Fantoft: Linux to MS PPTP VPN server mini-HOWTO (v. 0.5.4)

0) Before you start reading

Be sure you have root permissions before you start doing anything.

This mini-howto assumes that you know what a kernel is, what loadable modules are, what a dhcp client is, what pppd is, and maybe some other stuff. If you don't know them, you can continue reading anyway; the procedure is quite straightforward.
If you are interested in going deeper into these topics, I suggest a visit to www.linuxdoc.org .

1) PPTP support

The MS server implements the proprietary (and insecure) PPTP protocol for the tunnelling. You need to have the sources of your kernel (in the usual location, /usr/src/linux) and the 'ppp_generic', 'ppp_async' and 'ppp_deflate' drivers compiled as loadable modules.
Check if you have them either by typing a 'modprobe ppp_generic', 'modprobe ppp_async', 'modprobe ppp_deflate', or a 'lsmod' to see if they are already loaded.
You can obtain the latest kernel tree at www.kernel.org .

2) The required software

You need the package 'pppd' (current version is probably 2.4.1). Find it on the Internet, and be careful with the dependencies. If you use Debian it is pretty easy with APT.

3) Installing mppe support (optional)

[It seems that here the VPN doesn't require support for this, because my module isn't loaded at run time with all the others, but the connection goes. So skip point 3 of the mini-HOWTO for the moment.]

MPPE stands for Microsoft Point to Point Encryption; it is the layer that encrypts the PPP traffic carried in the tunnel. Download the package 'ppp-mppe' (don't worry if the version sounds older than the one of pppd) and afterwards do the following to install it:
cd /usr/src/archive/im
tar xzvf ppp-mppe-2.4.0-4.tar.gz
cd ppp-mppe-2.4.0-4
chmod u+x unpack.sh
./unpack.sh
cd ppp-2.4.0
./configure
make
Now save the original PPP programs from your Linux distribution (please note that your distribution might place these files in different directories).
cp /usr/sbin/chat /usr/sbin/chat.bak
cp /usr/sbin/pppd /usr/sbin/pppd.bak
cp /usr/sbin/pppdump /usr/sbin/pppdump.bak
cp /usr/sbin/pppstats /usr/sbin/pppstats.bak
Now install the new versions of pppd:
make install
cd linux-kernel
NOTE: When compiling the MPPE kernel module:
The makefile's automatic kernel-tree mechanism could be broken in your source package. To fix things, you have to do the following (these steps assume that your linux source tree is in "/usr/src/kernel/linux" as usual):
Edit the "kmodbuild.sh" script, look for the "ARGS" line and change it so that it is:

ARGS="TREE=/usr/src/kernel/linux"
Now compile the kernel module:
./kmodbuild.sh
The final compile output from the above step should look something like:
There is a script in kernel-modules that can do this for you. To use it to install your newly built kernel modules, type:
kernel-modules/kmodinst.sh kernel-modules/new-2.4.18
Check the bottom line displayed on your system when you ran the "./kmodbuild.sh" script. The name of the directory will be different from the one displayed below depending on the kernel version installed on your machine. Based on that message, run the following command for a generic 2.4.18 kernel:
kernel-modules/kmodinst.sh kernel-modules/new-2.4.18
NOTE:
I tested this script with kernels 2.4.18 and 2.4.19, and everything went fine.

4) Install the pptp client

To start the tunnel you also need the 'pptp-linux' package (elsewhere it may be called just 'pptp'). Get it and install it.

5) Configuring the file /etc/pap-secrets

Be sure that at the end of this file you have a line like the following:

username@rasmus PPTP password

where username and password have to be substituted with your real user name and password.
The password is stored in clear text, so if you are paranoid remove read permission on the file for everyone but root.
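
One way to check the permissions described above before putting the password in the file (an added example, not part of the original HOWTO). The function names are hypothetical, the file path is passed as an argument, and GNU stat is assumed:

```shell
#!/bin/sh
# Added example: audit a pppd secrets file that holds a clear-text password.

# secrets_problems FILE [OWNER_UID]
# Prints one line per problem found; prints nothing if the file is safe.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can
# be tried on a scratch file as an ordinary user.
secrets_problems() {
    sp_file=$1
    sp_want=${2:-0}
    # A symlink or a missing file is reported rather than followed.
    if [ -L "$sp_file" ] || [ ! -f "$sp_file" ]; then
        echo "not a regular file: $sp_file"
        return 0
    fi
    sp_uid=$(stat -c %u -- "$sp_file")
    sp_mode=$(stat -c %a -- "$sp_file")
    if [ "$sp_uid" != "$sp_want" ]; then
        echo "owner uid is $sp_uid, expected $sp_want"
    fi
    # Any group/other bit lets a non-root user read or replace the password.
    if [ $(( 0$sp_mode & 077 )) -ne 0 ]; then
        echo "mode $sp_mode grants access to group/other"
    fi
    return 0
}

# secrets_lock FILE: owner read/write only, as the text asks for.
secrets_lock() {
    chmod 600 -- "$1"
}
```

Run `secrets_problems` as root on your secrets file; if it prints anything about the mode, `secrets_lock` on the same file fixes it.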

6) Starting the connection

Before starting the connection be sure that you have started the dhcp client on your Linux box.
Then you can use this script (I modified the one provided by the people at www.adsl.uib.no):
#!/bin/bash
#########
# PPTP-ON
# Put this script into a new empty file (such as /etc/ppp/pptp-on) and make it executable by root.
#########
# remove stale files left by a previous pptp session
/bin/rm -f /var/run/pptp/* 1>/dev/null 2>/dev/null
# load the PPP kernel modules
modprobe ppp_generic
modprobe ppp_async
# start the tunnel; the arguments after the server name are passed to pppd
/usr/sbin/pptp uib-vpn-gw debug name username@rasmus noauth
# give the link time to come up
sleep 10
where username is the same one that is in the last line of your /etc/pap-secrets file.
Probably now you are connected (if you type 'ifconfig' you should see that your ppp0 interface is up) but the routing table may be wrong and you can't send/receive packets to/from outside the LAN. To fix this, just put into the previous script, after the 'sleep' command, these 3 commands:
# adds the new local route
route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.10.64.1 dev eth0
# deletes the default route set by the dhcp client
route del default dev eth0
# stores the ppp0_address
ppp0_address=`/sbin/ifconfig ppp0 | grep 'inet addr:' | awk '{print $2}' | sed -e 's/addr://'`
# prints it to show you ppp0 is up
echo $ppp0_address
# adds the new default route
route add default gw $ppp0_address dev ppp0
If you now type the command 'route', you should see output similar to this:
root@puccio2:/home/alessio# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
uib-gw3.uib.no * 255.255.255.255 UH 0 0 0 ppp0
10.10.64.0 * 255.255.240.0 U 0 0 0 eth0
localnet 10.10.64.1 255.0.0.0 UG 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default tunnel-43-98.vp 0.0.0.0 UG 0 0 0 0 ppp0
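
A guarded form of the route changes above, as an added example that is not part of the original HOWTO: the script deletes the DHCP default route after a fixed `sleep 10`, so a tunnel that failed to come up leaves the machine with no default route. The function names and the sample interface dumps are constructed for illustration; the route commands are the ones from the text.

```shell
#!/bin/sh
# Added example: touch the routes only once ppp0 really has an address.
# Constructed samples of the two ifconfig layouts seen in practice:
SAMPLE_OLD='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.10  P-t-P:192.0.2.1  Mask:255.255.255.255'
SAMPLE_NEW='ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.255  destination 192.0.2.1'

# Read ifconfig output on stdin and print the local IPv4 address. Accepts
# "inet addr:A.B.C.D" (what the script above greps for) and "inet A.B.C.D".
local_addr() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# Succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# wait_for_addr IFACE TRIES: poll once per second; print the address when
# it appears, fail if it never does.
wait_for_addr() {
    wa_left=$2
    while [ "$wa_left" -gt 0 ]; do
        wa_addr=$(/sbin/ifconfig "$1" 2>/dev/null | local_addr)
        if is_ipv4 "$wa_addr"; then
            echo "$wa_addr"
            return 0
        fi
        sleep 1
        wa_left=$((wa_left - 1))
    done
    return 1
}

# The route commands from the text; on failure the old default route stays.
swap_default_route() {
    sd_addr=$(wait_for_addr ppp0 "${1:-10}") || {
        echo "ppp0 has no address; routes left unchanged" >&2
        return 1
    }
    route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.10.64.1 dev eth0
    route del default dev eth0
    route add default gw "$sd_addr" dev ppp0
}
```

In pptp-on, a call to `swap_default_route 30` would take the place of `sleep 10` and the route commands, waiting up to 30 seconds for the link.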

To shut down the connection, a simple script is enough:
#!/bin/bash
##########
# PPTP-OFF
# Put this script into a new empty file (such as /etc/ppp/pptp-off) and make it executable by root.
##########
# stop pppd, which brings the tunnel down
killall pppd
# remove the files left by pptp
/bin/rm /var/run/pptp/*
killall pppd
Remember that you must be root to carry out the whole procedure described in this mini-howto.

Alessio Pace.