| Tutorial details | |
|---|---|
| Difficulty | Intermediate |
| Root privileges | Yes |
| Requirements | OpenBSD |
pptp manages a virtual private network (VPN) connection using Microsoft's PPTP protocol, which carries the tunneled traffic over IP GRE. pptp runs ppp on a pseudo-tty to negotiate the connection with MS-CHAP authentication.
Warning: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.
Installation
First, set the PKG_PATH variable used by pkg_add, enter:
# export PKG_PATH=http://mirror.esc7.net/pub/OpenBSD/`uname -r`/packages/`machine -a`/
Type the following command to install pptp client:
# pkg_add -i -v pptp
Sample outputs:
pptp-1.7.2p3: ok
--- +pptp-1.7.2p3 -------------------
PPTP IS NOT SECURE, see /usr/local/share/doc/pptp/PROTOCOL-SECURITY and
http://www.schneier.com/pptp.html for more information.
Sample setup
This example assumes that you want to use pptp to connect to a VPN and use the VPN connection to route traffic as follows:
- Your VPN server IP address for the remote office - 202.54.1.2
- Your VPN username - nixcraft
- Your VPN password - candyBar
- Network - 10.0.0.0/8. I am using this subnet for routing VPN traffic.
On the client side:
- OpenBSD 5.x amd64/i386.
- VPN client - pptp.
- VPN config file name - /etc/ppp/ppp.conf
- VPN interface name - tun0
Configuration
First, edit /etc/ppp/ppp.conf, enter:
# vi /etc/ppp/ppp.conf
Add an entry for the VPN connection:
## set default options for ppp. See man page ##
default:
 set log Phase Chat LCP IPCP CCP tun command
## define our label. Use this label when connecting ##
office:
 ## set server ip / host
 set device "!/usr/local/sbin/pptp --nolaunchpppd 202.54.1.1"
 ## Login name/username
 set authname nixcraft
 ## Login password
 set authkey candyBar
 ## Set other values
 set timeout 0
 set ifaddr 0 0
 ## routing
 add 10.0.0.0/8 hisaddr
 disable ipv6cp
 set mppe 128 stateless
Save and close the file.
How do I connect?
Simply type the following command:
# ppp -ddial office
Type the following command to watch the connection log:
# tail -f /var/log/daemon
Dec 1 12:52:23 router pptp[16271]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: deflink: LayerStart
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: deflink: SendConfigReq(1) state = Stopped
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: ACFCOMP[2]
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: PROTOCOMP[2]
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: ACCMAP[6] 0x00000000
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: MRU[4] 1500
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: MAGICNUM[6] 0x4c01d09d
Dec 1 12:52:23 router ppp[3973]: tun0: LCP: deflink: State change Stopped --> Req-Sent
Dec 1 12:52:23 router pptp[16271]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Dec 1 12:52:23 router pptp[16271]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Dec 1 12:52:24 router pptp[16271]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Dec 1 12:52:24 router pptp[16271]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Dec 1 12:52:24 router pptp[16271]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 28621).
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: RecvConfigReq(41) state = Req-Sent
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: ACFCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: PROTOCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MRU[4] 1500
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MAGICNUM[6] 0x7edc7e64
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: SendConfigAck(41) state = Req-Sent
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: ACFCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: PROTOCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MRU[4] 1500
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MAGICNUM[6] 0x7edc7e64
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: State change Req-Sent --> Ack-Sent
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: RecvConfigAck(1) state = Ack-Sent
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: ACFCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: PROTOCOMP[2]
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: ACCMAP[6] 0x00000000
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MRU[4] 1500
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: MAGICNUM[6] 0x4c01d09d
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: State change Ack-Sent --> Opened
Dec 1 12:52:24 router ppp[3973]: tun0: LCP: deflink: LayerUp
Dec 1 12:52:24 router ppp[3973]: tun0: Phase: bundle: Authenticate
Dec 1 12:52:24 router ppp[3973]: tun0: Phase: deflink: his = CHAP 0x81, mine = none
Dec 1 12:52:24 router ppp[3973]: tun0: Phase: Chap Input: CHALLENGE (16 bytes)
Dec 1 12:52:25 router ppp[3973]: tun0: Phase: Chap Output: RESPONSE (SL98420)
Dec 1 12:52:25 router ppp[3973]: tun0: Phase: Chap Input: SUCCESS (S=F07D6A8715A54326BD8D8330DBFA54CC12EC5B4E)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: FSM: Using "deflink" as a transport
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: State change Initial --> Closed
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: LayerStart.
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: SendConfigReq(1) state = Closed
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: DEFLATE[4] win 15
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: PRED1[2]
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: State change Closed --> Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: Phase: deflink: lcp -> open
Dec 1 12:52:25 router ppp[3973]: tun0: Phase: bundle: Network
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: FSM: Using "deflink" as a transport
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: State change Initial --> Closed
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: LayerStart.
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: SendConfigReq(1) state = Closed
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 0.0.0.0
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: COMPPROTO[6] 16 VJ slots with slot compression
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: State change Closed --> Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: RecvConfigReq(6) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 10.0.31.18
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: COMPPROTO[6] 16 VJ slots without slot compression
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: SendConfigAck(6) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 10.0.31.18
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: COMPPROTO[6] 16 VJ slots without slot compression
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: State change Req-Sent --> Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigReq(4) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000060 (128/40 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: SendConfigNak(4) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigRej(1) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: DEFLATE[4] win 15
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: PRED1[2]
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: SendConfigReq(2) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: RecvConfigNak(1) state = Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 10.1.3.60
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] changing address: 0.0.0.0 --> 10.1.3.60
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: SendConfigReq(2) state = Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 10.1.3.60
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: COMPPROTO[6] 16 VJ slots with slot compression
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigReq(5) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: SendConfigAck(5) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: State change Req-Sent --> Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigAck(2) state = Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: State change Ack-Sent --> Opened
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: LayerUp.
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE: Input channel initiated
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE: Output channel initiated
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: Out = MPPE[18], In = MPPE[18]
Dec 1 12:52:25 router ppp[3973]: tun0: LCP: Reducing MTU from 1500 to 1498 (CCP requirement)
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: RecvConfigAck(2) state = Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: IPADDR[6] 10.1.3.60
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: COMPPROTO[6] 16 VJ slots with slot compression
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: State change Ack-Sent --> Opened
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: deflink: LayerUp.
Dec 1 12:52:25 router ppp[3973]: tun0: IPCP: myaddr 10.1.3.60 hisaddr = 10.0.31.18
Dec 1 12:52:25 router ppp[3973]: tun0: LCP: Reducing MTU from 1500 to 1498 (CCP requirement)
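The CCP exchange in the log above is where the encryption strength is settled: the server first offers 128/40-bit MPPE (0x01000060), the client NAKs it, and the peer then acknowledges 128-bit stateless MPPE (0x01000040). The following check is an added example, not code from the tutorial or the pptp project; it pulls the acknowledged MPPE option out of such log lines so a script can refuse to treat the tunnel as up when anything weaker was negotiated, and the log lines it embeds are constructed in the format shown above.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the pptp project: confirm from
# the ppp daemon log that CCP opened with 128-bit MPPE. The log lines below are
# constructed in the format shown in the tutorial; on a live system feed
#   grep 'tun0: CCP' /var/log/daemon
# into the functions instead.

# Read ppp log lines on stdin and print the MPPE option the peer acknowledged:
# the "MPPE[6] value ... (...)" line directly after a CCP RecvConfigAck. Fail
# when CCP never reached Opened or no acknowledged MPPE line was seen.
mppe_negotiated() {
    awk '
        /CCP: deflink: RecvConfigAck/ { want = 1; next }
        want && /CCP: MPPE\[6\] value/ {
            sub(/.*\(/, ""); sub(/\).*/, "")   # keep the text in parentheses
            mppe = $0; want = 0; next
        }
        { want = 0 }
        /CCP: deflink: State change .* --> Opened/ { opened = 1 }
        END { if (opened && mppe != "") { print mppe; exit 0 } exit 1 }'
}

# Succeed only when the acknowledged option is 128-bit MPPE; 40/56-bit or a
# missing MPPE option is reported on stderr and fails the check.
mppe_is_128() {
    v=$(mppe_negotiated) || { echo "CCP did not open with MPPE" >&2; return 1; }
    case "$v" in
        "128 bits"*) return 0 ;;
        *) echo "weak MPPE negotiated: $v" >&2; return 1 ;;
    esac
}

# Constructed sample: server offers 128/40, client NAKs, peer acks 128 stateless.
SAMPLE_LOG='Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigReq(4) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000060 (128/40 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: SendConfigNak(4) state = Req-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: RecvConfigAck(2) state = Ack-Sent
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: MPPE[6] value 0x01000040 (128 bits, stateless)
Dec 1 12:52:25 router ppp[3973]: tun0: CCP: deflink: State change Ack-Sent --> Opened'

printf '%s\n' "$SAMPLE_LOG" | mppe_is_128 && echo "tunnel encryption OK"
```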
How do I verify connectivity?
Type the following command to see tun0 configuration:
# ifconfig | less
OR
# ifconfig tun0
Sample outputs:
Type the following command to see the routing table for the VPN subnet:
# netstat -nr
OR
# netstat -f inet -nr
Sample outputs:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.1.2 UGS 1 374 - 8 vr0
10/8 10.0.31.18 UGS 0 0 1498 8 tun0
10.0.31.18 10.1.3.60 UH 1 0 1498 4 tun0
127/8 127.0.0.1 UGRS 0 0 33196 8 lo0
127.0.0.1 127.0.0.1 UH 2 0 33196 4 lo0
173.192.255.227 192.168.1.2 UGHD 2 376 - L 56 vr0
192.168.1/24 link#1 UC 2 0 - 4 vr0
192.168.1.2 74:44:01:40:57:fb UHLc 2 32 - 4 vr0
192.168.1.5 b8:ac:6f:65:31:e5 UHLc 1 2558 - 4 vr0
192.168.1.117 127.0.0.1 UGHS 0 0 33196 8 lo0
224/4 127.0.0.1 URS 0 0 33196 8 lo0
Finally, send ICMP ECHO_REQUEST packets to network hosts:
# ping -c4 10.10.29.72
Sample outputs:
PING 10.10.29.72 (10.10.29.72): 56 data bytes
64 bytes from 10.10.29.72: icmp_seq=0 ttl=61 time=271.268 ms
64 bytes from 10.10.29.72: icmp_seq=1 ttl=61 time=271.719 ms
64 bytes from 10.10.29.72: icmp_seq=2 ttl=61 time=272.265 ms
64 bytes from 10.10.29.72: icmp_seq=3 ttl=61 time=273.535 ms
--- 10.10.29.72 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 271.268/272.196/273.535/1.062 ms
You can use the traceroute command to print the route packets take to a network host:
# traceroute 10.10.29.72
Recommended configuration
The pptp man page recommends the following configuration if you want to use pptp to connect to a VPN and use the VPN connection as your default route.
# cat /etc/ppp/ppp.conf
Sample outputs:
default:
 set log Phase Chat LCP IPCP CCP tun command
office:
 set device "!/usr/local/sbin/pptp --nolaunchpppd 202.54.1.1"
 set authname nixcraft
 set authkey candyBar
 set mppe 128 stateless
Next, you need to configure routing in /etc/ppp/ppp.linkup:
# cat /etc/ppp/ppp.linkup
Sample outputs:
office:
 add! default HISADDR
If 202.54.1.1 does not reside on the local network, you have to add a host route pointing to 202.54.1.1 in order to avoid a chicken-and-egg problem once the default route is set to the VPN tunnel. Assuming the standard default route is 192.168.1.254:
# cat /etc/ppp/ppp.linkup
Sample outputs:
office:
 add 202.54.1.1 192.168.1.254
 add! default HISADDR
If your default route is not fixed, for example if you connect to the VPN from many different networks while on the road, use a script to figure out the current default route and add the host route to the VPN gateway. For example:
# cat /etc/ppp/vpn-default-route.sh
Sample outputs:
#!/bin/sh
# Find the gateway of the current default route (the "default" entry)
gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
# Pin the VPN server behind that gateway so the PPTP/GRE traffic keeps
# leaving through the existing uplink once the default route moves to tun0
/sbin/route add -host 202.54.1.1 ${gw}
Call the script from /etc/ppp/ppp.linkup:
office:
 ! sh /etc/ppp/vpn-default-route.sh
 add default HISADDR
Make sure the changes to the routing table are reversed in /etc/ppp/ppp.linkdown:
# cat /etc/ppp/ppp.linkdown
Sample outputs:
office:
 delete 202.54.1.1
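The script above trusts whatever netstat reports as the default route. The variant below is an added example, not code from the tutorial or the pptp man page: it parses the same netstat -rn -f inet output, fails cleanly when no default route exists, and refuses to use a gateway that already sits on a tun interface, since a host route to the VPN server through the tunnel would send the PPTP control and GRE traffic into the tunnel it is supposed to carry. VPN_SERVER and the embedded routing table are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the pptp project: a more
# defensive variant of vpn-default-route.sh. It reads "netstat -rn -f inet"
# output on stdin, picks the gateway of the default route, and refuses to use
# one that is reached over a tun interface (a host route to the VPN server
# through the tunnel itself would break the connection). The server address
# and the routing table below are constructed sample values.

VPN_SERVER="202.54.1.1"

# Print "gateway iface" of the default route read from stdin; fail if none.
default_gateway() {
    awk '$1 == "default" { print $2, $NF; found = 1; exit }
         END { if (found) exit 0; exit 1 }'
}

# Print the route(8) command that pins VPN_SERVER to the current default
# gateway, or fail (non-zero, message on stderr) when that would be unsafe.
host_route_cmd() {
    gw_line=$(default_gateway) || { echo "no default route found" >&2; return 1; }
    gw=${gw_line% *}
    iface=${gw_line#* }
    case "$iface" in
        tun*) echo "default route already on $iface, not routing $VPN_SERVER into the tunnel" >&2
              return 1 ;;
    esac
    echo "/sbin/route add -host $VPN_SERVER $gw"
}

# Constructed routing table in the layout netstat prints on OpenBSD.
SAMPLE_TABLE='Routing tables
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.2        UGS        1      374     -     8 vr0
192.168.1/24       link#1             UC         2        0     -     4 vr0'

# In vpn-default-route.sh you would run the live table instead:
#   cmd=$(netstat -rn -f inet | host_route_cmd) && $cmd
printf '%s\n' "$SAMPLE_TABLE" | host_route_cmd
```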
See also
- Linux PPTP client installation and configuration.
- FreeBSD PPTP client installation and configuration.
- man pages - ppp and pptp
1 comment
Hello,
You should have used npppd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=npppd) which is in base since 5.0, easier to configure and understand and supports L2TP.