How To Set Up PPTP VPN Server With OpenBSD and npppd
Convenient but utterly insecure
The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. It has many well-known security issues: its MS-CHAPv2 authentication can be cracked offline from a single captured handshake, and its MPPE (RC4) session keys are derived from the same password hash, so nowadays it shouldn't be used at all. However, every Microsoft Windows version from the last two decades ships with a PPTP client, which makes it very convenient. As of OpenBSD 5.3, npppd – New Point to Point Protocol Daemon – is part of the OpenBSD base system. The following article describes how to configure it as a PPTP server which authenticates users against RADIUS.
For npppd to perform its role as a PPTP server, pipex (the kernel PPP acceleration path it uses) and GRE (the protocol that carries the tunnelled PPP frames) need to be enabled in sysctl.conf. This can be done by typing the commands below as root:
echo 'net.pipex.enable=1' >> /etc/sysctl.conf
echo 'net.inet.gre.allow=1' >> /etc/sysctl.conf
Only one config file, npppd.conf, is needed to configure all aspects of npppd. Mine looks as follows:
#/etc/npppd.conf
# GLOBAL
set max-session 200
set user-max-session 1
# TUNNEL
tunnel EXAMPLE protocol pptp {
	listen on 203.0.113.1
	pptp-hostname vpn.example.org
	pptp-vendor-name "openbsd-npppd"
	ingress-filter yes
	mppe required
	mppe-key-length 128
	mppe-key-state stateless
}
# IPCP
ipcp EXAMPLE {
	pool-address "192.0.2.0/24"
	dns-servers 198.51.100.11 198.51.100.12
	allow-user-selected-address no
}
# INTERFACE
interface pppac0 address 192.0.2.1 ipcp EXAMPLE
# AUTHENTICATION
authentication RADIUS type radius {
	strip-nt-domain yes
	strip-atmark-realm yes
	authentication-server {
		address 198.51.100.21 secret "changeme"
		address 198.51.100.22 secret "changeme"
	}
	accounting-server {
		address 198.51.100.21 secret "changeme"
		address 198.51.100.22 secret "changeme"
	}
}
bind tunnel from EXAMPLE authenticated by RADIUS to pppac0
Here's a brief explanation of the config above. A maximum of 200 concurrent sessions is allowed in total, and each account is restricted to a single session at a time. The PPTP server listens on the public IP address 203.0.113.1 and presents itself to clients with vpn.example.org as its hostname and openbsd-npppd as its vendor string. ingress-filter yes drops packets arriving through a tunnel whose source address is not the one assigned to that client, so a client cannot spoof other addresses into the VPN. mppe required refuses any client that will not negotiate MPPE, and the key settings demand 128-bit keys in stateless mode; keep in mind that MPPE is RC4 keyed from the MS-CHAPv2 exchange, so an attacker who cracks a captured handshake can also derive the session keys and decrypt the traffic. Clients' tunnel interfaces are assigned addresses from the 192.0.2.0/24 pool together with the DNS servers 198.51.100.11 and 198.51.100.12; clients are not allowed to ignore the assigned address and pick their own. The server talks to all clients through a single point-to-point interface, pppac0, which carries the address 192.0.2.1. Here's how it looks in ifconfig output:
pppac0: flags=843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 65532
	index 48 priority 0 llprio 3
	inet 192.0.2.1 netmask 0xffffffff
The pppac0 interface is created automatically when the npppd daemon starts.
Authentication and accounting are performed by the two RADIUS servers at 198.51.100.21 and 198.51.100.22; each is listed as both an authentication and an accounting server, so either one can handle both roles if the other is down. strip-nt-domain and strip-atmark-realm trim DOMAIN\user and user@realm down to the bare username before it is sent to RADIUS. Finally, all clients authenticated by RADIUS are bound to the pppac0 interface. Replace the placeholder shared secret "changeme" with a long random secret per server: RADIUS only obfuscates the password attribute with that secret and sends everything else in clear, so the path between npppd and the RADIUS servers must be a trusted network. Because the MPPE keys come out of the MS-CHAPv2 exchange, the RADIUS server also has to support MS-CHAPv2 for these users (in practice it needs NT password hashes, not just Unix crypt hashes) and return the MS-MPPE key attributes.
Setting up a RADIUS server is out of scope for this document.
Let's instruct the system to start npppd at boot time by typing the command below as root:
rcctl enable npppd
A reboot applies the sysctl.conf changes and starts npppd; to avoid the reboot, apply them right away with sysctl net.pipex.enable=1 net.inet.gre.allow=1 followed by rcctl start npppd. Either way, TCP port 1723 (the PPTP control connection) and IP protocol 47 (GRE, which carries the tunnelled PPP frames) must be allowed on every firewall between server and clients, including pf on the server itself if it is enabled, otherwise clients won't be able to connect. GRE has no port numbers, so a rule for TCP 1723 alone is not enough: the control connection will come up and the session will then hang when PPP negotiation starts.
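As an added example (not code from the original article and not part of npppd), here is a small Python probe that opens the PPTP control connection on TCP port 1723, sends a Start-Control-Connection-Request and decodes the server's Start-Control-Connection-Reply according to the message layouts in RFC 2637. It is a quick way to confirm that the firewall rule for port 1723 works, and it also shows what the pptp-hostname and pptp-vendor-name values from npppd.conf, together with the server's capabilities, reveal to anyone who can reach the port before any authentication takes place. The embedded reply is constructed for offline use, not a real npppd capture; the capability, channel and firmware values in it are placeholders.

```python
"""Probe a PPTP control channel: send a Start-Control-Connection-Request
(SCCRQ) to TCP/1723 and decode the Start-Control-Connection-Reply (SCCRP).

Message layouts follow RFC 2637 sections 2.1 and 2.2.  Hostname, vendor
string, capabilities and firmware revision travel in the clear before any
authentication, so anyone who can reach port 1723 learns them."""
import socket
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1          # PPTP Message Type 1 = control message
SCCRQ, SCCRP = 1, 2          # Control Message Types
PROTOCOL_VERSION = 0x0100    # PPTP version 1.0
# RFC 2637 2.1 (SCCRQ): length, msg type, cookie, ctrl type, reserved0,
# version, reserved1, framing caps, bearer caps, max channels, firmware,
# hostname[64], vendor[64]
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# RFC 2637 2.2 (SCCRP): same layout, but reserved1 becomes result + error code
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
MSG_LEN = struct.calcsize(SCCRQ_FMT)   # 156 octets for both messages
RESULT_CODES = {
    1: "successful",
    2: "general error",
    3: "command channel already exists",
    4: "not authorized",
    5: "unsupported protocol version",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded 64-octet string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"probe") -> bytes:
    """Build an SCCRQ advertising async+sync framing and analog+digital bearers."""
    return struct.pack(
        SCCRQ_FMT, MSG_LEN, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
        PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0,
        hostname[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError on anything that is not one."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short PPTP message: {len(data)} < {MSG_LEN} octets")
    (length, msg_type, cookie, ctrl_type, _reserved0, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:MSG_LEN])
    if msg_type != CONTROL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message (bad type or magic cookie)")
    if ctrl_type != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrl_type}")
    return {
        "length": length,
        "version": f"{version >> 8}.{version & 0xFF}",
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error_code": error,
        "framing_async": bool(framing & 1),
        "framing_sync": bool(framing & 2),
        "bearer_analog": bool(bearer & 1),
        "bearer_digital": bool(bearer & 2),
        "max_channels": max_chan,
        "firmware_revision": firmware,
        "hostname": _cstr(host),
        "vendor": _cstr(vendor),
    }


def probe(server: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Open the control connection, send an SCCRQ and return the decoded SCCRP."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control connection early")
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not a real npppd capture) carrying the hostname and
# vendor string from the npppd.conf above; capability values are placeholders.
SAMPLE_SCCRP = struct.pack(
    SCCRP_FMT, MSG_LEN, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
    PROTOCOL_VERSION, 1, 0, 0x2, 0x3, 200, 0,
    b"vpn.example.org".ljust(64, b"\0"), b"openbsd-npppd".ljust(64, b"\0"))

if __name__ == "__main__":
    import sys
    info = parse_sccrp(SAMPLE_SCCRP) if len(sys.argv) < 2 else probe(sys.argv[1])
    for key, value in info.items():
        print(f"{key:>18}: {value}")
```

Run it with a hostname or address as the only argument to probe a live server; without an argument it decodes the constructed sample reply. If the control connection is accepted but the reply never arrives, or a session later stalls right after the control exchange, suspect a GRE filter rather than the TCP rule.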
Once clients start connecting, basic information about active sessions can be checked by typing the command below as a regular user:
npppctl session brief
We should get output similar to:
Ppp Id     Assigned IPv4   Username             Proto Tunnel From
---------- --------------- -------------------- ----- -------------------------
56         192.0.2.11      john.doe             PPTP  203.0.113.127:51285
57         192.0.2.12      jane.doe             PPTP  203.0.113.219:23946
More detailed information can be obtained by replacing brief with all:
npppctl session all
We should get output similar to:
Ppp Id = 56
Ppp Id                  : 56
Username                : john.doe
Realm Name              : RADIUS
Concentrated Interface  : pppac0
Assigned IPv4 Address   : 192.0.2.11
MRU                     : 1400
Tunnel Protocol         : PPTP
Tunnel From             : 203.0.113.127:51285
Start Time              : 2013/05/10 08:30:11
Elapsed Time            : 4383 sec (1 hour and 13 minutes)
Input Bytes             : 5847307 (5.6 MB)
Input Packets           : 24707
Input Errors            : 0 (0.0%)
Output Bytes            : 25553311 (24.4 MB)
Output Packets          : 29461
Output Errors           : 0 (0.0%)
If you are still using PPTP, make sure to switch to a more secure VPN solution as soon as possible, for example IKEv2/IPsec, which OpenBSD also ships in the base system as iked(8).