Here is my working info on 3.7.
I am running OpenBSD 3.7 stable with GENERIC kern.
I am running the latest stable version of poptop.
I run pf on this system.

My clients are Windows 2000+ but this would work with Windows 98, but we
do not desire 9x junk...

We are running a custom client that we built because we have 36 locations
and we want to route pptp connections via 1 server but do not want the
clients to be using the default route, as we don't want them sitting at
home checking out their junk online and having that go via our PPTP
server, thus eating up our bandwidth and slowing them up. It also allows
no setup for the client side, as we got creative and built it to use scp,
ssh and such to create authpf connections without the user having to do
much.

Anyhow, try this out, it worked well for me. Now, I haven't tried this on
anything other than Windows, so I can't say how it would work.

If you search the list, I have posted the details on how to get poptop to
work on OpenBSD 3.5 in the past, as when I first did this I found the
details were all over the place and everyone did it differently, so I
wanted to put together the full details on how I got it working. In
3.5 you had to do a custom kern removing GRE; in 3.7 do not do this for
poptop, it works now without a custom kern.


Here are my details of everything

PF rules for PPTP access
#############################################################
# Setup PPTP Ability from clients
#
pass in quick log on $ext inet proto gre from any to $extip keep state
pass in quick log on $ext inet proto tcp from any to $extip port = 1723 keep state
pass out quick log on $ext inet proto gre from $extip to any keep state
pass out quick log on $ext inet proto tcp from $extip to any port = 1723 keep state

$ext is my external interface.
$extip is the IP I am listening on, because this system is also doing nat,
natp and redirect, and this allows me to control the connection so as not
to mess up anything.



/etc/pptpd.conf
rights are 644
owned by root
group is wheel
FILE CONTENT IS
----------------

##############################
#      PPTPD CONFIG          #
#      Remote Net Access     #
#      By: James Mackinnon   #
#      On: June 29th 2005    #
##############################

speed 11500
option /etc/ppp/options.pptpd
localip 192.168.0.254
remoteip 192.168.0.235-236

/etc/ppp/options
rights are 640
owned by root
group is wheel
FILE IS EMPTY

/etc/ppp/options.pptpd
rights are 664
owned by root
group is wheel
FILE CONTENT IS
---------------

name pptpconnect
lock
mtu 1450
mru 1450
proxyarp
auth
#+chap
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
require-mppe-128
#mppe-40
mppe-stateless

/etc/ppp/ppp.conf
rights are 664
owned by root
group is wheel

FILE CONTENT IS
---------------
pptp:
 set dial
 set login
 set ifaddr 192.168.0.243 192.168.0.235-192.168.0.236 255.255.255.255
 set log phase lcp ipcp command
 set timeout 1800
# enable chap
# enable pap
# enable mschap
 enable mschapv2
 enable proxy
# enable mssfixup
 accept dns
 set dns 192.168.0.3
 set nbns 192.168.0.3


/etc/ppp/ppp.secret
rights are 660
owned by root
group is wheel

FILE CONTENT IS
joeuser joepass
janeuser janepass

/etc/ppp/secure
rights are 660
owned by root
group is wheel

FILE CONTENT IS
---------------
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

On 11/3/2005, "Logical One" <[EMAIL PROTECTED]> wrote:

>Thanks all for the help, but I am still getting stuck at the error:
>
>PPP: tun0: Warning: chat script failed
>PPTP: log[decaps_hdlc:pptp_gre.c:129]: short read (0): invalid argument
>
>I am using the stock ppp.conf sample file with the below text appended and
>values changed to match my environment, but upon running the 'ppp
>-background pptpclient' command, I get the above errors.  I'm using the pptp
>version from the packages and have also tried compiling my own from source
>(1.7.0) with no success.  Although this may be documented well, there
>doesn't seem to be a clear concise howto or mini-howto for setting it up
>with all the software together.
>
>Thanks again,
>Logical_1
>
>-----Original Message-----
>From: Mark Rolen [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, November 02, 2005 9:38 PM
>To: Logical One
>Subject: Re: PPTP in 3.7
>
>I'm writing this assuming you're connecting to a MS VPN server on the other
>end?  The default on OpenBSD seems to be to use pppd, instead of ppp, and
>the latter is the one that supports a MS VPN connection. First, install the
>pptp package for OpenBSD. Then, in /etc/ppp/ppp.conf, put:
>
>pptpclient:
>set device "!/usr/local/sbin/pptp <ip or host name of your VPN server>
>--nolaunchpppd"
>set authname <my username>
>set authkey <my password>
>set mtu max 1490
>set mru max 1490
>set mppe 40 stateless
>set timeout 60
>disable pap
>disable chap
>accept chap81
>disable ipv6cp
>disable deflate pred1
>deny deflate pred1
>set login
>set ifaddr 10.10.10.100/0 10.10.10.10/0 255.255.255.255 0.0.0.0
>
>For the "authname" parameter, if you need to include a domain, ala
>"nerdish\mark", use two backslashes instead of one:  nerdish\\mark.  I found
>that the MS VPN server I was connecting to didn't require the domain at all,
>just needed the valid username and password to successfully connect.
>
>Then, for a 'manual' connect, do "ppp -background pptpclient", or to have
>ppp automatically establish the connection whenever traffic tries to use one
>of the routes you've at your tunnel, do "ppp -auto pptpclient".
>
>For me, adding routes via ppp.conf didn't seem to work too well.
>Instead, there's a ppp.linkup file that works much better.  I believe
>there's an example file in /etc/ppp/.
>
>HTH,
>Mark
>
>
>Logical One wrote:
>
>>I am trying to find some current documentation or pointers on how to
>>setup a PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP.
>>I've seen quite a few things, but most are outdated or conflicting in
>>the instructions they give.  I have seen some references to the kernel
>>supporting this functionality natively while other say that recompiling
>>the kernel is necessary and still others say a third party program is
>>needed.  I am just looking for somewhere to start that has current
>>information or maybe even a copy of the configs from someone who has
>>set this up before.  I'd also like to find information on what settings
>>are needed in pf if a PPTP connection is used, but the networks is
>>bridges are using the same addressing scheme.  I also need to know how
>>to configure the router (OpenBSD) to pass traffic to certain addresses out the VPN connection,
>>others back into the LAN, and the rest out my cable connection.  I need
>>to know how to configure the VPN so that it is not my default gateway
>>out since my home connection is much faster than the T1 at my office
>>where the VPN connects.
>>
>>Thanks for any pointers, hints, advice, configs or whatever else anyone
>>has to contribute and I'm sorry for being a bother, but while the
>>information is out there, I have been unable to find what is relevant to my config.
>>
>>Thanks,
>>Logical_1
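The mail above lists a mode, owner and group for each of the pptpd/ppp files, and an options.pptpd that only allows MS-CHAPv2 with 128-bit MPPE. The script below checks a host against exactly those values: it flags any drift in mode or ownership, treats any 'other' bit on /etc/ppp/ppp.secret (plaintext credentials) as a finding on its own, and parses options.pptpd to confirm the required options are still active and that commented-out weaker ones (+chap, mppe-40) have not been re-enabled. This is an added example, not code from the mail or from poptop; the paths, modes, owners and groups are taken from the mail, and the optional `root` argument (an assumption of this example) lets it run against a copied tree instead of the live /etc.

```python
"""Audit the PPTP server files from the mail: mode, owner and group of each
/etc/ppp file, plus the authentication/encryption options in options.pptpd.

Added example, not from the original mail or from poptop. Paths, modes,
owners and groups are the ones the mail lists; the optional `root` argument
(assumed here) points the audit at a copied tree instead of the live /etc."""
import grp
import os
import pwd
import stat

# (mode, owner, group) per file, as stated in the mail.
EXPECTED_FILES = {
    "/etc/pptpd.conf": (0o644, "root", "wheel"),
    "/etc/ppp/options": (0o640, "root", "wheel"),
    "/etc/ppp/options.pptpd": (0o664, "root", "wheel"),
    "/etc/ppp/ppp.conf": (0o664, "root", "wheel"),
    "/etc/ppp/ppp.secret": (0o660, "root", "wheel"),
    "/etc/ppp/secure": (0o660, "root", "wheel"),
}
# ppp.secret holds plaintext credentials: any 'other' bit is a finding on its
# own, independent of the expected mode above.
CREDENTIAL_FILES = {"/etc/ppp/ppp.secret"}

# Options the mail's options.pptpd relies on, and options that would let the
# link fall back to weaker authentication or to no/40-bit encryption.
REQUIRED_OPTIONS = {"auth", "require-mschap-v2", "require-mppe-128"}
FORBIDDEN_OPTIONS = {"+chap", "+pap", "require-chap", "require-pap",
                     "mppe-40", "nomppe", "noauth"}


def parse_pppd_options(text):
    """Set of option keywords active in a pppd options file: '#' comments and
    blank lines are skipped; the first word of a line is the keyword."""
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            active.add(line.split()[0])
    return active


def audit_options(text):
    """Findings for an options.pptpd body (empty list means it matches)."""
    active = parse_pppd_options(text)
    findings = [f"missing required option: {o}"
                for o in sorted(REQUIRED_OPTIONS - active)]
    findings += [f"weak option active: {o}"
                 for o in sorted(FORBIDDEN_OPTIONS & active)]
    return findings


def _real(path, root):
    return os.path.join(root, path.lstrip("/")) if root else path


def _name(ident, lookup, attr):
    """uid/gid -> name, falling back to the number if it is not in the db."""
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)


def audit_file(path, expected, root="", check_owner=True):
    """Findings for one file against its (mode, owner, group) tuple."""
    mode_exp, owner_exp, group_exp = expected
    try:
        st = os.lstat(_real(path, root))
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink")
    mode = stat.S_IMODE(st.st_mode)
    if mode != mode_exp:
        findings.append(f"{path}: mode {mode:04o}, expected {mode_exp:04o}")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if path in CREDENTIAL_FILES and mode & stat.S_IRWXO:
        findings.append(f"{path}: credentials accessible by 'other'")
    if check_owner:
        owner = _name(st.st_uid, pwd.getpwuid, "pw_name")
        group = _name(st.st_gid, grp.getgrgid, "gr_name")
        if owner != owner_exp:
            findings.append(f"{path}: owner {owner}, expected {owner_exp}")
        if group != group_exp:
            findings.append(f"{path}: group {group}, expected {group_exp}")
    return findings


def audit_tree(root="", check_owner=True):
    """{path: [findings]} for every file that has at least one finding."""
    report = {}
    for path, expected in EXPECTED_FILES.items():
        found = audit_file(path, expected, root, check_owner)
        if found:
            report[path] = found
    opt = "/etc/ppp/options.pptpd"
    try:
        with open(_real(opt, root)) as fh:
            found = audit_options(fh.read())
    except OSError:
        found = []  # missing/unreadable is already reported by audit_file
    if found:
        report.setdefault(opt, []).extend(found)
    return report


if __name__ == "__main__":
    import sys
    report = audit_tree(root=sys.argv[1] if len(sys.argv) > 1 else "")
    for items in report.values():
        print("\n".join(items))
    sys.exit(1 if report else 0)
```

Run it as root on the live box with no argument, or point it at a backup copy of the tree (`python3 audit_pptp.py /mnt/backup`); exit status 1 means at least one finding. The ownership check is separate from the mode check so the same code can be run on a copied tree where root:wheel ownership was not preserved.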
