Home

PoPToP, a Secure and Free VPN Solution

Issue 74

From Issue #74
June 2000

Jun 01, 2000  By Matthew Ramsay
 in
When the expense of a remote access server is no longer attractive, it's time to look at the solution offered by a VPN.
The Free PoPToP

PoPToP is the PPTP VPN server for Linux. Ports exist for Solaris, OpenBSD, FreeBSD and others. PoPToP allows Linux servers to function seamlessly in PPTP VPN environments, enabling administrators to leverage the considerable benefits of both Microsoft and Linux. The current release version of PoPToP supports Windows 95, 98, NT and Windows 2000 PPTP clients, as well as the Linux PPTP client.

PoPToP is a PPTP access concentrator (PAC) that employs an enhanced GRE (generic routing encapsulation—protocol 47) mechanism for carrying PPP packets, and a control channel (port 1723) for PPTP control messages. The basic operation of PoPToP is to wrap PPP packets up in IP and send them across the public Internet infrastructure. At the other end of the connection, the PPP packets are stripped from their IP packets and handed to the PPP daemon. The operation is almost identical to a dial-in session, except the PPP packets are wrapped in IP and sent over an IP network as opposed to a generic phone line and modem configuration.

PoPToP can be set up to work with a patched PPP daemon to support MSCHAPv2 authentication and RC4-compatible 40-128-bit encryption. A Linux server running PoPToP can effectively replace a Windows NT PPTP VPN server. However, PoPToP does not support PNS operation, so it does not replace a Windows NT server when PNS is required.

Another advantage of PoPToP (and PPTP in general) is that it is transparent to the encryption and authentication mechanism. Porting an alternate encryption algorithm (such as Blowfish) to a PPP compressor module would not be a difficult task. The only issue with developing your own encryption and authentication mechanism is the simple fact that you will break generic Windows client support. However, the Linux PPTP client is available under the GNU GPL and will work seamlessly with any PPP changes.

Finally, PoPToP is simple. It has a tiny memory footprint and has undergone performance tweaks. This makes PoPToP very attractive to embedded platforms and edge networks. When teamed up with the Linux PPTP client, solution providers can offer cheap VPN solutions with their own defined security protocols.

PoPToP was originally pioneered by Moreton Bay (http://www.moretonbay.com/) in February 1999 for their eLIA (embedded Linux Internet appliance) platform. It was released under the GNU GPL in April 1999, and has since found widespread acceptance on standard Linux servers and firewalls in both large production sites and small business and home networks. PoPToP is in the current Debian “potato” code freeze and SuSE 6.2.

Setting Up PoPToP

Setting up PoPToP with a standard PPP daemon (without MSCHAPv2 or RC4-compatible encryption) is a painless task. Below is a quick setup guide.

  • Grab the latest stable version of PoPToP from www.moretonbay.com/vpn/download_pptp.html.

  • Log in as root to install and run PoPToP.

  • If you downloaded the PoPToP v1.0.0 tar file and stored it in /usr/local/src/, type the following commands:

        cd /usr/local/src/
        tar zxvf pptpd-1.0.0.tgz
        cd pptpd-1.0.0
        ./configure make
        make install

  • If you downloaded the PoPToP RPM (pptpd-1.0.0-1.i386.rpm), type the following:

        rpm --install pptpd-1.0.0-1.i386.rpm

  • PoPToP's binaries are placed in /usr/local/sbin. Check to make sure pptpd and pptpctrl are there before continuing.

  • Set up PoPToP configuration files. Example configuration files are shown in Listings 1 and 2. This configuration will use CHAP as the authentication mechanism. The user login is “billy” and the password is “bob”.

  • Now that the configuration files are set up, you are ready to launch PoPToP. Simply type pptpd.

Listing 1

Listing 2

Any standard Windows client with PPTP VPN installed should now be able to connect to your PoPToP-enabled VPN Linux server. On Windows 98, you can install it via Control Panel-->Add Remove Programs-->Windows Setup-->Communications-->Virtual Private Networking.

Conclusion

Remote access for employees no longer needs to be an expensive process. VPNs can easily replace dedicated lines or remote access servers without compromising security. PPTP is one VPN technology that is ready now. Although criticized in the past for its security flaws, recent enhancements to the authentication and encryption protocols have made PPTP an attractive solution to business. PoPToP is the PPTP VPN solution for Linux that can take advantage of MSCHAPv2 and RC4-compatible 40-128-bit encryption available to the countless Windows client machines. PoPToP is easily installed and is free. PoPToP is simple, and due to its small memory footprint, very attractive to embedded platforms and edge networks.

Resources

Glossary

email: matthewr@moreton.com.au

Matt Ramsay (matthewr@moreton.com.au) is a full-time, low-level Linux application hacker living in sunny Brisbane, Australia. In addition to PoPToP, he has also developed and released under the GNU GPL a “micro” DHCP server for Linux. His main professional focus is writing small and fast applications for embedded Linux systems.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Free VPN for China

Ben's picture
Submitted by Ben (not verified) on Wed, 08/18/2010 - 11:28.

This is the best free VPN I came across while I was in China. Very fast and reliable. http://ugotfile.com/file/1915100/witopia.exe It's Chinese, the first button means ON, the bottom button is OFF. It works in IE and in Firefox (you need to set HTTP/HTTPS proxy in Firefox to 127.0.0.1 port 1234 or alternatively you can tell Firefox to use system proxy). Enjoy !

Hi, I'm Damian from

Damian's picture
Submitted by Damian (not verified) on Thu, 07/29/2010 - 12:23.

Hi, I'm Damian from Canada.
Now i lived in Indonesia that has slow internet connection and also too many restriction. So i usually use VPN from KeepHide at www.keephide.us

Cheap but reliable and fast. Just my experience with them guys!

They using openvpn.. stable for me (est. 6 months now)

Mike

Anonymous's picture
Submitted by Anonymous on Thu, 05/06/2010 - 17:32.

Good article!

I'm using www.pptpvpn.org to surf anonymous and secure. I only pay €5 a month for unlimited bandwidth.

vpn

spascho's picture
Submitted by spascho (not verified) on Sat, 02/28/2009 - 08:53.

If you love blogging then I am sure you heard about proxy . There are many companies offering you some protection service for your data in the online world. Make sure that you choose the trustable company for it so you can safe your data

hamachi

proxy's picture
Submitted by proxy (not verified) on Fri, 02/20/2009 - 20:03.

I've now employed Hamachi as well and ditched the problematic MS VPN solution.
There would be miss dials, I'd have to restart the
"Routing and Remote Access" service sometimes as well as power cycle the modem.
Now I have no issues. Install Hamachi on the client pc's and set their
hosts file up and all is well. The notebook users benefit as well.
Hamachi is intelligent and knows when to use the
Local Area Network to peer when it can.
When remote and there is an internet connect a route is found via the net.
Hamchi - it just works - it's great!!!

Does not work!

Neil's picture
Submitted by Neil (not verified) on Tue, 04/07/2009 - 12:21.

I installed Hamachi on 2 computers and it did exactly NOTHING!!!

Virtual Private Network

Serj's picture
Submitted by Serj (not verified) on Sun, 02/15/2009 - 09:32.

Virtual Private Network proxy has become a much promising service for the most pat of the Internet users. The used shared network infrastructure lets a secure access between 2 networks. Thus the user is being able to securely connect remotely to his corporate network. Fantastic! I adore it!

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions