From the pptpclient website:
"PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers."
While pptpclient is great and lightweight, it isn't exactly the easiest thing to get up and running by itself. There is another program called pptpconfig which does what I describe below and more. Unfortunately it's not in any of the repos and I couldn't get all the php4 stuff that it depends on to work. If/when it makes it into the repositories, use that instead of this.
Lastly I got almost all of my information from this forum post (connecting to Relakks from Arch) and from the pptpclient's pages on configuring by hand and routing. If my way doesn't work for you try those pages.
The package we need is pptpclient, which is in the [community] repository (uncomment the appropriate lines in /etc/pacman.conf to get it).
pacman -S pptpclient
If you don't already have ppp installed, make sure pacman picks it up for you.
Configuring and Connecting
If you're smart/safe you're running a firewall. If that's so, we need to make sure some things are open in order for us to be able to connect. Personally I use guarddog, in which case you just need to go to the Protocol Tab->Internet Zone->Networking and make sure PPTP is checked.
If you use firestarter, they supposedly have a workaround for VPNs, but it didn't work for me.
Lastly, if you despise all GUIness and still use iptables directly, check out the forum post from above; it uses iptables.
All (I think) configuration and running of pptpclient requires root, so first
Here you should see the following files:
$ ls -l
total 36K
-rw------- 1 root root   78 2006-09-28 02:52 chap-secrets
-rwxr-xr-x 1 root root   75 2006-09-28 02:52 ip-down*
-rwxr-xr-x 1 root root   85 2006-09-28 02:52 ip-up*
-rw-r--r-- 1 root root  14K 2006-09-28 02:52 options
-rw-r--r-- 1 root root 1.7K 2006-12-25 06:06 options.pptp
-rw------- 1 root root   77 2006-09-28 02:52 pap-secrets
Of those files we only need to muck with options.pptp and chap-secrets.
My options.pptp file has these options set:
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
In chap-secrets put the username, a name to identify the server, the password, and a * for IP addresses, in that order:
DOMAIN\\MyUserName TheServer MyPassWord *
Note: If your pptp server does not require a domain name, leave it and the slashes out.
Yes you really did just put your password in a file in plain text, so
chmod 600 chap-secrets
If it wasn't already that way.
Now it's time to define our vpn connection:
mkdir peers; cd peers
Now come up with a name for your connection; I'll call it myCon.
Add the following lines with your editor of choice, making sure that the variables match what you defined in chap-secrets and options.pptp:
remotename TheServer
ipparam myCon
pty "pptp my.vpn.server --nolaunchpppd"
name DOMAIN\\MyUserName
usepeerdns
require-mppe-128
refuse-eap
noauth
file /etc/ppp/options.pptp
If you don't need MPPE support, remove the require-mppe-128 line
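The peer file and chap-secrets have to agree on the name and remotename values, and chap-secrets must stay owner-only. The script below is an added example, not part of the original page or of pptpclient, that checks both; it assumes the /etc/ppp layout described above and GNU stat, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: cross-checks /etc/ppp/peers/<peer> against chap-secrets.
# Assumes the file layout used on this page and GNU stat (stat -c).

# peer_opt FILE OPTION -> print the raw argument of a one-argument option
peer_opt() {
    while read -r key val rest || [ -n "$key" ]; do
        if [ "$key" = "$2" ]; then printf '%s\n' "$val"; return 0; fi
    done < "$1"
    return 1
}

# check_pptp_peer DIR PEER -> 0 if consistent; problems are reported on stderr
check_pptp_peer() {
    secrets=$1/chap-secrets
    peerfile=$1/peers/$2
    rc=0
    if [ ! -r "$peerfile" ] || [ ! -r "$secrets" ]; then
        echo "cannot read $peerfile or $secrets" >&2; return 1
    fi
    # The secrets file holds a plain-text password: owner-only access.
    mode=$(stat -c %a "$secrets")
    case $mode in
        600|400) ;;
        *) echo "$secrets is mode $mode, expected 600" >&2; rc=1 ;;
    esac
    # Compare raw tokens, so DOMAIN\\User must be written identically in both.
    if ! name=$(peer_opt "$peerfile" name); then
        echo "no 'name' option in $peerfile" >&2; return 1
    fi
    if ! remote=$(peer_opt "$peerfile" remotename); then
        echo "no 'remotename' option in $peerfile" >&2; return 1
    fi
    found=0
    # chap-secrets columns: client  server  secret  allowed-IP-addresses
    while read -r client server rest || [ -n "$client" ]; do
        case $client in ''|'#'*) continue ;; esac
        if [ "$client" = "$name" ] && [ "$server" = "$remote" ]; then found=1; fi
    done < "$secrets"
    if [ "$found" -ne 1 ]; then
        echo "no chap-secrets entry for client $name, server $remote" >&2; rc=1
    fi
    return "$rc"
}

# Usage (as root): sh thisfile /etc/ppp myCon
if [ "$#" -eq 2 ]; then check_pptp_peer "$1" "$2"; fi
```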
With that you should be able to execute the following command
and see something like this in /var/log/daemon.log
pppd: pppd 2.4.4 started by root, uid 0
pppd: Using interface ppp0
pppd: Connect: ppp0 <--> /dev/pts/7
pptp: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
pptp: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
pptp: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
pptp: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 64029).
pptp: anon log[ctrlp_disp:pptp_ctrl.c:949]: PPTP_SET_LINK_INFO received from peer_callid 0
pptp: anon log[ctrlp_disp:pptp_ctrl.c:952]: send_accm is 00000000, recv_accm is FFFFFFFF
pptp: anon warn[ctrlp_disp:pptp_ctrl.c:955]: Non-zero Async Control Character Maps are not supported!
pppd: CHAP authentication succeeded
pppd: MPPE 128-bit stateless compression enabled
pppd: Cannot determine ethernet address for proxy ARP
pppd: local IP address <local IP address>
pppd: remote IP address <remote IP address>
pppd: primary DNS address <primary DNS>
pppd: secondary DNS address <secondary DNS>
should show you an inet addr matching <local IP address> and P-t-P matching <remote IP address>
If that didn't work, see below in the Troubleshooting section
If the vpn server is also the computer you need to connect to, then you can skip this section. However, if you're like me, the vpn server is just a gateway and what you really want access to is the computers on the other side. There are several different methods of routing traffic through the vpn tunnel, all of which can be found here at the pptpclient's website. For my purposes, I want only traffic destined for the remote network to go through the tunnel, i.e. a Client -> LAN setup.
For this to work, you need to know what the remote network addresses start with, e.g. 192.168.10. So for every subnet (is that the right term?) on the remote network that you want to access, issue this command
route add -net <subnet address>.0 netmask 255.255.255.0 dev ppp0
Which in our example of remote network addresses starting with 192.168.10 means
route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0
Now that we have that set, you'll want to add the DNS servers that pptp found to /etc/resolv.conf. Conveniently it stores them in /etc/ppp/resolv.conf, so just take what's there and add it to the beginning of your existing resolv.conf
mv /etc/resolv.conf /etc/resolv.conf.bak
mv /etc/ppp/resolv.conf /etc/resolv.conf
cat /etc/resolv.conf.bak >> /etc/resolv.conf
With that you should be connected! Try route, ping, and/or traceroute to see the layout of your connections.
When you're done, just issue
Also don't forget to restore your resolv.conf
mv /etc/resolv.conf.bak /etc/resolv.conf
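Running the three resolv.conf commands above a second time without restoring first replaces the only clean backup with the already-merged file. As an added example (not from the original page), here is the same swap as two guarded shell functions; the function names and the path parameters are assumptions made so the logic can be tried on scratch files before pointing it at /etc/resolv.conf and /etc/ppp/resolv.conf.

```shell
#!/bin/sh
# Added example: the resolv.conf swap from this page with guards.
# On the page's setup SYSTEM_RESOLV is /etc/resolv.conf and
# PPP_RESOLV is /etc/ppp/resolv.conf (written by pppd with usepeerdns).

# vpn_dns_up SYSTEM_RESOLV PPP_RESOLV
# Puts the VPN name servers first; the original is kept as SYSTEM_RESOLV.bak.
vpn_dns_up() {
    sys=$1
    ppp=$2
    if [ -e "$sys.bak" ]; then
        # A second run would overwrite the only clean copy of the original.
        echo "$sys.bak already exists; run vpn_dns_down first" >&2
        return 1
    fi
    if [ ! -f "$sys" ] || [ ! -s "$ppp" ]; then
        echo "$sys missing, or $ppp missing/empty (is usepeerdns set?)" >&2
        return 1
    fi
    cp -p "$sys" "$sys.bak" || return 1
    # Writing in place keeps the owner and mode of the system file.
    if ! cat "$ppp" "$sys.bak" > "$sys"; then
        mv "$sys.bak" "$sys"
        return 1
    fi
    return 0
}

# vpn_dns_down SYSTEM_RESOLV
# Restores the original file saved by vpn_dns_up.
vpn_dns_down() {
    sys=$1
    if [ ! -e "$sys.bak" ]; then
        echo "no backup at $sys.bak; nothing to restore" >&2
        return 1
    fi
    mv "$sys.bak" "$sys"
}
```

Unlike the mv sequence above, this leaves /etc/ppp/resolv.conf in place.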