Difference between revisions of "PPTP server"

From ArchWiki
(Using systemd: Fixed wrong script)
m (iptables firewall configuration: fix garbage letter)
 
(43 intermediate revisions by 20 users not shown)

Latest revision as of 12:17, 16 March 2018

Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP (port 1723) and a GRE tunnel to encapsulate PPP packets.

This article shows how to set up a PPTP server on Arch Linux.

Warning: The PPTP protocol is inherently insecure. See http://poptop.sourceforge.net/dox/protocol-security.phtml for details.

Installation

Install the pptpd package.

Configuration

Tip: Configuration examples can be found in the /usr/share/doc/pptpd directory.

A typical configuration may look like:

/etc/pptpd.conf
# Read man pptpd.conf, see samples in /usr/share/doc/pptpd
# and write your pptpd configuration here

# pppd options file. By default, /etc/ppp/options is used
option /etc/ppp/options.pptpd

# Server IP in local network
localip 192.168.1.2

# IP address ranges used to assign IPs to new connecting clients
# Here we define two ranges for our 192.168.1.* subnet: 234-238 and 245
remoteip 192.168.1.234-238,192.168.1.245

Now create the pppd options file, in our example this is /etc/ppp/options.pptpd:

/etc/ppp/options.pptpd
# Read man pppd to see the full list of available options

# The name of the local system for authentication purposes
name pptpd

# Refuse PAP, CHAP or MS-CHAP connections but accept connections with
# MS-CHAPv2 or MPPE with 128-bit encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

# Add entry to the ARP system table
proxyarp

# For the serial device to ensure exclusive access to the device
lock

# Disable BSD-Compress and Van Jacobson TCP/IP header compression
nobsdcomp
novj
novjccomp

# Disable file logging
nolog

# DNS servers for Microsoft Windows clients. Using Google's public servers here
ms-dns 8.8.8.8
ms-dns 8.8.4.4
Note: Make sure the file ends with an empty line to prevent possible parsing issues.

Now create credentials file for authenticating users:

/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
  user2         pptpd   123                     *

Clients can now authenticate with user2 as the username and 123 as the password.
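The three files above are easy to get subtly wrong: a pppd options file that leaves PAP or MS-CHAPv1 enabled, a chap-secrets file that is world-readable (it holds cleartext passwords), or a pptpd.conf without a final newline (see "Long config file line ignored" under Troubleshooting). The following POSIX shell script is an added example, not part of the ArchWiki article; it audits copies of those files for exactly those problems. The file paths are parameters and the 12-character minimum secret length is an assumption chosen for this example:

```shell
#!/bin/sh
# Added example (not from the ArchWiki article): audit the pptpd/pppd
# configuration files described above.
#
#   audit_pptp_config <pptpd.conf> <options.pptpd> <chap-secrets>
#
# Prints one FAIL line per problem and returns 0 only when every check passes.

# ends_with_newline FILE: true when the last byte of FILE is a newline.
# pptpd ignores a final line that is not newline-terminated.
ends_with_newline() {
    [ -s "$1" ] && [ $(( $(tail -c 1 "$1" | wc -l) )) -eq 1 ]
}

# has_option FILE OPTION: true when OPTION is set on an uncommented line.
has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

audit_pptp_config() {
    conf=$1 opts=$2 secrets=$3 rc=0

    # 1. pptpd.conf must end with a newline or its last line is dropped.
    ends_with_newline "$conf" || { echo "FAIL: $conf lacks a trailing newline"; rc=1; }

    # 2. pppd may only negotiate MS-CHAPv2 with 128-bit MPPE, i.e. all of the
    #    refuse-*/require-* options from the article must be present.
    for o in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        has_option "$opts" "$o" || { echo "FAIL: $opts does not set $o"; rc=1; }
    done

    # 3. chap-secrets stores cleartext passwords: it must not be group- or
    #    world-readable (0600 or 0400).
    mode=$(stat -c '%a' "$secrets")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $secrets is mode $mode, expected 0600"; rc=1 ;;
    esac

    # 4. Flag short secrets (third field of every uncommented entry). The
    #    12-character threshold is an assumption made for this example.
    awk '!(/^[[:space:]]*#/ || NF == 0) && length($3) < 12 {
            print "FAIL: weak secret for user " $1; exit 1
         }' "$secrets" || rc=1

    return $rc
}

# When run directly with three paths, audit them; when sourced, only define
# the functions.
if [ "$#" -eq 3 ]; then
    audit_pptp_config "$@"
fi
```

Run it as root against the live files with `sh audit.sh /etc/pptpd.conf /etc/ppp/options.pptpd /etc/ppp/chap-secrets`; the article's own chap-secrets example (secret 123) is reported as weak, which is the intended outcome.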

Create a sysctl configuration file /etc/sysctl.d/30-ipforward.conf and enable kernel packet forwarding so that connecting clients can reach your subnet (see also Internet Share#Enable packet forwarding):

/etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1

Now apply changes to let the sysctl configuration take effect:

# sysctl --system

iptables firewall configuration

Configure your iptables rules to allow access for PPTP clients:

# Accept all packets via ppp* interfaces (for example, ppp0)
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT

# Accept incoming connections to port 1723 (PPTP)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Accept GRE packets
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

# Enable IP forwarding
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT

# Enable NAT for eth0 on ppp* interfaces
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
Note: Ensure that "eth0" is replaced with the actual ethernet interface connected to the server.

Now save the new iptables rules with:

# iptables-save > /etc/iptables/iptables.rules

To load /etc/iptables/iptables.rules automatically after boot, enable the iptables.service unit.

# systemctl enable iptables.service

Read Iptables for more information.

UFW firewall configuration

Configure your ufw settings to allow access for PPTP clients.

First change the default forward policy in /etc/default/ufw:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/before.rules and add the following block after the header and before the *filter line:

/etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# commit to apply changes
COMMIT

Allow GRE packets (protocol 47) in /etc/ufw/before.rules: find the line containing # drop INVALID packets and insert the rule directly below that comment, before the existing INVALID rules:

/etc/ufw/before.rules
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -p 47 -i $iface -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

Open the PPTP port 1723:

ufw allow 1723

Restart ufw for good measure:

ufw disable
ufw enable

Start the server

Now you can start and enable your PPTP Server using pptpd.service.

Troubleshooting

As with any service, see Systemd#Troubleshooting to investigate errors.

Error 619 on the client side

Search for the logwtmp option in /etc/pptpd.conf and comment it out. When this is enabled, wtmp will be used to record client connections and disconnections.

#logwtmp

pptpd[xxxxx]: Long config file line ignored

Add a blank line at the end of /etc/pptpd.conf. [1]

ppp0: ppp: compressor dropped pkt

If you have this error while a client is connected to the server, add the following script to /etc/ppp/ip-up.d/mppefixmtu.sh:

#!/bin/sh
# pppd runs every script in /etc/ppp/ip-up.d/ when a link comes up; $1 is the
# interface name (for example ppp0).
# Read the interface's current MTU and raise it by 4 bytes, which stops the
# "compressor dropped pkt" errors for the connected client.
CURRENT_MTU="$(ip link show "$1" | grep -Po '(?<=mtu )[0-9]+')"
FIXED_MTU="$(expr "$CURRENT_MTU" + 4)"
ip link set "$1" mtu "$FIXED_MTU"

Make the script executable:

# chmod 755 /etc/ppp/ip-up.d/mppefixmtu.sh

See also: [2]