This tries to be a fairly simple DIY guide to getting a PPTP server working on Debian GNU/Linux, with MS-CHAPv2 authentication and 128-bit MPPE encryption. This work was carried out while working for my employers, Laser-Scan.
Update: In newer Debian releases, a lot of the fiddling here is unnecessary. From the sarge release, the ppp package has MPPE support built-in, the CCP_MAX_OPTION_LENGTH problem has been fixed, and the alias in /etc/modutils/aliases is now included in the modutils package. Thanks to James Cameron for pointing this out.
Install the PPTP server from the pptpd Debian package. It's in both Potato and Woody.
Configure the IP addresses in /etc/pptpd.conf. The localip parameter will be the IP address of the ppp interface on the machine you're running PoPToP on. It really needs to be on the same subnet as remoteip, which is a list of the IP addresses you wish to assign to PPTP clients connecting to your server. I have:
speed 115200
option /etc/ppp/pptpd-options
localip 192.168.210.127
remoteip 192.168.210.128-160
Now we need to build a kernel module to do MPPE data encryption. A kernel patch is available in Debian unstable (sarge) in the kernel-patch-mppe package. Install that package. It'll create some stuff in /usr/src/kernel-patches. Change directory to the top level of a kernel build tree and you should be able to say /usr/src/kernel-patches/all/apply/mppe to apply the MPPE patch.
Not quite there yet, though. Edit include/linux/ppp-comp.h and search for CCP_MAX_OPTION_LENGTH. Setting it to 128 will avoid problems with data encryption later.
Now make modules and make modules_install to put your new modules in place. If you do kernel autoloading of modules you probably want to define an alias in /etc/modutils/aliases:
alias ppp-compress-18 ppp_mppe
and run /sbin/update-modules. I just modprobe the thing in by hand.
Googling reveals http://ftp.schlittermann.de/pub/debian-private/ppp-mppe/ which is a Debian package of a pppd someone else prepared earlier.
Mine looks a bit like:
name vpnserver.mydomain.com
domain mydomain.com
auth
require-chapms-v2
+chapms
+chapms-v2
mppe-128
#mppe-40 # if you can't get better
mppe-stateless
ms-dns 192.168.0.1
ms-dns 192.168.1.1
ms-wins 192.168.0.1
noipx
nodefaultroute
proxyarp
lock
Blah. LCP extensions on, MSCHAP-v2 and data-encryption on. Software data compression off. Document incomplete author lazy blah.
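A quick check for an options file like the one above, as an added example that is not part of the original guide: it confirms that auth, require-chapms-v2 and mppe-128 are active and that mppe-40 is still commented out. The function names are hypothetical; pass it the file named by the option line in /etc/pptpd.conf.

```shell
#!/bin/sh
# Added example: audit a pppd options file against the settings this guide uses.
# Function names are hypothetical; the option names are the ones shown in the guide.

# Print the active option keywords, one per line. Whole-line and trailing
# comments are stripped first, so "#mppe-40 # ..." does not count as active.
active_options() {
    sed -e 's/#.*$//' "$1" | awk 'NF { print $1 }'
}

# Return 0 if the file requires authentication, MS-CHAPv2 and 128-bit MPPE
# and leaves the 40-bit option disabled. Otherwise list the problems and
# return 1 (or 2 if the file cannot be read).
audit_pptpd_options() {
    file=$1
    rc=0
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi
    opts=$(active_options "$file")
    for required in auth require-chapms-v2 mppe-128; do
        # -x matches the whole line, so "noauth" is never mistaken for "auth".
        if ! printf '%s\n' "$opts" | grep -qxF -- "$required"; then
            echo "MISSING: $required is not active in $file"
            rc=1
        fi
    done
    if printf '%s\n' "$opts" | grep -qxF -- 'mppe-40'; then
        echo "WEAK: mppe-40 is active in $file; the guide keeps it commented out"
        rc=1
    fi
    return $rc
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_pptpd_options "$1"
fi
```
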