pptpd mini-HOWTO (a discussion in the Slackware Linux Support forums, part of the Unix Operating Systems category)
Thought I'd document this here as it's likely to be of use to other people building a VPN server for Windows XP clients.

----------------------------------------------------------------------
Setting up pptpd on Slackware 10.0

There's a few things to watch out for in setting up pptpd on a Slackware 10.0 system. The basic steps are as follows:

1) Download and compile the pptpd daemon. This is straight forward.
2) Patch and recompile the ppp package to include mppe/mppc support.
3) Patch the linux kernel for mppe/mppc and recompile.

pptpd

Compiling pptpd is easy. This is the regular ./configure; make; make install song and dance.

ppp

This is more difficult at first. The ppp.Slackbuild file included with Slackware 10.0 as of the time of this writing (2004-09-14) is broken. It will not create a complete ppp package. This is a result of the newer pcap version no longer using net/bpf.h. This has been replaced with pcap-bpf.h. Uncompress the ppp-2.4.2.loopback.gz patch file and append the following to it:

```
- --- ./pppd/demand.c	2003-03-03 00:11:45.000000000 -0500
+++ ./pppd/demand.c	2004-09-14 20:28:06.000000000 -0400
@@ -50,7 +50,7 @@
 #include <sys/socket.h>
 #ifdef PPP_FILTER
 #include <net/if.h>
- -#include <net/bpf.h>
+#include <pcap-bpf.h>
 #include <pcap.h>
 #endif
- --- ./pppd/sys-linux.c	2004-01-12 23:05:20.000000000 -0500
+++ ./pppd/sys-linux.c	2004-09-14 20:28:21.000000000 -0400
@@ -141,7 +141,7 @@
 #endif /* IPX_CHANGE */
 #ifdef PPP_FILTER
- -#include <net/bpf.h>
+#include <pcap-bpf.h>
 #include <linux/filter.h>
 #endif /* PPP_FILTER */
```

(Note, I submitted that little patch to Patrick but whether he includes it or not as an update is in the air. It's not actually a package after all. I would be surprised to see this problem persist in 10.1 when it's released. Either Pat will have fixed the build script, or a new version of ppp will know about pcap-bpf.h.)

Now gzip that patch back up. The ppp package will compile now, but we're not done yet. You need to download the mppe/mppc ppp patch from http://www.polbox.com/h/hs001/

Now edit the ppp.Slackbuild file and add the following line above the slackdiff patch. Note: this should all be one line.

```
zcat $CWD/ppp-2.4.2-mppe-mppc-1.1.patch.gz | patch -p1 --verbose --backup --suffix=.orig
```

You should also consider incrementing the BUILD number by one to differ this package from the default ppp package included with Slackware.

kernel

You can use either the 2.4.27 kernel or the 2.6.7 kernel. Patches aren't yet out for 2.6.8.

Update: A patch is now available for 2.6.8. I haven't used this one though so consider yourself warned.

Patching the kernel is as easy as 1, 2, well... there is no third step. :^)

```
cd /usr/src/linux-$VERSION
zcat ../linux-$VERSION-mppe-mppc-1.1.patch.gz | patch -p1
```

Now configure your kernel. Make sure to include support for ppp and the ppp-mppe-mppc module. Compile as you normally would.

CONFIGURING

pptpd

/etc/pptpd.conf is well commented and the man page gives good information. The important options are the "options, local_ip, and remote_ip" fields.

ppp

This is more tricky. There are a lot of possible options for ppp. The following /etc/ppp/options.pptpd file works for me. Note that this was shamelessly pulled from http://gfxcafe.com/VPN%20Howto.html

/etc/ppp/options.pptpd

```
name *
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
#lcp-echo-failure 3
#lcp-echo-interval 5
deflate 0
# Handshake auth method
+chap
+mschap-v2
# Data Encryption Methods
mppe required
```

You'll have to add a username, password, and server combination to chap-secrets. This is trivial and documented in that file. I won't insult your intelligence by adding anything here. Ok, maybe I will. :^)

```
echo "username * password *" >> /etc/ppp/chap-secrets
```

Note this does not have to be a valid unix user in /etc/passwd.

You should be able to login now from Microsoft Windows XP clients. I have not tested with 9x, but do know for a fact that Mac OSX's VPN client wouldn't connect to it. Go figure.

Setting up routing with ppp is beyond the scope of this mini-HOWTO.

Hope this has been helpful.
----------------------------------------------------------------------

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
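Review bot: neither hunk applies as pasted, because the post was PGP clearsigned and every line beginning with "-" has been dash-escaped to "- -": the file headers read `- --- ./pppd/demand.c` and `- --- ./pppd/sys-linux.c`, and the removal lines read `- -#include <net/bpf.h>` where `patch` expects `-#include <net/bpf.h>`. Strip the leading "- " from those lines before appending them to the loopback patch. The hunk headers also claim seven old and seven new lines (`@@ -50,7 +50,7 @@` and `@@ -141,7 +141,7 @@`) while only six and five lines are visible in the demand.c and sys-linux.c hunks, so blank context lines were lost in the posting; regenerate the diff against the ppp-2.4.2 sources with `diff -u` rather than retyping it, or `patch` will reject the hunks for a line-count mismatch.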
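One check an administrator can run against the options.pptpd and chap-secrets files described above: does the options file actually require MPPE with MS-CHAPv2, and is the secrets file (which stores passwords in the clear) private? This is an added example, not code from the original post; the function names `effective_options`, `check_options` and `check_secrets` are my own, and it assumes pppd's one-option-per-line syntax with `#` starting a comment.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pppd options file such
# as /etc/ppp/options.pptpd and a chap-secrets file. Assumes pppd's
# one-option-per-line format with '#' starting a comment.

# effective_options FILE: print the options pppd would actually see, with
# comments, blank lines and surrounding whitespace removed.
effective_options() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# has_option FILE BRE: succeed if some effective option line matches BRE.
has_option() {
    effective_options "$1" | grep -q -- "$2"
}

# check_options FILE: report on the encryption and authentication settings.
# Prints one line per finding and returns 0 only when nothing is a FAIL.
check_options() {
    f="$1"
    rc=0
    has_option "$f" '^mppe[[:space:]][[:space:]]*required' ||
        { echo "FAIL: 'mppe required' missing; unencrypted sessions would be accepted"; rc=1; }
    has_option "$f" '^+mschap-v2$' ||
        { echo "FAIL: +mschap-v2 missing; MPPE keys are derived from MS-CHAPv2"; rc=1; }
    has_option "$f" '^auth$' ||
        { echo "FAIL: 'auth' missing; the peer is not required to authenticate"; rc=1; }
    has_option "$f" '^+mschap$' &&
        { echo "FAIL: +mschap enables MS-CHAPv1, which is weaker than v2"; rc=1; }
    has_option "$f" '^+pap$' &&
        { echo "FAIL: +pap allows cleartext password authentication"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f requires MPPE and MS-CHAPv2"
    return "$rc"
}

# check_secrets FILE: chap-secrets stores passwords in the clear, so the file
# must not be readable by group or others. Returns 0 when the mode is private.
check_secrets() {
    f="$1"
    perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
    case "$perms" in
        *r*) echo "FAIL: $f is readable by group or others; chmod 600 $f"; return 1 ;;
    esac
    n=$(effective_options "$f" | wc -l | tr -d ' ')
    echo "OK: $f is private; $n secret(s) defined"
    return 0
}

# Usage: sh audit_pptpd.sh /etc/ppp/options.pptpd /etc/ppp/chap-secrets
if [ "$#" -ge 1 ]; then
    check_options "$1"
    [ "$#" -ge 2 ] && check_secrets "$2"
fi
```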
+Alan Hicks+ <alan@lizella.netWORK> wrote:

> Setting up routing with ppp is beyond the scope of this mini-HOWTO.
> Hope this has been helpful.

IIRC, it's as simple as

echo 1 > /proc/sys/net/ipv4/ip_forward

All the rest is (should be?) automagical. Could be wrong, my memory ain't what it was. I set up PPTP on 9.1 a while ago, it's still running beautifully at multiple sites. Maybe I should have made notes at the time...

I actually had more hassles getting Samba to work over the resulting VPN.

Nice mini-HOWTO.

--
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/
In alt.os.linux.slackware, George Georgakis dared to utter,

>> Setting up routing with ppp is beyond the scope of this mini-HOWTO.
>
> IIRC, it's as simple as
> echo 1 > /proc/sys/net/ipv4/ip_forward

Yeah, that's what I did and it works fine, but ppp is one of those swiss army knife things. There's all kinds of issues you can have with it, especially if you're integrating both pptpd and dial-up pppd services.

Also, IIRC there's a way on most clients to only partially VPN. That is, use the local IP information for routing packets to non-VPN addresses. I'm not sure if there's a server option to turn that on or not; I haven't dug in deep enough to know.

And then of course there's running it behind a firewall in which case you have to have a firewall that understands GRE to ensure everything goes right, etc, etc.

> I set up PPTP on 9.1 a while ago, it's still running beautifully at
> multiple sites. Maybe I should have made notes at the time...

Heh. That's why I made these. I've got a package up for pptpd on linuxpackages.net. I'm going to add an updated one for ppp with this patch. No way am I going to fool around with kernel packages though. :^) You're on your own for that.

> I actually had more hassles getting Samba to work over the resulting
> VPN.

Really? Anything in particular that was hard, as this is exactly what I'm intending to do. I would think that no additional samba configuration would be necessary provided your clients are on the same subnet. This machine is going to be a general purpose server for a client. It will handle internet routing with NAT, run samba for file sharing, do their backups to cd-rw media (everything that's irreplaceable will fit on a single cd, no need for yet, so we're putting in a DVD-RW drive. That'll be my first mkisofs; cdrecord backup script), and run pptpd so they can grab files from home and their remote office in another city can get the occasional file as well.

> Nice mini-HOWTO.

Thanks. I decided to pop it here before I go through the trouble of putting it on my website. By the time it gets there, I'd've probably lost it. Now google's got it. :^)

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
+Alan Hicks+ <alan@lizella.netWORK> wrote:

> And then of course there's running it behind a firewall in which case
> you have to have a firewall that understands GRE to ensure everything
> goes right, etc, etc.

Yep, lots of people don't understand that there's more to networking than TCP and UDP over IP. Catches 'em right out.

>> I actually had more hassles getting Samba to work over the resulting
>> VPN.
>
> Really? Anything in particular that was hard, as this is exactly what
> I'm intending to do. I would think that no additional samba
> configuration would be necessary provided your clients are on the same
> subnet.

My reference: http://www.shorewall.net/PPTP.htm#Samba. For some reason I also had to enable NetBIOS over TCP/IP on some (but not all) XP machines. In some cases I even had to add entries to the Windows' HOSTS file.

Go figure.

--
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/
In alt.os.linux.slackware, George Georgakis dared to utter,

>> And then of course there's running it behind a firewall in which case
>> you have to have a firewall that understands GRE to ensure everything
>> goes right, etc, etc.
>
> Yep, lots of people don't understand that there's more to networking than
> TCP and UDP over IP. Catches 'em right out.

We had to install this Symantec firewall/router one time for a client who was, shall we say, careful with money. They didn't want to pay $1,500 for a linux box to act as a firewall and router. Normally I'd only charge about $1,000 for that, but they made use of a few different VPNs to other remote networks so there could have been extra work involved, but I digress. That thing was the biggest piece of shit firewall I've ever seen. It was supposed to allow stateless outbound traffic, but it had no GRE support and the VPN connections just died, straight up died. We finally had to turn off all packet filtering, install a weak firewall on each of the handful of windows machines, and give those windows machines static IPs from their pool (they were willing to pay for a fractional T1 line, but not a strong firewall, go figure). Wound up owing us about $4,000 for all the labor. I don't think they ever paid up.

>> I would think that no additional samba
>> configuration would be necessary provided your clients are on the same
>> subnet.
>
> My reference: http://www.shorewall.net/PPTP.htm#Samba. For some reason I
> also had to enable NetBIOS over TCP/IP on some (but not all) XP machines.
> In some cases I even had to add entries to the Windows' HOSTS file.
>
> Go figure.

Thanks for the heads up. I wasn't planning on it, but I may work it out so that each machine that connects always gets a static IP, and run BIND to try to cut back naming issues. WINS is a black box I've never been able to understand.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
+Alan Hicks+ <alan@lizella.netWORK> wrote:

> We had to install this Symantec firewall/router one time
<snip>
> That thing was the biggest piece of shit firewall I've ever seen.

I'm curious. What model was that?

--
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/
In alt.os.linux.slackware, George Georgakis dared to utter,

>> We had to install this Symantec firewall/router one time
>> That thing was the biggest piece of shit firewall I've ever seen.
>
> I'm curious. What model was that?

http://enterprisesecurity.symantec.c...m?ProductID=63

I believe it is the 100 model of that line of "firewall/VPN appliance" (read: stupid POS). Now that I'm looking at the available PDF on that page, it most definitely is the Model 100. I distinctly remember it having only one WAN and 4 LAN ports. The VPN support is "Gateway to Gateway", which basically means if you have two offices with this thing in it you may use it to connect those two offices. The damn thing just wouldn't do GRE tunnels, and heaven forbid you even think about doing GRE over NAT!

Symantec's "support" is a joke. Like Microsoft, they want you to pay by the hour for phone support. I managed to wrangle out of that by calling sales and getting presales support, which is usually better anyway. You know how tech companies are, once you've bought the product, you're on your own. :^)

FWIW they recommended we purchase the model 200R because it has support for "Remote client to Gateway VPN". They said purchasing this would solve all the problems. For some reason they didn't seem to understand that I didn't want to access a local VPN, but rather leave the local network and connect to a remote VPN. Go figure.

If you're looking at using one of these things, here's my honest opinion. Save your time and energy. The monetary savings you _might_ see from using one of these pales in comparison to the possible troubles.

PROS:
- Decently intuitive HTTP configuration utility.
- Small form factor, low noise, low power consumption.
- Good for protecting a small LAN that has no need to do anything fancy with nodes outside their LAN.

CONS:
- Limited functionality. Even in the most expensive model you're bound to run up against things that it just won't do.
- No ability to perform additional tasks.
- Lack of non-fee support including online resources.
- IIRC no support for any IDS.

IMO this is a great little device for very few businesses. It's definitely not aimed towards casual home users with its price tag. Does basically the same thing a $70 Linksys router does only worse. Of course, using a Linksys router doesn't give PHBs that feeling of security that uses a little grey and yellow thing with lots of steel and blinking lights. If a business can't think of an el cheapo SOHO router/firewall as good enough, and doesn't want to trust a *nix box to do that role, then you may be stuck with something like this. I recommend doing whatever it takes to talk them out of it. Most small businesses interested in this are going to need different things as their needs change. This is just not a versatile piece of equipment.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5