version 10, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
MattPurvis |
1 |
''In future this document may become a fully-fledged HOWTO. Right now it's just my experience getting Windows clients to open an encrypted [PPTP] tunnel to a Linux [pptpd(8)] server.'' |
| |
|
2 |
|
| |
|
3 |
!!Introduction |
| |
|
4 |
|
| |
|
5 |
Wireless LANs are notoriously insecure. Even with WEP encryption enabled, it is trivial for people to crack your key and enter your network. I believe you should scrap WEP altogether and set up encrypted tunnels from your WLAN clients into your wired LAN. |
| |
|
6 |
|
| 5 |
GreigMcGill |
7 |
I recently got two D-Link DWL-650+ !AirPlus PCMCIA 802.11b cards and a DWL-900AP+ AccessPoint. Because D-Link aren't releasing Linux drivers for these cards until December 2002 I have been forced to use them under Windows. |
| 1 |
MattPurvis |
8 |
|
| |
|
9 |
!!Software |
| |
|
10 |
|
| |
|
11 |
I've currently only setup [pptpd(8)] but a completed setup will require a firewall as well. |
| |
|
12 |
|
| |
|
13 |
While attempting to set up [pptpd(8)] I found out that the default VPN software in Windows (9x, Me, 2000, XP) requires Microsoft Point-to-Point Encryption ([MPPE]). The default Debian kernel and [pppd(8)] packages don't support this, and I had a hell of a time getting it to work. So I wouldn't forget how I did it, and to help anyone who wants to do this, I'm slowing writing this document. :) |
| |
|
14 |
|
| |
|
15 |
You will need the following software: |
| |
|
16 |
* PoPToP Point to Point Tunneling Server >= 1.1.2 (Debian package __pptpd__). |
| |
|
17 |
* Point-to-Point Protocol (PPP) daemon 2.4.1 (you'll need to patch and rebuild this from source). |
| |
|
18 |
* Kernel 2.4.19 (you'll need to patch and rebuild this too). |
| |
|
19 |
* Patches to add support for [MPPE] to ppp and the kernel. |
| |
|
20 |
|
| |
|
21 |
!PoPToP installation |
| |
|
22 |
|
| |
|
23 |
Install your distribution's pptpd package. No patching or modifications are required. |
| |
|
24 |
|
| |
|
25 |
!Kernel Patching |
| |
|
26 |
|
| |
|
27 |
The kernel [MPPE] patch is available for many kernel versions, but I used 2.4.19. You can download the patch from [http://public.www.planetmirror.com/pub/mppe/linux-2.4.19-openssl-0.9.6b-mppe.patch.gz]. |
| |
|
28 |
|
| |
|
29 |
Put the patch file into /usr/src and gunzip it. Download the kernel source and extract it into /usr/src/linux-2.4.19. Apply the patch like so: |
| |
|
30 |
|
| |
|
31 |
root@box:/usr/src/linux-2.4.19# patch -p1 < ../linux-2.4.19-openssl-0.9.6b-mppe.patch |
| |
|
32 |
|
| |
|
33 |
If you use Debian, you can use make-kpkg to do the rest for you. The following command will allow you to configure your kernel and then it will build the kernel and modules and place them into a .deb package for you. |
| |
|
34 |
|
| |
|
35 |
root@box:/usr/src/linux-2.4.19# make-kpkg --config=menuconfig kernel_image |
| |
|
36 |
|
| |
|
37 |
If you don't use Debian, you're on your own. ;P |
| |
|
38 |
|
| |
|
39 |
Once the kernel is built, install it and reboot your system. |
| |
|
40 |
|
| |
|
41 |
You'll need to add a module alias to your /etc/modules.conf. If you use Debian, add this line to /etc/modutils/ppp and then run update-modules. |
| |
|
42 |
|
| |
|
43 |
alias ppp-compress-18 ppp_mppe |
| |
|
44 |
|
| |
|
45 |
If you use a different distribution, just add the above line to your /etc/modules.conf. |
| |
|
46 |
|
| |
|
47 |
!PPP Patching |
| |
|
48 |
|
| |
|
49 |
You'll need to remove the ppp package, if it's installed. Unfortunately pptpd depends on ppp, so you'll probably have to install pptpd first and then remove ppp with the command: |
| |
|
50 |
|
| |
|
51 |
root@box:~# dpkg --remove --force-depends ppp |
| |
|
52 |
|
| |
|
53 |
You really should build a new Debian package of the patched ppp but I'm not sure how so I'll have to add that later. :) |
| |
|
54 |
|
| |
|
55 |
Download the ppp-2.4.1 source tarball from [ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.4.1.tar.gz]. Also grab the patches [http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-MSCHAPv2-fix.patch.gz] and [http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz]. |
| |
|
56 |
|
| |
|
57 |
Put the above three files into /usr/local/src. Extract ppp-2.4.1.tar.gz and gunzip the two patch files. Apply the patches: |
| |
|
58 |
|
| |
|
59 |
root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-openssl-0.9.6-mppe-patch |
| |
|
60 |
root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch |
| |
|
61 |
|
| |
|
62 |
Configure ppp: |
| |
|
63 |
|
| |
|
64 |
root@box:/usr/local/src/ppp-2.4.1# ./configure |
| |
|
65 |
|
| |
|
66 |
Edit the Makefile to change the install path. Change it to something like this: |
| |
|
67 |
|
| |
|
68 |
BINDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/sbin |
| |
|
69 |
MANDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/man |
| |
|
70 |
ETCDIR = /etc/ppp |
| |
|
71 |
|
| 2 |
MattPurvis |
72 |
If you don't use [stow(8)] (which you ''should'') change BINDIR to /usr/local/sbin and MANDIR to /usr/local/man. |
| 1 |
MattPurvis |
73 |
|
| |
|
74 |
Now you can build and install ppp: |
| |
|
75 |
|
| |
|
76 |
root@box:/usr/local/src/ppp-2.4.1# make && make install |
| |
|
77 |
|
| 2 |
MattPurvis |
78 |
If you use stow then you'll now need to do this: |
| 1 |
MattPurvis |
79 |
|
| |
|
80 |
root@box:/usr/local/stow# stow -v ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix |
| |
|
81 |
|
| |
|
82 |
Finally, add a link to /usr/local/sbin/pppd so that pptpctrl will be able to find it. It took me about an hour to figure out that an error I was getting was caused by pptpctrl not finding pppd. |
| |
|
83 |
|
| |
|
84 |
root@box:~# ln -s /usr/local/sbin/pppd /usr/sbin/pppd |
| |
|
85 |
|
| |
|
86 |
!PPTP Configuration |
| |
|
87 |
|
| |
|
88 |
The standard /etc/ppp/pptpd-options will need a couple of modifications to offer Windows clients the encryption and handshaking they require. Add or uncomment the following lines: |
| |
|
89 |
|
| |
|
90 |
+chapms |
| |
|
91 |
+chapms-v2 |
| |
|
92 |
mppe-40 |
| |
|
93 |
mppe-128 |
| |
|
94 |
mppe-stateless |
| |
|
95 |
|
| |
|
96 |
That will enable Microsofts CHAP and CHAPv2, as well as turn on 40-bit and 128-bit stateless encryption. |
| 6 |
OlavAdema |
97 |
|
| |
|
98 |
!PPP user account |
| |
|
99 |
The users who are allowed to use the VPN connection can be specified in the file /etc/ppp/chap-secrets |
| |
|
100 |
|
| |
|
101 |
It looks like this: |
| 7 |
OlavAdema |
102 |
Secrets for authentication using CHAP |
| 8 |
OlavAdema |
103 |
client server secret IP addresses |
| |
|
104 |
Madcat madcatServer MyPwd * |
| 6 |
OlavAdema |
105 |
|
| 8 |
OlavAdema |
106 |
This will allow user "Madcat" with password "MyPwd" to gain access. |
| 6 |
OlavAdema |
107 |
The servername must be the same as in the options file (/etc/ppp/pptpd-options) under the name "name" |
| |
|
108 |
|
| 8 |
OlavAdema |
109 |
Like this: |
| 7 |
OlavAdema |
110 |
change 'servername' to whatever you specify as your server name in chap-secrets |
| 8 |
OlavAdema |
111 |
name madcatServer |
| 6 |
OlavAdema |
112 |
|
| |
|
113 |
!IP range of the VPN network |
| |
|
114 |
In the file /etc/pptpd.conf you can configure the IP range you would like for your tunnel |
| |
|
115 |
The localip is the ipadress of your server and the remoteip range is the ip's that can be given |
| |
|
116 |
|
| |
|
117 |
for example: |
| 8 |
OlavAdema |
118 |
localip 10.0.1.1 |
| |
|
119 |
remoteip 10.0.1.2-100 |
| |
|
120 |
listen 300.300.100.100 (this should be your outside adress, it's set to a fake adress) |
| 6 |
OlavAdema |
121 |
|
| |
|
122 |
This way the tunnel ip of the server will be 10.0.1.1 and the first user who will login on IP 300.300.100.100 with the passwd as specified in /etc/pptpd.conf will gain 10.0.1.2, the second 10.0.1.3.. etc |
| |
|
123 |
|
| |
|
124 |
!So how can i login on my Windows XP Pro machiene? |
| |
|
125 |
|
| 9 |
OlavAdema |
126 |
Start -> settings -> control panel |
| 6 |
OlavAdema |
127 |
goto network connections-> create a new connection |
| |
|
128 |
next -> "connect to workplace" -> vpn -> "fill your name in here " -> |
| |
|
129 |
you might get an question about automaticly connecting, fill in what you like. but i prefer not to auto connect |
| |
|
130 |
-> fill here the IP of your server in as specified in /etc/pptpd.conf as "listen" -> finisch |
| |
|
131 |
|
| |
|
132 |
If you did not got the encryption (mppe module) working do this: |
| |
|
133 |
goto properties -> security -> advanced -> check CHAP and change data encryption to optional |
| |
|
134 |
you get a warning that it might be unsafe, to fix it read the above :) |
| |
|
135 |
|
| |
|
136 |
You also might need to disable LCP to get it working |
| |
|
137 |
networking -> settings -> uncheck LCP |
| |
|
138 |
|
| |
|
139 |
Now the fun part comes, creating the connection. |
| |
|
140 |
hit connect and enter the user/pwd as specified in /etc/ppp/chap-secrets |
| |
|
141 |
|
| |
|
142 |
! Errors |
| |
|
143 |
|
| |
|
144 |
Todo |
| 1 |
MattPurvis |
145 |
|
| |
|
146 |
!!TODO |
| |
|
147 |
|
| |
|
148 |
I still need to add information about: |
| |
|
149 |
|
| 6 |
OlavAdema |
150 |
* /etc/pptpd.conf and /etc/ppp/chap-secrets (mostly done) |
| 7 |
OlavAdema |
151 |
* Configuring Windows clients (mostly done) |
| 6 |
OlavAdema |
152 |
* Errors explanation |
| 1 |
MattPurvis |
153 |
|
| 4 |
MattPurvis |
154 |
Until then you can find out this information at [http://www.schumann.cx/wavelan/] |
| 10 |
AristotlePagaltzis |
155 |
|
| |
|
156 |
---- |
| |
|
157 |
CategoryHowto |
