In last week’s tutorial installment on PPTP VPN, we recompiled the kernel. The next step is to create the additional tun devices and finish installing and configuring Poptop.
Let’s get started: tun0 to tun3 exist by default, so create the additional devices with the following:
# cd /dev
# sh ./MAKEDEV tun?
Here ? is the device number; I need to go through tun4 to tun49 to create the 50 concurrent devices I enabled in the kernel.
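Running MAKEDEV by hand 46 times is tedious, so here is a loop for that step. It is an added example, not from the original tutorial; it assumes OpenBSD's /dev/MAKEDEV script and the tun4 to tun49 range given above, and by default it only prints the commands it would run, so the list can be reviewed before anything is written to /dev.

```sh
#!/bin/sh
# Added example: create a range of tun device nodes with OpenBSD's /dev/MAKEDEV.
# make_tun_devices FIRST LAST [run]
#   Without the third argument "run" this is a dry run: it prints the
#   commands instead of executing them, so the range can be checked first.
make_tun_devices() {
    first=$1
    last=$2
    mode=${3:-dry-run}
    i=$first
    while [ "$i" -le "$last" ]; do
        if [ "$mode" = run ]; then
            # Real run: needs root, and MAKEDEV expects to be invoked from /dev.
            (cd /dev && sh ./MAKEDEV "tun$i") || return 1
        else
            echo "sh ./MAKEDEV tun$i"
        fi
        i=$((i + 1))
    done
}

# Dry run for the tutorial's case: tun0..tun3 already exist, so tun4..tun49
# are the 46 nodes still missing for 50 concurrent sessions.
make_tun_devices 4 49
# To actually create them:  make_tun_devices 4 49 run
```

Compare the printed list against the number of tun devices you compiled into the kernel before running it for real; MAKEDEV will happily create nodes the kernel cannot back.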
Flying along now, we can get down to installing the Poptop package. Download the package from the repository of your choice and install with:
# pkg_add poptop-1.1.4.b4p1.tgz
A few errors are shown but they aren’t anything to worry about. Let’s get down to the Poptop configuration. The first file to edit is /etc/pptpd.conf:
option /etc/ppp/ppp.conf
# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)
localip 20.1.1.2
# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)
remoteip 20.1.1.200-250
# IP address of external LAN interface:
# (The IP which a remote users client will connect with)
listen 10.21.7.63
pidfile /var/run/pptpd.pid
Now /etc/ppp/ppp.conf needs to be configured to handle the encryption via a loopback:
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateful
# Server (local) IP address, Range for Clients, and Netmask
# Use the same IP addresses you specified in /etc/pptpd.conf:
set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
set server /tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
# Disable unsecured auth
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
# DNS Servers to assign client
# Use your own DNS server IP address :
set dns 20.1.1.100
# NetBIOS/WINS Servers to assign client
# Use your own WINS server IP address :
set nbns 20.1.1.100
set device !/etc/ppp/secure
We need to create the file /etc/ppp/secure and add the following content:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
Make the file executable after creating it:
# chmod u+x /etc/ppp/secure
The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:
username password *
username password staticip
username password *
This file needs to have chmod 0400 performed on it after editing. The * denotes that this user will be automatically allocated a free IP address; you can alternatively specify a static address for this user.
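Since ppp.secret holds plaintext passwords, it is worth checking both its mode and its contents before relying on it. The script below is an added example, not part of the original tutorial; it checks that the file is exactly mode 0400 and that every entry has the three-field shape shown above (username, password, then either * or a static IPv4 address). The account lines it builds into a temporary file are constructed sample data, not real credentials.

```sh
#!/bin/sh
# Added example (not from the tutorial): sanity-check a ppp.secret file.
# The tutorial's format is one account per line, three fields:
#     username password *            dynamic address from the remoteip pool
#     username password 20.1.1.210   fixed address for this user
# The file holds plaintext passwords, so the tutorial asks for mode 0400.

# Permission bits of FILE in octal: GNU stat (Linux) first, BSD stat (OpenBSD) as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeed only when FILE is exactly mode 0400 (owner read-only).
check_secret_mode() {
    [ "$(file_mode "$1")" = 400 ]
}

# Succeed when ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;       # empty, or contains something other than digits/dots
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1                            # split on dots into positional parameters
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed when every non-blank, non-comment line of FILE has the shape
# "username password (*|IPv4)"; each offending line is reported on stderr.
check_secret_format() {
    file=$1
    bad=0
    lineno=0
    while read -r user pass addr extra || [ -n "$user" ]; do
        lineno=$((lineno + 1))
        case $user in
            ''|\#*) continue ;;          # blank line or comment
        esac
        if [ -z "$addr" ] || [ -n "$extra" ]; then
            echo "$file: line $lineno: expected exactly 3 fields" >&2
            bad=1
            continue
        fi
        if [ "$addr" != '*' ] && ! is_ipv4 "$addr"; then
            echo "$file: line $lineno: bad address '$addr'" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample in the tutorial's format (not a real secrets file).
sample=$(mktemp)
printf 'alice s3cret *\nbob pa55w0rd 20.1.1.210\n' > "$sample"
chmod 0400 "$sample"
check_secret_mode "$sample" && check_secret_format "$sample" && echo "sample OK"
rm -f "$sample"
# On the real file (as root):
#   check_secret_mode /etc/ppp/ppp.secret && check_secret_format /etc/ppp/ppp.secret
```

The mode check is deliberately strict: a group- or world-readable secrets file is the kind of mistake that survives for years on a gateway nobody looks at, and a script that fails loudly is cheaper than an audit finding.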
It’s nice to have PPP log messages sent to their own log file, as this makes debugging easier and keeps things tidy. Add the following lines to /etc/syslog.conf:
!ppp
*.* /var/log/ppp.log
Remember to create ppp.log and reload syslogd:
# touch /var/log/ppp.log
# kill -HUP <syslogd PID>
Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running, so you need to use the one running as root.
Poptop can be launched manually; the -d switch enables debug output.
# /usr/local/sbin/pptpd -d
To start Poptop automatically during boot, the following lines should be added to /etc/rc.local:
if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi
I would recommend doing this as it would be easy to forget to start the daemon after rebooting and takes no effort to set up.
Our last consideration is the firewall (Packet Filter). We need to allow inbound TCP connections to port 1723 on the external IP, GRE traffic in both directions on the external IP, and all traffic on the tun* devices (the rules below show the pair for tun0 and tun1; repeat it for each tun device you created):
# PPTP Rules (VPN Dial in)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
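The two tun pairs above cover tun0 and tun1 only, while this setup creates tun0 through tun49, so every device that can carry a session needs its own pair. The generator below is an added example, not part of the original tutorial's pf.conf; it reproduces the fixed 1723/GRE rules exactly as listed above and then emits the tun pair for each device in a range, assuming the $ext_if macro is defined earlier in pf.conf as the tutorial does.

```sh
#!/bin/sh
# Added example: emit the per-device tun rules for pf.conf in the same style
# as the tutorial's tun0/tun1 rules, for a whole device range.
# gen_tun_rules FIRST LAST  ->  "pass in/out quick log on tunN all" per device
gen_tun_rules() {
    i=$1
    while [ "$i" -le "$2" ]; do
        echo "pass in quick log on tun$i all"
        echo "pass out quick log on tun$i all"
        i=$((i + 1))
    done
}

# Complete PPTP block: the tutorial's fixed TCP 1723 and GRE rules, then the
# generated tun rules. $ext_if is a pf macro assumed to be defined earlier in
# pf.conf (the heredoc is quoted so the shell leaves it for pf to expand).
gen_pptp_rules() {
    cat <<'EOF'
# PPTP Rules (VPN Dial in)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
EOF
    gen_tun_rules "$1" "$2"
}

# Print the block for tun0..tun49; to install it, append to pf.conf, check the
# syntax, then load:
#   gen_pptp_rules 0 49 >> /etc/pf.conf && pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
gen_pptp_rules 0 49
```

The syntax check (pfctl -nf) before the load matters on a remote gateway: a rule set that fails to parse leaves the old rules in place, but one that parses with a typo in an interface name can lock you out.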
Now all that’s left is to test it. Reboot the machine to make sure that everything is started cleanly. Now, we just need to create a PPTP client connection and make sure it actually connects.
I’m using Windows XP as an example. Start the New Connection Wizard, and select the option ‘Connect to the network at my workplace’. The next option to select is ‘Virtual Private Network connection’ rather than Dial-up connection. Enter any name for the connection; the suggestion is ‘Company Name’. There is an option at this stage to have an initial connection dialed before making the VPN connection. I prefer to disable this option, but the choice is yours. At the next step, enter the IP address or hostname of your Gateway machine; this is the address seen by the outside world. In our example, this is 10.21.7.63, the IP specified in /etc/pptpd.conf with the listen directive.
That’s the final step. Initiate the connection and enter a username/password from the ppp.secret file.
Once the connection is made you should be able to find your locally allocated IP in the VPN Status window, and you should also be able to ping an internal address (in my example 20.1.1.1 responds just fine).
I hope this has been an easy-to-follow guide to configuring PPTP access using OpenBSD and Poptop. If you have any problems following this guide then let me know.