!! You should use Poptop 1.1.3 [red.] !!
Setting up PPTPD on Linux Kernel 2.4 HOWTO
Version 0.76, Updated 12/16/2001
Preface
I am far from an expert on this subject, but since others might benefit from my
experience, I am writing this document in hopes of helping others. Anything enclosed
in [ ]'s are commands the user should type in exactly except for line breaks and except
for stuff in < > 's, which will vary with each system.
I assume a reasonable level of competency with Linux. I also assume you have already
upgraded all the programs necessary to use the 2.4 kernel series. Consult
./Documentation/Changes in the 2.4 source tree (once you have installed it) for the
minimum version numbers required and how to get updates for these packages.
This HOWTO was written and is currently maintained by Robert Spotswood.
[Note : we haven't seen an update since 2001 though. --
James Cameron, 2005-05-11]
Much of this was based on the RedHat -PoPToP HOWTO, the mailing list,
and personal experimentation. I'm subscribed to the mailing list, so
any questions, comments, and corrections would best be addressed
there.
Disclaimer and Copyright
This document is not gospel. Nobody is responsible for what happens to your system but
yourself. THE AUTHOR(S) ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS
TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.
This document is Copyright © 2001 by Robert Spotswood. Permission is granted to make
and distribute verbatim copies of this manual provided the copyright notice and this
permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this document under
the conditions for verbatim copying, provided that this copyright notice is included
exactly as in the original, and that the entire resulting derived work is distributed
under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this document into another
language, under the above conditions for modified versions.
If you are intending to incorporate this document into a published work, please make
contact (via e-mail) so that you can be supplied with the most up to date information
available. In the past, out of date versions of the Linux HowTo documents have been
published, which caused the developers undue grief from being plagued with questions
that were already answered in the up to date versions.
1.0 Kernel compile
Download the new kernel source. You can get it at
http://www.kernel.org/pub/linux/kernel/v2.4/ . You can get either the bz2 or the gz
version. Once you have it downloaded, type the following commands:
If you downloaded the bz2 version: [bunzip2 linux-2.4.8.tar.bz2]
If you downloaded the gz version: [gunzip linux-2.4.8.tar.gz]
[cd /usr/src/]
If you have an existing directory linux here (a true directory, not a symbolic link),
back up that directory if there is anything you want to keep in there.
[tar xvf linux-2.4.8]
The next step may be a little controversial, but I have found it works best for me
(YMMV). Because the kernels will install themselves in the linux subdirectory, it can
easily trash another version you may be saving. By moving it to its own special
directory, I avoid this problem. However, in compiling, some things are coded to look
in the linux directory. Therefore a symlink needs to be created to get around that
problem. Note that if you untar a different kernel source, it will clobber the
symlink, but not the directory you moved the source to.
[mv /usr/src/linux /usr/src/linux-2.4.8]
[ln -s /usr/src/linux-2.4.8 /usr/src/linux]
[cd /usr/src/linux]
The default options in the kernel configuration for me were horrible. Therefore, I
saved my configuration after I went through every option. You can grab a copy of my
configuration, and use that as a starting point. I designed mine as a transition
between 2.2 and 2.4, so for anyone else upgrading, it probably will work well. The
only thing you *REALLY* should check is the processor type. It is set for K6-2.
Change it for your computer! You may also need to change other things (I don't have a
TV card, so I didn't include support for that for example.) You can download a copy of
the configuration file from http://home.swbell.net/berzerke/linux241 (permission to
mirror granted and encouraged). This configuration file works for either 2.4.1
kernel or 2.4.4 kernel. It will also work for a 2.4.8 kernel, although some "new" features
will be left out. Note that the firewalling software has changed from
2.2 series kernels. However, I have included the needed modules so that once loaded
([insmod ipchains]), all/most of the old ipchains firewall stuff will still work.
Section 4.1 has some of the new netfilter/iptables rules.
If you want to start with your current configuration, backup your ".config" file from the
/usr/src/linux directory, back it up to /usr/src directory. Then, after
installing your new kernel, do a [make mrproper]. This wipes clean all files to give you
a fresh, clean kernel tree. Then copy your old .config file back to the new source tree
and make and proceed from there.
Unlike the 2.2 series of kernels, the crypto code is in two separate patches. The
other howto mentions that you must do a make kernel from the pppd source tree. My
experience shows that will fail with the 2.4 series of kernels. In fact, according the
kernel docs, ppp 2.4.0 is the minimum version for 2.4 kernels. One of the patches is
for the kernel, the other is for pppd. You will also need the 2.4.0 (or 2.4.1) version of
pppd (but that is later). You can download the patches (with the usual warnings about
checking the legality of downloading crypto in your country) from
http://mirror.binarix.com/ppp-mppe/ . The two patches you want are
linux-2.4.4-openssl-0.9.6-mppe.patch.gz (works with kernels 2.4.1 - 2.4.8 too) and
ppp-2.4.1-openssl-0.9.6-mppe.patch.gz (this is for pppd, later). Another source for the
patches is http://www.advancevpn.com/en/download_other.html .
Apply the kernel patch:
[zcat linux-2.4.4-openssl-0.9.6-mppe.patch.gz | patch -p1]
Now configure your kernel. If in X, from a terminal [cd /usr/src/linux],
[make xconfig] and load the configuration file you downloaded earlier. Configure the kernel
as needed.
If not in X, [cd /usr/src/linux], [make menuconfig] and load the configuration file you
downloaded earlier. Configure the kernel as needed.
[make dep clean bzImage modules modules_install]
(Go do something for awhile...)
[/sbin/depmod -a]
This last command in essence instructs the kernel to load the modules in a set order.
Copy the new kernel image (for i386 systems the full path to new image will be
/usr/src/linux/arch/i386/boot/bzImage) to /boot. Update you boot loader (if using
lilo, don't forget to run lilo -v!), and reboot.
1.1 Upgrading from 2.4.2 to 2.4.4 and beyond
If you have used a previous version of this howto (for the 2.4.1 or 2.4.2 kernel),
you do not have to repeat all the steps to upgrade to the 2.4.4 kernel (or higher).
There have been problems with kernels between 2.4.9 and 2.4.15, so I don't recommend
these. So far, 2.4.16 seems to be stable for me. Instead of
re-downloading the entire source code, download the patch file instead (either
patch-2.4.x.bz2 or patch-2.4.x.gz). Note that if you are patching, you should apply
each patch in turn. For example, if upgrading from 2.4.1, then first apply the patch
for 2.4.2, then 2.4.3, then 2.4.4. For 2.4.2, apply the 2.4.3 patch, then the 2.4.4
patch, etc. The steps to apply each patch are the same, except for the patch name. You
do not have to recompile between patches. You also might want to rename the linux
source directory to reflect the new kernel number.
Apply the patch:
If you downloaded the bz2 version:
[bunzip2 patch-2.4..tar.bz2]
If you downloaded the gz version:
[gunzip patch-2.4..tar.gz]
[cd /usr/src/linux]
[patch -p1 < patch-2.4.]
There is no need to reapply the openssl patch or do another kernel configuration
(unless you want to change something). However, you must recompile.
[make dep clean bzImage modules modules_install]
(Go do something for awhile...)
Note if you get an error, other than a signal 11, run the above command again. It
should compile fine then. If you're making multiple jumps, it might take a few trys.
Install the new kernel image, update you boot loader (if using lilo, don't forget to
run lilo -v!), and reboot.
Note that if you jump more than one patch level between compiles, you will probably
get an error. Simply do the make command again and things should compile fine.
2.0 PPP compile
Start by grabbing yourself a clean copy of pppd. Do not use a RPM. One place to
obtain it is: ftp://cs.anu.edu.au/pub/software/ppp/ . Another is
http://www.advancevpn.com/en/download_other.html .
[cd /usr/src]
[tar zxvf ppp-2.4.1.tar.gz]
[cd ppp-2.4.1]
The following patch should have been downloaded earlier:
[zcat ppp-2.4.1-openssl-0.9.6-mppe.patch.gz | patch -p1]
[./configure]
[make]
[make install]
3.0 PPTPD compile
Download the pptpd source. According the website, 1.0.1 is the stable version and 1.1.2
is the development version. I'm using 1.1.2 with no problems, and from the mailing
list, I haven't seen any complaints about 1.1.2 but I have with 1.0.1. Which version you
get is up to you.
One place to download the source is: http://PoPToP.lineo.com/download_pptp.html . In
the following instructions, I'll assume you went with the 1.1.2 version.
[cd /usr/src]
[tar zxvf pptpd-1.1.2.tar.gz]
[cd /usr/src/pptpd-1.1.2]
[./configure]
[make]
[make install]
4.0 Config files
Now you need to set up the configuration files /etc/modules.conf, /etc/pptpd.conf,
/etc/ppp/options.pptpd, and /etc/ppp/chap-secrets. Add the following lines to your modules.conf:
[alias char-major-108 ppp_generic]
[alias tty-ldisc-3 ppp_async]
[alias tty-ldisc-14 ppp_synctty]
[alias ppp-compress-18 ppp_mppe]
[alias ppp-compress-21 bsd_comp]
[alias ppp-compress-24 ppp_deflate]
[alias ppp-compress-26 ppp_deflate]
Note : these aliases are no longer required with current
versions of modutils package. -- James Cameron, 2005-01-14Note : these options files are for a very old version of
pppd, and using ipcp-accept-local or ipcp-accept-remote will generally
stop things working right with pppd versions 2.4.2 and later. See
the page above and the samples directory for what is
currently recommended. -- James Cameron, 2005-01-14 192.168.1.4
I don't recommend this because if you do this, and someone else connects and gets
192.168.1.4, and robert then connects, the route to the first person will be replaced
by the route to robert. This means the first person is cut off.
There are three ways around this problem. First, don't assign IP numbers.
Second, assign everyone their own IP number. Finally, don't but the assigned IP
numbers in the pool for pptpd to hand out. They must still be available though.
The last thing to do is to start pptpd.
[/usr/local/sbin/pptpd -d]
You may want to put this command somewhere in your startup scripts.
4.1 Netfilter/Iptables rules
The 2.4 series kernel introduced new firewalling code. The above configuration file
(see section 1.0) includes the new code. Netfilter is the new packet
filter/mangler, and iptables is the tool used to manipulate netfilter. The following
assumes you have iptables already installed (current version is 1.2, use your favorite
installation method). Note that these rules are for a pptpd server that is not being
masqueraded, although I believe they would work for a client not being masqueraded too,
but this hasn't been tested. Hopefully, the masquerading rules for pptp will be added
soon (as soon as I figure out how; I've got regular masquerading working, but have not
tried pptp masquerading).
These rules are not a complete firewall, and while fully functional, may still have
security holes. I assume that the default filter table policies are drop, and the
nat table policies are accept. Let me know if you can improve them. Note I use
constants in my scripts to make customizations easy:
[echo "Seting up firewall....."]
[#Define some constants - change for your network!]
[LOCALNETWORK="192.168.1.0/24"]
[INTINT="eth1" #The internal interface]
[EXTINT="eth0" #The external interface]
[# Activate the forwarding!]
[echo 1 >/proc/sys/net/ipv4/ip_forward]
[# Insert the required kernel modules]
[modprobe iptable_nat]
[modprobe ip_conntrack]
[modprobe ip_conntrack_ftp]
You may already have something similar to this. In which case use the one you prefer.
[#=============================================]
[# Flush the old rules and set default policies]
[#=============================================]
[echo "Setting defaults"]
[/sbin/iptables -F]
[/sbin/iptables -t nat -F]
[/sbin/iptables -P INPUT DROP]
[/sbin/iptables -P OUTPUT DROP]
[/sbin/iptables -P FORWARD DROP]
[/sbin/iptables -t nat -P POSTROUTING ACCEPT]
[/sbin/iptables -t nat -P PREROUTING ACCEPT]
[/sbin/iptables -t nat -P OUTPUT ACCEPT]
[#Loopback interface is valid]
[/sbin/iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT]
[#Yes, I know lo looks strange, but otherwise there are problems.]
[#Some local network traffic does pass through lo rather than]
[#the internal interface.]
[/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A INPUT -i lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT]
[echo "Loopback setup"]
[#Allow unlimited LAN traffic]
[/sbin/iptables -A INPUT -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT]
[#This next allows local broadcasts from this machine.]
[/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \]
[ -j ACCEPT]
[/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT]
[echo "LAN traffic allowed"]
[#Allow forwarding from inside to out and vice versa]
[/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT]
[#Allow pptpd connections (port 1723)]
[/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \]
[ --sport $PUBLICPORTS --dport 1723 -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT -i ppp+ \]
[ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o ppp+ \]
[ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[echo "PPTPD allowed"]
A complete *SAMPLE* iptables script, including pptpd support, can be found at
http://home.swbell.net/berzerke .
4.2 Setting up the clients.
This section was ripped from the RedHat-PoPToP HOWTO by Mike Barsalou. Thanks Mike.
Note that the Win95 routine is similar but requires Dial Up Networking Update 1.3 and
both the Win95 and Win98 need the vpnupdate (free from Microsoft) to be installed
first. You're going to have to hunt around a little for these files as they keep
moving. However, here are a couple places to try first:
Windows 95
http://www.microsoft.com/windows95/downloads
Windows 98
http://www.microsoft.com/windows98/downloads/corporate.asp
1a. For Win95 machines install the DUN 1.3.
1b. For Win98 machines use the add-remove programs tool to uninstall the VPN
software. Some of the OEM's don't install this properly. Re-Install it using the
add-remove programs tool. Go to windows setup (tab) select communications and press the
details button. Scroll down and check the VPN support.
2. Install the vpupdate for your particular machine (win95/98 not 98SE).
take a little nap here...
Once your Machine is back
1. Go to dial-up networking (usually
start->programs->Accessories->communications->Dial-up Networking) YMMV
2. Click make new connection
3. Name the Connection whatever you'd like.
4. Select Microsoft VPN adapter as the device.
5. Click next.
6. Type in the ip address or hostname of your pptp server.
7. Click next.
8. Click finish
9. Right-click on the intranet icon.
10. Select properties.
11. Choose server types.
12. Check require encrypted password. It is also recommend that you check
require data encryption. Without the data encryption, your Virtual Private Network
becomes a Virtual Public Network.
13. Uncheck netbeui, ipx/spx compatible.
14. Click tcp/ip settings.
15. Turn off use IP header compression (May not be necessary).
16. Turn off use default gw on remote network.
17. Click ok.
18. Start that connection.
19. Type in your username and pw (yadda, yadda, yadda).
20. Once it finishes its connection your up.
You will probably only have 40 bit data encryption. See section 5.2 for how to get 128
bit encryption.
5.0 Troubleshooting.
5.1 Q: How do I know if my users are connecting at 40 bits or 128 bits?
A: Look for a line in the logs that reads either: MPPE 40 bit, stateless compression
enabled or MPPE 128 bit, stateless compression enabled. What you see is what you get.
5.2 Q: I'm connecting at only 40 bits. How do I connect at 128 bits?
A: This is probably a client (Windows) problem. The key file for Windows 95/98
is pppmac.vxd, located in c:\windows\system. The easiest way to upgrade this
properly is to get the DUN 1.4 update from Microsoft. As of 07/10/2001, the urls
are:
Win 95 (all versions):
http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe
Win 98 First Edition:
http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe
Win 98 Second Edition:
http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe
If the above URLS don't work, try here:
http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP
For W2K clients, get the high encryption pack from Microsoft.
5.3 Q: When someone tries to connect, my system logs show something like:
Feb 17 15:03 linux pppd[3305]: Peer is not authorized to use remote address 212.31.242.99
Feb 17 15:03 linux pppd[3305]: ipcp: down
Feb 17 15:03 linus pppd[3305]: sent [IPCP TermReq id=0x3 "Unauthorized remote IP address"]
A: This message *can* appear if don't have the noauth line in your
/etc/ppp/options.pptpd file. Without this line, ppp will require the pptp server to
authenticate itself. I was unable to reproduce this error with setup described in this HOWTO.
5.4 Q: I having trouble getting pppd 2.3.X to work. I'm using a 2.4 series
kernel.
A: The minimum version of pppd you should be using with the 2.4.x series
kernels is 2.4.0. Don't try to use the ppp 2.3 series.
5.5 Q: The client can't connect to port 1723.
A: Is pptpd running? [ps ax |grep pptpd] should show if it is running or not.
A: Is another program using port 1723? [netstat --inet -a -n -p | grep 1723] should
show which program, if any, is using port 1723.
A: Some providers, (AT&T and @home have been reported so far) do not pass port
1723 or filter GRE packets (which are necessary for pptp). Supposedly it is to
cut down on bandwidth. If possible, try connecting over a lan and
see if that works. You also may want to re-read your subscriber agreement.
You could try doing a traceroute to port 1723 and see if that gets through. The
command is traceroute -p 1723 .
A: Is a firewall blocking it, either at the client or server end? For those
using iptables, the commands to check ALL your firewall rules are:
[iptables -t filter -L -n]
[iptables -t mangle -L -n]
[iptables -t nat -L -n]
5.6.1 Q: Windows is giving me an error 645.
A: Try uninstalling the VPN compenent under Communications, and
reinstall it.
5.6.2 Q: Windows is giving me an error 650.
A: This can be caused by port 1723 being blocked somewhere along the path
or IP protocol 47 (GRE) being blocked (or both). Some providers, (AT&T and @home
have been reported so far) do not pass port 1723 or filter GRE packets (which are
necessary for pptp). Supposedly it is to cut down on bandwidth. If possible, try
connecting over a lan and see if that works. You also may want to re-read your
subscriber agreement.
You could try doing a traceroute to port 1723 and see if that gets through. The
command is traceroute -p 1723 .
Another reason this error happens is the public card (connection to internet) has
to be listed first when you look at your adapters in the properties of My Network
Places. MS admits that this seems to only affect W98 clients when using W2K PPTPD
servers. It is currently unknown if it also has an impact on Linux PPTPD servers.
5.6.3 Q: Windows is giving me an error 53.
A: See question 5.11
5.6.4 Q: Windows is giving me error 619.
A: Check that you have pty support compiled into your kernel.
5.6.5 Q: Windows NT is giving me error 742.
A: Upgrade to at least service pack 5. Service pack 6a is recommended. Also,
disable other protocols like NetBeui, and IPX.
5.7 Q: Do I have to use multiple local IP numbers?
A: No. One is all you need. However, you do need multiple remote IP numbers
if you want more than one client connecting at a time. You need one remote IP number
for each simultaneous connection.
5.8 Q: Do the local and remote IP numbers have to be on the same subnet?
A: No, but the setup is a pain, especially if you are also running a firewall.
I don't recommend trying this unless you *must*.
5.9 Q: My clients get 2 DNS servers when the connect to the internet. I assign
them 2 additional ones for the VPN. How come when I do a winipcfg, my 2 DNS servers
show last?
A: This is normal. From tests others have done, it does *appear* as if the two
servers you assigned are consulted first.
5.10 Q: Browsing doesn't work. How do I fix it?
A: First, can you ping other computers. If not, then there is a
connectivity problem (at least). Resolve this and try again.
A: Updating network neighborhood to the point where a PPTPD client can
see the other computer can take 30-60 seconds (I've seen a couple of minutes).
Be patient and try again.
A: Are you using a wins server? Broadcasts generally don't pass routers
(a ppp interface counts). Browsing is generally done either via Wins, or
broadcasts. It is possible to use the hosts and lmhosts files as a substitute
for a wins server. Most people report fewer troubles when the pptpd server is
also a wins server.
A: If you are using a Samba wins server, is the "guest account" in your
smb.conf set to an actual valid account? The IPC$ connection that lists the
shares is done as guest, and will fail without a valid guest account.
A: If you are using an MS wins server, it requires a re-registration at
least every 90 days. Since linux is so stable, it is quite possible to run
longer than 90 days without rebooting (or at least restarting Samba). Be sure
and restart Samba at least every 89 days. This browsing problem should only
affect Samba computers. Once you pass the 90 days, you may have to restart the
MS machine too to clear things up, and even that may not work (conflicting
reports here).
A: Are *ANY* of the clients running more than one protocol? From the
Samba docs: "Every NetBIOS machine take part in a process of electing the LMB
[Local Master Browser] (and DMB [Domain Master Browser]) every 15 minutes...The
election process is "fought out" so to speak over every NetBIOS network
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
installed and has NetBIOS enabled over both protocols the election will be
decided over both protocols. As often happens, if the Windows 9x machine is
the only one with both protocols then the LMB may be won on the NetBIOS
interface over the IPX protocol. Samba will then lose the LMB role as Windows
9x will insist it knows who the LMB is. Samba will then cease to function
as an LMB and thus browse list operation on all TCP/IP only machines will
fail.
A: If running Samba, and only one machine isn't accessable (to pptpd
clients), look in the wins.dat file. Generally it is in /var/lock/samba. See if
the computer is actually listed. If not, restart the computer (or Samba). Samba
seems only to register itself once (when starting). If the wins server is not
available at that time, you will not be able to access that machine via wins
until you restart Samba.
A: Try using the "net use" and "net view" commands from the windows client.
Just because you can't see something in network neighborhood doesn't mean it isn't
on the network. If fact, they are much more reliable than browsing. I've also
found mapping a drive with the net use command tends to make things appear in
network neighborhood. YMMV.
A: Windows 9x and Me suffer from memory fragmentation issues that can require
rebooting in order to make PPP or PPTP work again. This is something to try especially
when you have connected before successfully.
5.11 Q: I can browse the server's shares, but no other computers. What
am I missing?
A: There are several things to check. Do you have proxyarp in your
ppp/options? Make sure that there is an entry in the /var/log/messages, when the
link is brought up, that says something like:
Feb 2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp file?
If not, you won't see past the pptpd server. Second, check your firewall rules and
make sure the packets are getting forwarded from the ppp interface to the lan.
Sometimes, over a pptp connection, it takes a few minutes to update the browse lists.
Be patient. Manually mapping a drive seems to speed this up considerably.
Finally, try the [net view \\] command. You normally can substitute
the ipaddress of the computer. If when substituting the ip address, you get an error
53, then there is a problem with reaching or with the Wins server. I've found
from experience, if there are only a couple of servers who's ip addresses don't
change, try using a lmhosts file. Note that if you use an lmhosts file, don't try
the net view command with an ip address. Use the computer's name. This is because
MS decided that an ip address is first treated as a name, and will try to do a
lookup. That will fail, and you'll get an error 53 message.
5.12 Q: Everytime the last PPTP session closes, pptpd exits. As long as there is
an active session, it's runs fine. How do I fix this?
A: This problem has been reported with pptpd version 1.0.1. Some
have reported that upgrading to 1.1.2 (or better) fixed the problem.
5.13 Q: I can get the PPTP connection to work fine, but can not get
encryption to work. What is wrong?
A: It has been reported that changing PPP from being built into the
kernel to being a loadable module has fixed the problem. The configuration file
listed in the earlier instructions does build PPP as a loadable module.
5.14 Q: I'm unable to send packets. My debug logs have something like:
Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for unsupported protocol 0x94e9
A: You must add the line [mppe-stateless] (without the [ ]'s) to your
/etc/ppp/options.pptpd file.
5.15 Q: I've tried downloading the patches with Netscape and I get all kinds of
errors.
A: Netscape is known to mangle patches, especially non-zipped patches. Use
something else like wget or lynx. If you have KDE, Konqueror doesn't give me any
problems either.
5.16 Q: I'm getting errors indicating that ppp support hasn't been compiled into the
kernel even though it is. How do I fix it?
A: Use the following commands:
[mknod /dev/ppp c 108 0]
[chmod 600 /dev/ppp]
5.17 Q: How come the ppp connection formed by pptp shows a netmask of
255.255.255.255? Isn't this an error?
A: Your ppp* device should have that netmask (255.255.255.255). This is
normal when you have a ppp virtual device that has another device (eth*) answer arp
requests on behalf of the remote pptp clients ip address. i.e. proxyarp. You are
using the proxyarp option, aren't you?
5.18 Q: When I connect to the pptpd server, the client's internet connection
goes over the pptp connection and not over its usual connection. How do I fix
this?
A: In the client configuration, under TCP settings, there is a check box
use default gateway on remote network. Uncheck that.
5.19 Q: How can I disconnect an idle user automatically?
A: In ppp options file, add the line:
[idle ]
5.20 Q: I have W2K clients, and without encryption everything works fine,
but with encryption, they won't communicate across the pptp connection. How
do I fix this?
A: You probably don't have the correct options in your ppp options
file. Reread section 4.0.
5.21 Q: Can I use IPSec and PPTPD in the same kernel?
A: Yes.
5.22 Q: I'm getting the following error messages: /usr/sbin/pppd: The
remote system is required to authenticate itself
/usr/sbin/pppd: but I couldn't find any suitable secret (password) for it
to use to do so.
What is this error ?
A: It means you need to populate your /etc/ppp/chap-secrets file.
5.23 Q: I'm having problems with Windows 98SE/ME or Windows 2K running
at the proper encryption level. What's going on?
A: For Windows 2K, problems have been reported if you have the
line [mppe-40] in the options file. Commenting it out seems to fix the
problem. You can also try the alterative options file listed above.
For Windows 98SE (and probably ME), it is the exact opposite. If you
don't have the line [mppe-40], then the client will connect and negotiate
MPPE 128 bit, but pppd spews messages like these for all traffic:
Apr 9 11:34:00 ra0 pppd[9521]: rcvd [Compressed data] 90 00 bb 5c a3 2d a7 0d ...
Apr 9 11:34:04 ra0 pppd[9521]: rcvd [Compressed data] 90 01 c3 1a 0e cb c2 29 ...
No traffic actually goes across the link. Adding "mppe-40" to
/etc/ppp/options.pptpd makes everything work perfectly. The clients still
negotiate MPPE 128 bit.
Note that adding the options
[require-chap]
[require-mppe]
[require-mppe-stateless]
tends to kill Win9x/ME client connections. I recommend not using these options.
5.24 Q: Will pptpd work with clients on a Linksys ethernet/dsl router?
A: Yes. Depending on how old it is, you may have to upgrade the
firmware (If anyone knows what the cut-off is, let me know). You also
have to forward port 1723 to the appropriate machine. Needless to say, it
only seems to work with one client, not multiple clients.
5.25 Q: My pptpd server is answering arp requests for mac addresses and ip
addresses that are not the server's. Why is going on?
A: That is the proxyarp command. Nothing is wrong. That's what should be
happening. Its required to simulate that remote machine(s) being on the lan.
5.26 Q: Why can't I access anything in the PPTP server after the connnection?
There are "Cannot determine ethernet address for proxy ARP" errors in the log
file.
A: This may be caused by having remoteip and localip numbers that are NOT
members of the same subnet. Technically, you don't need proxyarp, but it helps
local LAN machines to know how to reach to the VPN machines and vice versa.
5.27 Q: I don't seem to have packet compression when I use the Linux pptpd. Why?
A: You are correct. There is no compression. Nobody has bothered to write
code to support MPPC (which does the compression).
5.28 Q: I can connect, but can't send any traffic across the connection. Not
even a ping. I have a firewall on the server.
A: Do have a forward rule? You must have a rule that allows forwarding of
local traffic from and to your ppp interface to and from the lan interface.
5.29 Q: I sometimes get messages about pptp giving up waiting for 1 (or more
lost packets. What do I do?
A: Try lowering your mtu and mru in the ppp options file. 750 has been
recommened. For example, add (or change to) these lines:
[mtu 750]
[mru 750]
5.30 Q: How do I assign a specific IP address based on their login name (and
password)?
A: If you compile pptp with ./configure --with-pppd-ip-alloc, then ip's will be
assigned from the chap-secrects file, based on the user log in name. Of course,
this could bring on lots of fun with iptables if they ip addresses aren't all on
the same subnet.
5.31 Q: Is there a howto for Redhat 6.2?
A: It is by a different author I am not connected with, but yes. See
http://members.home.net/dont-bug-me/pptpd .
5.32 Q: Why can't I NAT more than one connection at a time to my Linux PPTPD
server? Windows NT allows that.
A: Short answer: PoPToP follows the RFC. Microsoft doesn't. The long
is answer taken from:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/VPN-Masquerade-HOWTO
section 2.7:
The PPTP RFC specifies in section 3.1.3 that there may only be one
control channel connection between two systems. This should mean that
you can only masquerade one PPTP session at a time with a given remote
server, but in practice the MS implementation of PPTP does not enforce
this, at least not as of NT 4.0 Service Pack 4. If the PPTP server
you're trying to connect to only permits one connection at a time,
it's following the protocol rules properly. Note that this does not
affect a masqueraded server, only multiple masqueraded clients
attempting to contact the same remote server.
Even then it only affects multiple clients masqueraded behind the same box.
5.33 Q: Can I configure pptpd to authenticate against a domain controller
(win2K or NT)?
A: No. The PPTP client authenticates using MSCHAPv2, that is,
version two of a Microsoft specific version of CHAP. That protocol doesn't send the
plaintext version of the password, but instead uses a cryptographic handshake that
verifies that the server and client both have a copy of the NT hash of the
plaintext password. pppd cannot calculate the NT hash without the plaintext, but it
needs it both for authentication (although it can ask samba to do the
authentication) and to initialise the keys used in MPPE encryption.
This state of events will probably make it impossible for a PopTop server to
authenticate against an NT PDC - what you are asking it to do is to become a
man-in-the-middle, and the protocols are designed to prevent that.
5.34 Q: Can link 2 lans together using pptpd?
A: Yes. A document giving some
pointers how is at http://earthling.2y.net/LinkingNets.html . Basically, you have
to make the pptpd interface your router.
5.35 Q: How can I get rid of the fact windows clients send a \\ (and domain
name) before the user name?
A: First, should you even try? Looking at the debug logs for pptpd will
show you the exact name sent. You can always add that to your chaps-secret file,
enclosing it in quotes ("") if there are spaces in the name. This means
that anyone who tries to break in from another computer will probably fail, even if
they have the correct username and password. Windows will send \\username rather than just the username. Not absolute security, but it
will make breaking in more troublesome.
If you really do need to strip the domain name, there is a "Strip
MS-Domain" patch that would correct this. Be sure and test it if do apply the
patch. Older versions of this patch would allow null names and passwords (in other
words, not sending a password would still autheticate. A patch can be found at
http://linus.dns2go.com/linux/ or http://home.swbell.net/berzerke/pppsmb2.4.patch (among
other places) and instructions. However, ignore the options lines with require.
You must add the line [chapms-strip-domain] to your pppd options file. Also, for
this patch to work correctly, you must have another entry in chap-secrets.
5.36 Q: MPPE isn't working! I sniff packets on the client and I see them in
clear text. What's going on?
A: Be absolutely sure that you are correct about the lack of encryption. Do
not trust sniffing on either end point machine - make sure that you sniff en-route.
If the packets are clear text en-route, then you have a problem.
5.37 Q: How do I tell if a dead link from a live one?
A: You should use the pppd options called lcp-echo-interval and
lcp-echo-failure to determine a dead link which appears to be up but it isn't, eg.:
[lcp-echo-failure 60]
[lcp-echo-interval 5]
5.38 Q: I want to use MSCHAP, the first version, not the second. How do I enable
this?
A: First, you must compile this in. From pppd/Makefile:
# Uncomment the next 2 lines to include support for Microsoft's
# MS-CHAP authentication protocol.
CHAPMS=y
USE_CRYPT=y
Compile it. This assumes you also applied the normal patches. Next, in the ppp
options file, add the line:
[+chapms]
You should note this is a very poor authetication protocol and it has been replaced
by CHAPv2. Enable this at your own risk!
5.39 Q: Can I compile ppp directly into the kernel rather than making it a
module?
A: This isn't recommended, and from the reports in the mailing list,
probably won't work. For unknown reasons to the author, some things don't work if
compiled directly into the kernel, but do work as modules. I have personally seen
this with network card drivers. In any case, it seems ppp_mppe is tied into
ppp_generic's compile. No ppp_generic module, no ppp_mppe.
5.40 Q: What are the various directives for the ppp options file?
A: Here are a few explained.
[+chapms] #MS's first version of the chap protocol
[ms-wins] #Sets the WINS server on the client
[ms-dns] #Sets the DNS server on the client
5.41 Q: Why should I use pptpd rather than ipsec? Isn't ipsec more secure?
A: Yes, ipsec is more secure. However, it is also a support nightmare for
road warriors. Pptpd is far easier to administrater. How many times will you pager
go off at 3 AM before you decide the security advantages of ipsec just aren't worth
it? Besides, if you're really concerend about security, why are you allowing
Windows 9x/ME? I think the most common reason to use
PoPToP is that it is A) cheap B) the client is built into MS products
which eliminates the need to install client software on all the peers. C)
Designed more specifically for Client to Network connections. IPSec is designed for
network to network connections.
5.42 Q: What is the maximum number of clients that can be connected at once?
A: There are various limits, but the real world number is about 100.
5.43 Q: I have an unusual subnet mask. My windows clients don't seem to route
properly. What's going on?
A: Windows likes to make assumptions. In most cases, it will just assume a
8 bit mask for 10.x.x.x, 16 bits for 172.16-32.x.x, and 24 bits for 192.168.x.x .
Because it is a windows problem, there's not much you can do about it.
5.44 Q: I can't connect from a specific client.
A: Check to see if the client has a firewall that is blocking communication.
Remember, W2K comes with a very-limited builtin packet filter.
5.45 Q: I'm getting lots of "GRE: Discarding out of order packet" error messages.
How do I fix that?
A: Try dropping the mtu and mru values to 750 or even 736 in the pppd
options file.
5.46 Q: I'm having trouble compiling mppe.
A: This may work for you. I've not have any trouble, so I can't verify these
instructions.
a) Download and install the patch.
b) Go to /usr/src/linux/drivers/net/
c) Edit the makefile with your favorite text editor
Replace these lines:
obj-$(CONFIG_PPP) += ppp_generic.o slhc.o ppp_mppe.o
obj-$(CONFIG_PPP_ASYNC) += ppp_async.o
obj-$(CONFIG_PPP_SYNC_TTY) += ppp_synctty.o
obj-$(CONFIG_PPP_DEFLATE) += ppp_deflate.o
obj-$(CONFIG_PPP_BSDCOMP) += bsd_comp.o
obj-$(CONFIG_PPPOE) += pppox.o pppoe.o
With these lines:
obj-$(CONFIG_PPP) += ppp_generic.o slhc.o
obj-$(CONFIG_PPP_ASYNC) += ppp_async.o
obj-$(CONFIG_PPP_SYNC_TTY) += ppp_synctty.o
obj-$(CONFIG_PPP_DEFLATE) += ppp_deflate.o ppp_mppe.o
obj-$(CONFIG_PPP_BSDCOMP) += bsd_comp.o
obj-$(CONFIG_PPPOE) += pppox.o pppoe.o
d) Do a regular kernel build. Be sure you have at least the following
selected as modules:
async serial ports
sync tty ports
deflate compression
bsd-comression
e) The author of these instructions recommends ppp support be compiled into
the kernel and not as a module. I've found far fewer problems with modules
than stuff compiled in. I recommend compiling as a module. You're call.
Give me some feedback if you use this.
5.47 Q: PPTPD is real slow. How can I speed it up? FTP speed is fine.
A: Without a faster connection on both ends, you probably can't. Remember that
pptp is designed for windows clients and they use the smb protocol. This is not a
very effient protocol. It was never designed for WAN use. The Samba team may very
object to the term designed period with regards to smb. FTP uses TCP/IP which is designed
for WAN use. That's why FTP is faster.
If your interested in measuring speed, try [pppstats -c 10000 -w 1 ppp]
This will show you your transfer speed in Bytes/s, although the output isn't pretty.
I have an unconfirmed report that removing the debug strings from the config files will speed
things up a bit.
5.47.1 Q: Can I speed things up by playing with the speed option in /etc/pptpd.conf?
A: Not really. In any case, values above 115200 are ignored.
5.48 Q: Does pptpd work with Windows XP clients?
A: I have only report on that I have so far is one person who followed these instructions
and claims it works just fine. I also have reports from others that XP (final, not beta) does
work, although I don't know what configuration they used.
5.49.1 Q: PPTPD works without encryption, but doesn't work with encryption. Why?
5.49.2 Q: I'm getting ppp-compression-18 not found in my syslog.
A: Make sure to compile the ppp options in network options as modules, especially) the
first ppp option.
5.50 Q: Does pptpd work under xinetd?
A: Yes, although I don't currently have an example config file.
5.51 Q: Windows XP (or 2000) can establish a link, but then it goes dead. The error logs
have messages like: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
A: This is caused by the clients trying to negotiate an IPSEC connection rather than
a pptp connection. For Windows 2000, disable ipsec in the dialup connectoid, and
enable pptp and high encryption (128 bit) only.
5.52 Q: Does pptpd work with Windows ME clients?
A: Yes.
5.53 Q: When compiling, I get an error message "...couldn't find the kernel version
the module was compiled for".
A: This is cause by something it depends on being compiled into the kernel instead
of being built as module. Usually, for pptpd, this is ppp support.
5.54 Q: Can IPX be passed through pptp tunnels?
A: Yes. However, I've found multiple times, even on an all MS network, mixing
TCP/IP and IPX will cause all sorts of mysterious problems. These problems go away
once IPX is removed from the network. Don't mix these two.
5.55 Q: I can't connect and am getting error messages along the lines of
"modprobe: Can't locate module ".
A: Double check you modules.conf file and be sure that module is actually
listed. If it is listed, does it actually exist on your machine?
5.56 Q: Can I autheticate using PAM?
A: Yes. However, be aware that PAM uses cleartext passwords.
5.57 Q: I'm having trouble with W2k ignoring the default route.
A: This is known to happen when netmeeting is running. Close netmeeting.
5.58 Q: I'm getting errors: "Not enough space to encrypt packet: <+4"
A: You didn't apply the linux-2.4.4-openssl-0.9.6a-mppe.patch.gz patch.
The problem is that ppp_generic.c assumes that no "compression" method will ever cause
a frame to grow. However, MPPE causes every frame to grow by four bytes. This only
generates the above error message when you are trying to send a frame that is within four
bytes of the MTU.
Reducing the MTU will not help because if you reduce the MTU, ppp_generic.c will just reduce
the size of the buffer that it passes.
5.59 Q: The first user that tries to connect succeeds, but then if that user disconnects
and tries immediately to reconnect, it fails. Why?
A: If you're using MPPE (and you should), it has a bug in it that prevents a secondary
(single) connection, or multiple simultaneous connections.
For a single user, you have to unload the ppp_mppe module before the 2nd connection. If you're
using the kmod loader, then the module will auto-load itself the next connection. But for it to
work at all, MPPE has to be unloaded before it's used. If the times between connects are far
enough appart, Linux will automatically unload modules that are not being used. Therefore, this
problem will be intermittent.
5.60 Q: I have a problem with Windows clients (Laptops) who connect to both our Corporate
LAN (static IP) and our VPN (Not at the same time). The VPN doesn't work reliably.
A: Since it is the same LAN, the ip numbers are in the same subnet. That is the root
of the problem. This can also affect DHCP users if the lease hasn't expired yet. Since the
pptp tunnel and NIC card are on the same subnet, the routing table gets confused and tries to
send the packets through the NIC card, which, of course, fails.
Steve Cowels suggested this solution: Another alternative that I use (especially for non-technical
management types) is to create a separate windows hardware profile. i.e. Office/Remote.
Then in Windows Device Manager -- disable the Ethernet NIC for the "Remote"
hardware profile.
This approach has the usual pluses/minuses associated with it.
PLUS: It fixes this problem by not initializing the NIC at boot up. Dialup/PPTP and TCP/IP stack
still function normally.
MINUS: When the user turns on their PC/Laptop, they will now be prompted to
select the appropriate hardware profile before windows fully boots. The way
I explain how to correctly answer this additional prompt to the non
technical managers types... Ask yourself the following question: "Where are
you powering up your Laptop? The Office or are you Remote?" So far, even the
most computer illiterate can correctly answer this prompt.
5.61 Q: Can I autheticate users against the /etc/passwd file?
A: Not currently. However, you can use the /etc/smbpasswd file with the correct
patches.
5.62 Q: I can't run an iptables firewall. I get messages like:
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o:
init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
/lib/modules//kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
/lib/modules//net/ipv4/netfilter/ip_conntrack.o failed
/lib/modules//net/ipv4/netfilter/ip_conntrack.o: insmod
iptable_nat failed
A: This can happen if the ipchains module is loaded. Ipchains and Iptables are
not compatible with each other. If you have both compiled as modules, whichever one you
use first will load automatically, then lock the other out. The easiest way I've found
to fix this is manually (as in rmmod) unload the ipchains module(s). Then the iptables
will load.
5.63 Q: Can't ping the LAN but I can ping the PPTPD server.
A: Check your ip_forward is turned on and that your client IP is in the
same subnet as the PPTP servers LAN address.
The usual mistake is that people use a different subnet between the
server and the pptp clinet from the local LAN and forgetting to add either
IP masquerading or IP routing between subnets. IP routing makes it difficult
for Windows machines as they need routing entered manually (as far as I
know). Under linux you use the /etc/ppp/ip-up.local scripts to run routing
commands. But it is far easier to just make sure everyone is on the same subnet.
5.64 Q: I can't ping even the PPTPD server.
A: Firstly open up for firewall for all PPTP traffic (temporarily unless
it's trusted). If pinging still fails check with a traceroute when the
packets are going. If they timeout straight away then it's travelling
through the tunnel OK. Also check your logs, "discarded packets" tends to
drop pings at the beginning of connections but then catches up (from
experience).
5.65 Q: My clients can't autheticate.
A: One possible solution is to turn off compression on the client.
5.66 Q: Windows refusesto honor the netmask directive in the ppp options file, and
so my clients have the wrong netmask.
A: Windows PPTP clients seem to assign a class based netmask. This is a
windows problem and unforunately, there's nothing you can do about it.
5.67 Q: I'm having problems with both pppoe and pptpd running on the same machine.
A: In the /etc/ppp/options.pptp use [nodefaultroute].
6.0 Gotchas
This section lists things to watch out/check if pptpd isn't working.
6.1 Firewalls - Does the client have a firewall? If the client has a firewall, be
sure it allows pptpd to pass through.
6.2 Remote and Local IPs - In your pptpd.conf file, be sure the remoteip(s) and
localip (you don't need more than one) are on the same subnet and do *NOT* overlap.
They must be different. Also, be sure any ip's specified in chaps-secrets do not
overlap either.
6.3 Reinstall - If a particular machine can't browse over pptpd and you've checked
everything else, try uninstalling and reinstalling Client for Microsoft Networks.
Also try uninstalling and reinstalling the adapters. This is a problem even with W2k.
6.4 Forwarding - You're going to have lots of trouble unless you enable ip
forwarding. The command [echo "1" >/proc/sys/net/ipv4/ip_forward] will do it, but
will not survive a reboot, so be sure and place the command somewhere in your
startup scripts.
6.5 Windows - The three R's of MS tech support: Retry, Reboot, Reinstall. Especially try
the reboot. Windows 9x and Me suffer from memory fragmentation issues that can require
rebooting in order to make PPP or PPTP work again. This is something to try especially
when you have connected before successfully.
6.6 PoPToP version - Are you using version 1.1.2? Don't use 1.0.1. 1.1.2 IS stable.
!! You should use Poptop 1.1.3 [red.] !!
Source Forge Project Page |
Downloads |
News |
Mailing List
