OpenBSD Journal

PPTP Recipe

Contributed by jose on from the insecure-VPNs dept.

Obviously you should be using IPSec if at all possible, but a lot of OpenBSD hackers have to use PPTP on networks they don't control. In a helpful misc posting, qstreb posted a PPTP recipe for getting connected via PPTP. Note that you'll have to recompile your kernel and probably do some updating for the PF rules. However, this seems like a good place to start.

Note that the PPTP toolkits may not be very stable, but it's something (and maybe you can even improve upon it). Also, PPTP has known security vulnerabilities, this is only for situations where you have to use it. If you have any better documents, feel free to share them.

(Comments are closed)


Comments
  1. By Anonymous Coward () on


    ..what are they?

    ..how serious are they?

    Comments
    1. By Dries Schellekens () on http://www.counterpane.com/pptp.html

      If you searched the web, you would have found the following papers.
      http://www.counterpane.com/pptp-paper.html
      http://www.counterpane.com/pptpv2-paper.html

      Comments
      1. By Anonymous Coward () on

        http://www.openbsd.org

      2. By Anonymous Coward () on

  2. By Anonymous Coward () on

    Speaking of this... Anyone know how to setup a PPTP server on OpenBSD? I know, sounds lame. I can use IPSec, but I'm curious though. I've never seen any docs on how to setup a PPTP server; only client.

    Comments
    1. By chris () spam@makenode.com on mailto:spam@makenode.com

      I wouldn't say it's a bad idea. I setup poptop on my gateway for my home wlan.. so my win2k laptop could use a vpn over the wireless connection. Worked for me.

      http://www.poptop.org/

      ::chris

      Comments
      1. By Anonymous Coward () on

        Kewl. thx Chris!

      2. By Anonymous Coward () on

        Why did you use pptp w2k supports IPSec (although it aint pretty what I've heared, it is supported). You may need to add some ms-patches though (for stronger encryption).

        Comments
        1. By mra () on

          Because you can be a pawn in a larger organization which is a MS shop. Or at least someone who is not in charge of deciding the remote access protocol.

  3. By RC () on

    If you are looking for something else, you can setup a SOCKS server and tunnel the traffic through SSH. That's an easy way to get everything working, even though you need to have socks support on the clients. On the plus side, having client software gives you control over which connections should go over the tunnel, and which should not.

    As for the socks server of choice, Dante works quite well, and it's BSD-licensed.

    Comments
    1. By mra () on

      For a second I thought you were talking about the -D flag for openssh.

      snip from the man page :
      -D port
      Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

      Comments
      1. By RC () on

        For one thing, SOCKS4 does not allow anything other than TCP/IP (eg. no UDP, ICMP, etc). That can be a problem.

        For another thing, it looks like -D wasn't introduced until 3.0, which was (ironically) around the time I no longer needed to do this.

        I'll check this out some more, but from reading it, it sounds like it may have a few defeciencies compared to a REAL SOCKS server.

  4. By djm () on

    The free PPTP server (PoPToP) is pretty poor - the 'stable' version dies on out-of-order packets and the development version is a little unstable. It also seems to be unmaintained.

    Comments
    1. By Steve () steve@netwaynetworks.com.au on mailto:steve@netwaynetworks.com.au

      The question i have is how does one get around the out-of-packets problem?

      I've seen it twice in the last 2 days, and it doesnt look friendly imho. Is there a patch around for it?

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]