
Learn to install and configure a PPTP VPN connection with open source Poptop

Tags: VPNs, UNIX, Operating systems, Network security, Justin Fielding, open source, PopTop, OpenBSD, PPTP, Financial Service IT Newsletter


Takeaway: This tutorial, by Financial Services IT blogger Justin Fielding, will show you how to implement a VPN connection using the open source Poptop PPTP server solution for Linux.

In this article, I'll cover the configuration of a VPN implementation using the Point-to-Point Tunnelling Protocol (PPTP). This allows users to access files or services on an internal corporate network from any Internet connection. The great thing about PPTP vs. other remote "dial-in" types of VPN is that Microsoft Windows (95/98/Me/NT/2000/XP/Vista) has a PPTP client built in, which means administrators don't have to deal with any additional client software and the problems that normally accompany it.

By far the most popular Open-Source PPTP server offering is Poptop. Poptop has the following features:

  • Microsoft-compatible authentication and encryption (MSCHAPv2, MPPE 40- to 128-bit RC4 encryption).
  • Support for multiple client connections.
  • Seamless integration into a Microsoft network environment (LDAP, SAMBA) using RADIUS plugin.
  • Works with Windows 95/98/Me/NT/2000/XP PPTP clients.
  • Works with Linux PPTP client.
  • Poptop is, and will remain, totally free under the GNU General Public License.

While there isn't source for OpenBSD on the Poptop project page, a port of Poptop is made available in the OpenBSD packages archive. I'm going to show you how to install and configure Poptop on an almost clean OpenBSD 3.7 installation. (In fact, it's the exact same system which I have just used in the IPSec tutorials, presented in my Financial Services Networking and Security blog.)

I found the Poptop package here. While I should use the UK mirror (I'm located in London), it's slow and often incomplete, and the German mirror sites are usually fast and exact! Note that this is the package for OpenBSD 3.7. If you're using another release of OpenBSD, then be sure to get the package from the correct branch. I don't think there would be a problem but the packaging system may have been modified between releases.

Configuring Poptop

Getting Poptop running is not as simple as it initially sounds. This is the basic process:

  1. Recompile BSD Kernel for GRE support and additional tun devices.
  2. Create additional tun devices.
  3. Install package.
  4. Configure Poptop to run with full strength encryption.
  5. Allow Poptop traffic through the firewall.

I know that recompiling the kernel can sound quite scary to someone who hasn't done this before. It did to me. This was required when I first performed a Poptop installation with OpenBSD 3.6. I believe this is still a requirement with OpenBSD 3.7. You don't need to do this for every system built, however. I recompiled the first time and then kept a copy of the new kernel to use on later installations.

The following process is just one way in which Poptop can be configured, but I'm sure you can discover other ways to configure it. I found this quite difficult the first time; various mailing lists and forum posts gave conflicting information. I hope that my guide brings all of the correct information together into one place.

First, copy and unzip the system source files to your /usr/src directory. (I won't go into too much detail explaining simple actions like this; I'm assuming your ability to perform basic operations in BSD.) The source is located in the files src.tar.gz and sys.tar.gz, found either on your installation CD or downloaded from the OpenBSD FTP servers.

# tar -xzf src.tar.gz -C /usr/src/
# tar -xzf sys.tar.gz -C /usr/src/

Move to the platform-independent config directory and create a copy of the GENERIC config file:

# cd /usr/src/sys/conf
# cp ./GENERIC ./Custom-Poptop-build

Now we need to edit the config:

# vi ./Custom-Poptop-build

First, comment out the built-in GRE support:

#pseudo-device  gre            # GRE encapsulation interface

Second, increase the number of tun devices to match the maximum number of concurrent users you expect to have connected. I have set this to 50 (see the example in Figure A), which is many more than I will ever need (I would say that 10 are enough for my needs):

pseudo-device   tun     50       # network tunneling over tty

Figure A

Now let's rebuild the kernel; we need to create a copy of the platform-dependent configuration file:

# cd /usr/src/sys/arch/i386/conf
# cp ./GENERIC ./Custom-Poptop-build

Edit this config file to point to the previously modified platform independent config:

# vi ./Custom-Poptop-build

Replace this:

include "../../../conf/GENERIC"

With this:

include "../../../conf/Custom-Poptop-build"

Now start the building process:

# config ./Custom-Poptop-build
# cd ../compile/Custom-Poptop-build
# make depend && make

With luck, the build completes without any nasty errors. Once it has finished, you should find the new kernel (the file is simply called bsd) at about 4.9MB. Let's now replace the default kernel:

# cp /bsd /bsd.old
# cp ./bsd /bsd

Now, a reboot will verify that all is working okay. After you log on, you should see the name of your new kernel (Custom-Poptop-build) to the right of the timestamp. Well, that's the kernel recompiled; it wasn't as tricky as it sounds, was it?
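The two GENERIC edits above are easy to get subtly wrong by hand (a stray character on the tun line, or the arch-specific file still including GENERIC), so here is an added example of my own, not part of the original article, that applies them with sed and checks the result before config and make are run. It assumes the article's paths (/usr/src/sys/conf/GENERIC, the i386 arch directory, the name Custom-Poptop-build) and a tun count of 50; build_custom_kernel is the same sequence as above and must be run as root on the OpenBSD box.

```shell
#!/bin/sh
# Added example, not from the original article: generate and verify the
# custom kernel config rather than editing GENERIC by hand.
# Assumptions: OpenBSD 3.7 source tree under /usr/src, i386, and the
# name Custom-Poptop-build used in the article.

# Copy a GENERIC file to $2, commenting out the gre pseudo-device and
# setting the tun pseudo-device count to $3 (default 50).
customize_kernel_config() {
    src=$1; dst=$2; ntun=${3:-50}
    sed -e 's/^\(pseudo-device[[:space:]]*gre\)/#\1/' \
        -e "s/^\(pseudo-device[[:space:]]*tun\)[[:space:]]*[0-9]*/\1     $ntun/" \
        "$src" > "$dst"
}

# Succeed only if gre is disabled and tun has exactly the expected count;
# run this before spending time on config/make.
verify_kernel_config() {
    cfg=$1; ntun=${2:-50}
    grep -q '^#pseudo-device[[:space:]]*gre' "$cfg" &&
    grep -Eq "^pseudo-device[[:space:]]+tun[[:space:]]+$ntun([[:space:]]|$)" "$cfg"
}

# The complete sequence from the article, for root on the gateway.
build_custom_kernel() {
    name=Custom-Poptop-build
    conf=/usr/src/sys/conf
    arch=/usr/src/sys/arch/i386/conf
    customize_kernel_config "$conf/GENERIC" "$conf/$name" 50 &&
    verify_kernel_config "$conf/$name" 50 &&
    # the arch-specific file only needs its include line redirected
    sed "s|conf/GENERIC\"|conf/$name\"|" "$arch/GENERIC" > "$arch/$name" &&
    cd "$arch" && config "./$name" &&
    cd "../compile/$name" && make depend && make
}

# Usage (needs the OpenBSD source tree, so not exercised here):
# build_custom_kernel && cp /bsd /bsd.old && \
#   cp /usr/src/sys/arch/i386/compile/Custom-Poptop-build/bsd /bsd
```

verify_kernel_config is deliberately strict: a GENERIC that still has gre enabled, or a tun line with the wrong count, fails the check, which is cheaper to discover here than after a reboot into a kernel that cannot hand GRE to pptpd.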

Creating additional tun devices

The next step is to create the additional tun devices (Virtual Point-to-Point network devices) and finish installing and configuring Poptop.

Let's get started: tun0 to tun3 exist by default, so create additional devices with the following:

# cd /dev
# sh ./MAKEDEV tun?

where ? is the device number. I need to run this for each of tun4 through tun49 to create the 50 concurrent devices that I enabled in the kernel.
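Running MAKEDEV 46 times by hand invites a skipped number, so here is an added example, not from the original article, that loops over the range and then counts the tun nodes so the total can be checked against the kernel's pseudo-device tun line. It assumes OpenBSD's /dev/MAKEDEV script; the optional device-directory argument exists only so the functions can be exercised outside /dev.

```shell
#!/bin/sh
# Added example, not from the original article: create the extra tun(4)
# device nodes in one go and confirm the total matches the kernel config.
# Assumes OpenBSD's /dev/MAKEDEV script; the device directory argument
# defaults to /dev and is a parameter only for testing.

# Create tun$first .. tun$last with one MAKEDEV call each and print the
# number created; stop at the first failure rather than leaving gaps.
make_tun_devices() {
    first=$1; last=$2; devdir=${3:-/dev}
    i=$first; made=0
    while [ "$i" -le "$last" ]; do
        # MAKEDEV is written to be run from inside the device directory
        if ! (cd "$devdir" && sh ./MAKEDEV "tun$i"); then
            echo "MAKEDEV tun$i failed" >&2
            return 1
        fi
        made=$((made + 1))
        i=$((i + 1))
    done
    echo "$made"
}

# Count the tun nodes present; with 'pseudo-device tun 50' in the kernel
# this should be 50 (tun0-tun3 from the base install plus the 46 added).
count_tun_devices() {
    ls "${1:-/dev}" | grep -c '^tun[0-9][0-9]*$'
}

# Usage as root on the gateway:
# make_tun_devices 4 49      # prints 46
# count_tun_devices          # prints 50
```

If count_tun_devices reports fewer nodes than the kernel allows, connections beyond that number will fail even though the kernel supports them; if it reports more, the extra nodes are harmless but useless.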

Flying along now, we can get down to installing the Poptop package. Download the package from the repository of your choice and install with:

# pkg_add poptop-1.1.4.b4p1.tgz

A few errors are thrown, but they aren't anything to worry about. Let's get down to the Poptop configuration. The first file to edit is /etc/pptpd.conf in Listing A.

Now /etc/ppp/ppp.conf needs to be configured to handle encryption via a loop back, as in Listing B.

We need to create the file /etc/ppp/secure and add the following content:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Chmod the file after creation:

# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:

username       password       *
username       password       staticip
username       password       *

This file needs to have chmod 0400 performed on it after editing. The asterisk (*) denotes that this user will be automatically allocated a free IP address; you can alternatively specify a static address for this user.

It's nice to have PPP log messages sent to their own log file, as this makes debugging easier and keeps things tidy. Add the following lines to /etc/syslog.conf:

!ppp
*.*                    /var/log/ppp.log

Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP (syslogd PID)

Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running, so you need to use the one running as root.

Poptop can be launched manually; the -d switch will enable debug output.

# /usr/local/sbin/pptpd -d

To start Poptop automatically during boot, the following lines should be added to /etc/rc.local:

if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd"
    /usr/local/sbin/pptpd -d
fi

I would recommend doing this as it would be easy to forget to start the daemon after rebooting and takes no effort to set up.

Our last consideration is the firewall (Packet Filter). We need to allow inbound TCP connections to port 1723 on the external IP, inbound and outbound GRE traffic on the external IP, and all traffic on the tun* devices, as in Listing C.
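Listing C is not reproduced on this page, so the following is an added example of my own, not the article's listing, that emits the Packet Filter rules the paragraph describes. It assumes OpenBSD 3.x pf syntax (state has to be requested with keep state), that the external interface and address are passed in as parameters, and that the tun count matches the kernel config; GRE is IP protocol 47 and has no port numbers, which is why it is matched by protocol alone.

```shell
#!/bin/sh
# Added example, not Listing C from the article: print the pf rules for
# Poptop as a fragment to append to /etc/pf.conf.
# Assumptions: OpenBSD 3.x pf syntax; $1 = external interface,
# $2 = external IP (the pptpd.conf listen address), $3 = tun count.

pptp_pf_rules() {
    ext_if=$1; ext_ip=$2; ntun=${3:-50}

    # Build "tun0, tun1, ..." so one rule covers every tun interface
    i=0; tun_list=""
    while [ "$i" -lt "$ntun" ]; do
        tun_list="${tun_list}${tun_list:+, }tun$i"
        i=$((i + 1))
    done

    cat <<EOF
# --- Poptop / PPTP (added example, not Listing C from the article) ---
ext_if = "$ext_if"
ext_ip = "$ext_ip"
tun_ifs = "{ $tun_list }"

# PPTP control channel: TCP 1723, only to the external address
pass in on \$ext_if proto tcp from any to \$ext_ip port 1723 flags S/SA keep state

# GRE (IP protocol 47) carries the tunnelled PPP frames; no ports, so
# match on protocol and address in both directions
pass in  on \$ext_if proto gre from any to \$ext_ip keep state
pass out on \$ext_if proto gre from \$ext_ip to any keep state

# Traffic on the tun devices is the decrypted VPN session
pass in  on \$tun_ifs all keep state
pass out on \$tun_ifs all keep state
EOF
}

# Usage on the gateway, with the interface and IP from your own setup:
# pptp_pf_rules fxp0 10.21.7.63 50 >> /etc/pf.conf
# pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

Always run pfctl -nf first: it parses the file without loading it, so a typo cannot lock you out of the gateway. The two tun rules pass everything a connected user sends; if dial-in users should only reach particular internal hosts, narrow "all" to those destinations.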

Testing the connection

Now all that's left is to test it. Reboot the machine to make sure that everything is started cleanly. We just need to create a PPTP client connection and make sure it actually connects.

I'm using Windows XP as an example. Start the New Connection Wizard, and select the option Connect To The Network At My Workplace. Then, you should select Virtual Private Network Connection. Enter any name for the connection; the suggestion is "Company Name". There is an option at this stage to have an initial connection dialed before making the VPN connection. I prefer to disable this option, but the choice is yours. At the next step, enter the IP address or hostname of your gateway machine. This is the address seen by the outside world. In our example (Figure B), this is 10.21.7.63, the IP specified in /etc/pptpd.conf with the listen directive.

Figure B

That's the final step. Initiate the connection and enter a username/password from the ppp.secret file.

Once the connection is made, you should be able to find your locally allocated IP in the VPN Status window, and you should also be able to ping an internal address (in my example 20.1.1.1 responds just fine, Figure C).

Figure C

I hope this has been an easy-to-follow guide to configuring PPTP access using OpenBSD and Poptop. If you have any problems following this guide then let me know, by responding in my blog, or by clicking the Discussion link at the end of this article.


Comments on this article

undefined reference to `ipe4_attach' flip-flop-flam | 02/06/06
Weird, which version? Justin Fielding | 06/15/06
OpenBSD 3.9 franky@... | 09/16/06
Don't patch the kernel Justin Fielding | 05/02/07
RE: Learn to install and configure a PPTP VPN connection with open source P techrepublic.com@... | 08/29/08
