PPTP server

Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP (port 1723) and a GRE tunnel (IP protocol 47) to encapsulate PPP packets.

This article shows how to set up a PPTP server on Arch Linux.

Warning: The PPTP protocol is inherently insecure and must not be relied on for confidentiality. MS-CHAPv2, the strongest authentication it offers, can be broken by anyone who captures the handshake: the exchange reduces to a single 2^56 DES key search that recovers the user's NT password hash, and the MPPE session keys are derived from that same hash, so a passive observer can decrypt the traffic. See http://poptop.sourceforge.net/dox/protocol-security.phtml for details.

Installation

Install the pptpd package.

Configuration

Tip: Configuration examples can be found in the /usr/share/doc/pptpd directory.

A typical configuration may look like:

/etc/pptpd.conf
# Read man pptpd.conf, see samples in /usr/share/doc/pptpd
# and write your pptpd configuration here

# pppd options file. By default, /etc/ppp/options is used
option /etc/ppp/options.pptpd

# Server IP in local network
localip 192.168.1.2

# IP address ranges used to assign IPs to new connecting clients
# Here we define two ranges for our 192.168.1.* subnet: 234-238 and 245
remoteip 192.168.1.234-238,192.168.1.245

Now create the pppd options file, in our example this is /etc/ppp/options.pptpd:

/etc/ppp/options.pptpd
# Read man pppd to see the full list of available options

# The name of the local system for authentication purposes
name pptpd

# Refuse PAP, CHAP and MS-CHAP; accept only clients that authenticate with
# MS-CHAPv2 and negotiate MPPE with 128-bit encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

# Answer ARP requests for the client's address on the LAN interface (proxy ARP),
# required here because remoteip addresses are taken from the LAN subnet
proxyarp

# For the serial device to ensure exclusive access to the device
lock

# Disable BSD-Compress and Van Jacobson TCP/IP header compression
nobsdcomp
novj
novjccomp

# Disable file logging
nolog

# DNS servers for Microsoft Windows clients. Using Google's public servers here
ms-dns 8.8.8.8
ms-dns 8.8.4.4
Note: Ensure the file ends with a newline to prevent possible parsing issues.

Now create the credentials file that pppd uses to authenticate users; the server name in each entry must match the name option set above (pptpd). In this article the example user is user2 with the password 123.
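As an added example, not code from the Arch wiki page or the pptpd project, the following POSIX shell functions write an entry in the format pppd reads from /etc/ppp/chap-secrets (client, server, secret, allowed IP addresses; see man pppd) and then check the file the way a reviewer would: the secrets are stored in plain text, so the file must be mode 0600 and owned by root, and it must end with a newline. The file path is a parameter so the functions can be tried on a scratch file first; the GNU stat invocation is assumed, as on Arch.

```sh
#!/bin/sh
# Added example, not part of the Arch wiki page or the pptpd project.
# pppd authenticates MS-CHAPv2 users against /etc/ppp/chap-secrets (man pppd),
# one entry per line:   client   server   secret   IP-addresses
# The file path is a parameter so the functions can be tried on a scratch file.

# Append one user. Fields are tab-separated; the secret is double-quoted so
# pppd reads it verbatim; "*" lets the client take any address from remoteip.
add_chap_user() {
    secrets="$1"; user="$2"; server="$3"; secret="$4"
    # Whitespace or a double quote inside a field would split or terminate it
    # and silently change which user or secret pppd sees, so refuse them.
    for field in "$user" "$server" "$secret"; do
        case "$field" in
            ''|*[[:space:]]*|*'"'*) echo "add_chap_user: bad field" >&2; return 1 ;;
        esac
    done
    # The secrets are plain text: keep an existing file 0600 and create a new
    # one 0600 (umask 077 in a subshell so the caller's umask is untouched).
    if [ -e "$secrets" ]; then chmod 600 "$secrets"; fi
    ( umask 077; printf '%s\t%s\t"%s"\t*\n' "$user" "$server" "$secret" >> "$secrets" )
}

# Check a secrets file before pointing pppd at it: it exists, is mode 0600,
# ends with a newline (see the note above about parsing issues) and has an
# entry for the user. On a real server also confirm it is owned by root.
# Uses GNU stat (coreutils), as on Arch.
check_chap_secrets() {
    secrets="$1"; user="$2"
    [ -f "$secrets" ] || { echo "$secrets: missing" >&2; return 1; }
    [ "$(stat -c '%a' "$secrets")" = 600 ] || { echo "$secrets: must be mode 600" >&2; return 1; }
    # $(...) strips a trailing newline, so a non-empty result means there was none.
    [ -z "$(tail -c 1 "$secrets")" ] || { echo "$secrets: no final newline" >&2; return 1; }
    grep -Eq "^$user[[:space:]]" "$secrets" || { echo "$secrets: no entry for $user" >&2; return 1; }
}

# Usage for the user in this article (the server name must match "name pptpd"
# in /etc/ppp/options.pptpd):
#   add_chap_user /etc/ppp/chap-secrets user2 pptpd 123
#   check_chap_secrets /etc/ppp/chap-secrets user2
```

Run the check again after every manual edit of the file: a stray editor that rewrites the file with the default umask, or saves without a final newline, is exactly the kind of mistake it catches.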

Create a sysctl configuration file that enables kernel packet forwarding, so that connecting clients can reach your subnet (see also Internet Share#Enable packet forwarding):

Now apply changes to let the sysctl configuration take effect:

# sysctl --system

iptables firewall configuration

Configure iptables to allow PPTP clients: accept the control channel on TCP port 1723 and GRE packets on INPUT, and allow forwarding between the ppp interfaces and your LAN.

Now save the new iptables rules with:

# iptables-save > /etc/iptables/iptables.rules

To load /etc/iptables/iptables.rules automatically after boot, enable the iptables.service unit.

Read Iptables for more information.
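The following POSIX shell script is an added example, not part of the Arch wiki page or the pptpd project. It serves both the packet-forwarding step above and this iptables section: one function prints the sysctl drop-in, another prints a complete iptables-restore ruleset, so both can be reviewed before being written to /etc/sysctl.d/ and /etc/iptables/iptables.rules. The LAN interface name (eth0 in the usage lines) and the drop-in file name 30-ipforward.conf are assumptions to adapt. Only what PPTP needs is opened on INPUT (TCP 1723 and GRE), and forwarding is allowed only between ppp+ and the LAN interface. No NAT rule is included: with proxyarp and remoteip addresses taken from the LAN subnet, clients appear as ordinary LAN hosts.

```sh
#!/bin/sh
# Added example, not part of the Arch wiki page or the pptpd project.
# Prints the forwarding sysctl and an iptables-restore ruleset for a PPTP
# server. Nothing here changes the running system; review the output, then
# save it (see the usage lines at the bottom).

# Drop-in enabling IPv4 forwarding. Without it the kernel discards packets
# that arrive on ppp+ and are addressed to hosts on the LAN.
forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Accept only names that can be a Linux interface name (at most 15 bytes,
# no whitespace or shell metacharacters), so a bad argument can never end
# up inside the generated ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print an iptables-restore file for the given LAN interface.
# INPUT defaults to DROP and opens only the PPTP control channel (TCP 1723)
# and GRE (IP protocol 47). FORWARD defaults to DROP and permits traffic
# only between the ppp+ interfaces and the LAN interface, so the VPN cannot
# be used as a route into any other network the server is attached to.
pptp_ruleset() {
    lan_if="$1"
    valid_ifname "$lan_if" || { echo "pptp_ruleset: bad interface name: $lan_if" >&2; return 1; }
    cat <<EOF
# Generated PPTP ruleset for LAN interface $lan_if
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# PPTP control channel and GRE tunnel
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# VPN clients <-> LAN only
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp+ -o $lan_if -j ACCEPT
-A FORWARD -i $lan_if -o ppp+ -j ACCEPT
COMMIT
EOF
}

# Usage (assumed LAN interface eth0 and drop-in name 30-ipforward.conf):
#   forwarding_sysctl > /etc/sysctl.d/30-ipforward.conf && sysctl --system
#   pptp_ruleset eth0 > /etc/iptables/iptables.rules
#   iptables-restore < /etc/iptables/iptables.rules   # then enable iptables.service
```

If the server also has to pass client traffic to the Internet through its own uplink (rather than through a router on the LAN), a MASQUERADE rule in the nat table for the uplink interface is required in addition to the above; it is deliberately left out of this ruleset.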

UFW firewall configuration

Configure ufw to allow PPTP clients.

First change the default forward policy in /etc/default/ufw (DEFAULT_FORWARD_POLICY must be ACCEPT so that traffic can be forwarded between the ppp interfaces and your LAN).

Now edit , adding the following after the header and before the *filter line:

Allow GRE packets (IP protocol 47) in : find the line with and add the rule:

Open the PPTP control port, TCP 1723:

Restart ufw so that the changes take effect.

Start the server

Now start and enable the PPTP server using .

Troubleshooting

As with any service, see Systemd#Troubleshooting to investigate errors.

Error 619 on the client side

Search for the logwtmp option in /etc/pptpd.conf and comment it out. When this option is enabled, wtmp is used to record client connections and disconnections:

#logwtmp

pptpd[xxxxx]: Long config file line ignored

Make sure /etc/pptpd.conf ends with a newline: add a blank line at the end of the file.

ppp0: ppp: compressor dropped pkt

If you see this error while a client is connected, add the following script as /etc/ppp/ip-up.d/mppefixmtu.sh (pppd runs the scripts in that directory after a link comes up and passes the interface name, e.g. ppp0, as the first argument):

#!/bin/sh
# Raise the MTU of the newly created ppp interface by 4 bytes so that the
# MPPE "compressor" stops dropping packets.
# $1 is the interface name pppd passes to ip-up scripts (e.g. ppp0).
CURRENT_MTU="$(ip link show "$1" | grep -Po '(?<=mtu )[0-9]+')"
FIXED_MTU=$((CURRENT_MTU + 4))
ip link set "$1" mtu "$FIXED_MTU"

Make the script executable.

See also:

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.