[pptp-server] Detailed Instruction Set
Michael Walter
walterm at Gliatech.com
Wed Aug 11 16:09:08 CDT 1999
Hello All,
Well, my poptop server is up and running perfectly (thanks for all the help).
The final part of this project was to document how to recreate it from
scratch for other administrators at my company. This installation is very
specific to Redhat 6.0. This is also written for a complete newbie. In
addition I wrote it while over-caffeinated and under-slept and haven't had a
chance to proof it. But it may help some who are still struggling. It
is in Word 97 format (sorry, that's what we use).
Michael J. Walter, MCSE
Gliatech, Inc.
walterm at gliatech.com
mwalter at drwalter.com
HOWTO Setup a Secure Redhat Linux 6.0 VPN
1) Introduction
I initially prepared this document as an internal howto so that other
administrators in my organization would be able to set up comparable VPNs
without the learning curve that I went through. It is designed for a
complete Linux/VPN newbie and goes into a large amount of detail. It also
assumes that the installed computer will ONLY be a VPN and is completely
blank at the start. The systems we are using have 3com 3c905b Ethernet
cards that are plug and play and recognized by the Linux kernel. There may
be slight differences in installation for different systems but this will
give you a general idea of how things should work. Please note: I am
NEITHER a Linux nor a security expert. This represents what I believe will
be a secure implementation, but I make no guarantees. I also know that
other users have had success with different installation methods and I am
sure that there are better ways to do this. I am mailing this document to
the Poptop users group purely out of appreciation for all the help that I
was given when I started this project. Feel free to make any changes to
this document that you wish for your own purposes. I claim no
responsibility for this document's content or accuracy.
2) Software Information
a) Redhat-6.0 Kernel-2.2.5-15
b) PPP-2.3.8
c) Pptpd-0.9.9-1
3) Hardware Information
4) Install the initial Redhat Linux 6.0 OS
a) Insert the redhat boot floppy and/or redhat install CD.
b) Allow the system to boot. When the "Installation Path" window appears,
choose "install".
c) In the "Installation Class" window choose "custom".
d) In the "SCSI Configuration" window choose "No".
e) In the "Disk Setup" window choose "Disk Druid".
f) Use Disk Druid to create a Linux swap partition of 120meg in size.
g) Use Disk Druid to create a Linux Native partition of the remaining hard
drive space with a Mount Point of "/". Choose "OK" to exit Disk Druid.
h) In the "Active Swap Space" window make sure there is a "*" next to the
device and that "Check for bad blocks during format" does not have a "*".
Choose "OK".
i) In the "Partitions to Format" window make sure there is a "*" next to the
device and that "Check for bad blocks during format" does not have a "*".
Choose "OK".
j) In the "Components to Install" window place a "*" next to the following
components and clear all others. Then choose "OK"
1) X Windows System
2) GNOME
3) Networked Workstation
4) Dialup Workstation
5) C Development
6) Development Libraries
7) C++ Development
8) X Development
9) GNOME Development
10) Kernel Development
11) Extra Documentation
k) In the "Install Log" window choose "OK".
l) Redhat will start installing files... When it finishes the "Probing
Result" window will appear. Redhat should have found your mouse, choose
"OK".
m) The "Configure Mouse" window will now appear. Choose your mouse type
(normally Generic Mouse or Microsoft Compatible) then choose "OK".
n) The "Network Configuration" window will now appear. Choose "Yes".
o) The "Probe" window should now appear. One of your network cards should
be listed. Choose "OK".
p) The "Boot Protocol" window will appear. Choose "Static IP address" then
choose "OK".
q) The "Configure TCP/IP" window will appear.
1) Next to "IP address:" type the internal network IP address for this
server.
2) Next to "Netmask:" type your internal Netmask.
3) Next to "Default gateway (IP):" type the IP address of your Internet
router.
4) Next to "Primary nameserver:" type the address of your primary Internet
DNS server.
5) Choose "OK".
r) The "Configure Network" window should now appear.
1) Next to "Domain name: " type your TCP/IP domain name, do not include the
name of this computer.(Note: this is not the same as your Windows NT domain)
2) Next to "Host name:" choose the internal name of this computer, redhat
should append the domain name to your computer name.
3) Next to "Secondary nameserver (IP):" type the IP address of your
secondary Internet DNS server if you have one, or leave this blank if you
don't.
4) Next to "Tertiary nameserver (IP):" type the IP address of your internal
DNS server or the address of a third Internet DNS server.
5) Choose "OK".
s) The "Configure Timezones" window should appear.
1) If your BIOS clock is set to Greenwich Mean Time place a "*" next to
the "Hardware clock set to GMT".
2) Beneath the "Hardware clock set to GMT" item choose your local time zone.
3) Choose "OK".
t) The "Services" window should now appear. Make sure there are "*"'s next
to the following items and blanks next to any others.
1) Gpm- Mouse Driver
2) Keytable- Keyboard Driver
3) Network- Runlevel and network driver
4) Random- Probably a random number generator
5) Syslog- System Logger driver
6) Choose "OK".
u) The "Configure Printer" window will appear, choose "No".
v) The "Root Password" window will appear. Enter your password next to the
"Password:" and "Password (again):" items then choose "OK".
w) The "Authentication Configuration" window will now appear, remove the
"*"'s from all the items in this window then choose "OK".
x) The "Bootdisk" window will now appear, choose "No".
y) The "Lilo Installation" window will appear, choose "OK".
z) The "Lilo Installation" window will appear, choose "OK".
aa) Now the Xwindows setup windows will begin to appear, Xwindows is out of
the scope of this document, just make sure that your video card and monitor
both work, as we will need to use Xwindows later in the install.
bb) After Xwindows is installed Redhat will reboot your computer. Be sure
to remove the floppy disk and CD-ROM. If you miss it, wait for the initial
install window to appear, then remove the floppy and CD-ROM and reboot the
system.
5) Build installable module support into your kernel
a) After the reboot your login screen should appear. Next to login type
"root"
b) The "Password:" prompt will appear, enter the password you chose above in
section 4 step v.
c) Type "cd /usr/src/linux"
d) Type "make menuconfig"
e) After a while and several lines of text the "Main Menu" window should
appear. I highly encourage you to explore the options available in this
window but for now we will stick to what we need for the VPN.
1) Use your arrow keys to scroll to the "Networking Options" item and hit
"Enter".
a) The "Networking options" window should appear.
b) Use your arrow keys to scroll down to "IP: masquerading" and type "N".
c) Use your arrow keys to scroll down to "IP: tunneling" and type "N".
d) Use your arrow keys to scroll down to "IP: aliasing support" and type
"N".
e) Use your arrow keys to scroll down to "IP: Reverse ARP" and type "N".
f) Use your arrow keys to scroll down to "The IPX protocol" and type "N".
g) Use your arrow keys to scroll down to "Appletalk DDP" and type "N".
h) Use your right arrow key to highlight "<Exit>" at the bottom of the
screen and hit "Enter"
f) Use your right arrow key to highlight "<Exit>" at the bottom of the
screen and hit "Enter"
g) A titleless window should now appear, choose "<Yes>".
h) Type "make dep"
i) Type "make clean"
j) Type "make bzImage" (Go get some coffee, take a nap, whatever-it's gonna
be a while)
k) This probably is not necessary, but I always reboot here, type "shutdown
-r now"
6) Build the Microsoft Compatible Point to Point Protocol
a) After the reboot your login screen should appear. Next to login type
"root"
b) The "Password:" prompt will appear, enter the password you chose above in
section 4 step v.
c) You will now need to download the ppp-2.3.8 source files. I get them
from ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.3.8.tar.gz Note: you must
get the tar.gz version NOT the RPM.
d) Go to the directory where you downloaded ppp-2.3.8.tar.gz and type "cp
ppp-2.3.8.tar.gz /usr/src/linux"
e) Type "cd /usr/src/linux"
f) Type "tar xvzf ppp-2.3.8.tar.gz"
g) Now, you will need to obtain the SSLeay-0.6.6b files. I get them from
ftp://ftp.psy.uq.oz.au/ Note: the previous address is not the complete URL
as I was not able to connect at the time I made this document. Note: once
again you will need to get the tar.gz version NOT the rpm.
h) Go to the directory where you downloaded SSLeay-0.6.6b.tar.gz and type
"cp SSLeay-0.6.6b.tar.gz ~"
i) Type "cd ~"
j) Type "tar xvzf SSLeay-0.6.6b.tar.gz"
k) Type "cd ~/SSLeay-0.6.6b/crypto/rc4"
l) Type "cp rc4.h /usr/src/linux/ppp-2.3.8/linux"
m) Type "cp rc4_enc.c /usr/src/linux/ppp-2.3.8/linux"
n) Now you will need to obtain the ppp patch
ppp-2.3.8-mppe-others-norc4_TH7.diff.gz. I get it from
http://www.moretonbay.com/vpn/releases/ppp-2.3.8-mppe-others-norc4_TH7.diff.
gz
o) Go to whatever directory you downloaded the patch to and type "cp
ppp-2.3.8-mppe-others-norc4_TH7.diff.gz /usr/src/linux/ppp-2.3.8"
p) Type "cd /usr/src/linux/ppp-2.3.8"
q) Type "zcat ppp-2.3.8-mppe-others-norc4_TH7.diff.gz | patch -p1" (the
patch file is gzipped, so it has to be decompressed before patch reads it)
r) Type "./configure"
s) Type "cd /usr/src/linux/ppp-2.3.8/linux"
t) Type "./kinstall.sh"
u) Type "cp * /usr/src/linux/drivers/net"
v) You will be prompted several times about overwriting files, overwrite ALL
files.
w) Type "cd .."
x) Type "make"
y) Type "cat pppd/pppd > /sbin/pppd"
z) Type "cd /usr/src/linux"
aa) Type "make modules SUBDIRS=drivers/net"
bb) Type "make modules_install"
cc) Type "insmod slhc"
dd) Type "insmod ppp"
ee) Type "insmod bsd_comp"
ff) Type "insmod ppp_deflate"
gg) Type "insmod ppp_mppe"
7) Setup and Configure Networking
a) Note: I am assuming that you are using Plug and Play Ethernet adapters
here.
b) type "linuxconf"
c) An information screen will appear, hit "tab" until "quit" is highlighted
then hit "enter".
d) The "Linuxconf" window should now appear. Use your arrow keys to scroll
down to "Basic host information" then hit "enter".
e) Your first device should already be set up. Use your arrow keys to
scroll down to "Adaptor 2" and make the following changes.
1) Scroll to "Enabled" and hit "space"
2) Next to "Primary name + domain" enter the Internet name and Internet
domain of your computer in the form name.domain.com.
3) Next to "IP address" enter your Internet IP address.
4) Next to "Netmask (opt)" enter your Internet netmask.
5) Next to "Net device" type "eth1" Note: this assumes you use Ethernet to
connect to the Internet.
6) Next to "Kernel module" type the driver name for your Ethernet card.
Note: for a 3c905b the driver name is 3c59x.
7) Hit "Tab" until the "Accept" button is highlighted, then hit "Enter"
8) Hit "Tab" until the "Quit" button is highlighted then hit "Enter"
9) The "Status of the system" window should appear, hit "tab" until "Quit"
is highlighted then hit "Enter"
10) You should now be able to ping the internal computers and the Internet.
If you can't, try switching adapter 1 to eth1 and adapter 2 to eth0.
8) Install Poptop
a) You will need to obtain the latest version of poptop. I get them from
http://www.moretonbay.com/vpn/releases/pptpd-0.9.9-1.i386.rpm Note: I
believe this is the only site where this file is available. Note: Here you
will want to get the RPM.
b) Go to the directory in which you placed the pptpd rpm and type "cp
pptpd-0.9.9-1.i386.rpm ~/"
c) Type "startx"
d) You will probably get a few warnings about logging into Xwindows as root,
close these and any other open windows.
e) Click the "Paw" Button at the lower left of your screen and scroll up to
"System". Scroll over to "GnoRPM" and click.
f) The "Gnome RPM" window should appear. Click the "Install" button.
g) The "Install" window should now appear. Click the "Add" button.
h) The "Add Packages" window should now appear. Under directories double
click "../" until the "Directories" section stops changing. Then scroll
down in the "Directories" section until you see "root/"
i) Double click "root/"
j) Under the "Files" section find "pptpd-0.9.9-1.i386.rpm" and click it once
to highlight it.
k) Click the "Add" button.
l) Click the "Close" button.
m) The "Install" window should now have the focus. Click the "Install"
button.
n) Click the "Close" button.
o) The "Gnome RPM" window should now have the focus. Click the "Packages"
menu item and scroll down and click "Quit".
p) Once again click the "Paw" button and choose "Log out".
q) The "Really log out?" Window should now appear. Click the "Yes" button.
9) Setup Your Configuration Files
a) I am not going to go into how to edit a file here, if you need more
information type "man vi"
b) Anything that appears in <> is meant for you to add your own settings to
c) Create or edit the /etc/ppp/options file so that it looks like this
(without the numbers)
1) lock
2) debug
3) auth
4) name <YOUR INTERNAL SERVER NAME>
5) +chap
6) +chapms
7) +chapms-v2
8) mppe-40
9) mppe-stateless
10) netmask <YOUR INTERNAL NETMASK>
11) ms-wins <YOUR INTERNAL WINS SERVER IF YOU HAVE ONE IF NOT DELETE THIS
LINE>
12) proxyarp
d) Create or edit the /etc/ppp/chap-secrets file so that it looks like this
(without the numbers). Note: every VPN user appears twice, once with the
Windows domain name and once without, so that users who also log in from
the internal or dialup network need no reconfiguration when they switch.
1) <VPN USER1 LOGIN> * <PASSWORD> *
2) <INTERNAL WINDOWS DOMAIN NAME>\\<VPN USER1 LOGIN> * <PASSWORD> *
e) Create or edit the /etc/pptpd.conf file so that it looks like this
(without the numbers)
1) speed 115200
2) localip <INTERNAL IP ADDRESS OF THE VPN>
3) remoteip <INTERNAL IP ADDRESS YOU WOULD LIKE TO ASSIGN THE CLIENT>
f) edit the /etc/syslog.conf file and add the following line(Without the
numbers)
1) daemon.debug /var/log/pptpd.log
g) edit the /etc/conf.modules file and add the following lines(Without the
numbers)
1) alias ppp-compress-18 ppp_mppe
2) alias ppp-compress-21 slhc
3) alias ppp-compress-24 bsd_comp
4) alias ppp-compress-26 ppp_deflate
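Because chap-secrets holds plaintext passwords and step 9d requires every user to appear twice, a quick consistency check is worth keeping. The script below is an added example, not part of the original HOWTO; the sample file name, user names and passwords it constructs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: sanity-check a
# /etc/ppp/chap-secrets laid out as in step 9d, where every VPN user must
# appear twice (as "user" and as "DOMAIN\\user"), and warn when the file,
# which holds plaintext passwords, is readable by anyone but root.
# Usage: check_chap_secrets /etc/ppp/chap-secrets   (exit status = number of
# users missing one of the two forms; 0 means the file is consistent)
check_chap_secrets() {
    file=$1
    # group/other permission bits from "ls -l" (columns 5-10); anything
    # other than "------" means the secrets are exposed to other local users
    perms=$(ls -l "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARNING: $file is not mode 600 (group/other bits: $perms)"
    fi
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            name = $1
            if (index(name, "\\") > 0) {
                sub(/^.*\\/, "", name)          # strip the DOMAIN\ prefix
                withdom[name] = 1
            } else {
                plain[name] = 1
            }
        }
        END {
            bad = 0
            for (u in plain)   if (!(u in withdom)) { print "MISSING domain entry for " u; bad++ }
            for (u in withdom) if (!(u in plain))   { print "MISSING plain entry for " u; bad++ }
            if (bad == 0) print "OK: every user has both forms"
            exit bad
        }' "$file"
}

# Constructed sample (placeholder names and passwords, not real credentials):
# "bob" has no DOMAIN\\bob line, so the check reports him and exits 1.
sample=${TMPDIR:-/tmp}/chap-secrets.sample.$$
printf '%s\n' \
    '# client        server  secret        IP' \
    'alice           *       EXAMPLEPASS1  *' \
    'CORP\\alice     *       EXAMPLEPASS1  *' \
    'bob             *       EXAMPLEPASS2  *' > "$sample"
chmod 600 "$sample"
check_chap_secrets "$sample" || echo "check_chap_secrets exit status: $?"
rm -f "$sample"
```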
10) Setup Firewall Features
a) Create a new file called /etc/rc.d/init.d/firewall_rules
b) Type "cd /etc/rc.d/init.d"
c) Type "chmod +x firewall_rules"
d) Edit the "firewall_rules" file so that it looks like the following
(without the numbers; enter your own information where you see <>). The
script is run directly at boot, so it needs the #!/bin/sh line, and it uses
the full path to ipchains because /sbin may not be on the PATH at that point.
1) #!/bin/sh
2) #### SET DEFAULT RULES TO DENY
3) /sbin/ipchains -P input DENY
4) /sbin/ipchains -P forward DENY
5) #### ALLOW ALL PORTS ON THE INTERNAL INTERFACE
6) /sbin/ipchains -A input -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
7) /sbin/ipchains -A forward -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
8) #### ALLOW AND FORWARD INCOMING VPN PACKETS
9) /sbin/ipchains -A input -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
10) /sbin/ipchains -A input -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
11) /sbin/ipchains -A forward -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
12) /sbin/ipchains -A forward -p tcp -s <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
13) /sbin/ipchains -A forward -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
14) /sbin/ipchains -A forward -p 47 -s <EXTERNAL IP ADDRESS> -j ACCEPT
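The internal ACCEPT rules above match on source address alone, on whichever interface a packet arrives; ipchains can tie a rule to an interface with -i, which is what the following added example does (it is not the HOWTO's own firewall_rules file, and the interface names, network and address in it are placeholder assumptions).

```shell
#!/bin/sh
# Added example (not the HOWTO's own firewall_rules file): the policy of
# step 10d rewritten so that every rule is also bound to an interface with
# -i. Without -i, the internal ACCEPT rules in step 10d accept any packet
# whose source address merely claims to be internal, including one arriving
# from the Internet with a forged source. Interface names, the network and
# the address below are placeholder assumptions; set DRY_RUN=1 to print the
# commands instead of running them (needs root and ipchains otherwise).
INT_IF=${INT_IF:-eth0}                 # internal NIC (adapter 1 in step 7e)
EXT_IF=${EXT_IF:-eth1}                 # Internet NIC (adapter 2 in step 7e)
INT_NET=${INT_NET:-192.168.1.0/24}     # placeholder for <INTERNAL IP ADDRESS>/24
EXT_IP=${EXT_IP:-203.0.113.10}         # placeholder for <EXTERNAL IP ADDRESS>

ipc() {
    if [ -n "$DRY_RUN" ]; then echo "ipchains $*"; else /sbin/ipchains "$@"; fi
}

firewall_start() {
    ipc -F input; ipc -F forward        # start from empty chains
    ipc -P input DENY
    ipc -P forward DENY
    # Internet-side packets claiming an internal source: deny and log (-l)
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # internal LAN, trusted only when it arrives on the internal NIC
    ipc -A input   -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    ipc -A forward -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # VPN clients get a remoteip inside the internal network (step 9e) but
    # arrive on ppp0, ppp1, ... so they need their own interface match
    ipc -A input   -i ppp+ -s "$INT_NET" -j ACCEPT
    ipc -A forward -i ppp+ -s "$INT_NET" -j ACCEPT
    # PPTP control connection (TCP 1723) and GRE (protocol 47) from the Internet.
    # Both terminate on this host, so the forward-chain rules for
    # <EXTERNAL IP ADDRESS> in step 10d never match and are left out.
    ipc -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 1723 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p 47  -d "$EXT_IP"      -j ACCEPT
}

firewall_stop() {
    ipc -F input; ipc -F forward
    ipc -P input ACCEPT
    ipc -P forward ACCEPT
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     echo "Usage: $0 {start|stop}" ;;
esac
```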
e) type "startx"
f) As usual, close all the windows that Xwindows opens.
g) Click the "paw" icon then choose "System" and finally "Control Panel"
h) Click the "Stop Light" icon at the very top of the "Control Panel"
i) The "SYSV Runlevel Manager" window should appear. Under available,
single click to highlight "firewall_rules"
j) Click the "Add" button.
k) A new window should appear, in this window Push in the button next to
"Start firewall_rules"
l) Under "in runlevel:" push in button "3".
m) Click the "Done" button.
n) The "Where" window should now appear. Click into the box beneath "The
Number for firewall_rules is:" and type "98"
o) Click the "Done" button.
p) The "SYSV Runlevel Manager" window should now have the focus. Click the
"File" menu item and choose "Quit"
q) Once again click the "Paw" button and choose "Log out".
r) The "Really log out?" Window should now appear. Click the "Yes" button.
11) Reboot and Connect
a) type "shutdown -r now"
b) When the system comes back on-line you will be ready to roll with your
VPN.
c) Setup your clients. Note: you will need to download a patch from
Microsoft for windows95 and windows98 in order to use Data Encryption.