In last week’s tutorial installment on PPTP VPN, we
recompiled the kernel. The next step is to create the additional tun devices and
finish installing and configuring Poptop.
Let’s get started: tun0 to tun3 exist by default, so create the
additional devices with the following:
# cd /dev
# sh ./MAKEDEV tun?
where ? is the device number. I need to go through from tun4
to tun49 to create the 50 concurrent devices I enabled in the kernel.
Flying along now, we can get down to installing the Poptop
package. Download the package from the repository of your choice and install
with:
# pkg_add poptop-1.1.4.b4p1.tgz
A few errors are shown but they aren’t anything to worry
about. Let’s get down to the Poptop configuration. The first file to edit is
/etc/pptpd.conf:
option /etc/ppp/ppp.conf
# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)
localip 20.1.1.2
# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)
remoteip 20.1.1.200-250
# IP address of external LAN interface:
# (The IP which a remote users client will connect with)
listen 10.21.7.63
pidfile /var/run/pptpd.pid
Now /etc/ppp/ppp.conf needs to be configured to handle
encryption via a loopback:
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateful
# Server (local) IP address, Range for Clients, and Netmask
# Use the same IP addresses you specified in /etc/pptpd.conf :
set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
set server /tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
# Disable unsecured auth
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
# DNS Servers to assign client
# Use your own DNS server IP address :
set dns 20.1.1.100
# NetBIOS/WINS Servers to assign client
# Use your own WINS server IP address :
set nbns 20.1.1.100
set device !/etc/ppp/secure
We need to create the file /etc/ppp/secure and add the
following content:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
Make the file executable after creating it:
# chmod u+x /etc/ppp/secure
The file /etc/ppp/ppp.secret holds usernames and passwords
for your dial-in users. The format is quite simple:
username password *
username password staticip
username password *
This file needs to have chmod 0400
performed on it after editing. The * denotes that this user will be
automatically allocated a free IP address; you can alternatively specify a
static address for this user.
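A consistency check I would run after editing these files, added here as an example (it is not part of the original tutorial or of Poptop): it confirms that the localip/remoteip pool in /etc/pptpd.conf matches the set ifaddr line in /etc/ppp/ppp.conf, and that ppp.secret has mode 0400. The configuration files it reads are constructed copies of the ones above, written to a temporary directory so nothing on the live host is touched.

```shell
#!/bin/sh
# Added check for the Poptop setup above (not from the tutorial or Poptop):
# the client pool in pptpd.conf must match "set ifaddr" in ppp.conf, and
# ppp.secret must be mode 0400. The config files are constructed samples
# written to a temporary directory, so nothing on the real host is touched.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/pptpd.conf" <<'EOF'
option /etc/ppp/ppp.conf
localip 20.1.1.2
remoteip 20.1.1.200-250
listen 10.21.7.63
EOF
cat > "$TMP/ppp.conf" <<'EOF'
loop:
 set timeout 0
 set ifaddr 20.1.1.2 20.1.1.200-20.1.1.250 255.255.255.255
EOF
printf 'alice example-password *\n' > "$TMP/ppp.secret"
chmod 0400 "$TMP/ppp.secret"

# pptpd_pool FILE: print "localip first-last", expanding pptpd's short
# "a.b.c.x-y" remoteip form to the full dotted range ppp.conf uses.
pptpd_pool() {
  lip=$(awk '$1 == "localip" { print $2 }' "$1")
  range=$(awk '$1 == "remoteip" { print $2 }' "$1")
  first=${range%-*}
  last=${range#*-}
  case $last in
    *.*) ;;                            # already a full address
    *)   last="${first%.*}.$last" ;;   # only the final octet was given
  esac
  printf '%s %s-%s\n' "$lip" "$first" "$last"
}

# ppp_pool FILE: print "localip first-last" from the "set ifaddr" line.
ppp_pool() {
  awk '$1 == "set" && $2 == "ifaddr" { print $3 " " $4 }' "$1"
}

# pools_match PPTPD_CONF PPP_CONF: succeed only when both files agree.
pools_match() { [ "$(pptpd_pool "$1")" = "$(ppp_pool "$2")" ]; }

# secret_mode_ok FILE: succeed only when the mode is exactly 0400.
secret_mode_ok() { [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]; }

pools_match "$TMP/pptpd.conf" "$TMP/ppp.conf" && echo "address pools agree"
secret_mode_ok "$TMP/ppp.secret" && echo "ppp.secret is mode 0400"
```

Point the two path arguments at the real /etc/pptpd.conf, /etc/ppp/ppp.conf and /etc/ppp/ppp.secret to check a live installation.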
It’s nice to have any PPP log messages sent to their own log
file, as this makes debugging easier and keeps things tidy. Add the following
lines to /etc/syslog.conf:
!ppp
*.* /var/log/ppp.log
Remember to create ppp.log and reload syslogd:
# touch /var/log/ppp.log
# kill -HUP <syslogd PID>
Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running, so you
need to use the one running as root.
Poptop can be launched manually; the -d switch enables
debug output.
# /usr/local/sbin/pptpd -d
To start Poptop automatically during boot, the following
lines should be added to /etc/rc.local:
if [ -x /usr/local/sbin/pptpd ]; then
echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi
I would recommend doing this as it would be easy to forget
to start the daemon after rebooting and takes no effort to set up.
Our last consideration is the firewall (Packet Filter). We
need to allow inbound TCP connections to port 1723 on the external IP, inbound
and outbound GRE on the external IP, and all traffic on the tun devices (the
rules below cover tun0 and tun1; add a matching pair for each further tun
device you created):
# PPTP Rules (VPN Dial in)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
Now all that’s left is to test it. Reboot the machine to
make sure that everything is started cleanly. Now, we just need to create a
PPTP client connection and make sure it actually connects.
I’m using Windows XP as an example. Start the New Connection
Wizard, and select the option ‘Connect to the network at my workplace’. The
next option to select is ‘Virtual Private Network connection’ rather than
Dial-up connection. Enter any name for the connection; the suggestion is ‘Company
Name’. There is an option at this stage to have an initial connection dialed before
making the VPN connection. I prefer to disable this option, but the choice is
yours. At the next step, enter the IP address or hostname of your Gateway
machine; this is the address seen by the outside world. In our example, this is
10.21.7.63, the IP specified in /etc/pptpd.conf with the listen directive.