Note: we are keeping these very old instructions around until someone updates them, and this page contains many things now that are no longer true with current versions. If you find a problem, please report it to the mailing list. -- James Cameron, 2005-01-14.

!! You should use Poptop 1.1.3 [ed.] !!

Setting up PPTPD on Linux Kernel 2.4 HOWTO

Version 0.76, Updated 12/16/2001

Preface

I am far from an expert on this subject, but since others might benefit from my 
experience, I am writing this document in hopes of helping others.  Anything enclosed 
in [ ]'s is a command the user should type in exactly as shown, except for line breaks 
and except for anything in < >'s, which will vary from system to system.

I assume a reasonable level of competency with Linux.  I also assume you have already 
upgraded all the programs necessary to use the 2.4 kernel series.  Consult 
./Documentation/Changes in the 2.4 source tree (once you have installed it) for the 
minimum version numbers required and how to get updates for these packages.

This HOWTO was written and is currently maintained by Robert Spotswood.

[Note: we haven't seen an update since 2001 though.  --
James Cameron, 2005-05-11]

Much of this was based on the RedHat -PoPToP HOWTO, the mailing list,
and personal experimentation.  I'm subscribed to the mailing list, so
any questions, comments, and corrections would best be addressed
there.

Disclaimer and Copyright

This document is not gospel.  Nobody is responsible for what happens to your system but 
yourself.  THE AUTHOR(S) ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS 
TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.

This document is Copyright  2001 by Robert Spotswood. Permission is granted to make 
and distribute verbatim copies of this manual provided the copyright notice and this 
permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under 
the conditions for verbatim copying, provided that this copyright notice is included 
exactly as in the original, and that the entire resulting derived work is distributed 
under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this document into another 
language, under the above conditions for modified versions.

If you are intending to incorporate this document into a published work, please make 
contact (via e-mail) so that you can be supplied with the most up to date information 
available. In the past, out of date versions of the Linux HowTo documents have been 
published, which caused the developers undue grief from being plagued with questions 
that were already answered in the up to date versions.


1.0 Kernel compile

Download the new kernel source.  You can get it at 
http://www.kernel.org/pub/linux/kernel/v2.4/ .  You can get either the bz2 or the gz 
version.  Once you have it downloaded, type the following commands:

If you downloaded the bz2 version: [bunzip2 linux-2.4.8.tar.bz2]

If you downloaded the gz version: [gunzip linux-2.4.8.tar.gz]

[cd /usr/src/]

If you have an existing directory linux here (a true directory, not a symbolic link), 
back up that directory if there is anything you want to keep in there.

[tar xvf linux-2.4.8.tar]

The next step may be a little controversial, but I have found it works best for me 
(YMMV).  Because the kernels will install themselves in the linux subdirectory, it can 
easily trash another version you may be saving.  By moving it to its own special 
directory, I avoid this problem.  However, in compiling, some things are coded to look 
in the linux directory.  Therefore a symlink needs to be created to get around that 
problem.  Note that if you untar a different kernel source, it will clobber the 
symlink, but not the directory you moved the source to.

[mv /usr/src/linux /usr/src/linux-2.4.8]

[ln -s /usr/src/linux-2.4.8 /usr/src/linux]

[cd /usr/src/linux]

The default options in the kernel configuration for me were horrible.  Therefore, I 
saved my configuration after I went through every option.  You can grab a copy of my 
configuration, and use that as a starting point.  I designed mine as a transition 
between 2.2 and 2.4, so for anyone else upgrading, it probably will work well.  The 
only thing you *REALLY* should check is the processor type.  It is set for K6-2.  
Change it for your computer!  You may also need to change other things (I don't have a 
TV card, so I didn't include support for that for example.)  You can download a copy of 
the configuration file from http://home.swbell.net/berzerke/linux241 (permission to 
mirror granted and encouraged).  This configuration file works for either 2.4.1 
kernel or 2.4.4 kernel.  It will also work for a 2.4.8 kernel, although some "new" features
will be left out.  Note that the firewalling software has changed from 
2.2 series kernels.  However, I have included the needed modules so that once loaded 
([insmod ipchains]), all/most of the old ipchains firewall stuff will still work.  
Section 4.1 has some of the new netfilter/iptables rules.

If you want to start with your current configuration, copy the ".config" file from the 
/usr/src/linux directory to the /usr/src directory as a backup.  Then, after
installing your new kernel source, do a [make mrproper].  This wipes all generated files
and gives you a fresh, clean kernel tree.  Then copy your old .config file back into the
new source tree, run make, and proceed from there.

Unlike the 2.2 series of kernels, the crypto code is in two separate patches.  The 
other howto mentions that you must do a make kernel from the pppd source tree.  My 
experience shows that will fail with the 2.4 series of kernels.  In fact, according to the 
kernel docs, ppp 2.4.0 is the minimum version for 2.4 kernels.  One of the patches is 
for the kernel, the other is for pppd.  You will also need the 2.4.0 (or 2.4.1) version of
pppd (but that is later).  You can download the patches (with the usual warnings about 
checking the legality of downloading crypto in your country) from  
http://mirror.binarix.com/ppp-mppe/ .  The two patches you want are 
linux-2.4.4-openssl-0.9.6-mppe.patch.gz (works with kernels 2.4.1 - 2.4.8 too) and 
ppp-2.4.1-openssl-0.9.6-mppe.patch.gz  (this is for pppd, later).  Another source for the
patches is http://www.advancevpn.com/en/download_other.html .

Apply the kernel patch:
[zcat linux-2.4.4-openssl-0.9.6-mppe.patch.gz | patch -p1]

Now configure your kernel.  If in X, from a terminal [cd /usr/src/linux],
[make xconfig] and load the configuration file you downloaded earlier.  Configure the kernel 
as needed.

If not in X, [cd /usr/src/linux], [make menuconfig] and load the configuration file you 
downloaded earlier.  Configure the kernel as needed.

[make dep clean bzImage modules modules_install]

(Go do something for awhile...)

[/sbin/depmod -a] 

This last command builds the module dependency list (modules.dep) that modprobe uses to 
load each module, and the modules it depends on, in the right order.

Copy the new kernel image (for i386 systems the full path to the new image will be 
/usr/src/linux/arch/i386/boot/bzImage) to /boot.  Update your boot loader (if using 
lilo, don't forget to run lilo -v!), and reboot.

1.1	Upgrading from 2.4.2 to 2.4.4 and beyond

If you have used a previous version of this howto (for the 2.4.1 or 2.4.2 kernel), 
you do not have to repeat all the steps to upgrade to the 2.4.4 kernel (or higher).
There have been problems with kernels between 2.4.9 and 2.4.15, so I don't recommend
these.  So far, 2.4.16 seems to be stable for me.  Instead of 
re-downloading the entire source code, download the patch file instead (either 
patch-2.4.x.bz2 or patch-2.4.x.gz).  Note that if you are patching, you should apply 
each patch in turn.  For example, if upgrading from 2.4.1, then first apply the patch 
for 2.4.2, then 2.4.3, then 2.4.4.  For 2.4.2, apply the 2.4.3 patch, then the 2.4.4 
patch, etc.  The steps to apply each patch are the same, except for the patch name.  You 
do not have to recompile between patches.  You also might want to rename the linux 
source directory to reflect the new kernel number.

Apply the patch:

If you downloaded the bz2 version:

[bunzip2 patch-2.4.x.bz2]

If you downloaded the gz version:

[gunzip patch-2.4.x.gz]

[cd /usr/src/linux]

[patch -p1 < patch-2.4.x]

(Give the full path to the patch file if you did not save it in /usr/src/linux.)

There is no need to reapply the openssl patch or do another kernel configuration 
(unless you want to change something).  However, you must recompile.

[make dep clean bzImage modules modules_install]

(Go do something for awhile...)

Note that if you get an error other than a signal 11, run the above command again.  It 
should compile fine then.  If you're making multiple jumps, it might take a few tries.

Install the new kernel image, update your boot loader (if using lilo, don't forget to 
run lilo -v!), and reboot.

Note that if you jump more than one patch level between compiles, you will probably 
get an error.  Simply do the make command again and things should compile fine.

2.0 PPP compile

Start by grabbing yourself a clean copy of pppd.  Do not use an RPM.  One place to 
obtain it is: ftp://cs.anu.edu.au/pub/software/ppp/ .  Another is 
http://www.advancevpn.com/en/download_other.html .

[cd /usr/src]
[tar zxvf ppp-2.4.1.tar.gz]
[cd ppp-2.4.1]
The following patch should have been downloaded earlier:
[zcat ppp-2.4.1-openssl-0.9.6-mppe.patch.gz | patch -p1]
[./configure]
[make]
[make install]

3.0 PPTPD compile

Download the pptpd source.  According to the website, 1.0.1 is the stable version and 1.1.2 
is the development version.  I'm using 1.1.2 with no problems, and from the mailing 
list, I haven't seen any complaints about 1.1.2 but I have with 1.0.1.  Which version you
get is up to you.  

One place to download the source is: http://PoPToP.lineo.com/download_pptp.html .  In 
the following instructions, I'll assume you went with the 1.1.2 version.

[cd /usr/src]
[tar zxvf pptpd-1.1.2.tar.gz]
[cd /usr/src/pptpd-1.1.2]
[./configure]
[make]
[make install]

4.0 Config files

Now you need to set up the configuration files /etc/modules.conf, /etc/pptpd.conf, 
/etc/ppp/options.pptpd, and /etc/ppp/chap-secrets.  Add the following lines to your modules.conf:

[alias char-major-108 ppp_generic]
[alias tty-ldisc-3 ppp_async]
[alias tty-ldisc-14 ppp_synctty]
[alias ppp-compress-18 ppp_mppe]
[alias ppp-compress-21 bsd_comp]
[alias ppp-compress-24 ppp_deflate]
[alias ppp-compress-26 ppp_deflate]

Note: these aliases are no longer required with current
versions of modutils package. -- James Cameron, 2005-01-14

Run [depmod -a] at a command prompt after you make any changes to modules.conf.  
This eliminates the error message, "Note: /etc/modules.conf is more recent than 
/lib/modules/2.4.x/modules.dep".

Create a file /etc/ppp/options.pptpd, and make sure /etc/ppp/options.pptpd has at 
least the following lines:

[name *]
[lock]
[noauth]
[proxyarp]
[+chap]
[+chapms-v2]
[mppe-40 #comment this out if you don't want to support 40 bit encryption, but see 5.23 first]
[mppe-128]
[mppe-stateless]

If you are using W2k clients, your options file should look like this:

[name *]
[lock]
[mtu 1450]
[mru 1450]
[proxyarp]
[auth]
[+chap]
#[+chapms] #This one is optional and may be omitted.
[+chapms-v2]
[ipcp-accept-local]
[ipcp-accept-remote]
[lcp-echo-failure 3]
[lcp-echo-interval 5]
[deflate 0]
[mppe-128]
[mppe-40]
[mppe-stateless]

Note: these options files are for a very old version of
pppd, and using ipcp-accept-local or ipcp-accept-remote will generally
stop things working right with pppd versions 2.4.2 and later.  See 
the page above and the samples directory for what is
currently recommended.  -- James Cameron, 2005-01-14

The above option file works with Win95 clients too, so if in doubt, use the above
options file.

If the above option file still does not work with W2K clients, add the lines:
[nodeflate]
[nobsdcomp]

If that does not work, remove the [deflate 0] line. Caution: This has not been
tested with both Win9x and W2K clients.

You may want to add the line [debug] too, but this is optional.

For /etc/pptpd.conf, unless you already have such a file, copy the sample file that 
came with pptpd.
[cp /usr/src/pptpd-1.1.2/samples/pptpd.conf /etc/]

You must edit the localip and remoteip lines.  This is highly individual, but 
instructions are included in the configuration file.  You may also want to uncomment 
the debug line as well.

Also, uncomment the option line and make sure it reads:
[option /etc/ppp/options.pptpd]

Make sure /etc/ppp/options is blank.  Any options in this file are always read and may
interfere with pptpd.  This is good advice for all your ppp work: don't populate the
/etc/ppp/options file.  Always put everything required into its own options file, e.g.

/etc/ppp/options.dialinuser
/etc/ppp/options.pptpd
/etc/ppp/options.dialout
/etc/ppp/options.anotherspecialsetup


The final configuration file is /etc/ppp/chap-secrets.  The general format is:
username  *  password  *

Add the appropriate usernames and passwords.  Note that these usernames and passwords are 
only used to log into pptpd.  They are not used for Linux or SAMBA authentication.  Also, 
Windows clients have a bad habit of prepending the first domain name ever used to the 
username.  Thus, even though a client might enter robert as the username, what actually 
gets sent could be (for example) MyDomain\\robert.  One way to fix this is to use 
the debug logs to look for the actual name sent, and add the actual name in 
chap-secrets.  This also means that if the client uses a different computer, the same 
username and password he (or she) has been using could stop working.

There is also a patch to strip the domain names and a separate patch to allow the 
use of your samba password database rather than chap-secrets.  See
http://home.swbell.net/berzerke/pppsmb2.4.patch for the second patch.  This patch 
includes the blank password fix. You must add the line [chapms-strip-domain] to
your pppd options file.  See also section 5.35.

If you wish to assign the person connecting a fixed IP address, rather than one from 
the pool you set up in pptpd.conf, replace the last star with the remote IP address.  
For example, if 192.168.1.4 is in the remote address pool (what gets assigned to 
client), and you always wish to assign it to the user robert, the line in chap-secrets 
would be:

robert	*	 192.168.1.4

I don't recommend this because if you do this, and someone else connects and gets 
192.168.1.4, and robert then connects, the route to the first person will be replaced 
by the route to robert.  This means the first person is cut off.

There are three ways around this problem.  First, don't assign fixed IP numbers.  
Second, assign everyone their own IP number.  Finally, don't put the assigned IP 
numbers in the pool for pptpd to hand out.  They must still be free for pptpd to use, though. 
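
The two chap-secrets pitfalls above (the domain-qualified name a Windows client really sends, and a fixed address that also sits in the remoteip pool) can both be checked from the files themselves.  The script below is an added example, not code from this HOWTO or from the PoPToP project.  Its log lines, chap-secrets entries and remoteip value are constructed; it handles only the short "a.b.c.x-y" form of remoteip ranges; and it assumes (based on the MyDomain\\robert spelling above) that a backslash in a chap-secrets name must be written doubled because pppd's word parser treats a single backslash as an escape.

```shell
#!/bin/sh
# Added example (not from the HOWTO): two sanity checks for /etc/ppp/chap-secrets.
#  1. the name a client really sent, taken from pppd's debug log, checked against
#     the client field of chap-secrets;
#  2. fixed addresses in chap-secrets that also fall inside the pptpd.conf
#     remoteip pool (the route-clobbering case described above).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed pppd debug output: the user typed "robert", the client sent the
# domain-qualified name. Layout follows pppd's "rcvd [CHAP Response ...]" debug
# line; the hash, pids and times are made up.
cat >"$TMP/messages" <<'EOF'
Feb 17 15:03:01 linux pppd[3305]: rcvd [CHAP Response id=0x1 <1a2b3c4d>, name = "MyDomain\robert"]
Feb 17 15:03:02 linux pppd[3305]: Connection terminated.
Feb 17 15:04:10 linux pppd[3310]: rcvd [CHAP Response id=0x1 <5e6f7a8b>, name = "alice"]
EOF

# Constructed chap-secrets in the "username * password *" form used above.
cat >"$TMP/chap-secrets" <<'EOF'
# client  server  secret  IP
robert    *       s3cret  *
alice     *       pa55    192.168.1.4
bob       *       pa55    192.168.1.40
EOF

# Constructed remoteip value as it would appear in pptpd.conf.
REMOTEIP='192.168.1.2-10,192.168.1.20'

# chap_names_sent < messages : the name field of every CHAP Response line.
chap_names_sent() {
    sed -n 's/.*CHAP Response.*name = "\([^"]*\)".*/\1/p'
}

# chap_secret_status NAME FILE : "ok" if NAME is the client field of some line
# in FILE, "missing" otherwise. A doubled backslash in the file is collapsed to
# one before comparing (assumption: pppd's parser escapes with backslash).
# The name is passed through the environment so awk does not reinterpret it.
chap_secret_status() {
    n="$1" awk '
        /^[ \t]*#/ || NF == 0 { next }
        { f = $1; gsub(/\\\\/, "\\\\", f) }
        f == ENVIRON["n"] { found = 1 }
        END { print (found ? "ok" : "missing") }' "$2"
}

# expand_pool "REMOTEIP" : one address per line; "a.b.c.x-y" expands x..y.
expand_pool() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            n = split($i, o, ".")
            if (o[n] ~ /-/) {
                split(o[n], r, "-")
                for (k = r[1]; k <= r[2]; k++) print o[1] "." o[2] "." o[3] "." k
            } else print $i
        }
    }'
}

# fixed_ip_conflicts FILE "REMOTEIP" : users whose fixed address is in the pool.
fixed_ip_conflicts() {
    expand_pool "$2" | awk 'NR == FNR { pool[$1] = 1; next }
        /^[ \t]*#/ || NF < 4 { next }
        $4 != "*" && ($4 in pool) { print $1 }' - "$1"
}

# Demonstration on the constructed data (printf, not echo: dash's echo would
# turn the "\r" in the name into a carriage return).
for n in $(chap_names_sent <"$TMP/messages"); do
    printf 'sent name %s: %s\n' "$n" "$(chap_secret_status "$n" "$TMP/chap-secrets")"
done
printf 'fixed address inside the pool: %s\n' "$(fixed_ip_conflicts "$TMP/chap-secrets" "$REMOTEIP")"
```

On the constructed data the first check reports MyDomain\robert as missing (only robert is in the file) and alice as ok, and the second reports alice, whose fixed 192.168.1.4 lies inside the 192.168.1.2-10 range.  To run it against a real system, replace the two here-documents with /var/log/messages and /etc/ppp/chap-secrets and copy the remoteip value from /etc/pptpd.conf.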

The last thing to do is to start pptpd.

[/usr/local/sbin/pptpd -d]

You may want to put this command somewhere in your startup scripts.

4.1	Netfilter/Iptables rules

The 2.4 series kernel introduced new firewalling code.  The above configuration file 
(see section 1.0) includes the new code.  Netfilter is the new packet 
filter/mangler, and iptables is the tool used to manipulate netfilter.  The following 
assumes you have iptables already installed (current version is 1.2, use your favorite 
installation method).  Note that these rules are for a pptpd server that is not being 
masqueraded, although I believe they would work for a client not being masqueraded too, 
but this hasn't been tested.  Hopefully, the masquerading rules for pptp will be added 
soon (as soon as I figure out how; I've got regular masquerading working, but have not 
tried pptp masquerading).

These rules are not a complete firewall, and while fully functional, may still have 
security holes.  I assume that the default filter table policies are drop, and the 
nat table policies are accept.  Let me know if you can improve them.  Note I use 
constants in my scripts to make customizations easy:

[echo "Setting up firewall....."]
[#Define some constants - change for your network!]
[LOCALNETWORK="192.168.1.0/24"]
[LOOPBACK="127.0.0.0/8" #Assumed value: the loopback rules below use it but the original listing never defined it]
[PUBLICPORTS="1024:65535" #Assumed value: unprivileged client source ports, used by the pptpd rule below]
[INTINT="eth1" #The internal interface]
[EXTINT="eth0" #The external interface]
[# Activate the forwarding!]
[echo 1 >/proc/sys/net/ipv4/ip_forward]
[# Insert the required kernel modules]
[modprobe iptable_nat]
[modprobe ip_conntrack]
[modprobe ip_conntrack_ftp]

You may already have something similar to this.  In which case use the one you prefer.

[#=============================================]
[# Flush the old rules and set default policies]
[#=============================================]
[echo "Setting defaults"]
[/sbin/iptables -F]
[/sbin/iptables -t nat -F]
[/sbin/iptables -P INPUT DROP]
[/sbin/iptables -P OUTPUT DROP]
[/sbin/iptables -P FORWARD DROP]
[/sbin/iptables -t nat -P POSTROUTING ACCEPT]
[/sbin/iptables -t nat -P PREROUTING ACCEPT]
[/sbin/iptables -t nat -P OUTPUT ACCEPT]

[#Loopback interface is valid]
[/sbin/iptables -A INPUT  -i lo -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT]
[#Yes, I know lo looks strange, but otherwise there are problems.]
[#Some local network traffic does pass through lo rather than]
[#the internal interface.]
[/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A INPUT  -i lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT]
[echo "Loopback setup"]

[#Allow unlimited LAN traffic]
[/sbin/iptables -A INPUT  -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT]
[#This next allows local broadcasts from this machine.]
[/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \]
[        -j ACCEPT]
[/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT]
[echo "LAN traffic allowed"]

[#Allow forwarding from inside to out and vice versa]
[/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT]

[#Allow pptpd connections (port 1723)]
[/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \]
[        --sport $PUBLICPORTS --dport 1723 -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT  -i $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT  -i ppp+ \]
[        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o ppp+ \]
[        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[echo "PPTPD allowed"]

A complete *SAMPLE* iptables script, including pptpd support, can be found at 
http://home.swbell.net/berzerke .
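
As an added example (not code from this HOWTO or from the PoPToP project), here is the pptpd-specific part of the rule set wrapped in a function with a dry-run switch, so the rules can be printed and reviewed before they are loaded into a live firewall.  It assumes the same setup as above (filter policies DROP, nat policies ACCEPT, ip_conntrack loaded so the state match is available); the interface name and network are constructed values.  It also adds filter-table rules for TCP port 1723: the listing above only accepts 1723 in the nat table, and with a DROP policy on the filter INPUT chain the control connection is dropped there unless a filter rule accepts it.

```shell
#!/bin/sh
# Added example (not from the HOWTO): pptpd rules as a function with a dry run.
# Set IPT=echo to print the commands instead of loading them.
IPT=${IPT:-/sbin/iptables}

# pptp_rules EXTERNAL_IF LOCALNETWORK
pptp_rules() {
    ext=$1
    lan=$2

    # Control channel, TCP port 1723. Only the server side answers; new
    # connections are accepted inbound, and outbound 1723 traffic is limited to
    # replies on established connections (state match, needs ip_conntrack).
    $IPT -A INPUT  -i "$ext" -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$ext" -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT

    # Data channel, GRE (IP protocol 47), carries the PPP frames of the tunnel.
    $IPT -A INPUT  -i "$ext" -p 47 -j ACCEPT
    $IPT -A OUTPUT -o "$ext" -p 47 -j ACCEPT

    # Inside the tunnel only LAN addresses are expected at either end; anything
    # else arriving on a ppp interface falls through to the DROP policy.
    $IPT -A INPUT  -i ppp+ -s "$lan" -d "$lan" -j ACCEPT
    $IPT -A OUTPUT -o ppp+ -s "$lan" -d "$lan" -j ACCEPT
}

# Dry run on constructed values: print the six rules, load nothing.
( IPT=echo; pptp_rules eth0 192.168.1.0/24 )
```

Run the block as is to see the rule list; run it with IPT left at its default (as root, after the policy and LAN rules above) to load the rules for real.  Forwarding between the ppp interfaces and the LAN is already covered by the two FORWARD rules in the listing above, so they are not repeated here.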

4.2 Setting up the clients.

This section was ripped from the RedHat-PoPToP HOWTO by Mike Barsalou.  Thanks Mike.

Note that the Win95 routine is similar but requires Dial Up Networking Update 1.3 and 
both the Win95 and Win98 need the vpnupdate (free from Microsoft) to be installed 
first.  You're going to have to hunt around a little for these files as they keep 
moving.  However, here are a couple places to try first:

Windows 95

http://www.microsoft.com/windows95/downloads

Windows 98

http://www.microsoft.com/windows98/downloads/corporate.asp    


	1a. For Win95 machines install the DUN 1.3.

	1b. For Win98 machines use the add-remove programs tool to uninstall the VPN 
software. Some of the OEM's don't install this properly. Re-Install it using the 
add-remove programs tool. Go to windows setup (tab) select communications and press the 
details button.  Scroll down and check the VPN support.

	2. Install the vpnupdate for your particular machine (win95/98 not 98SE).    

take a little nap here...

Once your machine is back up:     

   1. Go to dial-up networking (usually 
start->programs->Accessories->communications->Dial-up Networking) YMMV

   2. Click make new connection

   3. Name the Connection whatever you'd like.

   4. Select Microsoft VPN adapter as the device.

   5. Click next.

   6. Type in the ip address or hostname of your pptp server.

   7. Click next.

   8. Click finish

   9. Right-click on the intranet icon.

  10. Select properties.

  11. Choose server types.

  12. Check require encrypted password.  It is also recommended that you check 
require data encryption.  Without the data encryption, your Virtual Private Network 
becomes a Virtual Public Network.

  13. Uncheck netbeui, ipx/spx compatible.

  14. Click tcp/ip settings.

  15. Turn off use IP header compression (May not be necessary).

  16. Turn off use default gw on remote network.

  17. Click ok.

  18. Start that connection.

  19. Type in your username and pw (yadda, yadda, yadda).

  20. Once it finishes its connection you're up.

You will probably only have 40 bit data encryption.  See section 5.2 for how to get 128 
bit encryption.

5.0 Troubleshooting.

5.1 	Q: How do I know if my users are connecting at 40 bits or 128 bits?

	A: Look for a line in the logs that reads either: MPPE 40 bit, stateless compression 
enabled or MPPE 128 bit, stateless compression enabled.  What you see is what you get.
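
An added example, not from the HOWTO: a small audit over pppd log lines that reports the key length each session negotiated and lists the sessions below a chosen minimum, so 40 bit sessions can be found without reading the whole log.  The log lines are constructed to match the message text quoted above; the pids, hostname and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the HOWTO): find the MPPE key length of each pppd session.
# Constructed log lines in the form the HOWTO quotes ("MPPE 40 bit, stateless
# compression enabled"); the third line is an unrelated message to be skipped.
SAMPLE_LOG='Jun  3 10:01:02 linux pppd[4001]: MPPE 128 bit, stateless compression enabled
Jun  3 10:05:44 linux pppd[4002]: MPPE 40 bit, stateless compression enabled
Jun  3 10:05:45 linux pppd[4002]: local  IP address 192.168.1.1
Jun  3 10:09:10 linux pppd[4003]: MPPE 128 bit, stateless compression enabled'

# mppe_sessions < log : one "<pid> <bits>" line per pppd process that enabled MPPE.
mppe_sessions() {
    sed -n 's/^.*pppd\[\([0-9][0-9]*\)\]: MPPE \([0-9][0-9]*\) bit.*$/\1 \2/p'
}

# mppe_weak_sessions MINBITS < log : pids that negotiated fewer than MINBITS.
# Prints nothing when every session meets the minimum.
mppe_weak_sessions() {
    mppe_sessions | awk -v min="$1" '$2 < min { print $1 }'
}

# mppe_summary < log : number of sessions per key length, strongest first.
mppe_summary() {
    mppe_sessions | awk '{ n[$2]++ } END { for (b in n) print b, n[b] }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | mppe_summary
printf 'sessions below 128 bits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | mppe_weak_sessions 128)"
```

On the constructed log this prints "128 2", "40 1", and pid 4002 as the only session below 128 bits; against a real server feed it /var/log/messages (or wherever pppd logs on your system) on stdin.  The pid in the output is the same pppd[pid] that appears on that session's CHAP lines, which is how a 40 bit session is traced back to a user.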

5.2	Q: I'm connecting at only 40 bits.  How do I connect at 128 bits?

	A: This is probably a client (Windows) problem.  The key file for Windows 95/98 
is pppmac.vxd, located in c:\windows\system. The easiest way to upgrade this 
properly is to get the DUN 1.4 update from Microsoft.  As of 07/10/2001, the urls 
are:

Win 95 (all versions): 
http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe

Win 98 First Edition: 
http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe

Win 98 Second Edition: 
http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe

If the above URLS don't work, try here: 
http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP

For W2K clients, get the high encryption pack from Microsoft.

5.3	Q: When someone tries to connect, my system logs show something like:

Feb 17 15:03 linux pppd[3305]: Peer is not authorized to use remote address 212.31.242.99
Feb 17 15:03 linux pppd[3305]: ipcp: down
Feb 17 15:03 linus pppd[3305]: sent [IPCP TermReq id=0x3 "Unauthorized remote IP address"]
	A: This message *can* appear if you don't have the noauth line in your
/etc/ppp/options.pptpd file.  Without this line, ppp will require the pptp server to
authenticate itself.  I was unable to reproduce this error with the setup described in this HOWTO.

5.4	Q: I'm having trouble getting pppd 2.3.X to work.  I'm using a 2.4 series 
kernel.
	A: The minimum version of pppd you should be using with the 2.4.x series 
kernels is 2.4.0.  Don't try to use the ppp 2.3 series.

5.5	Q: The client can't connect to port 1723.
	A: Is pptpd running?  [ps ax |grep pptpd] should show if it is running or not.
	A: Is another program using port 1723?  [netstat --inet -a -n -p | grep 1723] should 
show which program, if any, is using port 1723.
	A: Some providers (AT&T and @home have been reported so far) do not pass port 
1723 or filter GRE packets (which are necessary for pptp).  Supposedly it is to 
cut down on bandwidth.  If possible, try connecting over a LAN and 
see if that works.  You also may want to re-read your subscriber agreement.

You could try doing a traceroute to port 1723 and see if that gets through.  The 
command is traceroute -p 1723 .
	A: Is a firewall blocking it, either at the client or server end?  For those
using iptables, the commands to check ALL your firewall rules are:
[iptables -t filter -L -n]
[iptables -t mangle -L -n]
[iptables -t nat -L -n]

5.6.1	Q: Windows is giving me an error 645.
	A: Try uninstalling the VPN component under Communications, and 
reinstall it.

5.6.2	Q: Windows is giving me an error 650.
	A: This can be caused by port 1723 being blocked somewhere along the path 
or IP protocol 47 (GRE) being blocked (or both).  Some providers (AT&T and @home 
have been reported so far) do not pass port 1723 or filter GRE packets (which are 
necessary for pptp). Supposedly it is to cut down on bandwidth.  If possible, try 
connecting over a lan and see if that works.  You also may want to re-read your 
subscriber agreement.

You could try doing a traceroute to port 1723 and see if that gets through.  The
command is traceroute -p 1723 .

Another reason this error happens is the public card (connection to internet) has 
to be listed first when you look at your adapters in the properties of My Network 
Places.  MS admits that this seems to only affect W98 clients when using W2K PPTPD
servers. It is currently unknown if it also has an impact on Linux PPTPD servers.

5.6.3	Q: Windows is giving me an error 53.
	A: See question 5.11

5.6.4	Q: Windows is giving me error 619.
	A: Check that you have pty support compiled into your kernel.

5.6.5	Q: Windows NT is giving me error 742.
	A: Upgrade to at least service pack 5.  Service pack 6a is recommended.  Also,
disable other protocols like NetBeui, and IPX.

5.7	Q: Do I have to use multiple local IP numbers?
	A: No.  One is all you need.  However, you do need multiple remote IP numbers 
if you want more than one client connecting at a time.  You need one remote IP number 
for each simultaneous connection.

5.8	Q: Do the local and remote IP numbers have to be on the same subnet?
	A: No, but the setup is a pain, especially if you are also running a firewall.  
I don't recommend trying this unless you *must*.

5.9	Q: My clients get 2 DNS servers when they connect to the internet.  I assign 
them 2 additional ones for the VPN.  How come when I do a winipcfg, my 2 DNS servers 
show last?
	A: This is normal.  From tests others have done, it does *appear* as if the two 
servers you assigned are consulted first.

5.10	Q: Browsing doesn't work.  How do I fix it?

	A: First, can you ping other computers?  If not, then there is a 
connectivity problem (at least).  Resolve this and try again.

	A: Updating network neighborhood to the point where a PPTPD client can 
see the other computer can take 30-60 seconds (I've seen a couple of minutes).  
Be patient and try again.

	A: Are you using a wins server?  Broadcasts generally don't pass routers 
(a ppp interface counts).  Browsing is generally done either via Wins, or 
broadcasts.  It is possible to use the hosts and lmhosts files as a substitute 
for a wins server.  Most people report fewer troubles when the pptpd server is 
also a wins server.

	A: If you are using a Samba wins server, is the "guest account" in your 
smb.conf set to an actual valid account?  The IPC$ connection that lists the 
shares is done as guest, and will fail without a valid guest account.

	A: If you are using an MS wins server, it requires a re-registration at 
least every 90 days.  Since linux is so stable, it is quite possible to run 
longer than 90 days without rebooting (or at least restarting Samba).  Be sure 
and restart Samba at least every 89 days.  This browsing problem should only 
affect Samba computers.  Once you pass the 90 days, you may have to restart the 
MS machine too to clear things up, and even that may not work (conflicting 
reports here).

	A: Are *ANY* of the clients running more than one protocol?  From the 
Samba docs: "Every NetBIOS machine take part in a process of electing the LMB 
[Local Master Browser] (and DMB [Domain Master Browser]) every 15 minutes...The 
election process is "fought out" so to speak over every NetBIOS network 
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
installed and has NetBIOS enabled over both protocols the election will be
decided over both protocols. As often happens, if the Windows 9x machine is
the only one with both protocols then the LMB may be won on the NetBIOS
interface over the IPX protocol. Samba will then lose the LMB role as Windows
9x will insist it knows who the LMB is. Samba will then cease to function
as an LMB and thus browse list operation on all TCP/IP only machines will
fail.

	A: If running Samba, and only one machine isn't accessible (to pptpd 
clients), look in the wins.dat file.  Generally it is in /var/lock/samba.  See if 
the computer is actually listed.  If not, restart the computer (or Samba). Samba 
seems only to register itself once (when starting).  If the wins server is not 
available at that time, you will not be able to access that machine via wins 
until you restart Samba.

	A: Try using the "net use" and "net view" commands from the windows client.  
Just because you can't see something in network neighborhood doesn't mean it isn't 
on the network.  In fact, they are much more reliable than browsing.  I've also 
found mapping a drive with the net use command tends to make things appear in 
network neighborhood.  YMMV.

	A: Windows 9x and Me suffer from memory fragmentation issues that can require
rebooting in order to make PPP or PPTP work again.  This is something to try especially
when you have connected before successfully.

5.11	Q: I can browse the server's shares, but no other computers.  What 
am I missing?

	A: There are several things to check.  Do you have proxyarp in your
ppp/options?  Make sure that there is an entry in the /var/log/messages, when the
link is brought up, that says something like:
Feb  2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp file?

If not, you won't see past the pptpd server.  Second, check your firewall rules and
make sure the packets are getting forwarded from the ppp interface to the lan.

Sometimes, over a pptp connection, it takes a few minutes to update the browse lists.
Be patient.  Manually mapping a drive seems to speed this up considerably.

Finally, try the [net view \\] command.  You normally can substitute
the IP address of the computer.  If, when substituting the IP address, you get an error
53, then there is a problem with reaching the computer or with the Wins server.  I've found
from experience that if there are only a couple of servers whose IP addresses don't
change, an lmhosts file works well.  Note that if you use an lmhosts file, don't try
the net view command with an IP address.  Use the computer's name.  This is because
MS decided that an IP address is first treated as a name, and will try to do a
lookup.  That will fail, and you'll get an error 53 message.

5.12	Q: Every time the last PPTP session closes, pptpd exits.  As long as there is
an active session, it runs fine.  How do I fix this?

	A: This problem has been reported with pptpd version 1.0.1.  Some
have reported that upgrading to 1.1.2 (or better) fixed the problem.

5.13	Q: I can get the PPTP connection to work fine, but can not get
encryption to work.  What is wrong?

	A: It has been reported that changing PPP from being built into the 
kernel to being a loadable module has fixed the problem.  The configuration file 
listed in the earlier instructions does build PPP as a loadable module.

5.14	Q: I'm unable to send packets.  My debug logs have something like:
Mar  4 20:54:14 foo pppd[2719]: Protocol-Reject for unsupported protocol 0x94e9

	A: You must add the line [mppe-stateless] (without the [ ]'s) to your 
/etc/ppp/options.pptpd file.

5.15	Q: I've tried downloading the patches with Netscape and I get all kinds of 
errors.

	A: Netscape is known to mangle patches, especially non-zipped patches.  Use 
something else like wget or lynx.  If you have KDE, Konqueror doesn't give me any 
problems either.

5.16	Q: I'm getting errors indicating that ppp support hasn't been compiled into the 
kernel even though it is.  How do I fix it?

	A: Use the following commands:
[mknod /dev/ppp c 108 0]
[chmod 600 /dev/ppp]

5.17	Q: How come the ppp connection formed by pptp shows a netmask of 
255.255.255.255?  Isn't this an error?

	A: Your ppp* device should have that netmask (255.255.255.255).  This is 
normal when you have a ppp virtual device that has another device (eth*) answer arp 
requests on behalf of the remote pptp clients ip address. i.e. proxyarp.  You are 
using the proxyarp option, aren't you?

5.18	Q: When I connect to the pptpd server, the client's internet connection 
goes over the pptp connection and not over its usual connection.  How do I fix 
this?

	A: In the client configuration, under TCP settings, there is a check box 
use default gateway on remote network.  Uncheck that.

5.19	Q: How can I disconnect an idle user automatically?

	A: In ppp options file, add the line:
[idle 
