PPTP server

From VyOS Wiki

Note: MPPE encryption used by the PPTP protocol has been proven weak (no better than DES). PPTP should be considered insecure and is not recommended for new deployments.

PPTP protocol

PPTP stands for "Point-to-Point Tunneling Protocol". It's a protocol developed by a vendor consortium (including Cisco and Microsoft) for client-server virtual private networks. It's described in RFC2637[1], which is informational and isn't accepted as an Internet standard (L2TP is recommended instead). Nevertheless, it's still widely used, especially for Microsoft Windows clients (Windows has a built-in client for it).

PPTP uses two different connections for its operation. The first is a TCP/1723 connection for session control. The second is a GRE tunnel for data transmission, which encapsulates PPP.

[Figure: PPTP architecture]

PPTP supports various authentication algorithms (PAP, CHAP, MS-CHAP, MS-CHAP-v2) and MPPE encryption algorithm for data security.

Server configuration

Configuration options for PPTP are:

  • Authentication mode: local or RADIUS. If local is specified, user information is stored in the configuration; otherwise a RADIUS AAA server is used to check the credentials.
  • Client IP pool. An IP range (e.g. 192.168.1.50-192.168.1.100) from which addresses for client tunnel endpoints are taken.
  • Outside address. The IP address VyOS listens on for PPTP connections (typically your WAN address).
  • DNS servers. Addresses of DNS servers your clients will obtain when initializing a PPTP session.
  • WINS servers. Addresses of WINS (Windows legacy name resolution protocol) servers your clients will obtain.

Configuring authentication options

Authentication options are mandatory: you cannot commit a PPTP configuration if authentication isn't configured.

Local authentication

If you want to use local authentication, the configuration will be:

edit vpn pptp remote-access
set authentication mode local

Then you need to create at least one user, otherwise your configuration will not be accepted:

set authentication local-users username TEST_USER password TEST_Password

RADIUS authentication

RADIUS authentication is preferred for large setups with numerous users (or when the same users are shared between multiple access servers). You obviously need a configured and properly working RADIUS server (e.g. FreeRADIUS[2] or any other) to use this authentication type.

When you have a RADIUS server, use the following commands:

set authentication mode radius
set authentication radius-server X.X.X.X key MyPassword

Where "X.X.X.X" is your RADIUS server's IP address and "MyPassword" is the shared secret you configured on the RADIUS server for this VyOS (Vyatta) client.

Configuring client IP pool

The client IP pool is a mandatory option; you cannot commit your PPTP configuration until you specify it.

edit vpn pptp remote-access
set client-ip-pool start 192.168.1.50
set client-ip-pool stop 192.168.1.100

Configuring outside address

The outside address is optional. If you set it, VyOS will listen for PPTP connections only on this address; otherwise it will listen on all addresses present on your system. To set it, use:

set outside-address X.X.X.X

Warning: specifying an address that is not present on your system does not cause an error. Check carefully what you type there.

Configuring DNS servers

DNS servers are optional, but you may specify them (up to two servers).

set dns-servers server-1 X.X.X.X
set dns-servers server-2 Y.Y.Y.Y

Configuring WINS servers

WINS servers are also optional. You only need them when you want your clients to reach Windows (or other SMB-aware) machines by legacy (non-DNS) names (like \\server\resource). You may specify up to two of them:

set wins-servers server-1 X.X.X.X
set wins-servers server-2 Y.Y.Y.Y

Example configuration

After going through these steps, you end up with something like this (the example uses local authentication):

 vpn {
     pptp {
         remote-access {
             authentication {
                 local-users {
                     username FirstUser {
                         password SomePassword
                     }
                     username SecondUser {
                         password AnotherPassword
                     }
                     username ThirdUser {
                         password OneMorePassword
                     }
                 }
                 mode local
             }
             client-ip-pool {
                 start 172.19.0.11
                 stop 172.19.0.254
             }
             dns-servers {
                 server-1 10.91.19.1
                 server-2 192.168.3.1
             }
         }
     }
 }

Firewall

Setting up the rules

If you are using a firewall, you need to add some rules to make PPTP connections work. First, you need a rule that allows TCP/1723 connections. TCP/1723 is used to initiate the session, so if it's not allowed, clients will be unable even to connect.

 rule 20 {
     action accept
     description "Allow PPTP access from the Internet"
     destination {
         port 1723
     }
     protocol tcp
 }

Then you need to allow GRE data connections. Otherwise clients will be able to initiate the session, but not to transmit any data. GRE is an IP protocol with number 47[3]. You may specify it explicitly by name (protocol gre) or by number (protocol 47):

 rule 30 {
     action accept
     description "Allow PPTP access from the Internet"
     protocol gre
 }

Another (and perhaps better) way to let PPTP data through is to rely on netfilter connection tracking. You may create a rule like:

 rule 1 {
     action accept
     state {
         established enable
         related enable
     }
 }

It allows any incoming replies to connections already initiated from inside, and also connections "related" to existing ones. The GRE connection of a PPTP session is recognized as related to its TCP/1723 control connection by the netfilter PPTP connection-tracking helper and is passed.

Attaching the firewall to an interface

If you run PPTP on the same router on which you are configuring the firewall, you need to attach the firewall as "local" to the interfaces on which you want to accept PPTP connections. If you have a firewall in front of your PPTP server, attach it as "in".

Full example

Here's an example for a firewall on the same router (the variant using connection state):

firewall {
    name InternetToRouter {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow PPTP access from the Internet"
            destination {
                port 1723
            }
            protocol tcp
        }
    }
}

interfaces {
    ethernet eth0 {
        address 192.0.2.1/24
        description "WAN interface"
        firewall {
            local {
                name InternetToRouter
            }
        }
    }
}

If you want to run the PPTP server behind NAT, connection state tracking is the only way to make it work.
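The following Python script is an added example, not part of this wiki page or of the VyOS project: it parses a ruleset written in the configuration syntax shown above and checks that it contains what a PPTP server needs, an accept rule for TCP/1723 plus a path for GRE (either an explicit protocol gre / protocol 47 rule or an established/related state rule). The sample ruleset is constructed to match the full example above, and the function names are the example's own.

```python
# Constructed sample in VyOS configuration syntax (not copied from a live router).
SAMPLE = """\
firewall {
    name InternetToRouter {
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow PPTP access from the Internet"
            destination {
                port 1723
            }
            protocol tcp
        }
    }
}
"""

def parse_config(text):
    """Parse VyOS brace syntax into nested dicts; leaf values are strings."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()                                  # back to the parent node
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})        # node key, e.g. "rule 20"
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip().strip('"')
    return root

def pptp_rules_ok(ruleset):
    """Return (tcp_1723_ok, gre_ok) for one 'firewall name <X>' ruleset dict."""
    tcp_ok = gre_ok = False
    for key, rule in ruleset.items():
        if not key.startswith("rule ") or rule.get("action") != "accept":
            continue
        proto, state = rule.get("protocol"), rule.get("state", {})
        tcp_ok |= proto == "tcp" and rule.get("destination", {}).get("port") == "1723"
        gre_ok |= proto in ("gre", "47")                       # explicit GRE rule
        gre_ok |= state.get("established") == "enable" and state.get("related") == "enable"  # GRE passes as 'related'
    return tcp_ok, gre_ok
```

A ruleset that only accepts TCP/1723 yields (True, False), which is exactly the "clients connect but no data flows" symptom described above.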

PPTP server operations

You can see open VPN sessions with the operational command:

show vpn remote-access

PPTP sessions can be recognized by "PPTP" in the "Proto" (protocol) field. Example output (real user names are replaced with "x"):

# run show vpn remote-access 
Active remote access VPN sessions:

User       Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
xxxxxxxx   07h06m53s PPTP  ppp7  172.19.0.17     283.6K 244.7M   1.1M  65.0M
xxxxxxxx   00h30m35s PPTP  ppp5  172.19.0.15          8    104     10    808
xxx        01d16h11m PPTP  ppp3  172.19.0.13        292 306.8K    251  93.7K
xxxxx      00h32m28s PPTP  ppp9  172.19.0.19       2.4K 416.2K   3.8K 371.5K

You may also administratively disconnect a user session with:

clear vpn remote-access user USERNAME
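As an added example (not from this wiki page or the VyOS project), the following Python script parses the output format shown above into session records and applies a simple policy (only known users, no session older than a limit), returning the matching clear commands for the sessions that violate it. The sample output and user names are constructed; the function names are the example's own.

```python
import re

# Constructed sample in the layout of 'show vpn remote-access' (not real users).
SAMPLE = """\
Active remote access VPN sessions:

User       Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
alice      07h06m53s PPTP  ppp7  172.19.0.17     283.6K 244.7M   1.1M  65.0M
bob        00h30m35s PPTP  ppp5  172.19.0.15          8    104     10    808
mallory    01d16h11m PPTP  ppp3  172.19.0.13        292 306.8K    251  93.7K
"""
_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(s):
    """'283.6K' -> 283600; the command abbreviates large packet/byte counters."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", s)
    return int(round(float(m.group(1)) * _UNITS[m.group(2)]))

def parse_duration(s):
    """'01d16h11m' or '07h06m53s' -> seconds."""
    secs = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * secs[u] for n, u in re.findall(r"(\d+)([dhms])", s))

def parse_sessions(text):
    """Return one dict per session row; banner, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 9 or not re.fullmatch(r"(\d+[dhms])+", p[1]):
            continue
        rows.append({"user": p[0], "seconds": parse_duration(p[1]), "proto": p[2],
                     "iface": p[3], "remote_ip": p[4],
                     "tx_bytes": parse_count(p[6]), "rx_bytes": parse_count(p[8])})
    return rows

def sessions_to_clear(text, allowed_users, max_seconds):
    """PPTP sessions from unknown users or older than max_seconds -> clear commands."""
    return [f"clear vpn remote-access user {s['user']}" for s in parse_sessions(text)
            if s["proto"] == "PPTP"
            and (s["user"] not in allowed_users or s["seconds"] > max_seconds)]
```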

Default PPTP settings

VyOS uses the most secure options that PPTP allows:

  • Authentication: MS-CHAP-v2
  • Encryption: MPPE-128
  • Compression: None

These options are used by Windows clients by default; other clients (including the Linux PPTP client) may require you to set them manually.

You can change the required protocol with the following option:

set vpn pptp remote-access authentication require <pap|chap|ms-chap|ms-chap-v2>

References