I’m posting this for posterity’s sake. Tested on OpenBSD 4.2 and 4.3 servers, with Win XP SP2, Mac OS X 10.5.2 and iPhone 2.0.1 clients.
Download and install the Poptop package found here.
Create additional tunnel devices:
# cd /dev
# ./MAKEDEV tun? (where ? is the device number)
/dev/tun0 to /dev/tun3 exist by default. The number of tun devices determines the number of concurrent users allowed.
By default, Poptop looks for its configuration file in /etc/pptpd.conf. So let’s create that file now:
# pppd configuration file
option /etc/ppp/ppp.conf
# IP address of your server-side PPTP connection
# Should be from an unused subnet
localip 10.10.10.1
# IP address range of your PPTP clients
remoteip 10.10.10.100-200
# IP address where Poptop will bind to
listen 123.123.123.123
# PID file (can be used for monitoring)
pidfile /var/run/pptpd.pid
noipparam
Now, let’s create the pppd config file. It doesn’t have to be named like this. It can be /etc/ppp/shitballs.conf as long as you refer to it by that name in the option line of pptpd.conf.
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateless
set ifaddr 10.10.10.1 10.10.10.100-10.10.10.200 255.255.255.255
set server /tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
set dns 192.168.1.1
set nbns 192.168.1.1
set filter in 0 deny 192.168.1.0/24 0
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 6 permit 0/0 192.168.1.0/24
set filter out 6 permit 192.168.1.0/24 0/0
set filter in 7 permit icmp
set filter out 7 permit icmp
set filter in 8 permit udp dst gt 33433
set filter out 9 permit udp dst gt 33433
set device !/etc/ppp/secure
We also need to create the /etc/ppp/secure file and make sure it has the execute bit set.
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
The next file to create is /etc/ppp/ppp.secret. It contains the usernames, passwords and, optionally, the static IP of each dial-in user.
# username password static IP
johndoe mysupersecretpassword *
janedoe johnisgay 10.10.10.150
admin secret *
Secure the file. It should be mode 0400.
Remember to create ppp.log and reload syslogd:
# touch /var/log/ppp.log
# kill -HUP <syslogd PID>
There will be two syslogd processes running, so you need to kill the one running as root.
Add the following lines to /etc/rc.local to make Poptop start automatically after a reboot.
if [ -x /usr/local/sbin/pptpd ]; then
echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi
Last but not least, we need to allow traffic from PPTP clients. Add these rules to your pf.conf and reload pf.
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
It is good practice to reboot the machine to confirm that everything comes up correctly.
NOTE: For Mac OS X clients (including the iPhone), edit your /Library/Preferences/SystemConfiguration/preferences.plist file and change the value of CCPEnabled to 0
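As an added sanity check (my own script, not Poptop's or part of the original post), the following cross-checks the two config files above before pptpd is started: localip in pptpd.conf must match the first address of set ifaddr in ppp.conf, and since the tun device count caps concurrent users, a remoteip range wider than the available tun devices is flagged. It runs on constructed copies of the files rather than the live /etc and /dev.

```shell
#!/bin/sh
# Added consistency check for the pptpd.conf / ppp.conf pair above; it is not
# part of Poptop. Paths are parameters so it can run on constructed copies.

# Value of a pptpd.conf keyword such as localip or remoteip (comments ignored).
pptpd_value() {  # $1=pptpd.conf $2=keyword
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Server-side address given to "set ifaddr" in ppp.conf.
ppp_ifaddr_local() {  # $1=ppp.conf
    awk '$1 == "set" && $2 == "ifaddr" { print $3; exit }' "$1"
}

# Number of client addresses in a remoteip range, written either as
# 10.10.10.100-200 or as 10.10.10.100-10.10.10.200.
remoteip_count() {  # $1=range
    lo=${1%-*}; hi=${1#*-}
    echo $(( ${hi##*.} - ${lo##*.} + 1 ))
}

# Number of tun devices in a directory (/dev on the real server).
tun_count() {  # $1=dir
    ls "$1" | awk '/^tun[0-9]+$/ { n++ } END { print n + 0 }'
}

# 0 when both files agree on the server address and the tun devices cover the
# whole remoteip range; 1 with a reason otherwise.
check_config() {  # $1=pptpd.conf $2=ppp.conf $3=device dir
    a=$(pptpd_value "$1" localip); b=$(ppp_ifaddr_local "$2")
    [ "$a" = "$b" ] || { echo "localip $a but ppp.conf ifaddr $b"; return 1; }
    want=$(remoteip_count "$(pptpd_value "$1" remoteip)")
    have=$(tun_count "$3")
    [ "$have" -ge "$want" ] ||
        { echo "remoteip allows $want clients, only $have tun devices"; return 1; }
}

# Constructed fixture mirroring the post: the four default tun devices and
# a 101-address remoteip range, so the check reports the shortfall.
make_fixture() {  # $1=directory to populate
    mkdir -p "$1/dev"
    for i in 0 1 2 3; do : > "$1/dev/tun$i"; done
    printf 'option /etc/ppp/ppp.conf\nlocalip 10.10.10.1\nremoteip 10.10.10.100-200\n' \
        > "$1/pptpd.conf"
    printf 'pptp:\n set ifaddr 10.10.10.1 10.10.10.100-10.10.10.200 255.255.255.255\n' \
        > "$1/ppp.conf"
}

demo=$(mktemp -d) && make_fixture "$demo"
check_config "$demo/pptpd.conf" "$demo/ppp.conf" "$demo/dev" || echo "add tun devices with MAKEDEV"
```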
One Comment
Hi,
I use your conf word for word (almost, and it fails).
Have you tried with a recent iPhone and OpenBSD?