openbsd-ports/net/poptop/files/README.OpenBSD
naddy 12046a279b GRE support no longer requires re-compilation of the kernel.
Modified README.OpenBSD to show this.  Enabled with @sysctl.
From: Craig Barraclough <craigba@creative.com.au>
2004-11-11 18:15:53 +00:00


PoPToP - Unix PPTP Server
-------------------------
1. GRE Support
PoPToP requires GRE support in the kernel. As of OpenBSD 3.6 this no longer
needs a kernel rebuild; it is controlled by the sysctl net.inet.gre.allow.
To make the setting persistent across reboots, add a line such as the
following to /etc/sysctl.conf:

    net.inet.gre.allow=1 # GRE Support for PoPToP

To enable it on the running system without rebooting, run
'sysctl net.inet.gre.allow=1' as root. Leave GRE disabled on hosts that
do not terminate PPTP tunnels.
2. Configuration of PPTP
A sample configuration file is copied into your configuration directory
(normally /etc) as pptpd.conf. Adjust it to suit your site; at a minimum
set 'localip' and 'remoteip'. 'localip' must be an address that is already
configured on one of the server's interfaces; 'remoteip', the address or
pool handed out to clients, need not be.
3. Configuration of PPP
PoPToP handles only the PPTP control connection; the tunnelled PPP session
itself, including authentication and encryption, is handled by ppp(8), so
most of the configuration lives there.
3.1 /etc/ppp/options
General desired options:

    proxyarp

For Microsoft clients you will want MS-CHAP v2 with 128-bit, stateless
MPPE:

    +MSChap-V2 mppe-128 mppe-stateless

A 40-bit MPPE key length is also available but is not recommended; use
128-bit wherever the client supports it:

    mppe-40

MS-CHAP (version 1) can also be enabled for Microsoft clients, but it is
weaker than MS-CHAP v2 and should only be used where v2 is unavailable:

    +MSChap
3.2 /etc/ppp/ppp.conf
In ppp.conf create a section labelled pptp (the label starts in column 0
and the commands within the section must be indented):

    pptp:
     enable proxy
     set dns IP.Of.DNS.Server1 IP.Of.DNS.Server2
     set ifaddr Local.IP Remote.IP
     set timeout 0

For non-Microsoft clients choose your authentication method (one or more
of):

     enable pap
     enable chap

For Microsoft clients you will also want:

     enable MSChapV2

If you added '+MSChap' to options above, you can enable it here with:

     enable MSChap

If you have a WINS server:

     set nbns IP.Of.WINS.Server
3.3 Users and Passwords
You will now need to create username/password entries for your users in
/etc/ppp/ppp.secret. See /etc/ppp/ppp.secret.sample for examples. If you
assigned a range to 'remoteip' in the above configuration files, you can
assign per-user IPs for accounting purposes here (third field). Passwords
in this file are stored in the clear, so it should be owned by root and
readable only by root (mode 0600).
4. Firewalls
There are three flows you will need to allow: an inbound TCP connection
to port 1723 (the control connection),

    pass in quick on $ext_if proto tcp from any to $ext_ip port = 1723 \
        modulate state

and inbound and outbound GRE (the data channel):

    pass in quick on $ext_if proto gre from any to $ext_ip keep state
    pass out quick on $ext_if proto gre from $ext_ip to any keep state

Here $ext_ip is the externally accessible IP address of the server (the
'host' in the PPTP client's configuration).
Also make sure you have rules that allow the clients' traffic out of your
server. It will appear to come from the IP address assigned in ppp.secret
or, if none is set there, from Remote.IP as defined in ppp.conf (the first
available address if this is a pool).
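As an added example (not code from the poptop port or from this README), the POSIX sh script below audits a copy of the files sections 1 to 4 tell you to edit: it reports a FAIL line for each required setting that is missing (the GRE sysctl, localip/remoteip, the pptp: section, ppp.secret) and a WARN line for each setting the README discourages or a practitioner would question (mppe-40, MS-CHAP v1, a group- or world-readable ppp.secret, missing pf rules). It reads files under a directory laid out like /etc and never calls sysctl, ppp or pfctl. The sample trees it can write are constructed for the demonstration; the addresses are from the 203.0.113.0/24 documentation range and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the poptop port or its README: an offline audit of the
# files sections 1-4 above tell you to edit. Prints one FAIL: line per required
# setting that is missing and one WARN: line per discouraged setting. It only reads
# files under ETC_DIR (/etc on a live server, or a staging copy).

# match_token FILE REGEX: true if REGEX matches a whole whitespace-delimited token.
match_token() {
    grep -Eiq "(^|[[:space:]])$2([[:space:]]|$)" "$1" 2>/dev/null
}

# audit_pptp_setup ETC_DIR: print findings; always returns 0 so callers can count them.
audit_pptp_setup() {
    etc=$1

    # Section 1: GRE must be enabled persistently via sysctl.conf.
    grep -Eq '^[[:space:]]*net\.inet\.gre\.allow[[:space:]]*=[[:space:]]*1' "$etc/sysctl.conf" 2>/dev/null \
        || echo "FAIL: net.inet.gre.allow=1 not set in $etc/sysctl.conf"

    # Section 2: pptpd.conf needs both localip and remoteip.
    for key in localip remoteip; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$etc/pptpd.conf" 2>/dev/null \
            || echo "FAIL: $key not configured in $etc/pptpd.conf"
    done

    # Section 3.1: 40-bit MPPE and MS-CHAP v1 are the weak choices; 128-bit MPPE
    # with MS-CHAP v2 is the recommended pairing for Microsoft clients.
    opts=$etc/ppp/options
    match_token "$opts" 'mppe-40'  && echo "WARN: 40-bit MPPE (mppe-40) enabled in $opts"
    match_token "$opts" '\+MSChap' && echo "WARN: MS-CHAP v1 (+MSChap) enabled in $opts"
    match_token "$opts" 'mppe-128' || echo "WARN: mppe-128 not enabled in $opts"

    # Section 3.2: a pptp: section must exist; 'enable MSChap' (v1) is the weaker option.
    conf=$etc/ppp/ppp.conf
    grep -q '^pptp:' "$conf" 2>/dev/null || echo "FAIL: no 'pptp:' section in $conf"
    grep -Eiq '(^|[[:space:]])enable[[:space:]]+MSChap([[:space:]]|$)' "$conf" 2>/dev/null \
        && echo "WARN: 'enable MSChap' (v1) in $conf"

    # Section 3.3: ppp.secret holds plaintext passwords; it must exist and be root-only.
    sec=$etc/ppp/ppp.secret
    if [ ! -f "$sec" ]; then
        echo "FAIL: $sec missing"
    elif [ -n "$(find "$sec" -perm -004 -o -perm -040)" ]; then
        echo "WARN: $sec is group- or world-readable; chmod 600 it"
    fi

    # Section 4: pf.conf needs the TCP/1723 control rule and GRE pass rules.
    pf=$etc/pf.conf
    grep -Eq 'proto[[:space:]]+tcp.*port[[:space:]]*(=[[:space:]]*)?1723' "$pf" 2>/dev/null \
        || echo "WARN: no pass rule for TCP port 1723 in $pf"
    grep -Eq 'proto[[:space:]]+gre' "$pf" 2>/dev/null \
        || echo "WARN: no pass rule for GRE in $pf"
    return 0
}

# make_sample_tree DIR weak|hardened: write a constructed set of config files for the
# audit to run against. Sample data only: documentation-range addresses, placeholder
# password. 'weak' reproduces the choices the README discourages.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/ppp"
    printf 'localip 203.0.113.1\n' > "$dir/pptpd.conf"
    printf 'alice\tplaceholder-password\n' > "$dir/ppp/ppp.secret"
    if [ "$2" = hardened ]; then
        printf 'net.inet.gre.allow=1 # GRE Support for PoPToP\n' > "$dir/sysctl.conf"
        printf 'remoteip 203.0.113.10-20\n' >> "$dir/pptpd.conf"
        printf 'proxyarp\n+MSChap-V2 mppe-128 mppe-stateless\n' > "$dir/ppp/options"
        printf 'pptp:\n enable proxy\n set ifaddr 203.0.113.1 203.0.113.10-203.0.113.20\n set timeout 0\n enable MSChapV2\n' \
            > "$dir/ppp/ppp.conf"
        printf 'pass in quick on $ext_if proto tcp from any to $ext_ip port = 1723 modulate state\npass in quick on $ext_if proto gre from any to $ext_ip keep state\npass out quick on $ext_if proto gre from $ext_ip to any keep state\n' \
            > "$dir/pf.conf"
        chmod 600 "$dir/ppp/ppp.secret"
    else
        : > "$dir/sysctl.conf"
        printf 'proxyarp\n+MSChap mppe-40\n' > "$dir/ppp/options"
        printf 'pptp:\n enable proxy\n set ifaddr 203.0.113.1 203.0.113.10\n set timeout 0\n enable MSChap\n' \
            > "$dir/ppp/ppp.conf"
        printf 'pass in quick on $ext_if proto tcp from any to $ext_ip port = 1723 modulate state\n' \
            > "$dir/pf.conf"
        chmod 644 "$dir/ppp/ppp.secret"
    fi
}

# Usage on a server: sh audit-pptp.sh /etc
[ -n "${1:-}" ] && audit_pptp_setup "$1"
```

Run it against /etc before starting pptpd, or against a staging directory that mirrors the /etc layout; the 'weak' sample tree yields two FAIL and six WARN lines, the 'hardened' one yields nothing. The checks are plain pattern matches on the files, not a parse of ppp(8) or pf(4) syntax, so a clean run confirms the README's settings are present rather than that the configuration loads.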