doc:howto:vpn.server.pptpd

Differences

doc:howto:vpn.server.pptpd [2013/10/28 08:31]
lorema
doc:howto:vpn.server.pptpd [2014/12/14 14:52] (current)
silverk added pptp configuration for 14.07
Line 1: Line 1:
-====== ​pptpd ======+====== ​Point-to-Point Tunneling Protocol (PPTP) Server ​====== 
 +The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. pptpd is server daemon which enables pptp clients to establish tunnel over IP network. 
 +As it is today PPTP with MS-CHAP-v2 encryption is not secure and should not be used((http://​poptop.sourceforge.net/​dox/​protocol-security.phtml)) ((https://​www.cloudcracker.com/​blog/​2012/​07/​29/​cracking-ms-chap-v2/​)). Please consider to use other VPN server. For alternative solutions, please visit [[doc/​howto/​vpn.overview]]. See -> [[doc:​howto:​vpn.client.pptp]] to set up a client.
  
 +===== Preparation =====
 +==== Prerequisites ====
 +  * Study the documentation available in [[http://​poptop.sourceforge.net/​dox/​| sourceforge]].
 +  * Plan your networks. Remote clients can be in "​lan",​ but it is feasible to configure dedicated network for clients and set up routing accordingly.
 +  * Modify your firewall rules as described below.
 +  ***If upgrading from previous OpenWrt version make backup from pptpd configuration files. 14.07 init script overwrites chap-secrets file.**
 +<​code>​
 +/​etc/​pptpd.conf
 +/​etc/​ppp/​options.pptpd
 +/​etc/​ppp/​chap-secrets
 +</​code>​
  
-| To create please follow: [[meta/​template_howto]] |+==== Required Packages ==== 
 +  * pptpd 
 +  * kmod-mppe 
 +  * ppp
  
 +See OpenWrt log for other required packages. ​
  
-{{page>meta:​infobox:​outdated&​noheader&​nofooter&​noeditbtn}}+==== Installation ===== 
 +<​code>​ opkg install pptpd kmod-mppe</​code>
  
-===== Oldwiki: PPTP Daemon ===== +There are bugs in BARRIER BREAKER (14.07r42625) init script.  
-| For an overview over all existing Virtual private network (VPN)-related articles ​in the OpenWrt wikiplease visit [[doc/howto/vpn.overview]] | +Modify ​/etc/init.d/​pptpd  ​to clean up temporary pptp.conf ​and chap-secrets. Original init script does not enable multiple simultaneous clients with fixed remote IP's. Following script and modified configuration file enables it: 
-This HOWTO describes how to install ​and configure ​//pptpd// on OpenWrtSee -> [[doc:​howto:​vpn.client.pptp]] to setup a client.+<​code>#​!/bin/sh /etc/rc.common 
 +# Copyright (C) 2006 OpenWrt.org
  
-===== Required Packages ​=====+START=60 
 +BIN=/​usr/​sbin/​pptpd 
 +DEFAULT=/​etc/​default/​$BIN 
 +RUN_D=/var/run 
 +PID_F=$RUN_D/​$BIN.pid 
 +CONFIG=/​var/​etc/​pptpd.conf 
 +CHAP_SECRETS=/​var/​etc/​chap-secrets 
 + 
 +setup_login() { 
 + local section="​$1"​ 
 + config_get username "​$section"​ username 
 + config_get password "​$section"​ password 
 + config_get remoteip "​$section"​ remoteip 
 + [ -n "​$username"​ ] || return 0 
 + [ -n "​$password"​ ] || return 0 
 + [ -n "​$remoteip"​ ] || return 0 
 + 
 + echo "​$username pptp-server $password $remoteip"​ >> $CHAP_SECRETS 
 +
 + 
 +setup_config() { 
 + local section="​$1"​ 
 + 
 + config_get enabled "​$section"​ enabled 
 + [ "​$enabled"​ -eq 0 ] && return 1 
 + 
 + mkdir -p /var/etc 
 + cp /​etc/​pptpd.conf $CONFIG 
 + 
 + config_get localip "​$section"​ localip 
 + [ -n "​$localip"​ ] && echo "​localip ​ $localip"​ >> $CONFIG 
 + return 0 
 +
 + 
 +start_pptpd() { 
 + [ -f $DEFAULT ] && . $DEFAULT 
 + mkdir -p $RUN_D 
 + for m in arc4 sha1_generic slhc crc-ccitt ppp_generic ppp_async ppp_mppe; do 
 + insmod $m >/​dev/​null 2>&​1 
 + done 
 + ln -sfn $CHAP_SECRETS /​etc/​ppp/​chap-secrets 
 + service_start $BIN $OPTIONS -c $CONFIG 
 +
 + 
 +start() { 
 + config_load pptpd 
 + setup_config pptpd || return 
 + config_foreach setup_login login 
 + start_pptpd 
 +
 + 
 +stop() { 
 + service_stop $BIN 
 + rm -rf $CHAP_SECRETS $CONFIG /​etc/​ppp/​chap-secrets 
 +
 +</​code>​ 
 + 
 +===== Configuration ===== 
 +==== Server configuration ==== 
 +There is no need to modify server configuration files /​etc/​pptpd.conf /​etc/​ppp/​options.pptpd,​ however some parameters needs to be adjusted depending from clients and network configuration ( such as mtu, mru, ms-dns, proxyarp). See documentation and tips below. 
 + 
 +Clients configuration is located in /​etc/​config/​pptpd. Modify it to enable pptpd and configure clients and network. Following is example for two clients. You can add multiple config '​login'​. 
 +<​code>​config service '​pptpd'​ 
 + option '​enabled'​ '​1'​ 
 + option '​localip'​ ‘xxx.yyy.www.zzz’ 
 + 
 +config '​login'​  
 + option '​username'​ ‘foo’ 
 + option '​password'​ ‘bar’ 
 + option '​remoteip'​ '​xxx.yyy.zzz.1’ 
 + 
 +config '​login'​  
 + option '​username'​ ‘foo’ 
 + option '​password'​ ‘bar’ 
 + option '​remoteip'​ '​xxx.yyy.zzz.2’ 
 +</​code>​ 
 +==== Network configuration ==== 
 +If you are using different subnet for VPN clients you need to add route to /​etc/​network:​ 
 +<​code>​config route 
 + option interface '​lan'​ 
 + option target '​xxx.yyy.zzz.0'​ 
 + option netmask '​255.255.255.0'​ 
 + option gateway '​xxx.yyy.www.zzz'​ 
 +</​code>​ 
 + 
 +==== Firewall configuration ==== 
 +In order to accept pptp traffic in wan to router you need to open following protocols and ports. ​ Add following to /​etc/​config/​network:​ 
 +<​code>​config rule 
 + option target '​ACCEPT'​ 
 + option _name '​pptp'​ 
 + option src '​wan'​ 
 + option proto '​tcp'​ 
 + option dest_port '​1723'​ 
 + 
 +config rule 
 + option target '​ACCEPT'​ 
 + option _name '​gre'​ 
 + option src '​wan'​ 
 + option proto '​47'​ 
 +</​code>​ 
 + 
 +In order to enable traffic inside VPN to enter, leave and pass trough router you need to add following. Be aware, that if you are using ppp (PPPoE or similar) in wan following configuration is insecure and shall be modified. You can add it to /​etc/​firewall.user:​ 
 +<​code>#​ Allow all traffic in and out of the ppp interface. No reason to specify nets. 
 +iptables -A input_rule -i ppp+ -j ACCEPT 
 +iptables -A output_rule -o ppp+ -j ACCEPT 
 +# This rule will allow traffic towards internet 
 +iptables -A forwarding_rule -i ppp+ -j ACCEPT 
 +iptables -A forwarding_rule -o ppp+ -j ACCEPT 
 +</​code>​ 
 + 
 +==== Start service ==== 
 +<​code>​ 
 +/​etc/​init.d/​pptpd enable 
 +/​etc/​init.d/​pptpd start 
 +</​code>​ 
 + 
 +===== Set-up and configuration for historic versions (pre 14.07) ​=====
 <​code>​ <​code>​
 opkg install pptpd kmod-mppe opkg install pptpd kmod-mppe
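Review bot: the "Firewall configuration" text tells the reader to put the `config rule` sections into /etc/config/network, but UCI reads rule sections from /etc/config/firewall; as written the TCP/1723 and GRE (proto 47) rules are never applied, so the server stays unreachable from wan and the reader is sent looking for other causes (the route section has the same slip: "/etc/network" should read /etc/config/network). Two further points in the same hunk: the /etc/config/pptpd example uses typographic quotes (‘xxx.yyy.www.zzz’, ‘foo’, ‘bar’, and a mixed '​xxx.yyy.zzz.1’), which UCI does not treat as quoting, so a copy-pasted config will not parse; use plain single quotes throughout. And in the init script, setup_login appends plaintext passwords to /var/etc/chap-secrets with the default umask, while stop() runs `rm -rf` on /etc/ppp/chap-secrets, so a pre-existing real file at that path is lost on the first stop, which is exactly the overwrite the bold warning at the top of the section asks users to back up against; adding `chmod 600 $CHAP_SECRETS` after the `config_foreach setup_login login` line and guarding the removal with `[ -L /etc/ppp/chap-secrets ] && rm -f /etc/ppp/chap-secrets` would fix both. Minor: the "==== Installation =====" heading has unbalanced markers.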
Line 22: Line 157:
 The kernel module kmod-mppe is needed for encryption. If you are on trunk, you might need to update your firmware to latest before installing kernel modules, as the kernel sometimes changes, thus the trunk repository modules will not match the older kernel. The kernel module kmod-mppe is needed for encryption. If you are on trunk, you might need to update your firmware to latest before installing kernel modules, as the kernel sometimes changes, thus the trunk repository modules will not match the older kernel.
  
-===== OpenWrt Generic ​=====+==== OpenWrt Generic ====
 Instructions that are not specific to any particular version of OpenWrt. Instructions that are not specific to any particular version of OpenWrt.
  
  
-===== Configuration ​=====+=== Configuration ===
 The default IP address of the server end of the tunnel is 172.16.1.1, and is set in the file ''/​etc/​ppp/​options.pptpd'',​ with a colon after it, like this: The default IP address of the server end of the tunnel is 172.16.1.1, and is set in the file ''/​etc/​ppp/​options.pptpd'',​ with a colon after it, like this:
  
Line 47: Line 182:
  
  
-==== Tunnel Remote IP Addresses ​====+=== Tunnel Remote IP Addresses ===
 Add lines to ''/​etc/​ppp/​chap-secrets''​ for each client. The format is: Add lines to ''/​etc/​ppp/​chap-secrets''​ for each client. The format is:
  
Line 66: Line 201:
 /!\ It is important to set an IP address rather than use the default asterisk. ​ If you use an asterisk, the peer may propose it's own address, which could cause a routing loop.  This results in very large transmit counters on //ifconfig ppp0// and a badly performing router, as it spends all it's time trying to move packets through the loop. /!\ It is important to set an IP address rather than use the default asterisk. ​ If you use an asterisk, the peer may propose it's own address, which could cause a routing loop.  This results in very large transmit counters on //ifconfig ppp0// and a badly performing router, as it spends all it's time trying to move packets through the loop.
  
-==== Firewall ​====+=== Firewall ===
 For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces. ​ If your client is to connect on the WAN interface, edit the ///​etc/​firewall.user//​ file and add the following: For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces. ​ If your client is to connect on the WAN interface, edit the ///​etc/​firewall.user//​ file and add the following:
  
Line 89: Line 224:
 </​code>​ </​code>​
  
-===== Test Connection ===== +==== Configure Routing ====
-Tell a client to connect to the PPTP server, using the username and password you set in //​chap-secrets//​. +
- +
-The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN.  See the routing section below. +
- +
-===== Configure Debug Logging ===== +
-If you have problems making a connection, increase the amount of information logged: +
- +
-  * edit ///​etc/​pptpd.conf//​ and add the line //debug//, and restart //pptpd// using ///​etc/​init.d/​S50pptpd stop// followed by ///​etc/​init.d/​S50pptpd start//, +
-  * edit ///​etc/​ppp/​options.pptpd//​ and add the line //debug//, and the line //logfile "/​tmp/​pptpd.log"//​ ... these changes take effect on next client connection, there is no need to restart //​pptpd//​. +
-To understand the //pppd// debug log, read these key sections of the PPTP Client Diagnosis HOWTO: +
- +
-  * [[http://​pptpclient.sourceforge.net/​howto-diagnosis.phtml#​confreqacknakrej|What does ConfReq, ConfAck, ConfNak, and ConfRej mean?]] +
-  * [[http://​pptpclient.sourceforge.net/​howto-diagnosis.phtml#​mppe_bits|What are those CCP MPPE bitmasks?​]] +
-===== Configure Routing ​=====+
 While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. Of course we can alway give appropriate routes to server and clients but there'​s another way. In our example we have a LAN network 192.168.0.1/​24 on the LAN port of our router. We want multiple clients to connect to the //pptpd// server and be able to connect to the LAN without the need of client routes. This is especially useful for Windows machines as they either route everything through the //pptpd// tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. We will use //​proxyarp//​ for that purpose and add the following line to ///​etc/​ppp/​options.pptpd//:​ While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. Of course we can alway give appropriate routes to server and clients but there'​s another way. In our example we have a LAN network 192.168.0.1/​24 on the LAN port of our router. We want multiple clients to connect to the //pptpd// server and be able to connect to the LAN without the need of client routes. This is especially useful for Windows machines as they either route everything through the //pptpd// tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. We will use //​proxyarp//​ for that purpose and add the following line to ///​etc/​ppp/​options.pptpd//:​
  
Line 127: Line 248:
  
  
-===== Setup for Windows filesharing ​=====+==== Setup for Windows filesharing ====
 If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the  IP addresses of the PPTP clients to be on the same subnet as the LAN.  This is because of a limitation in proxyarp. ​ They also cannot be on the same subnet as the local addresses of the PPTP clients. ​ For example, if your PPTP clients have addresses in the 192.168.0.0/​24 subnet, you can set you LAN to be 192.168.30.0/​24 with DCHP assigning 192.168.30.50-192.168.30.100,​ but be careful that your PPTP clients'​ subnets are not in the 192.168.0.0 range. You would be better off selecting something in the 172.16.0.0/​12 range (such as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. 255.255.0.0). You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line to /​etc/​ppp/​options.pptpd:​ If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the  IP addresses of the PPTP clients to be on the same subnet as the LAN.  This is because of a limitation in proxyarp. ​ They also cannot be on the same subnet as the local addresses of the PPTP clients. ​ For example, if your PPTP clients have addresses in the 192.168.0.0/​24 subnet, you can set you LAN to be 192.168.30.0/​24 with DCHP assigning 192.168.30.50-192.168.30.100,​ but be careful that your PPTP clients'​ subnets are not in the 192.168.0.0 range. You would be better off selecting something in the 172.16.0.0/​12 range (such as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. 255.255.0.0). You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line to /​etc/​ppp/​options.pptpd:​
  
Line 165: Line 286:
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +==== Test Connection ====
 +Tell a client to connect to the PPTP server, using the username and password you set in //​chap-secrets//​.
 +
 +The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN.  See the routing section above .
 +
 +==== Configure Debug Logging ====
 +If you have problems making a connection, increase the amount of information logged:
 +
 +  * edit ///​etc/​pptpd.conf//​ and add the line //debug//, and restart //pptpd// using ///​etc/​init.d/​S50pptpd stop// followed by ///​etc/​init.d/​S50pptpd start//,
 +  * edit ///​etc/​ppp/​options.pptpd//​ and add the line //debug//, and the line //logfile "/​tmp/​pptpd.log"//​ ... these changes take effect on next client connection, there is no need to restart //pptpd//.
 +To understand the //pppd// debug log, read these key sections of the PPTP Client Diagnosis HOWTO:
 +
 +  * [[http://​pptpclient.sourceforge.net/​howto-diagnosis.phtml#​confreqacknakrej|What does ConfReq, ConfAck, ConfNak, and ConfRej mean?]]
 +  * [[http://​pptpclient.sourceforge.net/​howto-diagnosis.phtml#​mppe_bits|What are those CCP MPPE bitmasks?]]
 +
 +====Notes====
 +If you can not ping router, host in lan or in internet from VPN client and there are no errors in pptpd log or system log, most likely packets get dropped in firewall.
 +
 If you can connect to the //pptpd// and can ping the client from the server and vice versa but are not able to ping anything else refer to this [[http://​poptop.sourceforge.net/​dox/​diagnose-forwarding.phtml|checklist for diagnosis]] If you can connect to the //pptpd// and can ping the client from the server and vice versa but are not able to ping anything else refer to this [[http://​poptop.sourceforge.net/​dox/​diagnose-forwarding.phtml|checklist for diagnosis]]
  
Line 172: Line 311:
  
 If the PPTP clients are behind an Actiontec DSL Modem/​Router,​ only one of them will be able to connect. ​ This is do to a bug in the Actiontec. ​ Apparently it locks the connection to one client. ​ If the router is rebooted the first client to reconnect is locked in.  Putting the Actiontec into bridged mode and using a different router will probably bypass the problem. ​ Does anyone else have any experience with this? If the PPTP clients are behind an Actiontec DSL Modem/​Router,​ only one of them will be able to connect. ​ This is do to a bug in the Actiontec. ​ Apparently it locks the connection to one client. ​ If the router is rebooted the first client to reconnect is locked in.  Putting the Actiontec into bridged mode and using a different router will probably bypass the problem. ​ Does anyone else have any experience with this?
- 
- 
doc/howto/vpn.server.pptpd.1382945505.txt.bz2 · Last modified: 2013/10/28 08:31 by lorema