PPTP server

Since version 4.0, Vyatta supports a PPTP remote-access VPN server. This article describes its configuration and maintenance.

= PPTP protocol =

PPTP stands for "Point-to-Point Tunneling Protocol". It's a protocol developed by a vendor consortium (including Cisco and Microsoft) for client-server virtual private networks. It's described in RFC 2637, which is informational and isn't accepted as an Internet standard (L2TP is recommended instead). Nevertheless, it's still widely used, especially for Microsoft Windows clients (Windows has a built-in client for it).

PPTP uses two different connections for its operation. The first is a TCP/1723 connection for session control. The second is a GRE tunnel for data transmission, which encapsulates PPP.



PPTP supports various authentication algorithms (PAP, CHAP, MS-CHAP, MS-CHAP-v2) and MPPE encryption algorithm for data security.

= Server configuration =

Configuration options for PPTP are:
 * Authentication mode: local or RADIUS. If local is specified, user information is stored in the configuration; otherwise a RADIUS AAA server is used to check authentication information.
 * Client IP pool. An IP range (e.g. 192.168.1.50-192.168.1.100) from which addresses for client tunnel endpoints are taken.
 * Outside address. The IP address Vyatta will listen on for PPTP connections (typically your WAN address).
 * DNS servers. Addresses of the DNS servers your clients will receive when the PPTP session is set up.
 * WINS servers. Addresses of the WINS (legacy Windows name resolution) servers your clients will receive.

Configuring authentication options
Authentication options are mandatory; you can not commit the PPTP configuration if authentication isn't configured.

Local authentication
If you want to use local authentication, enter:

    edit vpn pptp remote-access
    set authentication mode local

Then you need to create at least one user, otherwise your configuration will not be accepted:

    set authentication local-users username TEST_USER password TEST_Password

RADIUS authentication
RADIUS authentication is preferred for large setups with numerous users (or when the same users are shared between multiple access servers). You obviously need a configured and properly working RADIUS server (e.g. FreeRADIUS or any other) to use this authentication type.

When you have a RADIUS server, use the following commands:

    set authentication mode radius
    set authentication radius-server X.X.X.X key MyPassword

Where "X.X.X.X" is your server's IP address and "MyPassword" is the password (shared secret) you set for the Vyatta client on your RADIUS server.

Configuring client IP pool
Client IP pool is a mandatory option; you can not commit your PPTP configuration until you specify it.

    edit vpn pptp remote-access
    set client-ip-pool start 192.168.1.50
    set client-ip-pool stop 192.168.1.100

Configuring outside address
Outside address is optional. If you set it, Vyatta will listen for PPTP connections only on this address; otherwise it will listen on all addresses present in your system. To set it, use:

    set outside-address X.X.X.X

Warning: if you specify an address not present in your system, it will not cause an error. Check carefully what you type there.

Configuring DNS servers
DNS servers are optional, but you may specify them (up to two servers):

    set dns-servers server-1 X.X.X.X
    set dns-servers server-2 Y.Y.Y.Y

Configuring WINS servers
WINS servers are also optional. You only need them when you want your clients to access Windows (or other SMB-aware) machines by legacy (non-DNS) names (like \\server\resource). You may specify up to two of them:

    set wins-servers server-1 X.X.X.X
    set wins-servers server-2 Y.Y.Y.Y

Example configuration
After you went through these steps you end up with something like this (the example uses local authentication):

    vpn {
        pptp {
            remote-access {
                authentication {
                    local-users {
                        username FirstUser {
                            password SomePassword
                        }
                        username SecondUser {
                            password AnotherPassword
                        }
                        username ThirdUser {
                            password OneMorePassword
                        }
                    }
                    mode local
                }
                client-ip-pool {
                    start 172.19.0.11
                    stop 172.19.0.254
                }
                dns-servers {
                    server-1 10.91.19.1
                    server-2 192.168.3.1
                }
            }
        }
    }
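A pre-commit sanity check for a block like the one above, added here as an example and not part of Vyatta: it parses the brace-style configuration text and reports the conditions this page describes, both those commit rejects (missing authentication mode, no local users, no client pool) and the one it silently accepts (an outside-address that is configured on no interface). The parser, the sample block with its deliberately mistyped outside-address and the set of system addresses are constructed for the example.

```python
"""Added example (not Vyatta code): parse the brace-style PPTP block shown on this page and
flag what the text says commit rejects and what it says commit does NOT catch."""
import shlex

def parse(text):
    """Parse Vyatta brace config into nested dicts; tag nodes become {value: {...}}."""
    tokens = shlex.split(text)  # keeps quoted values such as "WAN interface" intact
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if tokens[pos:pos + 1] == ["{"]:           # key { ... }
                pos += 1
                node[key] = block()
            elif tokens[pos + 1:pos + 2] == ["{"]:     # key value { ... }  (tag node)
                value = tokens[pos]
                pos += 2
                node.setdefault(key, {})[value] = block()
            else:                                      # key value  (leaf)
                node[key] = tokens[pos] if pos < len(tokens) else None
                pos += 1
        pos += 1  # step over the closing "}"
        return node
    return block()

def check_pptp(config, system_addresses):
    """Return the problems found; an empty list means the block looks sane."""
    ra = config.get("vpn", {}).get("pptp", {}).get("remote-access", {})
    auth, pool, problems = ra.get("authentication", {}), ra.get("client-ip-pool", {}), []
    mode = auth.get("mode")
    if mode is None:
        problems.append("no authentication mode (commit will refuse)")
    elif mode == "local" and not auth.get("local-users", {}).get("username"):
        problems.append("mode local but no local-users (commit will refuse)")
    if "start" not in pool or "stop" not in pool:
        problems.append("client-ip-pool start/stop missing (commit will refuse)")
    outside = ra.get("outside-address")
    if outside and outside not in system_addresses:
        problems.append(f"outside-address {outside} is on no interface (commit will NOT catch this)")
    return problems

# Constructed sample: the page's example block plus a mistyped outside-address.
SAMPLE = """vpn { pptp { remote-access {
    authentication { local-users { username FirstUser { password SomePassword } } mode local }
    client-ip-pool { start 172.19.0.11 stop 172.19.0.254 }  outside-address 192.0.2.11 } } }"""
SYSTEM_ADDRESSES = {"192.0.2.1", "172.19.0.1"}  # constructed; eth0 has 192.0.2.1 in the page's example
```

Feed it the output of `show configuration` (or the block you are about to commit) together with the addresses actually assigned to your interfaces.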

Setting up the rules
If you are using a firewall, you need to add some rules to make PPTP connections work. First, add a rule to allow TCP/1723 connections. TCP/1723 is used to initiate the session, so if it's not allowed clients will be unable even to connect:

    rule 20 {
        action accept
        description "Allow PPTP access from the Internet"
        destination {
            port 1723
        }
        protocol tcp
    }

Then you need to allow the GRE data connection. Otherwise clients will be able to initiate the session, but not to transmit any data. GRE is IP protocol number 47. You may specify it explicitly, as "protocol gre" or "protocol 47":

    rule 30 {
        action accept
        description "Allow PPTP access from the Internet"
        protocol gre
    }

Another (and perhaps better) way to let PPTP data through is to rely on netfilter connection tracking. You may create a rule like:

    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }

It allows any incoming replies to connections already initiated from inside, and also connections "related" to existing ones. The GRE connection of a PPTP session is recognized as related and passed.

Attaching the firewall to an interface
If you run PPTP on the same router on which you are configuring the firewall, attach the firewall as "local" to the interfaces you want to accept PPTP connections on. If you have a firewall in front of your PPTP server, attach it as "in".

Full example
Here's an example for a firewall on the same router (the variant using connection state):

    firewall {
        name InternetToRouter {
            default-action drop
            rule 1 {
                action accept
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description "Allow PPTP access from the Internet"
                destination {
                    port 1723
                }
                protocol tcp
            }
        }
    }

    interfaces {
        ethernet eth0 {
            address 192.0.2.1/24
            description "WAN interface"
            firewall {
                local {
                    name InternetToRouter
                }
            }
        }
    }

If you want to use a PPTP server behind NAT, connection state tracking is the only way to make it work.

= PPTP server operations =

You can list open VPN sessions with the operational command:

    show vpn remote-access

PPTP sessions can be recognized by "PPTP" in the "Proto" (protocol) field. Example output (real user names are replaced with "x"):

    Active remote access VPN sessions:

    User      Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
    --------  --------- ----- ----- --------------- ------ ------ ------ ------
    xxxxxxxx  07h06m53s PPTP  ppp7  172.19.0.17     283.6K 244.7M   1.1M  65.0M
    xxxxxxxx  00h30m35s PPTP  ppp5  172.19.0.15          8    104     10    808
    xxx       01d16h11m PPTP  ppp3  172.19.0.13        292 306.8K    251  93.7K
    xxxxx     00h32m28s PPTP  ppp9  172.19.0.19       2.4K 416.2K   3.8K 371.5K

You can also administratively disconnect a user session with:

    clear vpn remote-access user USERNAME
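As an added example (not a Vyatta tool), the following parses that session table into records and picks out PPTP sessions that have been up unusually long or have received a lot of data, so an operator can decide which ones to review or clear. The sample rows mirror the output format shown above; the thresholds in flag_sessions are constructed placeholders.

```python
"""Added example (not a Vyatta tool): parse the 'show vpn remote-access' table shown on this
page into records and pick out PPTP sessions that deserve an operator's look."""
import re

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def _number(text):
    """'283.6K' -> 283600, '8' -> 8; the CLI abbreviates large counters with K/M/G."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    return round(float(m.group(1)) * _SUFFIX[m.group(2)])

def _seconds(text):
    """'01d16h11m' or '07h06m53s' -> seconds."""
    return sum(int(n) * _UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def parse_sessions(output):
    """Return one dict per session row; the header, the rule line and blank lines are skipped."""
    sessions = []
    for line in output.splitlines():
        parts = line.split()
        # A session row has 9 columns and a duration such as 07h06m53s in the Time column.
        if len(parts) != 9 or not re.fullmatch(r"(\d+[dhms])+", parts[1]):
            continue
        user, uptime, proto, iface, remote, tx_pkt, tx_byte, rx_pkt, rx_byte = parts
        sessions.append({"user": user, "seconds": _seconds(uptime), "proto": proto, "iface": iface,
                         "remote_ip": remote, "tx_bytes": _number(tx_byte), "rx_bytes": _number(rx_byte)})
    return sessions

def flag_sessions(sessions, max_hours=24, max_rx_bytes=50_000_000):
    """PPTP sessions up longer than max_hours or that have received more than max_rx_bytes.
    Both thresholds are constructed placeholders; tune them to the site."""
    return [s for s in sessions if s["proto"] == "PPTP"
            and (s["seconds"] > max_hours * 3600 or s["rx_bytes"] > max_rx_bytes)]

# Constructed sample in the format shown on this page (user names masked as on the page).
SAMPLE_OUTPUT = """Active remote access VPN sessions:

User      Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
--------  --------- ----- ----- --------------- ------ ------ ------ ------
xxxxxxxx  07h06m53s PPTP  ppp7  172.19.0.17     283.6K 244.7M   1.1M  65.0M
xxxxxxxx  00h30m35s PPTP  ppp5  172.19.0.15          8    104     10    808
xxx       01d16h11m PPTP  ppp3  172.19.0.13        292 306.8K    251  93.7K
xxxxx     00h32m28s PPTP  ppp9  172.19.0.19       2.4K 416.2K   3.8K 371.5K
"""
```

Each flagged record carries the user name, so the operator can follow up with the `clear vpn remote-access user` command above where that is warranted.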

= Default PPTP settings =

Vyatta uses the most secure options PPTP allows:
 * Authentication: MS-CHAP-v2
 * Encryption: MPPE-128
 * Compression: None

Windows clients use these options by default; other clients (including the Linux PPTP client) may require you to set them manually.

Unfortunately, there's currently no way to change the options Vyatta uses.
