PPTP Client
Microsoft VPN client setup with pptpclient
pptpclient is a program implementing the Microsoft PPTP protocol. As such, it can be used to connect to a Microsoft VPN network (or any PPTP-based VPN) provided by a school or workplace.
Installing PPTP Client
PPTP Client is provided by the pptpclient package found in the official repositories.
Configure
To configure pptpclient you will need to collect the following information from your network administrator:
- The IP address or hostname of the VPN server
- The name you wish to use for the tunnel.
- The authentication (Windows) domain name. This is not provided or needed for certain networks.
- The username you will use to connect.
- The password you will use to connect.
Edit The options.pptp File
With your favorite text editor open /etc/ppp/options.pptp. This file enables a number of security-relevant options for your VPN connection by default. If you have trouble connecting to your network, you can relax these options. At a minimum, your /etc/ppp/options.pptp file should contain:
lock
noauth
nobsdcomp
nodeflate
Edit The chap-secrets File
Next, open or create the /etc/ppp/chap-secrets file. We will be storing your password in this file, so make sure that the permissions are set such that no-one besides root can read it:
chmod 0600 /etc/ppp/chap-secrets
The file should have the following format:
<DOMAIN>\\<USERNAME> PPTP <PASSWORD> *
Or, if your connection does not require a domain:
<USERNAME> PPTP <PASSWORD> *
Simply replace each bracketed term in the examples with the appropriate value. If your password contains special characters such as $, you should place the password in double quotation marks (").
Name Your Tunnel
With your favorite text editor create a /etc/ppp/peers/<TUNNEL> file, where <TUNNEL> is the name you wish to use for your VPN connection. The file should look like this:
pty "pptp <SERVER> --nolaunchpppd"
name <DOMAIN>\\<USERNAME>
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam <TUNNEL>
If your connection does not require a domain, remove <DOMAIN>\\ from the file you create. remotename PPTP is used to find <PASSWORD> in the /etc/ppp/chap-secrets file. <SERVER> is the remote address of the VPN server, <DOMAIN> is the domain your user belongs to, <USERNAME> is the name you will use to connect to the server, and <TUNNEL> is the name of the connection.
If you have trouble connecting, you can try removing the require-mppe-128 option from this file and from /etc/ppp/options.pptp. Be aware that this option is what requires 128-bit MPPE encryption on the link; without it, pppd may bring up a connection whose traffic is not encrypted at all.
Making Your Connection
To make sure that everything is configured properly, as root execute:
# pon <TUNNEL> debug dump logfd 2 nodetach
If everything has been configured correctly, the pon command should not terminate. Once you are satisfied that it has connected successfully, you can terminate the command. Run ip addr show and ensure that a new device, ppp0, is available.
To connect to your VPN normally, simply execute:
# pon <TUNNEL>
Where <TUNNEL> is the name of the tunnel you established earlier. Note that this command should be run as root.
Routing
Once you have connected to your VPN, you should be able to interact with anything available on the VPN server. To access anything on the remote network, you need to add a new route to your routing table.
For more information on how to add routes, you can read this article which has many more examples: PPTP Routing Howto
Split Tunneling
Packets with a destination of your VPN's network should be routed through the VPN interface (usually ppp0). To do this, you create the route:
# ip route add 192.168.10.0/24 dev ppp0
This will route all the traffic with a destination of 192.168.10.* through your VPN's interface (ppp0).
Route All Traffic
It may be desirable to route all traffic through your VPN connection. You can do this by running:
# ip route add default dev ppp0
Route All Traffic by /etc/ppp/ip-up.d
Scripts in /etc/ppp/ip-up.d/ will be called when the VPN connection is established. Create /etc/ppp/ip-up.d/01-routes.sh:
#!/bin/bash
# This script is called with the following arguments:
#   Arg  Name
#   $1   Interface name
#   $2   The tty
#   $3   The link speed
#   $4   Local IP number
#   $5   Peer IP number
#   $6   Optional ``ipparam'' value foo

# Send all traffic through the tunnel. $4 is our own address on the
# point-to-point link, which the kernel accepts as the gateway for ppp devices.
route add default gw $4
Make sure the script is executable.
Split Tunneling based on port by /etc/ppp/ip-up.d
Scripts in /etc/ppp/ip-up.d/ will be called when the VPN connection is established. Create /etc/ppp/ip-up.d/01-routebyport.sh:
#!/bin/bash
# This script is called with the following arguments:
#   Arg  Name
#   $1   Interface name
#   $2   The tty
#   $3   The link speed
#   $4   Local IP number
#   $5   Peer IP number
#   $6   Optional ``ipparam'' value foo

# Disable reverse-path filtering on the VPN interface: marked packets leave
# via a different table than the one the kernel would pick for their replies.
echo 0 > /proc/sys/net/ipv4/conf/$1/rp_filter
# Enable forwarding (this turns the host into a router) and dynamic-address
# rewriting for the masqueraded connections below.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Rebuild the "vpn" routing table with a default route via the peer.
ip route flush table vpn
ip route add default via $5 dev $1 table vpn

# Mark outgoing TCP traffic to the selected ports (here IRC, 6667 and 6697)
# and masquerade whatever leaves through the tunnel.
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 6667,6697 -j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE

# Marked packets, and anything sourced from our tunnel address, use table vpn.
ip rule add fwmark 0x1 pri 100 lookup vpn
ip rule add from $4 pri 200 table vpn
ip route flush cache
Make sure the script is executable and that the vpn table is added to /etc/iproute2/rt_tables:
201 vpn
Disconnecting
To disconnect from your VPN simply execute:
# poff <TUNNEL>
Where <TUNNEL> is the name of your connection.
Making A VPN Daemon and Connecting On Boot
You can create a simple daemon for your VPN connection by creating an appropriate /etc/rc.d/* script:
<TUNNEL> is the name of your tunnel. <ROUTING COMMAND> is the command you use to add the appropriate route to the routing table. Note that the updetach and persist arguments are passed to /usr/bin/pon when the daemon starts. This is relevant because the /usr/bin/poff script contains a bug when determining the PID of the specified pppd process if arguments were passed to pon.
To resolve this issue, you can patch your /usr/bin/poff file by making the following changes on line 93:
-PID=`ps axw | grep "[ /]pppd call $1 *\$" | awk '{print $1}'` +PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'`
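Review bot: the replacement line drops the trailing ` *\$` anchor, which turns the match into a prefix match on the tunnel name, so `poff work` would also select a pppd running `call work2` (any tunnel whose name begins with the requested one) and stop the wrong connection. Keep a delimiter after the name instead of removing the anchor outright, e.g. `grep "[ /]pppd call $1\( \|\$\)"`, which still matches when `updetach persist` follow the name.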
/etc/rc.d/name-of-your-vpn
#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions

DAEMON=<TUNNEL>-vpn
ARGS=

[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON

case "$1" in
  start)
    stat_busy "Starting $DAEMON"
    pon <TUNNEL> updetach persist &>/dev/null && <ROUTING COMMAND> &>/dev/null
    if [ $? = 0 ]; then
      add_daemon $DAEMON
      stat_done
    else
      stat_fail
      exit 1
    fi
    ;;
  stop)
    stat_busy "Stopping $DAEMON"
    poff <TUNNEL> &>/dev/null
    if [ $? = 0 ]; then
      rm_daemon $DAEMON
      stat_done
    else
      stat_fail
      exit 1
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
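Why the poff PID pattern discussed above matters, as an added example that is not part of the original page: the functions below run poff's ps/grep/awk pipeline over a constructed ps axw snapshot (made-up PIDs, a tunnel named work and an unrelated one named work2) using the original pattern, the patched pattern from the page, and a delimited variant that is a suggestion of this example rather than the page's.

```shell
#!/bin/sh
# Added example, not from the original page. A constructed snapshot standing in
# for live `ps axw` output: two pppd processes for the tunnel "work" (one started
# with "updetach persist"), one for an unrelated tunnel "work2", and the grep
# process itself, as it would appear while poff runs. PIDs are made up.
PS_SNAPSHOT='  812 ?        Ss     0:00 /usr/sbin/pppd call work
  903 ?        Ss     0:00 /usr/sbin/pppd call work updetach persist
  951 ?        Ss     0:00 /usr/sbin/pppd call work2
 1020 pts/0    S+     0:00 grep [ /]pppd call work *$'

# pids_for PATTERN: poff's lookup pipeline (grep, then awk for the PID column)
# run over the snapshot. Output is the matched PIDs, space-separated.
pids_for() {
    printf '%s\n' "$PS_SNAPSHOT" | grep -E -- "$1" \
        | awk '{ printf "%s%s", sep, $1; sep = " " }'
}

# Original poff pattern: the tunnel name may be followed only by spaces up to
# end of line, so the pppd started with extra arguments (903) is never found.
# The leading "[ /]" keeps grep from matching its own command line (1020),
# because that line contains "]pppd", not " pppd" or "/pppd".
pids_original()  { pids_for "[ /]pppd call $1 *\$"; }

# Patched pattern from the page: finds 903, but with nothing anchoring the end
# of the name it also matches the unrelated tunnel "work2" (951).
pids_patched()   { pids_for "[ /]pppd call $1"; }

# Suggested variant (an assumption, not from the page): require a space or end
# of line after the name, so extra arguments match but "work2" does not.
pids_delimited() { pids_for "[ /]pppd call $1( |\$)"; }

# Stand-alone run: show which PIDs each pattern selects for the tunnel "work".
for f in pids_original pids_patched pids_delimited; do
    printf '%-15s -> %s\n' "$f" "$($f work)"
done
```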
The script calls pon with two additional arguments: updetach and persist. The argument updetach makes pon block until the connection has been established. The other argument, persist, makes the network automatically reconnect in the event of a failure. To connect at boot, add @<TUNNEL>-vpn to the end of your DAEMONS array in /etc/rc.conf.
Remarks
You can find more information about configuring pptpclient at their website: pptpclient website. The contents of this article were adapted from their Ubuntu How-To, which also provides some hints on how to do things such as connecting on boot. These examples should be easy to adapt into daemons or other scripts to help automate your configuration.