- Install the PoPToP pptpd package
In most Linux distros the pptpd package is part of the operating system and
can be installed using your favourite package manager, e.g.
# yum install pptpd
- Install the patched pppd binary
Several Linux distros now include the ppp + EAP-TLS binary out of the box, so it
can be installed using a package manager. If this is not the case for your distro, then
you can install the pppd binary manually:
# cd ..../pppd-2.4.6-eaptls/pppd
# cp pppd /usr/local/sbin
- Set up /etc/pptpd.conf file
The pptpd.conf file contains only a few lines to specify the location of the
pppd binary, the location of the options-pptpd-eaptls file and the
IP ranges used for the PPTP server:
ppp /usr/local/sbin/pppd
option /etc/ppp/options-pptpd-eaptls
localip 172.16.1.1
remoteip 172.16.1.10-20
- Set up /etc/ppp/options-pptpd-eaptls file
The options-pptpd-eaptls file contains all configuration options used
for starting the pppd daemon.
The name might sound a little misleading; read it as "the pppd options file used
for starting pptpd with EAP-TLS support".
In 99% of the cases you'll be tweaking this file to make sure your PPTP server is
running smoothly with EAP-TLS/Certificate support enabled.
Here's an example:
name pptp-server
lock
mtu 1500
mru 1450
auth
lcp-echo-failure 3
lcp-echo-interval 5
nodeflate
nobsdcomp
nopredictor1
nopcomp
noaccomp
require-eap
require-mppe-128
debug
logfile /tmp/pppd.log
The most important options used here are
name pptp-server
auth
require-eap
require-mppe-128
The name option specifies the name of the service and this name should match the
second entry in the eaptls-server file. It is also useful to make this name
equal to the /CN= part of the pptp-server.crt file.
The auth option determines that the other end should authenticate itself. This
option, together with the next one, more or less put pppd into 'server mode'
and not in 'client mode'.
The require-eap option specifies that the other end should do EAP authentication.
Finally, the require-mppe-128 option specifies that we only want to do MPPE
encryption using 128 bit ciphers.
NOTE: If you want to test the new TLSv1.3 handshake protocol, then make sure you have compiled
and linked the pppd-eap-tls code against an OpenSSL version that supports TLSv1.3 and add an extra line
max-tls-version 1.3
to both client and server configurations.
- Set up /etc/ppp/eaptls-server file
The last file that needs to be set up before the PPTP service can be started is the
eaptls-server file. The path for this file is hardcoded into pppd
for security reasons (a non-root user might otherwise gain root access under certain
rare circumstances).
Into this file insert a line for each server instance with which you use EAP-TLS.
It is also possible to list the same server instance multiple times with different
client identities, so that you can use different IP addresses for different clients,
while still using a single PPTP server instance.
The format of each line is:
- Client name:
the name used by the client for authentication, can be *
- Server name:
the name of the server, can be *
- Client certificate file:
if you want to specify the certificate that the client is required to use,
put the certificate file name, else put a dash '-'.
- Server certificate file:
the file containing the certificate chain for the server in PEM format.
- CA certificate file:
the file containing the trusted CA certificates in PEM format.
- Server private key file:
the file containing the server private key in PEM format.
- Addresses:
a list of IP addresses the client is allowed to use. This address should be within the
range of IP addresses that is listed in the /etc/pptpd.conf file.
For this example the following file was used:
* pptp-server - /etc/ppp/keys/pptp-server.crt /etc/ppp/keys/ca.crt /etc/ppp/keys/pptp-server.key *
NOTE: If you're puzzled about the (lack of) logic in the order of these fields: the order has
grown historically and cannot be easily modified without breaking existing setups.
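The eaptls-server line above, the name option in options-pptpd-eaptls and the remoteip range in pptpd.conf all have to agree. The checker below is an added example (not part of pppd or PoPToP) that parses constructed copies of the three files, splits each eaptls-server line into the seven positional fields described above, and reports a server name that does not match pppd's name option or an address outside the remoteip range. It assumes the Addresses field is a comma-separated list, as in pppd's other secrets files.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the three files described above.
PPTPD_CONF = "ppp /usr/local/sbin/pppd\noption /etc/ppp/options-pptpd-eaptls\nlocalip 172.16.1.1\nremoteip 172.16.1.10-20\n"
PPPD_OPTIONS = "name pptp-server\nauth\nrequire-eap\nrequire-mppe-128\n"
EAPTLS_SERVER = """* pptp-server - /etc/ppp/keys/pptp-server.crt /etc/ppp/keys/ca.crt /etc/ppp/keys/pptp-server.key *
alice pptp-server /etc/ppp/keys/alice.crt /etc/ppp/keys/pptp-server.crt /etc/ppp/keys/ca.crt /etc/ppp/keys/pptp-server.key 172.16.1.15
bob other-server - /etc/ppp/keys/pptp-server.crt /etc/ppp/keys/ca.crt /etc/ppp/keys/pptp-server.key 172.16.1.99
"""

# The seven positional fields of an eaptls-server line, in the order pppd expects them.
FIELDS = ("client", "server", "client_cert", "server_cert", "ca_cert", "server_key", "addresses")

def remoteip_range(conf):
    """Expand pptpd's 'remoteip a.b.c.d-e' shorthand into the set of addresses it covers."""
    m = re.search(r"^remoteip\s+(\d+\.\d+\.\d+\.)(\d+)-(\d+)\s*$", conf, re.M)
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return {ipaddress.ip_address(f"{prefix}{i}") for i in range(lo, hi + 1)}

def pppd_name(opts):
    """Return the value of the 'name' option from the pppd options file."""
    return re.search(r"^name\s+(\S+)", opts, re.M).group(1)

def parse_eaptls_server(text):
    """Split each non-comment line into the seven fields; malformed lines raise ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def check_consistency(entries, service_name, allowed):
    """Return human-readable problems; an empty list means the three files agree."""
    problems = []
    for e in entries:
        if e["server"] not in ("*", service_name):
            problems.append(f"{e['client']}: server name {e['server']!r} != pppd 'name {service_name}'")
        for addr in e["addresses"].split(","):  # assumed comma-separated list, like pap-secrets
            if addr != "*" and ipaddress.ip_address(addr) not in allowed:
                problems.append(f"{e['client']}: address {addr} outside pptpd remoteip range")
    return problems

def audit(pptpd_conf=PPTPD_CONF, pppd_opts=PPPD_OPTIONS, eaptls=EAPTLS_SERVER):
    """Run the cross-file check on the embedded sample configuration."""
    return check_consistency(parse_eaptls_server(eaptls), pppd_name(pppd_opts), remoteip_range(pptpd_conf))
```

With the constructed input, the first two lines pass and the "bob" line is flagged twice: its server name does not match "pptp-server" and 172.16.1.99 lies outside 172.16.1.10-20.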
- Run the daemon
Running the pptpd daemon is just a matter of using
# pptpd --conf /etc/ppp/pptpd.conf
Or you can use system provided service scripts as well, such as
# service pptpd start
When the pptpd daemon starts it will not launch a pppd process directly; this
happens only when a client attempts to make a connection. Thus, after starting the pptpd
process it is rarely necessary to restart it. Modifications made to the options-pptpd-eaptls
file are automatically picked up when the next client connects.