It would be unfair to say that Poptop wasn’t doing a good job as my choice of PPTP server on OpenBSD for quite some time. It met all my requirements: it worked on OpenBSD, gave my Windows users the ability to connect to the VPN with software included in the base system, and authenticated users from Active Directory. I was never quite happy administering it, however. I am not sure whether that was due to its obstreperous and incomprehensible config files or its terrible session monitoring capabilities. One way or another, we never got used to each other. As of OpenBSD 5.3, npppd – the New Point to Point Protocol Daemon – became part of the OpenBSD base system. The following article describes how to configure it as a PPTP server which authenticates users against RADIUS.
This article was corrected in April 2020 to use the pppx(4) interface instead of tun(4), due to the instability I experienced when the number of PPTP clients increased from ~20 to ~200, as described on the OpenBSD misc@ mailing list.
In order for npppd to perform its role as a PPTP server, we need to enable pipex and GRE in sysctl.conf:
echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf
Only one config file – npppd.conf – is needed to configure all aspects of npppd. Mine looks as follows:
# GLOBAL
set max-session 200
set user-max-session 1

# TUNNEL
tunnel EXAMPLE protocol pptp {
    listen on 203.0.113.1
    pptp-hostname vpn.example.org
    pptp-vendor-name "openbsd-npppd"
    mppe required
    mppe-key-length 128
    mppe-key-state stateless
    idle-timeout 3600
}

# IPCP
ipcp EXAMPLE {
    pool-address "192.0.2.0/24"
    dns-servers 198.51.100.11 198.51.100.12
    allow-user-selected-address no
}

# INTERFACE
interface pppx0 address 192.0.2.1 ipcp EXAMPLE

# AUTHENTICATION
authentication RADIUS type radius {
    strip-nt-domain yes
    strip-atmark-realm yes
    authentication-server {
        address 198.51.100.21 secret "CanYouHackMe"
        address 198.51.100.22 secret "CanYouHackMe"
    }
    accounting-server {
        address 198.51.100.21 secret "CanYouHackMe"
        address 198.51.100.22 secret "CanYouHackMe"
    }
}

bind tunnel from EXAMPLE authenticated by RADIUS to pppx0
Here’s a brief explanation of the above config file. A maximum of 200 concurrent sessions is allowed in total, and one account is restricted to a single session at a time. The PPTP server listens on the public IP address 203.0.113.1, and presents itself to clients with vpn.example.org as its hostname and openbsd-npppd as its vendor string. It requires 128-bit MPPE encryption (in stateless mode) for communication with its clients, and disconnects clients which do not send or receive any traffic through the VPN tunnel for a period of one hour. Clients’ tunnel interfaces are assigned IP addresses from the 192.0.2.0/24 pool, and the DNS servers 198.51.100.11 and 198.51.100.12. Clients are not allowed to ignore the assigned IP addresses and specify their own. Server and clients communicate through multiple pppx(n) point-to-point interfaces, where each session gets its own interface. Here's how it looks in ifconfig output:
pppx67: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
description: stanley.kubrick
index 4675 priority 0 llprio 3
groups: pppx
inet 192.0.2.1 --> 192.0.2.205 netmask 0xffffffff
You need to adjust the IP addresses to your environment; I used the IPv4 address blocks reserved for documentation, described in RFC 5737.
You don't need to create pppx0 or other pppx interfaces manually, either with ifconfig or with the MAKEDEV script in /dev. They won't be created automatically when the npppd daemon starts, either. pppx interfaces are created once clients start connecting, one for each session.
Finally, authentication and accounting are performed by two RADIUS servers, which reside on 198.51.100.21 and 198.51.100.22, and we bind all the clients to the pppx0 interface.
Let’s instruct the system to start npppd at boot time:
rcctl enable npppd
After a reboot, which will apply our changes to sysctl.conf and start npppd, we need to make sure that TCP port 1723 and the GRE protocol are allowed on the firewalls between the server and the clients, otherwise clients won’t be able to connect.
Once clients start to connect, we can check basic information about active sessions with npppctl session brief, which gives us the following output:
Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
56         192.0.2.102     stanley.kubrick      PPTP  219.124.222.178:14872
76         192.0.2.89      francisford.coppola  PPTP  217.23.216.127:26571
77         192.0.2.147     david.lynch          PPTP  108.233.228.178:15875
Use npppctl session all for more detailed info:
Ppp Id = 56
Ppp Id : 56
Username : stanley.kubrick
Realm Name : RADIUS
Concentrated Interface : pppx0
Assigned IPv4 Address : 192.0.2.102
Tunnel Protocol : PPTP
Tunnel From : 219.124.222.178:14872
Start Time : 2013/05/10 08:30:11
Elapsed Time : 19125 sec (5 hours and 18 minutes)
Input Bytes : 14307506 (13.6 MB)
Input Packets : 42915
Input Errors : 1 (0.0%)
Output Bytes : 32365828 (30.9 MB)
Output Packets : 48668
Output Errors : 0 (0.0%)
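As an added example that is not code from the original article, the following POSIX sh script summarises the npppctl session brief output format shown above and flags the things an administrator of this setup would want to check: the session count against max-session, users holding more than one session despite user-max-session 1, and assigned addresses outside the pool. The session rows embedded in the script are constructed from that output format, and the prefixes passed to the checks are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise
# "npppctl session brief" output and flag what a VPN admin would check.
# The rows below are CONSTRUCTED from the output format shown in the
# article; on a real server pass "$(npppctl session brief)" instead.

SAMPLE_BRIEF='Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
56         192.0.2.102     stanley.kubrick      PPTP  219.124.222.178:14872
76         192.0.2.89      francisford.coppola  PPTP  217.23.216.127:26571
77         192.0.2.147     david.lynch          PPTP  108.233.228.178:15875
91         192.0.2.150     david.lynch          PPTP  198.51.100.77:40211'

# Data rows only: skip the two header lines and anything that is not
# a five-column session line.
brief_rows() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 5'
}

# Number of active sessions (compare against "set max-session").
session_count() {
    brief_rows "$1" | wc -l | tr -d ' '
}

# Usernames holding more than one session. With "set user-max-session 1"
# this should be empty, so any output is worth a closer look.
multi_session_users() {
    brief_rows "$1" | awk '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' | sort
}

# "username tunnel-endpoint" for sessions whose client address starts
# with the given prefix (an assumed prefix, e.g. a range that should
# never appear as a PPTP client source).
sessions_from_prefix() {
    brief_rows "$1" | awk -v p="$2" 'index($5, p) == 1 { print $3, $5 }'
}

# "username assigned-address" for sessions whose assigned address is
# outside the pool; the pool prefix is passed in ("192.0.2." for 192.0.2.0/24).
sessions_outside_pool() {
    brief_rows "$1" | awk -v p="$2" 'index($2, p) != 1 { print $3, $2 }'
}

# Human-readable summary of one "npppctl session brief" snapshot.
session_report() {
    echo "active sessions: $(session_count "$1")"
    dups=$(multi_session_users "$1")
    if [ -n "$dups" ]; then
        echo "users with more than one session:"
        echo "$dups"
    else
        echo "no user holds more than one session"
    fi
    stray=$(sessions_outside_pool "$1" "$2")
    if [ -n "$stray" ]; then
        echo "sessions with an address outside the pool:"
        echo "$stray"
    fi
}

# Run against the constructed sample; substitute "$(npppctl session brief)"
# and your own pool prefix on a live server.
session_report "$SAMPLE_BRIEF" "192.0.2."
```

The constructed sample deliberately contains two sessions for david.lynch, so the report shows what a user-max-session violation (or a stale session that npppd has not yet torn down) looks like; on a healthy server with the configuration above that list is empty.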