecting to PoPToP without encryption is a useful first step in testing your configuration, you should not run it in this way as a routine matter. One of the primary reasons for running a VPN is to provide secure connections, and when you disable encryption, you lose these security benefits.

Additional PPTP-specific options are controlled through the pptpd.conf file, which normally resides in /etc or /etc/ppp . Some options you might want to set in this file include the following:

• debug Entering this option causes PoPToP to log more data to the system log, which can be useful if you're having problems getting a connection to work.

• localip PPTP works by using two IP addresses per client, one for use on the local network and one for use by the client remotely. The PPTP router responds to the local address itself, and passes data for it to the remote address. This is similar to a network address translation (NAT) setup. You can specify the local IP addresses with the localip option, using a comma-separated list or a range with a dash. For instance, localip 192.168.9.7,192.168.9.100-150 assigns 192.168.9.7 and all the addresses from 192.168.9.100 to 192.168.9.150. Be sure that other computers on your local network don't use these addresses.

• remoteip This option specifies the IP addresses to be used by the remote clients. They're normally addresses on a private IP address block. You specify IP addresses in the same format as for the localip option.

• listen You can have pptpd listen for connections on only one interface by listing the IP address associated with that interface with this option. By default, PoPToP listens to all interfaces, which permits PPTP connections within PPTP connections.

Enabling Encryption Features

PoPToP relies on pppd , which in turn relies upon the kernel. In PoPToP's implementation, encryption features require support from pppd , and pppd requires that the Linux kernel include appropriate encryption features. For this reason, using encryption with PoPToP requires patching or replacing both pppd and your kernel.

You may need to obtain patches and packages from several different locations in order to activate PPTP encryption support with PoPToP. Precisely how you go about this depends on the specific packages you install.

The easiest approach is to use a prepatched version of pppd and a prepatched Linux kernel. You can obtain both of these from http://mirror.binarix.com/ppp-mppe/. In particular, you must download two files:

• The Linux kernel Prepatched Linux kernels are available under the filenames that begin with kernel , such as kernel-2.4.9-13mppe. i386.rpm . Some of these packages are precompiled binary kernels for specific system types, and others are kernel source packages. If you download a source package, you must configure and compile it for your system.

• The ppp package Prepatched pppd packages have filenames like ppp-2.4.1-3mdk.i586.rpm . You may be able to install such a package directly over your existing pppd package.

The http://mirror.binarix.com/ppp-mppe/ site favors binary packages built for the Mandrake distribution, so your best chance of using these packages is if you use Mandrake. It's possible that some of these packages, and particularly the ppp package, can be made to work with other distributions, particularly other RPM-based distributions.

TIP

If you run a distribution that doesn't use RPM, you may be able to use the alien utility to convert package formats. This program is a standard part of Debian, and it allows you to convert between RPM, Debian packages, and tarballs.

Another source of prepatched utilities is the PPTP-Linux site, http://pptpclient. sourceforge .net. This site hosts PPTP client software, as described shortly, and the ppp-mppe packages are pppd programs prepatched with MPPE support. These packages also include kernel modules with MPPE support. Consult the Web site to determine what kernel versions are supported when you download the file; the 2.4.0-4 packages available when I wrote this supported the 2.2.19 kernel on updated Red Hat 6.2 and 7.0 systems. Because 2.4. x kernels are now more common, this approach may not be desirable unless the files have been updated by the time you read this.

If you can't or don't want to use prebuilt binaries, you must patch both PPP and your kernel. You'll need to obtain and use at least five things:

• The Linux kernel You can obtain a standard Linux kernel source package from a site like http://www.kernel.org. I recommend using a standard Linux kernel, rather than a kernel from a Linux distribution, because the latter have often been modified with their own patches. This can make applying new patches difficult.

• The pppd source code Go to ftp://cs.anu.edu.au/pub/software/ppp/ to obtain the original pppd source code.

• OpenSSL The MPPE patches require that you have OpenSSL and the OpenSSL header files installed on your system. You can obtain these from http://www.openssl.org.

• Linux kernel patches You can obtain Linux kernel patches from http://mirror.binarix.com/ppp-mppe/. Look for files that begin with linux and end with patch.gz , such as linux-2.4.16-openssl-0.9.6b-mppe.patch.gz .

• pppd patches The pppd patches are also available from http://mirror.binarix.com/ppp-mppe/. These files have names that begin with ppp and end in patch.gz , such as ppp-2.4.1-openssl-0.9.6-mppe-patch.gz . There are variants of many of these, such as a special version for Alpha CPUs.

Unfortunately, many of these patches and utilities are very version-specific. It's best to begin with the patch files and locate the exact kernel and pppd packages they support to avoid problems caused by version changes. To patch and use these tools, you'll need to uncompress the kernel and pppd source code packages, uncompress the patch files (with gunzip filename.patch.gz ), patch the source code (with cd source-dir ; patch -p1 < patchfile.patch ), configure the packages (with make menuconfig or make xconfig for the Linux kernel and ./configure for pppd ), compile the packages (with make bzImage and make modules for the Linux kernel and make for pppd ), and install the packages (with make modules_install and LILO configuration for Linux and make install for pppd ).

Whether you install your new encryption support from prebuilt binaries, by patching and compiling your tools yourself, or by a mixture, you'll need to reboot your computer to use the new kernel before your encryption support will be available.

PPTP Client Configuration

If your PPTP clients are Windows systems, using them with a PoPToP VPN is fairly straightforward because Windows includes PPTP support. Linux clients require an extra software package. In either case, once the VPN connection is made, it's as if the VPN client is part of the local network, at least from a logical point of view. (As noted earlier, speed is likely to be well below true local network speed.)

Using Linux PoPToP Clients

PoPToP is a Linux PPTP server. To link a Linux system (or a Linux router) to a PoPToP or other PPTP server, you need another package: PPTP-Linux (http://cag.lcs.mit.edu/~cananian/Projects/PPTP/ or http://pptpclient.sourceforge.net). The second site includes PPTP-Linux source code in tarball and RPM formats, as well as binary RPMs for x 86 and Alpha CPUs. You should download and, if necessary, compile one of these packages, then install it.

Like PoPToP, PPTP-Linux relies upon pppd and the Linux kernel for MPPE encryption. Therefore, you must install appropriate kernel and pppd changes before you can use an encrypted connection. The preceding section, "Enabling Encryption Features," describes how to do this. The PPTP-Linux site includes appropriate tools. Specifically, the ppp-mppe package is an MPPE-patched pppd program and kernel modules (for the 2.2.19 kernel, as of ppp-mppe version 2.4.0-4).

The PPTP-Linux package includes a setup script called pptp-command . To use this tool, follow these steps:

1. Start the script by typing pptp-command .

2. The script displays a list of four options: start , stop , setup , and quit . Type 3 to use the setup procedures.

3. The script displays a list of nine items that you may configure. Type 2 to select Add a New CHAP secret .

4. The system asks for your local name. This is the name your system will have on your VPN-mediated network. If the VPN router is a Windows system, you must include a NetBIOS domain name. For instance, you might type arbor \\ maple to give your system the name maple in the arbor domain.

5. The system asks for your remote name. In most cases, you can leave this at the default (an empty string). You only need to use this if your network has multiple entries with the same local name but different passwords.

6. The system asks for a password. This is the password that you entered in your PoPToP or other VPN server configuration, such as Step 2 in "PoPToP Server Configuration."

7. The script again displays the list of nine items you can set up. Select option 5, Add a NEW PPTP Tunnel .

8. The system displays a list of predefined tunnels. This will most likely be empty, including only an option called Other . If you see a tunnel that's correct for you, select it; but most likely you'll need to select Other .

9. The system prompts for assorted pieces of information related to your tunnel definition, such as the tunnel's name (use whatever you like), the VPN server's IP address, and routing commands to be used with the tunnel. The latter are similar to those used with the route command (described in Chapter 2, TCP/IP Network Configuration). For instance, add -host 172.19.87.1 gw DEF_GW sets up the system to use 172.19.87.1 as its default gateway, and add -net 172.19.0.0/16 TUNNEL_DEV tells it to pass all data for the 172.19.0.0/16 network through the tunnel.

10. Once again, you see the list of nine items you can configure. Select option 7, Configure resolv.conf .

11. Select the tunnel configuration you created in Step 9. The system will ask you for DNS information that would ordinarily go in /etc/resolv. conf (as described in Chapter 2). Enter this information.

12. The 9-item list of options to configure appears again. Select option 8, Select a default tunnel .

13. The system asks for the name of a default tunnel. Select the one you created in Step 9 (or some other tunnel if you're creating multiple tunnels).

14. At the next appearance of the 9-item list, select option 9, Quit . This terminates the setup program.

At this point, PPTP-Linux is configured to use your PPTP server. You can bring up the PPTP VPN link by using the same pptp-command program you used to set up the link. Instead of choosing option 3 at the first prompt, though, pick option 1 ( start ). The program asks for a tunnel number. Enter it (probably 1 ) and pptp-command brings up the PPTP VPN link.

NOTE

Bringing up the VPN link requires the existence of a regular network connection. Thus, you may need to configure your system to use a regular connection, as described in Chapter 2, or bring up a dial-up PPP link, before you can activate your VPN link.

You can test your VPN link by using route to view your routing table, and by attempting to contact servers on the VPN system. If you can't reach your VPN servers, try pinging the VPN router. You might also try using traceroute to see if your packets are going over the VPN link. If traceroute shows packets traversing your normal (non-VPN) Internet connection, then something is wrong with your routing table. There should be a path to the VPN systems via the VPN's PPP link. If there isn't, Linux will try to route the packets to that network via its normal Internet connection.

Using Windows PPTP Clients

Frequently, PPTP clients are Windows computers belonging to frequent travelers, telecommuters, or others who need to work away from an office. Windows 9 x /Me and Windows NT/2000/XP include PPTP clients, although they're usually not installed by default. The PPTP software works only after you have a working Internet connection, be it via a broadband ISP, a dial-up PPP ISP, or some other mechanism. The procedure for running a Windows Me PPTP client is as follows:

1. Double-click Add/Remove Programs from the Control Panel. This produces the Add/Remove Programs Properties dialog box.

2. Click the Windows Setup tab in the Add/Remove Programs Properties dialog box.

3. Double-click the Communications item in the list of component types. This brings up the Communications dialog box.

4. Check the Virtual Private Networking item in the Communications dialog box.

5. Click OK in both the Communications and Add/Remove Programs Properties dialog boxes. Windows will install the PPTP software, and will probably require you to reboot the computer. Do so.

6. After the system reboots, open the Dial-Up Networking folder in the Control Panel.

7. Double-click the Make New Connection icon. This produces the Make New Connection Wizard (shown in Figure 26.3).

   Figure 26.3. Be sure to choose the Microsoft VPN Adapter when creating a VPN link, not the modem over which the connection goes.

   

8. Type an identifying name for the link and select the Microsoft VPN Adapter device, as shown in Figure 26.3.

9. Click Next. The Make New Connection window now provides a text entry field in which you type the hostname or IP address of the VPN server. Enter this information.

10. Click Next. The system now informs you that the new device is available. Click Finish to dismiss the Make New Connection window.

A new icon now appears in the Dial-Up Networking window. When you double-click this icon, Windows displays the Connect To dialog box shown in Figure 26.4. You should enter the username and password you use on the VPN server, and you may adjust the VPN server's name or IP address, if desired. When you click Connect, Windows initiates the connection, which may take a few seconds. Thereafter, your system has an additional IP address, corresponding to one on the VPN server's network. You can access systems on that network as if they were local, including performing actions such as browsing the network in My Network Places (Network Neighborhood in earlier versions of Windows) and using any resources that are available only to local computers. Remember, though, that the physical networking is not local, so you don't get the same sort of speed that you would get if your system were directly connected to the same networking medium as the VPN systems.

You can change some features of the VPN from the Connect To dialog box before initiating a connection. As shown in Figure 26.4, you can elect to have Windows remember (save) your password. If you do this, you can have Windows initiate the connection whenever it starts up by selecting Connect Automatically. Further options are available by clicking Properties. This brings up a dialog box named after your VPN connection, as shown in Figure 26.5. The most interesting options are on the Networking and Security tabs. From the Networking tab, you can control whether the system uses software compression or keeps a log of the session. You can also control what network protocols are passed through the VPN. If you click TCP/IP Settings, you can tell the system to obtain its IP address from the PPTP server or request a particular address itself, and do the same for DNS server addresses. The Security tab lets you set the username, password, and NetBIOS domain names. It also lets you enable or disable password and data encryption (both are enabled by default, and disabling them removes much of the benefit of a VPN).