From TBP Wiki
Jump to: navigation, search

The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well known security issues.

PPTP uses a TCP control channel and a Generic Routing Encapsulation tunnel to encapsulate PPP packets. Many modern VPNs use various forms of UDP for this same functionality.

The PPTP specification does not describe encryption or authentication features and relies on the Point-to-Point Protocol being tunneled to implement any and all security functionalities.

The PPTP implementation that ships with the Microsoft Windows product families implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide security levels and remote access levels comparable with typical VPN products.

PPTP Server

This will show how to set up a PPTP server on Arch Linux.

Install the pptpd package.

Configuration examples can be found in the /usr/share/doc/pptpd directory. Create /etc/ppp/options.pptpd with the following options:

   # Read man pppd to see the full list of available options
   # The name of the local system for authentication purposes
   name pptpd
   # Refuse PAP, CHAP or MS-CHAP connections but accept connections with
   # MS-CHAPv2 or MPPE with 128-bit encryption
   # Add entry to the ARP system table
   # For the serial device to ensure exclusive access to the device
   # Disable BSD-Compress and Van Jacobson TCP/IP header compression
   # Disable file logging

Create /etc/ppp/chap-secrets for logins:

   # Secrets for authentication using CHAP
   # client	server	secret			IP addresses
     username1         pptpd   password1                     *

Be aware that this file is stored in plaintext along with usernames and passwords.

Create /etc/sysctl.d/30-ipforward.conf with the following:


Apply the configuration:

   sysctl --system

Now run the following to configure iptables settings to enable access for PPTP Clients:

   # Accept all packets via ppp* interfaces (for example, ppp0)
   iptables -A INPUT -i ppp+ -j ACCEPT
   iptables -A OUTPUT -o ppp+ -j ACCEPT
   # Accept incoming connections to port 1723 (PPTP)
   iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
   # Accept GRE packets
   iptables -A INPUT -p 47 -j ACCEPT
   iptables -A OUTPUT -p 47 -j ACCEPT
   # Enable IP forwarding
   iptables -F FORWARD
   iptables -A FORWARD -j ACCEPT
   # Enable NAT for eth0 on ppp* interfaces
   iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
   iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

Replace "eth0" with the proper interface name.

Save the new iptables rules with:

   iptables-save > /etc/iptables/iptables.rules

To load /etc/iptables/iptables.rules automatically after boot, enable the iptables.service unit:

   systemctl enable iptables.service

Open port 1723 to the server and start and enable the PPTP Server using the following:

   systemctl enable pptpd.service
   systemctl start pptpd.service