Following up on my previous series on implementing VPN
tunnels with OpenBSD, I thought I should cover the configuration of another VPN
implementation, PPTP. PPTP stands for 'Point to Point Tunnelling Protocol.' This
allows users to 'dial-in' to access files or services on the internal corporate
network, from any Internet connection. The great thing about PPTP versus other
remote 'dial-in' types of VPN is that Microsoft Windows
(95/98/Me/NT/2000/XP/Vista) has a PPTP client built in, which means
administrators don't have to deal with any additional client software and theproblems that normally accompany it.
By far the most popular Open-Source PPTP server offering is Poptop. Poptop has the following features:
- Microsoft compatible authentication and encryption (MSCHAPv2, MPPE 40 - 128 bit RC4 encryption)
- Support for multiple client connections
- Seamless integration into a Microsoft network environment (LDAP, SAMBA) using RADIUS plugin
- Works with Windows 95/98/Me/NT/2000/XP PPTP clients
- Works with Linux PPTP client
- Poptop is, and will remain, totally free under the GNU General Public License
While there isn't source for OpenBSD on the Poptop project
packages archive. I'm going to run through installing and configuring Poptop on
an almost clean OpenBSD 3.7 installation; in fact, it's the exact same systemwhich I have just used in the IPSec tutorials.
I found the Poptop package here.
While I should use the
mirror, it's slow and often incomplete, and the German mirror sites are usually
fast and exact! Note that this is the package for OpenBSD 3.7. If you're using
another release of OpenBSD, then be sure to get the package from the correct
branch. I don't think there would be a problem but the packaging system mayhave been modified between releases.
Getting Poptop running is not as simple as it initially sounds. We have to go through the following process:
- Recompile BSD Kernel for GRE support and additional tun devices.
- Create additional tun devices.
- Install package.
- Configure Poptop to run with full strength encryption.
- Allow Poptop traffic through the firewall.
I know recompiling the Kernel can sound quite scary to
someone who hasn't done this before. It did to me. This was required when I
first performed a Poptop installation with OpenBSD 3.6. I don't know if it's
still required, but as far as I can tell it is, (if anyone knows otherwise then
please let me know!). You don't need to do this for every system built. I did
it the first time and then kept a copy of the new kernel to use on laterinstalls.
The following process is just one way in which Poptop can be
configured, but I'm sure there are others. I found this quite difficult the
first time with various mailing lists and forum posts giving conflicting
information. Hopefully, this guide brings all of the correct informationtogether into one place.
First of all, copy and unzip the system source files to your
/usr/src directory. I won't go in to too much detail with explaining simple
actions like this, I'm assuming by now most people following these tutorials
are pretty comfortable with performing basic operations in BSD. The source will
be located in files called src.tar.gz, and sys.tar.gz, either located on yourinstallation CD or downloaded from the OpenBSD FTP servers.
# tar xzf src.tar.gz C /usr/src/
# tar xzf sys.tar.gz C /usr/src/
Move to the platform independent config directory and create a copy of the GENERIC config file:
# cd /usr/src/sys/conf
# cp ./GENERIC ./Custom-Poptop-build
Now we need to edit the config,
# vi ./Custom-Poptop-build
First comment out the inbuilt GRE support:
#pseudo-device gre # GRE encapsulation interface
Secondly increase the number of tun devices to match the
maximum number of concurrent users you expect to have connected. I have set
this to 50, which is much more that I will ever need (I would say 10 is enoughfor my needs):
pseudo-device tun 50 # network tunneling over tty
Now lets rebuild the kernel; we need to create a copy of the platform dependent configuration file:
# cd /usr/src/sys/arch/i386/conf
# cp ./GENERIC ./Custom-Poptop-build
Edit this config file to point to the previously modified platform independent config:
# vi ./Custom-Poptop-config
Now start the building process:
# config ./Custom-Poptop-build
# cd ../compile/Custom-Poptop-build
# make depend && make
Hopefully you shouldn't get any nasty errors thrown up. Once
the build process has completed you should find the kernel (filename is simply 'bsd')with the size 4.9MB. Let's now replace the default kernel:
# cp /bsd /bsd.old
# cp./bsd /bsd
Now a reboot will verify that all is working okay. After
logon you should see the name of your new kernel (Custom-Poptop-build) to the
right of the timestamp. Well that's the kernel recompiled; it wasn't as tricky
as it sounds was it? That's enough for one installment. In the next one, we'll
continue with creating the additional tun devices that you'll need, and thenactually installing and configuring the Poptop package.