Increasing the security of PPTP by adding two-factor authentication to poptop
Security Issues and Poptop

PPTP does not have the best history in terms of security. The original Microsoft implementation of PPTP fared very poorly. MS-CHAPv2 solved those weaknesses, but only for wired networks: back in 2004, Joshua Wright released a version of ASLEAP capable of brute-forcing PPTP passwords captured in a wireless environment. As the systems administrator for the VPN, you can't tell whether a user is connecting from some public WiFi service where someone might be running a tool like ASLEAP. Yet the presence of PPTP client software on Windows machines makes using PPTP very tempting. The best answer to this problem is two-factor authentication: if a one-time passcode is brute-forced, it doesn't matter, because it can't be used again. This document describes how to install and configure the open source Poptop PPTP VPN server with two-factor authentication from WiKID Systems.
Install Poptop

Choose the repository for your distribution; the example here is Fedora Core 6:

    # rpm -Uvh http://poptop.sourceforge.net/yum/stable/fc6/i386/pptp-release-4-2.fc6.noarch.rpm
    # yum --enablerepo=poptop-stable install pptpd
    # yum install pptp

(The packet-forwarding and firewall steps that follow are taken from http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_3.htm#pforward.)

For ppp to work, packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

The change takes effect on the next reboot. To enable it immediately:

    sudo sysctl -p

We also need radiusclient:

    yum install radiusclient

I created a symlink to the Microsoft dictionary in /etc/radiusclient:

    ln -s /usr/share/freeradius/dictionary.microsoft dictionary.microsoft

Edit /etc/radiusclient/servers and add the WiKID server along with a shared secret:

    #Server Name or Client/Server pair      Key
    #----------------                       ---------------
    #portmaster.elemental.net               hardlyasecret
    #portmaster2.elemental.net              donttellanyone
    your.wikidserver.com                    wikidserver_secret

Please note that pptpd has a default limit of 100 connections. You can override it with the "connections" parameter in pptpd.conf; read the remarks in the file.

PPTP traffic needs TCP port 1723 (the control channel) and IP protocol 47 (GRE, the tunnelled data) open:

    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -p 47 -j ACCEPT

Edit /etc/pptpd.conf with your favorite editor:

    option /etc/ppp/options.pptpd
    logwtmp
    localip 192.168.0.1
    remoteip 192.168.0.234-238,192.168.0.245

Set your remote IP range using remoteip.

Edit /etc/ppp/options.pptpd (the file named by the option line above):

    lock
    noauth
    refuse-eap
    refuse-chap
    refuse-mschap
    nobsdcomp
    nodeflate
    ms-dns 74.188.41.129
    plugin radius.so

The refuse-eap, refuse-chap and refuse-mschap lines reject EAP, CHAP and MS-CHAPv1 from clients, and plugin radius.so specifies that authentication is handed to RADIUS, in this case the WiKID server.
Edit /etc/radiusclient/radiusclient.conf:

    auth_order      radius,local
    login_tries     4
    login_timeout   60
    nologin         /etc/nologin
    issue           /etc/radiusclient/issue
    authserver      your.wikidserver.com 1812
    acctserver      localhost
    servers         /etc/radiusclient/servers
    dictionary      /etc/radiusclient/dictionary
    login_radius    /usr/sbin/login.radius
    seqfile         /var/run/radius.seq
    mapfile         /etc/radiusclient/port-id-map
    default_realm
    radius_timeout  10
    radius_retries  3
    login_local     /bin/login

Edit /etc/radiusclient/servers and add the server and secret:

    <wikid_server_ip>    wikidserver_secret

Start the pptpd service:

    service pptpd start
Configure the WiKID server

Log into the WiKID server using the WiKIDAdmin browser interface and click on the Domains tab. (If you already have a domain set up, you can skip this step.) Click "Create a New Domain" and enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server: if the external IP address is 216.239.51.99, the Domain Server code is 216239051099. Click "Create".

Click the Network Clients tab and then "Create a new Network Client". Enter the information requested. For the IP Address, use the IP address of the PPTP server. Select Radius and the domain you just created. Click "Add" when you're finished. On the next page, enter the shared secret you entered in /etc/raddb/server. You do not have to enter any information under "Return Attributes".

Important: from the WiKID server's console or via SSH, run "wikidctl restart" to load the new configuration into the WiKID RADIUS server. (WiKID 2.0 users run "stop" and "start".)
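The following script is an added example, not part of the original howto or of the Poptop or WiKID projects. It checks the three things that decide whether the setup above actually forces every PPTP login through the one-time-password server: that the PPP options file rejects the weak authentication methods and loads radius.so, that IPv4 forwarding is on, and that the WiKID Domain Server code has been derived correctly from the server's address. The options-file content in the demo is constructed for illustration, and the choice of refuse-* lines and plugin line as the signal is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity checks for the
# Poptop + RADIUS two-factor setup. All sample inputs are constructed.

# Compute the WiKID Domain Server code: each octet of the IPv4 address
# zero-padded to three digits and concatenated, e.g. 216.239.51.99 -> 216239051099.
wikid_domain_code() {
    printf '%s' "$1" | awk -F. '{ printf "%03d%03d%03d%03d", $1, $2, $3, $4 }'
}

# Verify that a PPP options file rejects EAP, CHAP and MS-CHAPv1 and loads the
# RADIUS plugin, so that logins are delegated to the one-time-password server.
# Prints each missing line to stderr and returns 1 if anything is missing.
check_ppp_options() {
    file="$1"
    rc=0
    for required in refuse-eap refuse-chap refuse-mschap 'plugin radius.so'; do
        if ! grep -qx "$required" "$file"; then
            echo "missing: $required" >&2
            rc=1
        fi
    done
    return $rc
}

# Report whether IPv4 forwarding is enabled, reading the kernel value from the
# given path (defaults to the live /proc entry; a file path is accepted for testing).
ip_forward_enabled() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$path" 2>/dev/null)" = "1" ]
}

# Demo run against a constructed options file and a constructed ip_forward value.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/options.pptpd" <<'EOF'
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
plugin radius.so
EOF
    echo 1 > "$tmp/ip_forward"
    echo "domain code for 216.239.51.99: $(wikid_domain_code 216.239.51.99)"
    check_ppp_options "$tmp/options.pptpd" && echo "options.pptpd: ok"
    ip_forward_enabled "$tmp/ip_forward" && echo "ip_forward: enabled"
    rm -rf "$tmp"
}

demo
```

On a real server, call check_ppp_options /etc/ppp/options.pptpd and ip_forward_enabled with no argument; a missing refuse-* line means pppd would still negotiate the older method with a client that asks for it, and a missing plugin line means passwords are checked locally rather than against the WiKID one-time passcodes.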