Installing the PoPToP PPTP service on Mandrake Linux 10.1

 


PoPToP is a good and really inexpensive way to build a VPN gateway for a home or a small to mid-sized office. It can be more than a little tricky and intimidating to build and configure if you are not a kernel hacker. Take it from me, I'm not, and it was... But with a little help I've set up PoPToP on Mandrake 8.2, 9.0 and 9.1 (NOTE: someone else has tried this on 9.2 and said that it worked, but I have not tested it myself). So here we go with 10.1. It works with MSCHAP-v2 clients, so it supports MS Windows, and you can run Remote Desktop over PPTP, so you can literally sit at your home/office XP Pro desktop from anywhere you can reach the internet with a Windows 98 or later machine. And you don't need to build the kernel!

This page describes how to build the PoPToP PPTP daemon (pptpd) with 128-bit MPPE/MSCHAPv2 support and encrypted password storage on Mandrake Linux 10.1.

With:

Linux-PAM-0.77
pptpd-1.1.3

You get: a 128-bit MSCHAPv2 PPTP server that works with XP/2K/Me/98 (I've tested this build with XP, 2K, 98SE and ME).

All of this must be done as root.

Get the following packages (I have them here; the MMPE repository on Planetmirror has most of them too):

pptpd-1.1.3.tar.gz

Linux-PAM-0.77.tar.gz

Put them all in a convenient directory, then unpack both:

   tar -zxvf pptpd-1.1.3.tar.gz
   tar -zxvf Linux-PAM-0.77.tar.gz
Then:

PAM

   cd Linux-PAM-0.77
   ./configure
   make
   make install

PPP

Make sure that the ppp package is installed from the Mandrake CDs (rpm -q ppp will tell you).

PoPToP

   cd pptpd-1.1.3
   ./configure
   make
   make install

Add the following to your /etc/modules.conf:
   alias /dev/ppp          ppp_generic
   alias char-major-108    ppp_generic
   alias tty-ldisc-3       ppp_async
   alias tty-ldisc-14      ppp_synctty
   alias ppp-compress-18   ppp_mppe
   alias ppp-compress-21   bsd_comp
   alias ppp-compress-24   ppp_deflate

Set up the pptpd and pppd conf files.

Sample pptpd.conf, goes in /etc:

   speed 115200
   option /etc/ppp/options.pptp
   localip 192.168.1.6         # the IP of the PPTP server
   remoteip 192.168.1.150-160  # or the IP range that you want to use

Sample options.pptp, goes in /etc/ppp:
   lock
   debug
   auth
   proxyarp
   name pptpd

Sample options, goes in /etc/ppp:
   ms-dns 207.155.183.73 # put in your own DNS
   ms-wins 192.168.1.6   # and your own WINS server address
   noipdefault
   usepeerdns
   asyncmap 0
   auth
   crtscts
   lock
   hide-password
   modem
   debug
   name your-servername.com
   proxyarp
   lcp-echo-interval 30
   lcp-echo-failure 4
   noipx

Sample chap-secrets, goes in /etc/ppp (this file holds the passwords in clear text, so it must be readable by root only):
   # Secrets for authentication using CHAP
   # client        server      secret          IP addresses

   george          pptpd       password               *   # or specific IP addr instead of *

Do:

   rmmod ppp
   modprobe ppp_mppe_mppc
(You may get some complaints from the rmmod, for example that ppp is not loaded or is in use; the modprobe will still work.) If the PPP driver was compiled directly into the kernel rather than built as a module, there is no ppp module to unload and rmmod will report that it cannot find it; that is harmless.

Edit /etc/sysconfig/network and change:

   FORWARD_IPV4=yes

Edit /etc/rc.d/rc.local and add

   modprobe ppp_mppe_mppc
   /usr/local/sbin/pptpd
   echo 1 >  /proc/sys/net/ipv4/ip_forward

as the last lines. There are obviously cleaner, nicer ways of doing this; I will look at a script one day...

Edit /etc/modules and add

   ppp_mppe_mppc

This should load the already available MPPE kernel module, which is already patched for MS compatibility (but on some systems it won't, so the line in rc.local guarantees it).

Reboot
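The configuration steps above, from "Set up the pptpd and pppd conf files" down to the rc.local lines, collected into one script. This is an added example, not code from the original page or from the PoPToP project. It assumes that "make install" put pptpd in /usr/local/sbin, that the MPPE module is called ppp_mppe_mppc as on Mandrake 10.1, and that pppd is 2.4.2 or later with built-in MPPE support, so that the refuse-pap/refuse-chap/refuse-mschap/require-mschap-v2/require-mppe-128 options are understood (older MPPE-patched pppds spell some of these differently). The addresses are the page's sample values and can be overridden from the environment.

```shell
#!/bin/sh
# pptpd-setup.sh: added example, not from the original page or from PoPToP.
# Writes /etc/pptpd.conf and /etc/ppp/options.pptp, checks the client address
# pool, keeps chap-secrets private, and does the modprobe / ip_forward / start
# steps the page puts in rc.local.  Assumptions: pptpd lives in /usr/local/sbin,
# the MPPE module is ppp_mppe_mppc, pppd >= 2.4.2 with MPPE support.
set -eu

LOCALIP=${LOCALIP:-192.168.1.6}              # the PPTP server's LAN address
REMOTEIP=${REMOTEIP:-192.168.1.150-160}      # pool handed out to VPN clients
DNS=${DNS:-192.168.1.6}                      # what clients receive as ms-dns
PPTPD=${PPTPD:-/usr/local/sbin/pptpd}
SECRETS=/etc/ppp/chap-secrets

# Accepts the single-range form pptpd uses, a.b.c.lo-hi, and refuses a pool
# that contains localip (a client would otherwise be handed the server's
# own address).
check_remoteip_range() {   # localip range
    case $2 in
        *.*.*.*-*) ;;
        *) echo "bad remoteip range: $2" >&2; return 1 ;;
    esac
    prefix=${2%.*}                       # a.b.c
    lo=${2##*.}; hi=${lo#*-}; lo=${lo%-*}
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 254 ] \
        || { echo "bad remoteip range: $2" >&2; return 1; }
    case $1 in
        "$prefix".*)
            last=${1##*.}
            if [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
                echo "localip $1 lies inside remoteip $2" >&2; return 1
            fi ;;
    esac
}

# One chap-secrets entry: client, server, secret, allowed addresses.  The
# secret is double-quoted so a space or '#' inside it cannot break the file.
chap_secrets_line() {   # user secret [addresses]
    printf '%s\tpptpd\t"%s"\t%s\n' "$1" "$2" "${3:-*}"
}

# /etc/pptpd.conf as on the page, with the pool checked first.
pptpd_conf() {   # localip remoteip
    check_remoteip_range "$1" "$2"
    printf 'option /etc/ppp/options.pptp\nlocalip %s\nremoteip %s\n' "$1" "$2"
}

# /etc/ppp/options.pptp: the page's options plus lines that refuse anything
# weaker than MS-CHAPv2 with 128-bit MPPE, so a client cannot negotiate a
# clear-text or 40-bit session (assumes pppd >= 2.4.2).
options_pptp() {   # dns
    cat <<EOF
name pptpd
lock
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns $1
lcp-echo-interval 30
lcp-echo-failure 4
EOF
}

# Everything that touches the system lives here and only runs for "apply".
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    pptpd_conf "$LOCALIP" "$REMOTEIP" > /etc/pptpd.conf
    options_pptp "$DNS" > /etc/ppp/options.pptp
    touch "$SECRETS"
    chmod 600 "$SECRETS"        # chap-secrets holds the passwords in clear text
    modprobe ppp_mppe_mppc || echo "warning: ppp_mppe_mppc did not load" >&2
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$PPTPD"
}

# Usage:  sh pptpd-setup.sh apply
#         echo 'the-secret' | sh pptpd-setup.sh adduser george
case ${1:-} in
    apply)   apply ;;
    adduser) read -r secret
             chap_secrets_line "$2" "$secret" >> "$SECRETS" ;;
esac
```

The secret for "adduser" is read from standard input rather than taken as an argument so that it does not show up in the process list or the shell history. Each VPN user still needs the Linux account and the Samba password described further down.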

Make sure that there is a WINS server, either elsewhere on the LAN or the one built into Samba.

Here are two sample, simple smb.conf files. They go in /etc/samba. This one is for when you have another WINS server:

[global]
        workgroup = Gulfstream
        encrypt passwords = Yes
        smb passwd file = /etc/smbpasswd
        password level = 8
        username level = 8
        socket options = TCP_NODELAY
        domain logons = No
        domain master = No
        local master = No
        os level = 10
        preferred master = No
        wins proxy =no
        hosts allow = 10.0.0.
#       logon script = logon.bat
        wins server = 10.0.0.6
[homes]
        comment = Home Directories
        read only = No
        browseable = No

This one is for when the Samba server itself is the WINS server:

[global]
        workgroup = Gulfstream
        encrypt passwords = Yes
        smb passwd file = /etc/smbpasswd
        password level = 8
        username level = 8
        socket options = TCP_NODELAY
        domain logons = yes
        domain master = yes
        local master = yes
        os level = 65
        preferred master = yes
        wins proxy = yes
        wins support = yes
        hosts allow = 192.168.1.
#       logon script = logon.bat
        name resolve order = wins hosts bcast lmhosts

[homes]
        comment = Home Directories
        read only = No
        browseable = No

Add and enable Samba users:

   smbpasswd -a username
   smbpasswd -e username

Set up the Windows VPN PPTP client, turn off IP header compression in Windows 2000 and XP (the ppp_mppe_mppc module already provides MPPC compression) and test...

For Windows 98 clients you need DUN (Dial Up Networking) 1.4 to get 128-bit encryption; it is available free from Microsoft. Also, if you are using XP Pro on your inside desktops, you can turn on the Remote Desktop server and use the Remote Desktop client that comes with XP Pro (it can also be downloaded from MS); the client works with any OS from Windows 98 on and lets you remotely 'sit' at your Windows XP Pro desktop. To find out about this, go to the Microsoft Knowledge Base and search on 'XP Remote Desktop'. If you don't use XP Pro, you can use VNC, Timbuktu, OnCall or other remote desktop services. MS NetMeeting can also enable remote desktops for Windows 98, ME, NT and 2000 clients; see the Microsoft Knowledge Base for details and instructions.

Remember to set up a Linux account, a Samba UID and password, and an entry in chap-secrets for each user. It's a lot simpler to test this on the LAN with local access first. Once it's going, open your firewall for TCP port 1723 and for GRE (IP protocol 47); PPTP needs both. And remember that the address you give the Windows client changes when you move from inside to outside if you use NAT: on the LAN it is the server's own address, from the internet it is the public address of the NAT gateway.
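The firewall opening and a post-install check for the points above, as an added example that is not part of the original page. It assumes iptables (the Mandrake 10.1 kernel has it), an outside interface eth0 and a LAN interface eth1 (both placeholders to change), and a kernel without a PPTP connection-tracking helper, so GRE is accepted in both directions explicitly instead of through ESTABLISHED,RELATED state. The checks take their input as an argument so they can be run against saved output as well as the live box; the sample inputs in the usage comments are constructed.

```shell
#!/bin/sh
# pptp-firewall.sh: added example, not from the original page.  Prints the
# iptables rules that let TCP 1723 and GRE (IP protocol 47) through, lets
# traffic between the ppp links and the LAN be forwarded, and checks a running
# server.  Assumptions: outside interface eth0, LAN interface eth1, no PPTP
# conntrack helper in the kernel (hence explicit GRE rules both ways).
set -eu

EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# Print the rules rather than run them, so they can be reviewed first
# (pipe the output into sh to apply).
pptp_firewall_rules() {   # ext_if lan_if
    cat <<EOF
iptables -A INPUT -i $1 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $1 -p 47 -j ACCEPT
iptables -A OUTPUT -o $1 -p 47 -j ACCEPT
iptables -A FORWARD -i ppp+ -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -o ppp+ -j ACCEPT
EOF
}

# Each check takes the text it inspects as $1.
pptp_listening() { printf '%s\n' "$1" | grep -q '[:.]1723 .*LISTEN'; }            # netstat -ltn
mppe_loaded()    { printf '%s\n' "$1" | grep -q '^ppp_mppe'; }                    # /proc/modules
gre_allowed()    { printf '%s\n' "$1" | grep -Eq -e '-p (47|gre) .*-j ACCEPT'; }  # iptables-save
forwarding_on()  { [ "$1" = 1 ]; }                                               # ip_forward

# chap-secrets holds clear-text passwords: the group/other bits must all be off.
secrets_private() {   # path
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

check_all() {
    pptp_listening "$(netstat -ltn 2>/dev/null)" \
        && echo "ok: pptpd listening on TCP 1723" || echo "FAIL: nothing listening on TCP 1723"
    mppe_loaded "$(cat /proc/modules)" \
        && echo "ok: MPPE module loaded" || echo "FAIL: no ppp_mppe* module loaded"
    forwarding_on "$(cat /proc/sys/net/ipv4/ip_forward)" \
        && echo "ok: ip_forward=1" || echo "FAIL: ip_forward is off"
    gre_allowed "$(iptables-save 2>/dev/null)" \
        && echo "ok: GRE accepted" || echo "FAIL: no ACCEPT rule for protocol 47"
    secrets_private /etc/ppp/chap-secrets \
        && echo "ok: chap-secrets is mode 600" || echo "FAIL: chap-secrets readable by others"
}

# Usage:  sh pptp-firewall.sh rules | sh      (apply the rules)
#         sh pptp-firewall.sh check           (verify the running server)
case ${1:-} in
    rules) pptp_firewall_rules "$EXT_IF" "$LAN_IF" ;;
    check) check_all ;;
esac
```

If your kernel does have a PPTP conntrack helper, the OUTPUT rule for protocol 47 can be replaced by the usual ESTABLISHED,RELATED rule; without it, a default-drop OUTPUT chain silently kills the GRE replies and the client hangs at "Verifying username and password".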

Good luck! Enjoy your gateway. If you find any errors, or have any questions or suggestions, please contact me.

Thanks to Chris Zimman for constant help, and to Will at c0rtex.com for the smbpasswd code.


Steve Weingart / shw@gulf-stream.net /1-20-05
Gulfstream Technologies Inc.
Copyright 2003