Replacing a Windows PPTP server with Linux HOWTO

by Matt Alexander (maintained by James Cameron)
2005-11-16

We describe how to replace a Windows PPTP server with a Linux one, with the same authentication and encryption capability. The instructions are generic, but some file names are specific to Fedora Core 3, as we used that to verify the process.

2005-02-26

Note: if you don't need Active Directory support, please see our HOWTO for conventional configurations.
2005-05-06

Note: if you are trying this with an older distribution version, ensure that you have a recent version of Kerberos. This is required for interoperability with Active Directory. We know krb5-1.3.4 works. We believe Kerberos in anything Red Hat 9 or later should work.

Note: the system time on the Linux host must be kept in reasonable sync with the Active Directory server, or Kerberos authentication will fail.

2005-02-23

Note: on the original web page, purple highlight marks text you must change for your environment; in this copy those values appear as placeholders such as YOURDOMAIN and your-server-ip-address.

2005-02-28

  1. install the following from poptop.sourceforge.net downloads:

    • if you have a kernel below 2.6.15-rc1, dkms-2.0.5-1.noarch.rpm (file list)
    • if you have a kernel below 2.6.15-rc1, kernel_ppp_mppe-0.0.5-2dkms.noarch.rpm (file list)
    • pptpd-1.2.3-1.i386.rpm (file list)
    • ppp-2.4.3-3.fc3.i386.rpm (file list)

    Note: ppp-2.4.3-5 or later includes a fix that prevents authentication of some usernames.
    2005-05-13

    Note: these are the versions for Fedora Core 3, but you should choose appropriate versions from the files available. PPP has a version for each distribution.

    2005-02-28

    Note: DKMS is the Dynamic Kernel Module Support package. It builds kernel modules such as MPPE that were not part of the kernel source below version 2.6.15-rc1. The kernel_ppp_mppe package contains the module source. See Dell's Linux community Projects list, the DKMS project page or the Ottawa Linux Symposium paper on DKMS.

    2005-11-16

    Note: the released version 2.4.3 of PPP contains the required winbind feature; some CVS versions prior to that release do not.

    2005-02-22

  2. setup smb.conf:

    [global]
    workgroup = YOURDOMAIN
    realm = YOURDOMAIN.COM
    server string = your-server-name
    load printers = no
    log file = /var/log/samba/%m.log
    security = ads
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain master = no
    preferred master = no
    wins server = your-wins-server-ip-address
    dns proxy = no
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    interfaces = your-server-ip lo

  3. configure firewall:

    The details of configuring a firewall are outside the scope of this paper, but it should be set to allow:

    • packets for TCP port 1723 connections to the server from the clients,
    • packets of IP protocol 47 (GRE) in both directions with the clients,
    • packets for UDP ports 137 and 138 with the Active Directory server,
    • packets for TCP ports 139 and 445 with the Active Directory server.

    For example, on Red Hat the iptables rules for talking with the Active Directory are:

    -N WINBIND
    -A WINBIND -p udp -m udp -s source --dport 137 -j ACCEPT
    -A WINBIND -p udp -m udp -s source --dport 138 -j ACCEPT
    -A WINBIND -p tcp -m tcp -s source --dport 139 --syn -j ACCEPT
    -A WINBIND -p tcp -m tcp -s source --dport 445 --syn -j ACCEPT

    where source is the subnet or IP address of the Active Directory server.

    2005-02-23
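As an added example (not part of the HOWTO), the rules above can be generated in iptables-restore format from the two addresses that actually vary, the client network and the domain controller. The script is my own and makes assumptions the page does not: a stateful filter table, rules appended to INPUT with "iptables-restore -n" so the reader's existing policy (SSH, default DROP and so on) is left alone, an OUTPUT chain that accepts outbound GRE, and a jump from INPUT into the HOWTO's WINBIND chain, which the page's snippet defines but does not reference.

```shell
#!/bin/sh
# Added example for step 3 (not from the poptop HOWTO): emit the firewall rules
# the step lists, in iptables-restore format, for one client network and one
# Active Directory server. Assumptions (mine, not the page's): a stateful
# filter table, rules appended to INPUT with "iptables-restore -n" so the
# reader's existing policy is kept, OUTPUT accepting outbound GRE, and the
# HOWTO's WINBIND chain reached by a jump from INPUT.

emit_pptp_rules() {
    clients=$1    # network the VPN clients connect from, e.g. 203.0.113.0/24
    ad=$2         # address or subnet of the Active Directory server
    if [ -z "$clients" ] || [ -z "$ad" ]; then
        echo "usage: emit_pptp_rules <client-net> <ad-server>" >&2
        return 1
    fi
    cat <<EOF
*filter
:WINBIND - [0:0]
# replies to connections this host opened itself (winbind to the DC, DNS, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# PPTP control connection: new TCP 1723 connections from the client network only
-A INPUT -p tcp -m tcp -s $clients --dport 1723 --syn -j ACCEPT
# PPTP data stream: GRE (IP protocol 47) from the clients; the outbound
# direction is left to the OUTPUT chain (assumed ACCEPT)
-A INPUT -p 47 -s $clients -j ACCEPT
# everything from the domain controller goes through the HOWTO's WINBIND chain
-A INPUT -s $ad -j WINBIND
-A WINBIND -p udp -m udp -s $ad --dport 137 -j ACCEPT
-A WINBIND -p udp -m udp -s $ad --dport 138 -j ACCEPT
-A WINBIND -p tcp -m tcp -s $ad --dport 139 --syn -j ACCEPT
-A WINBIND -p tcp -m tcp -s $ad --dport 445 --syn -j ACCEPT
# anything else from the DC falls back to the rest of INPUT
-A WINBIND -j RETURN
COMMIT
EOF
}

# Stand-alone use: ./pptp-rules.sh 203.0.113.0/24 192.0.2.10 | iptables-restore -n
if [ $# -eq 2 ]; then
    emit_pptp_rules "$1" "$2"
fi
```

Restricting TCP 1723 and GRE to the client network is the one tightening beyond the page's list; if clients connect from arbitrary addresses, pass 0.0.0.0/0 as the first argument and rely on MS-CHAPv2 and MPPE alone.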

  4. configure Kerberos /etc/krb5.conf:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      default_realm = YOURDOMAIN.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false

    [realms]
      YOURDOMAIN.COM = {
        kdc = your-domain-controller-ip-address:88
        admin_server = your-domain-controller-ip-address:749
        default_domain = YOURDOMAIN.COM
      }

    [domain_realm]
      .YOURDOMAIN.COM = YOURDOMAIN.COM
      YOURDOMAIN.COM = YOURDOMAIN.COM

    [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }

    Note: the domain needs to be in uppercase.

    2005-02-23

  5. join the computer to the domain:

    net join -U somedomainadmin

    Note: this only needs to be done once, not on every boot. It is a one-time step that joins the computer to the Active Directory domain. Authenticating users with winbind won't work unless the computer is part of the domain.

    2005-02-22

  6. edit /etc/pptpd.conf:

    option /etc/ppp/options.pptpd
    ppp /usr/local/sbin/pppd
    localip your-tunnel-local-ip-address
    remoteip your-tunnel-remote-ip-address-range

  7. edit /etc/ppp/options.pptpd:

    lock
    debug
    nologfd
    name pptpdev
    nobsdcomp
    proxyarp
    refuse-pap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns your-first-domain-name-server-ip-address
    ms-dns your-second-domain-name-server-ip-address
    plugin winbind.so
    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

  8. enable IP forwarding in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

    Note: the change to sysctl.conf takes effect on reboot; to make the change now, run "echo 1 > /proc/sys/net/ipv4/ip_forward".
    2005-05-11

  9. startup winbind:

    chkconfig winbind on && service winbind start

    Note: winbind is provided by the samba-common RPM on Fedora Core 3. The Samba smbd service does not need to be running; only winbind and nmbd are required. No file service is required.

    2005-02-22

  10. startup pptpd:

    /usr/local/sbin/pptpd

    Note: this needs to be done on reboot, so you may want to script it.

    2005-02-22

    Note: sample init.d scripts are supplied in the .tar.gz, and are deployed by the pptpd RPM.

    2005-02-23
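Before the old server is powered down in the next step, it is worth confirming that every piece configured in steps 1 to 10 is actually in effect on the new host. The following check script is an added example, not part of the HOWTO or the pptpd package: it reads the kernel module list, the ip_forward sysctl and options.pptpd (paths default to the ones used above and can be overridden for testing), and calls the standard Samba tools (net, wbinfo, ntlm_auth) plus pidof and ss/netstat for the live checks. The account name passed to the ntlm_auth check is whatever domain user the reader chooses.

```shell
#!/bin/sh
# Added pre-cutover checks (not from the poptop HOWTO): run on the new Linux
# server before step 11 shuts down the Windows one. Paths default to the
# locations the HOWTO uses; net/wbinfo/ntlm_auth are the standard Samba
# tools. The username and domain are supplied by the caller.

# kernel: ppp_mppe must be loaded (kernels before 2.6.15-rc1 get it from the
# dkms package of step 1); argument: a /proc/modules-style file
mppe_module_loaded() {
    grep -q '^ppp_mppe ' "${1:-/proc/modules}"
}

# step 8: forwarding is live now, not only after the next reboot
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# step 7: the options file still refuses PAP and MS-CHAPv1, requires MS-CHAPv2
# with 128-bit MPPE, and authenticates through the winbind plugin
options_enforce_policy() {
    f=${1:-/etc/ppp/options.pptpd}
    grep -q '^refuse-pap$' "$f" &&
    grep -q '^refuse-mschap$' "$f" &&
    grep -q '^require-mschap-v2$' "$f" &&
    grep -q '^require-mppe-128$' "$f" &&
    grep -q '^plugin winbind.so$' "$f"
}

# steps 5 and 9: machine account still valid, winbind trust secret works,
# and the needed daemons are up (smbd is not one of them)
domain_join_ok()   { net ads testjoin >/dev/null 2>&1; }
winbind_trust_ok() { wbinfo -t >/dev/null 2>&1; }
daemon_running()   { pidof "$1" >/dev/null 2>&1; }

# step 10: pptpd listening on TCP 1723
pptpd_listening() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q ':1723 '
}

# end to end: a real domain account through the same ntlm_auth the pppd
# winbind plugin calls (prompts for the password, prints
# "NT_STATUS_OK: Success (0x0)" and exits 0 on success)
ntlm_auth_ok() {
    ntlm_auth --username="$1" --domain="$2"
}

# run every check, print one line per result, return 1 if anything failed
run_all() {
    rc=0
    for check in mppe_module_loaded ip_forward_enabled options_enforce_policy \
                 domain_join_ok winbind_trust_ok pptpd_listening; do
        if "$check"; then echo "ok   $check"; else echo "FAIL $check"; rc=1; fi
    done
    for d in winbindd nmbd pptpd; do
        if daemon_running "$d"; then echo "ok   $d running"; else echo "FAIL $d not running"; rc=1; fi
    done
    if [ -n "$1" ] && [ -n "$2" ]; then
        if ntlm_auth_ok "$1" "$2"; then echo "ok   ntlm_auth $2\\$1"; else echo "FAIL ntlm_auth $2\\$1"; rc=1; fi
    fi
    return $rc
}

# Stand-alone use: ./pptp-precheck.sh check [username DOMAIN]
if [ "${1:-}" = "check" ]; then
    shift
    run_all "$@"
fi
```

A failed ntlm_auth with everything else passing usually points at the items the page's notes call out: clock skew against the domain controller, a stale machine account, or a Kerberos build too old to talk to Active Directory.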

  11. power down old Windows VPN server:

      Start -> Shutdown...

ChangeLog

Date        Change
2005-11-16  Remove defaultroute and noauth, clarify nmbd requirement. Reported by Earl Tom.
2005-11-16  Skip MPPE kernel module if reader is using kernel 2.6.15-rc1 or later.
2005-08-15  In options.pptpd add nologfd option, to prevent the serial-line-looped-back problem discussed on the mailing list. Without nologfd any output by a plugin may be sent to the pty, thus releasing the packet stream from the client.
2005-05-12  In smb.conf add interfaces clause, requested by Peter Mueller on mailing list.
2005-05-11  Change to ip_forward in sysctl.conf is not effective until reboot, so we show a workaround.
2004-12-23  Integrated comments from Peter Mueller.
2004-12-22  Adopted from mailing list posting, and followups in the thread.