Installing the PoPToP PPTP service on Mandrake Linux 9.0
PoPToP is a great and really inexpensive way to create a VPN gateway
for a home or small to mid-sized office. It can be more than a little
tricky and/or intimidating to build and configure if you are not a
kernel hacker. Take it from me, I'm not and it was... But with a little help I've
set up PoPToP on both Mandrake 8.2 and 9.0. It works with MSCHAP-v2 clients, so it supports
MS-Windows, and you can run Remote Desktop over PPTP, so you can literally sit at your home/office XP Pro
desktop from anywhere you can get to the internet with a Win 98 or later machine.
This describes how to build the PoPToP PPTPD with 128-bit MSCHAPv2 support and encrypted password storage on Mandrake Linux 9.0 with the 2.4.19 kernel,
using:
ppp-2.4.1 with: MSCHAPv2, openssl, smblib, and require-mppe
libsmbpw-1.3
Linux-PAM-0.77
pptpd-1.1.3
You get: A 128-bit MSCHAPv2 pptp server that works with XP/2K/Me/98 (I've tested this build with XP, 2K, 98SE, and ME)
All of this must be done as root.
Install the kernel-source RPM (this will install ncurses too; you will need glibc and gcc as well if you don't already have them installed)
Modify /usr/src/Makefile for a new extra version (I add 'VPN' to distinguish it)
Get the following packages (I have them here; the MMPE repository
on Planetmirror has most of them too). The ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch and the smbpw setup come
courtesy of Will at c0rtex.com: http://www.c0rtex.com/~will/vpn.
linux-2.4.19-openssl-0.9.6b-mppe.patch.gz
libsmbpw-1.3.tar.gz
ppp-2.4.1.tar.gz
ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch
pptpd-1.1.3.tar.gz
Linux-PAM-0.77.tar.gz
Put them all in a convenient directory then
tar -zxvf the PPP source
tar -zxvf the libsmbpw source
tar -zxvf the PoPToP source
tar -zxvf the Linux-PAM source
Then:
gunzip linux-2.4.19-openssl-0.9.6b-mppe.patch.gz
cd /usr/src/linux
patch -p1 < ~/linux-2.4.19-openssl-0.9.6b-mppe.patch
Next, configure the kernel, from /usr/src/linux:
make menuconfig
Check to make sure that the PPP settings under Network device support look something like this:
[*] Network device support
ARCnet devices --->
Dummy net driver support
Bonding driver support
EQL (serial line load balancing) support
Universal TUN/TAP device driver support
Ethertap network tap (OBSOLETE)
General Instruments Surfboard 1000
Ethernet (10 or 100Mbit) --->
Ethernet (1000 Mbit) --->
[*] FDDI driver support
Digital DEFEA and DEFPA adapter support
SysKonnect FDDI PCI support
[ ] HIPPI driver support (EXPERIMENTAL)
PLIP (parallel port) support
PPP (point-to-point protocol) support
[*] PPP multilink support (EXPERIMENTAL)
[*] PPP filtering
PPP support for async serial ports
PPP support for sync tty ports
PPP Deflate compression
PPP BSD-Compress compression
PPP over Ethernet (EXPERIMENTAL)
PPP over ATM (EXPERIMENTAL)
SLIP (serial line) support
[*] CSLIP compressed headers
[*] Keepalive and linefill
[*] Six bit SLIP encapsulation
Wireless LAN (non-hamradio) --->
Token Ring devices --->
[*] Fibre Channel driver support
Interphase 5526 Tachyon chipset based adapter support
Red Creek Hardware VPN (EXPERIMENTAL)
Traffic Shaper (EXPERIMENTAL)
Wan interfaces --->
PCMCIA network device support --->
ATM drivers --->
Build the new kernel and modules:
The next three lines are only needed if you are not starting clean:
make mrproper
cp /usr/src/linux/arch/i386/defconfig /usr/src/linux/.config (the default Mandrake .config)
make oldconfig
Normally start here:
make dep
make clean
make bzImage
make modules
make modules_install
make install
reboot and select the new kernel in LILO.
libsmbpw
cd libsmbpw-1.3
make
cp libsmbpw.1.3.so libsmbpw.a libsmbpw.so /lib
ldconfig
PAM
cd Linux-PAM-0.77
./configure
make
make install
PPP
NOTE: this is Will from c0rtex.com's rolled up patch created from:
ppp-2.4.1-MSCHAPv2-fix.patch
ppp-2.4.1-openssl-0.9.6-mppe-patch
pppsmb2.4.patch
require-mppe.diff
cp ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch ppp-2.4.1
cd ppp-2.4.1
patch -p1 < ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch
./configure
make
make install
PoPToP
cd pptpd-1.1.3
./configure
make
make install
Add the following to your /etc/modules.conf
alias /dev/ppp ppp_generic
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
Set up the pptpd and pppd conf files.
Sample pptpd.conf, goes in /etc:
speed 115200
option /etc/ppp/options.pptp
localip 192.168.1.6 # the IP of the PPTP server
remoteip 192.168.1.150-160 # or the IP range that you want to use
Sample options.pptp, goes in /etc/ppp
lock
debug
auth
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
name pptpd
Sample options, goes in /etc/ppp
ms-dns 207.155.183.73 # put in your own DNS
ms-wins 192.168.1.6 # and your own WINS server address
noipdefault
usepeerdns
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name your-servername.com
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
Sample chap-secrets, goes in /etc/ppp
# Secrets for authentication using CHAP
# client server secret IP addresses
george pptpd &/etc/smbpasswd * # or specific IP addr instead of *
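The pptpd.conf and chap-secrets samples above are easy to get subtly wrong (a localip that falls inside the remoteip pool, or a user whose secret is stored in clear instead of via the &/etc/smbpasswd lookup). The following check script is an added example, not part of this HOWTO or of pptpd; it assumes pptpd's remoteip short form (a range on the last octet, comma-separated entries, which goes beyond the single range shown above) and the "&/etc/smbpasswd" secret form from Will's smbpw patch.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: sanity-check the pptpd address
# pool and the chap-secrets entries before starting the service.
# Assumes pptpd's remoteip short form (range on the last octet, comma-separated
# entries) and the "&/etc/smbpasswd" secret form from Will's smbpw patch.

# Expand a remoteip value such as 192.168.1.150-160,192.168.1.200 into one
# address per line. A bare address (no "-") expands to itself.
expand_remoteip() {
    echo "$1" | tr ',' '\n' | while read -r spec; do
        prefix=${spec%.*}          # 192.168.1
        octets=${spec##*.}         # 150-160 or 200
        i=${octets%-*}
        end=${octets#*-}
        while [ "$i" -le "$end" ]; do
            echo "$prefix.$i"
            i=$((i + 1))
        done
    done
}

# Return 0 if localip ($1) is outside the remoteip pool ($2); a collision
# would hand a client the server's own address.
localip_ok() {
    if expand_remoteip "$2" | grep -qx "$1"; then
        return 1
    fi
    return 0
}

# Read chap-secrets on stdin and count entries for server $1 whose secret is
# stored in clear rather than looked up via "&/etc/smbpasswd". Comment and
# blank lines are skipped; only the first three fields are examined, so a
# trailing "# ..." comment on an entry does not matter.
count_cleartext_secrets() {
    awk -v srv="$1" '$1 !~ /^#/ && NF >= 3 && $2 == srv && $3 !~ /^&/ { n++ }
                     END { print n + 0 }'
}

# Constructed sample: the HOWTO's george entry plus one cleartext entry.
SAMPLE_SECRETS='# client server secret IP addresses
george pptpd &/etc/smbpasswd *
fred pptpd fredspassword *'

# Example run using the HOWTO's sample addresses.
expand_remoteip 192.168.1.150-160 | sed -n '1p;$p'
if localip_ok 192.168.1.6 192.168.1.150-160; then
    echo "localip 192.168.1.6 is outside the pool"
fi
printf '%s\n' "$SAMPLE_SECRETS" | count_cleartext_secrets pptpd
```

Run it against your real files with `count_cleartext_secrets pptpd < /etc/ppp/chap-secrets`; any count above zero means a user is still authenticating against a secret kept in clear in chap-secrets rather than through smbpasswd.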
Do:
rmmod ppp
insmod ppp
insmod ppp_mppe
(You will get some complaints from the above, but they will work.) The PPP module may have been compiled directly
into the kernel, so it might not be found, depending on your configure settings.
Edit /etc/sysconfig/network and change:
FORWARD_IPV4=yes
Edit /etc/rc.d/rc.local and add
/usr/local/sbin/pptpd
echo 1 > /proc/sys/net/ipv4/ip_forward
as the last lines. There are obviously cleaner, nicer ways of doing this; I will look at a script one day...
Reboot
Make sure that there is a WINS server, either on the LAN or by turning on the one in Samba.
Here are two simple sample smb.conf files. They go in /etc/samba. This one is for when you have another WINS server:
[global]
workgroup = Gulfstream
encrypt passwords = Yes
smb passwd file = /etc/smbpasswd
password level = 8
username level = 8
socket options = TCP_NODELAY
domain logons = No
domain master = No
local master = No
os level = 10
preferred master = No
wins proxy = no
hosts allow = 10.0.0.
# logon script = logon.bat
wins server = 10.0.0.6
[homes]
comment = Home Directories
read only = No
browseable = No
This one is for when the Samba server is the WINS server:
[global]
workgroup = Gulfstream
encrypt passwords = Yes
smb passwd file = /etc/smbpasswd
password level = 8
username level = 8
socket options = TCP_NODELAY
domain logons = yes
domain master = yes
local master = yes
os level = 65
preferred master = yes
wins proxy = yes
wins support = yes
hosts allow = 192.168.1.
# logon script = logon.bat
name resolve order = wins hosts bcast lmhosts
[homes]
comment = Home Directories
read only = No
browseable = No
Add and enable Samba users:
smbpasswd -a username
smbpasswd -e username
Set up the Windows VPN PPTP client, turn off header compression in W2000 and XP
(MPPE has compression built in) and test...
For W98 clients, you need to get DUN (Dial Up Networking) 1.4 to
support 128-bit encryption; it's available free from Microsoft. Also, if
you are using XP Pro on your inside desktops, you can turn on the
Remote Desktop server and use the Remote Desktop client
that comes with XP Pro (and can also be downloaded from MS), which will
work with any OS from Windows 98 on to allow you to remotely 'sit' at
your Windows XP Pro desktop. To find out about this, go to the
Microsoft Knowledge Base and search on 'XP Remote Desktop'. If you
don't use XP Pro, you can use VNC, Timbuktu, OnCall, or other remote
desktop services. Also, MS NetMeeting can enable remote desktops for
Win98, ME, NT and 2000 clients; see the
Microsoft Knowledge Base for details and instructions.
Remember to set up a Linux account, a SAMBA UID and password, and to
make an entry in chap-secrets for each user. It's a lot simpler to test
this on a LAN with local access first. Once it's going, you can enable
your firewall to pass port 1723 and to enable GRE (protocol 47).
And remember to change the IP address when you switch from inside to outside if you use NAT!
Good luck! Enjoy your gateway. If you find any errors, or have any questions or suggestions, please contact me.
Thanks to Chris Zimman for constant help, and to Will at c0rtex.com for the smbpasswd code.
Steve Weingart / shw@gulf-stream.net /12-12-02