This section helps the reader set up a Linux machine as a PPTP client. It also details how to enable an IPMASQ server and/or a strong IPCHAINS firewall server (NO solution is available for 2.4.x kernels with IPTABLES) to properly forward PPTP traffic.
Most typical Windows VPN clients FORCE all network traffic through the VPN connection whenever it is up and running. Linux VPNs don't require this. This flexibility lets you keep your personal traffic on your own Internet connection while only work traffic goes over the VPN connection. Some corporate IT people consider this a security issue, and it CAN BE if your PPTP client machine is not secured. Yet, if you have properly followed most aspects of TrinityOS, you are pretty secure. :-)
Currently, this section makes TWO assumptions:
When compiling the various PPTP client software, you will NEED to have the kernel source code installed on your machine, configured via "make config", and the "make dep" process completed. There isn't any direct need to actually compile the kernel or any kernel modules. In my case, I have the generic Linus 2.4.18 kernel installed with the sources saved under the "/usr/src/kernel/linux" path.
NOTE:
You SHOULDN'T need to recompile your kernel unless:
Download both the "pptpclient" client and the "ppp-mppe" PPP shim software from the URLs found in Section 5. I recommend saving these files in the "/usr/src/archive/pptp/" directory.
Before you start, it is critical to verify that your kernel supports PPP via kernel modules and NOT via PPP being built monolithically into the kernel. To verify this, get a directory listing of the following directory for your given kernel version:
For a 2.4.18 kernel:
# ls /lib/modules/2.4.18/kernel/drivers/net/
bsd_comp.o  dummy.o  ppp_async.o  ppp_deflate.o  ppp_generic.o  ppp_synctty.o  slhc.o
You need to have the "ppp_async" and "ppp_generic" modules listed. If you don't have these options, you'll need to recompile the kernel with modularized PPP options. For more information, please see Section 12.
MPPE stands for Microsoft Point-to-Point Encryption, which we need to add to PPPd. This and a few other kernel modules make Linux interoperate with Microsoft's 40-bit and 128-bit PPTP servers.
As you'll see, this package comes with PPPd 2.4.0, which is already outdated since 2.4.1 has been released. In my case, my Linux distribution comes with PPPd version 2.4.1, so installing MPPE downgraded it to 2.4.0. I didn't really care as 2.4.0 seems to work just fine. In the future I suppose they will release a ppp-mppe version with PPPd 2.4.1.
To compile and install the various PPTP software, first be sure you are ROOT. Then run these commands:
cd /usr/src/archive/pptp
tar xzvf ppp-mppe-2.4.0-4.tar.gz
cd ppp-mppe-2.4.0-4
. unpack.sh
cd ppp-2.4.0
./configure
make
Now let's save original PPP programs from your Linux distribution (please note that your distribution might place these files in different directories).
cp /usr/sbin/chat /usr/sbin/chat.bak
cp /usr/sbin/pppd /usr/sbin/pppd.bak
cp /usr/sbin/pppdump /usr/sbin/pppdump.bak
cp /usr/sbin/pppstats /usr/sbin/pppstats.bak
Now, let's install the new versions of PPPd:
make install
cd linux-kernel
NOTE: When compiling the MPPE kernel module, edit the "kmodbuild.sh" script, find the "ARGS" line, and change it to read:
ARGS="TREE=/usr/src/kernel/linux"
Ok.. now compile the kernel module:
./kmodbuild.sh
The final compile output from the above step should look something like:
There is a script in kernel-modules that can do this for you. To use it to install your newly built kernel modules, type:
kernel-modules/kmodinst.sh kernel-modules/new-2.4.18
Check the bottom line displayed on your system when you ran the "./kmodbuild.sh" script. The name of the directory will be different from the one displayed below depending on the kernel version installed on your machine.
From the message received from above, run the following command for a generic 2.4.18 kernel:
kernel-modules/kmodinst.sh kernel-modules/new-2.4.18
NOTE:
Now that the MPPE section is finished, let's move on to the PPTPCLIENT installation:
cd ../..
The PPTP client software is actually a VERY complex Perl script. Though I suppose I could have written something simple on my own, this tool works just fine and offers some advanced features some users might like.
To install it, do the following commands:
tar xzvf pptp-linux-1.1.0-1.tar.gz
cd pptp-linux-1.1.0-1
# Yes, this is weird to have a tar in a tar but that's how the archive comes
tar xvzf pptp-linux-1.1.0.tar.gz
cd pptp-linux-1.1.0
make
cp pptp /usr/sbin
Finishing up:
cd ..
cp pptp-command /usr/sbin
NOTE:
Some users had to edit this "pptp-command" Perl script file and remove the "-T" option at the top of the Perl script file (I didn't):
old: #!/usr/bin/perl -wT
new: #!/usr/bin/perl -w
Ok, from the PPTP archive, copy over the example OPTIONS file:
cp options.pptp /etc/ppp
The "pptp-command" Perl script installed above can be run without any command line arguments as an interactive program. Instead, I recommend simply creating the following files and editing them when required to match your setup.
So, copy the following text and save it as the file "/etc/ppp/peers/MyEmployer":
NOTE:
/etc/ppp/peers/MyEmployer
#
# PPTP Tunnel configuration for tunnel MyEmployer
# Server IP: 220.1.2.3
# Route: add -net 172.16.0.0 netmask 255.240.0.0 dev TUNNEL_DEV
#
#
# Tags for CHAP secret selection
#
name YourUserNameHERE
remotename REMOTE-PPTP-CHAP-HERE
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp
Now, make this new file the default PPPd peers file:
ln -s /etc/ppp/peers/MyEmployer /etc/ppp/peers/__default
Now edit the CHAP secrets file and put in your PPTP username and password.
VERY IMPORTANT NOTE:
Currently, your PPTP password will be saved in CLEARTEXT which is VERY BAD. I plan on updating this section to prompt for your password and NOT store it anywhere. Until then, just be sure that you fix the permissions of this file as shown below.
Please change the:
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
#
# client              server                   secret         IP addresses
#
YourUserNameHERE      REMOTE-PPTP-CHAP-HERE    'PPTP-Passwd'
IMPORTANT:
As mentioned above, be sure that only the ROOT user is able to access this file, as your PPTP password is stored in there.
chmod 600 /etc/ppp/chap-secrets
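The permission fix above is easy to lose when a distribution upgrade or a later "make install" replaces the secrets file, so a check that can be re-run is worth having. The following is an added example, not a TrinityOS script: it verifies that a file is in the state "chmod 600" leaves it in (and, optionally, that the expected user owns it), and tightens the mode when it is not. It assumes a stat that accepts "-c" (GNU coreutils or busybox); the file path and owner arguments are whatever you pass in.

```shell
# Added example, not from TrinityOS. Check that a secrets file is readable by
# its owner only, which is what "chmod 600 /etc/ppp/chap-secrets" sets up.
# Arguments: the file, and optionally the user that must own it (root on a
# real system). Returns 0 when the file passes, 1 with a message on stderr
# otherwise. Assumes GNU/busybox stat with the -c option.
secrets_mode_ok() {
    f="$1"
    want_owner="$2"
    if [ ! -f "$f" ]; then
        echo "$f: no such file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" != "600" ]; then
        echo "$f: mode is $mode, expected 600 (the PPTP password is stored here)" >&2
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    return 0
}

# Tighten the mode if needed and re-check. Returns 0 when the file ends up
# correct, so the call is safe to repeat from rc.local or a cron job.
secure_secrets_file() {
    f="$1"
    if ! secrets_mode_ok "$f" "$2" 2>/dev/null; then
        chmod 600 "$f"
    fi
    secrets_mode_ok "$f" "$2"
}

# On a real system (run as root):
#   secure_secrets_file /etc/ppp/chap-secrets root
```

Ownership is only enforced when a user name is passed, because a file that is mode 600 but owned by an ordinary account is still readable by that account; on the PPTP client itself the call should always name root.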
When the PPTP VPN connection is up, you need to make sure you use the DNS servers on the other side of the VPN so you can reach the intended private systems. Without this, nothing would resolve and thus you wouldn't be able to connect to any internal machines by NAME, though connecting by IP address would still work.
NOTE:
Save your original "/etc/resolv.conf" as "/etc/resolv.conf.real"
cp /etc/resolv.conf /etc/resolv.conf.real
Next, create a "/etc/resolv.conf.pptp" file from the example text below. Please change the IP addresses here to reflect the correct INTRANET DNS servers that are on the other side of your VPN connection (myemployer.com).
/etc/resolv.conf.pptp
search MyEmployer.com
nameserver 172.24.244.10
nameserver 172.24.245.10
As a heads up, when you run the "pptp-command start" script, the script will make a backup of your /etc/resolv.conf file and then copy the "/etc/resolv.conf.pptp" file over it. When you disconnect from the PPTP VPN with the "pptp-command stop" command, the script will copy the backup "resolv.conf.real" file back to "resolv.conf".
The first time you run the "pptp-command" script, I recommend activating PPP's "debug" option. To do this, add the following line at the beginning of the "/etc/ppp/options.pptp" file:
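The swap described above has one failure mode worth guarding against: if the "up" step runs while the tunnel is already up, a naive copy turns the VPN resolver file into the "real" backup and the original resolvers are lost when you disconnect. The following is an added example and is not the pptp-command script itself; it implements the same backup/swap/restore on a directory you name (pass "/etc" on a real system, a scratch directory to try it), and skips the backup when one already exists.

```shell
# Added example, not the pptp-command script: the resolv.conf backup/swap/restore
# described in the text, parameterised on a directory so it can be tried safely.
# Files used inside $dir: resolv.conf, resolv.conf.real, resolv.conf.pptp.

# Bring the VPN resolvers in. Keeps an existing resolv.conf.real untouched so
# running this twice never overwrites the original resolver list.
pptp_dns_up() {
    dir="$1"
    if [ ! -f "$dir/resolv.conf.pptp" ]; then
        echo "missing $dir/resolv.conf.pptp" >&2
        return 1
    fi
    if [ ! -f "$dir/resolv.conf.real" ]; then
        cp "$dir/resolv.conf" "$dir/resolv.conf.real"
    fi
    cp "$dir/resolv.conf.pptp" "$dir/resolv.conf"
}

# Put the original resolvers back; refuses if there is no backup to restore.
pptp_dns_down() {
    dir="$1"
    if [ ! -f "$dir/resolv.conf.real" ]; then
        echo "no $dir/resolv.conf.real backup to restore" >&2
        return 1
    fi
    cp "$dir/resolv.conf.real" "$dir/resolv.conf"
}

# Report which resolver set is active: "pptp", "real", or "other".
pptp_dns_state() {
    dir="$1"
    if cmp -s "$dir/resolv.conf" "$dir/resolv.conf.pptp"; then
        echo pptp
    elif cmp -s "$dir/resolv.conf" "$dir/resolv.conf.real"; then
        echo real
    else
        echo other
    fi
}

# On a real system the calls are:  pptp_dns_up /etc   and   pptp_dns_down /etc
```

pptp_dns_state is handy in a troubleshooting script: if it reports "other" after the tunnel has gone down, something else (a DHCP client, for instance) has rewritten resolv.conf and the .real backup is no longer a faithful copy of it.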
debug
In a different terminal/xterm, run the "logit" script from Section 9 to see what happens in real-time.
Your system might or might not install the following kernel modules automatically. Try running "pptp-command start" as shown below and see if things work. If not, try the following:
/sbin/modprobe mppe
/sbin/modprobe ppp_async
After you do this, make sure that the following kernel modules are loaded by running the "/sbin/lsmod" command. Please note that ALL of these modules are CRITICAL even if this isn't over a modem connection, etc. Trust me!
mppe                   20416   0  (unused)
ppp_async               6128   0  (unused)
ppp_generic            15088   0  [mppe ppp_async]
slhc                    4272   0  [ppp_generic]
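Both kernel-side requirements in this section, the modular PPP build checked via the /lib/modules listing earlier and the four loaded modules checked via lsmod here, are easy to script so they can be run before every "pptp-command start". The following is an added example and not part of TrinityOS; the function names, the module directory you pass in, and the lsmod sample are all constructed for the example.

```shell
# Added example, not part of TrinityOS. Two checks for the kernel-side
# requirements of the PPTP client: that PPP was built as modules, and that
# every module the client needs is loaded. Both take their input as an
# argument or on stdin so they work on constructed samples as well as a live box.

# Check that the modular PPP object files exist in a modules directory.
# Live usage: ppp_modules_built /lib/modules/$(uname -r)/kernel/drivers/net
# Returns 0 when both ppp_async.o and ppp_generic.o are present.
ppp_modules_built() {
    dir="$1"
    ok=0
    for obj in ppp_async.o ppp_generic.o; do
        if [ ! -f "$dir/$obj" ]; then
            echo "$obj not found in $dir: rebuild the kernel with modular PPP" >&2
            ok=1
        fi
    done
    return "$ok"
}

# Read lsmod output on stdin and print the names of required modules that are
# not loaded, one per line; returns 0 only when none are missing.
# Live usage: /sbin/lsmod | missing_pptp_modules
missing_pptp_modules() {
    required="mppe ppp_async ppp_generic slhc"
    # First column of every line, skipping a "Module ..." header if present.
    loaded=$(awk '!(NR == 1 && $1 == "Module") { print $1 }')
    status=0
    for mod in $required; do
        found=0
        for name in $loaded; do
            if [ "$name" = "$mod" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$mod"
            status=1
        fi
    done
    return "$status"
}

# Constructed lsmod sample (not a capture) matching the listing above.
SAMPLE_LSMOD='mppe                   20416   0  (unused)
ppp_async               6128   0  (unused)
ppp_generic            15088   0  [mppe ppp_async]
slhc                    4272   0  [ppp_generic]'

printf '%s\n' "$SAMPLE_LSMOD" | missing_pptp_modules && echo "all PPTP modules loaded"
```

Only the first column of lsmod is consulted, so "ppp_async" appearing inside the "[mppe ppp_async]" users list of ppp_generic does not count as loaded; that is exactly the case where the modprobe lines above are needed.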
Ok.. try it out:
pptp-command start
After a short while the script will continue in the background. Don't forget to check your log file to see what happens, optionally using the LOGIT script.
To shut down the tunnel, run the following command:
pptp-command stop
Once you are sure the PPTP setup is working, be sure to REMOVE that "debug" option mentioned above.
If you are running a strong IPCHAINS ruleset for firewalling or IPMASQ and firewalling (TrinityOS firewall, etc.), you need to add the following firewall commands to your rc.firewall ruleset to let the PPTP and GRE traffic through:
An example of an IPCHAINS firewall (not MASQing):
#portions of this ruleset are from TrinityOS(tm)

#pptp.Myemployer.com
SECUREHOST="220.1.2.3"

# -- INPUT SECTION --
#
# For just a strong firewall on the PPTP client itself
#
echo " * Allowing $SECUREHOST INPUT for PPTP, GRE"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $EXTIP
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 47 -s $SECUREHOST -d $EXTIP

# -- OUTPUT SECTION --
#
echo " * Allowing $SECUREHOST OUTPUT for PPTP and GRE"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP -d $SECUREHOST 1723
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 47 -s $EXTIP -d $SECUREHOST
An example of an IPCHAINS firewall with MASQing:
#portions of this ruleset are from TrinityOS(tm)

#pptp.myemployer.com
SECUREHOST="220.1.2.3"

#your EXTERNAL IP address -- change this to be your PPTP client's IP address
#PPTPCLIENT=$EXTIP
PPTPCLIENT="1.2.3.4"

# -- INPUT SECTION --
#
# For just a strong firewall on the PPTP client itself
#
echo " * Allowing $SECUREHOST INPUT for PPTP, GRE"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $EXTIP
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 47 -s $SECUREHOST -d $EXTIP

# -- OUTPUT SECTION --
#
echo " * Allowing $SECUREHOST OUTPUT for PPTP and GRE"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP -d $SECUREHOST 1723
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 47 -s $EXTIP -d $SECUREHOST

# -- FORWARD SECTION --
#
/sbin/ipchains -A forward -j MASQ -i $EXTIF -p 47 -s $PPTPCLIENT -d $SECUREHOST
If you are running a Linux / Windows / etc. PPTP client BEHIND a Linux IPMASQ server, you will have to apply the PPTP MASQ kernel patches to the MASQ server's kernel, recompile it, and reboot. These patches allow Linux to:
Please see the PPTP VPN URL in Section 5 to get the required patches for your kernel. Once the kernel has been patched, you will then have to configure the kernel with the following "Network" option:
IP: PPTP masq support (CONFIG_IP_MASQUERADE_PPTP) [Y/m/n/?] Y
NOTE:
If you get stuck on item #8 from the Advanced Troubleshooting PPTP URL from Section 5, try this:
modprobe ppp_generic
modprobe mppe
Final NOTE (whew!):