[pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
tfasko at cyberacc.com
Fri Aug 4 13:48:39 CDT 2000
Here is the modified HOW TO that I made after fixing the problem you were having:
Travis J Fasko
Notes Administrator
CyberAccess, Inc.
(216) 524-5005 Ext. 130
tfasko at cyberacc.com
Good Luck!!
3.0 PPP without MSCHAPv2/MPPE Installation
------------------------------------------
Note: [] are example commands to run
1. Get the following files from the RedHat (ftp.redhat.com) site or a suitable mirror:
ftp://ftp.redhat.com/redhat/redhat-6.1/i386/RedHat/RPMS/
kernel-headers-2.2.12-20.i386.rpm
kernel-source-2.2.12-20.i386.rpm
kernel-2.2.12-20.i386.rpm
ppp-2.3.10-1.i386.rpm
*NOTE* Before performing the next step make sure you have access to a boot
floppy or can access the old kernel. For more information see:
http://www.linux.org/help/ldp/mini/minihowto.html
and search for LILO Mini-HOWTO.
2. Change lilo.conf to access your old and new kernel, then issue this command:
[/sbin/lilo]
3. Upgrade your 2.2.5-15 kernel to 2.2.12-20:
[rpm -Uvvh kernel-2.2.12-20.i386.rpm]
4. Upgrade ppp:
[rpm -Uvvh ppp-2.3.10-1.i386.rpm]
5. Grab the PoPToP rpm and init file:
http://www.moretonbay.com/vpn/releases/pptpd-1.0.0-1.i386.rpm
http://www.moretonbay.com/vpn/releases/pptpd.init
6. Store the pptpd.init file in the /etc/rc.d/init.d directory and make sure
the permissions are set correctly (it must be executable, like the other
init scripts in that directory).
You need to edit the pptpd.init file to start the pptpd daemon differently.
Before:
daemon /usr/sbin/pptpd
After:
/usr/sbin/pptpd -d
7. Rpm the PoPTop Server:
[rpm -ivvh pptpd-1.0.0-1.i386.rpm]
8. Set up your chap-secrets file in the /etc/ppp directory. It should look
something like this:
# /etc/ppp/chap-secrets
# username    servername    secret       ipaddress
validname     *             validpass    *
The secrets are stored in cleartext, so keep the file readable by root
only (mode 600).
For authentication with Windows clients use
DOMAINNAME\\validname * validpass *
The domain name may be in caps or lowercase. Check the logs in /var/log/messages.
If you want to learn more about the chap-secrets file see:
http://www.linux.org/help/ldp/howto/PPP-HOWTO-13.html#ss13.4
9. Edit /etc/inittab and comment out the reference to pptpd. We will use the
pptpd daemon.
[init Q] # rereads /etc/inittab
10. Your options file in /etc/ppp/ should at a minimum have the following:
lock
debug
auth
+chap
proxyarp
OK here I had to create a new file: /etc/ppp/ip-up.local
It is an executable script with these lines:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
(This is what fixed all my problems, well actually making it executable
is what fixed them :-)
11. Modify the /etc/pptpd.conf file. Look in the configuration file for
settings. Here is a working sample:
# debug can be removed when things are working
debug
# look in the /etc/pptpd.conf file for more info about settings
localip 192.168.1.80-89
remoteip 192.168.1.70-79
At this point vpn should be working without encryption.
4.0 PPP with MSCHAPv2/MPPE Installation
----------------------------------------------------------------
*NOTE* You must complete section three above for this to work. *NOTE*
If you want to add encryption do the following:
1. Grab yourself a clean copy of the PPP daemon v2.3.10 (ppp-2.3.10.tar.gz).
I usually go here for my PPP files:
ftp://cs.anu.edu.au/pub/software/ppp/
Note: You must get the tarball (tar.gz) and *not* the RPM.
2. Grab yourself the MSCHAP/MPPE patch file from:
http://www.moretonbay.com/vpn/releases/ppp-2.3.10-openssl-norc4-mppe.patch.gz
3. Grab yourself the SSLeay-0.6.6b file from:
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.6.6b.tar.gz
4. You should now have 3 files:
ppp-2.3.10.tar.gz
ppp-2.3.10-openssl-norc4-mppe.patch.gz
SSLeay-0.6.6b.tar.gz
Copy these files to your preferred location (RedHat uses
/usr/src/redhat/SOURCES). Assuming your files are in
/usr/src/redhat/SOURCES and your current working directory is the same,
do the following:
[tar -zxvf ppp-2.3.10.tar.gz]
[gunzip ppp-2.3.10-openssl-norc4-mppe.patch.gz]
[tar -zxvf SSLeay-0.6.6b.tar.gz]
[cp SSLeay-0.6.6b/crypto/rc4/rc4.h ppp-2.3.10/linux/]
[cp SSLeay-0.6.6b/crypto/rc4/rc4_enc.c ppp-2.3.10/linux/]
[cd ppp-2.3.10] # should now be in /usr/src/redhat/SOURCES/ppp-2.3.10
[patch -p1 < ../ppp-2.3.10-openssl-norc4-mppe.patch]
(note the single <, the patch is read from the file, not a here-document)
Comment out or delete the reference to rc4_skey.c in
/usr/src/redhat/SOURCES/ppp-2.3.10/linux/ppp_mppe.c
Evidently it is not needed.
Now rpm the kernel files we downloaded earlier:
[rpm -ivvh kernel-headers-2.2.12-20.i386.rpm]
[rpm -ivvh kernel-source-2.2.12-20.i386.rpm]
[cd /usr/src/linux]
[make menuconfig] # Unless you have a special setup you probably will
                  # not need to change any of the settings. Just do
                  # this so that you can save the config for later steps
[make dep]
[make clean]
[cd /usr/src/redhat/SOURCES/ppp-2.3.10]
[./configure]
[make]
[make kernel]
[make install]
[cd /usr/src/linux]
There are 2 files that have to be copied to /usr/src/linux/drivers/net,
they are the crypto files from the SSLeay tree unpacked above. Here are
the commands, using the /usr/src/linux symlink and the SSLeay version
downloaded in step 3:
[cp /usr/src/redhat/SOURCES/SSLeay-0.6.6b/crypto/rc4/rc4_locl.h /usr/src/linux/drivers/net]
[cp /usr/src/redhat/SOURCES/SSLeay-0.6.6b/crypto/rc4/rc4_skey.c /usr/src/linux/drivers/net]
Then vi /usr/src/linux/drivers/net/ppp.c, do a /kill_fasync and
after SIGIO add this: ,NULL
This fixes an issue with not enough arguments for that call.
[make modules SUBDIRS=drivers/net]
[make modules_install]
Add to your options file (/etc/ppp/options):
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
Each mppe-* line enables that key length, so a server that lists mppe-40
will also accept 40-bit sessions; list only the key lengths you are
willing to accept.
Edit the /etc/conf.modules (or modules.conf) with the following info:
alias char-major-108 off # This will be different for 2.3.x kernels
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
[modprobe -r ppp]
# if necessary remove the following modules by hand
[rmmod ppp]
[rmmod slhc]
[rmmod bsd_comp]
[rmmod ppp_deflate]
# now get things rolling
[depmod -a]
[modprobe ppp]
That should do it. Don't forget to make a link to the pptpd.init in
whatever runlevel you're using so that the pptpd daemon will start
automatically upon boot.
We use runlevel 3 so make a link like this:
[ln -s /etc/rc.d/init.d/pptpd.init /etc/rc.d/rc3.d/S52pptpd]
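As an added example (not part of the original post or of PoPToP), here is a shell script that checks the configuration built in section three and the MS-CHAP/MPPE additions of this section before you start dialing in. The paths are the HOWTO's defaults; the root-only check on chap-secrets, the executable check on ip-up.local and the warning about mppe-40 are this script's own criteria, not anything the HOWTO mandates.

```shell
#!/bin/sh
# pptp_check.sh - sanity-check the pppd/pptpd setup from sections 3 and 4.
# Added example, not part of the original HOWTO.  Paths default to the ones
# the HOWTO uses; pass others as arguments.
#
# Usage: sh pptp_check.sh [ppp_dir] [pptpd_conf] [modules_conf]
# Prints one FAIL/WARN line per finding; exit status = number of FAILs.

# strip_conf FILE: drop '#' comments and surrounding whitespace.
strip_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" 2>/dev/null
}

# has_opt FILE WORD: WORD is present as a whole, uncommented line (e.g. +chap).
has_opt() {
    strip_conf "$1" | grep -qxF -- "$2"
}

# has_keyword FILE KEY: an uncommented line starts with KEY (e.g. localip ...).
has_keyword() {
    strip_conf "$1" | awk -v k="$2" '$1 == k { found = 1 } END { exit !found }'
}

# has_alias FILE NAME MODULE: "alias NAME MODULE" is present.
has_alias() {
    strip_conf "$1" | awk -v n="$2" -v m="$3" \
        '$1 == "alias" && $2 == n && $3 == m { found = 1 } END { exit !found }'
}

fails=0
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
warn() { echo "WARN: $*"; }

# pptp_check PPP_DIR PPTPD_CONF MODULES_CONF
pptp_check() {
    ppp_dir=${1:-/etc/ppp}
    pptpd_conf=${2:-/etc/pptpd.conf}
    modules_conf=${3:-/etc/conf.modules}
    fails=0

    # section 3 minimum, then the section 4 MS-CHAP/MPPE additions
    for opt in lock auth +chap proxyarp +chapms +chapms-v2 mppe-128 mppe-stateless; do
        has_opt "$ppp_dir/options" "$opt" || fail "options: missing '$opt'"
    done
    if has_opt "$ppp_dir/options" mppe-40; then
        warn "options: mppe-40 present, 40-bit sessions will be accepted"
    fi

    # chap-secrets holds cleartext passwords: present, root-only, non-empty
    secrets=$ppp_dir/chap-secrets
    if [ ! -f "$secrets" ]; then
        fail "chap-secrets: $secrets not found"
    else
        case $(ls -ld "$secrets" | cut -c5-10) in
            ------) ;;
            *) fail "chap-secrets: readable by group/other (chmod 600 $secrets)" ;;
        esac
        strip_conf "$secrets" | awk 'NF >= 4 { n++ } END { exit !n }' \
            || fail "chap-secrets: no 'user server secret ip' entries"
    fi

    # pptpd.conf must hand out both address ranges
    for key in localip remoteip; do
        has_keyword "$pptpd_conf" "$key" || fail "pptpd.conf: missing '$key'"
    done

    # Red Hat's /etc/ppp/ip-up only calls ip-up.local if it is executable
    if [ -f "$ppp_dir/ip-up.local" ] && [ ! -x "$ppp_dir/ip-up.local" ]; then
        fail "ip-up.local: not executable (chmod 755 $ppp_dir/ip-up.local)"
    fi

    # compressor 18 is MPPE; without the alias modprobe cannot find ppp_mppe
    has_alias "$modules_conf" ppp-compress-18 ppp_mppe \
        || fail "conf.modules: missing 'alias ppp-compress-18 ppp_mppe'"

    [ "$fails" -eq 0 ] && echo "OK: no problems found"
    return "$fails"
}

# Run against the live system only when invoked with arguments.
if [ $# -ge 1 ]; then
    pptp_check "$@"
fi
```

Run it as `sh pptp_check.sh /etc/ppp` (the other two paths default to /etc/pptpd.conf and /etc/conf.modules); a non-zero exit status is the number of FAIL lines, so it can also gate the pptpd.init start.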
5.0 Windows Client Setup
------------------------
Note that the Win95 routine is similar but requires Dial Up Networking
Update 1.3, and both Win95 and Win98 need the vpnupdate (free from
Microsoft) to be installed first.
Try here for the DUN1.3 and the vpnupdate:
Windows 95
http://www.microsoft.com/windows95/downloads
Windows 98
http://www.microsoft.com/windows98/downloads/corporate.asp
1a. For Win95 machines install the DUN 1.3.
1b. For Win98 machines use the add-remove programs tool to uninstall the
VPN software. Some of the OEM's don't install this properly.
Re-install it using the add-remove programs tool. Go to windows setup (tab),
select communications and press the details button. Scroll down and check
the VPN support.
2. Install the vpnupdate for your particular machine (win95/98 not 98SE).
take a little nap here...
Once your Machine is back
1.go to dial-up networking
(usually start->programs->Accessories->communications->Dial-up
Networking) YMMV
2.Click make new connection
3.Name the Connection whatever you'd like.
4.Select Microsoft VPN adapter as the device
5.click next
6.type in the ip address or hostname of your pptp server
7.click next
8.click finish
9.Right-click on the icon of the connection you just created
10.select properties
11.choose server types
12.check require encrypted password
13.uncheck netbeui, ipx/spx compatible
14.click tcp/ip settings
15.turn off use IP header compression (May not be necessary)
16.turn off use default gw on remote network
17.click ok.
18.start that connection
19.type in your username and pw (yadda, yadda, yadda)
20.once it finishes its connection you're up.
UPDATE: 128bit windows Client (for USA and Canada)
You can download the 128 bit version of the Windows 98 Dial-Up Networking
Security Update from the following
URL:
http://support.microsoft.com/Support/NTServer/128Eula.asp
Accept the EULA, then choose the appropriate 128-bit DUN Update.
6.0 Firewall Setup
------------------
If you're using Masquerading you will probably need to add some rules to the
firewall. These rules are just examples, don't rely only on them to completely
shut out hackers.
This section also assumes that you already have a working connection to the
internet from your Linux box and any workstations that might be connected to it.
I like to keep a clean firewall so we added some scripting to
/etc/ppp/ip-up.local and /etc/ppp/ip-down.local. These files don't normally
exist so you may have to create new ones. If you already created ip-up.local
in section three to turn on ip_forward, keep that line and add the rules
below to it rather than replacing the file.
Here is an example of each of the scripts:
ip-up.local
---- cut ----
#!/bin/sh
# pppd calls this as: interface tty speed local-ip remote-ip ipparam
INTERNAL_NET1="192.168.1.0/24"
case $2 in
/dev/pts/*)
    echo "$(date): ip-up 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
    # eth0 = local interface
    /sbin/ipchains --insert forward -j ACCEPT -s $5 -i eth0
    # $1 = incoming pptpd interface
    /sbin/ipchains --insert forward -j ACCEPT -d $5 -i $1
    /sbin/ipchains --insert input -i $1 -s $INTERNAL_NET1 -j ACCEPT
    /sbin/ipchains --insert output -i $1 -d $INTERNAL_NET1 -j ACCEPT
    echo "$(date): ip-up Firewall rules set for $1:$5" >> /var/log/pptpd.log
    ;;
esac
---- cut ----
ip-down.local
---- cut ----
#!/bin/sh
# pppd calls this as: interface tty speed local-ip remote-ip ipparam
INTERNAL_NET1="192.168.1.0/24"
case $2 in
/dev/pts/*)
    echo "$(date): ip-down 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
    # eth0 = local interface
    /sbin/ipchains --delete forward -j ACCEPT -s $5 -i eth0
    # $1 = incoming pptpd interface
    /sbin/ipchains --delete forward -j ACCEPT -d $5 -i $1
    /sbin/ipchains --delete input -i $1 -s $INTERNAL_NET1 -j ACCEPT
    /sbin/ipchains --delete output -i $1 -d $INTERNAL_NET1 -j ACCEPT
    echo "$(date): ip-down Firewall rules removed for $1:$5" >> /var/log/pptpd.log
    ;;
esac
---- cut ----
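As an added example (not part of the original post), the same four rules written once as a function shared by ip-up.local and ip-down.local: whatever ip-up inserts, ip-down deletes by exactly the same text, the script only acts on pptpd sessions (pppd on a pty, as the scripts above check), and it refuses a remote address that is not a dotted quad before anything reaches ipchains. The file name /etc/ppp/pptp-fw.sh and the eth0 LAN interface are assumptions.

```shell
#!/bin/sh
# pptp-fw.sh - one rule list shared by /etc/ppp/ip-up.local and
# /etc/ppp/ip-down.local, so what ip-down deletes is exactly what ip-up
# inserted.  Added example, not part of the original post.
#
# pppd runs ip-up/ip-down with: interface tty speed local-ip remote-ip ipparam
# Install as /etc/ppp/pptp-fw.sh (assumed name) and from ip-up.local run
#   . /etc/ppp/pptp-fw.sh; pptp_fw_apply up "$@"
# and from ip-down.local the same with "down".

INTERNAL_NET1="192.168.1.0/24"          # LAN behind the server (as in the HOWTO)
LOCAL_IF="eth0"                         # LAN interface (assumed, as in the HOWTO)
IPCHAINS=${IPCHAINS:-/sbin/ipchains}    # set IPCHAINS=echo for a dry run
PPTPD_LOG=${PPTPD_LOG:-/var/log/pptpd.log}

# pptp_fw_rules ACTION PPP_IF REMOTE_IP
# Prints one ipchains command per line.  ACTION is --insert or --delete; the
# rule text is identical for both so up and down cannot drift apart.
pptp_fw_rules() {
    action=$1 ppp_if=$2 remote_ip=$3
    # forward chain: -i names the interface the packet leaves on
    echo "$IPCHAINS $action forward -j ACCEPT -s $remote_ip -i $LOCAL_IF"
    echo "$IPCHAINS $action forward -j ACCEPT -d $remote_ip -i $ppp_if"
    # only the internal net is allowed to and from the tunnel interface
    echo "$IPCHAINS $action input -i $ppp_if -s $INTERNAL_NET1 -j ACCEPT"
    echo "$IPCHAINS $action output -i $ppp_if -d $INTERNAL_NET1 -j ACCEPT"
}

# pptp_fw_apply up|down IFACE TTY SPEED LOCAL_IP REMOTE_IP [IPPARAM]
# Returns 2 for links that are not pptpd sessions (pppd on a pty),
# 1 for a bad mode or a remote address that is not a dotted quad.
pptp_fw_apply() {
    mode=$1; shift
    case $mode in
        up)   action=--insert ;;
        down) action=--delete ;;
        *)    echo "pptp_fw_apply: mode must be up or down" >&2; return 1 ;;
    esac
    case $2 in
        /dev/pts/*) ;;
        *) return 2 ;;
    esac
    # never splice an unexpected string into a firewall rule
    case $5 in
        *[!0-9.]*|'') echo "pptp_fw_apply: bad remote address '$5'" >&2; return 1 ;;
    esac
    echo "$(date): ip-$mode 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> "$PPTPD_LOG"
    # each line is a full command; word-splitting of $cmd is intended
    pptp_fw_rules "$action" "$1" "$5" | while read -r cmd; do
        $cmd || echo "$(date): failed: $cmd" >> "$PPTPD_LOG"
    done
    echo "$(date): ip-$mode firewall rules ($action) for $1:$5" >> "$PPTPD_LOG"
}
```

ip-up.local then becomes the ip_forward line from section three followed by `. /etc/ppp/pptp-fw.sh; pptp_fw_apply up "$@"`, and ip-down.local is the same call with `down`. Running with IPCHAINS=echo prints the rules instead of installing them, which is a quick way to review what a given interface and remote address will produce.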