Setup OpenBSD PPTP VPN server with Poptop


First we will need Poptop. Poptop lets a BSD or Linux host act as a server in a Microsoft PPTP VPN environment.
Poptop features:
# Microsoft compatible authentication and encryption (MSCHAPv2, MPPE 40 - 128 bit RC4 encryption)
# Support for multiple client connections
# Seamless integration into a Microsoft network environment (LDAP, SAMBA) using RADIUS plugin
# Works with Windows 95/98/Me/NT/2000/XP PPTP clients

Now download and install poptop.

# pkg_add poptop-1.1.4.b4p1

Let's configure Poptop. The first file to edit is /etc/pptpd.conf; only a few things need to be changed:
option /etc/ppp/ppp.conf

# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)

localip 10.100.9.1

# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)

remoteip 10.100.9.2-254

# IP address of external LAN interface:
listen 10.100.10.10

pidfile /var/run/pptpd.pid

The IP 10.100.9.1 will be assigned to the tun0 interface, and clients will receive addresses from 10.100.9.2-254.
You may wonder why I'm giving 10.100.10.10 as my external IP address. The answer is that I redirect all traffic to
TCP port 1723, and all GRE traffic, to the local IP address 10.100.10.10:
rdr pass on $ext_if inet proto tcp from any to any port = pptp -> 10.100.10.10 port 1723
rdr pass on $ext_if inet proto gre all -> 10.100.10.10

Poptop handles only authentication and encryption; everything else is passed to the native OpenBSD PPP daemon.
So it is time to tell PPP exactly what we want.
Put the following in /etc/ppp/ppp.conf:
loop:
      set timeout 0
      set log phase chat connect lcp ipcp command
      set device localhost:pptp
      set dial
      set login
      set mppe * stateful
      # Server (local) IP address, range for clients, and netmask
      # Use the same IP addresses you specified in /etc/pptpd.conf:
      set ifaddr 10.100.9.1 10.100.9.2-10.100.9.254 255.255.255.255
      set server /tmp/loop "" 0177

loop-in:
      set timeout 0
      set log phase lcp ipcp command
      allow mode direct
pptp:
      load loop
      # Disable insecure authentication methods (PAP, CHAP); allow only MS-CHAPv2
      disable pap
      disable chap
      enable mschapv2
      disable deflate pred1
      deny deflate pred1
      disable ipv6
      accept mppe
      enable proxy
      accept dns
      # DNS server to assign to clients
      # Use your own DNS server IP address:
      set dns 10.100.10.10
      # Run /etc/ppp/secure for each incoming call
      set device !/etc/ppp/secure

We need to create the file /etc/ppp/secure with the following content:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Make the file executable after creating it:
# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:
# Authname Authkey      Peer's IP address        Label   Callback
username       password       *

Do not forget to chmod 0400 /etc/ppp/ppp.secret after editing it. The * means that this user will be
automatically allocated a free IP address; alternatively you can specify a static address for the user.
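As an added check (not part of the original post or of Poptop), this POSIX shell script verifies that the files above agree with each other and carry the hardening the tutorial relies on: the same server endpoint in pptpd.conf and ppp.conf, a listen address, PAP and CHAP disabled with MS-CHAPv2 enabled, ppp.secret at mode 0400, and /etc/ppp/secure executable. The write_samples helper builds a constructed copy of the tutorial's files so the check runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Consistency check for the Poptop/ppp files described above. Added example, not
# from the original post or the Poptop project. $1 is a directory laid out like
# /etc: pptpd.conf, ppp/ppp.conf, ppp/ppp.secret, ppp/secure.

# Value of a key in pptpd.conf (localip, listen, ...); comment lines never match.
pptpd_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Succeeds if ppp.conf contains the two-word directive "$2 $3", e.g. "disable pap".
ppp_has() { awk -v a="$2" -v b="$3" '$1 == a && $2 == b { f = 1 } END { exit !f }' "$1"; }

# Prints one line per problem, then "problems: N". Always returns 0.
check_pptp_config() {
    d=${1:-/etc}; n=0
    pptpd="$d/pptpd.conf"; conf="$d/ppp/ppp.conf"; secret="$d/ppp/ppp.secret"
    localip=$(pptpd_value "$pptpd" localip)
    ifaddr=$(awk '$1 == "set" && $2 == "ifaddr" { print $3; exit }' "$conf")
    # The server-side endpoint must be identical in pptpd.conf and ppp.conf.
    [ -n "$localip" ] && [ "$localip" = "$ifaddr" ] ||
        { echo "localip '$localip' does not match 'set ifaddr' '$ifaddr'"; n=$((n + 1)); }
    # Without 'listen', pptpd accepts connections on every address, not just the redirected one.
    [ -n "$(pptpd_value "$pptpd" listen)" ] ||
        { echo "no 'listen' address in pptpd.conf"; n=$((n + 1)); }
    # Only MS-CHAPv2 should be offered; PAP and CHAP must be explicitly disabled.
    for want in "disable pap" "disable chap" "enable mschapv2"; do
        ppp_has "$conf" $want || { echo "ppp.conf lacks '$want'"; n=$((n + 1)); }  # $want split on purpose
    done
    # ppp.secret holds cleartext passwords and must be mode 0400.
    [ -n "$(find "$secret" -prune -perm 0400 2>/dev/null)" ] ||
        { echo "$secret is not mode 0400"; n=$((n + 1)); }
    # ppp runs /etc/ppp/secure via 'set device !...', so it has to be executable.
    [ -x "$d/ppp/secure" ] || { echo "$d/ppp/secure is not executable"; n=$((n + 1)); }
    echo "problems: $n"
}

# Constructed sample tree mirroring the tutorial's files. "bad" plants the mistakes
# the check exists to catch: mismatched endpoint, CHAP left on, world-readable secret.
write_samples() {
    mkdir -p "$1/ppp"
    printf 'option /etc/ppp/ppp.conf\nlocalip 10.100.9.1\nremoteip 10.100.9.2-254\nlisten 10.100.10.10\n' > "$1/pptpd.conf"
    if [ "$2" = good ]; then addr=10.100.9.1 chap='disable chap' mode=0400
    else addr=10.100.9.5 chap='enable chap' mode=0644; fi
    printf 'pptp:\n disable pap\n %s\n enable mschapv2\n set ifaddr %s 10.100.9.2-10.100.9.254 255.255.255.255\n' \
        "$chap" "$addr" > "$1/ppp/ppp.conf"
    printf 'username password *\n' > "$1/ppp/ppp.secret"; chmod "$mode" "$1/ppp/ppp.secret"
    printf '#!/bin/sh\nexec /usr/sbin/ppp -direct loop-in\n' > "$1/ppp/secure"; chmod u+x "$1/ppp/secure"
}
```

Run it as `check_pptp_config` with no argument to inspect the live /etc tree, or point it at a staging copy before deploying.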

To start Poptop automatically at boot, add the following lines to /etc/rc.local:

if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd";    /usr/local/sbin/pptpd -d
fi

Now it is time for PF. First make sure your configuration works before adding other PF rules.
Before you begin with PF, make sure IP forwarding and GRE are allowed:
# sysctl net.inet.gre.allow=1   (thanks to vaiojunkie)

These two lines should be in /etc/sysctl.conf so the settings survive the next reboot and PF works as expected:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.gre.allow=1

This is the simple PF configuration:

rdr pass on $ext_if inet proto tcp from any to any port = pptp -> 10.100.10.10 port 1723
rdr pass on $ext_if inet proto gre all -> 10.100.10.10

pass in on tun0 from any to any keep state
pass out on tun0 from any to any keep state

If you prefer, replace the rdr rules with the following lines, and change "listen 10.100.10.10" to the IP address assigned to $ext_if (your external interface):
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state

After you are connected to the server, check tun0:
# ifconfig tun0
tun0: flags=8051 mtu 1398
        groups: tun
        inet 10.100.9.1 -> 10.100.9.33 netmask 0xffffffff

Since OpenBSD 4.2 you can also limit bandwidth on tun(4) interfaces.


Hi

Thanks for the easy to follow tutorial. I've been using Linux for a while but I'm currently migrating over to BSD, it's tutorials like these that help ease the pain.

I did notice that I had to run the following before I could get my XP boxes to connect:
sysctl net.inet.gre.allow=1

Maybe you would like to add it to the tutorial.

Thanks Again.

Wayne

Thanks for the comment. I added the necessary changes.