Increasing the security of PPTP by adding two-factor authentication to poptop
Security Issues and Poptop
PPTP does not have the best history in terms of security. The original Microsoft implementation for PPTP faired very poorly. MS-CHAPV2 solved these weaknesses - for wired networks. Unfortunately, back in 2004, Joshua Wright released a version of ASLEAP capable of brute-force attacking PPTP passwords in a wireless environment. As a systems administrator for the VPN, you can't tell if a user is connecting via some public WiFi service where someone might be running a tool like ASLEAP. Yet, the presense of PPTP client software on Windows machines makes using PPTP very tempting. The best answer to this problem is to utilize two-factor authentication. If a one-time passcode is brute-forced, it won't matter as it can't be used again.
Choose your appropriate repo, here is FC6:
# rpm -Uvh http://poptop.sourceforge.net/yum/stable/fc6/i386/pptp-release-4-2.fc6.noarch.rpm
yum --enablerepo=poptop-stable install pptpd
yum install pptphttp://www.members.optushome.com.au/~wskwok/poptop_ads_howto_3.htm#pforward
For ppp to work, the packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
The change will be effective on the next reboot. To enable it immediately:
sudo sysctl -p
We also need radiusclient:
yum install radiusclient
I created a sym link to the microsoft dictionary in /etc/radiusclient:
ln -s /usr/share/freeradius/dictionary.microsoft dictionary.microsoftEdit /etc/radiusclient/servers and add wikid server along with a s shared secret:
#Server Name or Client/Server pair Key #---------------- --------------- #portmaster.elemental.net hardlyasecret #portmaster2.elemental.net donttellanyone your.wikidserver.com wikidserver_secret
Please note that pptpd by default has a 100 connections limit. You can override it by the "connections" parameter in the pptp.conf file. Read the remarks in the file.
You need port 47 and 1723 open for pptp traffic:
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
Edit /etc/pptpd.conf with your favorite editor:
option /etc/ppp/options.pptpd logwtmp localip 192.168.0.1 remoteip 192.168.0.234-238,192.168.0.245
Set your remote IP range using remoteip.
lock noauth refuse-eap refuse-chap refuse-mschap nobsdcomp nodeflate ms-dns 184.108.40.206 plugin radius.so
Obviously, plugin radius.so specifies that we will use Radius.
auth_order radius,local login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver your.wikidserver.com 1812 acctserver localhost servers /etc/radiusclient/servers dictionary /etc/radiusclient/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3 login_local /bin/login
Edit /etc/radiusclient/servers and add server and secret:
Start the pptpd service:
service pptpd start
Configure the WiKID server
Log into the WiKID server using the WiKIDAdmin browser interface and click on the Domains Tab (If you already have a domain setup, you can skip this step.)
Click on Create a New Domain,
Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 220.127.116.11, the WiKID server code would be 216239051099. Click "Create".
Click Network Clients tab and on "Create a new Network Client".
Enter the information requested. For the IP Address, use the IP address of the PPTP server. Select Radius and the domain you just created. Click "Add" when you're finished.
On the next page, enter the shared secret you entered in /etc/raddb/server. You do not have to enter any information under "Return Attributes".
Important: From the WiKID server's console or via SSH, you will need to run "wikidctl restart" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)