Setting up a PPTP/MPPE VPN

 


    Author: MAIL_FSMLABS

    Last updated: 17 Nov 2003


    Copyright (c) 2002 MAIL_FSMLABS.
    Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the GNU Free Documentation License is included here.


    Overview

    Microsoft has defined some extensions to the Point-to-Point Tunneling Protocol (PPTP), which allow it to be used for VPNs. Authentication is accomplished using Microsoft's variant of the Challenge Handshake Authentication Protocol (MS-CHAP), and encryption is performed according to the Microsoft Point-to-Point Encryption (MPPE) mechanism.

    The principle is to tunnel PPP in IP and to use CHAP authentication with PPP. Encryption is implemented as a PPP compression module. On Linux, MPPE needs to be compiled as a kernel module; CHAP is already supported by recent pppd distributions. Both a PPTP server (PoPToP) and a PPTP client are available for Linux.

    PPTP/MPPE is implemented by both Windows servers and clients, but it has a couple of security weaknesses that allow dictionary attacks against the passwords used as authentication and encryption secrets. Due to US export restrictions, the RC4 stream cipher employed by MPPE may only be used with 40-bit keys, which is not considered secure today. PPTP/MPPE therefore cannot be recommended for security-critical applications.

    HOWTO

    This section describes how to set up a PPTP client on a SuSE 7.2 Linux system with a fresh 2.4.x kernel from kernel.org. To simulate the server side, we use the pptpd package coming with the SuSE 7.2 distribution.

    Getting the Client software

    SuSE 7.2 does not contain the PPTP client software, so you have to get it from URL_VISIBLE(http://pptpclient.sourceforge.net/). We downloaded the pptp-linux-1.1.0-1.tar.gz and ppp-mppe-2.4.0-4.tar.gz archives. The former contains the client software; the latter includes the kernel modules and the pppd daemon.

    Compiling pppd

    The pppd coming with SuSE has MPPE support already built-in. If you need to compile pppd yourself, do the following:

      # cd ppp-mppe-2.4.0-4
      # sh unpack.sh
      # cd ppp-2.4.0
      # ./configure
      # make
      

    You should now find the pppd executable in the pppd/ subdirectory.

    Compiling the Kernel Modules

    The SuSE kernels already contain the MPPE compression module as ppp_mppe.o and have the modules.conf file set up correctly. However, if you use a fresh 2.4.x kernel from kernel.org, you will have to compile this module yourself. To this end, unpack the ppp-mppe-2.4.0-4.tar.gz archive and do the following:

      # cd ppp-mppe-2.4.0-4/ppp-2.4.0/linux-kernel/kernel
      # make TREE=/usr/src/linux-2.4.17 VERSION=2.4.17
      

    Expect some compiler warnings (the kernel modules were actually written for kernel version 2.4.0), but make should not report any compiler errors. The built kernel modules are mppe.o and ppp_generic.o. Install these in /lib/modules on the target machine; they are needed on both the server and the client.

    Make sure that the following lines are present in /etc/modules.conf and that the modules can be found by modprobe (use path directives such as path[net] if necessary):

      alias ppp0                ppp_generic
      alias tty-ldisc-3         ppp_async
      alias ppp-compress-18     mppe
      

    Compiling the PPTP client

      # tar xzf pptp-linux-1.1.0-1.tar.gz
      # cd pptp-linux-1.1.0-1
      # tar xzf pptp-linux-1.1.0.tar.gz
      # cd pptp-linux-1.1.0
      # make
      

    You should now have the pptp executable in the current directory.

    Setting up the Server

    1. Edit /etc/pptpd.conf to include something like:

        speed 115200
        option /etc/ppp/options.ppp0
        debug
        localip 192.168.13.1
        remoteip 192.168.13.100-199
        pidfile /var/run/pptpd.pid
        
    2. Edit /etc/ppp/options.ppp0 to include something like:

        lock
        debug
        auth
        +chap
        +chapms-v2
        require-chapms-v2
        mppe-40
        mppe-128
        mppe-stateless
        name server_name
        proxyarp
        
    3. Edit /etc/ppp/chap-secrets to include the authentication data:

        # client        server          password        IP addresses
        client_name     server_name     "passwd1"       192.168.13.0/24
        server_name     client_name     "passwd2"       192.168.13.0/24
        

      The second line is only needed if the server should also authenticate itself to the client (which is highly recommended for VPNs).

    4. Start pptpd.

    Setting up the Client

    1. Edit /etc/ppp/peers/server_name to contain the following options:

        lock
        debug
        auth
        +chap
        +chapms-v2
        require-chapms-v2
        mppe-128
        mppe-stateless
        name client_name
        proxyarp
        nodeflate
        nobsdcomp
        

      The auth and require-chapms-v2 options are only needed if the server should also authenticate itself to the client (which is highly recommended for VPNs).

    2. Edit /etc/ppp/chap-secrets to include the authentication data:

        # client        server          password        IP addresses
        client_name     server_name     "passwd1"       192.168.13.0/24
        server_name     client_name     "passwd2"       192.168.13.0/24
        

      The second line is only needed if the server should also authenticate itself to the client (which is highly recommended for VPNs).

    3. Start the PPTP client:

        # pptp server_dns_or_ip call server_name 192.168.13.100:192.168.13.1
        

    You should now see a couple of debug messages scrolling down the screen, which should inform you that CHAP authentication was successful and that mppe-128 "compression" is enabled.

    Note: If mutual authentication is enabled, the authentication messages seem to be ignored by the peers for quite a while. This problem has not yet been investigated.
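    The following script is an added example and not part of the original HOWTO: it audits pppd options files and chap-secrets files of the form shown in the server and client sections above for the weaknesses the Overview warns about (40-bit MPPE allowed, no mppe-128, no forced MS-CHAPv2, no peer authentication, world-readable secrets, missing server-to-client secret). The file paths and the sample file contents it creates are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit the pppd options and
# chap-secrets files described above for the weak settings the Overview warns
# about. File paths and the sample contents below are constructed assumptions.

# active_opts FILE: one option per line, comments and blank lines removed.
active_opts() { sed 's/#.*//' "$1" | awk 'NF { print $1 }'; }

# audit_options FILE: report weak settings on stderr, print the finding count.
audit_options() {
    n=0; o=$(active_opts "$1")
    echo "$o" | grep -qx 'mppe-40' && {
        echo "WEAK $1: mppe-40 lets the peer negotiate 40-bit RC4" >&2; n=$((n+1)); }
    echo "$o" | grep -qx 'mppe-128' || {
        echo "WEAK $1: mppe-128 is not offered" >&2; n=$((n+1)); }
    echo "$o" | grep -qx 'require-chapms-v2' || {
        echo "WEAK $1: require-chapms-v2 missing, weaker CHAP may be negotiated" >&2; n=$((n+1)); }
    echo "$o" | grep -qx 'auth' || {
        echo "WEAK $1: auth missing, the peer is not required to authenticate" >&2; n=$((n+1)); }
    echo "$n"
}

# has_secret FILE CLIENT SERVER: succeed if a CLIENT/SERVER secret line exists.
has_secret() { sed 's/#.*//' "$1" | awk -v c="$2" -v s="$3" '$1 == c && $2 == s' | grep -q .; }

# audit_secrets FILE CLIENT SERVER: check mode 0600 and that secrets exist in
# both directions (mutual authentication); print the finding count.
audit_secrets() {
    n=0
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "WEAK $1: secrets are readable by group or other" >&2; n=$((n+1)) ;;
    esac
    has_secret "$1" "$2" "$3" || { echo "WEAK $1: no secret for $2 -> $3" >&2; n=$((n+1)); }
    has_secret "$1" "$3" "$2" || {
        echo "WEAK $1: no secret for $3 -> $2, server cannot authenticate itself" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed sample files mirroring the HOWTO's server configuration.
SERVER_OPTS=$(mktemp); SERVER_SECRETS=$(mktemp)
printf '%s\n' lock debug auth +chap +chapms-v2 require-chapms-v2 \
    mppe-40 mppe-128 mppe-stateless 'name server_name' proxyarp > "$SERVER_OPTS"
printf '%s\n' '# client  server  password  IP addresses' \
    'client_name server_name "passwd1" 192.168.13.0/24' \
    'server_name client_name "passwd2" 192.168.13.0/24' > "$SERVER_SECRETS"
chmod 600 "$SERVER_SECRETS"
echo "options findings: $(audit_options "$SERVER_OPTS")"   # 1 (mppe-40 is present)
echo "secrets findings: $(audit_secrets "$SERVER_SECRETS" client_name server_name)"   # 0
```

Run it against /etc/ppp/options.ppp0 and /etc/ppp/chap-secrets on the server, and against /etc/ppp/peers/server_name on the client, by calling the two audit functions with those paths; a count of 0 means none of the listed weaknesses was found.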