PPTP

From TBP Wiki

The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks, and it has well known security issues. The MS-CHAPv2 authentication it relies on can be broken by recovering the user's NT password hash from a single captured handshake with the work of one 2^56 DES key search (demonstrated publicly in 2012, and independent of how strong the password is), and the MPPE session keys are derived from that same hash, so the captured traffic can be decrypted as well. MPPE itself is RC4 with no integrity check, so ciphertext can be altered in transit without detection. Treat PPTP as a legacy-compatibility option only and prefer a modern protocol such as WireGuard, IKEv2/IPsec or OpenVPN.

PPTP uses a TCP control channel on port 1723 and a Generic Routing Encapsulation (GRE, IP protocol 47) tunnel to carry the encapsulated PPP frames. Because GRE has no port numbers, many NAT devices and stateful firewalls handle it poorly; most modern VPN protocols (WireGuard, OpenVPN, IKEv2/IPsec with NAT traversal) carry their tunnel over UDP instead.

The PPTP specification (RFC 2637) describes no encryption or authentication of its own. It relies entirely on the tunneled Point-to-Point Protocol session: the PPP authentication protocol that is negotiated (PAP, CHAP, MS-CHAP, MS-CHAPv2 or EAP) and optional link encryption such as MPPE.

The PPTP implementation that ships with the Microsoft Windows product families adds these PPP-layer features natively: MS-CHAP, MS-CHAPv2 and EAP authentication, and MPPE encryption with 40-, 56- or 128-bit RC4 keys. It was intended to provide security and remote-access capabilities comparable with the VPN products of its era; given the MS-CHAPv2 and RC4-based MPPE weaknesses, it no longer does.

PPTP Server

This section shows how to set up a PPTP server on Arch Linux.

Install the pptpd package.

Configuration examples can be found in the /usr/share/doc/pptpd directory. Create /etc/ppp/options.pptpd with the following options, which restrict clients to MS-CHAPv2 authentication with 128-bit MPPE (the strongest combination pppd offers for PPTP; it does not remove the protocol-level weaknesses noted above):

   # Read man pppd to see the full list of available options
   
   # The name of the local system for authentication purposes
   name pptpd
   
   # Accept only MS-CHAPv2 authentication and require 128-bit MPPE encryption;
   # refuse PAP (cleartext password), CHAP and MS-CHAPv1
   refuse-pap
   refuse-chap
   refuse-mschap
   require-mschap-v2
   require-mppe-128
   
   # Add entry to the ARP system table
   proxyarp
   
   # For the serial device to ensure exclusive access to the device
   lock
   
   # Disable BSD-Compress and Van Jacobson TCP/IP header compression
   nobsdcomp
   novj
   novjccomp
   
   # Disable file logging
   nolog
   
   # DNS servers handed to clients (Quad9 and Google); replace with your own
   ms-dns 9.9.9.9
   ms-dns 8.8.8.8

Create /etc/ppp/chap-secrets for logins. Each line has four fields: the client (user) name, the server name (this must match the name option in options.pptpd, here pptpd, or be *), the secret, and the IP address(es) the client may be assigned (* for any):

   # Secrets for authentication using CHAP
   # client      server      secret          IP addresses
   username1     pptpd       password1       *

Be aware that this file stores usernames and passwords in plaintext: it must be owned by root with mode 600 so that other local users cannot read it. Note also that a long password does not protect against the MS-CHAPv2 weakness, because that attack recovers the password hash directly instead of guessing the password.

Create /etc/sysctl.d/30-ipforward.conf with the following:

   net.ipv4.ip_forward=1

Apply the configuration:

   sysctl --system

Now run the following to configure iptables rules that admit PPTP clients and let them reach the Internet through the server:

   # Accept all packets via ppp* interfaces (for example, ppp0)
   iptables -A INPUT -i ppp+ -j ACCEPT
   iptables -A OUTPUT -o ppp+ -j ACCEPT
   
   # Accept incoming PPTP control connections on TCP port 1723
   iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
   
   # Accept GRE (IP protocol 47), which carries the tunneled PPP frames
   iptables -A INPUT -p 47 -j ACCEPT
   iptables -A OUTPUT -p 47 -j ACCEPT
   
   # Forward only between VPN clients and the upstream interface;
   # replies to the clients are matched by connection tracking
   iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
   iptables -A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   
   # Masquerade client traffic leaving through eth0
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Replace "eth0" with the name of the interface that carries traffic to the Internet (check with ip link). Unlike a blanket "iptables -A FORWARD -j ACCEPT", these rules forward only what the VPN needs; they are only effective if the FORWARD chain policy is DROP, so set it with "iptables -P FORWARD DROP" if it is not already. Masquerading traffic towards the ppp interfaces is not needed for remote-access clients and would hide the real source address of LAN-originated packets from them, so it is left out.

Save the new iptables rules with:

   iptables-save > /etc/iptables/iptables.rules

To load /etc/iptables/iptables.rules automatically after boot, enable the iptables.service unit:

   systemctl enable iptables.service

If the server sits behind a router or another firewall, forward both TCP port 1723 and GRE (IP protocol 47) to it; forwarding port 1723 alone lets the control connection succeed while the tunnel never comes up. Then enable and start the PPTP server:

   systemctl enable pptpd.service
   systemctl start pptpd.service
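The following is an added example, not part of this wiki page or of the pptpd project: a POSIX shell audit of the two files created above. It checks that options.pptpd still refuses everything except MS-CHAPv2 with 128-bit MPPE, that chap-secrets is not readable by other users, and that every secret names the server given by the name option, then runs itself against constructed sample files in a temporary directory. File paths are parameters so it can be pointed at /etc/ppp or at copies; it assumes GNU stat and awk are available.

```shell
#!/bin/sh
# Added example (not from the wiki page or from pptpd): audit options.pptpd and
# chap-secrets for the settings this page depends on. The sample configs written
# by write_sample_configs are constructed for the demonstration.

# Options that options.pptpd must contain for "MS-CHAPv2 with 128-bit MPPE only".
REQUIRED_OPTIONS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# Print the active options of a pppd options file: comments, blank lines and
# surrounding whitespace removed, one option per line.
active_options() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Return 0 if every required option is active, else report each missing one on
# stderr and return 1. A missing refuse-* line lets a client negotiate down to
# PAP/CHAP/MS-CHAPv1; a missing require-mppe-128 allows 40-bit or no MPPE.
check_pptpd_options() {
    rc=0
    for opt in $REQUIRED_OPTIONS; do
        if ! active_options "$1" | grep -qx "$opt"; then
            echo "$1: missing '$opt'" >&2
            rc=1
        fi
    done
    return $rc
}

# chap-secrets holds plaintext passwords. Return 0 only if no group/other
# permission bits are set (for example mode 600); warn if not owned by root.
check_chap_secrets_perms() {
    mode=$(stat -c '%a' "$1")
    [ "$(stat -c '%U' "$1")" = root ] || echo "$1: not owned by root" >&2
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1: mode $mode is readable by other users" >&2; return 1 ;;
    esac
}

# Every chap-secrets entry must name the server from the "name" option in
# options.pptpd (or "*"); otherwise pppd finds no matching secret and rejects
# the login. Fields: client server secret [allowed IP addresses].
check_chap_secrets_server() {
    bad=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
          awk -v want="$2" '$2 != want && $2 != "*" { print $1 }')
    if [ -n "$bad" ]; then
        echo "$1: entries not naming server '$2':" $bad >&2
        return 1
    fi
    return 0
}

# Write constructed sample files into DIR: the hardened options.pptpd from this
# page, a weak variant, and two chap-secrets files. Passwords are placeholders.
write_sample_configs() {
    dir=$1
    printf '%s\n' 'name pptpd' '# auth methods' 'refuse-pap' 'refuse-chap' \
        'refuse-mschap' 'require-mschap-v2' 'require-mppe-128' 'proxyarp' \
        'ms-dns 9.9.9.9' > "$dir/options.pptpd"
    # Weak variant: MS-CHAPv1 still offered, 40-bit MPPE accepted.
    printf '%s\n' 'name pptpd' 'refuse-pap' 'refuse-chap' 'require-mppe' \
        'proxyarp' > "$dir/options.weak"
    printf '%s\n' '# client server secret IP' 'username1 pptpd password1 *' \
        > "$dir/chap-secrets"
    chmod 600 "$dir/chap-secrets"
    # Mismatched server name and world-readable: both checks should fail.
    printf '%s\n' 'username2 vpn password2 *' > "$dir/chap-secrets.mismatch"
    chmod 644 "$dir/chap-secrets.mismatch"
}

# Run all checks on DIR/options.pptpd and DIR/chap-secrets; 0 only if all pass.
audit_pptpd() {
    dir=$1
    ok=0
    check_pptpd_options "$dir/options.pptpd" || ok=1
    check_chap_secrets_perms "$dir/chap-secrets" || ok=1
    check_chap_secrets_server "$dir/chap-secrets" pptpd || ok=1
    return $ok
}

# Stand-alone demonstration against the constructed files.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
audit_pptpd "$demo_dir" && echo "options.pptpd and chap-secrets: OK"
check_pptpd_options "$demo_dir/options.weak" || echo "options.weak: rejected"
check_chap_secrets_server "$demo_dir/chap-secrets.mismatch" pptpd || echo "chap-secrets.mismatch: rejected"
rm -rf "$demo_dir"
```

To audit the live files, call audit_pptpd /etc/ppp as root (it expects options.pptpd and chap-secrets in that directory). The checks deliberately test the active option lines rather than the comments, since a commented-out refuse-mschap looks identical to the reader but lets a client fall back to MS-CHAPv1.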