Date: Sat, 02 Mar 2002 23:54:02 -0500
From: Andy Sparrow <spadger@best.com>
To: goups@bigfoot.com
Cc: nsayer@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: FreeBSD Port: poptop-1.1.2
Message-ID: <20020303045402.DE3CD3E17@CRWdog.demon.co.uk>
In-Reply-To: Message from "Vincent Goupil" <vincent@pixelweb.net> of "Sat, 02 Mar 2002 15:24:25 EST." <00a901c1c228$3f911e40$0f32a8c0@nbmouaj3fsbyab>
> It seems that this port is old ?
>
> "The page http://poptop.lineo.com/ Last Updated 11 Oct, 2000"
>
> Is it supported ?

Don't know. I found that the searchable mailing lists for it contained all the information I needed to get it running well on Linux (client was an RH shop). However, I found I had to manually apply the following patches for best results:

    draftietf-pppext-mppe05.txt
    mppe_stateless.patch
    require-mppe-2.4.1.diff
    ppp-2.4.1-MSCHAPv2-fix.patch
    require-mppe.diff
    ppp-2.4.1-openssl-0.9.6-mppe-patch
    strip-MSdomain-patch.diff

And at least some of the above needed to be ported to the latest version of (Linux) PPP. Some of the above implies (Linux) kernel patches too.

The procedure would be different for FreeBSD, particularly with userland PPP. You're on your own with that.

It's more than slightly messy, time-consuming and prone to operator error. For a start, there's no central place to find all the above patches or a complete description of how to apply them and get it working. Except on my laptop... :-)

> I want to setup a FreeBSD box with incoming VPN PPTP windows tunnels.

Make sure you force 128-bit encryption, MS-CHAPv2, otherwise the VPN is fairly worthless, see any one of many documents on this. Thanks Bill. Better yet, use L2TP or IPSec.

Note that getting Win98 (yeech) to use 128 encryption is hard work, but it can be done. Don't believe the documentation files for the 2 updates that purport to upgrade this for you - they lie, and M$ pulled the necessary .EXE from their FTP site over 16 months ago and never replaced it. Google rocks... NT & 2000 pretty much Just Work.

> Is there another way ?

Look at '/usr/ports/net/mpd', it's probably the better way for FreeBSD. Personally, I'd consider an appliance solution, if you've got the money.
Low end starts @ $299 for a SnapGear Lite, which supports PPTP & IPSec, if you don't run to a Cisco 3000 concentrator :) Depends on your budget, e.g. whether it's for work or home.

You'll easily burn a day or so setting up/testing the Linux variant yourself, even if I wrote up a more complete HOW-TO for it than the one I've attached. It took quite some time to pull together all the information (and yet more to track down the missing bits of the puzzle for Win98...)

Enjoy.

Cheers,

AS

[Attachment: PPTP-Obsfucated.txt]

Fast-Track Linux PPTP Server Installation Guide
===============================================

This isn't intended to provide full details of the installation procedure, merely detail the important points, patches, patch locations etc.

Kernel:
=======

Get a Linux 2.4.5 kernel distribution. You can get this from many places. I used:

    ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.5.tar.gz

(The reason for the choice of 2.4.5 over all the other possibilities was that FreeS/WAN is verified to work on this version of the kernel, and both of these packages are known to co-exist in the same kernel).

You need to patch the kernel to provide MPPE (Microsoft Point-to-Point Encryption). This patch adds the source files, modifies the Makefiles etc. in order to provide the ppp_mppe.o kernel module, which is subsequently built if the appropriate options are selected in the kernel config (under the PPP subsection). I used the patch from here:

    http://www.advancevpn.com/public/linux-2.4.4-openssl-0.9.6a-mppe.patch

Configure a kernel. Ensure that the PPP sub-components are selected as dynamically-loaded modules, as some of them won't work if statically built.

Build and install a kernel, and the modules.
After doing the modules_install, check for this module (and the others) in /lib/modules/<KERNEL_VERSION>/kernel/drivers/net. If these are missing, something went wrong with your build. Note that ppp_mppe is necessary for encryption to work. Here's a working directory:

    -rw-r--r--   1 root     root         7524 Sep 12 16:28 slhc.o
    -rw-r--r--   1 root     root         8392 Sep 12 16:28 ppp_synctty.o
    -rw-r--r--   1 root     root         3920 Sep 12 16:28 pppox.o
    -rw-r--r--   1 root     root        11380 Sep 12 16:28 pppoe.o
    -rw-r--r--   1 root     root        26028 Sep 12 16:28 ppp_mppe.o
    -rw-r--r--   1 root     root        25340 Sep 12 16:28 ppp_generic.o
    -rw-r--r--   1 root     root        40960 Sep 12 16:28 ppp_deflate.o
    -rw-r--r--   1 root     root        10180 Sep 12 16:28 ppp_async.o
    -rw-r--r--   1 root     root         2408 Sep 12 16:28 dummy.o
    -rw-r--r--   1 root     root         6148 Sep 12 16:28 bsd_comp.o

Make sure that you have the ppp_mppe.o module, and check that your '/etc/modules.conf' file includes these lines (they don't seem to be put there auto-magically):

    alias char-major-108 ppp_generic
    alias tty-ldisc-3 ppp_async
    alias tty-ldisc-14 ppp_synctty
    alias ppp-compress-18 ppp_mppe
    alias ppp-compress-21 bsd_comp
    alias ppp-compress-24 ppp_deflate
    alias ppp-compress-26 ppp_deflate

Run 'depmod -a' as many times as you feel comfortable with :)

Reboot.

PPP:
====

Get the PPP distribution source, version 2.4.1. Do not be tempted to use 2.3.x - you want 2.4.x. I got it from:

    http://www.advancevpn.com/public

There are an unbelievable number of patches, for some (most?) revisions of this package, some of which are folded into later versions of the software (but most are not). Be careful. Here are some of the patches that are available:

    MPPE patch
    MSCHAP-v2
    Remove MS Domain name
    Force Encryption Options

You want to enable MPPE, MS-CHAP-v2 and Force Encryption. Don't be tempted by the MSCHAP-v1 patch for 2.3.x - it's already incorporated into the pppd 2.4.1 distro.
I used:

MPPE Patch:
-----------
http://www.advancevpn.com/public/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz
Adds openssl-based MPPE support to PPP. Non-optional for our purposes.

MSCHAP-V1 Patch:
----------------
This is already applied to ppp-2.4.1, so don't worry about it.

MSCHAP-v2 Patch:
----------------
http://www.advancevpn.com/public/ppp-2.4.1-MSCHAPv2-fix.patch
Fixes a problem with return status for MS-CHAP-v2.

Force Encryption Patch:
-----------------------
http://themm.net/require-mppe.diff
(You'll have to apply this by hand). Or use the local version.

Strip Domain Name Patch:
------------------------
http://themm.net/strip-MSdomain-patch.diff
This is not applied.

These last two are patches relative to 2.3.x, but aren't too hard to apply "by hand" (remind me why people don't use context diffs again?). I'll put up a Grand, Unified Everything-And-The-Kitchen-Sink 2.4.1 patch locally shortly, so no-one else has to do this.

PPP/PPTP Config files:
----------------------
Set up a '/etc/pptp.conf' file, ours looks like this:

    #pptpd.conf file
    speed 19200
    option /etc/ppp/pptp.options
    debug
    localip 192.168.1.200
    remoteip 192.168.1.201-215
    # Note that we also reserve 192.168.1.216-220
    # for "static" IPs via PPTP.

Set up the '/etc/ppp/pptp.options' file, ours looks like this (annotations in this document only):

    # WINS server
    ms-wins 192.168.1.16
    # Primary DNS
    ms-dns 192.168.1.16
    # Secondary DNS
    ms-dns 192.168.1.13
    lock
    # Tell me what's going on...
    debug
    # Allow pppd to tweak things - like ip_forward, netmask
    ktune
    # Matches 2nd field in 'chap-secrets', if used in both places
    name pptp-vpn
    noipdefault
    usepeerdns
    # Reduce MRU/MTU for busy tunnels, reduces dropped packets.
    mru 736
    mtu 736
    # Oh yeh, we want authentication...
    auth
    +chap
    +chapms-v2
    require-chapms-v2
    # Remove 40-bit when all clients upgraded/testing over
    mppe-40
    mppe-128
    mppe-stateless
    # Force stateless mppe. This is good.
    require-mppe
    require-mppe-stateless
    # Remote machines seamlessly appear in local network.
    proxyarp
    ipcp-accept-local
    ipcp-accept-remote
    # Lets us detect failed links and drop our end.
    lcp-echo-failure 3
    lcp-echo-interval 5

PPTP:
=====

Use v1.1.2. This is a development version, but most people are using this, and it hasn't changed in a fairly long time. Get it here:

    http://www.advancevpn.com/public

It pretty much Just Works - there aren't any patches necessary, AFAIK.

IP Forwarding:
==============

Ensure that you have IP forwarding enabled in the kernel, otherwise, even with Proxy ARP enabled, client(s) at the other end of the PPTP tunnel won't see or reply to your pings from other machines on the network (the clue to this situation is that the PPTP server can ping them, and the remote clients can ping the PPTP server). This will set it on (you can cat this virtual file to view the current setting, too):

    echo 1 > /proc/sys/net/ipv4/ip_forward

Note that including the 'ktune' option (in '/etc/ppp/pptp.options') will permit 'pppd' to dynamically set this itself, if appropriate, as well as adjust the netmask on the interface(s) etc.

Firewall Configuration:
=======================

Ensure that GRE (IP protocol 47) and TCP port 1723 are allowed in both directions. For our Cisco, for example, with an external IP of AAA.BBB.CCC.nnn, adding these lines would do it:

    access-list 100 permit tcp any host AAA.BBB.CCC.nnn eq 1723
    access-list 100 permit gre any host AAA.BBB.CCC.nnn

Run-Time Configuration:
=======================

Note that it is NOT necessary to stop or restart either PPTP or PPPD in order to have new user accounts noticed, or change a password (which will take effect on the next account to establish a connection, leaving any existing established connections still running).

To start it, type 'pptpd -d'. To stop it, do a 'ps' and grep for 'pp', kill the ones that look likely :) Messages are written to '/var/log/messages' - a 'tail -f' can be helpful.

Debugging:
==========

Note that the 'pptp.options' file contains a 'debug' line.
On 'bastille', the file '/etc/syslog.conf' also contains a line to control the disposition of logger messages from facility 'daemon' of level 'debug', thus:

    daemon.debug	/var/log/pppd.log

(Note that the white space above MUST be tabs, NOT spaces).

When it is no longer desired to debug PPPD connections, remove or rename the referenced file, and re-start syslogd, e.g.:

    kill -HUP `cat /var/run/syslogd.pid`

Passwords:
==========

31 character passwords work. 32 character passwords don't. Looks like one end or the other will truncate them. I'm generating 31-character random passwords with a rich character set with the following command-line:

    apg -m 31 -x 31 -r passwd/password.lst -M SNCL -a 1

(password.lst is a collated 7Mb English word dictionary I use for cracking/checking weak passwords).

One caveat: Note that a password containing a backslash ('\') character (and possibly other special characters) will NOT work. Looks like one end or the other is bodging quoting. Simply don't enter a password with this character in it :)

The following message(s) definitively mean 'login or password incorrect' (from the logfile specified in '/etc/syslog.conf'):

    Sep 24 13:28:08 bastille pppd[19661]: sent [CHAP Failure id=0x1 "I don't like you. Go 'way."]
    Sep 24 13:28:08 bastille pppd[19661]: MSCHAP-v2 peer authentication failed for remote host andy-pptp
    Sep 24 13:28:08 bastille pppd[19661]: sent [LCP TermReq id=0x5 "Authentication failed"]
    Sep 24 13:28:08 bastille pppd[19661]: rcvd [LCP TermAck id=0x5 "Authentication failed"]

Note that, if the user incorrectly specifies that the computer should supply the domain/username as part of the login (which is invalid, because we're not using that to validate the connection, but rather a set of rather more secure credentials), then you'll see that in the logfile, e.g.:

    Sep 24 13:43:34 bastille pppd[19796]: No CHAP secret found for authenticating AUSTIN\\andy

Note: There is a specific patch for stripping the Domain name from the supplied username, because at least some versions of Windows (e.g. 98) will ALWAYS supply the Domain if they've EVER been registered in a Domain, even if you've since removed every trace of the domain you can find in the dialogs... *sigh*. You can apparently track the domain down and expunge the registry entries too, but you don't want users doing this...

Enabling PPTP VPN on Windows Clients:
=====================================

Installing VPN
--------------

* Ensure Dial Up Networking is installed. Select Start->Control Panel->Add/Remove Programs.
* Select the 'Windows' Tab.
* Select 'Communications' from the scrolling list.
* Hit the 'Details' button. Scroll to the bottom, ensure that 'Virtual Private Networking' is checked. Check it if it is not.
* Feed the machine the Win98 CD as necessary.
* Reboot as prompted.

Fine, now you have the VPN (aka PPTP) capability installed. However, out-of-the-box, it uses the widely vilified and totally insecure MS-CHAP-v1 authentication protocol, and the encryption is broken (read: "does not work"). You gotta love Micro$oft.

Fixing VPN
----------

Get patched.
See this (or the local copies of same):

    http://www.bhamcland.com/ts/patches.html

Win98 & 98 SE:
--------------

Start by applying the recommended Client Service Pack, which fixes many security concerns, Y2K issues etc:

    http://www.microsoft.com/windows98/downloads/contents/WURecommended/systemupdate/Default.asp

Now might be a good time to update IE to 128-bit, by running ie501dom.exe. This supposedly also updates the underlying system to provide 128-bit encryption. Nope, didn't work for me.

Update Dial Up Networking by applying DUN14-98.EXE (Win98 ONLY) or DUN14-SE.EXE (Win98 SE ONLY). Note that these are more recent than both DUN40.EXE and VPNUPD.EXE (by 2-3 years). No, I don't know why there's a different version for 98 & 98SE... This provides 40-bit encryption and MS-CHAP-v2 support. The documents for the DUN14*.EXE upgrades state that they provide 128-bit encryption. Good luck; they lie - it didn't work...

You should now have encryption (almost certainly 40-bit only - YMMV), and MS-CHAP-v2 authentication. Nearly there..

Win98 ONLY:
-----------

Rename C:\WINDOWS\SYSTEM\PPPMAC.VXD to something else. Open the DUN128.EXE file in (e.g.) WinZip. Copy the PPPMAC.VXD from this archive to the original location. Reboot. Hey, it worked for me...

Win98SE ONLY:
-------------

Apply the DUN128.EXE update. (Untested by this author). Probably the hack above for Win98 (e.g. renaming/copying PPPMAC.VXD only) would work. (Untested by this author). Reboot.

ObSarkyComment:
---------------

It is a complete mystery to me why the above procedure is acceptable, and supposed to be easier for the user than installing a VPN client (e.g. a single install/reboot). Ho hum.

Setting Up The VPN Connection:
==============================

* Navigate to My Computer->Explore->Dial-Up Networking
* Double-click 'Make New Connection'
* Type in a name for the Connection (e.g. 'CreditMinders'), ensure that the Microsoft VPN Adaptor device is selected. Click 'Next' when done.
* Enter the hostname or IP address. Presently, use 'AAA.BBB.CCC.nnn' for external connections to 'bastille'. Click 'Next' & 'Finish'.
* Right-click on the icon just created, select 'Properties'. Select the 'Server Types' tab.
* Ensure that:
      'Log On To Network' (*)
      'Enable Software Compression' (*)
      'Require Encrypted Password'
      'Require data encryption'
  ARE checked (* = checked by default).
  Ensure that:
      'NetBEUI'
      'IPX/SPX Compatible'
  are NOT checked.
  Ensure that:
      'TCP/IP'
  IS checked.
  Now click on the 'Advanced Settings' button. Ensure that:
      'Server Assigned IP Address'
      'Server Assigned name server addresses'
      'Use IP header compression'
  ARE checked, and that:
      'Use default gateway on remote network'
  is NOT checked.
* Click 'OK' on both Properties dialog boxes, which will close.
* If desired, right-click on newly-created icon, select 'New->Shortcut'. It will ask if you wish to place this on the desktop, say 'Yes'.
* Double click new shortcut on desktop. Enter VPN login and VPN password provided by IS. Check the 'Remember Password' option if desired, but be aware that this means that anyone with access to your machine can access the VPN with it, thus loss of this machine should be reported immediately (so that the VPN account can be disabled).

You should be good to go.

Win2000 ONLY:
-------------

It shouldn't be necessary to install any additional software. It is only necessary to set up a PPTP connection. To do this:

i) Start Menu->Settings->Network and Dial-Up Connections->Make New Connection
ii) Network Connection Wizard starts. Click 'Next'
iii) Check 'Connect to a private network through the Internet', click 'Next'.
iv) If using xDSL or Cable Modem, it isn't necessary to dial an initial connection. Therefore, check 'Do not dial the initial connection', click 'Next'.
v) Type in the name or IP address of the PPTP host. 'bastille' is 192.168.1.5 internally, or AAA.BBB.CCC.nnn externally (there is no name service for this address).
vi) Type in a descriptive name for the connection, e.g. 'Corporate PPTP VPN', click 'Next'.
vii) Dialog box displays your current login name. Press 'Properties' button. Select the 'Networking' tab. Select 'Internet Protocol (TCP/IP)', and click the 'Properties' button. Press 'Advanced' button, de-select 'Use default gateway on remote network', press 'OK' three times.
    Note: Not doing the above step may mean that default traffic will be routed out over the PPTP connection, rather than your ISP.
    Note: All settings under the 'Security' tab default to the desired settings.
    Note: It may be desirable/necessary to enter DNS search information to the DNS tab in 'Advanced TCP/IP Settings', and possibly disable 'Register this connection's addresses in DNS'.
viii) Enter your assigned PPTP account name (probably NOT the same as your regular login account) and your login password (which will be long and horrible). You probably want to check the 'Save Password' button to avoid having to enter this again. If sent your password via email or in a text file, you can paste it into the password field to save having to type it at all.

If all is well, your machine should establish a PPTP connection at this point.

Additional:
-----------

Note that the internal Samba server is specifically announcing to the broadcast address of the PPTP subnet (e.g. 'remote announce AAA.BBB.CCC.255/WORKGROUP'). AFAIK, there's no way to do this with a real Windows machine, so cross-subnet browsing won't work without this. YMMV.

Verifying Windows Network Connectivity (all versions):
------------------------------------------------------

Check to ensure that you can:

i) Resolve names via DNS, e.g. the *nix servers in the office, such as 'unix1', 'unix2'. (Use 'nslookup' in a command window).
ii) Resolve names via WINS, e.g. the Win machines in the office, such as your own desktop machine etc. (Use 'nbtstat' in a command window).
iii) Browse the Network Neighbourhood for your workgroup.
iv) Connect to network shares, such as \\bigserver\public, and \\bigserver\<YOUR_NAME_HERE> etc.

If all the above works, then you're all set! Enjoy!

WARNING:
========

Your machine can now access the internal LAN (when the PPTP tunnel is running) without additional authentication, potentially from anywhere in the world. Report loss of the machine ASAP to IS. Enable locking on your screensaver. Use a non-trivial password for both your account and your screensaver (preferably don't use the same one for both).

Win9x cannot be secured. See: http://www.boran.com/security/it16-pc.html et al.

Additional Sources Of Information:
==================================

Fairly detailed. Helpful:
    http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt

Searchable. Invaluable:
    http://lists.schulte.org/mailman/listinfo/pptp-server

Obsolete Information:
=====================

(but possibly still useful as background):
    http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt
    http://www.vibrationresearch.com/pptpd/example.html
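A check for the kernel-module step of the attached guide, added here as an example; it is not part of the original message nor of the poptop or pppd projects. It verifies that the PPP modules the guide lists, ppp_mppe.o in particular, are present in the modules directory and that modules.conf carries the alias lines the guide says are not added automatically. The directory and file are parameters (the defaults are the guide's paths), and the fixture-building function constructs a throwaway tree, so the demo never reads or writes the real system.

```shell
#!/bin/sh
# Added example, not from the original message: confirm the PPP kernel modules
# were installed and that /etc/modules.conf has the aliases the guide lists.

# Modules the guide expects to see after modules_install. ppp_mppe.o is the one
# that actually provides encryption; the others are needed for pppd itself.
REQUIRED_MODULES="ppp_generic.o ppp_async.o ppp_synctty.o ppp_mppe.o ppp_deflate.o bsd_comp.o"

# Alias lines from the guide, as name:module pairs (one per line).
REQUIRED_ALIASES="char-major-108:ppp_generic
tty-ldisc-3:ppp_async
tty-ldisc-14:ppp_synctty
ppp-compress-18:ppp_mppe
ppp-compress-21:bsd_comp
ppp-compress-24:ppp_deflate
ppp-compress-26:ppp_deflate"

# check_ppp_modules [moddir] [modules.conf]
# Prints one line per problem; returns 0 only when every module and alias is present.
check_ppp_modules() {
    moddir=${1:-/lib/modules/$(uname -r)/kernel/drivers/net}
    modconf=${2:-/etc/modules.conf}
    problems=0
    for m in $REQUIRED_MODULES; do
        if [ ! -f "$moddir/$m" ]; then
            echo "missing module: $moddir/$m"
            problems=$((problems + 1))
        fi
    done
    for pair in $REQUIRED_ALIASES; do
        name=${pair%%:*}
        module=${pair#*:}
        # Accept any amount of whitespace between the three fields of an alias line.
        if ! grep -Eq "^[[:space:]]*alias[[:space:]]+$name[[:space:]]+$module([[:space:]]|$)" "$modconf" 2>/dev/null; then
            echo "missing alias in $modconf: alias $name $module"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# make_fixture <dir> <yes|no>
# Builds a constructed module tree under <dir>/net and a modules.conf that either
# includes (yes) or omits (no) the ppp_mppe alias. For demonstration only.
make_fixture() {
    dir=$1
    mkdir -p "$dir/net"
    for m in $REQUIRED_MODULES; do : > "$dir/net/$m"; done
    {
        echo "alias char-major-108 ppp_generic"
        echo "alias tty-ldisc-3 ppp_async"
        echo "alias tty-ldisc-14 ppp_synctty"
        if [ "$2" = yes ]; then echo "alias ppp-compress-18 ppp_mppe"; fi
        echo "alias ppp-compress-21 bsd_comp"
        echo "alias ppp-compress-24 ppp_deflate"
        echo "alias ppp-compress-26 ppp_deflate"
    } > "$dir/modules.conf"
}

# Stand-alone demo on a constructed fixture that forgot the ppp_mppe alias.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" no
check_ppp_modules "$demo_dir/net" "$demo_dir/modules.conf" || echo "fixture fails the check, as expected"
rm -rf "$demo_dir"
```

Run it with no arguments on the server itself to check the real paths; a non-zero exit from check_ppp_modules is the "something went wrong with your build" case the guide describes.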
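The message's central security point is that the server must force MS-CHAP-v2 and 128-bit stateless MPPE rather than merely offer them. The following audit, added as an example and not taken from the original message or from pppd, reads a pppd options file and reports which of the enforcing options from the guide's pptp.options are missing, warning separately when 40-bit MPPE is still permitted. The option names are the ones the guide's patched pppd 2.4.1 uses (stock, newer pppd releases spell some of them differently), and the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original message: audit a pppd options file for
# the options the guide uses to *force* MS-CHAP-v2 and 128-bit stateless MPPE.
# Option names follow the guide's patched pppd 2.4.1.

# Every one of these must be present, or the tunnel is "fairly worthless".
REQUIRED_OPTIONS="auth +chapms-v2 require-chapms-v2 require-mppe mppe-128 require-mppe-stateless"

# has_option <file> <option>
# Exact token match (so require-mppe does not match require-mppe-stateless),
# any number of options per line, text after '#' ignored.
has_option() {
    sed 's/#.*//' "$1" | awk '{ for (i = 1; i <= NF; i++) print $i }' | grep -Fxq -- "$2"
}

# audit_pptp_options <file>
# Prints FAIL/WARN findings; returns 0 only when every required option is set.
audit_pptp_options() {
    f=$1
    fails=0
    for opt in $REQUIRED_OPTIONS; do
        if ! has_option "$f" "$opt"; then
            echo "FAIL: $f does not set '$opt'"
            fails=$((fails + 1))
        fi
    done
    # 40-bit MPPE is the compromise the guide keeps only until every client is upgraded.
    if has_option "$f" mppe-40; then
        echo "WARN: $f still allows 40-bit MPPE (mppe-40); remove it once all clients are upgraded"
    fi
    [ "$fails" -eq 0 ]
}

# write_sample_options <dir>
# Constructed samples: the guide's own authentication/encryption block, and a
# file that only offers MS-CHAP-v1 with optional encryption.
write_sample_options() {
    cat > "$1/good.options" <<'EOF'
name pptp-vpn
auth
+chap
+chapms-v2
require-chapms-v2
# Remove 40-bit when all clients upgraded/testing over
mppe-40
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
EOF
    cat > "$1/weak.options" <<'EOF'
name pptp-vpn
auth
+chap            # MS-CHAP-v1 offered, nothing required, encryption optional
mppe-40
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_options "$demo_dir"
audit_pptp_options "$demo_dir/good.options"
audit_pptp_options "$demo_dir/weak.options" || echo "weak.options would leave the VPN fairly worthless"
rm -rf "$demo_dir"
```

Point audit_pptp_options at /etc/ppp/pptp.options on the server; the good sample passes with a single WARN about mppe-40, the weak sample fails on five missing options.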
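A triage script for the pppd log lines the guide's Passwords section quotes, added here as an example (not part of the original message). It separates the definitive "login or password incorrect" failure from the "No CHAP secret found for authenticating DOMAIN\user" case, where the Windows client is prepending a domain name, so an operator can tell a user with a wrong password from one whose client needs its domain setting fixed. The sample log is constructed from the lines quoted in the guide plus one benign pppd line.

```shell
#!/bin/sh
# Added example, not from the original message: sort pppd log lines into the
# cases the guide describes (bad password vs. domain-prefixed username).

# write_sample_log <path>
# Constructed sample: the lines quoted in the guide plus one benign line.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 24 13:28:08 bastille pppd[19661]: sent [CHAP Failure id=0x1 "I don't like you. Go 'way."]
Sep 24 13:28:08 bastille pppd[19661]: MSCHAP-v2 peer authentication failed for remote host andy-pptp
Sep 24 13:28:08 bastille pppd[19661]: sent [LCP TermReq id=0x5 "Authentication failed"]
Sep 24 13:28:08 bastille pppd[19661]: rcvd [LCP TermAck id=0x5 "Authentication failed"]
Sep 24 13:43:34 bastille pppd[19796]: No CHAP secret found for authenticating AUSTIN\\andy
Sep 24 13:50:01 bastille pppd[19802]: local  IP address 192.168.1.200
EOF
}

# triage_pppd_log <logfile>
# Prints one summary line per authentication problem. Exit status 0 means the
# log is clean; 1 means at least one problem was reported.
triage_pppd_log() {
    awk '
        # The definitive "login or password incorrect" line from the guide.
        /MSCHAP-v2 peer authentication failed for remote host/ {
            print "AUTH-FAIL   peer=" $NF
            found++
        }
        # No chap-secrets entry matched the name the client sent.
        /No CHAP secret found for authenticating/ {
            user = $NF
            # A backslash means Windows prepended DOMAIN\: fix the client dialog
            # or apply the strip-MSdomain patch, rather than resetting the password.
            if (index(user, "\\") > 0)
                print "DOMAIN-USER name=" user "  (client sent a domain prefix)"
            else
                print "NO-SECRET   name=" user "  (no chap-secrets entry)"
            found++
        }
        END { exit (found > 0) }
    ' "$1"
}

# Stand-alone demo on the constructed sample (nothing on the system is read).
demo_log=$(mktemp)
write_sample_log "$demo_log"
triage_pppd_log "$demo_log" || echo "problems found (expected for the sample)"
rm -f "$demo_log"
```

Against the /var/log/pppd.log the guide's syslog.conf line produces, this gives a quick answer to the question the guide raises: a DOMAIN-USER entry is a client configuration problem, not a credential problem.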
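The guide generates 31-character passwords with apg and notes that a backslash breaks authentication. As an added example (not from the original message, and not apg), this draws a password of the same length from /dev/urandom, restricts the character set to leave out the backslash and the quoting characters the guide warns about, and supplies the validation an administrator can apply before adding a secret to chap-secrets. The required-classes rule (symbol, number, capital, lower case) mirrors apg's -M SNCL; the 31-character ceiling is the one the guide observed empirically.

```shell
#!/bin/sh
# Added example, not from the original message: generate and validate VPN
# passwords within the limits the guide observed (31 characters, no backslash).
LC_ALL=C
export LC_ALL

# Allowed characters: letters, digits and a symbol set that deliberately omits
# backslash, quotes, whitespace and the shell-special $ and ` characters.
PW_CHARS='A-Za-z0-9!#%+,.:;=?@^_~-'
PW_LEN=31

# vpn_password_ok <password>
# Returns 0 if the password is 1..31 characters long and contains no backslash.
vpn_password_ok() {
    pw=$1
    [ "${#pw}" -ge 1 ] && [ "${#pw}" -le "$PW_LEN" ] || return 1
    case $pw in
        *\\*) return 1 ;;   # backslash: the guide says one end mangles the quoting
    esac
    return 0
}

# has_all_classes <password>
# Mirrors apg's -M SNCL: at least one symbol, digit, capital and lower-case letter.
has_all_classes() {
    case $1 in *[A-Z]*) ;; *) return 1 ;; esac
    case $1 in *[a-z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# gen_vpn_password
# Prints one 31-character password drawn from PW_CHARS that passes both checks.
gen_vpn_password() {
    while :; do
        pw=$(tr -dc "$PW_CHARS" < /dev/urandom | head -c "$PW_LEN")
        if vpn_password_ok "$pw" && has_all_classes "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Stand-alone demo: print one password that satisfies the guide's constraints.
gen_vpn_password
```

The two checks are kept separate on purpose: vpn_password_ok is the rule the server side should enforce on any secret it is handed, whatever tool generated it, while has_all_classes is only a quality requirement for freshly generated ones.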
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020303045402.DE3CD3E17>