With this tip you will be able to work from home over VPN from a Linux / FreeBSD system, connecting to the proprietary Microsoft Point-to-Point VPN server.
Different organizations use different VPN connection options such as SSL, PPTP or IPsec. When you need to access the corporate network and its services, you need to log in using VPN.
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. It works at the data link layer (layer 2) of the TCP/IP model. Personally I prefer IPsec. PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. It allows connection to a PPTP-based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers.
But many organizations use PPTP because it is easy to use and works with Windows, Mac OS X, Linux/*BSD and other handheld devices.
Compatibility note
I've tested these instructions and pptp on:
[a] CentOS / RHEL / Fedora Core Linux running 2.6.15+ kernel
[b] Ubuntu and Debian Linux running 2.6.15+ kernel
[c] FreeBSD etc
I've found that pptp client is 100% compatible with the following servers/products:
[a] Microsoft Windows VPN Server
[b] Linux PPTP Server
[c] Cisco PIX etc
How do I install PPTP client under Linux?
Most distros ship a PPTP client package called pptp-linux, which is the client for the proprietary Microsoft Point-to-Point Tunneling Protocol. Use the apt-get or yum command to install the pptp client:
$ sudo apt-get install pptp-linux network-manager-pptp
Fedora Core users can install the client using the rpm command:
# rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm
# yum --enablerepo=pptp-stable install pptpconfig
[a] network-manager-pptp or pptpconfig - A gui network management framework (PPTP plugin) for network-admin tool (frontend)
[b] pptp-linux - Point-to-Point Tunneling Protocol (PPTP) command line client
How do I configure client using command line (cli)?
You need to edit / create the following configuration files:
- /etc/ppp/chap-secrets - Add your login name / password for authentication using CHAP. Pppd stores secrets for use in authentication in secrets files.
- /etc/ppp/peers/myvpn-name - A dialup connection authenticated with PAP / CHAP configuration file. You need to add your dialup server name and other information in this file.
Sample configuration data
- PPTP server name: pptp.vpn.nixcraft.com
- VPN User Name : vivek
- VPN Password: VpnPassword
- Connection name: delhi-idc-01
Open /etc/ppp/chap-secrets file:
# vi /etc/ppp/chap-secrets
OR
$ sudo vi /etc/ppp/chap-secrets
Append line as follows:
vivek PPTP VpnPassword *
Save and close the file.
Create a connection file called /etc/ppp/peers/delhi-idc-01 (replace delhi-idc-01 with your connection name such as office or vpn):
# vi /etc/ppp/peers/delhi-idc-01
Append configuration data as follows:
pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd"
name vivek
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam delhi-idc-01
Close and save the file. Where,
- pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd": Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.) In this case we are using the pptp client to establish the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). pptp.vpn.nixcraft.com is my host name (or IP address) for the PPTP server. The --nolaunchpppd option means do not launch pppd but use stdin as the network connection. Use this flag when including pptp as a pppd connection process using the pty option.
- name vivek: VPN username
- remotename PPTP: Set the assumed name of the remote system for authentication purposes to name. If you don't know the name, ask your network administrator.
- require-mppe-128: Require the use of MPPE, with 128-bit encryption. Traffic must be encrypted.
- file /etc/ppp/options.pptp: Read and apply all pppd options from options.pptp file. Options used by PPP when a connection is made by a PPTP client.
- ipparam delhi-idc-01 : Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts (optional).
Route traffic via ppp0
To route traffic via the ppp0 interface, add the following route command to /etc/ppp/ip-up.d/route-traffic:
# vi /etc/ppp/ip-up.d/route-traffic
Append the following sample code (modify NET and IFACE as per your requirements):
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
Save and close the file, then make it executable:
# chmod +x /etc/ppp/ip-up.d/route-traffic
Task: connect to PPTP server
Now you need to dial out to your office VPN server. This is the most common use of pppd. This can be done with a command such as:
# pppd call delhi-idc-01
If everything went correctly you should be online and ppp0 should be up. The remote server will assign an IP address and other routing information. Here is the message from my /var/log/messages file:
# tail -f /var/log/messages
Output:
Jun 11 23:38:00 vivek-desktop pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Connect: ppp0 <--> /dev/pts/4
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local IP address 10.5.3.44
Jun 11 23:38:05 vivek-desktop pppd[30088]: remote IP address 10.0.5.18
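The "MPPE 128-bit stateless compression enabled" line is the one that shows the tunnel is encrypted. The following added example (not part of the original article) scans pppd syslog lines and reports, per pppd PID, whether the session that received an IP address had negotiated MPPE first. The function names and the second sample session are constructed for illustration.

```shell
#!/bin/sh
# Added example: report, per pppd process, whether the link that came up
# negotiated MPPE 128-bit. Function names and sample data are illustrative.

# Constructed sample: the first session mirrors the log shown above; the
# second is a made-up session (documentation IP range) where CCP failed.
sample_log() {
cat <<'EOF'
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local IP address 10.5.3.44
Jun 12 09:10:01 vivek-desktop pppd[31200]: Using interface ppp0
Jun 12 09:10:02 vivek-desktop pppd[31200]: CHAP authentication succeeded
Jun 12 09:10:02 vivek-desktop pppd[31200]: CCP terminated by peer (No compression negotiated)
Jun 12 09:10:03 vivek-desktop pppd[31200]: local IP address 192.0.2.44
EOF
}

# check_mppe: read syslog lines on stdin and print "<pid> <local-ip> <status>"
# for every pppd session that reached "local IP address".
# Exit status is 1 if any such session came up without MPPE 128-bit.
check_mppe() {
    awk '
    match($0, /pppd\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 5, RLENGTH - 8)   # digits between [ and ]
        msg = substr($0, RSTART + RLENGTH)          # text after "]: "
        if (msg ~ /^MPPE 128-bit .*enabled/) mppe[pid] = 1
        if (msg ~ /^local +IP address /) {
            n = split(msg, f, " ")
            status = (pid in mppe) ? "mppe-128" : "UNENCRYPTED"
            if (status == "UNENCRYPTED") bad = 1
            print pid, f[n], status
            delete mppe[pid]                        # a PID may be reused later
        }
    }
    END { exit bad + 0 }
    '
}

# Typical use: check_mppe < /var/log/messages
sample_log | check_mppe || echo "at least one session came up without MPPE" >&2
```

An UNENCRYPTED result means the peers file for that connection did not enforce require-mppe-128 and should be corrected before the link is used again.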
Task: Disconnect PPTP server vpn connection
Simply kill the pppd service. Enter:
# killall pppd
OR
# kill {pppd-PID}
How do I configure PPTP client using GUI tools?
If you are using Debian / Ubuntu, just click on Network configuration Icon on taskbar > VPN Connection > Configure VPN > Add:
Click forward :
Select PPTP tunnel > Forward:
Enter Connection Name, VPN Server / Gateway hostname/IP address > Click on different tabs to configure other parameters > Forward >
Save and close the dialog box. To connect via VPN click on Network Icon > Select VPN Connection > Connection name (Mumbai VSNL IDC) > Enter your VPN username and password and click on Ok

If you are using Fedora Core Linux, run pptpconfig as root and just follow the on-screen instructions:
# pptpconfig &
Troubleshooting hints
If the connection fails, you might need to gather more information and try out the following troubleshooting tips.
Q. I'm authenticated successfully but cannot route traffic...
A. Add the route manually with the ip command:
# ip route add {NETWORK} dev ppp0
# ip route add 10.0.0.0/8 dev ppp0
Or use the route command:
# route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0
Q. I'm authenticated successfully, I can ping the remote gateway but cannot access hosts by name...
A. Set up the correct DNS server names in the /etc/resolv.conf file:
# cat /etc/resolv.conf
Output:
search nixcraft.com
nameserver 10.0.6.1
nameserver 10.0.6.2
nameserver 208.67.222.222
Q. How do I open my local network (laptop, desktop and other systems) to talk with any computer behind the VPN server via this local Linux ppp0 interface (i.e. make this computer act as a router)...?
A. Append the following rules to your existing iptables rules to turn on routing (adjust the IP address range as per your setup):
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
Q. Point-to-Point Encryption is not working and I'm not able to connect to remote PPTP server...
A. Make sure you are using a 2.6.15 or above kernel. If you are using an old kernel version, upgrade to the latest version and compile support for the ppp_mppe kernel module. If you are using the latest version, load the driver using modprobe:
# modprobe ppp_mppe
# pppd call myoffice
Note: You can always get more information by reading pptp diagnosis howto here.
A note to readers
As I said earlier, I prefer to use open source solutions such as OpenVPN or IPsec as they are more secure. PPTP is not secure enough for some information security policies. Next time I will write about OpenVPN and IPsec.
Further readings
- Please read pppd, pptp, iptables man pages.
- Official pptp client home page
- Last Updated: Jan/7/2008



{ 22 comments… read them below or add one }
Obligatory post to point out that Microsoft’s PPTP was, as initially implemented, very insecure. It may be that Microsoft has completely rewritten it since then and fixed every problem, I don’t know. Wikipedia says it can be compromised if MSCHAP-V2 is used and users choose weak passwords, so you’d want to try to avoid MSCHAP-V2. It appears to me that this article configures PPTP with MSCHAP-V2. You’d also need to check all your Microsoft Windows machines to be sure they’re not using a broken implementation.
An easy alternative is OpenVPN, which has a MS Windows installer and is all-around easy to implement.
Kari,
The PPTP is not secure enough for some information security policies and I personally like to use OpenVPN. PPTP is known to be a faulty protocol and your link in FAQ proves the same. This tutorial is for those who can’t switch to OpenVPN.
Appreciate your post!
Great guide! This helped me get beyond my problems using the GUI tools, which don’t report all the info. Also, the “fault tree” link on the pptpclient page is a good debugging resource.
I appreciate the command line tool approach, as that shows you more what is happening under the covers, and to test your config step by step.
Hi,
I need to connect my linux centos4.4 server to VPN windows 2003. I tried to install pptpclient while I do not have apt-get and use
yum --enablerepo=pptp-stable install pptpconfig with dependencies error
Error: Missing Dependency: libxml.so.1 is needed by package php4-pcntl-gtk
Error: Missing Dependency: libglade.so.0 is needed by package php4-pcntl-gtk
Please help me, I will be thankful
Regards
Adnan
Hi
My Lan is connected to internet using the Linux firewall and ADSL Modem.
My Lan Architecture:
vpnclient-->Linux-->ADSL MODEM-->net-->VPNSERVER
From ADSL modem assigned public IP.
Now My Question??
How I will connect my LAN(VPN client) to server.
Please help me out.
I will be thankful
Arul
Hello !
I set up pptpd on ubuntu 6.10
i did manage to connect to the pptpd server
but I am having issues with my default gateways.
my clients are windows boxes.
I connect to the VPN and this is what i see in my
PPP adapter ramsam:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . .:00-53-45-00-00-00
Dhcp Enabled. . . . : No
IP Address. . . . . . : 192.168.1.50
Subnet Mask . . . . . : 255.255.255.255
Default Gateway . . . : 192.168.1.50
DNS Servers . . . . . : 192.168.1.1
4.2.2.2
How do I make sure my vpn clients get the default gateway of 192.168.1.1 and why is it taking the ipaddress assigned to it as the gw.
my DHCP runs on my router 192.168.1.1
It simply does not work
No default route set, no connection at all
I had to go back to WindowsXP
in my system there is no item by this name “pptp tunnel”
pls help me!!
I’m using Arch Linux (all current), and it worked perfectly. Thanks for the help!
Excellent article! I was able to setup this one without much difficulty on CentOS 5. Thanks a lot!
Worked perfectly on my Ubuntu system.
Vivek – you can add a note in your excellent article – ‘10.0.0.0/8′ this is the network at the work place. For example the VPN server that I am trying to connect to is on the network ‘192.168.17.0/24′.
I just had to make that change to the config file – route-traffic – and everything worked fine.
hello.
Thanks for the tutorial! worked great!
I have come across a problem though. The connection times out every 1000 minutes or so.
Does anyone have any ideas on what could be causing this?
Thanks!
There is an OpenSource alternative to Microsoft PPTP Server, and is called PopTop. Runs on Linux, however works only with 128 bits encryption and MS CHAP v2 authentication that are the least insecure PPTP options.
Best Regards.
I know this is an old thread, but I followed these instructions and my VPN connection worked great. Then later on it stopped working and I couldn’t determine why for the longest time. I thought Firestarter may have been the culprit, so I uninstalled it. Didn’t help. Finally last night I uninstalled other vpn software I had loaded, but wasn’t using: OpenSwan, IKE and probably a couple others. And voilà, my PPTP VPN connection began working again.
Very good explanation, but the repository appears not to be valid. I have not been able to find a new one, so I am in dependency hell trying to get it to work. If anybody knows the door out let me know. :)
Could you please update the GUI settings for the Jaunty?
Hi,
I have small problem ,i already using ppptd and now running but i have ip still using DHCP (old ISP/IP Private) not from ip vpn (new ISP/IP Public) ,what cause this ?
i tried to ping from network-tools.com and the message is ” Timed out ” but i can ping the vpn gateway also got reply quickly.
log message :
May 24 12:28:30 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
May 24 12:28:30 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 ‘Outgoing-Call-Request’
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer’s call ID 27914).
May 24 12:28:31 cpe-134-112 pppd[15906]: CHAP authentication succeeded
May 24 12:28:31 cpe-134-112 pppd[15906]: CCP terminated by peer (No compression negotiated)
May 24 12:28:31 cpe-134-112 pppd[15906]: Compression disabled by peer.
May 24 12:28:31 cpe-134-112 pppd[15906]: local IP address 202.147.201.119
May 24 12:28:31 cpe-134-112 pppd[15906]: remote IP address 202.147.205.1
Let me know about this..
thanks,
Please send me the ppt of following configuration
Users of KDE 4 can’t use gui tools to connect over pptp vpn. If anybody needed this feature, please register and vote for it.
https://bugs.kde.org/show_bug.cgi?id=174439
No luck here. I have tried both commandline and gui on ubuntu jaunty and no luck. via the gui it says that I am connected to my work VPN, however i can not login to my machine or ping anything on the network.
Any ideas? I am at my wits end.
Also.. What is the proper NET and IFACE?
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
Hi friends, I have some problem with internet. I want to install a net hub, so how to install? Please help me, I will be thankful