Poptop (PPTPD) VPN server setup

Generic admin how-to
Most of our clients use Windows desktop computers, so when it comes to setting up a VPN, the best choice is to use the PPTP protocol: it comes as standard on Windows desktops, and the client side is very easy to configure even for non-technical users.

The default Linux PPTPD server is Poptop, and it is really easy to configure; the Poptop website has numerous useful resources for a variety of Linux distributions. Here is our own setup, running on Debian Etch/testing:

Install PPTPD

apt-get install pptpd

Configure the IP addresses

There are two kinds of address: the IP address of the server as seen by the client, and the IP addresses that the server gives to the clients. Note that this is a point-to-point connection, so these addresses are only seen by the two endpoints, not by the whole networks. It's best to use IP addresses that are on neither of the LANs.

Edit /etc/pptpd.conf, and change these two lines:


localip 192.168.11.2
remoteip 192.168.11.100-200

'localip' is the address of the server (as seen by the VPN clients), and 'remoteip' is the range of addresses the server assigns to the clients (so in this case, the server will give out addresses from 192.168.11.100 up to 192.168.11.200).

You need to restart PPTPD after making those changes:


/etc/init.d/pptpd restart

Configure encryption level

By default, PPTPD only accepts MPPE encryption with 128-bit keys. However, older Windows clients do not support 128-bit keys.
The PPTPD options file is /etc/ppp/pptpd-options by default (if not, the 'options' directive in /etc/pptpd.conf will tell you where the file is). The following is the default configuration (so you don't need to change it), which makes sure that only MS-CHAPv2 authentication (the safest of these) is accepted:


refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

Following this is the line:


require-mppe-128

This forces the use of 128-bit encryption. To relax this and allow 40-bit encryption when 128-bit encryption is not available, change the line to:


require-mppe

Adding users

To add users, edit the file /etc/ppp/chap-secrets. Entries are of the form


<username> <servicename> <password> <ip addresses>

  • 'servicename' is defined in the /etc/ppp/pptpd-options file by the 'name' directive; the default entry is 'pptpd' (which is perfectly fine!)
  • 'ip addresses' lists the IP addresses from which this user can connect. Unless the remote workers are in an office with a fixed IP, you'll want to use '*' here, which allows connections from all IPs.

So for a user 'john' with password 'jkLLhgM', the typical entry would be:


john pptpd jkLLhgM *
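As an added example (not part of the original how-to), here is a small shell helper that adds a user to chap-secrets the way described above: it generates a random password, refuses usernames that would break the four-field format, refuses a second entry for an existing user, and keeps the file readable by root only, since chap-secrets stores the passwords in plain text. It assumes the default 'pptpd' service name; the secrets file path and the allowed-IP field are parameters (defaulting to /etc/ppp/chap-secrets and '*') so it can be tried on a scratch file first.

```sh
#!/bin/sh
# Added example (not from the original how-to): add a user to chap-secrets
# with a generated password, refusing duplicates, and keep the file root-only
# because chap-secrets stores passwords in plain text.
# Assumptions: the 'name' directive in pptpd-options is the default 'pptpd';
# the secrets file path can be overridden (default /etc/ppp/chap-secrets).

# Print a 16-character random password drawn from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Print the chap-secrets line for a user, or nothing if the user has no entry.
# Usage: pptp_user_entry <username> [secrets-file]
pptp_user_entry() {
    user=$1
    secrets=${2:-/etc/ppp/chap-secrets}
    [ -f "$secrets" ] || return 0
    awk -v u="$user" '$1 == u { print; exit }' "$secrets"
}

# Usage: add_pptp_user <username> [secrets-file] [allowed-ip]
# Appends "<username> pptpd <password> <allowed-ip>" and prints the password.
add_pptp_user() {
    user=$1
    secrets=${2:-/etc/ppp/chap-secrets}
    allowed=${3:-*}

    # Only allow simple usernames: whitespace would break the 4-field format.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid username: '$user'" >&2
            return 1 ;;
    esac

    # Refuse a second entry for the same user to keep the file unambiguous.
    if [ -n "$(pptp_user_entry "$user" "$secrets")" ]; then
        echo "user '$user' already has an entry in $secrets" >&2
        return 1
    fi

    pw=$(gen_password)
    # Create or append with a restrictive umask, then enforce mode 600.
    ( umask 077; printf '%s pptpd %s %s\n' "$user" "$pw" "$allowed" >> "$secrets" )
    chmod 600 "$secrets"
    echo "$pw"
}
```

Run it as root, e.g. `add_pptp_user john` to get an entry of the form `john pptpd <generated password> *`; the printed password is what you hand to the user, and pptpd picks the new entry up without a restart because chap-secrets is read at each authentication.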

Troubleshooting authentication problems

If the connection doesn't work, add the following line at the top of /etc/ppp/pptpd-options:


debug dump

Then try connecting again, and look at the file /var/log/debug. If you see an entry that contains


MPPE required but peer negotiation failed

it means that there is an incompatibility between the encryption settings of your server and client. The preceding lines would look something like this:


sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x5 <mppe +H +M -S +L -D +C>]

  • 'sent' represents the options the server supports. In this case it supports 'H' and 'S', but doesn't support 'M', 'L', 'D' and 'C'
  • 'rcvd' represents the options the client supports. In this case it supports 'H', 'M', 'L' and 'C' but not 'S' and 'D'

The codes are detailed on this page. If you look there you will see that 'S' stands for 128-bit encryption, 'M' for 56-bit encryption, and 'L' for 40-bit encryption. The problem here is that the server only supports 128-bit encryption, while the client doesn't support it.

You can either change the server to support 40-bit encryption (see 'Configure encryption level') or, if your client is Windows XP, enable 128-bit encryption (in the 'Properties' dialog of the connection, under the 'Security' tab, select 'Advanced', and under 'Data encryption', select "Maximum strength encryption").
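As an added example (not from the original how-to), the following shell functions automate the comparison described above: they pull the flag string out of the server's 'sent' and the client's 'rcvd' CCP ConfReq lines, map pppd's S/M/L flags to 128/56/40-bit key lengths, and report whether the two sides share one. The two log lines in the script are constructed to reproduce the case discussed (server 128-bit only, client 56- and 40-bit only); the flag letters follow pppd's own "<mppe +H -M +S -L -D -C>" notation.

```sh
#!/bin/sh
# Added example (not from the original how-to): read the server's "sent" and the
# client's "rcvd" CCP ConfReq lines from /var/log/debug and report whether the
# two sides share an MPPE key length. The two sample lines below are constructed
# to reproduce the mismatch described in the text (server 128-bit only, client
# 56/40-bit only); the flag letters are pppd's own H/M/S/L/D/C notation.

SRV_LINE='sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]'   # constructed
CLI_LINE='rcvd [CCP ConfReq id=0x5 <mppe +H +M -S +L -D +C>]'   # constructed

# Print the flag string between "<mppe " and ">", e.g. "+H -M +S -L -D -C".
mppe_flags() {
    printf '%s\n' "$1" | sed -n 's/.*<mppe \([^>]*\)>.*/\1/p'
}

# Translate a flag string into the key lengths offered: S=128, M=56, L=40.
mppe_strengths() {
    out=""
    for f in $1; do
        case "$f" in
            +S) out="$out 128" ;;
            +M) out="$out 56" ;;
            +L) out="$out 40" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Usage: diagnose_ccp <sent-line> <rcvd-line>
# Prints the key lengths both sides offer, or a mismatch report (exit 1).
diagnose_ccp() {
    srv=$(mppe_strengths "$(mppe_flags "$1")")
    cli=$(mppe_strengths "$(mppe_flags "$2")")
    common=""
    for s in $srv; do
        for c in $cli; do
            if [ "$s" = "$c" ]; then
                common="$common $s"
            fi
        done
    done
    if [ -z "$common" ]; then
        echo "mismatch: server offers [$srv] bits, client offers [$cli] bits"
        return 1
    fi
    echo "ok: common key length(s):$common bits"
}

# Stand-alone run over the constructed lines (reports the mismatch).
diagnose_ccp "$SRV_LINE" "$CLI_LINE" || true
```

On a real server you would feed it the last 'sent' and 'rcvd' CCP ConfReq lines from /var/log/debug, for example `diagnose_ccp "$(grep 'sent \[CCP ConfReq' /var/log/debug | tail -1)" "$(grep 'rcvd \[CCP ConfReq' /var/log/debug | tail -1)"`; an empty list on either side means that line carried no MPPE option at all.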

If this isn't your problem, you will find a lot of help on the Poptop website.