In future this document may become a fully-fledged HOWTO. Right now it's just my experience getting Windows clients to open an encrypted PPTP tunnel to a Linux pptpd(8) server.

Introduction

Wireless LANs are notoriously insecure. Even with WEP encryption enabled, it is trivial for people to crack your key and enter your network. I believe you should scrap WEP altogether and set up encrypted tunnels from your WLAN clients into your wired LAN.

I recently got two D-Link DWL-650+ AirPlus PCMCIA 802.11b cards and a DWL-900AP+ AccessPoint. Because D-Link aren't releasing Linux drivers for these cards until December 2002, I have been forced to use them under Windows.

Software

I've currently only set up pptpd(8), but a completed setup will require a firewall as well.

While attempting to set up pptpd(8) I found out that the default VPN software in Windows (9x, Me, 2000, XP) requires Microsoft Point-to-Point Encryption (MPPE). The default Debian kernel and pppd(8) packages don't support this, and I had a hell of a time getting it to work. So I wouldn't forget how I did it, and to help anyone who wants to do this, I'm slowly writing this document. :)

You will need the following software:

  • PoPToP Point to Point Tunneling Server >= 1.1.2 (Debian package pptpd).
  • Point-to-Point Protocol (PPP) daemon 2.4.1 (you'll need to patch and rebuild this from source).
  • Kernel 2.4.19 (you'll need to patch and rebuild this too).
  • Patches to add support for MPPE to ppp and the kernel.

PoPToP installation

Install your distribution's pptpd package. No patching or modifications are required.

Kernel Patching

The kernel MPPE patch is available for many kernel versions, but I used 2.4.19. You can download the patch from http://public.www.planetmirror.com/pub/mppe/linux-2.4.19-openssl-0.9.6b-mppe.patch.gz.

Put the patch file into /usr/src and gunzip it. Download the kernel source and extract it into /usr/src/linux-2.4.19. Apply the patch like so

root@box:/usr/src/linux-2.4.19# patch -p1 < ../linux-2.4.19-openssl-0.9.6b-mppe.patch

If you use Debian, you can use make-kpkg to do the rest for you. The following command will allow you to configure your kernel and then it will build the kernel and modules and place them into a .deb package for you.

root@box:/usr/src/linux-2.4.19# make-kpkg --config=menuconfig kernel_image

If you don't use Debian, you're on your own. ;P

Once the kernel is built, install it and reboot your system.

You'll need to add a module alias to your /etc/modules.conf. If you use Debian, add this line to /etc/modutils/ppp and then run update-modules.

alias ppp-compress-18 ppp_mppe

If you use a different distribution, just add the above line to your /etc/modules.conf.

PPP Patching

You'll need to remove the ppp package, if it's installed. Unfortunately pptpd depends on ppp, so you'll probably have to install pptpd first and then remove ppp with the command

root@box:# dpkg --remove --force-depends ppp

You really should build a new Debian package of the patched ppp but I'm not sure how so I'll have to add that later. :)

Download the ppp-2.4.1 source tarball from ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.4.1.tar.gz. Also grab the patches http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-MSCHAPv2-fix.patch.gz and http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz.

Put the above three files into /usr/local/src. Extract ppp-2.4.1.tar.gz and gunzip the two patch files. Apply the patches

root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-openssl-0.9.6-mppe-patch
root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch

Configure ppp

root@box:/usr/local/src/ppp-2.4.1# ./configure

Edit the Makefile to change the install path. Change it to something like this

BINDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/sbin
MANDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/man
ETCDIR = /etc/ppp

If you don't use stow(8) (which you should), change BINDIR to /usr/local/sbin and MANDIR to /usr/local/man.

Now you can build and install ppp

root@box:/usr/local/src/ppp-2.4.1# make && make install

If you use stow then you'll now need to do this

root@box:/usr/local/stow# stow -v ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix

Finally, add a link to /usr/local/sbin/pppd so that pptpctrl will be able to find it. It took me about an hour to figure out that an error I was getting was caused by pptpctrl not finding pppd.

root@box:# ln -s /usr/local/sbin/pppd /usr/sbin/pppd

PPTP Configuration

The standard /etc/ppp/pptpd-options will need a couple of modifications to offer Windows clients the encryption and handshaking they require. Add or uncomment the following lines

  • chapms
  • chapms-v2
  • mppe-40
  • mppe-128
  • mppe-stateless

That will enable Microsoft's CHAP and CHAPv2, as well as turn on 40-bit and 128-bit stateless encryption.

PPP user account

The users who are allowed to use the VPN connection are specified in the file /etc/ppp/chap-secrets.

It looks like this

# Secrets for authentication using CHAP
# client        server          secret   IP addresses
Madcat          madcatServer    MyPwd    *

This will allow user "Madcat" with password "MyPwd" to gain access. The server name must be the same as the one given by the "name" option in the options file (/etc/ppp/pptpd-options).

Like this

# change 'servername' to whatever you specify as your server name in chap-secrets
name madcatServer

IP range of the VPN network

In the file /etc/pptpd.conf you can configure the IP range you would like for your tunnel. The localip is the IP address of your server, and the remoteip range is the IP addresses that can be handed out to clients.

For example

localip 10.0.1.1
remoteip 10.0.1.2-100
listen 300.300.100.100

(listen should be your outside address; here it is set to a deliberately fake address.)

This way the tunnel IP of the server will be 10.0.1.1, and the first user who logs in on IP 300.300.100.100 with the password as specified in /etc/pptpd.conf will get 10.0.1.2, the second 10.0.1.3, etc.
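The three files above are easy to get subtly wrong (an option left out of pptpd-options, a chap-secrets that is world-readable, a server name that does not match, a bogus listen address like the placeholder in the example). The following POSIX sh script is an added example, not part of the original page or of pptpd itself: it audits copies of pptpd-options, chap-secrets and pptpd.conf given as arguments. The sample files it writes are constructed to mirror the examples on this page, including the fake 300.300.100.100 listen address, which the address check is expected to flag. The function names and the temporary directory are my own; the option and keyword names are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit the pptpd configuration files discussed above.
# Not the project's own code; file paths are passed as arguments so the
# functions work on constructed samples or on the real /etc/ppp/pptpd-options,
# /etc/ppp/chap-secrets and /etc/pptpd.conf.

# Return 0 if FILE ($1) has a non-comment line enabling OPTION ($2).
# A leading '+' is accepted because pppd also spells some options that way.
has_option() {
    grep -Eq "^[[:space:]]*\+?$2([[:space:]]|$)" "$1" 2>/dev/null
}

# Print the value of KEY ($2) from FILE ($1), first match only, empty if absent.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^#[:space:]]+).*/\1/p" "$1" | head -n 1
}

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1          # split the address on '.' into $1..$4
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pptpd-options must enable MS-CHAPv2 and 128-bit stateless MPPE; mppe-40 alone
# is not enough. Returns 0 only if all required options are present.
check_pptpd_options() {
    rc=0
    for opt in chapms-v2 mppe-128 mppe-stateless; do
        has_option "$1" "$opt" || { echo "pptpd-options: missing '$opt'"; rc=1; }
    done
    return $rc
}

# chap-secrets holds cleartext passwords: it must not be readable by group or
# others, and no entry may use '*' (any secret) in the secret column.
check_chap_secrets() {
    rc=0
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "chap-secrets: readable by group/others, chmod 600 it"; rc=1; }
    if grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '$3 == "*" { found = 1 } END { exit !found }'; then
        echo "chap-secrets: an entry uses '*' as its secret"; rc=1
    fi
    return $rc
}

# The 'name' in pptpd-options ($1) must appear as the server field of at least
# one chap-secrets ($2) entry, otherwise nobody can authenticate.
check_server_name() {
    name=$(conf_value "$1" name)
    [ -n "$name" ] || { echo "pptpd-options: no 'name' set"; return 1; }
    grep -Ev '^[[:space:]]*(#|$)' "$2" | awk -v n="$name" '$2 == n { ok = 1 } END { exit !ok }' \
        || { echo "chap-secrets: no entry for server '$name'"; return 1; }
}

# pptpd.conf: localip and listen must be real addresses; remoteip must start with one.
check_pptpd_conf() {
    rc=0
    for key in localip listen; do
        val=$(conf_value "$1" "$key")
        valid_ipv4 "$val" || { echo "pptpd.conf: '$key' is not a valid IPv4 address: '$val'"; rc=1; }
    done
    range=$(conf_value "$1" remoteip)
    valid_ipv4 "${range%%-*}" || { echo "pptpd.conf: bad remoteip range: '$range'"; rc=1; }
    return $rc
}

# Write constructed sample files (mirroring this page's examples) to a temporary
# directory and print its path.
write_samples() {
    dir=$(mktemp -d) || return 1
    printf 'name madcatServer\nchapms\nchapms-v2\nmppe-40\nmppe-128\nmppe-stateless\n' > "$dir/pptpd-options"
    printf '# client server secret IP addresses\nMadcat madcatServer MyPwd *\n' > "$dir/chap-secrets"
    chmod 600 "$dir/chap-secrets"
    printf 'localip 10.0.1.1\nremoteip 10.0.1.2-100\nlisten 300.300.100.100\n' > "$dir/pptpd.conf"
    echo "$dir"
}

# Stand-alone run against the samples: the fake listen address gets reported.
SAMPLES=$(write_samples)
check_pptpd_options "$SAMPLES/pptpd-options" || echo "pptpd-options needs fixing"
check_chap_secrets "$SAMPLES/chap-secrets" || echo "chap-secrets needs fixing"
check_server_name "$SAMPLES/pptpd-options" "$SAMPLES/chap-secrets" || echo "server name mismatch"
check_pptpd_conf "$SAMPLES/pptpd.conf" || echo "pptpd.conf needs fixing (expected: fake listen address)"
rm -rf "$SAMPLES"
```

To audit a live server, call the check functions with the real paths instead of the samples; each prints one line per problem and returns non-zero, so the script can run from cron or a post-install hook.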

So how can I log in from my Windows XP Pro machine?

  • Start -> Settings -> Control Panel -> Network Connections -> Create a new connection -> Next -> "Connect to the network at my workplace" -> VPN -> fill in a name for the connection.
  • You might get a question about connecting automatically; fill in what you like, but I prefer not to auto-connect.
  • Fill in the IP of your server as specified by "listen" in /etc/pptpd.conf -> Finish.

If you did not get the encryption (mppe module) working, do this: go to Properties -> Security -> Advanced -> check CHAP and change data encryption to optional. You get a warning that it might be unsafe; to fix it, read the above. :)

You also might need to disable LCP to get it working: Networking -> Settings -> uncheck LCP.

Now the fun part comes, creating the connection. Hit Connect and enter the user/password as specified in /etc/ppp/chap-secrets.

Errors

TODO

I still need to add information about:

  • /etc/pptpd.conf and /etc/ppp/chap-secrets (mostly done)
  • Configuring Windows clients (mostly done)
  • Errors explanation

Until then you can find out this information at http://www.schumann.cx/wavelan/


CategoryHowto