FROM: Niall Keegan
DATE: 03/28/2002 16:49:01
SUBJECT: RE: [Poptop-server] PoPToP, OpenBSD 3.0 and Windows 2000
Hi Jyri,

I have this exact configuration working with OpenBSD 3.0. Here is an OpenBSD 3.0 PoPToP Howto that I put together based on my experiences. Hopefully, after the dust settles from the Lineo -> SourceForge transition, some or all of this document can find its way into the archives.

In your particular case, I think you only need to pay attention to Section 6, which describes the Userland PPP setup. Pay special attention to the 'set mppe * stateful' line, if you want encryption.

Regards,
Niall Keegan.

---------------------------------------------------------------------------
Setting up and Running PoPToP on OpenBSD 3.0
---------------------------------------------------------------------------

Last Updated: 20020319
Send changes to: Niall Keegan <nkeegan at solus dot net>

This document was compiled from several sources, including:

- John Heyer's instructions for running PoPToP under FreeBSD at:
  http://heyer.supranet.net/pptp
- The PoPToP Mailing-List archives at:
  http://lists.schulte.org/pipermail/pptp-server
- The PoPToP FAQ compiled by Phil Van Baren, at:
  http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt
- The PoPToP RedHat HOWTO by Mike Barsalou at:
  http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt
- The OpenBSD FAQ at:
  http://www.openbsd.org/faq/index.html

The PoPToP FAQ at http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt provides a lot of background information on the internals and operation of a PPTP server, which is outside the scope of this document. You should refer to the main FAQ for useful advice on troubleshooting client PPTP (VPN) issues.

Contents
--------

1.0 Introduction
2.0 System Requirements
3.0 OpenBSD Specifics
4.0 Kernel Configuration
5.0 PoPToP Installation
6.0 Userland PPP Setup
7.0 Setup and testing
8.0 Firewall Considerations
9.0 Conclusion

1.0 Introduction
----------------

OpenBSD is well known for its built-in IPSec support, but it can easily be configured to run PoPToP too, with or without session encryption for the clients. This document describes how to do it.

Broadly speaking, you need to do 3 things in order to get PoPToP working on OpenBSD:

- Configure and build a custom kernel
- Configure and build PoPToP for BSD PPP
- Configure Userland PPP

2.0 System Requirements
-----------------------

1. This document is directly aimed at OpenBSD 3.0. It may work for prior versions, but it has not been tested with them.
2. PoPToP v1.0.1 (or 1.1.2, which adds packet reordering)

3.0 OpenBSD Specifics
---------------------

In order to configure and troubleshoot PoPToP on OpenBSD 3.0, you should note the following:

1. OpenBSD comes with its own built-in (kernel) support for GRE tunnels. You need to disable this in order for PoPToP to work. (See Kernel Configuration, section 4.2, Change #1)

2. On OpenBSD (as with FreeBSD), the construction and tear-down of PPTP tunnels (under PoPToP) is done with userland PPP (/usr/sbin/ppp). This is in contrast to Linux, where the construction and tear-down of PPTP tunnels is done using the kernel-mode PPP daemon (pppd).

   In a nutshell: we will use /usr/sbin/ppp, not /usr/sbin/pppd.

3. OpenBSD 3.0 comes with DES and MPPE support compiled in to its PPP. This allows us to do MS-compatible MPPE encryption on PPTP tunnels to Microsoft (compatible) VPN clients, without having to concern ourselves with the MSChap / MPPE patches to PPP or kernel modules referred to in the Linux documentation.

4. OpenBSD comes with built-in (kernel) support for IPv6. You may want to turn off kernel IPv6 support unless you presently have a use for it. Otherwise, be prepared for plenty of syslog messages from /usr/sbin/ppp about the other side not supporting IPv6. Since PoPToP is generally implemented on a perimeter / bastion host, it's not a bad idea to eliminate any kernel / networking / userland stuff you don't use, anyway.

4.0 Kernel Configuration
------------------------

In order to run PoPToP on OpenBSD, a couple of kernel settings need to be changed.

I prefer building a custom kernel from sources, because I normally turn off IPv6 support and disable support for devices and subsystems I don't need. If you are comfortable using 'config' to tune your kernel, you should be able to get the same results by frobbing the pseudo-devices concerned (see section 4.2) and generating a modified copy of your kernel file, without having to compile from source. If you do this, you can skip to section 4.4.

This is one way to build a custom kernel inside a writable source tree:

1. Get the OpenBSD 3.0 source code. You can find it on CD #3 of the 3.0 CD set, or at ftp://ftp.openbsd.org/pub/OpenBSD/3.0/src.tar.gz

   Unpack the distribution source files under /usr/src. I did this:

     cd /tmp
     ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/src.tar.gz
     cd /usr/src
     tar -zxvf /tmp/src.tar.gz

   You can find detailed instructions on customizing and building the kernel in section 5 of the OpenBSD FAQ: http://www.openbsd.com/faq

2. Kernel modifications:

   Edit the machine-independent configuration file located at /usr/src/sys/conf/GENERIC and make the following changes:

   Change #1 (required): disable kernel GRE support by commenting out pseudo-device gre:

     #pseudo-device gre 1 # GRE encapsulation interface

   Change #2 (required): increase the number of tun pseudo-devices to match the expected number of concurrent PPTP users (I configured 8):

     pseudo-device tun 8 # network tunneling over tty

   Change #3 (optional): disable kernel IPv6 support by commenting out option INET6, option PULLDOWN_TEST and pseudo-device gif:

     #option INET6 # IPv6 (needs INET)
     #option PULLDOWN_TEST # use m_pulldown for IPv6 packet parsing
     . . .
     #pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC1933)

3. Rebuild your kernel.

   Note: PoPToP will work just fine with a kernel built from original 3.0 sources and the changes we introduced to the (machine-independent) /usr/src/sys/conf/GENERIC file. However, unless you follow OpenBSD-Current, now would be a good time to make sure your system is up to date with the relevant patches for your architecture, listed here: http://www.openbsd.com/errata.html

   Instructions on compiling a new kernel are here: http://www.openbsd.com/faq/faq5.html#Building

   At the end of the kernel build process, you will have a new kernel file without built-in gre support, configured for additional tun devices, and optionally without IPv6 support. Move your new kernel into place after backing up the previous kernel. Something like this:

     cp /bsd /bsd.old
     cp /sys/arch/$ARCH/compile/SOMEFILE/bsd /bsd

4. Create additional tunnel devices, as necessary:

   After you reboot, you will need to create device files for all the tun* pseudo-devices your new kernel supports. This is done as follows:

     cd /dev
     sh ./MAKEDEV tunX

   ... where X is the number of the tunnel device to create. OpenBSD 3.0 creates tun0, tun1 and tun2 by default. You will need to create tun3 and any higher-numbered tun* device special files if you plan on having more than 3 concurrent users.

5. Verify that your new kernel will support the number of concurrent PPTP connections you need, by running:

     ifconfig -a

   and looking for tun* interfaces.

5.0 PoPToP Installation
-----------------------

1. Get the PoPToP sources here: http://www.snapgear.com/ftp/poptop/pptpd-1.0.1.tar.gz

2. Build and install pptpd (configure --with-bsdppp). Example:

     cd /tmp
     ftp http://www.snapgear.com/ftp/poptop/pptpd-1.0.1.tar.gz
     tar -zxvf pptpd-1.0.1.tar.gz
     cd pptpd-1.0.1
     ./configure --with-bsdppp
     make
     make install

3. Configure PoPToP using /etc/pptpd.conf:

   Aside: You should set aside a dedicated IP address (labeled "localip") for the pptpd (PoPToP server) on the same IP subnet as your LAN, as well as a range of IP addresses (labeled "remoteip"), also on the same IP subnet as your LAN, for VPN clients. The "listen" field contains the IP address of your external LAN adapter.

   You can find a detailed explanation of the pptpd.conf parameters in Matthew Ramsay's original documents, and in the configuration samples.

   pptpd.conf should look something like this:

--- cut here ---
option /etc/ppp/ppp.conf

# IP address of your server-side PPP endpoint:
# (Should be an unused IP address on your internal LAN)
localip 192.168.1.7

# IP address range to use for your PPTP clients:
# (Should be unused IP addresses on your internal LAN)
remoteip 192.168.1.8-15

# IP address of your external LAN interface:
listen 10.10.10.10

pidfile /var/run/pptpd.pid
--- cut here ---

6.0 Userland PPP Setup
----------------------

Note: The information in this section is shamelessly copied from John Heyer's document on running PoPToP under FreeBSD: http://heyer.supranet.net/pptp

Create the following 3 configuration files (for userland PPP):

1. /etc/ppp/ppp.conf
2. /etc/ppp/secure
3. /etc/ppp/ppp.secret

1. /etc/ppp/ppp.conf:

   Aside: ppp.conf is to userland PPP what the /etc/ppp/options.XXX files are to kernel PPP (pppd).

   ppp.conf should look something like this for encrypted PPTP tunnels:

--- cut here ---
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 set mppe * stateful
 # Server (local) IP address, Range for Clients, and Netmask
 # Use the same IP addresses you specified in /etc/pptpd.conf :
 set ifaddr 192.168.1.7 192.168.1.8-192.168.1.15 255.255.255.255
 set server /tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 disable pap
 disable chap
 enable mschapv2
 disable deflate pred1
 deny deflate pred1
 accept mppe
 enable proxy
 accept dns
 # DNS Servers to assign client
 # Use your own DNS server IP address :
 set dns 192.168.1.20
 # NetBIOS/WINS Servers to assign client
 # Use your own WINS server IP address :
 set nbns 192.168.1.20
 set device !/etc/ppp/secure
--- cut here ---

   Remember to use your own IP addresses with "set ifaddr" in the loop: section above, and use your own DNS / WINS server IP addresses in the pptp: section, if applicable.

   Note: If you want to test without encrypted PPTP tunnels, you can remove the following lines from the configuration above:

     set mppe * stateful
     disable chap
     enable mschapv2
     disable deflate pred1
     deny deflate pred1

   Also add the following line to the "pptp:" section:

     enable chap

2. /etc/ppp/secure:

   Create a /etc/ppp/secure file with the following 2 lines and chmod u+x on it:

--- cut here ---
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
--- cut here ---

3. /etc/ppp/ppp.secret:

   Aside: If you have used pppd before, think of /etc/ppp/ppp.secret as a kind of combined pap-secrets / chap-secrets file.

   Create a /etc/ppp/ppp.secret file containing lines like the following and chmod 0400 on it:

--- cut here ---
username1 password1
username2 password2
. . .
--- cut here ---

   Note: If your remote clients are running Win9x and encrypted PPTP tunnels, you should prepend DOMAIN\ to the username in the first field, where "DOMAIN" is your Microsoft Workgroup or Domain Name. This behavior seems to be confined to Win9x clients: if you request / require encryption, expect these clients to send you a DOMAIN\username challenge instead of just username.

4. Modify /etc/syslog.conf to send PPP messages to a dedicated logfile. Add the following 2 lines to /etc/syslog.conf:

--- cut here ---
!ppp
*.* /var/log/ppp.log
--- cut here ---

   Send a HUP signal to syslogd for the changes to take effect.

7.0 Setup and testing
---------------------

If you followed the PoPToP configuration steps above, your PPTP daemon will be located in /usr/local/sbin/pptpd. Launch it with a -d switch.

You can arrange to autostart the PoPToP daemon by adding a section like this to your /etc/rc.local:

--- cut here ---
# PoPToP Server
if [ -x /usr/local/sbin/pptpd ]; then
        echo -n ' pptpd'; /usr/local/sbin/pptpd -d
fi
--- cut here ---

8.0 Firewall Considerations
---------------------------

1. If you are using pf (or ipf):

   1. Allow gre (IP protocol 47) inbound, as well as outbound, to the (IP address of the) External LAN adapter.
   2. Allow hosts on the Internet to connect to the PPTP control channel (tcp/1723) on the (IP address of the) External LAN adapter.
   3. Allow all traffic in and out of the tun* interfaces.

2. Ensure that any other firewall between your OpenBSD box and the PPTP clients allows GRE (IP proto 47) bidirectionally and allows the client to initiate a control connection with tcp/1723 on the OpenBSD host.

9.0 Conclusion
--------------

I currently have this configuration working on an OpenBSD 3.0 system (release + errata to 015), with PoPToP 1.0.1. My clients are Win98 SE clients with DUN 1.4 and 128bit encryption. I have tested both WinNT SP6a and Win2K clients with 128bit encryption; these appear to run fine. I have not yet tested WinXP clients.

If this configuration does not work for you, with the PPTP clients that you need to support, here are some things you can try:

- If you are running pf, temporarily relax your OpenBSD firewall rules so that you pass in all and pass out all on the external LAN interface, for the purposes of troubleshooting.
- Temporarily increase the amount of PPP logging you do, by changing the "set log" line in the loop: section of /etc/ppp/ppp.conf to:

    set log phase chat connect lcp ipcp ccp tun command

- Look at what's getting sent to /var/log/ppp.log. You can watch it in real-time using:

    tail -f /var/log/ppp.log

- Check the Microsoft downloads site to make sure your Windows clients are running the latest version of Dialup Networking for their OS.
- Refer to the PoPToP FAQ at http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt for more in-depth coverage of PPTP client troubleshooting.

Enjoy PoPToP on OpenBSD !

_______________________________________________
Poptop-server mailing list
<EMAIL: PROTECTED>
https://lists.sourceforge.net/lists/listinfo/poptop-server
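The HOWTO above asks the reader to keep several things consistent by hand: the localip / remoteip values in /etc/pptpd.conf must match the "set ifaddr" line in /etc/ppp/ppp.conf, the kernel must expose at least as many tun interfaces as there are client addresses (a stock 3.0 kernel only has tun0..tun2), /etc/ppp/secure must be executable, and /etc/ppp/ppp.secret must be mode 0400. The script below is an added example written for this post; it is not part of Niall's HOWTO or of the PoPToP project. It writes constructed copies of those four files to a temp directory and uses a constructed "ifconfig -a" listing, so it runs anywhere; on a real host you would point it at the live files and pipe in real ifconfig output. The range arithmetic assumes start and end addresses share a /24 prefix, as in the HOWTO's examples.

```shell
#!/bin/sh
# Consistency checks for a PoPToP + userland PPP setup (added example,
# not from the HOWTO). Uses constructed sample files under a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed pptpd.conf, mirroring the values used in the HOWTO.
cat > "$WORK/pptpd.conf" <<'EOF'
option /etc/ppp/ppp.conf
localip 192.168.1.7
remoteip 192.168.1.8-15
listen 10.10.10.10
pidfile /var/run/pptpd.pid
EOF

# Constructed ppp.conf; only the loop: section matters for these checks.
cat > "$WORK/ppp.conf" <<'EOF'
loop:
 set timeout 0
 set mppe * stateful
 set ifaddr 192.168.1.7 192.168.1.8-192.168.1.15 255.255.255.255
EOF

printf '#!/bin/sh\nexec /usr/sbin/ppp -direct loop-in\n' > "$WORK/secure"
chmod u+x "$WORK/secure"
printf 'username1 password1\n' > "$WORK/ppp.secret"
chmod 0400 "$WORK/ppp.secret"

# Constructed "ifconfig -a" output for a stock 3.0 kernel (tun0..tun2 only).
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 1500
tun1: flags=10<POINTOPOINT> mtu 1500
tun2: flags=10<POINTOPOINT> mtu 1500'

# First value of KEY in a pptpd.conf-style file.
pptpd_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Server address and client range from the "set ifaddr" line of ppp.conf.
ppp_ifaddr() {
  awk '$1 == "set" && $2 == "ifaddr" { print $3, $4; exit }' "$1"
}

# Normalise "a.b.c.x-y" (pptpd.conf style) or "a.b.c.x-a.b.c.y"
# (ppp.conf style) to "a.b.c.x a.b.c.y".
expand_range() {
  start=${1%-*}
  end=${1#*-}
  case $end in
    *.*) ;;                          # already a full address
    *)   end="${start%.*}.$end" ;;   # short form: reuse the prefix
  esac
  echo "$start $end"
}

# Number of client addresses in a range (start and end share a /24 prefix).
range_size() {
  set -- $(expand_range "$1")
  echo $(( ${2##*.} - ${1##*.} + 1 ))
}

# Count tun interfaces in "ifconfig -a" output read from stdin.
count_tun() {
  grep -c '^tun[0-9][0-9]*:' || true
}

# Permission string as printed by ls, e.g. "-r--------" for mode 0400.
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# Cross-check pptpd.conf against ppp.conf, the tun interfaces the kernel
# exposes and the file modes the HOWTO asks for. Returns 0 only if all agree.
check_config() {
  pptpd=$1; ppp=$2; secure=$3; secret=$4; ifc=$5
  status=0
  localip=$(pptpd_value "$pptpd" localip)
  remoteip=$(pptpd_value "$pptpd" remoteip)
  ifaddr=$(ppp_ifaddr "$ppp")
  ppp_server=${ifaddr%% *}
  ppp_range=${ifaddr##* }
  if [ "$localip" != "$ppp_server" ]; then
    echo "MISMATCH: localip $localip vs ppp.conf ifaddr $ppp_server"; status=1
  fi
  if [ "$(expand_range "$remoteip")" != "$(expand_range "$ppp_range")" ]; then
    echo "MISMATCH: remoteip $remoteip vs ppp.conf client range $ppp_range"; status=1
  fi
  want=$(range_size "$remoteip")
  have=$(printf '%s\n' "$ifc" | count_tun)
  if [ "$have" -lt "$want" ]; then
    echo "WARNING: $want client addresses but only $have tun interfaces (rebuild kernel / MAKEDEV)"; status=1
  fi
  [ -x "$secure" ] || { echo "WARNING: $secure is not executable"; status=1; }
  [ "$(file_mode "$secret")" = "-r--------" ] || { echo "WARNING: $secret is not mode 0400"; status=1; }
  return $status
}

# With the stock 3-tun kernel and an 8-address remoteip range this reports a warning.
check_config "$WORK/pptpd.conf" "$WORK/ppp.conf" "$WORK/secure" "$WORK/ppp.secret" "$IFCONFIG_SAMPLE" \
  || echo "Fix the items above before starting pptpd."
```

Run as-is it flags the case the HOWTO warns about in section 4 (eight client addresses, three tun devices); once the kernel is rebuilt with "pseudo-device tun 8" and the extra tun* device nodes exist, the same check passes silently.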