Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.server.pptpd [2013/03/18 14:50]
povlhp Simplified rules, accepting everything in/out of ppp.
doc:howto:vpn.server.pptpd [2014/11/17 14:36] (current)
silverk Installation and configuration for 14.07
Line 1: Line 1:
-====== pptpd ======+====== Point-to-Point Tunneling Protocol (PPTP) Server ====== 
 +The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. pptpd is server daemon which enables pptp clients to establish tunnel over IP network. 
 +As it is today PPTP with MS-CHAP-v2 encryption is not secure and should not be used((http://poptop.sourceforge.net/dox/protocol-security.phtml)) ((https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/)). Please consider to use other VPN server. For alternative solutions, please visit [[doc/howto/vpn.overview]]. See -> [[doc:howto:vpn.client.pptp]] to set up a client.
 +===== Preparation =====
 +==== Prerequisites ====
 +  * Study the documentation available in [[http://poptop.sourceforge.net/dox/| sourceforge]].
 +  * Plan your networks. Remote clients can be in "lan", but it is feasible to configure dedicated network for clients and set up routing accordingly.
 +  * Modify your firewall rules as described below.
 +  ***If upgrading from previous OpenWrt version make backup from pptpd configuration files. 14.07 init script overwrites chap-secrets file.**
 +<code>
 +/etc/pptpd.conf
 +/etc/ppp/options.pptpd
 +/etc/ppp/chap-secrets
 +</code>
-| To create please follow: [[meta/template_howto]] |+==== Required Packages ==== 
 +  * pptpd 
 +  * kmod-mppe 
 +  * ppp
 +See OpenWrt log for other required packages.
-{{page&gt;meta:infobox:outdated&amp;noheader&amp;nofooter&amp;noeditbtn}}+==== Installation ===== 
 +&lt;code&gt; opkg install pptpd kmod-mppe&lt;/code&gt;
-===== Oldwiki: PPTP Daemon ===== +There are bugs in BARRIER BREAKER (14.07, r42625) init script.  
-This HOWTO describes how to install and configure //pptpd// on OpenWrt. See -> [[doc:howto:vpn.client.pptp]] to setup a client.+Modify /etc/init.d/pptpd  to clean up temporary pptp.conf and chap-secrets. Original init script does not enable multiple simultaneous clients with fixed remote IP's. Following script and modified configuration file enables it: 
 +<code>#!/bin/sh /etc/rc.common 
 +# Copyright (C) 2006 OpenWrt.org
-===== Required Packages =====+START=60 
 +BIN=/usr/sbin/pptpd 
 +DEFAULT=/etc/default/$BIN 
 +RUN_D=/var/run 
 +PID_F=$RUN_D/$BIN.pid 
 +CONFIG=/var/etc/pptpd.conf 
 +CHAP_SECRETS=/var/etc/chap-secrets 
 + 
 +setup_login() { 
 + local section="$1" 
 + config_get username "$section" username 
 + config_get password "$section" password 
 + config_get remoteip "$section" remoteip 
 + [ -n "$username" ] || return 0 
 + [ -n "$password" ] || return 0 
 + [ -n "$remoteip" ] || return 0 
 + 
 + echo "$username pptp-server $password $remoteip" >> $CHAP_SECRETS 
 +
 + 
 +setup_config() { 
 + local section="$1" 
 + 
 + config_get enabled "$section" enabled 
 + [ "$enabled" -eq 0 ] && return 1 
 + 
 + mkdir -p /var/etc 
 + cp /etc/pptpd.conf $CONFIG 
 + 
 + config_get localip "$section" localip 
 + [ -n "$localip" ] && echo "localip  $localip" >> $CONFIG 
 + return 0 
 +
 + 
 +start_pptpd() { 
 + [ -f $DEFAULT ] && . $DEFAULT 
 + mkdir -p $RUN_D 
 + for m in arc4 sha1_generic slhc crc-ccitt ppp_generic ppp_async ppp_mppe; do 
 + insmod $m >/dev/null 2>&1 
 + done 
 + ln -sfn $CHAP_SECRETS /etc/ppp/chap-secrets 
 + service_start $BIN $OPTIONS -c $CONFIG 
 +
 + 
 +start() { 
 + config_load pptpd 
 + setup_config pptpd || return 
 + config_foreach setup_login login 
 + start_pptpd 
 +
 + 
 +stop() { 
 + service_stop $BIN 
 + rm -rf $CHAP_SECRETS $CONFIG /etc/ppp/chap-secrets 
 +
 +</code> 
 + 
 +===== Configuration ===== 
 +==== Server configuration ==== 
 +There is no need to modify server configuration files /etc/pptpd.conf /etc/ppp/options.pptpd, however some parameters needs to be adjusted depending from clients and network configuration ( such as mtu, mru, ms-dns, proxyarp). See documentation and tips below. 
 + 
 +Clients configuration is located in /etc/config/pptpd. Modify it to enable pptpd and configure clients and network. Following is example for two clients. You can add multiple config 'login'. 
 +<code>config service 'pptpd' 
 + option 'enabled' '1' 
 + option 'localip' ‘xxx.yyy.www.zzz’ 
 + 
 +config 'login'  
 + option 'username' ‘foo’ 
 + option 'password' ‘bar’ 
 + option 'remoteip' 'xxx.yyy.zzz.1’ 
 + 
 +config 'login'  
 + option 'username' ‘foo’ 
 + option 'password' ‘bar’ 
 + option 'remoteip' 'xxx.yyy.zzz.2’ 
 +</code> 
 +==== Network configuration ==== 
 +If you are using different subnet for VPN clients you need to add route to /etc/network: 
 +<code>config route 
 + option interface 'lan' 
 + option target 'xxx.yyy.zzz.0' 
 + option netmask '255.255.255.0' 
 + option gateway 'xxx.yyy.www.zzz' 
 +</code> 
 + 
 +==== Firewall configuration ==== 
 +In order to accept pptp traffic in wan to router you need to open following protocols and ports.  Add following to /etc/config/network: 
 +<code>config rule 
 + option target 'ACCEPT' 
 + option _name 'pptp' 
 + option src 'wan' 
 + option proto 'tcp' 
 + option dest_port '1723' 
 + 
 +config rule 
 + option target 'ACCEPT' 
 + option _name 'gre' 
 + option src 'wan' 
 + option proto '47' 
 +</code> 
 + 
 +In order to enable traffic inside VPN to enter, leave and pass trough router you need to add following. Be aware, that if you are using ppp (PPPoE or similar) in wan following configuration is insecure and shall be modified. You can add it to /etc/firewall.user: 
 +<code># Allow all traffic in and out of the ppp interface. No reason to specify nets. 
 +iptables -A input_rule -i ppp+ -j ACCEPT 
 +iptables -A output_rule -o ppp+ -j ACCEPT 
 +# This rule will allow traffic towards internet 
 +iptables -A forwarding_rule -i ppp+ -j ACCEPT 
 +iptables -A forwarding_rule -o ppp+ -j ACCEPT 
 +</code> 
 + 
 +==== Start service ====
<code> <code>
-opkg install pptpd+/etc/init.d/pptpd enable 
 +/etc/init.d/pptpd start 
 +</code> 
 + 
 +===== Set-up and configuration for historic versions (pre 14.07) ===== 
 +<code> 
 +opkg install pptpd kmod-mppe
/etc/init.d/pptpd enable /etc/init.d/pptpd enable
/etc/init.d/pptpd start /etc/init.d/pptpd start
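Review bot: the replacement init script in this hunk is missing the closing brace of every function (setup_login, setup_config, start_pptpd, start and stop each end on an empty `+` line), so as pasted it will not parse; restore the braces before readers copy it. In the same script, setup_login appends plaintext passwords to /var/etc/chap-secrets with `>>` and nothing restricts the file mode, so the file should be created with restrictive permissions (for example `chmod 600 $CHAP_SECRETS` in setup_config before the first append), and stop() removes /etc/ppp/chap-secrets outright, which is the behaviour the backup warning at the top of the hunk describes and deserves a sentence next to the script. Elsewhere in the hunk: the UCI example under Server configuration uses typographic quotes around the localip, username, password and remoteip values (and mixes them on the remoteip lines), which is not valid UCI quoting and should be plain ASCII single quotes; the two firewall rules introduced with "Add following to /etc/config/network" belong in /etc/config/firewall (a later context line names that file), and the route under Network configuration belongs in /etc/config/network rather than /etc/network; the Installation command appears as HTML entities (&lt;code&gt;) rather than a code block, and the heading "==== Installation =====" has unbalanced markers. Finally, the firewall.user rules match `ppp+`, which also matches a PPPoE WAN interface as the text warns; restricting the input_rule and forwarding_rule entries to the VPN client subnet used in the route example (xxx.yyy.zzz.0/24, added with `-s`) keeps the exception limited to the tunnel.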
Line 19: Line 155:
pptpd will be running, and will be running on boot.  Add a user to ''/etc/ppp/chap-secrets'' (see below).  Optionally add //proxyarp// to ''/etc/ppp/options.pptpd''.  Then try to connect from a client. pptpd will be running, and will be running on boot.  Add a user to ''/etc/ppp/chap-secrets'' (see below).  Optionally add //proxyarp// to ''/etc/ppp/options.pptpd''.  Then try to connect from a client.
-===== OpenWrt Generic =====+The kernel module kmod-mppe is needed for encryption. If you are on trunk, you might need to update your firmware to latest before installing kernel modules, as the kernel sometimes changes, thus the trunk repository modules will not match the older kernel. 
 + 
 +==== OpenWrt Generic ====
Instructions that are not specific to any particular version of OpenWrt. Instructions that are not specific to any particular version of OpenWrt.
-===== Configuration =====+=== Configuration ===
The default IP address of the server end of the tunnel is 172.16.1.1, and is set in the file ''/etc/ppp/options.pptpd'', with a colon after it, like this: The default IP address of the server end of the tunnel is 172.16.1.1, and is set in the file ''/etc/ppp/options.pptpd'', with a colon after it, like this:
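Review bot: the new version now carries two sections titled Configuration (the "===== Configuration =====" added for 14.07 in the previous hunk and the "=== Configuration ===" here), so the "See documentation and tips below" pointer in the 14.07 text is ambiguous; renaming this one, for example "Configuration (pre 14.07)", would make clear which applies to which install path.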
Line 44: Line 182:
-==== Tunnel Remote IP Addresses ====+=== Tunnel Remote IP Addresses ===
Add lines to ''/etc/ppp/chap-secrets'' for each client. The format is: Add lines to ''/etc/ppp/chap-secrets'' for each client. The format is:
Line 63: Line 201:
/!\ It is important to set an IP address rather than use the default asterisk.  If you use an asterisk, the peer may propose it's own address, which could cause a routing loop.  This results in very large transmit counters on //ifconfig ppp0// and a badly performing router, as it spends all it's time trying to move packets through the loop. /!\ It is important to set an IP address rather than use the default asterisk.  If you use an asterisk, the peer may propose it's own address, which could cause a routing loop.  This results in very large transmit counters on //ifconfig ppp0// and a badly performing router, as it spends all it's time trying to move packets through the loop.
-==== Firewall ====+=== Firewall ===
For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces.  If your client is to connect on the WAN interface, edit the ///etc/firewall.user// file and add the following: For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces.  If your client is to connect on the WAN interface, edit the ///etc/firewall.user// file and add the following:
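Review bot: "the peer may propose it's own address" and "spends all it's time" in the unchanged context should read "its"; worth fixing while the heading is being touched.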
Line 73: Line 211:
</code> </code>
-See the [[doc:uci:firewall]] for help.+See the [[doc:uci:firewall]] for help. Be aware that $WAN might not be defined. If that is the case, insert the interface name instead. I.e. replace $WAN by eth1.
Alternatively you can configure the firewall using UCI in "/etc/config/firewall": Alternatively you can configure the firewall using UCI in "/etc/config/firewall":
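Review bot: the added advice to replace $WAN by eth1 hard-codes an interface name that differs between targets; better to tell readers to take the ifname of the wan interface from /etc/config/network (the next line already points at the UCI files) rather than assume eth1.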
Line 86: Line 224:
</code> </code>
-===== Test Connection ===== +==== Configure Routing ====
-Tell a client to connect to the PPTP server, using the username and password you set in //chap-secrets//. +
- +
-The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN.  See the routing section below. +
- +
-===== Configure Debug Logging ===== +
-If you have problems making a connection, increase the amount of information logged: +
- +
-  * edit ///etc/pptpd.conf// and add the line //debug//, and restart //pptpd// using ///etc/init.d/S50pptpd stop// followed by ///etc/init.d/S50pptpd start//, +
-  * edit ///etc/ppp/options.pptpd// and add the line //debug//, and the line //logfile "/tmp/pptpd.log"// ... these changes take effect on next client connection, there is no need to restart //pptpd//. +
-To understand the //pppd// debug log, read these key sections of the PPTP Client Diagnosis HOWTO: +
- +
-  * [[http://pptpclient.sourceforge.net/howto-diagnosis.phtml#confreqacknakrej|What does ConfReq, ConfAck, ConfNak, and ConfRej mean?]] +
-  * [[http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_bits|What are those CCP MPPE bitmasks?]] +
-===== Configure Routing =====+
While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. Of course we can alway give appropriate routes to server and clients but there's another way. In our example we have a LAN network 192.168.0.1/24 on the LAN port of our router. We want multiple clients to connect to the //pptpd// server and be able to connect to the LAN without the need of client routes. This is especially useful for Windows machines as they either route everything through the //pptpd// tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. We will use //proxyarp// for that purpose and add the following line to ///etc/ppp/options.pptpd//: While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. Of course we can alway give appropriate routes to server and clients but there's another way. In our example we have a LAN network 192.168.0.1/24 on the LAN port of our router. We want multiple clients to connect to the //pptpd// server and be able to connect to the LAN without the need of client routes. This is especially useful for Windows machines as they either route everything through the //pptpd// tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. We will use //proxyarp// for that purpose and add the following line to ///etc/ppp/options.pptpd//:
Line 124: Line 248:
-===== Setup for Windows filesharing =====+==== Setup for Windows filesharing ====
If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the  IP addresses of the PPTP clients to be on the same subnet as the LAN.  This is because of a limitation in proxyarp.  They also cannot be on the same subnet as the local addresses of the PPTP clients.  For example, if your PPTP clients have addresses in the 192.168.0.0/24 subnet, you can set you LAN to be 192.168.30.0/24 with DCHP assigning 192.168.30.50-192.168.30.100, but be careful that your PPTP clients' subnets are not in the 192.168.0.0 range. You would be better off selecting something in the 172.16.0.0/12 range (such as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. 255.255.0.0). You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line to /etc/ppp/options.pptpd: If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the  IP addresses of the PPTP clients to be on the same subnet as the LAN.  This is because of a limitation in proxyarp.  They also cannot be on the same subnet as the local addresses of the PPTP clients.  For example, if your PPTP clients have addresses in the 192.168.0.0/24 subnet, you can set you LAN to be 192.168.30.0/24 with DCHP assigning 192.168.30.50-192.168.30.100, but be careful that your PPTP clients' subnets are not in the 192.168.0.0 range. You would be better off selecting something in the 172.16.0.0/12 range (such as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. 255.255.0.0). You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line to /etc/ppp/options.pptpd:
Line 162: Line 286:
===== Troubleshooting ===== ===== Troubleshooting =====
 +==== Test Connection ====
 +Tell a client to connect to the PPTP server, using the username and password you set in //chap-secrets//.
 +
 +The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN.  See the routing section above .
 +
 +==== Configure Debug Logging ====
 +If you have problems making a connection, increase the amount of information logged:
 +
 +  * edit ///etc/pptpd.conf// and add the line //debug//, and restart //pptpd// using ///etc/init.d/S50pptpd stop// followed by ///etc/init.d/S50pptpd start//,
 +  * edit ///etc/ppp/options.pptpd// and add the line //debug//, and the line //logfile "/tmp/pptpd.log"// ... these changes take effect on next client connection, there is no need to restart //pptpd//.
 +To understand the //pppd// debug log, read these key sections of the PPTP Client Diagnosis HOWTO:
 +
 +  * [[http://pptpclient.sourceforge.net/howto-diagnosis.phtml#confreqacknakrej|What does ConfReq, ConfAck, ConfNak, and ConfRej mean?]]
 +  * [[http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_bits|What are those CCP MPPE bitmasks?]]
 +
 +====Notes====
 +If you can not ping router, host in lan or in internet from VPN client and there are no errors in pptpd log or system log, most likely packets get dropped in firewall.
 +
If you can connect to the //pptpd// and can ping the client from the server and vice versa but are not able to ping anything else refer to this [[http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml|checklist for diagnosis]] If you can connect to the //pptpd// and can ping the client from the server and vice versa but are not able to ping anything else refer to this [[http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml|checklist for diagnosis]]
Line 169: Line 311:
If the PPTP clients are behind an Actiontec DSL Modem/Router, only one of them will be able to connect.  This is do to a bug in the Actiontec.  Apparently it locks the connection to one client.  If the router is rebooted the first client to reconnect is locked in.  Putting the Actiontec into bridged mode and using a different router will probably bypass the problem.  Does anyone else have any experience with this? If the PPTP clients are behind an Actiontec DSL Modem/Router, only one of them will be able to connect.  This is do to a bug in the Actiontec.  Apparently it locks the connection to one client.  If the router is rebooted the first client to reconnect is locked in.  Putting the Actiontec into bridged mode and using a different router will probably bypass the problem.  Does anyone else have any experience with this?
- 
- 
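Review bot: the moved Debug Logging steps still restart the daemon with /etc/init.d/S50pptpd stop and start, while the 14.07 "Start service" section uses /etc/init.d/pptpd; the S50 name only applies to the pre-14.07 setup, so either say so here or use the /etc/init.d/pptpd path. Also "See the routing section above ." has a stray space before the period, and the Notes paragraph attributing silent ping failures to the firewall could point at the two rule sets added earlier (the 1723/GRE accept rules and the ppp+ rules in firewall.user) as the first things to verify, since the ppp+ input and forwarding rules are what let packets from the tunnel reach the router and the LAN.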


doc/howto/vpn.server.pptpd.1363614605.txt.bz2 · Last modified: 2013/03/18 14:50 by povlhp