PoPToP is a great and really inexpensive way to create a VPN gateway for a home or small to mid-sized office. It can be more than a little tricky and/or intimidating to build and configure if you are not a kernel hacker. Take it from me, I'm not and it was... But with a little help I've set up PoPToP on Mandrake 8.2, 9.0, and 9.1. It works with MSCHAP-v2 clients, so it supports MS-Windows, and you can run Remote Desktop over PPTP, so you can literally sit at your home/office XP Pro desktop from anywhere you can get to the internet with a Win 98 or later machine. And on 9.1, you don't need to build the kernel!

This document describes how to build the PoPToP PPTPD with 128-bit MSCHAPv2 support and encrypted password storage on Mandrake Linux 9.1, with:
ppp-2.4.1 with: MSCHAPv2, openssl, smblib, and require-mppe
You get: a 128-bit MSCHAPv2 pptp server that works with XP/2K/Me/98 (I've tested this build with XP, 2K, 98SE, and ME).

All of this must be done as root.

Install the kernel-source RPM (it will install ncurses too; you will need glibc and gcc as well if you don't already have them installed).

Modify /usr/src/Makefile for a new extra version (I add 'VPN' to distinguish it).

Get the following packages (I have them here; the MPPE repository on Planetmirror has most of them too). The ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch and the smbpw setup come courtesy of Will at c0rtex.com, http://www.c0rtex.com/~will/vpn.

ppp-2.4.1 source
libsmbpw-1.3 source
pptpd-1.1.3 (PoPToP) source
Linux-PAM-0.77 source
ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch

Put them all in a convenient directory, then:

tar -zxvf the PPP source
tar -zxvf the libsmbpw source
tar -zxvf the PoPToP source
tar -zxvf the Linux-PAM source

Then:

libsmbpw
cd libsmbpw-1.3
make
cp libsmbpw.1.3.so libsmbpw.a libsmbpw.so /lib
ldconfig

PAM
cd Linux-PAM-0.77
./configure
make
make install

PPP
NOTE: this is Will from c0rtex.com's rolled up patch created from:
ppp-2.4.1-MSCHAPv2-fix.patch
ppp-2.4.1-openssl-0.9.6-mppe-patch
pppsmb2.4.patch
require-mppe.diff
cp ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch ppp-2.4.1
cd ppp-2.4.1
patch -p1 < ppp-2.4.1-MSCHAPv2-mppe-require-mppe-smbpw.patch
./configure
make
make install
PoPToP
cd pptpd-1.1.3
./configure
make
make install

Add the following to your /etc/modules.conf:

alias /dev/ppp ppp_generic
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate

Set up the pptpd and pppd conf files.

Sample pptpd.conf, goes in /etc:

speed 115200
option /etc/ppp/options.pptp
localip 192.168.1.6 # the IP of the PPTP server
remoteip 192.168.1.150-160 # or the IP range that you want to use

Sample options.pptp, goes in /etc/ppp:

lock
debug
auth
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
name pptpd

Sample options, goes in /etc/ppp:

ms-dns 207.155.183.73 # put in your own DNS
ms-wins 192.168.1.6 # and your own WINS server address
noipdefault
usepeerdns
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name your-servername.com
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

Sample chap-secrets, goes in /etc/ppp:

# Secrets for authentication using CHAP
# client server secret IP addresses
george pptpd &/etc/smbpasswd * # or specific IP addr instead of *

Do:

rmmod ppp
modprobe mppe

(You will get some complaints from the above, but they will work.) The PPP module may have been compiled directly into the kernel, so it might not be found depending on your configure settings.

Edit /etc/sysconfig/network and change:

FORWARD_IPV4=yes

Edit /etc/rc.d/rc.local and add

/usr/local/sbin/pptpd
echo 1 > /proc/sys/net/ipv4/ip_forward

as the last lines. There are obviously cleaner, nicer ways of doing this; I will look at a script one day...

Edit /etc/modules and add

mppe

This will load the already available, already patched for MS compatibility MPPE kernel module.

Reboot.

Make sure that there is a WINS server, either on the LAN or turn on the one in SAMBA. Here are two sample simple smb.conf files. They go in /etc/samba. This one is if you have another WINS server.
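Before exposing the server, it is worth checking that the pptpd.conf and options.pptp you ended up with actually say what you meant. The script below is an added example, not part of this HOWTO or of the PoPToP project: it parses the two files in the one-directive-per-line, '#'-comment format shown above, expands pptpd's remoteip pool syntax (the single-address and last-octet-range forms used in the sample, plus comma-separated lists, which is an assumption about pptpd's syntax labelled in the code), and reports the settings a defender would want flagged. The embedded file contents are constructed from the samples above.

```python
"""Sanity-check a pptpd.conf / options.pptp pair (added example).

Not the HOWTO's or PoPToP's own code. Sample contents are constructed
from the HOWTO's own examples; the remoteip comma-list form is an
assumption about pptpd syntax and is not used by the HOWTO.
"""
import ipaddress

# Constructed samples, copied from the HOWTO's examples above.
PPTPD_CONF = """\
speed 115200
option /etc/ppp/options.pptp
localip 192.168.1.6 # the IP of the PPTP server
remoteip 192.168.1.150-160 # or the IP range that you want to use
"""

OPTIONS_PPTP = """\
lock
debug
auth
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
name pptpd
"""


def parse_directives(text):
    """Return [(keyword, [args])] for a pptpd.conf / pppd-style file,
    dropping '#' comments and blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def expand_remoteip(spec):
    """Expand a remoteip value into IPv4Address objects.

    Handles 'a.b.c.d' and 'a.b.c.d-e' (last octet d..e inclusive, as in
    the HOWTO's 192.168.1.150-160) and, as an assumption, several such
    items separated by commas."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            base, hi = item.split("-", 1)
            prefix, lo = base.rsplit(".", 1)
            for last in range(int(lo), int(hi) + 1):
                addrs.append(ipaddress.IPv4Address(f"{prefix}.{last}"))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def audit(pptpd_text, options_text):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    conf = dict(parse_directives(pptpd_text))
    words = {kw for kw, _ in parse_directives(options_text)}

    localip = ipaddress.IPv4Address(conf["localip"][0])
    pool = expand_remoteip(conf["remoteip"][0])
    if not pool:
        findings.append("remoteip pool is empty")
    if localip in pool:
        findings.append(f"localip {localip} lies inside the remoteip pool")

    # Option checks, measured against the HOWTO's stated goal of a
    # 128-bit MSCHAPv2 server.
    if "mppe-40" in words:
        findings.append("mppe-40 is enabled: a client may negotiate 40-bit "
                        "MPPE instead of 128-bit")
    if "mppe-128" not in words:
        findings.append("mppe-128 is missing: 128-bit MPPE cannot be used")
    if "+chapms-v2" not in words:
        findings.append("+chapms-v2 is missing: MSCHAPv2 clients will not "
                        "authenticate")
    if "auth" not in words:
        findings.append("'auth' is missing: the peer is not required to "
                        "authenticate")
    return findings


if __name__ == "__main__":
    for f in audit(PPTPD_CONF, OPTIONS_PPTP) or ["no findings"]:
        print(f)
```

Run against the HOWTO's own samples it reports exactly one thing: mppe-40 is still allowed, so a client can settle for 40-bit MPPE even though the build was done for 128-bit. Drop the mppe-40 line from options.pptp (and from options) if you only want 128-bit clients.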
[global]
workgroup = Gulfstream
encrypt passwords = Yes
smb passwd file = /etc/smbpasswd
password level = 8
username level = 8
socket options = TCP_NODELAY
domain logons = No
domain master = No
local master = No
os level = 10
preferred master = No
wins proxy =no
hosts allow = 10.0.0.
# logon script = logon.bat
wins server = 10.0.0.6
[homes]
comment = Home Directories
read only = No
browseable = No
This one is if the Samba server is the WINS server
[global]
workgroup = Gulfstream
encrypt passwords = Yes
smb passwd file = /etc/smbpasswd
password level = 8
username level = 8
socket options = TCP_NODELAY
domain logons = yes
domain master = yes
local master = yes
os level = 65
preferred master = yes
wins proxy = yes
wins support = yes
hosts allow = 192.168.1.
# logon script = logon.bat
name resolve order = wins hosts bcast lmhosts
[homes]
comment = Home Directories
read only = No
browseable = No
Add and enable Samba users
smbpasswd -a username
smbpasswd -e username

Set up the Windows VPN PPTP client, turn off header compression in W2000 and XP (MPPE has compression built-in), and test... For W98 clients, you need to get DUN (Dial Up Networking) 1.4 to support 128-bit encryption; it's available free from Microsoft.

Also, if you are using XP Pro on your inside desktops you can turn on the Remote Desktop server and use the Remote Desktop client that comes with XP Pro (it can also be downloaded from MS) and will work with any OS from Windows 98 on to allow you to remotely 'sit' at your Windows XP Pro desktop. To find out about this, go to the Microsoft Knowledge Base and search on 'XP Remote Desktop'. If you don't use XP Pro, you can use VNC, Timbuktu, OnCall, or other remote desktop services. Also, MS NetMeeting can enable remote desktops for Win98, ME, NT and 2000 clients; see the Microsoft Knowledge Base for details and instructions.

Remember to set up a Linux account, a SAMBA UID and password, and to make an entry in chap-secrets for each user. It's a lot simpler to test this on a LAN with local access first. Once it's going, you can enable your firewall to pass port 1723 and to enable GRE (protocol 47). And remember to change the IP address when you switch from inside to outside if you use NAT!

Good luck! Enjoy your gateway. If you find any errors, or have any questions or suggestions, please contact me. Thanks to Chris Zimman for constant help, and to Will at c0rtex.com for the smbpasswd code.

Steve Weingart / shw@gulf-stream.net / 12-12-02
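Each VPN user needs three things that are easy to get out of step: a Linux account, a Samba password entry that has been enabled with smbpasswd -e, and a chap-secrets line whose server field matches the name pppd runs with. The script below is an added example, not part of this HOWTO or of the smbpw patch; it cross-checks constructed copies of /etc/passwd, /etc/smbpasswd and chap-secrets and lists what is missing per user. The smbpasswd flag letters (U user, D disabled, N no password) are Samba's own; the treatment of a secret beginning with & as a reference to the smbpasswd file follows the HOWTO's chap-secrets sample; the hashes in the sample are dummies.

```python
"""Cross-check passwd, smbpasswd and chap-secrets for VPN users.

Added example, not the HOWTO's or Samba's code. All file contents below
are constructed; the LM/NT hashes are dummy values.
"""

# Constructed /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
george:x:501:501:George:/home/george:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/smbpasswd. Format: user:uid:LM hash:NT hash:[flags]:LCT-hex:
# Flags: U = user account, D = disabled (smbpasswd -e clears it), N = no password.
SMBPASSWD = """\
george:501:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3DF8A4C2:
alice:502:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[UD         ]:LCT-3DF8A4C2:
"""

# Constructed chap-secrets. A secret of &<file> means "look the user up
# in that smbpasswd file", as in the HOWTO's sample line for george.
CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
george pptpd &/etc/smbpasswd *
alice  pptpd s3cret 192.168.1.151
bob    pptpd &/etc/smbpasswd 192.168.1.152
carol  vpnsrv &/etc/smbpasswd *
"""


def parse_passwd(text):
    """Return the set of login names in a passwd file."""
    return {line.split(":")[0] for line in text.splitlines() if line.strip()}


def parse_smbpasswd(text):
    """Return {user: set(flag letters)} from an smbpasswd file."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        flags = fields[4].strip("[] ") if len(fields) > 4 else ""
        users[fields[0]] = set(flags)
    return users


def parse_chap_secrets(text):
    """Return [(client, server, secret, ip_or_None)], ignoring comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        client, server, secret = parts[:3]
        rows.append((client, server, secret, parts[3] if len(parts) > 3 else None))
    return rows


def check_users(passwd_text, smbpasswd_text, chap_text, server_name="pptpd"):
    """Return {client: [problems]} for every chap-secrets client.

    server_name must equal the 'name' option pppd runs with, otherwise
    pppd will not find the client's line (the HOWTO uses 'name pptpd')."""
    accounts = parse_passwd(passwd_text)
    smb = parse_smbpasswd(smbpasswd_text)
    report = {}
    for client, server, secret, ip in parse_chap_secrets(chap_text):
        problems = []
        if client not in accounts:
            problems.append("no Linux account")
        if server != server_name:
            problems.append(f"server field '{server}' does not match "
                            f"pppd name '{server_name}'")
        if client not in smb:
            problems.append("no entry in smbpasswd (run smbpasswd -a)")
        elif "D" in smb[client]:
            problems.append("Samba account disabled (run smbpasswd -e)")
        elif "N" in smb[client]:
            problems.append("Samba account has no password")
        if not secret.startswith("&"):
            problems.append("secret stored in clear in chap-secrets")
        if ip == "*":
            problems.append("note: any client IP accepted")
        report[client] = problems
    return report


if __name__ == "__main__":
    for user, problems in check_users(PASSWD, SMBPASSWD, CHAP_SECRETS).items():
        print(f"{user}: {'; '.join(problems) or 'ok'}")
```

On the constructed data george is the only user set up the way the HOWTO intends (the '*' line is just a reminder that any client address is accepted); alice has a cleartext secret and a still-disabled Samba account, bob has neither a Linux nor a Samba account, and carol's server field will never match pppd's name.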