HOWTO PPTP VPN client (Microsoft-compatible with mppe)

From Gentoo Linux Wiki

This article is part of the HOWTO series.

This guide describes how to set up a PPTP VPN connection.

It assumes some prior knowledge: patching, configuring and installing a kernel, using Portage, editing configuration files and managing services.

Kernel configuration

Warning: Use of this software in the US may violate patent law.


Note: Kernel version < 2.6.15 requires a patch from http://mppe-mppc.alphacron.de/
Note: Kernel version >= 2.6.15 supports MPPE but not MPPC. To use MPPC, you need to undo the 2.6.15 MPPE patch and apply the MPPE/MPPC patch.

Configure your kernel

The project developers recommend building these features as modules. Not all of them are needed, but enabling all of them does no harm.

Linux Kernel Configuration: Common kernel settings
Networking Support -->
 Networking options -->
  <M> IP: GRE tunnels over IP
Cryptographic options  --->
 [*] HMAC support
 <M> MD5 digest algorithm
 <M> SHA1 digest algorithm
 <M> SHA256 digest algorithm
 <M> SHA384 and SHA512 digest algorithms
 <M> DES and Triple DES EDE cipher algorithms
 <M> ARC4 cipher algorithm
Linux Kernel Configuration: Kernel >= 2.6.15
Device Drivers --->
 Network device support --->
  <M> PPP (point-to-point protocol) support
    <M> PPP support for async serial ports
    <M> PPP support for sync tty ports
    <M> PPP Deflate compression
    <M> PPP BSD-Compress compression
    <M> PPP MPPE compression (encryption) (EXPERIMENTAL)
Cryptographic options  --->
 [*] Cryptographic API
Linux Kernel Configuration: Kernel < 2.6.15
Device Drivers --->
 Networking support --->
  <M> PPP (point-to-point protocol) support
  <M> PPP support for async serial ports
  <M> PPP support for sync tty ports
  <M> PPP Deflate compression
  <M> PPP BSD-Compress compression
  <M> Microsoft PPP compression/encryption (MPPC/MPPE)
Cryptographic options  --->
 [*] Cryptographic API
Linux Kernel Configuration: Kernel 2.4
Network device support  --->
 <M> PPP (point-to-point protocol) support
 <M> PPP support for async serial ports
 <M> PPP support for sync tty ports
 <M> PPP Deflate compression
 <M> PPP BSD-Compress compression
 <M> Microsoft PPP compression/encryption (MPPC/MPPE)
Cryptographic options  --->
 <M> AES cipher algorithms

Add the following to /etc/modules.autoload.d/kernel-2.6 if they were compiled as modules:

File: /etc/modules.autoload.d/kernel-2.6
ppp_mppe
sha1
ecb
arc4

Required software

Install net-dialup/ppp and net-dialup/pptpclient.

Note: If you patched the kernel with MPPE/MPPC support, enable the mppe-mppc USE flag for the ppp package; otherwise, disable it.

Setting up the connection

Throughout the configuration files replace the following:

  • VPNHOST: The hostname or IP address of the VPN server.
  • VPNNAME: A name of your choice for this connection.
  • DOMAIN: The domain your user belongs to on the VPN server (if there is none, remove DOMAIN\\).
  • VPNUSER: The login name for the VPN (may differ from your domain login).
  • VPNPASSWORD: The VPN password associated with VPNUSER.
  • PPPN: The network device for this connection (e.g. ppp0, ppp1).

Configure PPP

File: /etc/ppp/peers/VPNNAME
pty "pptp VPNHOST --nolaunchpppd"
name DOMAIN\\VPNUSER
require-mschap-v2
remotename VPNNAME
file /etc/ppp/options.VPNNAME
ipparam VPNNAME
File: /etc/ppp/options.VPNNAME

Lock the port

lock

Don't require the tunnel server to authenticate itself to the client (the client still authenticates with MS-CHAPv2):

noauth

Turn off unused transmission protocols:

nobsdcomp
nodeflate

For MPPE:

  • Using kernel >= 2.6.15:
require-mppe-128
  • Using kernel < 2.6.15:
mppe required,stateless

The following line may fix an "unsupported protocol" error:

mppe stateless

Sane mtu/mru:

mtu 1000
mru 1000

Timeout:

lcp-echo-failure 10
lcp-echo-interval 10
File: /etc/ppp/chap-secrets
DOMAIN\\VPNUSER VPNNAME VPNPASSWORD *
VPNNAME DOMAIN\\VPNUSER VPNPASSWORD *
Note: If the passwords contain any special characters, quote them. See man pppd for more details. Because this file holds the password in clear text, keep it owned by root with mode 0600.
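As an added example (not from the wiki page), the following POSIX shell script writes the peers file, the options file and the chap-secrets entries described above from the placeholder values, and creates chap-secrets with mode 0600 so the clear-text password is readable only by root. It assumes a kernel >= 2.6.15 (so it writes require-mppe-128) and takes a prefix directory as its first argument, so it can be tried in a scratch directory before writing to the real /etc; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the wiki page: write the three pppd files from the
# placeholder values in one step, and create chap-secrets root-only (0600)
# because it stores the password in clear text.
# Assumptions: kernel >= 2.6.15 (MPPE line is "require-mppe-128"); PREFIX is
# a scratch directory for testing, or "" to write to the real /etc/ppp.

# render_login DOMAIN VPNUSER -> prints DOMAIN\\VPNUSER, or just VPNUSER when
# DOMAIN is empty. pppd treats a backslash as an escape, so the files need two.
render_login() {
    if [ -n "$1" ]; then
        printf '%s\\\\%s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# write_pptp_config PREFIX VPNHOST VPNNAME DOMAIN VPNUSER VPNPASSWORD
write_pptp_config() {
    prefix=$1; vpnhost=$2; vpnname=$3; domain=$4; vpnuser=$5; vpnpass=$6
    pppdir="$prefix/etc/ppp"
    login=$(render_login "$domain" "$vpnuser")
    mkdir -p "$pppdir/peers"

    # /etc/ppp/peers/VPNNAME
    {
        printf 'pty "pptp %s --nolaunchpppd"\n' "$vpnhost"
        printf 'name %s\n' "$login"
        printf 'require-mschap-v2\n'
        printf 'remotename %s\n' "$vpnname"
        printf 'file /etc/ppp/options.%s\n' "$vpnname"
        printf 'ipparam %s\n' "$vpnname"
    } > "$pppdir/peers/$vpnname"

    # /etc/ppp/options.VPNNAME
    {
        printf 'lock\nnoauth\nnobsdcomp\nnodeflate\n'
        printf 'require-mppe-128\n'
        printf 'mtu 1000\nmru 1000\n'
        printf 'lcp-echo-failure 10\nlcp-echo-interval 10\n'
    } > "$pppdir/options.$vpnname"

    # /etc/ppp/chap-secrets: create it with 0600 before the password goes in;
    # the password is quoted so special characters survive pppd's parser.
    secrets="$pppdir/chap-secrets"
    ( umask 077; : >> "$secrets" )
    chmod 600 "$secrets"
    printf '%s %s "%s" *\n' "$login" "$vpnname" "$vpnpass" >> "$secrets"
    printf '%s %s "%s" *\n' "$vpnname" "$login" "$vpnpass" >> "$secrets"
}

# file_mode FILE -> the permission string as shown by ls -l, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (constructed values):
#   write_pptp_config /tmp/pptp-test vpn.example.com office EXAMPLE alice 's3cret!'
#   file_mode /tmp/pptp-test/etc/ppp/chap-secrets   # -rw-------
```

Run it once with a scratch prefix, inspect the generated files, then re-run with an empty prefix as root. Passwords containing a double quote would need additional escaping, which this script does not attempt.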

Gentoo specific configuration

When using a recent enough ppp package, the connection is configured in /etc/conf.d/net:

File: /etc/conf.d/net
config_PPPN=( "ppp" )
pppd_PPPN=(
  "persist"
  "call VPNNAME"
  "holdoff 10"
  "mru 1460"
  "mtu 1460"
  "idle 600"
)
link_PPPN="pty \"pptp VPNHOST --nolaunchpppd\""

For older ppp versions use:

File: /etc/conf.d/net.ppp0
PEER="VPNNAME"                 # Define peer (aka ISP)
DEBUG="no"                     # Turn on debugging
PERSIST="yes"                  # Redial after being dropped
ONDEMAND="no"                  # Only bring the interface up on demand?
HOLDOFF="10"
MRU="1460"                     # Sets the MRU
MTU="1460"                     # Sets the MTU
RETRYTIMEOUT="60"              # Retry timeout for when ONDEMAND="yes" or
IDLETIMEOUT="600"              # Idle timeout for when ONDEMAND="yes"
PEERDNS="no"                   # Should pppd set the peer dns?
AUTOCFGFILES="no"              # By default this scripts will generate
                               # /etc/ppp/chat-isp, /etc/ppp/chap-secrets,
                               # /etc/ppp/pap-secrets and /etc/ppp/peers/isp
                               # automatically.  Set to "no" if you experience
                               # problems, or need specialized scripts.  You
                               # will have to create these files by hand then.
AUTOCHATSCRIPT="no"            # By default this script will generate
                               # /etc/ppp/chat-${PEER} automatically. Set to "no"
                               # if you experience problems, or need specialized
                               # scripts. You will have to create these files by
                               # hand then.
TEMPLATEDIR=/etc/ppp

In either case, create the Gentoo init script symlink:

# ln -s /etc/init.d/net.lo /etc/init.d/net.PPPN

Test the connection

To verify that the VPN connection works, run:

pon VPNNAME debug dump logfd 2 nodetach
Note: If you get something like "Received bad configure-ack:", try commenting out the "mtu" and "mru" lines in /etc/ppp/options.VPNNAME.
Note: If the output of the above command shows that you received an IP address but ifconfig does not show it, try running the Gentoo init script (see below).

If everything is correct, you will have a VPN connection up and running:

# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:996  Metric:1
          RX packets:10074 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11773 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:5604182 (5.3 Mb)  TX bytes:6636122 (6.3 Mb)

If you experience problems, please look at the pptpclient Diagnosis HOWTO.

Start the connection

Once the connection is configured, use /etc/init.d/net.PPPN to start and stop it.

Routing

If you need to communicate with the internal network through the VPN server, set an additional route (or routes) for the IP addresses you want to connect to.

This example forwards traffic to 192.168.0.* through the VPN.

Code: routing client-to-lan
route add -net 192.168.0.0 netmask 255.255.255.0 dev PPPN

To have this run after the ppp interface is up, add this to /etc/conf.d/net:

File: /etc/conf.d/net
postup() {
    # Only add the route when the VPN interface comes up
    if [[ ${IFACE} = "PPPN" ]]; then
        /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 dev PPPN
    fi
    return 0
}
Note: If you already have a postup function in that file, incorporate this one into it.

See the pptpclient Routing HOWTO for more ways to route your network, such as LAN-to-LAN and "All Traffic through tunnel".

To route all traffic through the tunnel, add a script to /etc/ppp/ip-up.d/ and one to /etc/ppp/ip-down.d/: the first sets up the routing table when the tunnel comes up, the second restores it after the tunnel is closed. For instance, the script that routes all traffic through the VPN tunnel should look like this:

File: /etc/ppp/ip-up.d/60-routes.sh
#!/bin/sh

# pppd ip-up script for all-to-tunnel routing

## Direct tunnelled packets to the tunnel server
route add -host <pptp_server> gw <gateway_ip> dev <default_nw_iface>

## direct all other packets into the tunnel
route del default dev <default_nw_iface>
route add default dev <pptp_vpn_iface>

To restore the routing table after the VPN tunnel is closed, create a script in /etc/ppp/ip-down.d/ like this:

File: /etc/ppp/ip-down.d/60-routes.sh
#!/bin/sh

route del -host <pptp_server> dev <default_nw_iface>

route del default dev <pptp_vpn_iface>
route add default gw <gateway_ip> dev <default_nw_iface>
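The two scripts above hardcode <gateway_ip> and <default_nw_iface>, which change whenever the client moves to another network. As an added example (not from the wiki page), this POSIX shell helper reads the current default route from "route -n" output, pins the PPTP server through it, moves the default route into the tunnel, and saves the old gateway so the ip-down side restores exactly what was removed rather than a hardcoded value. The calling convention mentioned in the comments (ppp interface as $1, ipparam as $6) is pppd's ip-up/ip-down convention and is assumed here rather than stated on the page; the function names are my own, ROUTE_CMD=echo gives a dry run, and the sample route table is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: ip-up.d / ip-down.d helper for
# all-traffic-through-tunnel routing. It discovers the current default
# gateway instead of hardcoding <gateway_ip> and remembers it for ip-down.
# Assumptions (not on the page): pppd calls ip-up/ip-down scripts with
# $1 = ppp interface and $6 = ipparam (VPNNAME in the peers file).

ROUTE_CMD="${ROUTE_CMD:-route}"      # set to "echo" for a dry run
STATE_DIR="${STATE_DIR:-/var/run}"   # where the saved gateway is kept

# default_gateway: print the gateway of the default route from "route -n"
# style text on stdin (first line with destination 0.0.0.0 and flag G).
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# default_iface: print the interface carrying that default route.
default_iface() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $NF; exit }'
}

# tunnel_up SERVER_IP PPP_IFACE ROUTE_TABLE_TEXT
# Pins the PPTP server to the old gateway, then moves the default route into
# the tunnel. Saves the old gateway/interface so tunnel_down can undo it.
# Refuses to touch anything if no default route is found.
tunnel_up() {
    server=$1; pppif=$2; table=$3
    gw=$(printf '%s\n' "$table" | default_gateway)
    gwif=$(printf '%s\n' "$table" | default_iface)
    if [ -z "$gw" ] || [ -z "$gwif" ]; then
        echo "tunnel_up: no default gateway found, leaving routes alone" >&2
        return 1
    fi
    printf '%s %s\n' "$gw" "$gwif" > "$STATE_DIR/pptp-route.$pppif"
    $ROUTE_CMD add -host "$server" gw "$gw" dev "$gwif"
    $ROUTE_CMD del default dev "$gwif"
    $ROUTE_CMD add default dev "$pppif"
}

# tunnel_down SERVER_IP PPP_IFACE: restore the routes saved by tunnel_up.
tunnel_down() {
    server=$1; pppif=$2
    state="$STATE_DIR/pptp-route.$pppif"
    if [ ! -r "$state" ]; then
        echo "tunnel_down: no saved state for $pppif" >&2
        return 1
    fi
    read -r gw gwif < "$state"
    $ROUTE_CMD del -host "$server" dev "$gwif"
    $ROUTE_CMD del default dev "$pppif"
    $ROUTE_CMD add default gw "$gw" dev "$gwif"
    rm -f "$state"
}

# Constructed sample of "route -n" output (documentation addresses) so the
# parsers can be exercised without a live system.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Hypothetical wiring for /etc/ppp/ip-up.d/60-routes.sh: act only on the VPN
# link (ipparam VPNNAME) and resolve VPNHOST to an IP before adding the route:
#   [ "$6" = "VPNNAME" ] || exit 0
#   tunnel_up "$(getent hosts VPNHOST | awk '{ print $1; exit }')" "$1" "$(route -n)"
# and for ip-down.d:
#   [ "$6" = "VPNNAME" ] || exit 0
#   tunnel_down "$(getent hosts VPNHOST | awk '{ print $1; exit }')" "$1"
```

The ipparam check matters because every ppp link on the machine runs the same ip-up.d scripts; without it, a dial-up or second VPN link would also hijack the default route. Try it first with ROUTE_CMD=echo and STATE_DIR pointing at a scratch directory to see the exact route commands that would be issued.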

Troubleshooting

'No such device' when loading ppp_mppe module

Make sure the modules listed in the kernel configuration section are autoloaded.

Resources