This is a discussion on Recipe for PPTP VPN from Debian to MS Server within the Linux Networking forums, part of the Linux Forums category.
Recipe for PPTP VPN from Debian to MS Server
Required Packages
-----------------
The versions of the following packages in testing as of 2007/09/18 work for this recipe.

1. Kernel image: Includes the module ppp_mppe, which had to be built with m-a in some earlier versions.
2. pptp-linux
3. ppp

Terms
-----
domain        Windows domain name
user          Windows user ID
password      Windows user password
pptp_server   Remote Windows machine that will be at the other end of the VPN/tunnel (either name or IP address is fine).
my_tunnel     What we will call the VPN/tunnel we want to start.
my_gw_IP      Your local gateway; such as the broadband router at home, or the hotel router. The output of ifconfig will help you determine this.
my_nw_if      Network interface you use to connect to the internet; such as eth1 (wireless device on my notebook), or wlan0, etc. The output of ifconfig will help you determine this.
pptp_vpn_if   What the new interface representing my_tunnel will be called. Will be ppp0 usually. If your internet connection is through a modem, that interface will be ppp0 and this one will be ppp1.

Files
-----
In the following, replace terms in angle braces, like <my_gw_IP>, with its value, like 192.168.1.1. All files will be owned by root, and the VPN will be started as root. There are 6 files (A through F) described below. Once these files are in place, start the tunnel with

    pon <my_tunnel>

You can observe the progress of the connection with

    tail -f /var/log/syslog

If you like, you can add this command to the gkrellm launcher plugin, or other launcher (you need to use sudo so that pon can run as root).

A. /etc/ppp/peers/<my_tunnel>
Create this file specifically for this tunnel.

--- begin file ---
remotename <my_tunnel>
linkname <my_tunnel>
ipparam <my_tunnel>
pty "pptp <pptp_server> --nolaunchpppd "
name <domain>\\<user>
usepeerdns
require-mppe
refuse-eap
noauth
file /etc/ppp/options.pptp
--- end file ---

B. /etc/ppp/chap-secrets
Add the following line to this file, which already exists.

--- begin addition ---
<domain>\\<user> <my_tunnel> <password> *
--- end addition ---

C. /etc/ppp/ip-up.d/<my_tunnel>
Create this file specifically for this tunnel. Once you set up the VPN, MS PPTP wants all traffic to go through the VPN. So these files, C & D, make the necessary changes to the routing. These files are simplified by using hard-coded values specific to this tunnel. If you will be connecting from many different networks, you can generalize them using the variables described in /etc/ppp/ip-up.

--- begin file ---
#!/bin/sh
# pppd ip-up script for all-to-tunnel routing

## direct tunnelled packets to the tunnel server
route add -host <pptp_server> gw <my_gw_IP> dev <my_nw_if>

## direct all other packets into the tunnel
route del default dev <my_nw_if>
route add default dev <pptp_vpn_if>
--- end file ---

D. /etc/ppp/ip-down.d/<my_tunnel>
Create this file specifically for this tunnel.

--- begin file ---
#!/bin/sh
route del -host <pptp_server> dev <my_nw_if>
route del default dev <pptp_vpn_if>
route add default dev <my_nw_if>
--- end file ---

E. /etc/ppp/options.pptp
This file is as distributed - no changes are required. I provide it for reference only.

--- begin file ---
###############################################################################
# $Id: options.pptp,v 1.1 2005/02/18 01:40:23 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###############################################################################

# Lock the port
lock

# Authentication
# We don't need the tunnel server to authenticate itself
noauth

# We won't do EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
#refuse-eap
#refuse-chap
#refuse-mschap

# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)

# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# {{{
# Require MPPE 128-bit encryption
require-mppe-128
# }}}

# http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
#mppe required,stateless
# }}}
--- end file ---

F. /etc/ppp/options
No changes are required to this file. I provide it for reference only. It is as distributed, except that it was very long, so I took out all the comments and options that were commented out.

--- begin file ---
# /etc/ppp/options
#
# Originally created by Jim Knoble <jmknoble@mercury.interpath.net>
# Modified for Debian by alvar Bray <alvar@meiko.co.uk>
# Modified for PPP Server setup by Christoph Lameter <clameter@debian.org>
#
# To quickly see what options are active in this file, use this command:
# egrep -v '#|^ *$' /etc/ppp/options

asyncmap 0
auth
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
--- end file ---
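
The generalization of files C and D that the recipe mentions (using the variables exported by /etc/ppp/ip-up), written out as an added example that is not part of the original post. It uses iproute2's ip in place of the route command, and the tunnel name, the server address (a documentation-range placeholder) and the state-file path are assumptions.

```sh
#!/bin/sh
# Added example: generalized files C and D. Install as
# /etc/ppp/ip-up.d/<my_tunnel> and symlink it into /etc/ppp/ip-down.d/.
# Assumptions: iproute2 is installed; the three values below are placeholders.
TUNNEL="my_tunnel"          # must equal "ipparam" in the peers file
PPTP_SERVER="192.0.2.10"    # constructed address, stands in for <pptp_server>
STATE="/var/run/pptp-$TUNNEL.route"   # hypothetical state file

# Read `ip -4 route show default` output on stdin; print "<gateway> <device>"
# of the first default route. Gateway is "-" for a point-to-point default
# route such as "default dev ppp0" on a modem link.
parse_default_route() {
    awk '$1 == "default" {
        gw = "-"; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (dev != "") { print gw, dev; exit }
    }'
}

# Print `ip route` arguments: $1 = destination, $2 = gateway or "-", $3 = device
route_args() {
    if [ "$2" = "-" ]; then echo "$1 dev $3"; else echo "$1 via $2 dev $3"; fi
}

tunnel_up() {
    old=$(ip -4 route show default | parse_default_route)
    [ -n "$old" ] || { echo "$0: no default route found" >&2; return 1; }
    echo "$old" > "$STATE"      # remembered for ip-down
    # Keep the encapsulated PPTP packets on the physical link, everything else
    # goes into the tunnel ($old is split into gateway and device on purpose).
    ip route replace $(route_args "$PPTP_SERVER/32" $old)
    ip route replace default dev "$PPP_IFACE"
}

tunnel_down() {
    [ -r "$STATE" ] || return 0
    read -r gw dev < "$STATE"
    ip route del "$PPTP_SERVER/32" 2>/dev/null
    # Put the old default back only if replacing it above removed it.
    [ -n "$(ip -4 route show default)" ] || ip route add $(route_args default "$gw" "$dev")
    rm -f "$STATE"
}

# pppd runs these scripts for every PPP link; act only on this tunnel.
if [ "${PPP_IPPARAM:-}" = "$TUNNEL" ]; then
    case "$0" in */ip-down.d/*) tunnel_down ;; *) tunnel_up ;; esac
fi
```

The script has to be executable, since run-parts skips files in ip-up.d and ip-down.d that are not.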