In this article, I’ll cover the configuration
of a VPN implementation using the Point-to-Point Tunnelling Protocol (PPTP). This
allows users to access files or services on an internal corporate network from
any Internet connection. The great thing about PPTP vs. other remote “dial-in”
types of VPN is that Microsoft Windows (95/98/Me/NT/2000/XP/Vista) has a PPTP
client built in, which means administrators don’t have to deal with any
additional client software and the problems that normally accompany it.

By far the most popular Open-Source PPTP
server offering is Poptop. Poptop has the
following features:

  • Microsoft compatible authentication
    and encryption (MSCHAPv2, MPPE 40 – 128 bit RC4 encryption).
  • Support for multiple client
    connections.
  • Seamless integration into a
    Microsoft network environment (LDAP, SAMBA) using RADIUS plugin.
  • Works with Windows
    95/98/Me/NT/2000/XP PPTP clients.
  • Works with Linux PPTP client.
  • Poptop is, and will remain, totally
    free under the GNU General Public License.


While there isn’t source for OpenBSD on the Poptop project page, a port of
Poptop is made available in the OpenBSD packages archive. I’m going to show you
how to install and configure Poptop on an almost clean OpenBSD 3.7 installation.
(In fact, it’s the exact same system which I have just used in the IPSec
tutorials, presented in my Financial Services Networking and Security blog.)

I found the Poptop package here.
While I should use the UK mirror (I’m located in London), it’s slow and often
incomplete, and the German mirror sites are usually fast and exact! Note that
this is the package for OpenBSD 3.7. If you’re using another release of OpenBSD,
then be sure to get the package from the correct branch. I don’t think there
would be a problem but the packaging system may have been modified between
releases.

Configuring Poptop

Getting Poptop running is not as simple as it
initially sounds. This is the basic process:

  1. Recompile BSD Kernel for GRE support
    and additional tun devices.
  2. Create additional tun devices.
  3. Install package.
  4. Configure Poptop to run with full
    strength encryption.
  5. Allow Poptop traffic through the
    firewall.

I know that recompiling the kernel can sound
quite scary to someone who hasn’t done this before. It did to me. This was
required when I first performed a Poptop installation with OpenBSD 3.6. I
believe this is still a requirement with OpenBSD 3.7. You don’t need to do this
for every system built, however. I recompiled the first time and then kept a
copy of the new kernel to use on later installations.

The following process is just one way in which
Poptop can be configured, but I’m sure you can discover other ways to configure
it. I found this quite difficult the first time; various mailing lists and
forum posts gave conflicting information. I hope that my guide brings all of
the correct information together into one place.

First, copy and unzip the system source files
to your /usr/src directory. (I won’t go in to too much detail with explaining
simple actions like this; I’m assuming your ability to perform basic operations
in BSD.) The source is in two files, src.tar.gz and sys.tar.gz, located either on your
installation CD or downloaded from the OpenBSD FTP servers.

# tar -xzf src.tar.gz -C /usr/src/
# tar -xzf sys.tar.gz -C /usr/src/

Move to the platform-independent config
directory and create a copy of the GENERIC config file:

# cd /usr/src/sys/conf
# cp ./GENERIC ./Custom-Poptop-build

Now we need to edit the config:

# vi ./Custom-Poptop-build

First comment out the inbuilt GRE support:

#pseudo-device  gre            # GRE encapsulation interface

Second, increase the number of tun devices to
match the maximum number of concurrent users you expect to have connected. I
have set this to 50 (see the example in Figure A), which is many more than I
will ever need (I would say that 10 are enough for my needs):

pseudo-device   tun     50       # network tunneling over tty

Figure A

Now let’s rebuild the kernel; we need to
create a copy of the platform-dependent configuration file:

# cd /usr/src/sys/arch/i386/conf
# cp ./GENERIC ./Custom-Poptop-build

Edit this config file to point to the
previously modified platform independent config:

# vi ./Custom-Poptop-build

Replace this:

include "../../../conf/GENERIC"

With this:

include "../../../conf/Custom-Poptop-build"

Now start the building process:

# config ./Custom-Poptop-build
# cd ../compile/Custom-Poptop-build
# make depend && make

Hopefully you shouldn’t get any nasty errors
thrown up. Once the build process has completed you should find the kernel
(filename is simply bsd) with the
size 4.9MB. Let’s now replace the default kernel:

# cp /bsd /bsd.old
# cp ./bsd /bsd

Now, a reboot will verify that all is working
okay. After you log on, you should see the name of your new kernel
(Custom-Poptop-build) to the right of the timestamp. Well that’s the kernel
recompiled; it wasn’t as tricky as it sounds was it?

Creating additional tun devices

The next step is to create the additional tun
devices (Virtual Point-to-Point network devices) and finish installing and
configuring Poptop.

Let’s get started: tun0 – tun3 exist by
default, so create additional devices with the following:

# cd /dev
# sh ./MAKEDEV tun?

where ? is the device number. I need to go through from tun4 to tun49 to create
the 50 concurrent devices that I enabled in the kernel.
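Creating 46 devices by hand is tedious and easy to get wrong, so here is an added example (my own script, not part of the article) that builds the list of device names for a range and feeds each one to MAKEDEV, skipping any device that already exists. It assumes MAKEDEV lives in /dev as shown above; the range and directory are parameters so it can be dry-run elsewhere.

```sh
#!/bin/sh
# Added example: create tunFIRST..tunLAST via /dev/MAKEDEV.
# Assumes OpenBSD's /dev/MAKEDEV script; tun0-tun3 already exist by default.

# tun_names FIRST LAST: print tunFIRST .. tunLAST, one per line.
tun_names() {
  i=$1
  while [ "$i" -le "$2" ]; do
    echo "tun$i"
    i=$((i + 1))
  done
}

# make_tun_devices FIRST LAST [DEVDIR]: run MAKEDEV for each name in the
# range inside DEVDIR (default /dev). Devices that already exist are left
# alone, and the first MAKEDEV failure stops the loop with a non-zero status.
make_tun_devices() {
  devdir=${3:-/dev}
  cd "$devdir" || return 1
  for dev in $(tun_names "$1" "$2"); do
    if [ -e "$dev" ]; then
      echo "$dev already exists, skipping"
      continue
    fi
    sh ./MAKEDEV "$dev" || { echo "MAKEDEV $dev failed" >&2; return 1; }
  done
}

# Usage for the 50-tunnel kernel built above (run as root):
#   make_tun_devices 4 49
```

The kernel was configured for 50 tun devices, so the last one is tun49; the script will happily skip tun0 to tun3 if you start the range at 0 instead.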

Flying along now, we can get down to installing
the Poptop package. Download the package from the repository of your choice and
install with:

# pkg_add poptop-1.1.4.b4p1.tgz

A few errors are thrown, but they aren’t
anything to worry about. Let’s get down to the Poptop configuration. The first
file to edit is /etc/pptpd.conf in
Listing A.

Now /etc/ppp/ppp.conf needs to be configured
to handle encryption via a loop back, as in
Listing B.

We need to create the file /etc/ppp/secure
and add the following content:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Chmod the file after creation:

# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames
and passwords for your dial-in users. The format is quite simple:

username password *
username password staticip
username password *

This file needs to have chmod 0400 performed
on it after editing. The asterisk (*) denotes that this user will be
automatically allocated a free IP address; you can alternatively specify a
static address for this user.
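Because ppp.secret holds clear-text passwords and PPP will read whatever is in it, it is worth checking both the file mode and the entry format before starting the daemon. The following lint script is an added example of mine, not something from the article or the Poptop project; it checks the three-field format described above (third field either `*` or a dotted-quad static address) and insists on mode 0400, using only POSIX sh tools.

```sh
#!/bin/sh
# Added example: sanity-check /etc/ppp/ppp.secret before starting pptpd.
# Format per line: "username password *" or "username password staticip".

# secret_line_ok LINE: succeed if LINE has exactly three fields and the third
# is "*" (dynamic address) or a dotted-quad static address.
secret_line_ok() {
  set -f; set -- $1; set +f   # split on whitespace without glob-expanding "*"
  [ $# -eq 3 ] || return 1
  [ "$3" = "*" ] && return 0
  printf '%s\n' "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# secret_file_ok FILE: succeed only if FILE is mode 0400 and every non-blank,
# non-comment line passes secret_line_ok. Reports the first problem found.
secret_file_ok() {
  f=$1
  if [ "$(ls -l "$f" | cut -c1-10)" != "-r--------" ]; then
    echo "$f: mode must be 0400 (chmod 0400 $f)" >&2
    return 1
  fi
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    if ! secret_line_ok "$line"; then
      echo "$f: bad entry on line $n" >&2
      return 1
    fi
  done < "$f"
}

# Usage (as root):  secret_file_ok /etc/ppp/ppp.secret && echo ok
```

Run it after every edit of the file; a mode of 0644 or a line with a stray fourth field is caught before a user finds out that their login silently fails.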

It’s nice to have any PPP log messages sent
to its own log file, as this makes debugging easier and keeps things tidy. Add
the following lines to /etc/syslog.conf:

!ppp
*.* /var/log/ppp.log

Remember to create ppp.log and reload
syslogd:

# touch /var/log/ppp.log
# kill -HUP (syslogd PID)

Just as a hint, find the syslogd process ID with
ps aux. There will be two syslogd processes running, so you need to use the one
running as root.

Poptop can be launched manually; the -d
switch will enable debug output.

# /usr/local/sbin/pptpd -d

To start Poptop automatically during boot,
the following lines should be added to /etc/rc.local:

if [ -x /usr/local/sbin/pptpd ]; then
 echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi

I would recommend doing this as it would be
easy to forget to start the daemon after rebooting and takes no effort to set up.

Our last consideration is the firewall
(Packet Filter). We need to allow inbound TCP connections on port 1723 on the
external IP, inbound and outbound connections of protocol GRE on the external IP,
and also all traffic on the tun* devices, as in Listing C.
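As an added illustration of the rules just described (my own pf.conf fragment, not the article’s Listing C), the block below assumes a hypothetical external interface macro `ext_if` set to `fxp0` and that the tun devices created earlier are addressed through pf’s `tun` interface group; adjust both to your system.

```pf
# Added example, not the article's Listing C. Assumes ext_if is the
# Internet-facing interface (fxp0 is a placeholder) and that this pf
# release supports the "tun" interface group; otherwise list tun0..tun49.
ext_if = "fxp0"

# PPTP control channel: TCP 1723 to the external address only.
pass in  on $ext_if proto tcp from any to ($ext_if) port 1723 keep state

# GRE carries the tunnelled PPP frames; it has no ports, so match the protocol.
pass in  on $ext_if proto gre from any to ($ext_if)
pass out on $ext_if proto gre from ($ext_if) to any

# Traffic on the tun devices handed to connected PPTP clients.
pass on tun
```

Keep `($ext_if)` in parentheses so pf tracks the interface address if it changes, and reload with `pfctl -f /etc/pf.conf` once the rules are in place.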

Testing the connection

Now all that’s left is to test it. Reboot the
machine to make sure that everything is started cleanly. We just need to create
a PPTP client connection and make sure it actually connects.

I’m using Windows XP as an example. Start the
New Connection Wizard, and select the option Connect To The Network At My Workplace.
Then, you should select Virtual Private Network Connection. Enter any name for
the connection; the suggestion is “Company Name”. There is an option
at this stage to have an initial connection dialed before making the VPN
connection. I prefer to disable this option, but the choice is yours. At the
next step, enter the IP address or hostname of your gateway machine. This is
the address seen by the outside world. In our example (Figure B), this is 10.21.7.63, the IP specified in /etc/pptpd.conf
with the listen directive.

Figure B

That’s the final step. Initiate the
connection and enter a username/password from the ppp.secret file.

Once the connection is made, you should be
able to find your locally allocated IP in the VPN Status window, and you should
also be able to ping an internal address (in my example 20.1.1.1 responds just
fine, Figure C).

Figure C

I hope this has been an easy-to-follow guide
to configuring PPTP access using OpenBSD and Poptop. If you have any problems
following this guide then let me know, by responding in my blog,
or by clicking the Discussion link at the end of this article.