Setting up PPTPD on Linux Kernel 2.4 HOWTO

Version 0.76, Updated 12/16/2001

Preface

I am far from an expert on this subject, but since others might benefit from my experience, I am writing this document in hopes of helping others. Anything enclosed in [ ]'s is a command the user should type in exactly, except for line breaks and except for stuff in < >'s, which will vary with each system. I assume a reasonable level of competency with Linux. I also assume you have already upgraded all the programs necessary to use the 2.4 kernel series. Consult ./Documentation/Changes in the 2.4 source tree (once you have installed it) for the minimum version numbers required and how to get updates for these packages.

This HOWTO was written and is currently maintained by Robert Spotswood. Much of this was based on the RedHat-PoPToP HOWTO, the mailing list, and personal experimentation. I'm subscribed to the mailing list, so any questions, comments, and corrections would best be addressed there. However, if you really *must* contact me personally, I'm at berzerke@swbell.net.

Disclaimer and Copyright

This document is not gospel. Nobody is responsible for what happens to your system but yourself. THE AUTHOR(S) ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.

This document is Copyright © 2001 by Robert Spotswood. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.

If you are intending to incorporate this document into a published work, please make contact (via e-mail) so that you can be supplied with the most up to date information available. In the past, out of date versions of the Linux HowTo documents have been published, which caused the developers undue grief from being plagued with questions that were already answered in the up to date versions.

1.0 Kernel compile

Download the new kernel source. You can get it at http://www.kernel.org/pub/linux/kernel/v2.4/ . You can get either the bz2 or the gz version. Once you have it downloaded, type the following commands:

If you downloaded the bz2 version:
[bunzip2 linux-2.4.8.tar.bz2]

If you downloaded the gz version:
[gunzip linux-2.4.8.tar.gz]

[cd /usr/src/]

If you have an existing directory linux here (a true directory, not a symbolic link), back up that directory if there is anything you want to keep in there.

[tar xvf linux-2.4.8.tar]

The next step may be a little controversial, but I have found it works best for me (YMMV). Because the kernels will install themselves in the linux subdirectory, it can easily trash another version you may be saving. By moving it to its own special directory, I avoid this problem. However, in compiling, some things are coded to look in the linux directory. Therefore a symlink needs to be created to get around that problem. Note that if you untar a different kernel source, it will clobber the symlink, but not the directory you moved the source to.

[mv /usr/src/linux /usr/src/linux-2.4.8]
[ln -s /usr/src/linux-2.4.8 /usr/src/linux]
[cd /usr/src/linux]

The default options in the kernel configuration for me were horrible. Therefore, I saved my configuration after I went through every option. You can grab a copy of my configuration, and use that as a starting point.
I designed mine as a transition between 2.2 and 2.4, so for anyone else upgrading, it probably will work well. The only thing you *REALLY* should check is the processor type. It is set for K6-2. Change it for your computer! You may also need to change other things (I don't have a TV card, so I didn't include support for that, for example). You can download a copy of the configuration file from http://home.swbell.net/berzerke/linux241 (permission to mirror granted and encouraged). This configuration file works for either the 2.4.1 kernel or the 2.4.4 kernel. It will also work for a 2.4.8 kernel, although some "new" features will be left out.

Note that the firewalling software has changed from the 2.2 series kernels. However, I have included the needed modules so that once loaded ([insmod ipchains]), all/most of the old ipchains firewall stuff will still work. Section 4.1 has some of the new netfilter/iptables rules.

If you want to start with your current configuration, back up your ".config" file from the /usr/src/linux directory to the /usr/src directory. Then, after installing your new kernel, do a [make mrproper]. This wipes clean all files to give you a fresh, clean kernel tree. Then copy your old .config file back to the new source tree and proceed from there.

Unlike the 2.2 series of kernels, the crypto code is in two separate patches. The other howto mentions that you must do a make kernel from the pppd source tree. My experience shows that will fail with the 2.4 series of kernels. In fact, according to the kernel docs, ppp 2.4.0 is the minimum version for 2.4 kernels. One of the patches is for the kernel, the other is for pppd. You will also need the 2.4.0 (or 2.4.1) version of pppd (but that is later).

You can download the patches (with the usual warnings about checking the legality of downloading crypto in your country) from http://mirror.binarix.com/ppp-mppe/ .
The two patches you want are linux-2.4.4-openssl-0.9.6-mppe.patch.gz (works with kernels 2.4.1 - 2.4.8 too) and ppp-2.4.1-openssl-0.9.6-mppe.patch.gz (this is for pppd, later). Another source for the patches is http://www.advancevpn.com/en/download_other.html .

Apply the kernel patch:

[zcat linux-2.4.4-openssl-0.9.6-mppe.patch.gz | patch -p1]

Now configure your kernel. If in X, from a terminal [cd /usr/src/linux], [make xconfig] and load the configuration file you downloaded earlier. Configure the kernel as needed. If not in X, [cd /usr/src/linux], [make menuconfig] and load the configuration file you downloaded earlier. Configure the kernel as needed.

[make dep clean bzImage modules modules_install]
(Go do something for awhile...)
[/sbin/depmod -a]

This last command in essence instructs the kernel to load the modules in a set order.

Copy the new kernel image (for i386 systems the full path to the new image will be /usr/src/linux/arch/i386/boot/bzImage) to /boot. Update your boot loader (if using lilo, don't forget to run lilo -v!), and reboot.

1.1 Upgrading from 2.4.2 to 2.4.4 and beyond

If you have used a previous version of this howto (for the 2.4.1 or 2.4.2 kernel), you do not have to repeat all the steps to upgrade to the 2.4.4 kernel (or higher). There have been problems with kernels between 2.4.9 and 2.4.15, so I don't recommend these. So far, 2.4.16 seems to be stable for me.

Instead of re-downloading the entire source code, download the patch file instead (either patch-2.4.x.bz2 or patch-2.4.x.gz). Note that if you are patching, you should apply each patch in turn. For example, if upgrading from 2.4.1, then first apply the patch for 2.4.2, then 2.4.3, then 2.4.4. For 2.4.2, apply the 2.4.3 patch, then the 2.4.4 patch, etc. The steps to apply each patch are the same, except for the patch name. You do not have to recompile between patches. You also might want to rename the linux source directory to reflect the new kernel number.
Apply the patch:

If you downloaded the bz2 version:
[bunzip2 patch-2.4..tar.bz2]

If you downloaded the gz version:
[gunzip patch-2.4..tar.gz]

[cd /usr/src/linux]
[patch -p1 < patch-2.4.]

There is no need to reapply the openssl patch or do another kernel configuration (unless you want to change something). However, you must recompile.

[make dep clean bzImage modules modules_install]
(Go do something for awhile...)

Note if you get an error, other than a signal 11, run the above command again. It should compile fine then. If you're making multiple jumps, it might take a few tries.

Install the new kernel image, update your boot loader (if using lilo, don't forget to run lilo -v!), and reboot.

Note that if you jump more than one patch level between compiles, you will probably get an error. Simply do the make command again and things should compile fine.

2.0 PPP compile

Start by grabbing yourself a clean copy of pppd. Do not use an RPM. One place to obtain it is: ftp://cs.anu.edu.au/pub/software/ppp/ . Another is http://www.advancevpn.com/en/download_other.html .

[cd /usr/src]
[tar zxvf ppp-2.4.1.tar.gz]
[cd ppp-2.4.1]

The following patch should have been downloaded earlier:

[zcat ppp-2.4.1-openssl-0.9.6-mppe.patch.gz | patch -p1]
[./configure]
[make]
[make install]

3.0 PPTPD compile

Download the pptpd source. According to the website, 1.0.1 is the stable version and 1.1.2 is the development version. I'm using 1.1.2 with no problems, and from the mailing list, I haven't seen any complaints about 1.1.2 but I have with 1.0.1. Which version you get is up to you. One place to download the source is: http://PoPToP.lineo.com/download_pptp.html . In the following instructions, I'll assume you went with the 1.1.2 version.

[cd /usr/src]
[tar zxvf pptpd-1.1.2.tar.gz]
[cd /usr/src/pptpd-1.1.2]
[./configure]
[make]
[make install]

4.0 Config files

Now you need to set up the configuration files /etc/modules.conf, /etc/pptpd.conf, /etc/ppp/options.pptpd, and /etc/ppp/chap-secrets.
Add the following lines to your modules.conf:

[alias char-major-108 ppp_generic]
[alias tty-ldisc-3 ppp_async]
[alias tty-ldisc-14 ppp_synctty]
[alias ppp-compress-18 ppp_mppe]
[alias ppp-compress-21 bsd_comp]
[alias ppp-compress-24 ppp_deflate]
[alias ppp-compress-26 ppp_deflate]

Run [depmod -a] at a command prompt after you make any changes to modules.conf. This eliminates the error message, "Note: /etc/modules.conf is more recent than /lib/modules/2.4.x/modules.dep".

Create a file /etc/ppp/options.pptpd, and make sure /etc/ppp/options.pptpd has at least the following lines:

[name *]
[lock]
[noauth]
[proxyarp]
[+chap]
[+chapms-v2]
[mppe-40 #comment this out if you don't want to support 40 bit encryption, but see 5.23 first]
[mppe-128]
[mppe-stateless]

If you are using W2k clients, your options file should look like this:

[name *]
[lock]
[mtu 1490]
[mru 1490]
[proxyarp]
[auth]
[+chap]
#[+chapms] #This one is optional and may be omitted.
[+chapms-v2]
[ipcp-accept-local]
[ipcp-accept-remote]
[lcp-echo-failure 3]
[lcp-echo-interval 5]
[deflate 0]
[mppe-128]
[mppe-40]
[mppe-stateless]

The above option file works with Win95 clients too, so if in doubt, use the above options file. If the above option file still does not work with W2K clients, add the lines:

[nodeflate]
[nobsdcomp]

If that does not work, remove the [deflate 0] line. Caution: This has not been tested with both Win9x and W2K clients. You may want to add the line [debug] too, but this is optional.

For /etc/pptpd.conf, unless you already have such a file, copy the sample file that came with pptpd.

[cp /usr/src/pptpd-1.1.2/samples/pptpd.conf /etc/]

You must edit the localip and remoteip lines. This is highly individual, but instructions are included in the configuration file. You may also want to uncomment the debug line as well. Also, uncomment the option line and make sure it reads:

[option /etc/ppp/options.pptpd]

Make sure /etc/ppp/options is blank.
If you have any options in this file, they are always read and may interfere with pptpd. This is good advice for all your ppp work. Don't populate the /etc/ppp/options file. Always specify everything required in its own options file, e.g.

/etc/ppp/options.dialinuser
/etc/ppp/options.pptpd
/etc/ppp/options.dialout
/etc/ppp/options.anotherspecialsetup

The final configuration file is /etc/ppp/chap-secrets. The general format is:

username * password *

Add the appropriate usernames and passwords. Note that the usernames and passwords are only to log into pptpd. They are not used for Linux or SAMBA authentication.

Also, Windows clients have a bad habit of appending the first domain name ever used to the username. Thus, even though a client might enter robert as the username, what actually gets sent could be (for example) MyDomain\\robert. The one way to fix this is to use the debug logs to look for the actual name sent, and add the actual name in chap-secrets. This also means if the client uses a different computer, the same username and password he (or she) has been using could stop working.

There is also a patch to strip the domain names and a separate patch to allow the use of your samba password database rather than chap-secrets. See http://home.swbell.net/berzerke/pppsmb2.4.patch for the second patch. This patch includes the blank password fix. You must add the line [chapms-strip-domain] to your pppd options file. See also section 5.35.

If you wish to assign the person connecting a fixed IP address, rather than one from the pool you set up in pptpd.conf, replace the last star with the remote IP address.
For example, if 192.168.1.4 is in the remote address pool (what gets assigned to the client), and you always wish to assign it to the user robert, the line in chap-secrets would be:

robert * 192.168.1.4

I don't recommend this because if you do this, and someone else connects and gets 192.168.1.4, and robert then connects, the route to the first person will be replaced by the route to robert. This means the first person is cut off. There are three ways around this problem. First, don't assign IP numbers. Second, assign everyone their own IP number. Finally, don't put the assigned IP numbers in the pool for pptpd to hand out. They must still be available though.

The last thing to do is to start pptpd.

[/usr/local/sbin/pptpd -d]

You may want to put this command somewhere in your startup scripts.

4.1 Netfilter/Iptables rules

The 2.4 series kernel introduced new firewalling code. The above configuration file (see section 1.0) includes the new code. Netfilter is the new packet filter/mangler, and iptables is the tool used to manipulate netfilter. The following assumes you have iptables already installed (current version is 1.2, use your favorite installation method).

Note that these rules are for a pptpd server that is not being masqueraded, although I believe they would work for a client not being masqueraded too, but this hasn't been tested. Hopefully, the masquerading rules for pptp will be added soon (as soon as I figure out how; I've got regular masquerading working, but have not tried pptp masquerading).

These rules are not a complete firewall, and while fully functional, may still have security holes. I assume that the default filter table policies are drop, and the nat table policies are accept. Let me know if you can improve them. Note I use constants in my scripts to make customizations easy:

[echo "Setting up firewall....."]
[#Define some constants - change for your network!]
[LOCALNETWORK="192.168.1.0/24"]
[INTINT="eth1" #The internal interface]
[EXTINT="eth0" #The external interface]
[LOOPBACK="127.0.0.0/8" #Assumed value; used by the loopback rules below]
[PUBLICPORTS="1024:65535" #Assumed value (unprivileged source ports); used by the port 1723 rule]
[# Activate the forwarding!]
[echo 1 >/proc/sys/net/ipv4/ip_forward]
[# Insert the required kernel modules]
[modprobe iptable_nat]
[modprobe ip_conntrack]
[modprobe ip_conntrack_ftp]

You may already have something similar to this. In which case use the one you prefer.

[#=============================================]
[# Flush the old rules and set default policies]
[#=============================================]
[echo "Setting defaults"]
[/sbin/iptables -F]
[/sbin/iptables -t nat -F]
[/sbin/iptables -P INPUT DROP]
[/sbin/iptables -P OUTPUT DROP]
[/sbin/iptables -P FORWARD DROP]
[/sbin/iptables -t nat -P POSTROUTING ACCEPT]
[/sbin/iptables -t nat -P PREROUTING ACCEPT]
[/sbin/iptables -t nat -P OUTPUT ACCEPT]
[#Loopback interface is valid]
[/sbin/iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT]
[#Yes, I know lo looks strange, but otherwise there are problems.]
[#Some local network traffic does pass through lo rather than]
[#the internal interface.]
[/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A INPUT -i lo -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT]
[echo "Loopback setup"]
[#Allow unlimited LAN traffic]
[/sbin/iptables -A INPUT -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT]
[#This next allows local broadcasts from this machine.]
[/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \]
[ -j ACCEPT]
[/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT]
[echo "LAN traffic allowed"]
[#Allow forwarding from inside to out and vice versa]
[/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT]
[#Allow pptpd connections (port 1723)]
[/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \]
[ --sport $PUBLICPORTS --dport 1723 -j ACCEPT]
[/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT]
[/sbin/iptables -A INPUT -i ppp+ \]
[ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[/sbin/iptables -A OUTPUT -o ppp+ \]
[ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT]
[echo "PPTPD allowed"]

A complete *SAMPLE* iptables script, including pptpd support, can be found at http://home.swbell.net/berzerke .

4.2 Setting up the clients

This section was ripped from the RedHat-PoPToP HOWTO by Mike Barsalou. Thanks Mike.

Note that the Win95 routine is similar but requires Dial Up Networking Update 1.3, and both Win95 and Win98 need the vpnupdate (free from Microsoft) to be installed first. You're going to have to hunt around a little for these files as they keep moving. However, here are a couple of places to try first:

Windows 95: http://www.microsoft.com/windows95/downloads
Windows 98: http://www.microsoft.com/windows98/downloads/corporate.asp

1a. For Win95 machines install the DUN 1.3.
1b. For Win98 machines use the add-remove programs tool to uninstall the VPN software. Some of the OEMs don't install this properly. Re-install it using the add-remove programs tool. Go to windows setup (tab), select communications and press the details button. Scroll down and check the VPN support.
2. Install the vpnupdate for your particular machine (win95/98 not 98SE).
take a little nap here...

Once your machine is back:

1. Go to dial-up networking (usually start->programs->Accessories->communications->Dial-up Networking) YMMV
2. Click make new connection.
3. Name the connection whatever you'd like.
4. Select Microsoft VPN adapter as the device.
5. Click next.
6. Type in the ip address or hostname of your pptp server.
7. Click next.
8. Click finish.
9. Right-click on the intranet icon.
10. Select properties.
11. Choose server types.
12. Check require encrypted password. It is also recommended that you check require data encryption. Without the data encryption, your Virtual Private Network becomes a Virtual Public Network.
13. Uncheck netbeui, ipx/spx compatible.
14. Click tcp/ip settings.
15. Turn off use IP header compression (may not be necessary).
16. Turn off use default gw on remote network.
17. Click ok.
18. Start that connection.
19. Type in your username and pw (yadda, yadda, yadda).
20. Once it finishes its connection you're up. You will probably only have 40 bit data encryption. See section 5.2 for how to get 128 bit encryption.

5.0 Troubleshooting

5.1 Q: How do I know if my users are connecting at 40 bits or 128 bits?

A: Look for a line in the logs that reads either:

MPPE 40 bit, stateless compression enabled

or

MPPE 128 bit, stateless compression enabled

What you see is what you get.

5.2 Q: I'm connecting at only 40 bits. How do I connect at 128 bits?

A: This is probably a client (Windows) problem. The key file for Windows 95/98 is pppmac.vxd, located in c:\windows\system. The easiest way to upgrade this properly is to get the DUN 1.4 update from Microsoft.
As of 07/10/2001, the URLs are:

Win 95 (all versions): http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe
Win 98 First Edition: http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe
Win 98 Second Edition: http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe

If the above URLs don't work, try here: http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP

For W2K clients, get the high encryption pack from Microsoft.

5.3 Q: When someone tries to connect, my system logs show something like:

Feb 17 15:03 linux pppd[3305]: Peer is not authorized to use remote address 212.31.242.99
Feb 17 15:03 linux pppd[3305]: ipcp: down
Feb 17 15:03 linus pppd[3305]: sent [IPCP TermReq id=0x3 "Unauthorized remote IP address"]

A: This message *can* appear if you don't have the noauth line in your /etc/ppp/options.pptpd file. Without this line, ppp will require the pptp server to authenticate itself. I was unable to reproduce this error with the setup described in this HOWTO.

5.4 Q: I'm having trouble getting pppd 2.3.X to work. I'm using a 2.4 series kernel.

A: The minimum version of pppd you should be using with the 2.4.x series kernels is 2.4.0. Don't try to use the ppp 2.3 series.

5.5 Q: The client can't connect to port 1723.

A: Is pptpd running? [ps ax |grep pptpd] should show if it is running or not.

A: Is another program using port 1723? [netstat --inet -a -n -p | grep 1723] should show which program, if any, is using port 1723.

A: Some providers (AT&T and @home have been reported so far) do not pass port 1723 or filter GRE packets (which are necessary for pptp). Supposedly it is to cut down on bandwidth. If possible, try connecting over a lan and see if that works. You also may want to re-read your subscriber agreement. You could try doing a traceroute to port 1723 and see if that gets through. The command is traceroute -p 1723 .

A: Is a firewall blocking it, either at the client or server end?
For those using iptables, the commands to check ALL your firewall rules are:

[iptables -t filter -L -n]
[iptables -t mangle -L -n]
[iptables -t nat -L -n]

5.6.1 Q: Windows is giving me an error 645.

A: Try uninstalling the VPN component under Communications, and reinstall it.

5.6.2 Q: Windows is giving me an error 650.

A: This can be caused by port 1723 being blocked somewhere along the path or IP protocol 47 (GRE) being blocked (or both). Some providers (AT&T and @home have been reported so far) do not pass port 1723 or filter GRE packets (which are necessary for pptp). Supposedly it is to cut down on bandwidth. If possible, try connecting over a lan and see if that works. You also may want to re-read your subscriber agreement. You could try doing a traceroute to port 1723 and see if that gets through. The command is traceroute -p 1723 .

Another reason this error happens is that the public card (connection to internet) has to be listed first when you look at your adapters in the properties of My Network Places. MS admits that this seems to only affect W98 clients when using W2K PPTPD servers. It is currently unknown if it also has an impact on Linux PPTPD servers.

5.6.3 Q: Windows is giving me an error 53.

A: See question 5.11

5.6.4 Q: Windows is giving me error 619.

A: Check that you have pty support compiled into your kernel.

5.6.5 Q: Windows NT is giving me error 742.

A: Upgrade to at least service pack 5. Service pack 6a is recommended. Also, disable other protocols like NetBeui and IPX.

5.7 Q: Do I have to use multiple local IP numbers?

A: No. One is all you need. However, you do need multiple remote IP numbers if you want more than one client connecting at a time. You need one remote IP number for each simultaneous connection.

5.8 Q: Do the local and remote IP numbers have to be on the same subnet?

A: No, but the setup is a pain, especially if you are also running a firewall. I don't recommend trying this unless you *must*.
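The two log checks described earlier, finding the username a Windows client actually sends (section 4.0, chap-secrets) and telling 40 bit from 128 bit MPPE sessions (section 5.1), can be done in one pass over the pppd debug log. The script below is an added example, not part of the original HOWTO. Its sample log lines are constructed, and it assumes pppd's debug output prints the peer name as name = "..." on its CHAP Response line.

```shell
#!/bin/sh
# Added example: summarise pptpd sessions from pppd debug/syslog output.

# Constructed sample log (hostnames, PIDs, names and hex values are made up).
sample_log() {
cat <<'EOF'
Mar  4 20:50:01 foo pppd[2719]: rcvd [CHAP Response id=0x1 <0a1b2c>, name = "MyDomain\\robert"]
Mar  4 20:50:02 foo pppd[2719]: MPPE 40 bit, stateless compression enabled
Mar  4 20:55:10 foo pppd[2801]: rcvd [CHAP Response id=0x1 <3d4e5f>, name = "alice"]
Mar  4 20:55:11 foo pppd[2801]: MPPE 128 bit, stateless compression enabled
Mar  4 21:02:40 foo pppd[2850]: rcvd [CHAP Response id=0x1 <778899>, name = "bob"]
Mar  4 21:02:41 foo pppd[2850]: Protocol-Reject for unsupported protocol 0x94e9
EOF
}

# session_report LOGFILE
# Prints one line per pppd process: pid <TAB> name as sent <TAB> MPPE bits.
# "?" means no CHAP Response was logged; "none" means no MPPE line was logged.
session_report() {
    awk '
    match($0, /pppd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        # Peer name exactly as the client sent it (domain prefix included).
        if (match($0, /name = "[^"]*"/))
            name[pid] = substr($0, RSTART + 8, RLENGTH - 9)
        # Negotiated MPPE key length, from the line quoted in section 5.1.
        if (match($0, /MPPE [0-9]+ bit/)) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            bits[pid] = f[2]
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s\t%s\t%s\n", p, ((p in name) ? name[p] : "?"), ((p in bits) ? bits[p] : "none")
        }
    }' "$1"
}

# weak_sessions LOGFILE
# Sessions that did not come up with 128 bit MPPE (40 bit, or no MPPE at all).
weak_sessions() {
    session_report "$1" | awk -F '\t' '$3 != "128"'
}

# names_sent LOGFILE
# Distinct usernames as received, i.e. the strings chap-secrets has to match.
names_sent() {
    session_report "$1" | cut -f2 | grep -v '^?$' | sort -u
}

demo() {
    log=$(mktemp) || return 1
    sample_log > "$log"
    echo "pid / name as sent / MPPE bits:"
    session_report "$log"
    echo "sessions without 128 bit MPPE:"
    weak_sessions "$log"
    rm -f "$log"
}
demo
```

Against a real server, pass the file your syslog writes pppd messages to (for example /var/log/messages) with the [debug] option enabled.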
5.9 Q: My clients get 2 DNS servers when they connect to the internet. I assign them 2 additional ones for the VPN. How come when I do a winipcfg, my 2 DNS servers show last?

A: This is normal. From tests others have done, it does *appear* as if the two servers you assigned are consulted first.

5.10 Q: Browsing doesn't work. How do I fix it?

A: First, can you ping other computers? If not, then there is a connectivity problem (at least). Resolve this and try again.

A: Updating network neighborhood to the point where a PPTPD client can see the other computer can take 30-60 seconds (I've seen a couple of minutes). Be patient and try again.

A: Are you using a wins server? Broadcasts generally don't pass routers (a ppp interface counts). Browsing is generally done either via Wins, or broadcasts. It is possible to use the hosts and lmhosts files as a substitute for a wins server. Most people report fewer troubles when the pptpd server is also a wins server.

A: If you are using a Samba wins server, is the "guest account" in your smb.conf set to an actual valid account? The IPC$ connection that lists the shares is done as guest, and will fail without a valid guest account.

A: If you are using an MS wins server, it requires a re-registration at least every 90 days. Since linux is so stable, it is quite possible to run longer than 90 days without rebooting (or at least restarting Samba). Be sure and restart Samba at least every 89 days. This browsing problem should only affect Samba computers. Once you pass the 90 days, you may have to restart the MS machine too to clear things up, and even that may not work (conflicting reports here).

A: Are *ANY* of the clients running more than one protocol? From the Samba docs: "Every NetBIOS machine take part in a process of electing the LMB [Local Master Browser] (and DMB [Domain Master Browser]) every 15 minutes...The election process is "fought out" so to speak over every NetBIOS network interface.
In the case of a Windows 9x machine that has both TCP/IP and IPX installed and has NetBIOS enabled over both protocols the election will be decided over both protocols. As often happens, if the Windows 9x machine is the only one with both protocols then the LMB may be won on the NetBIOS interface over the IPX protocol. Samba will then lose the LMB role as Windows 9x will insist it knows who the LMB is. Samba will then cease to function as an LMB and thus browse list operation on all TCP/IP only machines will fail."

A: If running Samba, and only one machine isn't accessible (to pptpd clients), look in the wins.dat file. Generally it is in /var/lock/samba. See if the computer is actually listed. If not, restart the computer (or Samba). Samba seems only to register itself once (when starting). If the wins server is not available at that time, you will not be able to access that machine via wins until you restart Samba.

A: Try using the "net use" and "net view" commands from the windows client. Just because you can't see something in network neighborhood doesn't mean it isn't on the network. In fact, they are much more reliable than browsing. I've also found mapping a drive with the net use command tends to make things appear in network neighborhood. YMMV.

A: Windows 9x and Me suffer from memory fragmentation issues that can require rebooting in order to make PPP or PPTP work again. This is something to try especially when you have connected before successfully.

5.11 Q: I can browse the server's shares, but no other computers. What am I missing?

A: There are several things to check. Do you have proxyarp in your ppp/options? Make sure that there is an entry in the /var/log/messages, when the link is brought up, that says something like: Feb 2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp file? If not, you won't see past the pptpd server.

Second, check your firewall rules and make sure the packets are getting forwarded from the ppp interface to the lan.
Sometimes, over a pptp connection, it takes a few minutes to update the browse lists. Be patient. Manually mapping a drive seems to speed this up considerably.

Finally, try the [net view \\] command. You normally can substitute the ip address of the computer. If when substituting the ip address, you get an error 53, then there is a problem with reaching or with the Wins server. I've found from experience, if there are only a couple of servers whose ip addresses don't change, try using an lmhosts file. Note that if you use an lmhosts file, don't try the net view command with an ip address. Use the computer's name. This is because MS decided that an ip address is first treated as a name, and will try to do a lookup. That will fail, and you'll get an error 53 message.

5.12 Q: Every time the last PPTP session closes, pptpd exits. As long as there is an active session, it runs fine. How do I fix this?

A: This problem has been reported with pptpd version 1.0.1. Some have reported that upgrading to 1.1.2 (or better) fixed the problem.

5.13 Q: I can get the PPTP connection to work fine, but can not get encryption to work. What is wrong?

A: It has been reported that changing PPP from being built into the kernel to being a loadable module has fixed the problem. The configuration file listed in the earlier instructions does build PPP as a loadable module.

5.14 Q: I'm unable to send packets. My debug logs have something like:

Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for unsupported protocol 0x94e9

A: You must add the line [mppe-stateless] (without the [ ]'s) to your /etc/ppp/options.pptpd file.

5.15 Q: I've tried downloading the patches with Netscape and I get all kinds of errors.

A: Netscape is known to mangle patches, especially non-zipped patches. Use something else like wget or lynx. If you have KDE, Konqueror doesn't give me any problems either.

5.16 Q: I'm getting errors indicating that ppp support hasn't been compiled into the kernel even though it is.
How do I fix it?

A: Use the following commands:

[mknod /dev/ppp c 108 0]
[chmod 600 /dev/ppp]

5.17 Q: How come the ppp connection formed by pptp shows a netmask of 255.255.255.255? Isn't this an error?

A: Your ppp* device should have that netmask (255.255.255.255). This is normal when you have a ppp virtual device that has another device (eth*) answer arp requests on behalf of the remote pptp clients ip address. i.e. proxyarp. You are using the proxyarp option, aren't you?

5.18 Q: When I connect to the pptpd server, the client's internet connection goes over the pptp connection and not over its usual connection. How do I fix this?

A: In the client configuration, under TCP settings, there is a check box use default gateway on remote network. Uncheck that.

5.19 Q: How can I disconnect an idle user automatically?

A: In ppp options file, add the line: [idle