Enterprise Software

Remote Access: PPTP VPN with OpenBSD Tutorial, part 1

Following up on my previous series on implementing VPN

tunnels with OpenBSD, I thought I should cover the configuration of another VPN

implementation, PPTP. PPTP stands for 'Point to Point Tunnelling Protocol.' This

allows users to 'dial-in' to access files or services on the internal corporate

network, from any Internet connection. The great thing about PPTP versus other

remote 'dial-in' types of VPN is that Microsoft Windows

(95/98/Me/NT/2000/XP/Vista) has a PPTP client built in, which means

administrators don't have to deal with any additional client software and the

problems that normally accompany it.

By far the most popular Open-Source PPTP server offering is Poptop. Poptop has the following features:

  • Microsoft compatible authentication and encryption (MSCHAPv2, MPPE 40 - 128 bit RC4 encryption)
  • Support for multiple client connections
  • Seamless integration into a Microsoft network environment (LDAP, SAMBA) using RADIUS plugin
  • Works with Windows 95/98/Me/NT/2000/XP PPTP clients
  • Works with Linux PPTP client
  • Poptop is, and will remain, totally free under the GNU General Public License

While there isn't source for OpenBSD on the Poptop project

page, a port of Poptop is made available in the OpenBSD

packages archive. I'm going to run through installing and configuring Poptop on

an almost clean OpenBSD 3.7 installation; in fact, it's the exact same system

which I have just used in the IPSec tutorials.

I found the Poptop package here.

While I should use the UK

mirror, it's slow and often incomplete, and the German mirror sites are usually

fast and exact! Note that this is the package for OpenBSD 3.7. If you're using

another release of OpenBSD, then be sure to get the package from the correct

branch. I don't think there would be a problem but the packaging system may

have been modified between releases.

Getting Poptop running is not as simple as it initially sounds. We have to go through the following process:

  1. Recompile BSD Kernel for GRE support and additional tun devices.
  2. Create additional tun devices.
  3. Install package.
  4. Configure Poptop to run with full strength encryption.
  5. Allow Poptop traffic through the firewall.

I know recompiling the Kernel can sound quite scary to

someone who hasn't done this before. It did to me. This was required when I

first performed a Poptop installation with OpenBSD 3.6. I don't know if it's

still required, but as far as I can tell it is, (if anyone knows otherwise then

please let me know!). You don't need to do this for every system built. I did

it the first time and then kept a copy of the new kernel to use on later


The following process is just one way in which Poptop can be

configured, but I'm sure there are others. I found this quite difficult the

first time with various mailing lists and forum posts giving conflicting

information. Hopefully, this guide brings all of the correct information

together into one place.

First of all, copy and unzip the system source files to your

/usr/src directory. I won't go in to too much detail with explaining simple

actions like this, I'm assuming by now most people following these tutorials

are pretty comfortable with performing basic operations in BSD. The source will

be located in files called src.tar.gz, and sys.tar.gz, either located on your

installation CD or downloaded from the OpenBSD FTP servers.

# tar –xzf src.tar.gz –C /usr/src/
# tar –xzf sys.tar.gz –C /usr/src/

Move to the platform independent config directory and create a copy of the GENERIC config file:

# cd /usr/src/sys/conf
# cp ./GENERIC ./Custom-Poptop-build

Now we need to edit the config,

# vi ./Custom-Poptop-build

First comment out the inbuilt GRE support:

#pseudo-device  gre            # GRE encapsulation interface

Secondly increase the number of tun devices to match the

maximum number of concurrent users you expect to have connected. I have set

this to 50, which is much more that I will ever need (I would say 10 is enough

for my needs):

pseudo-device   tun     50       # network tunneling over tty

o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"



Now lets rebuild the kernel; we need to create a copy of the platform dependent configuration file:

# cd /usr/src/sys/arch/i386/conf
# cp ./GENERIC ./Custom-Poptop-build

Edit this config file to point to the previously modified platform independent config:

# vi ./Custom-Poptop-config


include “../../../conf/GENERIC”


include “../../../conf/Custom-Poptop-build”

Now start the building process:

# config ./Custom-Poptop-build
# cd ../compile/Custom-Poptop-build
# make depend && make

Hopefully you shouldn't get any nasty errors thrown up. Once

the build process has completed you should find the kernel (filename is simply 'bsd')

with the size 4.9MB. Let's now replace the default kernel:

# cp /bsd /bsd.old
# cp./bsd /bsd

Now a reboot will verify that all is working okay. After

logon you should see the name of your new kernel (Custom-Poptop-build) to the

right of the timestamp. Well that's the kernel recompiled; it wasn't as tricky

as it sounds was it? That's enough for one installment. In the next one, we'll

continue with creating the additional tun devices that you'll need, and then

actually installing and configuring the Poptop package.

Editor's Picks