Difference between revisions of "PPTP server"

From ArchWiki
(Troubleshooting: Fixed CURRENT calculation too (now using 'ip link)
(34 intermediate revisions by 18 users not shown)

Revision as of 13:41, 23 September 2013

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

This entry shows how to set up a PPTP server on Arch.

Installation

Install pptpd, available in the Official Repositories.

Configuration

Now, edit the file /etc/pptpd.conf

/etc/pptpd.conf
option /etc/ppp/pptpd-options
localip 172.16.36.1
remoteip 172.16.36.2-254

Now, edit the file /etc/ppp/pptpd-options

/etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
ms-dns 8.8.4.4

Now add your users and passwords to /etc/ppp/chap-secrets

/etc/ppp/chap-secrets
<username>     pptpd     <password>   *
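As an added check (example code, not from the ArchWiki page or the pptpd project), the following POSIX shell script audits a pptpd-options file and a chap-secrets file against the settings shown above: weak authentication methods refused, MS-CHAPv2 with MPPE-128 required, the secrets file readable only by root and naming the same server as the name directive. The sample files it writes are constructed, and it assumes GNU stat as found on Arch.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page: audit the two files edited
# above. check_pptpd_options verifies that PAP/CHAP/MS-CHAPv1 are refused and
# MS-CHAPv2 with MPPE-128 required; check_chap_secrets verifies the secrets
# file is mode 600, has four fields per entry, names the same server as the
# "name" directive and has no <placeholder> left in. Assumes GNU stat (Arch).

check_pptpd_options() {
    f="$1"; rc=0
    # drop comments and blank lines, keep the first word of each directive
    opts=$(sed -e 's/#.*//' "$f" | awk 'NF { print $1 }')
    for want in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        printf '%s\n' "$opts" | grep -qxF -- "$want" || { echo "MISSING: $want"; rc=1; }
    done
    # old-style "+pap"/"+chap" lines and "nomppe" undo what the options above enforce
    for bad in +pap +chap +mschap nomppe; do
        printf '%s\n' "$opts" | grep -qxF -- "$bad" && { echo "FORBIDDEN: $bad"; rc=1; }
    done
    return $rc
}

check_chap_secrets() {
    f="$1"; server="$2"; rc=0
    mode=$(stat -c '%a' "$f")
    [ "$mode" = 600 ] || { echo "WEAK PERMS: $f is mode $mode, want 600"; rc=1; }
    sed -e 's/#.*//' "$f" | awk -v srv="$server" '
        NF == 0 { next }
        NF != 4 { print "BAD LINE: " $0; bad = 1; next }
        $2 != srv { print "SERVER MISMATCH: " $0; bad = 1 }
        $1 ~ /^<.*>$/ || $3 ~ /^<.*>$/ { print "PLACEHOLDER: " $0; bad = 1 }
        END { exit bad }' || rc=1
    return $rc
}

# Constructed sample files so the audit runs offline; "alice"/"s3cret" are made up.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\nrequire-mppe-128\nms-dns 8.8.8.8\n' > "$tmp/good-options"
printf 'name pptp\n+pap # for pap authentication\n-chap\nms-dns 8.8.8.8\n' > "$tmp/old-options"
printf 'alice    pptpd    s3cret    *\n' > "$tmp/good-secrets"; chmod 600 "$tmp/good-secrets"
printf '<username>    pptp    <password>    *\n' > "$tmp/bad-secrets"; chmod 644 "$tmp/bad-secrets"

check_pptpd_options "$tmp/good-options" && echo "good-options: OK"
check_pptpd_options "$tmp/old-options" || echo "old-options: REJECTED"
check_chap_secrets "$tmp/good-secrets" pptpd && echo "good-secrets: OK"
check_chap_secrets "$tmp/bad-secrets" pptpd || echo "bad-secrets: REJECTED"
```

Run it against the real files with check_pptpd_options /etc/ppp/pptpd-options and check_chap_secrets /etc/ppp/chap-secrets pptpd; a non-zero exit means at least one finding was printed.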

Now, enable IP Forwarding by editing /etc/sysctl.conf

/etc/sysctl.conf
net.ipv4.ip_forward=1

Now apply the changes made to sysctl.conf

# sysctl -p

iptables firewall configuration

Configure your iptables settings to enable access for PPTP Clients

iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

iptables -F FORWARD
iptables -A FORWARD -j ACCEPT

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

Now save the new iptables rules with:

# rc.d save iptables

For systemd users after editing the rules:

# iptables-save > /etc/iptables/iptables.rules

Read Iptables for more information.

ufw firewall configuration

Configure your ufw settings to enable access for PPTP Clients.

You must change the default forward policy in /etc/default/ufw

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Now edit /etc/ufw/before.rules and add the following block after the header and before the *filter line

/etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 172.16.36.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

Open pptp port 1723

ufw allow 1723

Restart ufw for good measure

ufw disable
ufw enable

Start up

Now you can start your PPTP server with one of the following commands.

Using initscript

# rc.d start pptpd

You can use this script to install the pptpd server automatically: http://dl.dropbox.com/u/17412056/pptpd.sh

Using systemd

The service unit file is now provided with the pptpd package.

Start the PPTP server.

# systemctl start pptpd.service

To start the PPTP server at boot, enable it in systemd.

# systemctl enable pptpd.service

Troubleshooting

  • If you keep getting error 619 on the client side, search for the logwtmp option in /etc/pptpd.conf and comment it out. When this is enabled, wtmp will be used to record client connections and disconnections.
#logwtmp
  • If you keep getting pptpd[xxxxx]: Long config file line ignored when checking the status with "systemctl status pptpd", add a blank line at the end of /etc/pptpd.conf (see http://sourceforge.net/p/poptop/bugs/35/).
  • If you keep getting ppp0: ppp: compressor dropped pkt when a client connects to the server, add the following script as /etc/ppp/ip-up.d/mppefixmtu.sh
#!/bin/sh
# $1 is the interface name pppd passes to ip-up.d scripts (e.g. ppp0)
CURRENT_MTU="$(ip link show "$1" | grep -Po '(?<=mtu )([0-9]+)')"
# abort if the MTU could not be read instead of setting a bogus value
[ -n "$CURRENT_MTU" ] || exit 1
FIXED_MTU="$(expr "$CURRENT_MTU" + 4)"
ip link set "$1" mtu "$FIXED_MTU"

After editing, do not forget to make it executable (chmod 770 /etc/ppp/ip-up.d/mppefixmtu.sh).

For the reason behind this issue, refer to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330973