FROM: Niall Keegan
DATE: 03/28/2002 16:49:01
SUBJECT: RE: [Poptop-server] PoPToP, OpenBSD 3.0 and Windows 2000


Hi Jyri,

I have this exact configuration working with OpenBSD 3.0.

Here is an OpenBSD 3.0 PoPToP Howto that I put together 
based on my experiences. Hopefully, after the dust settles 
from the Lineo -> SourceForge transition, some or all of
this document can find its way into the archives.

In your particular case, I think you only need to pay attention 
to Section 6, which describes the Userland PPP setup. 
Pay special attention to the 'set mppe * stateful' line, 
if you want encryption.

Regards,

Niall Keegan.

---------------------------------------------------------------------------
Setting up and Running PoPToP on OpenBSD 3.0
---------------------------------------------------------------------------

Last Updated: 20020319

Send changes to: Niall Keegan <nkeegan at solus dot net>    


This document was compiled from several sources, including:

- John Heyer's instructions for running PoPToP under FreeBSD at:
  http://heyer.supranet.net/pptp

- The PoPToP Mailing-List archives at:
  http://lists.schulte.org/pipermail/pptp-server 

- The PoPToP FAQ compiled by Phil Van Baren, at:
  http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt

- The PoPToP RedHat HOWTO by Mike Barsalou at:
  http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt
  
- The OpenBSD FAQ at:
  http://www.openbsd.org/faq/index.html


The PoPToP FAQ at http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt 
provides a lot of background information on the internals and operation 
of a PPTP server, which is outside the scope of this document. 

You should refer to the main FAQ for useful advice on troubleshooting 
client PPTP (VPN) issues. 



Contents
--------    

1.0 Introduction    

2.0 System Requirements

3.0 OpenBSD Specifics

4.0 Kernel Configuration

5.0 PoPToP Installation  

6.0 Userland PPP Setup

7.0 Setup and testing

8.0 Firewall Considerations

9.0 Conclusion



1.0 Introduction
----------------

OpenBSD is well known for its built-in IPSec support, but it can easily 
be configured to run PoPToP, too.

This document describes how to do it, with or without session encryption
for the clients.

Broadly speaking, you need to do 3 things in order to get PoPToP working
on OpenBSD :

- Configure and build a custom kernel
- Configure and build PoPToP for BSD PPP
- Configure Userland PPP



2.0 System Requirements    
-----------------------    

1. This document is directly aimed at OpenBSD 3.0. It may work for prior
   versions, but it has not been tested with them.  

2. PoPToP v1.0.1  (or 1.1.2 which adds packet reordering)



3.0 OpenBSD Specifics
---------------------

In order to configure and troubleshoot PoPToP on OpenBSD 3.0, you should 
note the following :

1. OpenBSD comes with its own built-in (kernel) support for GRE tunnels.
   You need to disable this, in order for PoPToP to work.
   (See Kernel Configuration, section 4.2, Change #1)
  
2. On OpenBSD (as with FreeBSD), the construction and tear-down of PPTP 
   tunnels (under PoPToP) is done with userland PPP (/usr/sbin/ppp).

   This is in contrast to Linux, where the construction and tear-down 
   of PPTP tunnels is done using the kernel-mode PPP daemon. ( pppd )
  
   In a nutshell : We will use /usr/sbin/ppp, (not /usr/sbin/pppd)

3. OpenBSD 3.0 comes with DES and MPPE support compiled-in to its PPP.
   This allows us to do MS-compatible MPPE encryption on PPTP tunnels to 
   Microsoft (compatible) VPN clients, without having to concern ourselves
   with the MSChap / MPPE patches to PPP or kernel modules, referred to in
   the Linux documentation.
  
4. OpenBSD comes with built-in (kernel) support for IPv6.
   You may want to turn off kernel IPv6 support unless you presently have
   a use for it. Otherwise, be prepared for plenty of syslog messages from
   /usr/sbin/ppp about the other side not supporting IPv6 ...

   Since PoPToP is generally implemented on a perimeter / bastion host,
   it's not a bad idea to eliminate any kernel / networking / userland 
   stuff you don't use, anyway.



4.0 Kernel Configuration
------------------------

In order to run PoPToP on OpenBSD, a couple of kernel settings need 
to be changed. I prefer building a custom kernel from sources, because 
I normally turn off IPv6 support and disable support for devices and 
subsystems I don't need.

If you are comfortable using 'config' to tune your kernel, you should be
able to get the same results by frobbing the pseudo-devices concerned
(see section 4.2) and generate a modified copy of your kernel file, 
without having to compile from source. If you do this, you can skip to 
section 4.4 .

This is one way to build a custom kernel inside a writable source tree:


1. Get the OpenBSD 3.0 source code. You can find it on CD #3 of the 3.0 
   CD set, or at ftp://ftp.openbsd.org/pub/OpenBSD/3.0/src.tar.gz
  
   Unpack the distribution source files under /usr/src
   
   I did this : 
   
    cd /tmp
    ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/src.tar.gz
    cd /usr/src
    tar -zxvf /tmp/src.tar.gz

   You can find detailed instructions on customizing and building the 
   kernel, in section 5 of the OpenBSD FAQ: http://www.openbsd.com/faq

  
2. Kernel modifications :

   Edit the machine-independent configuration file located at:
   /usr/src/sys/conf/GENERIC  and make the following changes :
  
   Change #1 : (required) : disable kernel GRE support by commenting out
                          : pseudo-device gre :
  
   #pseudo-device  gre     1       # GRE encapsulation interface

   Change #2 : (required) : increase the number of tun pseudo-devices to  
                          : match the expected number of concurrent PPTP
                          : users (I configured 8) :

   pseudo-device   tun     8       # network tunneling over tty

   Change #3 : (optional) : disable kernel IPv6 support by commenting out 
                          : option INET6, option PULLDOWN_TEST, 
                          : pseudo-device gif :
  
   #option         INET6           # IPv6 (needs INET)
   #option         PULLDOWN_TEST   # use m_pulldown for IPv6 packet parsing
   .
   .
   .
   #pseudo-device  gif     4       # IPv[46] over IPv[46] tunnel (RFC1933)
  

3. Rebuild your kernel. 

   Note: PoPToP will work just fine with a kernel built from original 3.0
   sources and the changes we introduced to the (machine-independent) 
   /usr/src/sys/conf/GENERIC file. 

   However, unless you follow OpenBSD-Current, now would be a good time 
   to make sure your system is up to date with relevant patches for your
   architecture, listed here: http://www.openbsd.com/errata.html 

   Instructions on compiling a new kernel are here :
   http://www.openbsd.com/faq/faq5.html#Building

   
   At the end of the kernel build process, you will have a new kernel file
   without built-in gre support, configured for additional tun devices, 
   and optionally, without IPv6 support. 
   
   Move your new kernel into place after backing up the previous kernel.
   Something like this:
   
    cp /bsd /bsd.old
    cp /sys/arch/$ARCH/compile/SOMEFILE/bsd /bsd


4. Create additional tunnel devices, as necessary :

   After you reboot, you will need to create device files for all the tun*
   pseudo-devices your new kernel supports. This is done as follows :
  
   cd /dev
   sh ./MAKEDEV tunX
  
   ... where X is the number of the tunnel device to create. OpenBSD 3.0 
   creates tun0, tun1, tun2, by default. You will need to create tun3 and
   any higher numbered tun* device special files, if you plan on having 
   more than 3 concurrent users.


5. Verify that your new kernel will support the number of concurrent PPTP
   connections you need, by running:
   
   ifconfig -a
   
   and look for tun* interfaces

   

5.0 PoPToP Installation
-----------------------

1. Get the PoPToP sources here :

   http://www.snapgear.com/ftp/poptop/pptpd-1.0.1.tar.gz

2. Build and install the pptpd (configure --with-bsdppp) :

   Example :

   cd /tmp
   ftp http://www.snapgear.com/ftp/poptop/pptpd-1.0.1.tar.gz
   tar -zxvf pptpd-1.0.1.tar.gz
   cd pptpd-1.0.1
   ./configure --with-bsdppp
   make
   make install
  
3. Configure PoPToP using /etc/pptpd.conf :

   Aside : You should set aside a dedicated IP address (labeled "localip")
   for the pptpd (PoPToP server) on the same IP subnet as your LAN, as well
   as a range of IP addresses (labeled "remoteip"), also on the same IP 
   subnet as your LAN, for VPN clients. The "listen" field contains the 
   IP address of your external LAN adapter.


   You can find a detailed explanation of the pptpd.conf parameters in
   Matthew Ramsay's original documents, and in the configuration samples.

   pptpd.conf should look something like this :

   --- cut here ---

   option /etc/ppp/ppp.conf

   # IP address of your server-side PPP endpoint:
   # (Should be an unused IP address on your internal LAN)
   localip 192.168.1.7
   
   # IP address range to use for your PPTP clients:
   # (Should be unused IP addresses on your internal LAN)
   remoteip 192.168.1.8-15

   # IP address of your external LAN interface:
   listen 10.10.10.10
   pidfile /var/run/pptpd.pid

   --- cut here ---
  
  

6.0 Userland PPP Setup
----------------------  

Note : The information in this section is shamelessly copied from 
       John Heyer's document on running PoPToP under FreeBSD : 
       http://heyer.supranet.net/pptp
       
Create the following 3 configuration files (for userland PPP) :

   1. /etc/ppp/ppp.conf
   2. /etc/ppp/secure
   3. /etc/ppp/ppp.secret


1. /etc/ppp/ppp.conf :
  
   Aside : ppp.conf is to userland PPP what the /etc/ppp/options.XXX
   files are to kernel PPP (pppd).
  
   ppp.conf should look something like this for encrypted PPTP tunnels :
  
   --- cut here ---
  
   loop:
     set timeout 0
     set log phase chat connect lcp ipcp command
     set device localhost:pptp
     set dial
     set login
     set mppe * stateful

     # Server (local) IP address, Range for Clients, and Netmask
     # Use the same IP addresses you specified in /etc/pptpd.conf :
     set ifaddr 192.168.1.7 192.168.1.8-192.168.1.15 255.255.255.255
     set server /tmp/loop "" 0177

   loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct

   pptp:
    load loop
    disable pap
    disable chap
    enable mschapv2
    disable deflate pred1
    deny deflate pred1

    accept mppe
    enable proxy
    accept dns

    # DNS Servers to assign client 
    # Use your own DNS server IP address :
    set dns 192.168.1.20 

    # NetBIOS/WINS Servers to assign client 
    # Use your own WINS server IP address :
    set nbns 192.168.1.20
    set device !/etc/ppp/secure
    
   --- cut here ---
  
   Remember to use your own IP addresses with "set ifaddr" in the loop: 
   section above, and use your own DNS / WINS server IP addresses in the 
   pptp: section, if applicable.
  
   Note : If you want to test without encrypted PPTP tunnels, you can 
   remove the following lines from the loop: section :
  
    set mppe * stateful

    disable chap
    enable mschapv2
    disable deflate pred1
    deny deflate pred1

   Also add the following line to the "pptp:" section :
  
    enable chap 
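   The ppp.conf above and the pptpd.conf in section 5 must agree on the
   server address and the client range, but pptpd.conf abbreviates the
   range (192.168.1.8-15) while "set ifaddr" spells it out in full. The
   following POSIX sh check is added here as an example and is not part
   of the HOWTO: it parses both files, normalises the abbreviated range
   and reports whether they match. The demo function writes constructed
   copies of both files (using the HOWTO's sample values) into a
   temporary directory, so the check can be tried without touching /etc.

```shell
#!/bin/sh
# Added example: verify that /etc/pptpd.conf and /etc/ppp/ppp.conf
# describe the same server address and client range.

# expand_range "192.168.1.8-15" -> "192.168.1.8-192.168.1.15"
# A range already in full form, or a single address, is returned as-is.
expand_range() {
    case "$1" in
        *-*)
            start=${1%-*}
            end=${1#*-}
            case "$end" in
                *.*) echo "$start-$end" ;;               # already full form
                *)   echo "$start-${start%.*}.$end" ;;   # last-octet shorthand
            esac ;;
        *) echo "$1" ;;
    esac
}

# check_vpn_addrs PPTPD_CONF PPP_CONF -> returns 0 if consistent, 1 if not
check_vpn_addrs() {
    pptpd_conf=$1 ppp_conf=$2
    localip=$(awk '$1=="localip"{print $2}' "$pptpd_conf")
    remoteip=$(expand_range "$(awk '$1=="remoteip"{print $2}' "$pptpd_conf")")
    # ppp.conf line: set ifaddr <local> <client-range> <netmask>
    set -- $(awk '$1=="set" && $2=="ifaddr"{print $3, $4}' "$ppp_conf")
    [ "$localip" = "$1" ] && [ "$remoteip" = "$2" ]
}

# demo [REMOTEIP]: constructed sample pair using the HOWTO's values;
# pass a different remoteip (e.g. 192.168.1.8-16) to see a mismatch.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'option /etc/ppp/ppp.conf\nlocalip 192.168.1.7\nremoteip %s\nlisten 10.10.10.10\n' \
        "${1:-192.168.1.8-15}" >"$dir/pptpd.conf"
    printf 'loop:\n  set mppe * stateful\n  set ifaddr 192.168.1.7 192.168.1.8-192.168.1.15 255.255.255.255\n' \
        >"$dir/ppp.conf"
    check_vpn_addrs "$dir/pptpd.conf" "$dir/ppp.conf"; rc=$?
    rm -rf "$dir"
    return $rc
}

# Run against the live files with: sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
    check_vpn_addrs /etc/pptpd.conf /etc/ppp/ppp.conf && echo "pptpd.conf and ppp.conf agree"
fi
```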
  
  
2. /etc/ppp/secure :
  
   Create a /etc/ppp/secure file with the following 2 lines and chmod u+x 
   on it :
  
   --- cut here ---
  
   #!/bin/sh
   exec /usr/sbin/ppp -direct loop-in
  
   --- cut here ---


3. /etc/ppp/ppp.secret :
  
   Aside : If you have used pppd before, think of /etc/ppp/ppp.secret
   as a kind of combined pap-secrets / chap-secrets file.

   Create a /etc/ppp/ppp.secret file containing lines like the following 
   and chmod 0400 on it :
  
   --- cut here ---

   username1    password1
   username2    password2
   .
   .
   .

   --- cut here ---
  
   Note : If your remote clients are running Win9x and encrypted PPTP 
   tunnels, you should prepend DOMAIN\ to the username in the first field,
   where "DOMAIN" is your Microsoft Workgroup or Domain Name.

   This behavior seems to be confined to Win9x clients: if you request or
   require encryption, expect these clients to send DOMAIN\username in 
   the challenge response, instead of just username.


4. Modify /etc/syslog.conf to send PPP messages to a dedicated logfile.

   Add the following 2 lines to /etc/syslog.conf :

   --- cut here ---
   
    !ppp
    *.*                                    /var/log/ppp.log

   --- cut here ---

   Send a HUP signal to syslogd for the changes to take effect.

  

7.0 Setup and testing
---------------------

If you followed the PoPToP configuration steps above, your PPTP daemon
will be located in /usr/local/sbin/pptpd. Launch it with a -d switch.

You can arrange to autostart the PoPToP daemon by adding a section like
this to your /etc/rc.local :

 --- cut here ---
 
  # PoPToP Server
  
  if [ -x /usr/local/sbin/pptpd ]; then
      echo -n ' pptpd';    /usr/local/sbin/pptpd -d
  fi
  
 --- cut here ---
 
 
 
8.0 Firewall Considerations
---------------------------

1. If you are using pf (or ipf) :

  1. Allow gre (IP protocol 47) inbound, as well as outbound, to the 
     (IP address of the) External LAN adapter.
     
  2. Allow hosts on the Internet to connect to the PPTP control channel 
     (tcp/1723) on the (IP address of the) External LAN adapter.
  
  3. Allow all traffic in and out of the tun* interfaces
  
2. Ensure that any other firewall between your OpenBSD box and the PPTP
   clients, allows GRE (IP proto 47) bidirectionally and allows the client 
   to initiate a control connection with tcp/1723 on the OpenBSD host.
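   A pf.conf fragment that implements the three rules above, added here as
   an example rather than taken from the HOWTO. It assumes fxp0 is the
   external interface carrying the "listen" address 10.10.10.10 and that
   the kernel was built with 8 tun devices, and it uses the rule syntax of
   the pf that shipped with OpenBSD 3.0 (no macros or lists):

```pf
# PoPToP rules for pf (OpenBSD 3.0 syntax).  These are meant to be merged
# into an existing ruleset that already blocks everything else on fxp0;
# they only open what PoPToP needs.

# PPTP control channel: clients on the Internet connect to tcp/1723 on
# the external address.  Match the initial SYN only and let the state
# entry pass the rest of the connection.
pass in on fxp0 proto tcp from any to 10.10.10.10 port = 1723 flags S/SA keep state

# GRE (IP protocol 47) carries the tunnelled PPP frames.  pf of this era
# tracks state for tcp, udp and icmp only, so GRE is passed statelessly,
# inbound and outbound, restricted to the external address.
pass in  on fxp0 proto gre from any to 10.10.10.10
pass out on fxp0 proto gre from 10.10.10.10 to any

# Decapsulated VPN traffic appears on the tun* interfaces.  Pass it in
# both directions; repeat this pair for tun1 .. tun7.
pass in  on tun0 all
pass out on tun0 all
```

   Narrow the tun* rules to the client subnet (192.168.1.8-15 in the
   HOWTO's example) once the tunnel is known to work.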
  
  
  
9.0 Conclusion
--------------

I currently have this configuration working on an OpenBSD 3.0 system,
(release + errata to 015), with PoPToP 1.0.1.

My clients are Win98 SE clients with DUN 1.4 and 128bit encryption.
I have tested both WinNT SP6a and Win2K clients with 128bit encryption;
These appear to run fine. I have not yet tested WinXP clients.

If this configuration does not work for you, with the PPTP clients that 
you need to support, here are some things you can try :

- If you are running pf, temporarily relax your OpenBSD firewall rules 
  so that you pass in all and pass out all, on the external LAN interface,
  for the purposes of troubleshooting.

- Temporarily increase the amount of PPP logging you do, by changing the 
  "set log" line in the loop: section of /etc/ppp/ppp.conf to :
  
   set log phase chat connect lcp ipcp ccp tun command

- Look at what's getting sent to /var/log/ppp.log
  You can watch it in real-time using: tail -f /var/log/ppp.log

- Check the Microsoft downloads site to make sure your Windows clients
  are running the latest version of Dialup networking for their OS.

- Refer to the PoPToP FAQ at: 
  http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt
  for a more in-depth coverage of PPTP client troubleshooting.


Enjoy PoPToP on OpenBSD !



_______________________________________________
Poptop-server mailing list
https://lists.sourceforge.net/lists/listinfo/poptop-server