It would be unfair to say that PopTop wasn't doing a good job as my PPTP server of choice on OpenBSD for quite some time. It met all my requirements: it worked on OpenBSD, let my Windows users connect to the VPN with software included in the base system, and authenticated users against Active Directory. I was never quite happy administering it, however. I am not sure whether that was due to its obstreperous and incomprehensible config files, its terrible session monitoring capabilities, or the fact that it creates a new tun interface for each session. One way or another, we never got used to each other. As of OpenBSD 5.3, npppd, the New Point to Point Protocol Daemon, is part of the OpenBSD base system. The following article describes how to configure it as a PPTP server that authenticates users against RADIUS.

In order for npppd to perform its role as a PPTP server, pipex and GRE have to be enabled in sysctl.conf (entries in that file are applied at boot; to turn them on immediately, pass the same settings to sysctl(8) as root):

echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf

Only one config file, npppd.conf, is needed to configure every aspect of npppd. Mine looks as follows:

set max-session 50               # total concurrent sessions
set user-max-session 3           # sessions per account

tunnel MIMAR protocol pptp {
    listen on                    # the server's public address
    pptp-vendor-name "openbsd-npppd"
    mppe required                # refuse clients that will not encrypt
    mppe-key-length 128
    mppe-key-state stateless
    idle-timeout 3600            # seconds without traffic before disconnect
}

ipcp MIMAR {
    pool-address ""              # address range handed out to clients
    allow-user-selected-address no
}

interface tun1 address ipcp MIMAR

authentication RADIUS type radius {
    strip-nt-domain yes          # DOMAIN\user -> user before sending to RADIUS
    strip-atmark-realm yes       # user@realm -> user
    authentication-server {
        address secret "CanYouHackMe"
        address secret "CanYouHackMe"
    }
    accounting-server {
        address secret "CanYouHackMe"
        address secret "CanYouHackMe"
    }
}

bind tunnel from MIMAR authenticated by RADIUS to tun1

Here's a brief explanation of the config. A maximum of 50 concurrent sessions is allowed in total, and a single account is limited to 3 sessions at a time. The PPTP server listens on the public IP address given after listen on, and presents itself to clients with the configured hostname and openbsd-npppd as its vendor string. It requires MPPE with 128-bit keys for all client traffic, and disconnects clients that neither send nor receive any traffic through the tunnel for one hour. Clients' tunnel interfaces are assigned addresses from the configured pool, along with the configured DNS servers; clients are not allowed to ignore the assigned address and specify their own. Server and clients communicate through the tun1 interface (tun0 is already taken by another service), whose address is set in the interface line. Authentication and accounting are handled by the same two RADIUS servers, listed in both the authentication-server and accounting-server blocks. Finally, the bind line ties clients of the MIMAR tunnel, authenticated by the RADIUS realm, to tun1. Two caveats are worth keeping in mind: MPPE's session keys are derived from the MS-CHAPv2 exchange, whose weaknesses are well documented, so mppe required raises the bar against passive sniffing but does not make PPTP a substitute for a modern VPN protocol; and the shared secret is all that protects the traffic between npppd and the RADIUS servers, so use a long random string rather than a phrase like the one above, and keep that traffic on a trusted network segment.

Let's instruct the system to start npppd at boot time:

rcctl enable npppd

A reboot applies our changes to sysctl.conf and starts npppd; alternatively, set the two sysctls by hand and run rcctl start npppd. Either way, TCP port 1723 (the PPTP control channel) and the GRE protocol (the data channel) must be allowed through every firewall between server and clients, including pf on the server itself, otherwise clients won't be able to connect.
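The steps above (sysctls, rcctl, firewall rules) collected into one script, as an added example that is not part of the original post. It assumes the server's external interface is em0 and that its pf rules live in /etc/pf.conf; both are assumptions, adjust them for your host. Run without arguments it only prints the pf rules it would add; with the argument apply it sets the sysctls immediately and persists them, appends the rules once, validates the whole ruleset with pfctl -nf before loading it, and enables and starts npppd.

```shell
#!/bin/sh
# Bring up npppd as a PPTP server without a reboot and open pf for it.
# Added example, not from the original post. Assumes the external
# interface is em0 and pf rules are in /etc/pf.conf (both assumptions).
set -u

EXT_IF=${EXT_IF:-em0}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Rules PPTP needs on the public side: the TCP control channel on port
# 1723 and the GRE data channel (IP protocol 47). The tun1 rule lets the
# PPP traffic npppd decapsulates pass under a default "block all" policy.
pf_pptp_rules() {
    cat <<EOF
# PPTP control channel and GRE tunnel for npppd
pass in quick on $EXT_IF proto tcp from any to ($EXT_IF) port 1723
pass in quick on $EXT_IF proto gre from any to ($EXT_IF)
pass on tun1
EOF
}

# Set the kernel knobs now (sysctl(8) applies them immediately) and persist
# them in sysctl.conf if they are not already there.
enable_sysctls() {
    for knob in net.pipex.enable=1 net.inet.gre.allow=1; do
        sysctl "$knob" || return 1
        grep -qx "$knob" /etc/sysctl.conf 2>/dev/null || echo "$knob" >> /etc/sysctl.conf
    done
}

# Append the rules once, then syntax-check the whole file before loading
# it, so a typo cannot leave the host with a broken ruleset.
install_pf_rules() {
    grep -q 'port 1723' "$PF_CONF" 2>/dev/null || pf_pptp_rules >> "$PF_CONF"
    pfctl -nf "$PF_CONF" && pfctl -f "$PF_CONF"
}

start_service() {
    rcctl enable npppd && rcctl start npppd
}

if [ "${1:-}" = apply ]; then
    enable_sysctls && install_pf_rules && start_service
else
    printf 'Dry run; "%s apply" would add these rules to %s:\n' "$0" "$PF_CONF"
    pf_pptp_rules
fi
```

The quick keyword makes the two inbound rules win regardless of where they end up in the file; pass on tun1 is last, so it also wins over an earlier block rule under pf's last-match semantics.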

Once clients start to connect, we can check basic information about active sessions with npppctl session brief, which gives us the following output:

Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
        56 stanley.kubrick      PPTP
        76  francisford.coppola  PPTP
        77 david.lynch          PPTP

Use npppctl session all for more detailed info:

Ppp Id = 56
          Ppp Id : 56
          Username : stanley.kubrick
          Realm Name : RADIUS
          Concentrated Interface : tun1
          Assigned IPv4 Address :
          Tunnel Protocol : PPTP
          Tunnel From :
          Start Time : 2013/05/10 08:30:11
          Elapsed Time : 19125 sec (5 hours and 18 minutes)
          Input Bytes : 14307506 (13.6 MB)
          Input Packets : 42915
          Input Errors : 1 (0.0%)
          Output Bytes : 32365828 (30.9 MB)
          Output Packets : 48668
          Output Errors : 0 (0.0%)
