HOWTO: PPTP VPN Server with MPPE, including Shorewall config

texas1emt · Last edited by texas1emt on Sun Jun 18, 2006 2:45 pm; edited 2 times in total

HOWTO: PPTP VPN Server with MPPE, including Shorewall configuration

Goal of this HOWTO:

The goal of this howto is to create a PPTP VPN server on a Gentoo workstation or server so that you can access resources behind your firewall when you are away. You can use clients such as pptpclient, Windows XP, or OS X to connect to this VPN securely. Also, you can access the internet using your VPN server's internet connection, which is handy if you're in a location with unsecured wireless.

Packages For This HOWTO:

PoPToP VPN Server - http://www.poptop.org/
Point To Point Protocol (PPP) - http://samba.org/ppp/
Gentoo Patched Kernel 2.6.16 (or later) - http://dev.gentoo.org/~dsd/genpatches/
Shorewall (optional) - http://www.shorewall.net/

Step 1: Preparing Your Kernel Modules

Microsoft Point To Point Encryption

Polbox MPPE-MPPC patch

Code:

# emerge sync
# emerge gentoo-sources

As of the writing of this HOWTO, the latest stable gentoo-sources kernel is 2.6.16-r7 but your results may vary. If you already have a 2.6.16 kernel, then keep on going in the HOWTO. If you just upgraded your kernel from another kernel by running the previous two commands, then please be sure to configure your kernel to support your hardware first, then move on to the next paragraph.

Inside your kernel configuration, be sure to enable the following:

PPP Support:

Code:

Device Drivers -> Network Device Support
<*> PPP (point-to-point protocol) support
[*] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
<*> PPP support for async serial ports
<*> PPP support for sync tty ports
<*> PPP Deflate compression
<*> PPP BSD-Compress compression
<*> PPP MPPE compression (encryption) (EXPERIMENTAL)
<*> PPP over Ethernet (EXPERIMENTAL)

Crypto Support: (I generally modularize all of the crypto modules, just in case)

Code:

Cryptographic API
[*] HMAC support
<M> Null algorithms
<M> MD4 digest algorithm
<M> MD5 digest algorithm
--- SHA1 digest algorithm
<M> SHA256 digest algorithm
<M> SHA384 and SHA512 digest algorithms
<M> Whirlpool digest algorithms
<M> Tiger digest algorithms
<M> DES and Triple DES EDE cipher algorithms
<M> Blowfish cipher algorithm
<M> Twofish cipher algorithm
<M> Serpent cipher algorithm
<M> AES cipher algorithms
<M> AES cipher algorithms (i586)
<M> CAST5 (CAST-128) cipher algorithm
<M> CAST6 (CAST-256) cipher algorithm
<M> TEA, XTEA and XETA cipher algorithms
--- ARC4 cipher algorithm
<M> Khazad cipher algorithm
<M> Anubis cipher algorithm
<M> Deflate compression algorithm
<M> Michael MIC keyed digest algorithm
<M> CRC32c CRC algorithm
<M> Testing module

Netfilter Support for Shorewall: (If you're not going to use Shorewall, then skip this step)

Code:

Networking Options -> Network packet filtering (replaces ipchains)
Make sure everything within this area is compiled in [*]

Exit the kernel configuration, save your changes, and compile your kernel:

Code:

make && make modules_install

Copy your kernel over to /boot. If you upgraded a kernel during this procedure be sure to change your bootloader configuration! Reboot your box and continue to step 2.

Step 2: Install Packages

net-dialup/ppp (compiles in < 2 minutes on a P3 900)
net-dialup/pptpd (compiles in < 1 minute on a P3 900)

DO NOT

Polbox MPPE-MPPC patch

Code:

# emerge -pv ppp pptpd
[ebuild N ] net-dialup/ppp-2.4.2-r15 -activefilter -atm -dhcp -ipv6 -mppe-mppc +pam -radius 0 kB
[ebuild N ] net-dialup/pptpd-1.2.3-r1 +tcpd 0 kB

Just emerge the packages now (takes less than 3 minutes on a P3 900):

Code:

emerge ppp pptpd

Step 3: Configure PoPToP/PPP

/etc/pptpd.conf

This file contains the basic instructions for the PPTPD process.

Code:

# This tells PPTPD to find its options in another file (which we will edit later)
option /etc/ppp/options.pptpd
# Turn on debug output until you get things working properly, then comment it later
debug
# Log the connects and disconnects to your system log
logwtmp
# Set your local and remote ip's (this is tricky - see info below)
localip 192.168.0.1
remoteip 192.168.0.210-220

Okay, so what's this deal about localip and remoteip? It is a bit tricky, indeed. You can read the comments from the authors of PoPToP there in your conf file, but they're a bit unclear.

First, I'll explain how my setup works, as it may be common. I have two interfaces: eth0 faces the internet and eth1 faces my internal NAT'ed network. My eth0 interface connects to a cable modem and it gets its networking information via DHCP. My eth1 interface connects into a switch and serves my internal network only. The internal network is 192.168.0.0/24 (or 192.168.0.1-192.168.0.255). The IP 192.168.0.1 is assigned to eth1 at all times. For those of you who are visual learners, enjoy my rudimentary network diagram:

Code:

/----------\ /---------------\ /--------\ /-----\
| Internet |---eth0---| Gentoo Router |---eth1---| Switch |---------| LAN |
\----------/ \---------------/ \--------/ \-----/
(dynamic ip) 192.168.0.1 192.168.0.0/24

Here's a few tips to keep in mind when you're setting up localip and remoteip:

For localip, specify the IP address of your internal interface.
For remoteip, specify the IP addresses that remote users are allowed to use. When remote users connect, they will be assigned IP's starting at the lowest end of the range you provide. In my example configuration above, my first remote user will be assigned 192.168.0.210.
The amount of connections allowed is the same as the number of remote IP's provided. If you want 10 remote users, provide 10 remote ip's.
The IP's for localip and remoteip MUST be on the same network interface and MUST be on the same subnet. For example, if the IP you provide for localip is on eth0 and the IP's for remoteip are on eth1, you will have connection issues.

/etc/ppp/options.pptpd
This file contains the instructions for PPP when someone tries to connect to your VPN.

Code:

# The name is pretty arbitrary, but it must match the entry in your chap-secrets
name pptpd
# These are really unsecure methods, so they're disabled
refuse-pap
refuse-chap
refuse-mschap
# This is the most secure handshake method
require-mschap-v2
# We want to force 128 bit encryption for the session
require-mppe-128
# Enable a lot of debugging to the syslog (comment it out once everything works)
debug
# Make a lock file while the connection is open
lock
# Disable compression (it's not available with your module)
nobsdcomp
# Don't log to your terminal window
nologfd

/etc/ppp/chap-secrets
This file contains login credentials for your remote users.

Code:

# client server secret IP addresses
mylogin pptpd mypassword *
googlebuddy pptpd googlebuddypass 216.239.32.0/19

The client is the username, the server defines which server the secret is meant for (see line 1 of /etc/ppp/options.pptpd), and the secret is the password. For IP addresses, the asterisk (*) means allow from all IP's. You can specify a single IP or CIDR block to limit access to certain IP addresses.

Step 4: Firewall Configuration

Borrowed From Experts-Exchange

Code:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723

ProTech made a good point (see first reply below) that the above instructions are for a VPN server that is NAT'd on an internal network. My mistake! ProTech made the suggestion to use these iptables commands to use a VPN server on the router/firewall itself:

Code:

iptables -A INPUT -p gre -d FIREWALL_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d FIREWALL_IP -j ACCEPT

Since Shorewall is my favorite way to configure netfilter, this HOWTO is pretty Shorewall-centric. Luckily, you only need a few edits:

/etc/shorewall/interfaces

Code:

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp
gig eth1 192.168.0.255 dhcp
vpn ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The net zone connects to the internet on eth0, gig connects to the internal gigabit network on eth1, and vpn comprises all of the ppp interfaces. By using ppp+ in the file, you're telling shorewall to include ppp0, ppp1, ppp2, etc. in this zone.

/etc/shorewall/zones

Code:

#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
gig ipv4
vpn ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

I added the vpn zone here, and it is an IPv4 network.

/etc/shorewall/policy

Code:

#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
fw gig ACCEPT
fw vpn ACCEPT
gig fw ACCEPT
gig net ACCEPT
gig vpn ACCEPT
vpn fw ACCEPT
vpn net ACCEPT
net all DROP
all all REJECT
#LAST LINE -- DO NOT REMOVE

The firewall, internal gigabit network, and vpn can talk between themselves and also to the internet. However, the internet isn't allowed to talk directly to any of them (unless I allow it in /etc/shorewall/rules).

/etc/shorewall/rules

Code:

ACCEPT net fw tcp 22,443,1723,10000

For the firewall, I'm allowing ssh, https, pptp vpn, and webmin in from the outside. Where's GRE Protocol 47? Check the next file.

/etc/shorewall/tunnels

Code:

#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpserver vpn 192.168.0.1

This tells shorewall to allow GRE traffic to go from the VPN's gateway (192.168.0.1) back out to the internet to our remote users.

Now, check your syntax and restart the firewall:

Code:

# shorewall check
# shorewall restart

Step 5: Starting PPTPD

Code:

# /etc/init.d/pptpd start
# rc-update add pptpd default

Now, test a connection. You should get something like this in the syslog. (I'm only displaying the non-debug output)

Code:

Jun 12 16:38:30 router pptpd[23810]: CTRL: Client xxx.xxx.xxx.xxx control connection started
pptpd[23810]: CTRL: Starting call (launching pppd, opening GRE)
pppd[23811]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[23811]: pppd 2.4.2 started by root, uid 0
pppd[23811]: Using interface ppp0
pppd[23811]: Connect: ppp0 <--> /dev/pts/1
pptpd[23810]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
pppd[23811]: MPPE 128-bit stateless compression enabled
pppd[23811]: found interface eth1 for proxy arp
pppd[23811]: local IP address 192.168.0.1
pppd[23811]: remote IP address 192.168.0.210

At this point, you should be a-okay! Check the common issues below if something doesn't seem right.

Common Issues:

The connection hangs on Connect: ppp0 <--> /dev/pts/x: Most likely, your localip and remoteip in /etc/pptpd.conf are on different interfaces or subnets. They have to be on the same interface and within the same subnet!
The connection hangs on CTRL: Ignored a SET LINK INFO packet with real ACCMs!: Your remote location might not be allowing GRE traffic in, or it might not be surviving a NAT properly. Confer with your network administrator at the remote location.

Step 6: How do I connect to the VPN?

Using Windows XP:

Go to File -> Settings -> Control Panel. Choose Network Connections.
Click Create a new connection.
When the wizard starts, click Next, Connect to the network at my workplace, then Next.
Click Virtual Private Network connection, Next, name the connection, then Next.
If it asks about dialing an initial connection, click Do not dial... unless you are using dialup to connect to the internet.
Enter the external address of your VPN server, click Next, choose an availability option, then Next and Finish.
Click Properties, the Networking tab, choose PPTP VPN from the drop down and double click Internet Protocol (TCP/IP).
Click Advanced and uncheck Use default gateway on remote network. If you leave it checked, ALL of your computer's traffic will be routed through your home network. This will cut off current connections, downloads, chats, etc.
Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK.
Double click the VPN network connection, enter your username and password from /etc/ppp/chap-secrets and connect!

Using OS X:

Double click your hard drive icon, then double click Applications, and then double click Internet Connect.
Click the VPN icon in the top bar and choose Edit Configurations from the drop down list.
Click the + under the list on the left and complete the description, server address, account name, and password fields.
Be sure to choose Maximum (128 bit only) from the Encryption drop down menu and click OK.
Click connect and your VPN should be connected.
With OS X, all of your traffic will get routed through the remote network. To fix this, drop to a terminal and execute:

Code:

$ sudo route add default 192.168.0.1
Change 192.168.0.1 to your local gateway so that only the traffic that needs to go over the VPN actually does go over the VPN.

Final Thoughts
If you have any questions or comments, reply to the post or contact me and I'll see what I can do to help.

Version History:

_________________
M. Hayden - San Antonio, TX

ProTech · Posted: Sun Jun 18, 2006 10:08 am Post subject:

Thanks for the HOWTO!

I will try this as soon as a hardened-sources-2.6.16 kernel get stabilized.

I have some questions about the firewall section. You can use iptables or shorewall, right? So if I'm using iptables already, I don't have to do anything with the sorewall section. I know nothing about shorewall...

I think the iptables section is for a VPN server not in the router/firewall, but in a NAT'ed machine inside your local net. For a VPN server in the router you have to add the something similar to the first two commands, like this (I didn't tried this):

texas1emt · Posted: Sun Jun 18, 2006 2:51 pm Post subject:

Vieri · l33t Joined: 18 Dec 2005 Posts: 872

DooMi

fr3akX · n00b Joined: 17 Oct 2005 Posts: 31 Location: LV

After this im getting on client machine gateway and ipadress the same! Client machine runs on winxp, how do i get to route all clients traffic thru VPN?
_________________
http://chown.lv

jhunholz · Posted: Wed Oct 04, 2006 5:51 pm Post subject:

I've set up my firewall like you say to above, but when I try to log on from a client at work, it gets to verifying the username/password, waits for a while, then asks if I want to try again. When I try to connect, I'm seeing this printed over and over in /var/log/messages on the server:

jhunholz · Posted: Wed Oct 04, 2006 6:34 pm Post subject:

After doing some investigating, it seems my problem is the firewall my company has in place. So I guess I'll have to find another way of connecting to my home network.
_________________
Member of the Gentoo Right Wing Conspiracy

RayVad · n00b Joined: 10 Nov 2005 Posts: 67 Location: Netherlands

Q: How should i setup my /etc/conf.d/net for PPTP? (This question came up to me since PPTP wasn't working at first)

A: I have two NICs in my system and like to use eth0 = LAN en eth1 =WAN.
My /etc/conf.d/net is configured as:

Jeff4321 · n00b Joined: 19 Dec 2006 Posts: 2

Huuuuuuge thanks to texas1emt for this guide. I had been pissing around for a day and a half before I finally found this easy to use guide and got my VPN server up and working.

One issue that I did have that no one has mentioned yet was that I could ping the two end-points of my VPN tunnel but my server was not forwarding the packets. For example: My VPN server has an address of 10.235.1.1 and my VPN client was assigned an address of 10.235.1.240. When I attempted to ping another device at 10.235.1.4 it did not work. My ICMP packets arrived at the VPN server and nothing happened. I made sure my IPTABLES forwarding rules were set correctly, made sure /proc/sys/net/ipv4/ip_forward had a '1' in it, etc.

My problem was resolved simply by setting proxyarp on in /etc/ppp/options.pptpd and restarting /etc/init.d/pptpd. I think that should be added to the original post as initially it is set in the default /etc/ppp/options.pptpd file but I commented it out and just used what the guide told me to use.

Other than that it is working great!

rottis · n00b Joined: 06 Jul 2004 Posts: 5

Hi!

Thanks for this great howto... I used this howto to be able to connect a windows xp client to a samba pdc and i ran into trouble.

I thought I would share my problem and solution for future references for me (I have a very short memory) and for other users.

Problem:
I could not get netbiosnames to work. I needed this to be able to add the computer to the domain but it is the same problem if you want to browse computers which are in your workgroup.

Solution in theory:
You have to add a wins-server in my case the samba pdc server. I tried to add it through the network settings and through the pptpd and it always showed up in the ipconfig /all but I couldn't talk to the other computers except for via dns or ip.

Solution in practice:
Add the wins-server and enable the netbios over tcp/ip on the vpn network connection and disable the netbios over tcp-ip on the external network card because windows gets confused when it is enabled on both and you will need it to be enabled on the vpn-connection.

/marcus

Brownstone · n00b Joined: 18 Aug 2006 Posts: 25

Thanks for this HOWTO! I have the following setup and it worked fine:

1. 3com ADSL Wireless Router -- Port 1723 open and pointing to my Gentoo server
2. Netgear 5 Port 1G Switch -- 3com + Server + Desktop all connected to this

Turns out I didn't need to do any of the IPTABLES or Shorewall stuff, since my Gentoo box is pretty much a file-server only. The 3com takes care of the routing well enough for the moment.

Thanks again!

EDIT - Turns out I *did* need to do one extra thing before I could ping other machines on the VPN:

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

What's mean this proposition ?

"Back in the Network Connections panel, choose Advanced -> Advanced Settings. Then move Remote Access Connections to the top spot. Click OK."

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

Hi there, thanks to texas1emt for this very article. His article spur me to improve my intranet server.

Not counting previous question, I have few more questions. May be someone can help me ...

I complete all instructions in this guide and have such problem :

Connection estableshed, but client can't ping any internet server ...

I suspect that something with iptables rules ...

Are any suggestions ?

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

If my question so simple or stupid, please say to me

xanas3712 · Guru Joined: 15 Oct 2004 Posts: 455

Just_Chris · n00b Joined: 20 Nov 2003 Posts: 23

Thanks for nice guide - I have got this working, sort of...

I dont use IPTABLES or any firewall as I only use this to access a private lab network from a secure corporate network. Like the poster above i had to do:

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

Hi
I'm using hardened kernel & profile
I did all steps, that texas1emt wrote
I'm not using any firewall at my server

The server use 1 lan card and receives internet traffic throw eth0 (from another server)
Also clients are on the same interface as a internet (eth0)

Connection going well established but clients can't ping any host in the internet.

server routing table:

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

what's wrong? does anybody can't help to man what just set up vpn server? what for that forum ?

here's my pptpd.conf

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

Hi, everyone.
Did anyone knows another HOWTO VPN SERVER ?

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

Hi again.
Does anybody know about peculiar properties of this howto in hardened-sources?
I have a problem with Incorrect mtu value.

JasonX · n00b Joined: 26 Jul 2006 Posts: 66 Location: Minsk

The problem was SOLVED see solution here and pptpd server were setted up with help of this howto.

Thanks everybody who tried to assist.