PPTP Client

From ArchWiki
Revision as of 04:18, 15 April 2007 by Lir (talk | contribs) (initial upload, Troubleshooting needs to be fleshed out still)


From the pptpclient website:

"PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers."

While pptpclient is great and lightweight, it isn't exactly the easiest thing to get up and running by itself. There is another program called pptpconfig which does what I describe below and more. Unfortunately it's not in any of the repos and I couldn't get all the php4 stuff that it depends on to work. If/when it makes it into the repositories, use that instead of this.

Lastly I got almost all of my information from this forum post (connecting to Relakks from Arch) and from the pptpclient's pages on configuring by hand and routing. If my way doesn't work for you try those pages.


The package we need is pptpclient, which is in the [community] repository (uncomment the appropriate lines in /etc/pacman.conf to get it).

pacman -S pptpclient

If you don't already have ppp installed, make sure pacman picks it up for you.

Configuring and Connecting

Firewall Config

If you're smart/safe you're running a firewall. If that's so, we need to make sure some things are open in order for us to be able to connect. Personally I use guarddog, in which case you just need to go to the Protocol Tab->Internet Zone->Networking and make sure PPTP is checked.

If you use firestarter, they supposedly have a workaround for VPNs, but it didn't work for me.

Lastly, if you despise all GUIness and still use iptables directly, check out the forum post from above; it uses iptables.

PPTP Config

All (I think) configuration and running of pptpclient requires root, so first



cd /etc/ppp

Here you should see the following files:

$ ls -l
 total 36K
 -rw------- 1 root root   78 2006-09-28 02:52 chap-secrets
 -rwxr-xr-x 1 root root   75 2006-09-28 02:52 ip-down*
 -rwxr-xr-x 1 root root   85 2006-09-28 02:52 ip-up*
 -rw-r--r-- 1 root root  14K 2006-09-28 02:52 options
 -rw-r--r-- 1 root root 1.7K 2006-12-25 06:06 options.pptp
 -rw------- 1 root root   77 2006-09-28 02:52 pap-secrets

Of those files we only need to muck with options.pptp and chap-secrets.

My options.pptp file has these options set


In chap-secrets, put your username, a name to identify the server, your password and a * for IP addresses, in that order:

DOMAIN\\MyUserName TheServer MyPassWord *

Note: If your pptp server does not require a domain name, leave it and the slashes out.

Yes you really did just put your password in a file in plain text, so

chmod 600 chap-secrets

If it wasn't already that way.

Now it's time to define our vpn connection:


mkdir peers; cd peers

Now come up with a name for your connection, I'll call it myCon.

touch myCon

Add the following lines with your editor of choice, making sure that the variables match what you defined in chap-secrets and options.pptp:

remotename TheServer
ipparam myCon
pty "pptp my.vpn.server --nolaunchpppd"
name DOMAIN\\MyUserName
file /etc/ppp/options.pptp

If you don't need MPPE support (MPPE is what encrypts the PPP traffic inside the tunnel), remove the require-mppe-128 line.
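
One way to check that the peer file and chap-secrets actually match, and that chap-secrets is not readable by group or other, before running pon. This is an added example, not part of the original page or of pptpclient; check_pptp_peer and write_sample are hypothetical helper names, and the sample files are the ones shown above.

```shell
#!/bin/sh
# check_pptp_peer PEER_FILE CHAP_SECRETS   (hypothetical helper)
# Prints each problem found; returns 0 when the pair is consistent.
check_pptp_peer() {
    peer=$1; secrets=$2; rc=0

    # Take the second field of the "name" and "remotename" lines verbatim
    # (awk leaves backslashes in input data alone, unlike a plain `read`).
    name=$(awk '$1 == "name" { print $2; exit }' "$peer")
    remote=$(awk '$1 == "remotename" { print $2; exit }' "$peer")
    if [ -z "$name" ] || [ -z "$remote" ]; then
        printf '%s\n' "peer file lacks a name or remotename line"
        return 1
    fi

    # chap-secrets holds the password in plain text, so the group and
    # other permission bits (characters 5-10 of the ls mode) must be clear.
    if [ "$(ls -ld "$secrets" | cut -c5-10)" != "------" ]; then
        printf '%s\n' "chap-secrets is accessible to group/other: chmod 600 it"
        rc=1
    fi

    # Field order is: client server secret IP. The values are passed
    # through the environment because awk -v would collapse the "\\".
    if ! N=$name R=$remote awk '
            /^[ \t]*#/ { next }
            NF >= 3 && $1 == ENVIRON["N"] && $2 == ENVIRON["R"] { ok = 1 }
            END { exit !ok }' "$secrets"; then
        printf '%s\n' "no chap-secrets entry for client $name and server $remote"
        rc=1
    fi
    return $rc
}

# Constructed sample: writes the page's two example files into directory $1.
write_sample() {
    cat > "$1/myCon" <<'EOF'
remotename TheServer
ipparam myCon
pty "pptp my.vpn.server --nolaunchpppd"
name DOMAIN\\MyUserName
file /etc/ppp/options.pptp
EOF
    cat > "$1/chap-secrets" <<'EOF'
DOMAIN\\MyUserName TheServer MyPassWord *
EOF
    chmod 600 "$1/chap-secrets"
}
```

On a real system, run it as root: check_pptp_peer /etc/ppp/peers/myCon /etc/ppp/chap-secrets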

With that you should be able to execute the following command

pon myCon

and see something like this in /var/log/daemon.log

pppd[10505]: pppd 2.4.4 started by root, uid 0
pppd[10505]: Using interface ppp0
pppd[10505]: Connect: ppp0 <--> /dev/pts/7
pptp[10506]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp[10513]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
pptp[10513]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 64029).
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:949]: PPTP_SET_LINK_INFO received from peer_callid 0
pptp[10513]: anon log[ctrlp_disp:pptp_ctrl.c:952]:   send_accm is 00000000, recv_accm is FFFFFFFF
pptp[10513]: anon warn[ctrlp_disp:pptp_ctrl.c:955]: Non-zero Async Control Character Maps are not supported!
pppd[10505]: CHAP authentication succeeded
pppd[10505]: MPPE 128-bit stateless compression enabled
pppd[10505]: Cannot determine ethernet address for proxy ARP
pppd[10505]: local  IP address <local IP address>
pppd[10505]: remote IP address <remote IP address>
pppd[10505]: primary   DNS address <primary DNS>
pppd[10505]: secondary DNS address <secondary DNS>


ifconfig ppp0

should show you an inet addr matching <local IP address> and P-t-P matching <remote IP address>

If that didn't work, see below in the Troubleshooting section.
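
The log lines above can also be checked mechanically, which is useful for confirming that 128-bit MPPE was really negotiated and not just requested. This is an added example, not part of the original page; tunnel_status and sample_log are hypothetical names, and the sample log is constructed in the page's log format with made-up addresses.

```shell
#!/bin/sh
# tunnel_status [LOGFILE]   (reads standard input when no file is given)
# Summarises the most recent pppd session and returns 0 only if CHAP
# succeeded, 128-bit MPPE was negotiated and a local address was assigned.
tunnel_status() {
    awk '
        / pppd [0-9.]+ started by / { auth = 0; mppe = 0; ip = "" }  # new session
        /CHAP authentication succeeded/ { auth = 1 }
        /MPPE 128-bit .* enabled/       { mppe = 1 }
        /local +IP address/             { ip = $NF }
        END {
            printf "auth=%d mppe128=%d local_ip=%s\n", auth, mppe, (ip == "" ? "-" : ip)
            exit !(auth && mppe && ip != "")
        }' "$@"
}

# Constructed sample: two sessions. The second one (PID 10601) authenticates
# but never reports MPPE, so the tunnel it describes is not encrypted.
sample_log() {
    cat <<'EOF'
pppd[10505]: pppd 2.4.4 started by root, uid 0
pppd[10505]: Using interface ppp0
pppd[10505]: CHAP authentication succeeded
pppd[10505]: MPPE 128-bit stateless compression enabled
pppd[10505]: local  IP address 192.0.2.10
pppd[10505]: remote IP address 192.0.2.1
pppd[10601]: pppd 2.4.4 started by root, uid 0
pppd[10601]: Using interface ppp0
pppd[10601]: CHAP authentication succeeded
pppd[10601]: local  IP address 192.0.2.11
pppd[10601]: remote IP address 192.0.2.1
EOF
}
```

On a real system: tunnel_status /var/log/daemon.log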

Network Config

If the vpn server is also the computer you need to connect to, then you can skip this section. However, if you're like me, the vpn server is just a gateway and what you really want access to is the computers on the other side. There are several different methods of routing traffic through the vpn tunnel, all of which can be found here at the pptpclient's website. For my purposes, I want only traffic destined for the remote network to go through the tunnel, i.e. a Client -> LAN setup.

For this to work, you need to know what the remote network's addresses start with, e.g. 192.168.10. So for every subnet (is that the right term?) on the remote network that you want to access, issue this command

route add -net <subnet address>.0 netmask 255.255.255.0 dev ppp0

Which in our example of remote network addresses starting with 192.168.10 means

route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0

Now that we have that set, you'll want to add the DNS servers that pptp found to /etc/resolv.conf. Conveniently it stores them in /etc/ppp/resolv.conf, so just take what's there and add it to the beginning of your existing resolv.conf

mv /etc/resolv.conf /etc/resolv.conf.bak
mv /etc/ppp/resolv.conf /etc/resolv.conf
cat /etc/resolv.conf.bak >> /etc/resolv.conf

With that you should be connected! Try route, ping, and/or traceroute to see the layout of your connections.

Connection teardown

When you're done, just issue

poff myCon

Also don't forget to restore your resolv.conf

mv /etc/resolv.conf.bak /etc/resolv.conf


Bad config files