Networking

Remote Access: PPTP VPN with OpenBSD Tutorial, part 2


In last week's tutorial installment on PPTP VPN, we recompiled the kernel. The next step is to create the additional tun devices and finish installing and configuring Poptop.

Let's get started: tun0 to tun3 exist by default, so create additional devices with the following:

# cd /dev
# sh ./MAKEDEV tun?

Here ? is the device number. I need to go through from tun4 to tun49 to create the 50 concurrent devices I enabled in the kernel.

Flying along now, we can get down to installing the Poptop package. Download the package from the repository of your choice and install with:

# pkg_add poptop-1.1.4.b4p1.tgz

A few errors are shown, but they aren't anything to worry about. Let's get down to the Poptop configuration. The first file to edit is /etc/pptpd.conf:

option /etc/ppp/ppp.conf
# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)
localip 20.1.1.2
# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)
remoteip 20.1.1.200-250
# IP address of external LAN interface:
# (The IP which a remote users client will connect with)
listen 10.21.7.63
pidfile /var/run/pptpd.pid

Now /etc/ppp/ppp.conf needs to be configured to handle encryption via a loopback:

loop:
      set timeout 0
      set log phase chat connect lcp ipcp command
      set device localhost:pptp
      set dial
      set login
      set mppe * stateful
      # Server (local) IP address, Range for Clients, and Netmask
      # Use the same IP addresses you specified in /etc/pptpd.conf :
      set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
      set server /tmp/loop "" 0177
loop-in:
      set timeout 0
      set log phase lcp ipcp command
      allow mode direct
pptp:
      load loop
      # Disable unsecured auth
      disable pap
      disable chap
      enable mschapv2
      disable deflate pred1
      deny deflate pred1
      disable ipv6
      accept mppe
      enable proxy
      accept dns
      # DNS Servers to assign client
      # Use your own DNS server IP address :
      set dns 20.1.1.100
      # NetBIOS/WINS Servers to assign client
      # Use your own WINS server IP address :
      set nbns 20.1.1.100
      set device !/etc/ppp/secure
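The comment above asks for the same addresses in both files; as an added example (not part of the original tutorial), this Python script cross-checks that the localip and remoteip lines of /etc/pptpd.conf agree with the set ifaddr line of /etc/ppp/ppp.conf, expanding pptpd's last-octet shorthand (20.1.1.200-250) so the two ranges compare. The sample configuration text is constructed from the values above; a real run would read the two files.

```python
"""Cross-check PPTP address settings in pptpd.conf against ppp.conf (added example)."""
import ipaddress
import re

# Constructed samples mirroring the tutorial's values; a real check would read the files.
PPTPD_CONF = """option /etc/ppp/ppp.conf
localip 20.1.1.2
remoteip 20.1.1.200-250
listen 10.21.7.63
"""
PPP_CONF = """loop:
      set device localhost:pptp
      set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
"""

def expand_range(spec):
    """'20.1.1.200-250' (pptpd shorthand) or '20.1.1.200-20.1.1.250' -> (first, last)."""
    first, _, last = spec.partition("-")
    if not last:                       # a single address is a pool of one
        last = first
    elif "." not in last:              # shorthand: only the final octet is given
        last = first.rsplit(".", 1)[0] + "." + last
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)

def parse_pptpd(text):
    """Return {keyword: value} for the non-comment lines of pptpd.conf."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            keys[key] = value.strip()
    return keys

def parse_ifaddr(text):
    """Return (local address, (first, last)) from the first 'set ifaddr' in ppp.conf."""
    for line in text.splitlines():
        m = re.match(r"\s*set ifaddr\s+(\S+)\s+(\S+)", line)
        if m:
            return ipaddress.IPv4Address(m.group(1)), expand_range(m.group(2))
    raise ValueError("no 'set ifaddr' line found")

def check_consistency(pptpd_text, ppp_text):
    """Return a list of mismatches (empty when both files agree)."""
    pptpd = parse_pptpd(pptpd_text)
    local, pool = parse_ifaddr(ppp_text)
    problems = []
    if ipaddress.IPv4Address(pptpd["localip"]) != local:
        problems.append(f"localip {pptpd['localip']} differs from ifaddr {local}")
    if expand_range(pptpd["remoteip"]) != pool:
        problems.append(f"remoteip {pptpd['remoteip']} differs from pool {pool[0]}-{pool[1]}")
    if pool[0] <= local <= pool[1]:    # the server endpoint must not be a client address
        problems.append(f"server address {local} lies inside the client pool")
    return problems

def pool_size(spec):
    """Number of client addresses in a remoteip/ifaddr range."""
    first, last = expand_range(spec)
    return int(last) - int(first) + 1
```

pool_size("20.1.1.200-250") returns 51, which is worth comparing against the number of tun devices you created.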

We need to create the file /etc/ppp/secure and add the following content:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Chmod the file after creation:

# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:

username       password       *
username       password       staticip
username       password       *

This file needs to have chmod 0400 performed on it after editing. The * denotes that this user will be automatically allocated a free IP address; you can alternatively specify a static address for this user.

It's nice to have any PPP log messages sent to their own log file, as this makes debugging easier and keeps things tidy. Add the following lines to /etc/syslog.conf:

!ppp
*.*                    /var/log/ppp.log

Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP (syslogd PID)

Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running, so you need to use the one running as root.

Poptop can be launched manually; the -d switch enables debug output.

# /usr/local/sbin/pptpd -d

To start Poptop automatically during boot, the following lines should be added to /etc/rc.local:

if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd";    /usr/local/sbin/pptpd -d
fi

I would recommend doing this as it would be easy to forget to start the daemon after rebooting and takes no effort to set up.

Our last consideration is the firewall (Packet Filter). We need to allow inbound tcp connections on port 1723 on the external IP, inbound and outbound connections of type gre on the external IP, and also all traffic to tun* devices:

# PPTP Rules (VPN Dial in)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all

Now all that's left is to test it. Reboot the machine to make sure that everything is started cleanly. Now, we just need to create a PPTP client connection and make sure it actually connects.

I'm using Windows XP as an example. Start the New Connection Wizard, and select the option 'Connect to the network at my workplace'. The next option to select is 'Virtual Private Network connection' rather than 'Dial-up connection'. Enter any name for the connection; the suggestion is 'Company Name'. There is an option at this stage to have an initial connection dialed before making the VPN connection. I prefer to disable this option, but the choice is yours. At the next step, enter the IP address or hostname of your Gateway machine; this is the address seen by the outside world. In our example, this is 10.21.7.63, the IP specified in /etc/pptpd.conf with the listen directive.