Setting up PPTP VPNs in Linux
Getting the VPN working in Linux is unfortunately slightly difficult. The VPN uses PPTP with MPPE encryption, which is not included in the vanilla kernel. Several distributions may have kernel packages with MPPE support, but you will probably have to patch and recompile the kernel yourself. For Debian users, here is a deb of the kernel patch (also available via apt-get), which can be used with the Debian kernel source and the Debian make-kpkg program. If you want to compile against the latest vanilla sources, then we have patches for 2.4 kernels and 2.6 kernels. With the Debian and 2.6 patches you need to enable CONFIG_PPP_MPPE in the kernel config; with the 2.4 patch above it is automatic. Also enable all the other ppp options, and recompile.
The default pppd also needs recompiling. Again, I've already produced a patched and recompiled Debian package for stable (woody) i386 here (you may have to put the package on hold in dpkg to stop it being upgraded automatically: run 'echo "ppp hold" | dpkg --set-selections'). If you have Debian sarge (currently testing) or later, then the default pppd already has MPPE support and you don't need to compile a new one. If you do need to recompile it from sources, you need the following patches. These are for a slightly old version of pppd, but it will work. If you want to get the latest patches and pppd, please try the patches link below.
- ppp-2.4.1.tar.gz
- ppp-2.4.1-MSCHAPv2-fix.patch.gz
- ppp-2.4.1-mppe.patch
- ppp-2.4.1-openssl-0.9.6-mppe-patch
- require-mppe.diff
Finally, you also need the pptp-linux client software. This is in the main Debian archives (available via apt), and also in the other main distributions. A copy of the source tar is here if you need to compile it.
These files may become out of date; a good source of all the patches is: http://public.www.planetmirror.com/pub/mppe/.
I shall assume that readers are competent with recompiling the necessary packages and kernel; if not, the Kernel HOWTO might help, otherwise email the CSG for advice. Once all of the packages are compiled and installed, you can set up the connection to the VPN:
Add alias ppp-compress-18 ppp_mppe to /etc/modules.conf (in Debian add it to /etc/modutils/ppp and run update-modules) - this will auto-load the mppe modules.
Add your username and password to /etc/ppp/chap-secrets:
<username> pptp <password> *
To connect to the VPN, you first need to configure and bring up your wireless interface, using DHCP to get an IP address. This will give you an internal IP address with which to talk to the VPN server.
Now run pptp with the options:
pptp gateway name <username> -- +chap require-mppe -deflate noauth defaultroute noipdefault
(or you can put everything after the username in /etc/ppp/options). Apparently nodeflate may have to be used instead of -deflate. These options have been updated for recent ppp versions. If they don't work, try sprinkling mppe-128 mppe-stateless +mschap-v2 +mschap +chapms +chapms-v2 around to see if it helps.
This should bring up a point-to-point link via pppd to the server, give you an external IP address on that link, and set up your default route. At this point you should have a connection to the internet. If you are using the VPN via a public network, then you may have to change the routing table before connecting:
route add -host gateway.trinhall.cam.ac.uk gw <your gateway> <network interface>
route add -host <your DNS server> gw <your gateway> <network interface>
route del default
pptp gateway user <user> defaultroute
After disconnecting the VPN you will need to reset your default route to the original with:
route add default gw <your gateway>
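The routing commands above, filled in from the current routing table, as an added example that is not part of the original page. The helper name vpn_route_plan, the sample route -n output and the DNS address 192.0.2.53 are constructed for illustration; the function only prints the commands, it does not change any routes.

```shell
#!/bin/sh
# Added example: print (not run) the route commands from the page, filling in
# <your gateway> and <network interface> from `route -n` output on stdin.
# vpn_route_plan is a hypothetical helper name, not part of pptp-linux or pppd.

# Constructed sample of `route -n` output for a wireless client (not real data).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 wlan0'

vpn_route_plan() {
    # $1 = VPN server host, $2 = DNS server address; routing table on stdin
    awk -v vpn="$1" -v dns="$2" '
        # The default route is the line with destination 0.0.0.0 and the G flag.
        $1 == "0.0.0.0" && $4 ~ /G/ { n++; gw = $2; ifc = $8 }
        END {
            if (n != 1) {
                # No default route, or more than one: refuse to guess.
                print "error: expected one default route, found " (n + 0) > "/dev/stderr"
                exit 1
            }
            print "# before connecting:"
            print "route add -host " vpn " gw " gw " " ifc
            print "route add -host " dns " gw " gw " " ifc
            print "route del default"
            print "# after disconnecting:"
            print "route add default gw " gw
        }'
}

# Demonstration on the constructed sample; on a live system pipe `route -n` in instead.
printf '%s\n' "$SAMPLE_ROUTES" | vpn_route_plan gateway.trinhall.cam.ac.uk 192.0.2.53
```

Review the printed commands before running them as root, and note the gateway shown on the last line so the default route can be restored after disconnecting.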
If you have problems with the connection freezing on large data transfers, try setting the mru and mtu to 1000.
If you have further problems, please let us know (csg@trinhall.cam.ac.uk), and you may also want to check out http://pptpclient.sourceforge.net/howto-diagnosis.phtml (courtesy of Piotr Zielinski).
Trinity Hall CSG