PPTP server
Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
This entry will show you on how to create a PPTP server in Arch.
Installation
Configuration
/usr/share/doc/pptpd
directory.A typical configuration may look like:
/etc/pptpd.conf
# Read man pptpd.conf, see samples in /usr/share/doc/pptpd # and write your pptpd configuration here # pppd options file. By default, /etc/ppp/options is used option /etc/ppp/options.pptpd # Server IP in local network localip 192.168.1.2 # IP address ranges used to assign IPs to new connecting clients # Here we define two ranges for our 192.168.1.* subnet: 234-238 and 245 remoteip 192.168.1.234-238,192.168.1.245
Now create the pppd options file, in our example this is /etc/ppp/options.pptpd
:
/etc/ppp/options.pptpd
# Read man pppd to see the full list of available options # The name of the local system for authentication purposes name pptpd # Refuse PAP, CHAP or MS-CHAP connections but accept connections with # MS-CHAPv2 or MPPE with 128-bit encryption refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 # Add entry to the ARP system table proxyarp # For the serial device to ensure exclusive access to the device lock # Disable BSD-Compress and Van Jacobson TCP/IP header compression nobsdcomp novj novjccomp # Disable file logging nolog # DNS servers for Microsoft Windows clients. Using Google's public servers here ms-dns 8.8.8.8 ms-dns 8.8.4.4
Now create credentials file for authenticating users:
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP # client server secret IP addresses user2 pptpd 123 *
Now you can be authenticated with user2 as username and 123 for password.
Create a sysctl configuration file /etc/sysctl.d/30-ipforward.conf
and enable kernel packet forwarding that allow connecting clients to have access to your subnet (see also Internet Share#Enable packet forwarding):
/etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
Now apply changes to let the sysctl configuration take effect:
# sysctl --system
iptables firewall configuration
Configure your iptables settings to enable access for PPTP Clients
# Accept all packets via ppp* interfaces (for example, ppp0) iptables -A INPUT -i ppp+ -j ACCEPT iptables -A OUTPUT -o ppp+ -j ACCEPT # Accept incoming connections to port 1723 (PPTP) iptables -A INPUT -p tcp --dport 1723 -j ACCEPT # Accept GRE packets iptables -A INPUT -p 47 -j ACCEPT iptables -A OUTPUT -p 47 -j ACCEPT # Enable IP forwarding iptables -F FORWARD iptables -A FORWARD -j ACCEPT # Enable NAT for eth0 on ppp* interfaces iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
Now save the new iptables rules with:
# iptables-save > /etc/iptables/iptables.rules
To load /etc/iptables/iptables.rules automatically after boot, enable the iptables.service
unit.
# systemctl enable iptables.service
Read Iptables for more information.
UFW firewall configuration
Configure your ufw settings to enable access for PPTP Clients.
You must change default forward policy in /etc/default/ufw
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Now change /etc/ufw/before.rules
, add following code after header and before *filter line
/etc/ufw/before.rules
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from clients to eth0 -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE # commit to apply changes COMMIT
Allow GRE packets (protocol 47) in /etc/ufw/before.rules
, find the line with: # drop INVALID packets
and add rule:
/etc/ufw/before.rules
# drop INVALID packets (logs these in loglevel medium and higher) -A ufw-before-input -p 47 -i $iface -j ACCEPT -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
Open pptp port 1723
ufw allow 1723
Restart ufw for good measure
ufw disable ufw enable
Start the server
Now you can start and enable your PPTP Server using pptpd.service
.
Troubleshooting
As with any service, see Systemd#Troubleshooting to investigate errors.
Error 619 on the client side
Search for the logwtmp
option in /etc/pptpd.conf
and comment it out. When this is enabled, wtmp will be used to record client connections and disconnections.
#logwtmp
pptpd[xxxxx]: Long config file line ignored
Add a blank line at the end of /etc/pptpd.conf
. [1]
ppp0: ppp: compressor dropped pkt
If you have this error while a client is connected to the server, add the following script to /etc/ppp/ip-up.d/mppefixmtu.sh
:
#!/bin/sh CURRENT_MTU="`ip link show $1 | grep -Po '(?<=mtu )([0-9]+)'`" FIXED_MTU="`expr $CURRENT_MTU + 4`" ip link set $1 mtu $FIXED_MTU
Make the script executable:
# chmod 755 /etc/ppp/ip-up.d/mppefixmtu.sh
See also: [2]