Remote Access: PPTP VPN with OpenBSD, part 2


In last week's tutorial installment on PPTP VPN, we recompiled the kernel. The next step is to create the additional tun devices and finish installing and configuring Poptop.

Let's get started: tun0 to tun3 exist by default, so create the additional devices with the following, run from /dev:

# cd /dev
# sh ./MAKEDEV tun?

Here ? is the device number. I need to go from tun4 to tun49 to create the 50 concurrent devices I enabled in the kernel, so the command is repeated once per device (a short shell loop saves typing it 46 times).

Flying along now, we can get down to installing the Poptop package. Download the package from the repository of your choice and install with:

# pkg_add poptop-1.1.4.b4p1.tgz

A few errors are shown during the install, but they aren't anything to worry about. Let's get down to the Poptop configuration. The first file to edit is /etc/pptpd.conf. The addresses below (20.1.1.0/24 for the internal LAN, 10.21.7.63 as the external address) are the ones used throughout this example; substitute your own, and bear in mind that 20.1.1.0/24 is publicly routable address space, so a real LAN should use an RFC 1918 range:

option /etc/ppp/ppp.conf
# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)
localip 20.1.1.2
# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)
remoteip 20.1.1.200-250
# IP address of external LAN interface:
# (The IP which a remote users client will connect with)
listen 10.21.7.63
pidfile /var/run/pptpd.pid

Now /etc/ppp/ppp.conf needs to be configured. Poptop hands each incoming call to ppp(8) over a local loopback connection; the loop and loop-in sections below set that up, and the pptp section restricts authentication to MS-CHAPv2 and turns on MPPE encryption:

loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    set device localhost:pptp
    set dial
    set login
    set mppe * stateful
    # Server (local) IP address, range for clients, and netmask
    # Use the same IP addresses you specified in /etc/pptpd.conf:
    set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
    set server /tmp/loop "" 0177

loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct

pptp:
    load loop
    # Disable unsecured auth; MS-CHAPv2 is the only method left enabled
    disable pap
    disable chap
    enable mschapv2
    disable deflate pred1
    deny deflate pred1
    disable ipv6
    accept mppe
    enable proxy
    accept dns
    # DNS server to assign to the client
    # Use your own DNS server IP address:
    set dns 20.1.1.100
    # NetBIOS/WINS server to assign to the client
    # Use your own WINS server IP address:
    set nbns 20.1.1.100
    set device !/etc/ppp/secure

We need to create the file /etc/ppp/secure and add the following content:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Make the file executable after creating it, otherwise ppp cannot run it as a device:

# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:

username       password       *
username       password       staticip
username       password       *

After editing, chmod 0400 the file so that only root can read it: it holds the passwords in clear text, because MS-CHAPv2 needs the server to know the actual password rather than a hash. The * in the third field denotes that this user will be automatically allocated a free IP address from the remoteip range; you can alternatively specify a static address for this user.
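Because a mistake in ppp.secret either locks users out or leaves passwords readable, it is worth checking the file before starting pptpd. The script below is an added example, not part of the original article or of the Poptop package: it verifies the file is mode 0400 and that every entry has the three fields described above (ppp.secret also permits optional label and callback fields after the address, so it requires at least three rather than exactly three), that the address field is * or a dotted quad with an optional /bits suffix, and that no username is listed twice (ppp uses the first match). The sample entries in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an ppp.secret file before starting pptpd.
# Not from the original article; the checks and messages are this script's own.

# Permission string of a file, e.g. "-r--------". ls -l is used because the
# flags of stat(1) differ between OpenBSD and other systems.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Validate the entries. Every non-blank, non-comment line needs at least
# three fields (user, password, ip-or-*); the third field must be "*" or a
# dotted quad with an optional /bits suffix; usernames must be unique.
# Prints one problem per line and returns 1 if any were found.
check_secret_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF < 3 {
            printf "line %d: expected user password ip, got %d fields\n", NR, NF
            bad = 1; next
        }
        $3 != "*" && $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            printf "line %d: bad address %s\n", NR, $3
            bad = 1
        }
        seen[$1]++ {                            # true from the second sighting on
            printf "line %d: duplicate user %s\n", NR, $1
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Full check: the file exists, is mode 0400 (the article's chmod), and parses.
check_ppp_secret() {
    f=${1:-/etc/ppp/ppp.secret}
    if [ ! -f "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    mode=$(file_mode "$f")
    if [ "$mode" != "-r--------" ]; then
        echo "$f: mode is $mode, expected -r-------- (chmod 0400 $f)" >&2
        return 1
    fi
    check_secret_entries "$f"
}

# Run the check only when invoked as: sh check-secret.sh --check [file]
# Without --check the file just defines the functions (so it can be sourced).
case "${1:-}" in
    --check) check_ppp_secret "${2:-}" ;;
esac
```

A file such as `alice s3cret *` / `bob hunter2 20.1.1.201` with mode 0400 passes silently; the same file at mode 0644, or with a second `alice` line or an address like `notanip`, is reported and the script exits non-zero, which makes it usable from rc.local before the pptpd line.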

It's nice to have PPP log messages sent to their own log file, as this makes debugging easier and keeps things tidy. Add the following lines to /etc/syslog.conf:

!ppp
*.*                    /var/log/ppp.log

Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP (syslogd PID)

Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running (the privilege-separated child runs as _syslogd), so you need to use the one running as root; that is also the PID recorded in /var/run/syslog.pid.

Poptop can be launched manually; the -d switch enables debug output, which is useful while testing:

# /usr/local/sbin/pptpd -d 

To start Poptop automatically during boot, the following lines should be added to /etc/rc.local:

if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd"
    /usr/local/sbin/pptpd -d
fi

I would recommend doing this, as it would be easy to forget to start the daemon after rebooting and it takes no effort to set up. Once the setup is stable you may want to drop the -d switch from rc.local so debug output stops filling ppp.log.

Our last consideration is the firewall (Packet Filter). We need to allow inbound TCP connections to port 1723 on the external IP, inbound and outbound GRE on the external IP (GRE carries no port numbers, so the state entry is keyed on the address pair only), and all traffic on the tun devices. The two tun rules are shown for tun0 and tun1; repeat them for every tun device you created. If the set of remote clients is known, tighten `from any` to their addresses:

# PPTP Rules (VPN Dial in)

pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
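Creating 46 device nodes and writing 100 pf rules by hand is error-prone, so the script below does both. It is an added example, not from the original article or the Poptop package, and covers the MAKEDEV step from the start of this part as well as the tun rules above. The device range, the DEVDIR and MAKEDEV variables, and the RUN_PPTP_SETUP switch are this script's own conventions; MAKEDEV defaults to the real `sh ./MAKEDEV` in /dev and can be pointed at `echo` for a dry run.

```shell
#!/bin/sh
# Added example: create the tun device nodes and emit matching pf rules.
# Not from the original article; variable names and the RUN_PPTP_SETUP
# switch are assumptions of this script.

# Print tun<N> for N from $1 to $2 inclusive, one per line (plain POSIX sh).
tun_range() {
    i=$1
    while [ "$i" -le "$2" ]; do
        echo "tun$i"
        i=$((i + 1))
    done
}

# Create device nodes tun$1 .. tun$2 that do not exist yet.
# DEVDIR defaults to /dev; MAKEDEV defaults to "sh ./MAKEDEV" run inside it
# (set MAKEDEV=echo for a dry run that only prints what would be created).
make_tun_devices() {
    for dev in $(tun_range "$1" "$2"); do
        if [ -e "${DEVDIR:-/dev}/$dev" ]; then
            continue                 # already present (tun0-tun3 on a stock install)
        fi
        (cd "${DEVDIR:-/dev}" && ${MAKEDEV:-sh ./MAKEDEV} "$dev") || return 1
    done
}

# Emit the pair of pass rules the article writes for tun0 and tun1, for
# every tun interface in the range. Paste the output into /etc/pf.conf.
pf_tun_rules() {
    for dev in $(tun_range "$1" "$2"); do
        echo "pass in quick log on $dev all"
        echo "pass out quick log on $dev all"
    done
}

# Number of rules emitted for a range: two per interface.
pf_tun_rule_count() {
    pf_tun_rules "$1" "$2" | wc -l | tr -d ' '
}

# Nothing runs on load unless RUN_PPTP_SETUP=yes, so the file can be
# sourced (for example to test the functions) without touching /dev.
if [ "${RUN_PPTP_SETUP:-no}" = "yes" ]; then
    make_tun_devices 4 49 || exit 1     # tun0-tun3 exist already
    pf_tun_rules 0 49                   # rules for all 50 devices
fi
```

On the VPN box, `RUN_PPTP_SETUP=yes sh make-tun.sh > tun-rules.conf` creates tun4 through tun49 and leaves the pf rules in tun-rules.conf for inclusion in /etc/pf.conf; check with `pfctl -nf /etc/pf.conf` before loading them.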

Now all that's left is to test it. Reboot the machine to make sure that everything is started cleanly. Now, we just need to create a PPTP client connection and make sure it actually connects.

I'm using Windows XP as an example. Start the New Connection Wizard and select the option 'Connect to the network at my workplace'. The next option to select is 'Virtual Private Network connection' rather than Dial-up connection. Enter any name for the connection; the suggestion is 'Company Name'. There is an option at this stage to have an initial connection dialed before making the VPN connection. I prefer to disable this option, but the choice is yours. At the next step, enter the IP address or hostname of your gateway machine; this is the address seen by the outside world. In our example, this is 10.21.7.63, the IP specified in /etc/pptpd.conf with the listen directive.

That's the final step. Initiate the connection and enter a username/password from the ppp.secret file.

Once the connection is made you should be able to find your locally allocated IP in the VPN Status window, and you should also be able to ping an internal address (in my example 20.1.1.1 responds just fine).

One caveat before you rely on this for anything sensitive: MS-CHAPv2 is the strongest authentication PPTP offers, and the MPPE session keys are derived from the same MS-CHAPv2 exchange. The handshake has since been shown to be breakable offline by anyone who captures it, which exposes both the user's password hash and the session traffic, so treat PPTP as convenient remote access rather than strong confidentiality.

I hope this has been an easy-to-follow guide to configuring PPTP access using OpenBSD and Poptop. If you have any problems following this guide, let me know.

2 comments
oscar_ross

Hi, I followed the setup instructions to set up a PPTP VPN to an OpenBSD LAN gateway/firewall. Still, I could not make it work when assigning IP addresses from the same LAN subnet to the clients. To be more specific, the LAN behind the firewall is in the 192.168.0.0/24 subnet. If I set up pptpd.conf with localip 192.168.0.10 remoteip 192.168.0.240-250 then I can connect to the VPN but cannot ping a single thing, not even the PPTP server. Checking the logs doesn't yield a single error message and arp -a does not show any entry for the VPN client. If I assign a set of addresses from a different subnet then everything works correctly, the OpenBSD box being set up as a router. BUT errors 'Cannot determine ethernet address for proxy arp' start popping up in the logs. Which I consider correct, proxy arp is not necessary in this case, routing gets the job done. Any ideas about what can be going wrong? Thanks for your help and for the guide :)

CG IT

not a question but a discussion on an article
