
PPTP Server Running on your Firewall

Configuring Samba
You will need a WINS server (Samba configured to run as a WINS server is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

[global]
    workgroup = TDM-NSTOP
    netbios name = WOOKIE
    server string = GNU/Linux Box
    encrypt passwords = yes
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 65
    domain master = True
    preferred master = True
    dns proxy = No
    wins support = yes
    printing = lprng

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = yes

Configuring pppd
Here is a copy of my /etc/ppp/options.poptop file:

ipparam PoPToP
lock
mtu 1490
mru 1490
ms-wins 192.168.1.3
ms-dns 206.124.146.177
multilink
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless

Note

System 192.168.1.3 acts as a WINS server so I have included that IP as the “ms-wins” value. I have pointed the remote clients at my DNS server -- it has external address 206.124.146.177. I am requiring 128-bit stateless compression.

Here's my /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client            server  secret      IP addresses
CPQTDM\\Tastep      *       <shhhhhh>   192.168.1.7
Tastep              *       <shhhhhh>   192.168.1.7

I am the only user who connects to the server but I may connect either with or without a domain being specified. The system I connect from is my laptop so I give it the same IP address when tunneled in as it has when I use its wireless LAN card around the house. You will also want the following in /etc/modules.conf:

alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Configuring pptpd
PoPToP (pptpd) is available from http://www.poptop.org/. Here is a copy of my /etc/pptpd.conf file:

option /etc/ppp/options.poptop
speed 115200
localip 192.168.1.254
remoteip 192.168.1.33-38

Note

I specify the /etc/ppp/options.poptop file as my ppp options file (I have several).

The local IP is the same as my internal interface's (192.168.1.254). I have assigned a remote IP range that overlaps my local network. This, together with “proxyarp” in my /etc/ppp/options.poptop file, makes the remote hosts look like they are part of the local subnetwork.

I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

#!/bin/sh
#
# /etc/rc.d/init.d/pptpd
#
# chkconfig: 5 12 85
# description: control pptp server
#
case "$1" in
    start)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        modprobe ppp_async
        modprobe ppp_generic
        modprobe ppp_mppe
        modprobe slhc
        if /usr/local/sbin/pptpd; then
            touch /var/lock/subsys/pptpd
        fi
        ;;
    stop)
        killall pptpd
        rm -f /var/lock/subsys/pptpd
        ;;
    restart)
        killall pptpd
        if /usr/local/sbin/pptpd; then
            touch /var/lock/subsys/pptpd
        fi
        ;;
    status)
        ifconfig
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        ;;
esac

Configuring Shorewall
Basic Setup

Here's a basic setup that treats your remote users as if they were part of your loc zone. Note that if your primary internet connection uses ppp0, then be sure that loc follows net in /etc/shorewall/zones.

/etc/shorewall/tunnels:

#TYPE       ZONE    GATEWAY     GATEWAY ZONE
pptpserver  net     0.0.0.0/0

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     ppp+

Remote Users in a Separate Zone

If you want to place your remote users in their own zone so that you can control connections between these users and the local network, follow this example. Note that if your primary internet connection uses ppp0, then be sure that vpn follows net in /etc/shorewall/zones as shown below.

/etc/shorewall/tunnels:

#TYPE       ZONE    GATEWAY     GATEWAY ZONE
pptpserver  net     0.0.0.0/0

/etc/shorewall/zones:

#ZONE   TYPE
net     ipv4
loc     ipv4
vpn     ipv4

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST           OPTIONS
net     eth0        206.124.146.255     norfc1918
loc     eth2        192.168.10.255
vpn     ppp+

Your policies and rules may now be configured for traffic to/from the vpn zone.

Multiple Remote Networks

Often there will be situations where you want multiple connections from remote networks with these networks having different firewalling requirements.

Here's how you configure this in Shorewall. Note that if your primary internet connection uses ppp0, then be sure that the vpn[123] zones follow net in /etc/shorewall/zones as shown below.

/etc/shorewall/tunnels:

#TYPE       ZONE    GATEWAY     GATEWAY ZONE
pptpserver  net     0.0.0.0/0

/etc/shorewall/zones:

#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn1    ipv4
vpn2    ipv4
vpn3    ipv4

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST           OPTIONS
net     eth0        206.124.146.255     norfc1918
loc     eth2        192.168.10.255

/etc/shorewall/hosts:

#ZONE   HOST(S)                 OPTIONS
vpn1    ppp+:192.168.1.0/24
vpn2    ppp+:192.168.2.0/24
vpn3    ppp+:192.168.3.0/24

Your policies and rules can now be configured using separate zones (vpn1, vpn2, and vpn3) for the three remote networks.
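The three setups above (loc, vpn, and vpn1/vpn2/vpn3 on the ppp+ wildcard) all carry the same ordering requirement: when the net zone's own interface is ppp0, the zone that uses ppp+ must be listed after net in /etc/shorewall/zones. The POSIX shell script below is an added example and is not part of the Shorewall documentation or the Shorewall package; it checks that requirement mechanically, generalized to any zone whose exactly named interface is also matched by another zone's wildcard entry. The function names check_zone_order and write_sample_configs are mine, and the zones and interfaces files it writes are constructed for the demonstration, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation or package.
# check_zone_order ZONES_FILE INTERFACES_FILE
#   Reads the zone order from ZONES_FILE (columns: ZONE TYPE) and the
#   zone -> interface mapping from INTERFACES_FILE (columns: ZONE INTERFACE ...).
#   For every wildcard interface entry (e.g. "ppp+") it looks for an exactly
#   named interface in another zone that the wildcard also matches (e.g. "ppp0")
#   and reports the pair if that exact zone is listed AFTER the wildcard zone.
#   Returns 0 when the order is correct, 1 otherwise.
check_zone_order() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next }      # drop comments and blank lines
        FNR == NR { order[$1] = ++n; next }         # first file: zones in listed order
        { iface[$1] = $2 }                          # second file: zone -> interface
        END {
            rc = 0
            for (z in iface) {
                i = iface[z]
                if (i !~ /\+$/) continue            # only wildcard entries can clash
                prefix = substr(i, 1, length(i) - 1)
                for (w in iface) {
                    j = iface[w]
                    if (w == z || j ~ /\+$/) continue
                    if (index(j, prefix) == 1 && order[w] > order[z]) {
                        printf "zone %s (%s) must precede zone %s (%s) in the zones file\n", w, j, z, i
                        rc = 1
                    }
                }
            }
            exit rc
        }' "$1" "$2"
}

# write_sample_configs DIR: constructed sample files for the demonstration.
# net is reached through ppp0 and vpn uses the ppp+ wildcard, which is the
# case the text warns about; zones.bad lists vpn before net.
write_sample_configs() {
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     ppp0        -
loc     eth1        192.168.1.255
vpn     ppp+
EOF
    cat > "$1/zones.good" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
EOF
    cat > "$1/zones.bad" <<'EOF'
#ZONE   TYPE
fw      firewall
vpn     ipv4
loc     ipv4
net     ipv4
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for z in zones.good zones.bad; do
    printf '%s: ' "$z"
    if check_zone_order "$tmp/$z" "$tmp/interfaces"; then echo "ok"; fi
done
rm -rf "$tmp"
```

Run it against the real files with `check_zone_order /etc/shorewall/zones /etc/shorewall/interfaces` before `shorewall restart`; a non-zero exit means a ppp0 connection would be classified by the wildcard zone first.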

PPTP Server Running Behind your Firewall


If you have a single external IP address, add the following to your /etc/shorewall/rules file:

#ACTION  SOURCE  DEST                   PROTO  DEST
#                                              PORT(S)
DNAT     net     loc:<server address>   tcp    1723
DNAT     net     loc:<server address>   47

If you have multiple external IP addresses and you want to forward a single <external address>, add the following to your /etc/shorewall/rules file:

#ACTION  SOURCE  DEST                   PROTO  DEST     SOURCE   ORIGINAL
#                                              PORT(S)  PORT(S)  DEST
DNAT     net     loc:<server address>   tcp    1723     -        <external address>
DNAT     net     loc:<server address>   47     -        -        <external address>

You will also want to add this entry to your /etc/shorewall/masq file:

#INTERFACE              SUBNET              ADDRESS              PROTO
<external interface>    <server address>    <external address>   47

Important

Be sure that the above entry comes before any other entry that might match the server's address.
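Because masq entries are applied in file order, a broader entry (for example one covering the whole internal subnet) placed above the PROTO 47 entry would masquerade the server's GRE traffic to the wrong external address. The POSIX shell script below is an added example, not part of the Shorewall documentation or package: check_masq_order walks a masq file and confirms that the first entry whose SUBNET column covers the server's address is the PROTO 47 entry. The function names, the CIDR arithmetic, and the two sample masq files (masq.good and masq.bad, which reuse the page's 206.124.146.x addresses purely as constructed sample values) are mine; the SUBNET column is assumed to hold a plain address or a CIDR block, not an exclusion or an interface name.

```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation or package.
# check_masq_order MASQ_FILE SERVER_ADDRESS
#   Scans MASQ_FILE (columns: INTERFACE SUBNET ADDRESS PROTO) top to bottom.
#   Returns 0 when a PROTO 47 entry covers SERVER_ADDRESS and no other entry
#   covering that address precedes it; returns 1 (with a message) otherwise.
#   Assumption: SUBNET is a plain address or a CIDR block.
check_masq_order() {
    awk -v server="$2" '
        function ip2int(a,  o) {                 # dotted quad -> 32-bit integer
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function covers(subnet, ip,  parts, p, shift) {   # is ip inside subnet?
            if (split(subnet, parts, "/") == 2) p = parts[2]; else p = 32
            shift = 2 ^ (32 - p)
            return int(ip2int(parts[1]) / shift) == int(ip2int(ip) / shift)
        }
        { sub(/#.*/, ""); if (NF == 0) next }    # drop comments and blank lines
        covers($2, server) && $4 == "47" && !gre   { gre = NR }    # first GRE entry
        covers($2, server) && $4 != "47" && !other { other = NR }  # first other match
        END {
            if (!gre) { print "no PROTO 47 masq entry covers " server; exit 1 }
            if (other && other < gre) {
                printf "line %d masquerades %s before the PROTO 47 entry on line %d\n", other, server, gre
                exit 1
            }
            exit 0
        }' "$1"
}

# write_masq_samples DIR: constructed sample masq files for the demonstration.
# masq.bad puts the subnet-wide entry above the server's GRE entry.
write_masq_samples() {
    cat > "$1/masq.good" <<'EOF'
#INTERFACE  SUBNET          ADDRESS           PROTO
eth0        192.168.1.5     206.124.146.177   47
eth0        192.168.1.0/24  206.124.146.176
EOF
    cat > "$1/masq.bad" <<'EOF'
#INTERFACE  SUBNET          ADDRESS           PROTO
eth0        192.168.1.0/24  206.124.146.176
eth0        192.168.1.5     206.124.146.177   47
EOF
}

tmp=$(mktemp -d)
write_masq_samples "$tmp"
for f in masq.good masq.bad; do
    printf '%s: ' "$f"
    if check_masq_order "$tmp/$f" 192.168.1.5; then echo "ok"; fi
done
rm -rf "$tmp"
```

With a real configuration, call `check_masq_order /etc/shorewall/masq <server address>`; it also fails when no PROTO 47 entry exists for the server at all, which is the other way the forwarded PPTP session silently breaks.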

PPTP Clients Running Behind your Firewall


You shouldn't have to take any special action for this case unless you wish to connect multiple clients to the same external server. In that case, you must install the PPTP connection-tracking and NAT patch from Netfilter Patch-O-Matic (some distributions are now shipping with this patch installed). I recommend that you also add these four lines to your /etc/shorewall/modules file:

loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp
loadmodule ip_nat_proto_gre

For LEAF/Bering users, the 2.4.20 kernel has already been patched as described at the URL above and the three modules are included in the Bering 1.2 modules tarball.

Warning

Installing the above modules will prevent any GRE tunnels that you have from working correctly.

PPTP Client Running on your Firewall


The key elements of this setup are as follows:

1. Define a zone for the remote network accessed via PPTP.
2. Associate that zone with a ppp interface.
3. Define rules for PPTP traffic to/from the firewall.
4. Define rules for traffic to and from the remote zone.

Here are examples from one of my old setups:

/etc/shorewall/zones:

#ZONE   TYPE
cpq     ipv4

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
-       ppp+

/etc/shorewall/hosts:

#ZONE   HOST(S)                 OPTIONS
cpq     ppp+:!192.168.1.0/24

/etc/shorewall/tunnels:

#TYPE       ZONE    GATEWAY     GATEWAY ZONE
pptpclient  net     0.0.0.0/0

I use the combination of interface and hosts file to define the “cpq” zone because I also run a PPTP server on my firewall (see above). Using this technique allows me to distinguish clients of my own PPTP server from arbitrary hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC 1918 Class C subnet. I use this script in /etc/init.d to control the client. The reason that I disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet and reject the initial TCP connection request if I enable ECN :-(

#!/bin/sh
#
# /etc/rc.d/init.d/pptp
#
# chkconfig: 5 60 85
# description: PPTP Link Control
#
NAME="Tandem"
ADDRESS=tunnel-tandem.compaq.com
USER='Tandem\tommy'
CN=0
DEBUG=

start_pptp() {
    echo $CN > /proc/sys/net/ipv4/tcp_ecn
    if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
        touch /var/lock/subsys/pptp
        echo "PPTP Connection to $NAME Started"
    fi
}

stop_pptp() {
    if killall /usr/sbin/pptp 2> /dev/null; then
        echo "Stopped pptp"
    else
        rm -f /var/run/pptp/*
    fi
#   if killall pppd; then
#       echo "Stopped pppd"
#   fi
    rm -f /var/lock/subsys/pptp
    echo 1 > /proc/sys/net/ipv4/tcp_ecn
}

case "$1" in
    start)
        echo "Starting PPTP Connection to ${NAME}..."
        start_pptp
        ;;
    stop)
        echo "Stopping $NAME PPTP Connection..."
        stop_pptp
        ;;
    restart)
        echo "Restarting $NAME PPTP Connection..."
        stop_pptp
        start_pptp
        ;;
    status)
        ifconfig
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        ;;
esac

Here's my /etc/ppp/options file:

#
# Identify this connection
#
ipparam Compaq
#
# Lock the port
#
lock
#
# We don't need the tunnel server to authenticate itself
#
noauth
+chap
+chapms
+chapms-v2
multilink
mrru 1614
#
# Turn off transmission protocols we know won't be used
#
nobsdcomp
nodeflate
#
# We want MPPE
#
mppe-128
mppe-stateless
#
# We want a sane mtu/mru
#
mtu 1000
mru 1000
#
# Time this thing out if it goes poof
#
lcp-echo-failure 10
lcp-echo-interval 10

My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq traffic through the PPTP tunnel:

#!/bin/sh
case $6 in
    Compaq)
        route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
        route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
        route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
        ...
        ;;
esac

Finally, I run the following script every five minutes under crond to restart the tunnel if it fails:

#!/bin/sh

restart_pptp() {
    /sbin/service pptp stop
    sleep 10
    if /sbin/service pptp start; then
        /usr/bin/logger "PPTP Restarted"
    fi
}

if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
    exit 0
fi

echo "Attempting to restart PPTP"
restart_pptp > /dev/null 2>&1 &

Here's a script and corresponding ip-up.local from Jerry Vonau <jvonau@home.com> that controls two PPTP connections.

PPTP Client Running on your Firewall with PPTP Server in an ADSL Modem

Some ADSL systems in Europe (most notably in Austria and the Netherlands) feature a PPTP server built into an ADSL “Modem”. In this setup, an ethernet interface is dedicated to supporting the PPTP tunnel between the firewall and the “Modem” while the actual internet access is through PPTP (interface ppp0). If you have this type of setup, you need to modify the sample configuration that you downloaded as described in this section. These changes are in addition to those described in the QuickStart Guides.

Let's assume the following:

ADSL Modem connected through eth0
Modem IP address = 192.168.1.1
eth0 IP address = 192.168.1.2

The changes you need to make are as follows:

1. Add this entry to /etc/shorewall/zones:

#ZONE   TYPE
modem   ipv4

That entry defines a new zone called “modem” which will contain only your ADSL modem.

2. Add the following entry to /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
modem   eth0        192.168.1.255   dhcp

You will of course modify the “net” entry in /etc/shorewall/interfaces to specify “ppp0” as the interface as described in the QuickStart Guide corresponding to your setup.

3. Add the following to /etc/shorewall/tunnels:

#TYPE       ZONE    GATEWAY         GATEWAY ZONE
pptpclient  modem   192.168.1.1

That entry allows a PPTP tunnel to be established between your Shorewall system and the PPTP server in the modem.
