Version 0.78, Updated January 21, 2002 - Still an incomplete translation from text to HTML, but mostly usable.
I am far from an expert on this subject, but since others might benefit from my experience, I am writing this document in the hope of helping them. Anything shown as a command (coloured in the HTML version) should be typed in exactly, except for text in [ ]'s, which will vary with each system. For the latter, substitute whatever is appropriate for your system. Note that if you want to download this for offline reading (which is fine with me), you will need the style sheet in the same directory to get the proper formatting. Here is the style sheet. Right click and select save as.
I assume a reasonable level of competency with Linux. I also assume you have already upgraded all the programs necessary to use the 2.4 kernel series. Consult ./Documentation/Changes in the 2.4 source tree (once you have installed it) for the minimum version numbers required and how to get updates for these packages. If you're using a distribution that comes with a 2.4 kernel, you should be ready to go.
This HOWTO was written and is currently maintained by Robert Spotswood. Much of this was based on the RedHat-PoPToP HOWTO, the mailing list, and personal experimentation. I'm subscribed to the mailing list, so any questions, comments, and corrections would best be addressed there. However, if you really *must* contact me personally, I'm at berzerke at swbell dot net. (Assemble the message manually. Damn Spammers.)
Disclaimer and Copyright
This document is not gospel. Nobody is responsible for what happens to your system but yourself. THE AUTHOR(S) ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.
This document is Copyright © 2001 by Robert Spotswood. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License" and is available at www.fsf.org/licenses/fdl.html.
Download the new kernel source. You can get it at www.kernel.org/pub/linux/kernel/v2.4/ . You can get either the bz2 or the gz version. I prefer the bz2 because it saves bandwidth. I'm assuming with these directions that you have chosen the 2.4.8 version. I do not recommend using versions 2.4.11-2.4.15. So far, 2.4.16 seems to be ok. Once you have it downloaded, type the following commands:
If you downloaded the bz2 version: bunzip2 [path to source]linux-2.4.8.tar.bz2
If you downloaded the gz version: gunzip [path to source]linux-2.4.8.tar.gz
cd /usr/src/
If you have an existing directory linux here (a true directory, not a symbolic link), back up that directory if there is anything you want to keep in there before the next command.
tar xvf [path to source]linux-2.4.8.tar
The next step may be a little controversial, but I have found it works best for me (Your Mileage May Vary - YMMV). Because each kernel source tarball unpacks into the linux subdirectory, it can easily trash another version you may be saving. By moving the tree to its own directory, I avoid this problem. However, some things are coded to look in the linux directory when compiling, so a symlink is needed to get around that. Note that if you untar a different kernel source, it will clobber the symlink, but not the directory you moved the source to.
mv /usr/src/linux /usr/src/linux-2.4.8
ln -s /usr/src/linux-2.4.8 /usr/src/linux
cd /usr/src/linux
The default options in the kernel configuration for me were horrible. Therefore, I saved my configuration after I went through every option. You can grab a copy of my configuration, and use that as a starting point. I designed mine as a transition between 2.2 and 2.4, so for anyone else upgrading, it probably will work well. The only thing you *REALLY* should check is the processor type. It is set for K6-2. Change it for your computer!
You may also need to change other things (I don't have a TV card, so I didn't include support for that for example.) You can download a copy of the configuration file from http://home.swbell.net/berzerke/linux241 (permission to mirror granted and encouraged). This configuration file works for any 2.4 kernel other than 2.4.0, although some "new" features will be left out.
Note that the firewalling software has changed from 2.2 series kernels. However, I have included the needed modules so that once loaded (insmod ipchains), all/most of the old ipchains firewall stuff will still work. Section 4.1*** has some of the new netfilter/iptables rules.
If you want to start with your current configuration, copy the ".config" file from your /usr/src/linux[kernel number] directory to the /usr/src directory. Then, after installing your new kernel source, do a make mrproper. This wipes clean all generated files to give you a fresh kernel tree. Then copy your old .config file back into the new source tree, run make [your choice of config programs] and proceed from there.
Unlike the 2.2 series of kernels, the crypto code is in two separate patches. The other howto mentions that you must do a make kernel from the pppd source tree. My experience shows that will fail with the 2.4 series of kernels. In fact, according to the kernel docs, ppp 2.4.0 is the minimum version for 2.4 kernels. One of the patches is for the kernel, the other is for pppd. You will also need the 2.4.0 (or 2.4.1) version of pppd (but that is later). You can download the patches (with the usual warnings about checking the legality of downloading crypto in your country) from mirror.binarix.com/ppp-mppe/ or www.advancevpn.com/en/download_other.html . The two patches you want are linux-2.4.4-openssl-0.9.6-mppe.patch.gz (works with kernels 2.4.1 - 2.4.8 and up too) and ppp-2.4.1-openssl-0.9.6-mppe.patch.gz (this is for pppd, later).
Apply the kernel patch:
zcat [path to kernel patch]linux-2.4.4-openssl-0.9.6-mppe.patch.gz | patch -p1
Now configure your kernel. If in X, from a terminal cd /usr/src/linux, then make xconfig and load the configuration file you downloaded earlier. Make changes to the configuration as needed.
If not in X, cd /usr/src/linux, then make menuconfig and load the configuration file you downloaded earlier. Make changes to the configuration as needed.
make dep clean bzImage modules modules_install
Go do something else for awhile...
/sbin/depmod -a
This command builds the module dependency list so that modprobe can load the modules in the correct order.
Copy the new kernel image (for i386 systems the full path to the new image will be /usr/src/linux/arch/i386/boot/bzImage) to /boot. Update your boot loader (if using lilo, don't forget to run lilo -v!), and reboot.
2.1 Upgrading from 2.4.2 to 2.4.4 and beyond
If you're starting with a fresh install of pptpd, you can skip this section.
If you have used a previous version of this howto (for the 2.4.1, 2.4.2, or 2.4.4 kernel), you do not have to repeat all the steps to upgrade to the 2.4.4 kernel (or higher). There have been problems with kernels between 2.4.9 and 2.4.15, so I don't recommend these. So far, 2.4.16 seems to be stable for me.
Instead of re-downloading the entire source code, download the patch file instead (either patch-2.4.x.bz2 or patch-2.4.x.gz). Note that if you are patching, you should apply each patch in turn. For example, if upgrading from 2.4.1, then first apply the patch for 2.4.2, then 2.4.3, then 2.4.4. For 2.4.2, apply the 2.4.3 patch, then the 2.4.4 patch, etc. The steps to apply each patch are the same, except for the patch name. You do not have to recompile between patches. You also might want to rename the linux source directory to reflect the new kernel number.
Apply the patch(es):
If you downloaded the bz2 version:
bunzip2 [path to source]patch-2.4.[patch number].bz2
If you downloaded the gz version:
gunzip [path to source]patch-2.4.[patch number].gz
Repeat as needed.
cd /usr/src/linux
patch -p1 < [path to patch]patch-2.4.[patch number]
There is no need to reapply the openssl patch or do another kernel configuration (unless you want to change something). However, you must recompile.
make dep clean bzImage modules modules_install
Go do something else for awhile...
Note that if you jump more than one patch level between compiles, you will probably get an error. If you get an error other than a signal 11, simply run the above command again. It should compile fine then. If you're making multiple jumps, it might take a few tries.
Copy the new kernel image (for i386 systems the full path to the new image will be /usr/src/linux/arch/i386/boot/bzImage) to /boot. Update your boot loader (if using lilo, don't forget to run lilo -v!), and reboot.
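The patch chain described above (2.4.1 to 2.4.2 to 2.4.3 to 2.4.4, each applied in turn, never skipping a level) can be scripted. The following is an added example and not part of this HOWTO; it assumes the patches are named patch-2.4.[n].bz2 or patch-2.4.[n].gz in the directory $PATCHDIR and that the unpacked tree is in $SRCDIR. Each patch is dry-run first, so a patch for the wrong starting version fails before the tree is left half-modified.

```shell
#!/bin/sh
# Added example, not from the HOWTO: apply incremental kernel patches in
# order (2.4.1 -> 2.4.2 -> 2.4.3 -> ...), as the section above requires.
# Assumptions (mine): patches are named patch-2.4.<n>.bz2 or patch-2.4.<n>.gz
# and live in $PATCHDIR; the unpacked source tree is $SRCDIR.
PATCHDIR=${PATCHDIR:-.}
SRCDIR=${SRCDIR:-/usr/src/linux}

# Print, one per line, the minor numbers of the patches needed to go from
# 2.4.$1 to 2.4.$2 (e.g. "1 4" -> 2, 3, 4).
patch_sequence() {
    n=$(( $1 + 1 ))
    while [ "$n" -le "$2" ]; do
        echo "$n"
        n=$((n + 1))
    done
}

# Make sure patch-2.4.$1 exists uncompressed in $PATCHDIR and print its path.
uncompress_patch() {
    p="$PATCHDIR/patch-2.4.$1"
    if [ -f "$p" ]; then
        :                                  # already plain text
    elif [ -f "$p.bz2" ]; then
        bunzip2 "$p.bz2" || return 1
    elif [ -f "$p.gz" ]; then
        gunzip "$p.gz" || return 1
    else
        echo "no patch-2.4.$1(.bz2|.gz) in $PATCHDIR" >&2
        return 1
    fi
    printf '%s\n' "$p"
}

# Apply every patch from 2.4.$1 to 2.4.$2, one after the other.  The dry
# run comes first so that a patch for the wrong starting version fails
# before anything in the tree is modified.  -f stops patch from asking
# questions (it assumes the patch is not reversed), -s keeps it quiet.
apply_patch_chain() {
    for n in $(patch_sequence "$1" "$2"); do
        p=$(uncompress_patch "$n") || return 1
        if ! (cd "$SRCDIR" && patch -p1 -s -f --dry-run < "$p"); then
            echo "patch-2.4.$n does not apply; is $SRCDIR really 2.4.$((n - 1))?" >&2
            return 1
        fi
        (cd "$SRCDIR" && patch -p1 -s -f < "$p") || return 1
        echo "applied patch-2.4.$n"
    done
}

# Usage: PATCHDIR=/tmp/patches SRCDIR=/usr/src/linux sh kpatch.sh 1 4
if [ "$#" -eq 2 ]; then
    apply_patch_chain "$1" "$2"
fi
```

After the chain has been applied you still have to recompile (make dep clean bzImage modules modules_install) exactly as described above; the script only takes care of the ordering and the dry-run check.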
Start by grabbing yourself a clean copy of pppd. Do not use an RPM. One place to obtain it is ftp://cs.anu.edu.au/pub/software/ppp/ and another is http://www.advancevpn.com/en/download_other.html.
cd /usr/src
tar zxvf [path to ppp source]ppp-2.4.1.tar.gz
cd ppp-2.4.1
The following patch should have been downloaded earlier. If not, see 2.0 Kernel compile.
zcat [path to ppp patch]ppp-2.4.1-openssl-0.9.6-mppe.patch.gz | patch -p1
./configure
make
make install
Download the pptpd source. According to the website, 1.0.1 is the stable version and 1.1.2 is the development version. I'm using 1.1.2 with no problems, and from the mailing list I haven't seen any complaints about 1.1.2, but I have about 1.0.1. Which version you get is up to you, but I recommend 1.1.2.
Two places to download the source are PoPToP.lineo.com/download_pptp.html or http://www.poptop.de/poptop/. In the following instructions, I'll assume you went with the 1.1.2 version.
cd /usr/src
tar zxvf [path to source]pptpd-1.1.2.tar.gz
cd /usr/src/pptpd-1.1.2
./configure
make
make install
Now you need to set up the configuration files /etc/modules.conf, /etc/pptpd.conf, /etc/ppp/options.pptpd, and /etc/ppp/chap-secrets. Add the following lines to your modules.conf:
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
Run depmod -a at a command prompt after you make the changes to modules.conf. This eliminates the error message "Note: /etc/modules.conf is more recent than /lib/modules/2.4.x/modules.dep".
Create a file /etc/ppp/options.pptpd, and make sure /etc/ppp/options.pptpd has at least the following lines:
name *
lock
noauth
proxyarp
+chap
+chapms-v2
mppe-40 #comment this out if you don't want to support 40 bit encryption, but see 5.23*** first
mppe-128
mppe-stateless
If you are using W2k clients, your options file should look like this:
name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
#+chapms #This one is optional and may be omitted.
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless
The above option file works with Win95 clients too, so if in doubt, use the above options file.
If the above option file still does not work with W2K clients, add the lines:
nodeflate
nobsdcomp
If that does not work, remove the line
deflate 0
Caution: This has not been tested with both Win9x and W2K clients. You may want to add the line
debug
too, but this is optional and may reduce your pptp throughput.
For /etc/pptpd.conf, unless you already have such a file, copy the sample file that came with pptpd.
cp /usr/src/pptpd-1.1.2/samples/pptpd.conf /etc/
You must edit the localip and remoteip lines. This is highly individual, but instructions are included in the configuration file. You may also want to uncomment the debug line as well, although this may reduce your pptp throughput. Also, uncomment the option line and make sure it reads:
option /etc/ppp/options.pptpd
Make sure /etc/ppp/options is blank. If you have any options in this file, they are always read and may interfere with pptpd. This is good advice for all your ppp work. Don't populate the /etc/ppp/options file. Always specify everything required in its own options file (such as the options.pptpd file described above).
The final configuration file is /etc/ppp/chap-secrets. The general format is:
username * password *
Add the appropriate usernames and passwords. Note that the username and passwords are only used to log into pptpd. They are not used for Linux or SAMBA authentication. Also, Windows clients have a bad habit of appending the first domain name ever used to the username. Thus, even though a client might enter robert as the username, what actually gets sent could be (for example) MyDomain\\robert. One way to fix this is to use the debug logs to look for the actual name sent, and add the actual name in chap-secrets. This also means that if the client uses a different computer, the same username and password he (or she) has been using could stop working.
There is also a patch to strip the domain names and a separate patch to allow the use of your samba password database rather than chap-secrets. See home.swbell.net/berzerke/pppsmb2.4.patch for the second patch. This patch includes the blank password fix. You must add the line
chapms-strip-domain
to your pppd options file. See also section 5.35***.
If you wish to assign the person connecting a fixed IP address, rather than one from the pool you set up in pptpd.conf, replace the last star with the remote IP address. For example, if 192.168.1.4 is in the remote address pool (what gets assigned to client), and you always wish to assign it to the user robert, the line in chap-secrets would be:
robert * [robert's password] 192.168.1.4
Be careful if you use this. The addresses assigned must NOT be in the pool you allocated in pptpd.conf. If someone else connects and gets 192.168.1.4, and robert then connects, the route to the first person will be replaced by the route to robert. This means the first person is cut off. Note that these numbers must still be set aside and not used except for the person they are assigned to.
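The two address rules above (a fixed address in chap-secrets must not be inside the remoteip pool, and no address may be handed to two users) and the localip/remoteip check from the troubleshooting section are easy to get wrong by hand. The following is an added example, not part of this HOWTO or of pptpd, that reads both files and reports violations. It assumes pptpd's short range syntax ("192.168.1.234-238", comma separated) and chap-secrets lines whose secret is a single unquoted word; quoted secrets containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: a small check for the
# address settings described above.  It reports
#   1. a localip that falls inside the remoteip pool of pptpd.conf, and
#   2. a fixed address in the 4th column of chap-secrets that is inside
#      the remoteip pool, or that is handed to two different users.
# Assumptions (mine, not the HOWTO's): pptpd's short range syntax
# "192.168.1.234-238" separated by commas, and chap-secrets lines whose
# secret is a single unquoted word.

# Expand "192.168.1.234-238,192.168.1.245" into one address per line.
expand_ips() {
    for item in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$item" in
            *-*)
                prefix=${item%.*}              # 192.168.1
                lo=${item##*.}; lo=${lo%-*}    # 234
                hi=${item##*-}                 # 238
                n=$lo
                while [ "$n" -le "$hi" ]; do
                    echo "$prefix.$n"
                    n=$((n + 1))
                done
                ;;
            *) echo "$item" ;;
        esac
    done
}

# Value of a keyword in pptpd.conf; comment lines never match.
conf_value() {   # conf_value <file> <keyword>
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# Exit status 0 if address $1 is inside address spec $2.
in_pool() {
    expand_ips "$2" | grep -qxF "$1"
}

# Print one line per problem found (nothing when the files are clean).
report_pptpd_addrs() {   # report_pptpd_addrs <pptpd.conf> <chap-secrets>
    remote_spec=$(conf_value "$1" remoteip)
    for ip in $(expand_ips "$(conf_value "$1" localip)"); do
        in_pool "$ip" "$remote_spec" && echo "localip $ip overlaps the remoteip pool"
    done
    # "user server secret ip" entries with a real address in column 4
    pairs=$(awk '$1 !~ /^#/ && NF >= 4 && $4 != "*" { print $1, $4 }' "$2")
    printf '%s\n' "$pairs" | while read -r user ip; do
        [ -n "$user" ] || continue
        in_pool "$ip" "$remote_spec" &&
            echo "chap-secrets: $user has fixed IP $ip inside the remoteip pool"
    done
    printf '%s\n' "$pairs" |
        awk 'NF && ($2 in seen) { print "chap-secrets: " $2 " is assigned to both " seen[$2] " and " $1 }
             NF { seen[$2] = $1 }'
}

# Wrapper: prints the report and returns 1 if anything was found.
check_pptpd_addrs() {
    out=$(report_pptpd_addrs "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh pptpd-addrcheck.sh /etc/pptpd.conf /etc/ppp/chap-secrets
if [ "$#" -eq 2 ]; then
    check_pptpd_addrs "$1" "$2"
fi
```

Run it after every edit to chap-secrets; a non-zero exit status means one of the listed conflicts exists, which is exactly the situation where a later connection silently replaces an earlier user's route.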
The last thing to do is to start pptpd.
/usr/local/sbin/pptpd -d
You may want to put this command somewhere in your startup scripts.
The 2.4 series kernel introduced new firewalling code. The above kernel configuration file (see section 2.0) includes the new code. Netfilter is the new packet filter/mangler, and iptables is the tool used to manipulate netfilter. The following assumes you have iptables already installed (current version is 1.2.3, use your favorite installation method). Note that these rules are for a pptpd server that is not being masqueraded, although I believe they would work for a client not being masqueraded too, but this hasn't been tested. Hopefully, the masquerading rules for pptp will be added soon (as soon as I figure out how; I've got regular masquerading working, but have not tried pptp masquerading).
These rules are not a complete firewall, and while they may be fully functional, I believe they still have security holes. I assume that the default filter table policies are drop, and the nat table policies are accept. Let me know if you can improve them. A more complete SAMPLE iptables script, including pptpd support, can be found at home.swbell.net/berzerke. Note I use constants in my scripts to make customizations easy:
echo "Setting up firewall....."
#Define some constants - change for your network!
LOCALNETWORK="192.168.1.0/24"
LOOPBACK="127.0.0.0/8" #Added here: the original listing used $LOOPBACK below without defining it
PUBLICPORTS="1024:65535" #Added here: unprivileged client source ports; also undefined in the original listing
INTINT="eth1" #The internal interface
EXTINT="eth0" #The external interface
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#=============================================
# Flush the old rules and set default policies
#=============================================
echo "Setting defaults"
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
#Loopback interface is valid
/sbin/iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT
#Yes, I know lo looks strange, but otherwise there are problems.
#Some local network traffic does pass through lo rather than
#the internal interface.
/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT
echo "Loopback setup"
#Allow unlimited LAN traffic
/sbin/iptables -A INPUT -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT
#This next allows local broadcasts from this machine.
/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \
-j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT
echo "LAN traffic allowed"
#Allow forwarding from inside to out and vice versa
/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT
#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
--sport $PUBLICPORTS --dport 1723 -j ACCEPT
#Added here: nat rules alone do not let the control connection past the
#INPUT/OUTPUT DROP policies, so the filter table needs these two as well.
/sbin/iptables -A INPUT -i $EXTINT -p TCP --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport 1723 -j ACCEPT
#GRE (protocol 47) carries the tunnelled PPP frames
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i ppp+ \
-s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ \
-s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
echo "PPTPD allowed"
This section was based heavily on the RedHat-PoPToP HOWTO by Mike Barsalou. Thanks Mike. I don't have ME, XP, or 2000 clients to test against, so I can't offer setup instructions for those platforms. I would appreciate any write-ups.
Note that the Win95 routine is similar but requires Dial Up Networking (DUN) Update 1.3, with DUN 1.4 recommended, and both Win95 and Win98 need the vpnupdate (free from Microsoft) to be installed first. You're going to have to hunt around a little for these files as they keep moving. However, here are a couple of places to try first:
For Windows 95 (DUN 1.4): http://www.microsoft.com/Windows95/downloads/contents/WURecommended/S_WUNetworking/dun14win95/Default.asp
For Windows 98 (DUN 1.4): http://www.microsoft.com/Windows98/downloads/contents/WURecommended/S_WUNetworking/dun14/Default.asp
This section lists things to watch out for and check if pptpd isn't working.
Does the client have a firewall? If the client has a firewall, be sure it allows pptpd to pass through.
In your pptpd.conf file, be sure the remoteip(s) and localip (you don't need more than one) are on the same subnet and do *NOT* overlap. They must be different. Also, be sure any IPs specified in chap-secrets do not overlap either.
If a particular machine can't browse over pptpd and you've checked everything else, try uninstalling and reinstalling Client for Microsoft Networks. Also try uninstalling and reinstalling the adapters. This is a problem even with W2k.
You're going to have lots of trouble unless you enable ip forwarding. The command [echo "1" >/proc/sys/net/ipv4/ip_forward] will do it, but will not survive a reboot, so be sure and place the command somewhere in your startup scripts. Also, if you have a firewall, be sure it allows the forwarded packets through.
The three R's of MS tech support: Retry, Reboot, Reinstall. Especially try the reboot. Windows 9x and Me suffer from memory fragmentation issues that can require rebooting in order to make PPP or PPTP work again. This is something to try especially when you have connected before successfully.
Are you using version 1.1.2? Don't use 1.0.1. 1.1.2 is stable.
The placement of the questions in the various categories is somewhat subjective. If you have any better ideas on categories or placement, please let me know.
7.2 PPTPD questions (non-error messages)
The PPTP RFC specifies in section 3.1.3 that there may only be one control channel connection between two systems. This should mean that you can only masquerade one PPTP session at a time with a given remote server, but in practice the MS implementation of PPTP does not enforce this, at least not as of NT 4.0 Service Pack 4. If the PPTP server you're trying to connect to only permits one connection at a time, it's following the protocol rules properly. Note that this does not affect a masqueraded server, only multiple masqueraded clients attempting to contact the same remote server.
# Uncomment the next 2 lines to include support for Microsoft's
# MS-CHAP authentication protocol.
CHAPMS=y
USE_CRYPT=y
Compile it. This assumes you also applied the normal patches. Next, in the /etc/ppp/options.pptpd file, add the line:
+chapms
You should note this is a very poor authentication protocol and it has been replaced by CHAPv2. Enable this at your own risk!
7.3 PPTPD client issues (non-error messages)
iptables -t filter -L -n
iptables -t mangle -L -n
iptables -t nat -L -n
Apr 9 11:34:00 ra0 pppd[9521]: rcvd [Compressed data] 90 00 bb 5c a3 2d a7 0d ...
Apr 9 11:34:04 ra0 pppd[9521]: rcvd [Compressed data] 90 01 c3 1a 0e cb c2 29 ...
in my log files and no traffic seems to go across the link.
No traffic actually goes across the link. Adding "mppe-40" to /etc/ppp/options.pptpd makes everything work perfectly. The clients still negotiate MPPE 128 bit.
The options
require-chap
require-mppe
require-mppe-stateless
tend to kill Win9x/ME client connections. I don't recommend using these options.