PPTP Client
pptpclient is a program implementing the Microsoft PPTP protocol. As such, it can be used to connect to a Microsoft VPN network (or any PPTP-based VPN) provided by a school or workplace.
Contents
Installing PPTP Client
PPTP Client is provided by the pptpclient package found in the official repositories.
Configure
To configure pptpclient you will need to collect the following information from your network administrator:
- The IP address or hostname of the VPN server
- The name you wish to use for the tunnel.
- The authentication (Windows) domain name. This is not provided or needed for certain networks.
- The username you will use to connect.
- The password you will use to connect.
Edit The options.pptp File
With your favorite text editor open /etc/ppp/options.pptp. This file enables a lot of security for your VPN connection by default. If you have trouble connecting to your network, you can relax the options down. At a minimum, your /etc/ppp/options.pptp file should contain:
lock noauth nobsdcomp nodeflate
Edit The chap-secrets File
Next, open or create the /etc/ppp/chap-secrets file. We will be storing your password in this file, so make sure that the permissions are set such that no-one besides root can read this file.
chmod 0600 /etc/ppp/chap-secrets
The file should have the following format:
<DOMAIN>\\<USERNAME> PPTP <PASSWORD> *
Or, if your connection does not require a domain:
<USERNAME> PPTP <PASSWORD> *
Simply replace each bracketed term in the examples with the appropriate value.
Name Your Tunnel
With your favorite text editor create a /etc/ppp/peers/<TUNNEL> file, where <TUNNEL> is the name you wish to use for your VPN connection. The file should look like this:
pty "pptp <SERVER> --nolaunchpppd" name <DOMAIN>\\<USERNAME> remotename PPTP require-mppe-128 file /etc/ppp/options.pptp ipparam <TUNNEL>
<SERVER> is the remote address of the VPN server, <DOMAIN> is the domain your user belongs to, <USERNAME> is the name you will use to connect to the server, and <TUNNEL> is the name of the connection.
Making Your Connection
To make sure that everything is configured properly, as root execute:
# pon <TUNNEL> debug dump logfd 2 nodetach
If everything has been configured correctly, the pon command should not terminate. Once you are satisfied that it has connected successfully, you can terminate the command.
To connect to your VPN normally, simply execute:
# pon <TUNNEL>
Where <TUNNEL> is the name of the tunnel you established earlier. Note that this command should be run as root.
Routing
Once you have connected to your VPN, you should be able to interact with anything available on the VPN server. To access anything on the remote network, you need to add a new route to your routing table.
For more information on how to add routes, you can read this article which has many more examples: PPTP Routing Howto
Split Tunneling
Packets with a destination of your VPN's network should be routed through the VPN interface (usually ppp0). To do this, you create the route:
# ip route add 192.168.10.0/24 dev ppp0
This will route all the traffic with a destination of 192.168.10.* through your VPN's interface, (ppp0).
Route All Traffic
It may be desirable to route all traffic through your VPN connection. You can do this by running:
# ip route add default dev ppp0
Route All Traffic by /etc/ppp/ip-up.d
/etc/ppp/ip-up.d/01-routes.sh
#!/bin/bash # This script is called with the following arguments: # Arg Name # $1 Interface name # $2 The tty # $3 The link speed # $4 Local IP number # $5 Peer IP number # $6 Optional ``ipparam'' value foo route add default gw $4
Make sure the script is executable.
Split Tunneling based on port by /etc/ppp/ip-up.d
/etc/ppp/ip-up.d/01-routebyport.sh
#!/bin/bash # This script is called with the following arguments: # Arg Name # $1 Interface name # $2 The tty # $3 The link speed # $4 Local IP number # $5 Peer IP number # $6 Optional ``ipparam'' value foo echo 0 > /proc/sys/net/ipv4/conf/$1/rp_filter echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_dynaddr ip route flush table vpn ip route add default via $5 dev $1 table vpn iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 6667,6697 -j MARK --set-mark 0x1 iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE ip rule add fwmark 0x1 pri 100 lookup vpn ip rule add from $4 pri 200 table vpn ip route flush cache
Make sure the script is executable and that the vpn table is added to /etc/iproute2/rt_tables
201 vpn
Disconnecting
To disconnect from your VPN simply execute:
# poff <TUNNEL>
Where <TUNNEL> is the name of your connection.
Making A VPN Daemon and Connecting On Boot
You can create a simple daemon for your VPN connection by creating an appropriate /etc/rc.d/* script:
/etc/rc.d/name-of-your-vpn
#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON=<TUNNEL>-vpn
ARGS=
[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON
case "$1" in
start)
stat_busy "Starting $DAEMON"
pon <TUNNEL> updetach persist &>/dev/null && <ROUTING COMMAND> &>/dev/null
if [ $? = 0 ]; then
add_daemon $DAEMON
stat_done
else
stat_fail
exit 1
fi
;;
stop)
stat_busy "Stopping $DAEMON"
poff <TUNNEL> &>/dev/null
if [ $? = 0 ]; then
rm_daemon $DAEMON
stat_done
else
stat_fail
exit 1
fi
;;
restart)
$0 stop
sleep 1
$0 start
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
Remarks
You can find more information about configuring pptpclient at their website: pptpclient website. The contents of this article where adapted from their Ubuntu How-To which also provides some hints on how to do things such as connecting on boot. These examples should be easy to adapt into daemons or other scripts to help automate your configuration.