It would be unfair to say that PopTop wasn't doing a good job as my PPTP server of choice on OpenBSD for quite some time. It did meet all my requirements: it worked on OpenBSD, let my Windows users connect to the VPN with software included in the base system, and authenticated users from Active Directory. I was never quite happy administering it, however. I am not sure whether it was due to its obstreperous and incomprehensible config files, its terrible session monitoring capabilities, or the fact that it creates a new tun interface for each session. One way or another, we never got used to each other. As of OpenBSD 5.3, npppd, the New Point to Point Protocol Daemon, is part of the OpenBSD base system. The following article describes how to configure it as a PPTP server which authenticates users against RADIUS.

For npppd to act as a PPTP server, we need to enable pipex (the in-kernel PPP packet forwarding that npppd hands established sessions to) and GRE (the protocol that carries the PPTP data channel) in sysctl.conf:

echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf

All aspects of npppd are configured in a single file, /etc/npppd/npppd.conf. Mine looks as follows:

# GLOBAL
set max-session 50
set user-max-session 3

# TUNNEL
tunnel MIMAR protocol pptp {
    listen on 193.53.106.101
    pptp-hostname vpn.mimar.rs
    pptp-vendor-name "openbsd-npppd"
    mppe required
    mppe-key-length 128
    mppe-key-state stateless
    idle-timeout 3600
}

# IPCP
ipcp MIMAR {
    pool-address "192.168.166.0/24"
    dns-servers 10.40.66.11 10.40.66.12
    allow-user-selected-address no
}

# INTERFACE
interface tun1 address 192.168.166.1 ipcp MIMAR

# AUTHENTICATION
authentication RADIUS type radius {
    strip-nt-domain yes
    strip-atmark-realm yes
    authentication-server {
        address 10.40.66.21 secret "CanYouHackMe"
        address 10.40.66.22 secret "CanYouHackMe"
    }
    accounting-server {
        address 10.40.66.21 secret "CanYouHackMe"
        address 10.40.66.22 secret "CanYouHackMe"
    }
}

bind tunnel from MIMAR authenticated by RADIUS to tun1

Here is a brief explanation of the above config file. A maximum of 50 concurrent sessions is allowed in total, and a single account is limited to 3 sessions at a time. The PPTP server listens on the public IP address 193.53.106.101 and presents itself to clients with vpn.mimar.rs as its hostname and openbsd-npppd as its vendor string. It requires MPPE with 128-bit keys for all client traffic (a client that cannot negotiate that is refused), and disconnects clients that send or receive no traffic through the VPN tunnel for one hour. Keep in mind that the MPPE keys are derived from the MS-CHAPv2 exchange that PPTP uses for authentication, so the tunnel is only as strong as that handshake; this is a known weakness of PPTP as a protocol, not of npppd. Clients' tunnel interfaces are assigned IP addresses from the 192.168.166.0/24 pool and the DNS servers 10.40.66.11 and 10.40.66.12; clients are not allowed to ignore the assigned address and specify their own. The server and clients communicate through the tun1 interface (tun0 is already taken by another service), whose IP address is 192.168.166.1. Authentication and accounting are performed by the RADIUS servers at 10.40.66.21 and 10.40.66.22, either of which can serve both roles, with the shared secret protecting each exchange (use a long random string rather than the placeholder shown here). The strip-nt-domain and strip-atmark-realm options remove a Windows DOMAIN\ prefix or an @realm suffix from the username before it is passed to RADIUS, so a user who types either form still matches the same RADIUS account. Finally, we bind all clients to the tun1 interface.

Let’s instruct system to start npppd at boot time:

rcctl enable npppd

A reboot applies our changes to sysctl.conf and starts npppd; alternatively, set both sysctls at runtime with sysctl(8) and start the daemon with rcctl(8) without rebooting. Either way, make sure that every firewall between the server and the clients, including pf on the server itself, passes TCP port 1723 (the PPTP control channel) and the GRE protocol (IP protocol 47, the data channel); if either is blocked, clients won't be able to connect, and a blocked GRE typically shows up as an authentication that succeeds followed by a connection that never passes traffic.

Once clients start connecting, we can check basic information about active sessions with npppctl session brief, which gives the following output:

Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
        56 192.168.166.102 stanley.kubrick      PPTP  219.124.222.178:14872
        76 192.168.166.89  francisford.coppola  PPTP  217.23.216.127:26571
        77 192.168.166.147 david.lynch          PPTP  108.233.228.178:15875
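The npppctl session brief table above is also the natural input for the session monitoring that PopTop made so painful. The following POSIX shell script is an added example (not part of npppd or of this post) that parses that table and reports, per user, how many sessions are open and from how many distinct source addresses, so that accounts sitting at the configured user-max-session limit, or apparently dialled in from several places at once, stand out. The sample table it carries is constructed for the example (sessions 81 and 82 are invented), and the USER_MAX_SESSION value is assumed to mirror set user-max-session 3 in npppd.conf.

```shell
#!/bin/sh
# vpn-sessions.sh: summarise `npppctl session brief` output per user.
# Added example, not part of npppd. Every function reads the brief table on stdin.
#   npppctl session brief | sh vpn-sessions.sh --live
#   sh vpn-sessions.sh --demo      # runs against the constructed sample below

USER_MAX_SESSION=3   # assumed to mirror "set user-max-session 3" in npppd.conf

# Constructed sample in the format npppctl prints; the sessions with ids 81 and
# 82 are invented to show an account at the limit and a second source address.
SAMPLE_BRIEF='Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
        56 192.168.166.102 stanley.kubrick      PPTP  219.124.222.178:14872
        76 192.168.166.89  francisford.coppola  PPTP  217.23.216.127:26571
        77 192.168.166.147 david.lynch          PPTP  108.233.228.178:15875
        81 192.168.166.23  david.lynch          PPTP  108.233.228.178:41002
        82 192.168.166.77  david.lynch          PPTP  91.240.18.9:53311'

# Per user: "username sessions distinct_sources", sorted by username.
# The first two lines are the header and the ruler; data fields are
# id, assigned ipv4, username, protocol, source ip:port.
session_summary() {
    awk 'NR > 2 && NF >= 5 {
            split($5, a, ":"); src = a[1]
            n[$3]++
            if (!(($3, src) in seen)) { seen[$3, src] = 1; s[$3]++ }
        }
        END { for (u in n) printf "%s %d %d\n", u, n[u], s[u] }' | sort
}

# Accounts at or above the per-user limit: their next login will be refused.
users_at_limit() {
    session_summary | awk -v max="$USER_MAX_SESSION" '$2 >= max { print $1 }'
}

# Accounts with simultaneous sessions from more than one source address.
# One person normally dials in from one place, so this deserves a look
# (shared or stolen credentials, or a roaming client whose old session
# has not timed out yet).
users_multi_source() {
    session_summary | awk '$3 > 1 { print $1 }'
}

# Distinct client source addresses, one per line (e.g. to load into a pf table).
client_sources() {
    awk 'NR > 2 && NF >= 5 { split($5, a, ":"); print a[1] }' | sort -u
}

# Full report over one table read from stdin.
report() {
    tbl=$(cat)
    echo "== sessions per user (user sessions sources) =="
    printf '%s\n' "$tbl" | session_summary
    echo "== accounts at user-max-session ($USER_MAX_SESSION) =="
    printf '%s\n' "$tbl" | users_at_limit
    echo "== accounts connected from several addresses =="
    printf '%s\n' "$tbl" | users_multi_source
    echo "== client source addresses =="
    printf '%s\n' "$tbl" | client_sources
}

case "${1-}" in
    --demo) printf '%s\n' "$SAMPLE_BRIEF" | report ;;
    --live) report ;;
esac
```

Run it from cron against the live output and mail the report, or wire users_multi_source into whatever alerting you already have; because the script only consumes npppctl's text, it never needs privileges beyond those required to run npppctl itself.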

Use npppctl session all for more detailed info:

Ppp Id = 56
          Ppp Id : 56
          Username : stanley.kubrick
          Realm Name : RADIUS
          Concentrated Interface : tun1
          Assigned IPv4 Address : 192.168.166.102
          Tunnel Protocol : PPTP
          Tunnel From : 178-222-124-219.dynamic.isp.telekom.rs:14872
          Start Time : 2013/05/10 08:30:11
          Elapsed Time : 19125 sec (5 hours and 18 minutes)
          Input Bytes : 14307506 (13.6 MB)
          Input Packets : 42915
          Input Errors : 1 (0.0%)
          Output Bytes : 32365828 (30.9 MB)
          Output Packets : 48668
          Output Errors : 0 (0.0%)
