PoPToP Daemon in the Year 2024

Wiki.TerraBase.info
Revision as of 14:37, 11 February 2024 by Root (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Is it possible to install the PoPToP Daemon / PPTPD in the year 2024? Yes!

OK, shhhhhh.... All the faults are understood, etc. But at this late date, it's almost like storing all you're passwords in an unencrypted voice message on an 8-Track Tape. Sure it's unprotected, but how is anyone going to figure out what the passwords are without a ton of work?

Anyway, the short version of the installation process is as follows;

  • Do NOT install via DNF (no packages are available, IE, dnf install pptpd has no packages available as it has been removed from the EPEL repository, as it should have been done)
  • Do NOT install via an RPM package (because the 1.4.0 version of PPTPD was built against PPP 2.4.5, and as of 2024, the current version of PPP is 2.4.9)
  • Pre-requisites;
    • dnf install ppp ppp-devel
  • Install PPTPD
    • Download the Source Code: https://sourceforge.net/projects/poptop/files/pptpd/pptpd-1.4.0/
    • Untar it into a build directory (steps omitted)
    • Run the following commands;
      • ./configure
      • make
      • make check
      • make install
    • Configure (see below for working examples)
      • /etc/pptpd.conf
      • /etc/ppp/options
      • /etc/ppp/chap-secrets
      • /usr/lib/systemd/system/pptpd.service
      • /etc/sysconfig/ppptd
    • After the above Configuration Files are done
      • systemctl enable pptpd
      • ...before starting the PPTPD Service;
        • By default, when compiling the PPTPD from source, the pptpd binary file will be located here: /usr/local/sbin/pptpd, not in the 'usual RPM location' of : /usr/sbin/pptpd, so;
          • ln -s /usr/local/sbin/pptpd /usr/sbin/pptpd (this will keep things as simple as possible if recompiling PPTPD, unlikely for many reasons including the fact the version 1.4.0 is 11 years old as of 2024, but just in case, do it this way)
      • systemctl start pptpd
    • Issues or Errors?
      • Enable "debug" in
      • Check /var/log/messages
    • Do additional stuff if desired;
      • Webmin, etc., change the below items for Webmin to start and stop the PPTPD Service
        • systemctl start pptpd
        • systemctl stop pptpd

Below are examples of files referenced above;

/etc/pptpd.conf
localip 192.168.1.200-209
remoteip 192.168.1.210-219
(use your own local subnet above instead of the generic 192.168.1.X)


/etc/ppp/options

logfile /var/log/ppp.log
noipdefault
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
refuse-pap
refuse-chap
require-mppe-128
refuse-mschap
require-mschap-v2


/etc/ppp/chap-secrets 
WhatEverUserName WhatEverServerName WhatEverPassword "*"
("*" = "Answer from any IP Address in the world)

Create the following File, then systemctl daemon-reload, systemctl enable pptpd

[Unit]
Description=PoPToP Point to Point Tunneling Server
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/pptpd
ExecStart=/usr/sbin/pptpd -f $OPTIONS

[Install]
WantedBy=multi-user.target

And for the above "systemctl file", make sure the below file exists: /etc/sysconf/pptpd, below are the default contents from the CentOS RPM /etc/sysconfig/pptpd File

OPTIONS=

For additional PPTPD.conf options, see below;

/etc/pptpd.conf###############################################################################
# $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#	Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: vrf <vrfname>
#	Switches PPTP & GRE sockets to the specified VRF, which must exist
#	Only available if VRF support was compiled into pptpd.
#
#vrf test

# TAG: bcrelay <if>
#	Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#	Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#	These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses seperated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than the value of connections,
#	   it will start at the beginning of the list and go until it
#	   gets connections IPs.  Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

For options.pptp, sometimes options.pptpd (in /etc/ppp): REMEMBER: For some reason, either because of the compiled PPTPD binary or the PPP RPM that comes with modern versions of Linux, the options.pptpd or options.pptp File is completely ignored, so, put the below options into /etc/ppp/options;

###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes 
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)


# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}


# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40	# enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}


# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp 

# Disable Van Jacobson compression 
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd, 
# which may trigger a loopback
nologfd

# put plugins here 
# (putting them higher up may cause them to sent messages to the pty)