10 September 2006

PopTop - PPTP Windows VPN on a Linux Server

Our old PPTP server finally died last week.

It was an old Windows NT (!!!) server, and we were just wondering how long it would take before it got taken down. Well, it finally got found, and was subsequently infected with numerous viruses by the script kiddies out there. Comparatively, it lasted long enough, a good 8 years plus, so it had a good run!

We got rid of the viruses and put it back online, and within a day it got infected again.

Fortunately we don't have anything important running on it; most of our VPN requirements have been converted to IPsec. However, there is a small number of users who do want to connect from home via the very convenient PPTP client built into their Windows machines. Very easy to set up and run. Not a crucial requirement, but nice to have...

So we decided to try PopTop.

"Using Poptop, Linux servers can now function seamlessly in a PPTP VPN environment. This enables administrators to leverage the considerable benefits of both Microsoft and Linux operating systems."

Setting this up was relatively easy. I followed the online instructions as described here: Redhat-howto. However, there were problems.

At first the WinXP client would not connect to the server. Upon checking, I found out that the firewall was enabled on the server. So we opened up port 1723 for PPTP.

Then the WinXP client connected, but complained that the server did not support certificates (either 40-bit or 128-bit encryption). My fault: I hadn't set up the options.pptp file correctly with require-mschap-v2 and require-mppe-128 as options.

I used the webmin PPTP Server module to do the administration (it comes standard with webmin), and it was pretty much full-featured, except that it didn't have a section to define the ms-dns and ms-wins options as in the options.pptp file. Not a major problem; vi helped.
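As an added example (not from the post or from the PopTop project), a small POSIX shell check that parses a pppd options file of the kind options.pptp is, and flags the condition the XP client complained about: require-mschap-v2 or require-mppe-128 absent, or a weaker authentication or encryption level required instead. Both sample files and the 192.0.2.x ms-dns/ms-wins addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample 1: an options.pptp without the two directives the
# post says were missing (what the Win XP client complained about).
WEAK_OPTS='name pptpd
refuse-pap
refuse-chap
require-mppe-40
ms-dns 192.0.2.10
ms-wins 192.0.2.11
proxyarp
lock'

# Constructed sample 2: the corrected file with the two directives added.
GOOD_OPTS='name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.0.2.10
ms-wins 192.0.2.11
proxyarp
lock'

# has_opt OPTIONS KEYWORD: true if KEYWORD appears as a directive at the
# start of a line; '#' comments are stripped first so they cannot match,
# and the trailing boundary stops require-mschap matching require-mschap-v2.
has_opt() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"
}

# check_pptp_options OPTIONS: report on each directive; return 0 only when
# both require-mschap-v2 and require-mppe-128 are present and no weaker
# authentication or encryption level is being required instead.
check_pptp_options() {
    rc=0
    for want in require-mschap-v2 require-mppe-128; do
        if has_opt "$1" "$want"; then echo "ok:      $want"
        else echo "MISSING: $want"; rc=1; fi
    done
    for weak in require-mppe-40 require-pap require-chap require-mschap; do
        if has_opt "$1" "$weak"; then echo "WEAK:    $weak"; rc=1; fi
    done
    return $rc
}

# Stand-alone run: the weak file is rejected, the corrected file passes.
check_pptp_options "$WEAK_OPTS" || echo "sample 1 rejected (expected)"
echo "---"
check_pptp_options "$GOOD_OPTS" && echo "sample 2 accepted"
```

To check a live server, feed it the real file: `check_pptp_options "$(cat /etc/ppp/options.pptp)"`.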

It's hard to debug the connection. Somehow I could never ping the PPTP server once connected. So for a good 3 hours I was trying to find out what was wrong, and making sure that the routes were correct. It's annoying because neither 'route print' nor 'ipconfig' on the WinXP client provides any useful information about the VPN setup.

And then finally I found this nugget of information: 'deselect "Use default gateway on remote network"'. I tried it, and mysteriously it worked.

It took me longer than I anticipated to set up the server; however, it was not because of the server setup, rather it was an obscure setting on the client that was needed to get it to work.

So now we have completely replaced the unsupported, defunct, aging, crackable Windows NT with a shiny new Fedora Core 5 server running PopTop. Users just have to make a small adjustment to their client settings to reconnect. I have since brought up the firewall to allow only certain traffic to flow through this connection, to prevent future cracks.

It's amazing what FOSS can do for you.

yk.