It would be unfair to say that Poptop wasn’t doing a good job as my choice of PPTP server on OpenBSD for quite some time. It did meet all my requirements: it worked on OpenBSD, provided my Windows users with the ability to connect to the VPN with software included in the base system, and authenticated users from Active Directory. I was never quite happy administering it, however. I am not sure if it was due to its obstreperous and incomprehensible config files or terrible session monitoring capabilities. One way or another, we never got used to each other. As of OpenBSD 5.3, npppd – New Point to Point Protocol Daemon – became a part of the OpenBSD base system. The following article describes how to configure it as a PPTP server which authenticates users against RADIUS.

This article was corrected in April of 2020 to use the pppx(4) interface instead of tun(4), due to the instability I experienced when the number of PPTP clients increased from ~20 to ~200, as described on the OpenBSD @misc mailing list.

In order for npppd to successfully perform its role of a PPTP server, we need to enable pipex and GRE in sysctl.conf:

echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf

Only one config file – npppd.conf – is needed to configure all the aspects of npppd. Mine looks as follows:

set max-session 200
set user-max-session 1

tunnel EXAMPLE protocol pptp {
        listen on
        pptp-vendor-name "openbsd-npppd"
        mppe required
        mppe-key-length 128
        mppe-key-state stateless
        idle-timeout 3600
}

ipcp EXAMPLE {
        pool-address ""
        allow-user-selected-address no
}

interface pppx0 address ipcp EXAMPLE

authentication RADIUS type radius {
        strip-nt-domain yes
        strip-atmark-realm yes
        authentication-server {
                address secret "CanYouHackMe"
                address secret "CanYouHackMe"
        }
        accounting-server {
                address secret "CanYouHackMe"
                address secret "CanYouHackMe"
        }
}

bind tunnel from EXAMPLE authenticated by RADIUS to pppx0

Here’s a brief explanation of the above config file. A maximum of 200 concurrent sessions is allowed in total, and each account is restricted to a single session at a time. PPTP server listens on public IP address, and presents itself to clients with as its hostname, and openbsd-npppd as its vendor string. It requests maximum 128-bit MPPE encryption for communication with its clients, and disconnects clients which do not send or receive any traffic through the VPN tunnel over a period of one hour. Clients’ tunnel interface will be assigned with IP addresses from pool, and DNS servers at and Clients are not allowed to ignore assigned IP addresses and specify their own. Server and clients communicate through multiple pppx(n) point-to-point interfaces, where each session gets its own interface. Here's how it looks in ifconfig output:

pppx67: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
        description: stanley.kubrick
        index 4675 priority 0 llprio 3
        groups: pppx
        inet --> netmask 0xffffffff

You need to adjust the IP addresses to your environment; I used the IPv4 Address Blocks Reserved for Documentation described in RFC 5737.

You don't need to create pppx0 or other pppx interfaces manually, either with ifconfig or with the MAKEDEV script in /dev. They won't be created automatically when the npppd daemon starts, either. pppx interfaces will be created once clients start connecting, one for each session.

Finally, authentication and accounting are performed by two RADIUS servers which reside on and, respectively, and we bind all the clients to the pppx0 interface.

Let’s instruct the system to start npppd at boot time:

rcctl enable npppd

After a reboot, which will apply our changes to sysctl.conf and start npppd, we need to make sure to allow TCP port 1723 and the GRE protocol on firewalls between the server and clients; otherwise clients won’t be able to connect.

Once clients start to connect, we can check basic information about active sessions with npppctl session brief which gives us the following output:

Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
        56     stanley.kubrick      PPTP
        76      francisford.coppola  PPTP
        77     david.lynch          PPTP

Use npppctl session all for more detailed info:

Ppp Id = 56
          Ppp Id : 56
          Username : stanley.kubrick
          Realm Name : RADIUS
          Concentrated Interface : pppx0
          Assigned IPv4 Address :
          Tunnel Protocol : PPTP
          Tunnel From :
          Start Time : 2013/05/10 08:30:11
          Elapsed Time : 19125 sec (5 hours and 18 minutes)
          Input Bytes : 14307506 (13.6 MB)
          Input Packets : 42915
          Input Errors : 1 (0.0%)
          Output Bytes : 32365828 (30.9 MB)
          Output Packets : 48668
          Output Errors : 0 (0.0%)
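
For routine session review, the npppctl session all output above can be condensed to one line per session, with long-lived or high-volume sessions flagged. The following is an added example, not part of the original article or of npppd itself; the sample input, its RFC 5737 addresses, the function names and the thresholds are constructed for illustration.

```shell
# Added example (not from the article): one line per npppd session, with flags.
# Constructed sample in the layout of `npppctl session all`; addresses are
# RFC 5737 documentation values and the second session is made up.
sample_sessions() {
cat <<'EOF'
Ppp Id = 56
          Ppp Id : 56
          Username : stanley.kubrick
          Assigned IPv4 Address : 192.0.2.56
          Tunnel From : 198.51.100.10
          Start Time : 2013/05/10 08:30:11
          Elapsed Time : 19125 sec (5 hours and 18 minutes)
          Output Bytes : 32365828 (30.9 MB)
Ppp Id = 77
          Ppp Id : 77
          Username : david.lynch
          Assigned IPv4 Address : 192.0.2.77
          Tunnel From : 203.0.113.5
          Elapsed Time : 540 sec (9 minutes)
          Output Bytes : 120034 (0.1 MB)
EOF
}

# summarize_sessions MAX_SECS MAX_OUT_BYTES < npppctl-output
# Prints "id user source elapsed out-bytes [LONG] [HEAVY]" per session.
summarize_sessions() {
  awk -F' : ' -v max_secs="$1" -v max_out="$2" '
    function emit(   flag) {
      if (id == "") return
      flag = ""
      if (secs > max_secs + 0) flag = flag " LONG"
      if (out > max_out + 0) flag = flag " HEAVY"
      printf "%s %s %s %ds %dB%s\n", id, user, src, secs, out, flag
    }
    /^Ppp Id = / { emit(); id = $0; sub(/^Ppp Id = /, "", id)
                   user = src = "-"; secs = out = 0; next }
    { key = $1; sub(/^[ \t]+/, "", key) }    # labels are indented
    key == "Username"     { user = $2 }
    key == "Tunnel From"  { src = $2 }
    key == "Elapsed Time" { secs = $2 + 0 }  # "19125 sec (...)" -> 19125
    key == "Output Bytes" { out = $2 + 0 }
    END { emit() }
  '
}

# Demo on the sample; on the server: npppctl session all | summarize_sessions 14400 1000000000
sample_sessions | summarize_sessions 14400 1000000000
```

With the thresholds shown (4 hours, 1 GB of output), only the first sample session is flagged LONG.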
