Configuring PPTP in Linux
Because PPTP isn't a native Linux protocol, installing and using it on a Linux system may require jumping through some unusual hoops. The PoPToP server itself isn't very unusual, but it must communicate with pppd, the Linux PPP daemon. To provide security, the entire system must also use encryption features that aren't a standard part of pppd, so you must replace the standard pppd with an expanded one. Clients for both Linux and Windows are available, but of course they're configured and used differently.
Obtaining and Installing PoPToP
PoPToP ships with some Linux distributions, such as Debian and Mandrake, usually under the package name pptpd or pptpd-server. If your distribution ships with a PoPToP package, try using it first, because it will probably be easier to install and configure than a generic PoPToP package. If your distribution doesn't ship with a PoPToP package, you can obtain it from the main PoPToP Web site (http://poptop.lineo.com). This site hosts the software in the form of a source tarball, source RPMs, and binary RPMs for x86 systems.

Although you can install and run the PoPToP package on a standard Linux system, the default Linux and PoPToP combination provides a VPN with little in the way of security features. This is because PPTP relies on special PPP encryption features that aren't part of the standard Linux pppd. In particular, PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol. In order to enable encryption, you must obtain and install MPPE encryption patches for the standard Linux pppd and for your Linux kernel. Unfortunately, this process is tedious and tricky. It's described in the upcoming section, "Enabling Encryption Features."
PoPToP Server Configuration
Once you've downloaded and installed the PoPToP package, you can activate it as follows:

1. Edit the /etc/ppp/options file. This file controls the Linux pppd program, which handles the network link between the VPN router and remote PPTP systems. The file should contain entries like the following:

    debug
    name servername
    auth
    require-chap
    proxyarp
    192.168.1.1:192.168.1.100

Most of these items set critical PPTP options. The last line is optional; it sets the address used by the VPN router on its local network (192.168.1.1) and the address to be assigned to a VPN client (192.168.1.100). If you omit this line, you can specify the IP address to be used in the VPN client's configuration. The servername is the hostname of the VPN server.

2. Edit the /etc/ppp/chap-secrets file to specify the username and password you intend to use for VPN logins, one entry per line. An example, specifying a username of vpn1 and a password of vpnpass, is:

    vpn1 * vpnpass *
WARNING

The passwords stored in /etc/ppp/chap-secrets are not encrypted. This file is therefore extremely sensitive and should be protected as well as possible. Normally, root owns the file and it's readable only by root. If your PoPToP server is compromised, though, this file might be read, giving others remote access to your network. For this reason, you should run as few servers as possible on your VPN router.
3. Look for a reference to pptpd in your /etc/inittab file. If you find such a reference, disable it by adding a pound sign (#) to the start of the line, then type telinit Q to activate this change. This allows you to manually start pptpd to test its configuration changes. Once you've settled on a working configuration, you can re-enable pptpd in /etc/inittab or start it like a more conventional server, as described in Chapter 4.

4. Type pptpd as root to start the server.

At this point, PoPToP should be running, and you should be able to connect to the system using a PPTP client, as described in the upcoming section "PPTP Client Configuration." Without enabling encryption features, though, you may need to disable encryption on your client in order to make a connection. The next section describes enabling PoPToP encryption.

WARNING

Although connecting to PoPToP without
encryption is a useful first step in testing your configuration, you should
not run it in this way as a routine matter. One of the primary reasons for
running a VPN is to provide secure connections, and when you disable
encryption, you lose these security benefits.
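As an added check, not part of the original chapter, the following Python script audits the two files from the procedure above: it verifies that /etc/ppp/options carries the auth, require-chap and name directives, and reports a chap-secrets file that anyone other than root can read. It writes constructed sample files into a temporary directory rather than touching /etc/ppp; the servername vpnrouter is an assumed value.

```python
import os
import stat
import tempfile

# Directives the server procedure above requires in /etc/ppp/options.
REQUIRED_OPTIONS = ("auth", "require-chap", "name")


def _fields(path):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    with open(path) as f:
        for line in f:
            line = line.split("#", 1)[0].strip()
            if line:
                yield line.split()


def audit_ppp_options(path):
    """Return the required pppd directives missing from an options file."""
    present = {fields[0] for fields in _fields(path)}
    return [opt for opt in REQUIRED_OPTIONS if opt not in present]


def audit_chap_secrets(path):
    """Return findings about a clear-text chap-secrets file's exposure."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; expected 0600" % mode)
    if st.st_uid != 0:
        findings.append("owner uid %d is not root" % st.st_uid)
    entries = list(_fields(path))
    for fields in entries:
        if len(fields) < 3:          # client, server and secret are mandatory
            findings.append("malformed entry: %s" % " ".join(fields))
    if not entries:
        findings.append("no client entries defined")
    return findings


def demo():
    """Write constructed sample files, audit them, and return the results."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "options")
    with open(good, "w") as f:           # vpnrouter is an assumed servername
        f.write("debug\nname vpnrouter\nauth\nrequire-chap\nproxyarp\n"
                "192.168.1.1:192.168.1.100\n")
    bad = os.path.join(tmp, "options.bad")
    with open(bad, "w") as f:            # auth, require-chap and name forgotten
        f.write("debug\nproxyarp\n")
    secrets = os.path.join(tmp, "chap-secrets")
    with open(secrets, "w") as f:
        f.write("# client  server  secret  IP addresses\nvpn1 * vpnpass *\n")
    os.chmod(secrets, 0o644)             # weak: secrets readable by everyone
    weak = audit_chap_secrets(secrets)
    os.chmod(secrets, 0o600)             # hardened: root-only access
    hardened = audit_chap_secrets(secrets)
    return {"missing_good": audit_ppp_options(good),
            "missing_bad": audit_ppp_options(bad),
            "weak": weak, "hardened": hardened}
```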
Additional PPTP-specific options are controlled through the pptpd.conf file, which normally resides in /etc or /etc/ppp. Some options you might want to set in this file include the following:

debug
Entering this option causes PoPToP to log more data to the system log, which can be useful if you're having problems getting a connection to work.

localip
PPTP works by using two IP addresses per client, one for use on the local network and one for use by the client remotely. The PPTP router responds to the local address itself, and passes data for it to the remote address. This is similar to a network address translation (NAT) setup. You can specify the local IP addresses with the localip option, using a comma-separated list or a range with a dash. For instance, localip 192.168.9.7,192.168.9.100-150 assigns 192.168.9.7 and all the addresses from 192.168.9.100 to 192.168.9.150. Be sure that other computers on your local network don't use these addresses.

remoteip
This option specifies the IP addresses to be used by the remote clients. They're normally addresses on a private IP address block. You specify IP addresses in the same format as for the localip option.

listen
You can have pptpd listen for connections on only one interface by listing the IP address associated with that interface with this option. By default, PoPToP listens to all interfaces, which permits PPTP connections within PPTP connections.
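The following Python parser is an added example, not from the chapter or the PoPToP project: it expands the localip and remoteip range syntax described above, then flags an empty remote pool, addresses listed twice, overlap between the two pools, and collisions with an optional list of addresses already in use on the local network. The pptpd.conf fragment it reads and the in-use addresses are constructed for the example.

```python
import ipaddress

# pptpd.conf fragment constructed for this example (not from a real router).
SAMPLE_PPTPD_CONF = """\
# PPTP-specific options; comments and blank lines are ignored
debug
localip 192.168.9.7,192.168.9.100-150
remoteip 192.168.9.200-210
"""


def expand_pool(spec):
    """Expand a localip/remoteip value into IPv4Address objects.

    Items are comma-separated. An item is either one address or a range
    such as 192.168.9.100-150, where the number after the dash replaces
    the last octet of the address before it.
    """
    addrs = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            start, last_octet = item.split("-", 1)
            first = ipaddress.IPv4Address(start)
            last = ipaddress.IPv4Address(start.rsplit(".", 1)[0] + "." + last_octet)
            if last < first:
                raise ValueError("range runs backwards: %s" % item)
            addrs.extend(ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def parse_pptpd_conf(text):
    """Return {option: value} for every option line in a pptpd.conf body."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def check_pools(conf_text, in_use=()):
    """Expand both pools and list configuration problems worth fixing."""
    opts = parse_pptpd_conf(conf_text)
    local = expand_pool(opts.get("localip", ""))
    remote = expand_pool(opts.get("remoteip", ""))
    used = {ipaddress.IPv4Address(a) for a in in_use}   # hosts already on the LAN
    problems = []
    if not remote:
        problems.append("remoteip is empty, so no client can be given an address")
    overlap = set(local) & set(remote)
    if overlap:
        problems.append("localip and remoteip overlap on %d address(es)" % len(overlap))
    for name, pool in (("localip", local), ("remoteip", remote)):
        if len(set(pool)) != len(pool):
            problems.append("%s lists an address more than once" % name)
        clash = sorted(str(a) for a in set(pool) & used)
        if clash:
            problems.append("%s reuses addresses already on the LAN: %s" % (name, ", ".join(clash)))
    return {"local": len(local), "remote": len(remote), "problems": problems}
```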
Enabling Encryption Features
PoPToP relies on pppd, which in turn relies upon the kernel. In PoPToP's implementation, encryption features require support from pppd, and pppd requires that the Linux kernel include appropriate encryption features. For this reason, using encryption with PoPToP requires patching or replacing both pppd and your kernel.

You may need to obtain patches and packages from several different locations in order to activate PPTP encryption support with PoPToP. Precisely how you go about this depends on the specific packages you install.

The easiest approach is to use a prepatched version of pppd and a prepatched Linux kernel. You can obtain both of these from http://mirror.binarix.com/ppp-mppe/. In particular, you must download two files:

The Linux kernel
Prepatched Linux kernels are available under filenames that begin with kernel, such as kernel-2.4.9-13mppe.i386.rpm. Some of these packages are precompiled binary kernels for specific system types, and others are kernel source packages. If you download a source package, you must configure and compile it for your system.

The ppp package
Prepatched pppd packages have filenames like ppp-2.4.1-3mdk.i586.rpm. You may be able to install such a package directly over your existing pppd package.

The http://mirror.binarix.com/ppp-mppe/ site favors binary packages built for the Mandrake distribution, so your best chance of using these packages is if you use Mandrake. It's possible that some of these packages, and particularly the ppp package, can be made to work with other distributions, particularly other RPM-based distributions.

TIP

If you run a distribution that doesn't use RPM, you may be able to use the alien utility to convert package formats. This program is a standard part of Debian, and it allows you to convert between RPM, Debian packages, and tarballs.
Another source of prepatched utilities is the PPTP-Linux site, http://pptpclient.sourceforge.net. This site hosts PPTP client software, as described shortly, and the ppp-mppe packages are pppd programs prepatched with MPPE support. These packages also include kernel modules with MPPE support. Consult the Web site to determine what kernel versions are supported when you download the file; the 2.4.0-4 packages available when I wrote this supported the 2.2.19 kernel on updated Red Hat 6.2 and 7.0 systems. Because 2.4.x kernels are now more common, this approach may not be desirable unless the files have been updated by the time you read this.

If you can't or don't want to use prebuilt binaries, you must patch both PPP and your kernel. You'll need to obtain and use at least five things:

The Linux kernel
You can obtain a standard Linux kernel source package from a site like http://www.kernel.org. I recommend using a standard Linux kernel, rather than a kernel from a Linux distribution, because the latter have often been modified with their own patches. This can make applying new patches difficult.

The pppd source code
Go to the pppd distribution site to obtain the original pppd source code.

OpenSSL
The MPPE patches require that you have OpenSSL and the OpenSSL header files installed on your system. You can obtain these from http://www.openssl.org.

Linux kernel patches
You can obtain Linux kernel patches from http://mirror.binarix.com/ppp-mppe/. Look for files that begin with linux and end with patch.gz, such as linux-2.4.16-openssl-0.9.6b-mppe.patch.gz.

pppd patches
The pppd patches are also available from http://mirror.binarix.com/ppp-mppe/. These files have names that begin with ppp and end in patch.gz, such as ppp-2.4.1-openssl-0.9.6-mppe-patch.gz. There are variants of many of these, such as a special version for Alpha CPUs.

Unfortunately, many of these patches and utilities are very version-specific. It's best to begin with the patch files and locate the exact kernel and pppd packages they support to avoid problems caused by version changes. To patch and use these tools, you'll need to uncompress the kernel and pppd source code packages, uncompress the patch files (with gunzip filename.patch.gz), patch the source code (with cd source-dir; patch -p1 < patchfile.patch), configure the packages (with make menuconfig or make xconfig for the Linux kernel and ./configure for pppd), compile the packages (with make bzImage and make modules for the Linux kernel and make for pppd), and install the packages (with make modules_install and LILO configuration for Linux and make install for pppd).

Whether you install your new encryption support from prebuilt binaries, by patching and compiling your tools yourself, or by a mixture, you'll need to reboot your computer to use the new kernel before your encryption support will be available.
PPTP Client Configuration
If your PPTP clients are Windows systems,
using them with a PoPToP VPN is fairly straightforward because Windows includes
PPTP support. Linux clients require an extra software package. In either case,
once the VPN connection is made, it's as if the VPN client is part of the local
network, at least from a logical point of view. (As noted earlier, speed is
likely to be well below true local network speed.)
Using Linux PoPToP Clients
PoPToP is a Linux PPTP server. To link a Linux system (or a Linux router) to a PoPToP or other PPTP server, you need another package: PPTP-Linux (http://cag.lcs.mit.edu/~cananian/projects/pptp/ or http://pptpclient.sourceforge.net). The second site includes PPTP-Linux source code in tarball and RPM formats, as well as binary RPMs for x86 and Alpha CPUs. You should download and, if necessary, compile one of these packages, then install it.

Like PoPToP, PPTP-Linux relies upon pppd and the Linux kernel for MPPE encryption. Therefore, you must install appropriate kernel and pppd changes before you can use an encrypted connection. The preceding section, "Enabling Encryption Features," describes how to do this. The PPTP-Linux site includes appropriate tools. Specifically, the ppp-mppe package is an MPPE-patched pppd program and kernel modules (for the 2.2.19 kernel, as of ppp-mppe version 2.4.0-4).

The PPTP-Linux package includes a setup script called pptp-command. To use this tool, follow these steps:

1. Start the script by typing pptp-command.
2. The script displays a list of four options: start , stop , setup , and quit . Type
3 to use the setup procedures.
3. The script displays a list of nine items that you may
configure. Type 2
to select Add a New CHAP secret .
4. The system asks for your local
name. This is the name your system will have on your VPN-mediated network. If
the VPN router is a Windows system, you must include a NetBIOS domain name. For
instance, you might type arbor\\maple to give your system the name maple in the arbor domain.
5. The system asks for your remote
name. In most cases, you can leave this at the default (an empty string). You
only need to use this if your network has multiple entries with the same local
name but different passwords.
6. The system asks for a password. This is the password that you entered in your PoPToP or other VPN server configuration, such as Step 2 in "PoPToP Server Configuration."
7. The script again displays the list of nine items you
can set up. Select option 5, Add a
NEW PPTP Tunnel .
8. The system displays a list of
predefined tunnels. This will most likely be empty, including only an option
called Other . If you see a tunnel that's correct for you, select it; but most
likely you'll need to select Other .
9. The system prompts for assorted pieces of information related to your tunnel definition, such as the tunnel's name (use whatever you like), the VPN server's IP address, and routing commands to be used with the tunnel. The latter are similar to those used with the route command (described in Chapter 2, TCP/IP Network Configuration). For instance, add -host 172.19.87.1 gw DEF_GW sets up the system to use 172.19.87.1 as its default gateway, and add -net 172.19.0.0/16 TUNNEL_DEV tells it to pass all data for the 172.19.0.0/16 network through the tunnel.
10. Once again, you see the list of nine items you can
configure. Select option 7, Configure
resolv.conf .
11. Select the tunnel configuration you created in Step 9. The system will ask you for DNS information that would ordinarily go in /etc/resolv.conf (as described in Chapter 2). Enter this information.
12. The 9-item list of options to configure appears
again. Select option 8, Select
a default tunnel .
13. The system asks for the name of a default tunnel. Select
the one you created in Step 9 (or some other tunnel if you're creating multiple
tunnels).
14. At the next appearance of the 9-item list, select option 9, Quit . This
terminates the setup program.
At this point, PPTP-Linux is configured to use your PPTP server. You can bring up the PPTP VPN link by using the same pptp-command program you used to set up the link. Instead of choosing option 3 at the first prompt, though, pick option 1 (start). The program asks for a tunnel number. Enter it (probably 1) and pptp-command brings up the PPTP VPN link.

NOTE

Bringing up the VPN link requires the existence of a regular network connection. Thus, you may need to configure your system to use a regular connection, as described in Chapter 2, or bring up a dial-up PPP link, before you can activate your VPN link.
You can test your VPN link by using route to view
your routing table, and by attempting to contact servers on the VPN system. If
you can't reach your VPN servers, try pinging the VPN router. You might also
try using traceroute to see if your packets are going over the VPN link. If traceroute shows packets traversing your normal (non-VPN) Internet connection, then
something is wrong with your routing table. There should be a path to the VPN
systems via the VPN's PPP link. If there isn't, Linux will try to route the
packets to that network via its normal Internet connection.
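To make the routing check above concrete, here is an added Python example (not from the chapter or PPTP-Linux) that parses route -n output, performs the longest-prefix match the kernel uses, and reports whether traffic for the 172.19.0.0/16 VPN network leaves over the PPP link or the normal Internet interface. The two routing tables and the interface names ppp0 and eth0 are constructed for the example.

```python
import ipaddress

# `route -n` output constructed for this example. With the tunnel up, the
# 172.19.0.0/16 network is reached over the PPP link (ppp0); everything else
# goes out the normal Internet connection (eth0).
ROUTE_WITH_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
"""

# The same host after the "add -net 172.19.0.0/16 TUNNEL_DEV" route was lost.
ROUTE_WITHOUT_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Turn `route -n` output into a list of (network, gateway, iface)."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and column header
        fields = line.split()
        if len(fields) < 8:
            continue
        net = ipaddress.IPv4Network("%s/%s" % (fields[0], fields[2]), strict=False)
        routes.append((net, fields[1], fields[7]))
    return routes


def route_for(routes, address):
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def diagnose(route_text, vpn_net, tunnel_iface="ppp0"):
    """Explain where packets for a host inside vpn_net would go.

    Returns 'ok' when they leave over the tunnel; otherwise describes the
    route actually selected, which is the symptom traceroute would show.
    """
    routes = parse_route_table(route_text)
    probe = ipaddress.IPv4Network(vpn_net)[1]   # first host address in the VPN net
    chosen = route_for(routes, str(probe))
    if chosen is None:
        return "no route to %s at all" % probe
    net, gw, iface = chosen
    if iface == tunnel_iface:
        return "ok"
    return "%s would leave via %s (%s, gateway %s) instead of %s" % (
        probe, iface, net, gw, tunnel_iface)
```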
Using Windows PPTP Clients
Frequently, PPTP clients are Windows computers belonging to frequent travelers, telecommuters, or others who need to work away from an office. Windows 9x/Me and Windows NT/2000/XP include PPTP clients, although they're usually not installed by default. The PPTP software works only after you have a working Internet connection, be it via a broadband ISP, a dial-up PPP ISP, or some other mechanism. The procedure for running a Windows Me PPTP client is as follows:

1. Double-click Add/Remove Programs from the Control Panel. This produces the Add/Remove Programs Properties dialog box.
2. Click the Windows Setup tab in the
Add/Remove Programs Properties dialog box.
3. Double-click the Communications item in the list of
component types. This brings up the Communications dialog box.
4. Check the Virtual Private
Networking item in the Communications dialog box.
5. Click OK in both the Communications and Add/Remove
Programs Properties dialog boxes. Windows will install the PPTP software, and
will probably require you to reboot the computer. Do so.
6. After the system reboots, open the
Dial-Up Networking folder in the Control Panel.
7. Double-click the Make New Connection icon. This produces the Make New Connection Wizard (shown in Figure 26.3).

Figure 26.3. Be sure to choose the Microsoft VPN Adapter when creating a VPN link, not the modem over which the connection goes.

8. Type an identifying name for the link and select the Microsoft VPN Adapter device, as shown in Figure 26.3.
9. Click Next. The Make New Connection window now
provides a text entry field in which you type the hostname or IP address of the
VPN server. Enter this information.
10. Click Next. The system now informs you that the new device is
available. Click Finish to dismiss the Make New Connection window.
A new icon now appears in the Dial-Up Networking
window. When you double-click this icon, Windows displays the Connect To dialog
box shown in Figure 26.4. You
should enter the username and password you use on the VPN server, and you may
adjust the VPN server's name or IP address, if desired. When you click Connect,
Windows initiates the connection, which may take a few seconds. Thereafter,
your system has an additional IP address, corresponding to one on the VPN
server's network. You can access systems on that network as if they were local,
including performing actions such as browsing the network in My Network Places
(Network Neighborhood in earlier versions of Windows) and using any resources
that are available only to local computers. Remember, though, that the physical
networking is not local, so you don't get the
same sort of speed that you would get if your system were directly connected to
the same networking medium as the VPN systems.
Figure 26.4. You can control a VPN link from the Connect To dialog box.

the Connect To dialog box before initiating a connection. As shown in Figure 26.4, you
can elect to have Windows remember (save) your password. If you do this, you
can have Windows initiate the connection whenever it starts up by selecting
Connect Automatically. Further options are available by clicking Properties.
This brings up a dialog box named after your VPN connection, as shown in Figure 26.5. The
most interesting options are on the Networking and Security tabs. From the
Networking tab, you can control whether the system uses software compression or
keeps a log of the session. You can also control what network protocols are
passed through the VPN. If you click TCP/IP Settings, you can tell the system
to obtain its IP address from the PPTP server or request a particular address
itself, and do the same for DNS server addresses. The Security tab lets you set
the username, password, and NetBIOS domain names. It also lets you enable or
disable password and data encryption (both are enabled by default, and
disabling them removes much of the benefit of a VPN).