Penguin
Recent Changes
Note: You are viewing an old revision of this page. View the current version.

In future this document may become a fully-fledged HOWTO. Right now it's just my experience getting Windows clients to open an encrypted PPTP tunnel to a Linux pptpd(8)? server.

Introduction

Wireless LANs are notoriously insecure. Even with WEP encryption enabled, it is trivial for people to crack your key and enter your network. I believe you should scrap WEP altogether and set up encrypted tunnels from your WLAN clients into your wired LAN.

I recently got two D-Link DWL-650+ AirPlus? PCMCIA 802.11b cards and a DWL-900AP+ AccessPoint. Because D-Link aren't releasing Linux drivers for these cards until December 2002 I have been forced to use them under Windows.

Software

I've currently only setup pptpd(8)? but a completed setup will require a firewall as well.

While attempting to set up pptpd(8)? I found out that the default VPN software in Windows (9x, Me, 2000, XP) requires Microsoft Point-to-Point Encryption (MPPE). The default Debian kernel and pppd(8) packages don't support this, and I had a hell of a time getting it to work. So I wouldn't forget how I did it, and to help anyone who wants to do this, I'm slowing writing this document. :)

You will need the following software:

  • PoPToP Point to Point Tunneling Server >= 1.1.2 (Debian package pptpd).
  • Point-to-Point Protocol (PPP) daemon 2.4.1 (you'll need to patch and rebuild this from source).
  • Kernel 2.4.19 (you'll need to patch and rebuild this too).
  • Patches to add support for MPPE to ppp and the kernel.

PoPToP installation

Install your distribution's pptpd package. No patching or modifications are required.

Kernel Patching

The kernel MPPE patch is available for many kernel versions, but I used 2.4.19. You can download the patch from http://public.www.planetmirror.com/pub/mppe/linux-2.4.19-openssl-0.9.6b-mppe.patch.gz.

Put the patch file into /usr/src and gunzip it. Download the kernel source and extract it into /usr/src/linux-2.4.19. Apply the patch like so
root@box:/usr/src/linux-2.4.19# patch -p1 < ../linux-2.4.19-openssl-0.9.6b-mppe.patch

If you use Debian, you can use make-kpkg to do the rest for you. The following command will allow you to configure your kernel and then it will build the kernel and modules and place them into a .deb package for you.

root@box:/usr/src/linux-2.4.19# make-kpkg --config=menuconfig kernel_image

If you don't use Debian, you're on your own. ;P

Once the kernel is built, install it and reboot your system.

You'll need to add a module alias to your /etc/modules.conf. If you use Debian, add this line to /etc/modutils/ppp and then run update-modules.

alias ppp-compress-18 ppp_mppe

If you use a different distribution, just add the above line to your /etc/modules.conf.

PPP Patching

You'll need to remove the ppp package, if it's installed. Unfortunately pptpd depends on ppp, so you'll probably have to install pptpd first and then remove ppp with the command
root@box:# dpkg --remove --force-depends ppp

You really should build a new Debian package of the patched ppp but I'm not sure how so I'll have to add that later. :)

Download the ppp-2.4.1 source tarball from ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.4.1.tar.gz. Also grab the patches http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-MSCHAPv2-fix.patch.gz and http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz.

Put the above three files into /usr/local/src. Extract ppp-2.4.1.tar.gz and gunzip the two patch files. Apply the patches
root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-openssl-0.9.6-mppe-patch root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
Configure ppp
root@box:/usr/local/src/ppp-2.4.1# ./configure
Edit the Makefile to change the install path. Change it to something like this
BINDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/sbin MANDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/man ETCDIR = /etc/ppp

If you don't use stow? (which you should) change BINDIR to /usr/local/sbin and MANDIR to /usr/local/man.

Now you can build and install ppp
root@box:/usr/local/src/ppp-2.4.1# make && make install
If you use stow? then you'll now need to do this
root@box:/usr/local/stow# stow -v ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix

Finally, add a link to /usr/local/sbin/pppd so that pptpctrl will be able to find it. It took me about an hour to figure out that an error I was getting was caused by pptpctrl not finding pppd.

root@box:# ln -s /usr/local/sbin/pppd /usr/sbin/pppd

PPTP Configuration

The standard /etc/ppp/pptpd-options will need a couple of modifications to offer Windows clients the encryption and handshaking they require. Add or uncomment the following lines
  • chapms
  • chapms-v2

mppe-40 mppe-128 mppe-stateless

That will enable Microsofts CHAP and CHAPv2, as well as turn on 40-bit and 128-bit stateless encryption.

TODO

I still need to add information about:

  • /etc/pptpd.conf and /etc/ppp/chap-secrets
  • Configuring Windows clients

Until then you can find out this information at http://www.schumann.cx/wavelan/