Seattle Firewall

PPTP


PPTP is Microsoft's protocol for tunneling. I support masquerading PPTP clients in Seattle Firewall because I telecommute and need PPTP to connect to our corporate intranet. With the help of Steve Cowles, I have added the ability to support masqueraded PPTP servers and to run PoPToP on the gateway system as well.

Whichever of these you use, you must edit /etc/protocols and add the following line:

gre 47 GRE # Generalized Routing Encapsulation

To masquerade either PPTP clients or a PPTP server, you will also need John Hardin's VPN Masquerade kernel patch.


Masquerading PPTP Clients

As of this writing, with all 2.2 kernels you will need to get John's patch and rebuild your kernel; I prefer to build the PPTP masquerade code as a module but the choice is up to you.

Also edit /etc/seawall.conf and set the pptpservers variable to the IP address(es) of the PPTP server(s) that you will be connecting to.

Example: pptpservers="204.160.3.23 207.8.145.2"

If you built the PPTP masquerade code as a module, you will also want to add "pptp" to the value of the modules variable.

Reboot your system with the modified kernel; you should now be able to connect to external PPTP servers from masqueraded Windows clients.


Masquerading a PPTP Server

As of this writing, with all 2.2 kernels you will need to get John's patch and rebuild your kernel; I prefer to build the PPTP masquerade code as a module but the choice is up to you.

To masquerade a PPTP server, you will also need to install the following:

ipfwd from http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd.

ipmasqadm from http://juanjox.kernelnotes.org.

You must edit /etc/seawall.conf and set the pptpserver variable to the IP address of your PPTP server (example: pptpserver=192.168.1.4). If you built the PPTP masquerade code as a module, you will also want to add "pptp" to the value of the modules variable.

Seattle Firewall allows you to restrict which PPTP clients can connect to your server. To do so, set the pptpclients variable to the list of IP addresses of the clients permitted to connect (example: pptpclients="204.23.9.56 132.9.222.4"). If you leave pptpclients empty, any host will be allowed to connect to your server.

Once you have these changes in place and the above-listed software installed, reboot with your new kernel. Clients should now be able to log into your local PPTP server.
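The two sections above each end with a reboot, so it pays to catch a mistyped address or a forgotten module entry first. The following script is an added example, not part of Seattle Firewall: it reads the pptpservers, pptpserver, pptpclients and modules variables from a constructed sample of /etc/seawall.conf, checks that every address is a well-formed IPv4 address, flags an empty pptpclients on a masqueraded server (which leaves it open to any host), notes when "pptp" is missing from modules, and confirms the gre entry is present in /etc/protocols. All function names are my own and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not Seattle Firewall's own code: sanity-check the PPTP
# settings described above (pptpservers, pptpserver, pptpclients, modules and
# the gre entry in /etc/protocols) before rebooting with the patched kernel.

# Constructed sample of the relevant lines from an /etc/seawall.conf.
SAMPLE_CONF='
pptpservers="204.160.3.23 207.8.145.2"
pptpserver="192.168.1.4"
pptpclients=""
modules="ip_masq_ftp pptp"
'

# Constructed sample of /etc/protocols after the gre line has been added.
SAMPLE_PROTOCOLS='ip 0 IP
gre 47 GRE # Generalized Routing Encapsulation
'

# is_ipv4 ADDR: succeed when ADDR is four dotted decimal octets, each 0-255.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# all_ipv4 "LIST": succeed when every whitespace-separated item is an IPv4 address.
all_ipv4() {
    for a in $1; do
        is_ipv4 "$a" || return 1
    done
    return 0
}

# get_var NAME CONF: print the value of a NAME="..." line from CONF text.
get_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"/\1/p"
}

# has_module NAME CONF: succeed when NAME is listed in the modules variable.
has_module() {
    for m in $(get_var modules "$2"); do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# protocols_has_gre TEXT: succeed when TEXT contains a "gre 47" entry.
protocols_has_gre() {
    printf '%s\n' "$1" | grep -q '^gre[[:space:]]\{1,\}47[[:space:]]'
}

# check_pptp_conf CONF PROTOCOLS: print findings and return the error count.
check_pptp_conf() {
    errors=0
    servers=$(get_var pptpservers "$1")
    server=$(get_var pptpserver "$1")
    clients=$(get_var pptpclients "$1")
    if [ -n "$servers" ] && ! all_ipv4 "$servers"; then
        echo "ERROR: pptpservers contains a malformed address: $servers"
        errors=$((errors + 1))
    fi
    if [ -n "$server" ]; then
        if ! is_ipv4 "$server"; then
            echo "ERROR: pptpserver is not an IPv4 address: $server"
            errors=$((errors + 1))
        fi
        if [ -z "$clients" ]; then
            echo "WARNING: pptpclients is empty, so any host may connect to $server"
        elif ! all_ipv4 "$clients"; then
            echo "ERROR: pptpclients contains a malformed address: $clients"
            errors=$((errors + 1))
        fi
    fi
    if { [ -n "$servers" ] || [ -n "$server" ]; } && ! has_module pptp "$1"; then
        echo "NOTE: pptp is not in modules; correct only if PPTP masquerading is built into the kernel"
    fi
    if ! protocols_has_gre "$2"; then
        echo "ERROR: /etc/protocols has no 'gre 47 GRE' entry"
        errors=$((errors + 1))
    fi
    return $errors
}

check_pptp_conf "$SAMPLE_CONF" "$SAMPLE_PROTOCOLS"
```

To run it against a real system, replace the two constructed samples with "$(cat /etc/seawall.conf)" and "$(cat /etc/protocols)"; a non-zero exit status means at least one setting needs fixing before the reboot.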


Running PoPToP on the Gateway System

Seattle Firewall allows you to run the Linux PPTP Server (PoPToP) on your gateway/firewall system. To run PoPToP on your gateway/firewall, you must interface to the internet by a means other than PPP. To configure PoPToP, use the following excerpts from working configuration files as a guide:

/etc/ppp/options:

lock
mtu 1400
mru 1400
ms-wins 192.168.1.1
ms-dns 192.168.1.1
proxyarp
auth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe_stateless

/etc/pptpd.conf:

localip 192.168.1.1
remoteip 192.168.1.20-24

/etc/smb.conf:

workgroup = SHORELINE
netbios name = FIREWALL
interfaces = 192.168.1.1/255.255.255.0 ppp*
encrypt passwords = Yes
...
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.168.1. 127.
...

/etc/seawall.conf:

...
poptop="eth1" # eth1 interfaces to 192.168.1.0/255.255.255.0
...

The example is running Linux 2.2.14 (patched by "make kernel" under ppp-2.3.11), Samba 2.0.6-9, pptpd-1.0.0 and ppp-2.3.11 with the mppe patch.
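The three excerpts only work together when the pptpd address pool, localip and the Samba interfaces subnet agree and pppd keeps demanding authentication and encryption. The following script is an added example, not PoPToP's or Seattle Firewall's own code: it expands pptpd's last-octet range form of remoteip (the only form used above; comma lists are not handled), checks that no pool address collides with localip or falls outside the subnet given on the smb.conf interfaces line (proxyarp can only answer for addresses on that directly attached LAN), and confirms that auth and +chapms-v2 are present in the pppd options, warning when mppe-128 is absent. Function names are my own and the inputs are constructed copies of the excerpts.

```sh
#!/bin/sh
# Added example, not PoPToP's or Seattle Firewall's own code: cross-check the
# three excerpts above so that the pptpd address pool, localip and the Samba
# interfaces subnet agree, and pppd still insists on authentication and MPPE.

# Constructed copies of the relevant lines from the excerpts.
PPPD_OPTIONS='lock
mtu 1400
mru 1400
proxyarp
auth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe_stateless'

PPTPD_CONF='localip 192.168.1.1
remoteip 192.168.1.20-24'

SMB_INTERFACES='192.168.1.1/255.255.255.0'

# ip_to_int A.B.C.D: print the address as one integer for mask arithmetic.
ip_to_int() {
    addr=$1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# expand_remoteip POOL: print each address of a pptpd "a.b.c.lo-hi" pool, one
# per line. Only the single last-octet range form used above is handled.
expand_remoteip() {
    case "$1" in
        *-*)
            prefix=${1%.*}
            range=${1##*.}
            i=${range%-*}
            hi=${range#*-}
            while [ "$i" -le "$hi" ]; do
                echo "$prefix.$i"
                i=$((i + 1))
            done ;;
        *) echo "$1" ;;
    esac
}

# in_subnet ADDR NET/MASK: succeed when ADDR lies inside the dotted-mask subnet.
in_subnet() {
    net=${2%/*}; mask=${2#*/}
    a=$(ip_to_int "$1"); n=$(ip_to_int "$net"); m=$(ip_to_int "$mask")
    [ $((a & m)) -eq $((n & m)) ]
}

# conf_value KEY TEXT: print the value of the first "KEY value" line in TEXT.
conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# has_option OPT TEXT: succeed when OPT is present as a whole line in TEXT.
has_option() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# check_poptop OPTIONS PPTPD IFACE: print findings and return the error count.
check_poptop() {
    errors=0
    localip=$(conf_value localip "$2")
    pool=$(conf_value remoteip "$2")
    for addr in $(expand_remoteip "$pool"); do
        if [ "$addr" = "$localip" ]; then
            echo "ERROR: localip $localip is also handed out by the remoteip pool"
            errors=$((errors + 1))
        fi
        if ! in_subnet "$addr" "$3"; then
            echo "ERROR: $addr lies outside $3, so proxyarp cannot announce it on that LAN"
            errors=$((errors + 1))
        fi
    done
    for opt in auth +chapms-v2; do
        if ! has_option "$opt" "$1"; then
            echo "ERROR: /etc/ppp/options lacks '$opt'"
            errors=$((errors + 1))
        fi
    done
    has_option mppe-128 "$1" || echo "WARNING: mppe-128 is not set, so 128-bit MPPE will not be offered"
    return $errors
}

check_poptop "$PPPD_OPTIONS" "$PPTPD_CONF" "$SMB_INTERFACES"
```

Feed it the live files with "$(cat /etc/ppp/options)" and "$(cat /etc/pptpd.conf)" and the value from your own interfaces line; the checks are deliberately strict about the exact option spellings because pppd silently ignores an option it does not recognise in a given build.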


Last updated 5/6/2000 - Tom Eastep