- Install the pptp package
In most Linux distros the pptp package is part of the operating system and
can be installed using your favourite package manager, e.g.
# yum install pptp
- Install the patched pppd binary
Several Linux distros now include the ppp + EAP-TLS binary out of the box, so it
can be installed using a package manager. If this is not the case for your distro then
you can install the pppd binary manually:
# cd ..../pppd-2.4.6-eaptls/pppd
# cp pppd /usr/local/sbin
- Set up the /etc/ppp/options-pptp-eaptls file
This step is not strictly necessary: all options for running pppd can be specified
on the command-line, but it is often handy to store the 'static' set of options in a separate
file.
We use the following set of options, which partially mirror the options set in the server-side
/etc/ppp/options-pptpd-eaptls file (notice the use of pptp vs pptpd):
name pptp-client ## The /CN= part of the client certificate
remotename pptp-server ## The /CN= part of the server certificate
noauth
ipcp-accept-local
ipcp-accept-remote
noipdefault
nodeflate
nobsdcomp
nopredictor1
nopcomp
noaccomp
refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
# need-peer-eap ## this ensures the server MUST authenticate us using EAP
password MyPassword ## if the private key is protected using a passphrase
## you can specify the passphrase here.
debug
logfile /tmp/pppd.log
NOTE: the option require-eap should not be present in the client-side configuration.
This option 'triggers' the pppd code to go into 'server mode' and it will start looking for
an /etc/ppp/eaptls-server file.
NOTE: If you want to test the new TLSv1.3 handshake protocol, then make sure you have compiled
and linked the pppd-eap-tls code against an OpenSSL version that supports TLSv1.3 and add an extra line
max-tls-version 1.3
to both client and server configurations.
- Method #1: using command-line options
Most, if not all, options that are specified in the options-pptp-eaptls file can also be
specified on the command-line.
To connect to a pptpd server named 'pptp.example.com' you can use
./pppd file options-pptp-eaptls \
cert /etc/ppp/keys/pptp-client.crt \
key /etc/ppp/keys/pptp-client.key \
ca /etc/ppp/keys/ca.crt \
pty "pptp pptp.example.com --nolaunchpppd"
The command will return immediately to the shell prompt.
Check the contents of the /tmp/pppd.log file to see the actual connection progress.
If all went well the bottom part of the /tmp/pppd.log file should list something like
local IP address 172.16.1.10
remote IP address 172.16.1.1
Script /etc/ppp/ip-up started (pid 29711)
Script /etc/ppp/ip-up finished (pid 29711), status = 0x0
- Method #2: using an /etc/ppp/eaptls-client file
Instead of specifying the certificates and private key on the command-line they can also be
specified in the /etc/ppp/eaptls-client file.
The format of this file is very similar to the server side /etc/ppp/eaptls-server file:
- Client name:
the name used by the client for authentication, can be *
- Server name:
the name of the server, can be *
- Client certificate file:
the file containing the certificate chain for the client in PEM format.
- Server certificate file:
if you want to specify the certificate that the server is required to use,
put the certificate file name, else put a dash '-'.
- CA certificate file:
the file containing the trusted CA certificates in PEM format.
- Client private key file:
the file containing the client private key in PEM format.
For this example the following file was used:
* pptp-server /etc/ppp/keys/pptp-client.crt - /etc/ppp/keys/ca.crt /etc/ppp/keys/pptp-client.key
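The six-column layout above is easy to get wrong by hand (a missing column shifts every field after it), and the private key it names is only as protected as its file permissions, which also holds for a 'password' line in the options file. The following shell helper is an added example, not part of pppd or the pppd-eaptls project: it looks up the entry for a given server name in an eaptls-client file, refuses lines that do not have exactly six fields, checks that the referenced files exist (with '-' meaning no pinned server certificate), and flags a private key that is readable by group or others. It assumes that blank lines and '#'-prefixed comment lines may be skipped, as in pppd's other secrets files, and its demonstration builds a constructed entry in a temporary directory.

```shell
# Added example, not part of pppd or the pppd-eaptls project.
# Validates /etc/ppp/eaptls-client entries of the six-field form
#   client-name server-name client-cert server-cert(or -) ca-cert client-key
# Assumption: blank lines and '#'-prefixed comment lines are skipped.

# eaptls_client_lookup FILE SERVER
# Prints the six fields of the first entry whose server column equals SERVER
# or is the wildcard '*', one per line. Returns 1 when no entry matches and
# 2 when a line does not have exactly six fields.
eaptls_client_lookup() {
    file=$1; want=$2
    while read -r cname sname ccert scert cacert ckey extra; do
        case $cname in ''|'#'*) continue ;; esac
        if [ -z "$ckey" ] || [ -n "$extra" ]; then
            echo "eaptls-client: malformed entry starting with '$cname $sname'" >&2
            return 2
        fi
        if [ "$sname" = "$want" ] || [ "$sname" = '*' ]; then
            printf '%s\n' "$cname" "$sname" "$ccert" "$scert" "$cacert" "$ckey"
            return 0
        fi
    done < "$file"
    return 1
}

# eaptls_client_files_ok CLIENT-CERT SERVER-CERT CA-CERT CLIENT-KEY
# Checks that the certificate and key files exist ('-' means no pinned server
# certificate) and that the private key has no group/other read bits.
eaptls_client_files_ok() {
    ccert=$1; scert=$2; cacert=$3; ckey=$4
    for f in "$ccert" "$cacert" "$ckey"; do
        [ -f "$f" ] || { echo "eaptls-client: missing file $f" >&2; return 1; }
    done
    if [ "$scert" != '-' ] && [ ! -f "$scert" ]; then
        echo "eaptls-client: missing server certificate $scert" >&2
        return 1
    fi
    if [ -n "$(find "$ckey" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "eaptls-client: private key $ckey is readable by group or others" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed entry in a temporary directory; it mirrors the
# example line used in this document with the paths relocated.
demo_eaptls_client() {
    d=$(mktemp -d) || return 1
    : > "$d/pptp-client.crt"
    : > "$d/ca.crt"
    : > "$d/pptp-client.key"
    chmod 600 "$d/pptp-client.key"
    printf '%s\n' '# constructed example entry' \
        "* pptp-server $d/pptp-client.crt - $d/ca.crt $d/pptp-client.key" \
        > "$d/eaptls-client"
    if fields=$(eaptls_client_lookup "$d/eaptls-client" pptp-server); then
        set -f; set -- $fields; set +f     # -f: the '*' client name must not glob
        eaptls_client_files_ok "$3" "$4" "$5" "$6"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```

Run demo_eaptls_client to see the checks pass on a well-formed entry; point eaptls_client_lookup at the real /etc/ppp/eaptls-client and the server name from 'remotename' to check a live configuration before starting pppd.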
Again, to connect to a pptpd server named 'pptp.example.com' you can use
./pppd file options-pptp-eaptls pty "pptp pptp.example.com --nolaunchpppd"
The command will return immediately to the shell prompt.
Check the contents of the /tmp/pppd.log file to see the actual connection progress.
If all went well the bottom part of the /tmp/pppd.log file should list something like
local IP address 172.16.1.10
remote IP address 172.16.1.1
Script /etc/ppp/ip-up started (pid 29711)
Script /etc/ppp/ip-up finished (pid 29711), status = 0x0
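Because pppd returns to the prompt at once in both Method #1 and Method #2, a wrapper script has to poll /tmp/pppd.log rather than assume the link is up. The shell functions below are an added example, not part of pppd or the pppd-eaptls project: they key on the success lines quoted above (the local and remote IP addresses and the ip-up script finishing with status 0x0), report the negotiated addresses, and give up after a timeout. The log excerpt in the demonstration function is constructed from those same lines.

```shell
# Added example, not part of pppd or the pppd-eaptls project.
# pppd returns to the shell immediately, so poll /tmp/pppd.log for the lines
# that mark a completed connection instead of assuming the link is up.

# pppd_log_status LOG
# Prints "local=<ip> remote=<ip>" and returns 0 once the log shows both
# negotiated addresses and /etc/ppp/ip-up finished with status 0x0; else 1.
pppd_log_status() {
    log=$1
    [ -r "$log" ] || return 1
    local_ip=$(sed -n 's/.*local IP address \([0-9.][0-9.]*\).*/\1/p' "$log" | tail -n 1)
    remote_ip=$(sed -n 's/.*remote IP address \([0-9.][0-9.]*\).*/\1/p' "$log" | tail -n 1)
    if [ -n "$local_ip" ] && [ -n "$remote_ip" ] &&
       grep -q 'Script /etc/ppp/ip-up finished .*status = 0x0' "$log"; then
        echo "local=$local_ip remote=$remote_ip"
        return 0
    fi
    return 1
}

# pppd_wait_up LOG [SECONDS]
# Re-checks the log once a second for up to SECONDS (default 30).
pppd_wait_up() {
    log=$1; left=${2:-30}
    while [ "$left" -gt 0 ]; do
        pppd_log_status "$log" && return 0
        sleep 1
        left=$((left - 1))
    done
    echo "pppd: no completed connection recorded in $log" >&2
    return 1
}

# Demonstration on a constructed log excerpt copied from the success lines
# shown in this document.
demo_pppd_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
local IP address 172.16.1.10
remote IP address 172.16.1.1
Script /etc/ppp/ip-up started (pid 29711)
Script /etc/ppp/ip-up finished (pid 29711), status = 0x0
EOF
    pppd_wait_up "$f" 1
    rc=$?
    rm -f "$f"
    return $rc
}
```

In a real wrapper, truncate /tmp/pppd.log before launching pppd and then call pppd_wait_up /tmp/pppd.log, so that a stale success from a previous session cannot satisfy the check.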
- Bootnote: using **only** command-line options
For debugging purposes it is often useful to not use an options-pptp-eaptls file at all,
but to specify everything on the command-line:
./pppd noauth refuse-pap refuse-chap refuse-mschap ipcp-accept-local ipcp-accept-remote \
noipdefault nodeflate nobsdcomp nopredictor1 nopcomp noaccomp \
cert /etc/ppp/keys/pptp-client.crt key /etc/ppp/keys/pptp-client.key ca /etc/ppp/keys/ca.crt \
name pptp-client remotename pptp-server debug logfile /tmp/pppd.log \
pty "pptp pptp.example.com --nolaunchpppd" passive require-mppe-128 need-peer-eap
As you can see, the order of the command-line parameters is not fixed.