The PPTP Masquerade patch


The PPTP Masquerade patch is a patch to the Linux kernel, versions 2.0.30 - 2.0.36, on the x86 architecture only, which enables masquerading of PPTP-based Virtual Private Network clients. Stock IP Masquerade in these kernels only rewrites TCP, UDP and ICMP; PPTP carries its tunnelled data in GRE (IP protocol 47), which has no port numbers to rewrite, so without this patch a masquerading firewall cannot pass PPTP sessions at all.

This patch is primarily for masquerading PPTP clients:

PPTP        Linux                                  PPTP
Client -+-> Masq and --> Internet --> Firewall --> Server
        |   Firewall
Others -'

If you have a PPTP server behind a Linux firewall...

PPTP                    Linux        PPTP
Client --> Internet --> Firewall --> Server
...then you will need this patch if your PPTP server does not have a routable Internet IP address of its own, in order to masquerade the PPTP traffic outbound from the server. You will also need the ipportfw port-forwarding kernel patch and configuration tool to forward the initial 1723/TCP control-channel traffic, and the IPFwd generic IP forwarding utility to forward the initial GRE traffic in to your server. Details are available in the PPTP Masquerade HOWTO.


Once this patch is installed, you will no longer need to dial your ISP directly from your PPTP client to access your PPTP server. This means that all of the benefits of Linux masqueraded access to the Internet remain available even while you are using PPTP to access a remote network - assuming, of course, your PPTP server is available over the Internet. If it isn't then this patch probably won't buy you much.

In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over PPTP) from all of the computers on your local network. I do this regularly while working from my home. Note for W'95/'98 PPTP client users: sorry, but the W'95/'98 IP stack does not support forwarding (can we say "Brain Dead"?) or more than one PPTP session.


Obtaining the PPTP Masquerade patch

You can download the patch from:
[ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 | Linux Mama ]

Version 2.0, which implements Call ID masquerading, is available:
[ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]
According to Alan Cox, this will be going into the 2.0.37 kernel.

To download using Lynx: highlight the link, press "d" (download), and select "Save to Disk".


Installation

First, you should be comfortable with recompiling your kernel...

Second, make sure that you have IP Masquerading compiled into your kernel and working properly. Setting up masquerading itself is beyond the scope of this document, and there is a HOWTO already available that describes the process. Also, I have written a GUI wrapper for the ipfwadm command that makes managing firewall and masquerade setup easier.

Third, make sure that PPTP works when you dial your ISP directly from your PPTP client system. This modification will go down much more easily if you take small bites and chew them thoroughly. Said another way, don't try to change six things simultaneously...

To install the PPTP Masquerade patch, follow the directions given in the PPTP Masquerade HOWTO, available at:
[ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]


Notes

The 2.0 version of this patch is slated to be included in the 2.0.37 kernel.

Please visit the Microsoft security announcements site for an important PPTP security update for Microsoft PPTP clients and servers. You may also be interested in an analysis of Microsoft's implementation of the PPTP protocol by one of the most respected members of the Crypto community. Other analyses are available here and here. Note that this patch only translates addresses and Call IDs so that the tunnel can pass through the firewall; it does nothing to strengthen (or weaken) the authentication and encryption of the tunnel itself, which is what those analyses are about.

Profuse thanks to Gordon Chaffee for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. Get the patch from:
[ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]

The code changes are fairly simple and are restricted entirely to ip_masq.c - basically all I've added is NAT for GRE. Since GRE has no port numbers, version 2.0 instead rewrites the PPTP Call ID, which appears both in the 1723/TCP control channel and in the header of every GRE data packet, so that several internal clients can share one external address without the server's replies being delivered to the wrong client. (That Call-ID masquerading is what makes it a little more complex...)
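To make the "NAT for GRE" and Call-ID masquerading concrete, here is an added example written for this page; it is not the ip_masq.c patch and is not the author's code. It parses the enhanced GRE header PPTP uses (version 1, Key field holding payload length and Call ID), keeps a hypothetical table mapping the unique Call ID substituted on the way out back to the internal client, and rewrites the Call ID on packets coming in from the server. The table layout, the function names and the sample packet are assumptions made for the example.

```c
/* Added example for this page (not the ip_masq.c patch): parse PPTP's
 * enhanced GRE header and translate the Call ID on inbound packets the
 * way a masquerading firewall must. Table, names and sample packet are
 * invented for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRE_PROTO_PPP    0x880B  /* protocol type of PPTP data packets */
#define GRE_FLAG_K       0x2000  /* key present: payload length + Call ID */
#define GRE_FLAG_S       0x1000  /* sequence number present */
#define GRE_FLAG_A       0x0080  /* acknowledgement number present */
#define GRE_VER_MASK     0x0007
#define GRE_VER_ENHANCED 1       /* PPTP uses GRE version 1 */

struct pptp_gre {
    uint16_t flags;        /* raw flags/version word */
    uint16_t payload_len;
    uint16_t call_id;      /* the *peer's* Call ID for this session */
    size_t   call_id_off;  /* offset of the Call ID field, for rewriting */
    size_t   hdr_len;
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 0 on success, -1 if this is not a well-formed PPTP GRE packet. */
int pptp_gre_parse(const uint8_t *pkt, size_t len, struct pptp_gre *g)
{
    if (len < 8) return -1;
    g->flags = get16(pkt);
    if ((g->flags & GRE_VER_MASK) != GRE_VER_ENHANCED) return -1;
    if (!(g->flags & GRE_FLAG_K)) return -1;        /* no key, no Call ID */
    if (get16(pkt + 2) != GRE_PROTO_PPP) return -1;
    g->payload_len = get16(pkt + 4);
    g->call_id     = get16(pkt + 6);
    g->call_id_off = 6;
    g->hdr_len     = 8;
    if (g->flags & GRE_FLAG_S) g->hdr_len += 4;
    if (g->flags & GRE_FLAG_A) g->hdr_len += 4;
    if (len < g->hdr_len || len - g->hdr_len < g->payload_len) return -1;
    return 0;
}

/* Hypothetical masquerade table, keyed by the Call ID the firewall
 * substituted into the client's Outgoing-Call-Request on 1723/TCP. */
#define MAX_CALLS 16
struct masq_call {
    uint32_t client_ip;       /* internal client, host byte order */
    uint16_t client_call_id;  /* Call ID the client really chose */
    uint16_t masq_call_id;    /* unique Call ID the server sees */
    int      in_use;
};
static struct masq_call calls[MAX_CALLS];
static uint16_t next_masq_id = 1;

/* Allocate a unique external Call ID for a new outgoing call; 0 = table full.
 * Two clients may both pick Call ID 1, so the external one must differ. */
uint16_t pptp_masq_alloc(uint32_t client_ip, uint16_t client_call_id)
{
    for (int i = 0; i < MAX_CALLS; i++) {
        if (calls[i].in_use) continue;
        calls[i].client_ip      = client_ip;
        calls[i].client_call_id = client_call_id;
        calls[i].masq_call_id   = next_masq_id++;
        calls[i].in_use         = 1;
        return calls[i].masq_call_id;
    }
    return 0;
}

/* Inbound GRE from the server carries the masqueraded Call ID. Restore the
 * client's real Call ID in place and report which internal host gets the
 * packet. The caller still rewrites the IP destination and the IP header
 * checksum (PPTP's GRE carries no checksum of its own). */
int pptp_masq_in(uint8_t *pkt, size_t len, uint32_t *client_ip)
{
    struct pptp_gre g;
    if (pptp_gre_parse(pkt, len, &g) < 0) return -1;
    for (int i = 0; i < MAX_CALLS; i++) {
        if (!calls[i].in_use || calls[i].masq_call_id != g.call_id) continue;
        put16(pkt + g.call_id_off, calls[i].client_call_id);
        *client_ip = calls[i].client_ip;
        return 0;
    }
    return -1;  /* unknown call: drop rather than guess a destination */
}

int main(void)
{
    /* Constructed: two internal clients, 10.0.0.2 and 10.0.0.3, both chose Call ID 1. */
    uint16_t a = pptp_masq_alloc(0x0A000002, 1);
    uint16_t b = pptp_masq_alloc(0x0A000003, 1);
    /* Constructed server->firewall packet: K|S, ver 1, PPP, 2-byte payload,
     * Call ID = b, sequence number 0, then the payload bytes. */
    uint8_t pkt[] = { 0x30, 0x01, 0x88, 0x0B, 0x00, 0x02, 0x00, (uint8_t)b,
                      0x00, 0x00, 0x00, 0x00, 0xFF, 0x03 };
    uint32_t dst = 0;
    int rc = pptp_masq_in(pkt, sizeof pkt, &dst);
    printf("external ids %u/%u rc=%d -> 10.0.0.%u call %u\n", a, b, rc, dst & 0xff, get16(pkt + 6));
    return rc;
}
```

The outbound direction needs no GRE rewrite beyond the usual source-address masquerade, because a client-to-server GRE packet carries the server's Call ID, not the client's; the substitution happens in the control channel, and the table above is what lets the firewall undo it on the way back in.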

I've been using this with great success since September 7, 1997.

I only have an x86 box to test this on (hence the "x86 only" comment above). Comments from users on other architectures are welcome.

The 2.1.65+ kernels natively support a tunnelling protocol based on GRE, but do not support PPTP natively in any way. See the HOWTO for more details on 2.1.x and 2.2.x kernels.

There is also work proceeding on a native Linux PPTP client and server. Note that this software currently does not support encryption, but see this site for what appears to be a M$-compatible encryption/compression patch for pppd...

This patch currently conflicts with the IP Firewall Chains patch in trying to patch the kernel config files. This is non-critical. See the HOWTO for more details.

I am currently developing Masquerade for IPSEC and ISAKMP. If you use IPSEC/ISAKMP and would be willing to test masquerade of encrypted traffic, drop me a line. Please do not contact me unless you already have working IPSEC/ISAKMP in place. Note that this is intended to allow use of an IPSEC host from behind a masquerading firewall in the same manner that the PPTP patch allows you to use a PPTP host from behind a masquerading firewall. If you want to implement an IPSEC-based VPN, please visit the Linux FreeS/WAN site.


You can contact me at <jhardin@wolfenet.com>. I'd like to hear your comments and suggestions, and particularly your problems with this patch. You can also visit the current version of this document, and take a look at my home page...

Disclaimer: No guarantees of functionality. Keep a working compiled kernel around in case this blows up.




© 1999 by John Hardin. You may copy this page as long as the content is unchanged (you can change the formatting to fit your site if you want) and the link to the original page is left intact.
$Id: ip_masq_pptp.html,v 1.51 1999-02-15 17:52:11-08 jhardin Exp jhardin $