Getting PPTP to work on Debian GNU/Linux

This tries to be a fairly simple DIY guide to getting a PPTP server working on Debian GNU/Linux, with MS-CHAPv2 authentication and 128-bit MPPE encryption. This work was carried out while working for my employers, Laser-Scan.

Update: In newer Debian releases, a lot of the fiddling here is unnecessary. From the sarge release, the ppp package has MPPE support built-in, the CCP_MAX_OPTION_LENGTH problem has been fixed, and the alias in /etc/modutils/aliases is now included in the modutils package. Thanks to James Cameron for pointing this out.

Install and configure PoPToP

Install the PPTP server from the pptpd Debian package. It's in both Potato and Woody.

Configure the IP addresses in /etc/pptpd.conf. The localip parameter will be the IP address of the ppp interface on the machine you're running PoPToP on. It really needs to be on the same subnet as remoteip, which is a list of the IP addresses you wish to assign to PPTP clients connecting to your server. I have:

speed 115200
option /etc/ppp/pptpd-options
localip 192.168.210.127
remoteip 192.168.210.128-160

Build the PPP MPPE kernel module

Now we need to build a kernel module to do MPPE data encryption. A kernel patch is available in Debian unstable (sarge) in the kernel-patch-mppe package. Install that package. It'll create some stuff in /usr/src/kernel-patches. Change directory to the top level of a kernel build tree and you should be able to say /usr/src/kernel-patches/all/apply/mppe to apply the MPPE patch.

Not quite there yet, though. Edit include/linux/ppp-comp.h and search for CCP_MAX_OPTION_LENGTH. Setting it to 128 will avoid problems with data encryption later.

Now make modules and make modules_install to put your new modules in place. If you do kernel autoloading of modules you probably want to define an alias in /etc/modutils/aliases:

alias ppp-compress-18   ppp_mppe
and run /sbin/update-modules. I just modprobe the thing in by hand.

Get an MPPE and MSCHAP-v2 capable pppd

Googling reveals http://ftp.schlittermann.de/pub/debian-private/ppp-mppe/ which is a Debian package of a pppd someone else prepared earlier.

Configure your /etc/ppp/pptpd-options

Mine looks a bit like:

name vpnserver.mydomain.com
domain mydomain.com

auth
require-chapms-v2
+chapms
+chapms-v2
mppe-128
#mppe-40 # if you can't get better
mppe-stateless

ms-dns 192.168.0.1
ms-dns 192.168.1.1
ms-wins 192.168.0.1

noipx
nodefaultroute
proxyarp
lock

Configure your Windows client

Blah. LCP extensions on, MSCHAP-v2 and data-encryption on. Software data compression off. Document incomplete author lazy blah.


Owen Dunn / owen@greenend.org.uk / Home