How To Set Up PPTP VPN Server With OpenBSD and npppd

openbsd npppd vpn pptp

It would be unfair to say that Poptop wasn’t doing a good job as my choice of PPTP server on OpenBSD for quite some time. It did meet all my requirements: it worked on OpenBSD, provided my Windows users with the ability to connect to VPN with software included in base system, and authenticated users from Active Directory. I was never quite happy administering it, however. I am not sure if it was due to its obstreperous and incomprehensible config files or terrible session monitoring capabilities. One way or another, we never got used to each other. As of OpenBSD 5.3, npppd – New Point to Point Protocol Daemon – became a part of OpenBSD base system. The following article describes how to configure it as a PPTP server which authenticates users from RADIUS.

This article has been corrected in April of 2020 to use pppx(4) instead of tun(4) interface, due to the instability I experienced when number of pptp clients increased from ~20 to ~200, as described on OpenBSD @misc mailing list.

In order for npppd to successfully perform its role of a PPTP server, we need to enable pipex and GRE in sysctl.conf:

echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf

Only one config file – npppd.conf – is needed to configure all the aspects of npppd. Mine looks as follows:

# GLOBAL
set max-session 200
set user-max-session 1

# TUNNEL
tunnel EXAMPLE protocol pptp {
 listen on 203.0.113.1
 pptp-hostname vpn.example.org
 pptp-vendor-name "openbsd-npppd"
 mppe required
 mppe-key-length 128
 mppe-key-state stateless
 idle-timeout 3600
}

# IPCP
ipcp EXAMPLE {
 pool-address "192.0.2.0/24"
 dns-servers 198.51.100.11 198.51.100.12
 allow-user-selected-address no
}

# INTERFACE
interface pppx0 address 192.0.2.1 ipcp EXAMPLE

# AUTHENTICATION
authentication RADIUS type radius {
 strip-nt-domain yes
 strip-atmark-realm yes
 authentication-server {
 address 198.51.100.21 secret "CanYouHackMe"
 address 198.51.100.22 secret "CanYouHackMe"
 }
 accounting-server {
 address 198.51.100.21 secret "CanYouHackMe"
 address 198.51.100.22 secret "CanYouHackMe"
 }
}

bind tunnel from EXAMPLE authenticated by RADIUS to pppx0

Here’s brief explanation of the above config file. Maximum of 200 concurrent sessions is allowed in total, one account is restricted to single session at the time. PPTP server listens on public IP address 203.0.113.1, and presents itself to clients with vpn.example.org as its hostname, and openbsd-npppd as its vendor string. It requests maximum 128-bit mppe encryption for communication with its clients, and disconnects clients which do not send or receive any traffic through VPN tunnel over period of one hour. Clients’ tunnel interface will be assigned with IP addresses from 192.0.2.0/24 pool, and DNS servers at 198.51.100.11 and 198.51.100.12. Clients are not allowed to ignore assigned IP addresses and specify their own. Server and clients communicate through multiple pppx(n) point-to-point interfaces, where each session gets its own interface. Here's how it looks in ifconfig output:

pppx67: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
        description: stanley.kubrick
        index 4675 priority 0 llprio 3
        groups: pppx
        inet 192.0.2.1 --> 192.0.2.205 netmask 0xffffffff

You need to adjust IP addresses to your environment, I used IPv4 Address Blocks Reserved for Documentation described in RFC5737

You don't need to create pppx0 or other pppx interfaces manually, either by ifconfig, or by MAKEDEV script in /dev. They won't be created automatically upon start of npppd daemon, either. pppx interfaces will be created once clients start connecting, one for each session.

Finally, authentication and accounting is performed by two RADIUS servers which reside on 198.51.100.21 and 198.51.100.22, respectively, and we bind all the clients to pppx0 interface.

Let’s instruct system to start npppd at boot time:

rcctl enable npppd

After reboot, which will apply our changes to sysctl.conf and start npppd, we need to make sure to allow tcp port 1723 and gre protocol on firewalls between server and clients, otherwise clients won’t be able to connect.

Once clients start to connect, we can check basic information about active sessions with npppctl session brief which gives us the following output:

Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
        56 192.0.2.102     stanley.kubrick      PPTP  219.124.222.178:14872
        76 192.0.2.89      francisford.coppola  PPTP  217.23.216.127:26571
        77 192.0.2.147     david.lynch          PPTP  108.233.228.178:15875

Use npppctl session all for more detailed info:

Ppp Id = 56
          Ppp Id : 56
          Username : stanley.kubrick
          Realm Name : RADIUS
          Concentrated Interface : pppx0
          Assigned IPv4 Address : 192.0.2.102.102
          Tunnel Protocol : PPTP
          Tunnel From : 219.124.222.178:14872
          Start Time : 2013/05/10 08:30:11
          Elapsed Time : 19125 sec (5 hours and 18 minutes)
          Input Bytes : 14307506 (13.6 MB)
          Input Packets : 42915
          Input Errors : 1 (0.0%)
          Output Bytes : 32365828 (30.9 MB)
          Output Packets : 48668
          Output Errors : 0 (0.0%)

Next Post Previous Post