Security Issues and Poptop

PPTP does not have the best history in terms of security. The original Microsoft implementation of PPTP fared very poorly. MS-CHAPv2 solved these weaknesses - for wired networks. Unfortunately, back in 2004, Joshua Wright released a version of ASLEAP capable of brute-forcing PPTP passwords in a wireless environment. As the systems administrator for the VPN, you can't tell whether a user is connecting via some public WiFi service where someone might be running a tool like ASLEAP. Yet the presence of PPTP client software on Windows machines makes using PPTP very tempting. The best answer to this problem is to use two-factor authentication: if a one-time passcode is brute-forced, it won't matter, because it can't be used again.

This document describes how to install and configure the open source Poptop PPTP VPN server with two-factor authentication from WiKID Systems.


Install Poptop

Choose the repo appropriate for your distribution; here is the one for FC6:

 # rpm -Uvh
yum --enablerepo=poptop-stable install pptpd 

yum install pptp

For ppp to work, packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:

net.ipv4.ip_forward = 0

to:

net.ipv4.ip_forward = 1

The change will be effective on the next reboot. To enable it immediately:

sudo sysctl -p

We also need radiusclient:

yum install radiusclient

I created a symlink to the Microsoft dictionary in /etc/radiusclient:

 ln -s /usr/share/freeradius/
Edit /etc/radiusclient/servers and add the WiKID server along with a shared secret:

#Server Name or Client/Server pair              Key
#----------------                               ---------------
                                                hardlyasecret
                                                donttellanyone
                                                wikidserver_secret

Please note that pptpd has a default limit of 100 connections. You can override it with the "connections" parameter in the pptpd.conf file; read the remarks in the file.

You need TCP port 1723 and IP protocol 47 (GRE) open for pptp traffic:

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT

Edit /etc/pptpd.conf with your favorite editor:

option /etc/ppp/options.pptpd

Set your remote IP range using remoteip.

Edit /etc/ppp/options.pptp


The plugin line specifies that we will use Radius for authentication.

Edit /etc/radiusclient/radiusclient.conf

auth_order      radius,local
login_tries     4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver 1812 
acctserver      localhost
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
radius_timeout  10
radius_retries  3
login_local     /bin/login

Edit /etc/radiusclient/servers and add server and secret:

<wikid_server_ip>                                        wikidserver_secret
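As an added sanity check for the radiusclient settings above (example code written for this page, not part of Poptop or WiKID), the following Python parses radiusclient.conf and the servers file the way radiusclient reads them and flags the mistakes that silently break two-factor login: an authserver line with no host, a server with no shared secret, a secret left at the stock sample values, and an auth_order that does not try radius first. The addresses and secrets in the sample inputs are constructed placeholders.

```python
# Added example for this page (not Poptop or WiKID code): sanity-check the
# radiusclient side of the setup above. Inputs are constructed samples.
SAMPLE_SECRETS = {"hardlyasecret", "donttellanyone"}  # stock examples in the shipped servers file

def _lines(text):
    """Yield non-empty, comment-stripped lines of a radiusclient-style file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_servers(text):
    """Map 'server  secret' rows of /etc/radiusclient/servers to {server: secret}."""
    entries = {}
    for line in _lines(text):
        parts = line.split()
        if len(parts) >= 2:
            entries[parts[0]] = parts[1]
    return entries

def parse_conf(text):
    """Map 'key  value' rows of radiusclient.conf to {key: value}."""
    conf = {}
    for line in _lines(text):
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_radius(conf_text, servers_text):
    """Return a list of problems; an empty list means the RADIUS settings are consistent."""
    conf, servers = parse_conf(conf_text), parse_servers(servers_text)
    problems = []
    host = conf.get("authserver", "").split(":")[0]   # authserver may be 'host' or 'host:port'
    if not host or host.isdigit():
        problems.append("authserver has no host (a bare port number is not enough)")
    elif host not in servers:
        problems.append(f"no shared secret for authserver {host} in servers file")
    elif servers[host] in SAMPLE_SECRETS or len(servers[host]) < 16:
        problems.append(f"shared secret for {host} is a stock sample or shorter than 16 chars")
    if not conf.get("auth_order", "").startswith("radius"):
        problems.append("auth_order does not try radius first")
    return problems

# Constructed sample inputs (placeholder address and secret, not real values).
GOOD_CONF = "auth_order\tradius,local\nauthserver\t192.0.2.10:1812\nservers\t/etc/radiusclient/servers\n"
GOOD_SERVERS = "#Server Name or Client/Server pair\tKey\n192.0.2.10\tw1k1d-constructed-secret-0123\n"
BAD_CONF = "auth_order\tlocal,radius\nauthserver\t1812\n"   # host left out, local tried first

if __name__ == "__main__":
    print(check_radius(GOOD_CONF, GOOD_SERVERS))   # []
    print(check_radius(BAD_CONF, GOOD_SERVERS))
```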

Start the pptpd service:

service pptpd start


Configure the WiKID server

Log into the WiKID server using the WiKIDAdmin browser interface and click on the Domains tab. (If you already have a domain set up, you can skip this step.)

Click on Create a New Domain,

Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is, the WiKID server code would be 216239051099. Click "Create".

Click the Network Clients tab and then "Create a new Network Client".

Enter the information requested. For the IP Address, use the IP address of the PPTP server. Select Radius and the domain you just created. Click "Add" when you're finished.

On the next page, enter the shared secret you entered in /etc/raddb/server. You do not have to enter any information under "Return Attributes".

Important: From the WiKID server's console or via SSH, you will need to run "wikidctl restart" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)

