Example PPTPD Configuration

Here is my list of firewall rules and other configuration details for a setup that is working with Windows browsing and file sharing. With this configuration my VPN machines can access the local machines, and the internal machines can access the VPN machines. I assume the following are located in /usr/src:

Building and installing pptpd

cd /usr/src
tar xzf pptpd-1.1.2.tar.gz
cd pptpd-1.1.2
./configure --prefix=/usr --with-pppd-ip-alloc
make
make install

Extracting the kernel

Note: this must be done prior to building ppp

cd /usr/src
tar xzf linux-2.2.17.tar.gz

Extract and patch ppp

cd /usr/src
tar xzf ppp-2.3.11.tar.gz
gunzip ppp-2.3.11-openssl-0.9.5-mppe.patch.gz
cd ppp-2.3.11
patch -p1 < ../ppp-2.3.11-openssl-0.9.5-mppe.patch
cd linux
patch < ../../ppp_mppe_compressed_data_fix.diff
cd ..
./configure
make kernel

The following fixes a bug that may cause a segfault when debugging is on:

edit ppp-2.3.11/pppd/lcp.c around line 1541 and change the line which reads:
   LCPDEBUG((LOG_INFO, "lcp_reqci: rcvd CBCP"));
to read:
   LCPDEBUG(("lcp_reqci: rcvd CBCP"));

Building and installing the kernel

Note: The procedure described below rebuilds the entire kernel. It is possible to build just the ppp-related modules IF your kernel sources exactly match the currently installed kernel.

First you need to patch some of the changes that the ppp "make kernel" command made, which don't work with kernel version 2.2.17:

cd /usr/src/linux
patch -p1 < ../if_ppp_2.2.17.diff

Configure your kernel as appropriate. Make sure you enable at least the following. The Networking options settings are needed for the firewall and masquerading. PPP support and PTY support are required for pptpd and pppd.

make menuconfig

make dep
make clean
make bzImage
make modules
make modules_install
cp arch/i386/boot/bzImage /boot/bzImage-2.2.17
cp System.map /boot/System.map-2.2.17

Building and installing ppp

cd /usr/src/ppp-2.3.11
make
make install

At this point you should set up LILO, or whatever you use for booting, to use the new kernel image from /boot/bzImage-2.2.17. Refer to /usr/src/linux/README and also the Kernel-HOWTO and Upgrading the Linux Kernel on Red Hat Linux systems for more details on compiling and installing a kernel. Then reboot the machine using the new kernel.

The configuration

eth0 is connected to my DSL line
eth1 is the internal network, IP addresses 192.168.1.*
ppp* is the VPN dialup, given addresses 192.168.1.40-44

Note that both the VPN machines and the local machines have IP addresses on the same subnet. This works, and avoids the need for NAT to translate addresses from one net to the other. I am using pptpd's "./configure --with-pppd-ip-alloc" option to assign fixed IP addresses (assigned in chap-secrets) to each individual VPN user. If you don't do this (i.e. you use the default dynamic IP address assignment) the VPN machines will still be able to access the local network, but the local network machines won't be able to access the VPN machines because they won't have a fixed name-to-IP address mapping.
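As an added example (not from the original page), the following POSIX shell script checks a chap-secrets file against the fixed-address scheme just described. It assumes pptpd was built with --with-pppd-ip-alloc, so that the fourth column of /etc/ppp/chap-secrets supplies each user's address; the user names, secrets and the 192.168.1.40-44 pool in the sample data are constructed. Two things go wrong in practice: an entry whose address is "*" (or missing) falls back to dynamic assignment, so LAN machines lose the fixed name-to-IP mapping, and an address outside the pool reserved for ppp* is most likely a typo that will collide with a LAN host. Because chap-secrets holds the passwords in plain text, the script also verifies that the file is readable by root only.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the
# fixed-IP-per-user scheme.  Assumes pptpd was built with
# --with-pppd-ip-alloc, so the 4th column of /etc/ppp/chap-secrets is the
# address pppd hands to that peer.  All names and addresses are constructed.

# Constructed sample chap-secrets content: client  server  secret  IP
SAMPLE_SECRETS='# client   server  secret        IP
alice       pptpd   "s3cr3t-a"    192.168.1.40
bob         pptpd   "s3cr3t-b"    192.168.1.41
carol       pptpd   "s3cr3t-c"    *
dave        pptpd   "s3cr3t-d"    192.168.1.99
'

# First/last host number of the pool the VPN interfaces use (192.168.1.40-44).
POOL_LOW=40
POOL_HIGH=44

# ip_for_user SECRETS USER: print the fixed address for USER, or "none" when
# the entry is absent or uses "*" (dynamic assignment).
ip_for_user() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 ~ /^#/ { next }
        $1 == u {
            ip = $4
            if (ip == "" || ip == "*") ip = "none"
            print ip; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# count_out_of_pool SECRETS: number of entries that either use "*" or name an
# address outside 192.168.1.POOL_LOW-POOL_HIGH.  Such entries break the
# "LAN can reach VPN clients by name" property described above.
count_out_of_pool() {
    printf '%s\n' "$1" | awk -v lo="$POOL_LOW" -v hi="$POOL_HIGH" '
        $1 ~ /^#/ || NF < 4 { next }
        $4 == "*" { bad++; next }
        {
            n = split($4, o, ".")
            if (n != 4 || o[1] != 192 || o[2] != 168 || o[3] != 1 ||
                o[4] + 0 < lo + 0 || o[4] + 0 > hi + 0) bad++
        }
        END { print bad + 0 }'
}

# check_perms FILE: succeed only when FILE is readable by its owner alone
# (mode 600 or 400); chap-secrets stores passwords in plain text.
check_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stand-alone run (sh thisfile --run): report on the sample data and, if
# present, on the real /etc/ppp/chap-secrets.
if [ "${1:-}" = "--run" ]; then
    echo "alice -> $(ip_for_user "$SAMPLE_SECRETS" alice)"
    echo "entries outside the pool: $(count_out_of_pool "$SAMPLE_SECRETS")"
    if [ -f /etc/ppp/chap-secrets ]; then
        if check_perms /etc/ppp/chap-secrets; then
            echo "chap-secrets permissions OK"
        else
            echo "WARNING: chap-secrets is readable by group/others"
        fi
    fi
fi
```

One assumption the page does not spell out: for LAN machines to reach a VPN client that shares their subnet, the pptpd host has to answer ARP requests for the client's address on eth1, which is what pppd's proxyarp option does. If the VPN machines are reachable from the pptpd host but not from other LAN machines, check /etc/ppp/options.pptp for that option before suspecting the fixed-address setup.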

The Linux configuration files are:

Network Neighborhood

Network neighborhood browsing will work IF the machine running pptpd is also running samba and is maintaining a browse list (look for /var/lock/samba/browse.dat on the pptpd/samba machine). The VPN machines will be able to get the browse list from the machine running pptpd, but I don't think they will be able to get browse lists from any other machine. This is because browsing uses broadcast packets: these broadcasts will make it from the VPN machine to the pptpd machine through the PPTP link, but the pptpd machine will not echo them onto the local network (broadcasts are not routed).

If you can browse, but not access machines (you get "\\machinename is not accessible The network path was not found" errors when you double-click on a machine), then you are not getting proper name-to-IP resolution. The solution for this is to set up a c:\windows\hosts and c:\windows\lmhosts file containing the IP addresses and names of all of the machines on the local network. (In WinNT/2k this is in c:\winnt\system32\drivers\etc\hosts and lmhosts)

Alternatively, you can set up a wins server to aid in browsing and name resolution. To do this, add the line

ms-wins 192.168.1.1
to your /etc/ppp/options.pptp file, where 192.168.1.1 must be the address of a valid WINS server (which could be samba or WinNT) on your local network. My setup is working just fine WITHOUT any WINS configuration, however.