PoPToP, a Secure and Free VPN Solution

When the expense of a remote access server is no longer attractive, it's time to look at the solution offered by a VPN.

Traditionally, remote access for employees has been through dedicated lines or a remote access server (RAS). A RAS typically consists of a collection of modems and telephone lines connected to a central machine. RAS can be quite reliable and secure, but it is expensive in its setup and long-distance-call costs. A Virtual Private Network (VPN) offers a secure, flexible and cheap solution in place of RAS and dedicated lines. PoPToP, the PPTP (point-to-point tunneling protocol) VPN solution for Linux, is a free VPN solution that businesses can take advantage of now.

VPN

A virtual private network is a private network capable of communicating over the public Internet infrastructure with a defined level of security. VPNs can exist between two or more private networks, often referred to as a server-server VPN, or between individual client machines and private networks, often referred to as a client-server VPN (see Figure 1). VPNs overcome the need for expensive dedicated lines or RAS dial in call and setup costs.

Figure 1. Example Client-Server VPN

In Figure 1, the remote client is handed a real IP address from their local ISP. This remote client can log into the VPN server, and hence gain access to the private network behind the firewall. The remote client can then browse and use other network services on the private network as if it were a machine on that network.

VPNs may also exist between multiple private networks (server-server VPN). For example, suppose your company has an R&D office in Australia and a sales and marketing office in the United States. Both locations have private networks that are connected to the Internet (the method, modem, DSL or something else, is transparent to the VPN). Traditionally, if the offices wish to share files on their networks, they would either have to e-mail the files to each other, dial in to each other or have some form of dedicated link between them. VPNs offer a cost-effective solution for joining these two networks seamlessly, without compromising system security.

Different Types of VPNs

The most popular VPN technologies available today are PPTP and IPsec. Much debate and analysis has occurred recently between proponents of these competing VPN technologies. Both PPTP and IPsec have an important role to play in VPN solutions. But neither PPTP nor IPsec is without flaws.

PPTP is an open-documented standard published by the Internet Engineering Task Force (IETF) as RFC 2637, available at ftp.ietf.org/rfc/rfc2637.txt.

The operation of PPTP as a VPN is performed by encapsulating the point-to-point protocol (PPP) in IP and tunneling it through an IP network. All communication, authentication and encryption is handled almost exclusively by PPP, which currently supports PAP, CHAP, MSCHAP and MSCHAPv2 authentication. PPP encryption is performed through compressor modules, and available patches under Linux allow PPP to support RC4-compatible 40-128-bit encryption. Some people make the mistake of assuming that since PPTP uses PPP, you need a modem. This is not the case. In fact, the connection mechanism to the IP network is transparent to PPTP.

PPTP is widely deployed in both client and server forms due to its default existence in Microsoft Windows platforms.

IPsec

IPsec is a new series of authentication and encryption security protocols that can be employed for sending data securely over IP networks. IPsec offers encryption, authentication, integrity and replay protection to network traffic. IPsec also specifies a key management protocol for establishing encryption keys. IPsec, like PPTP, is an open standard developed by the IETF.

PPTP vs. IPsec

PPTP is transparent to the authentication and encryption mechanism. Microsoft's version of PPTP was recently upgraded to include MSCHAPv2 and MPPE-enhanced (and more secure) security protocols. Patches are available for the Linux PPP daemon that allow PPTP solutions such as PoPToP to take advantage of Microsoft's enhanced VPN security.

Bruce Schneier, Chief Technical Officer of Counterpane Internet Security, Inc., and perhaps the chief guru of Internet security, recently analyzed Microsoft's MSCHAPv2 and MPPE security protocols. Schneier concluded that this release of MSCHAPv2 from Microsoft addressed the major security weaknesses found in MSCHAP.

IPsec was also recently analyzed by Schneier (with the help of Niels Ferguson). In their analysis, they concluded that IPsec's complexity effectively makes it impossible to implement a secure solution. They believe IPsec will never result in a secure operational system. They emphasize that although IPsec has its flaws, it is a more secure solution than PPTP.

IPsec remains a new technology, and future improvements are sure to enhance its security further and increase its attractiveness to business. Additionally, with its default presence in Windows 2000, IPsec will offer small to medium-sized businesses a more secure and affordable solution.

Affordable PPTP VPN (with MSCHAPv2 and 40-128-bit RC4 encryption) is available now. With the countless Windows machines already out there supporting PPTP VPN, the cost-effective solution is obvious. Windows 98 has VPN client software as an install option. Windows NT 4.0 comes with PPTP (server and client) by default. Patches (Microsoft Dial-up Networking patch) exist for upgrading Windows 95 machines to include a PPTP client. Windows 2000 has PPTP by default.

The Free PoPToP

PoPToP is the PPTP VPN server for Linux. Ports exist for Solaris, OpenBSD, FreeBSD and others. PoPToP allows Linux servers to function seamlessly in PPTP VPN environments, enabling administrators to leverage the considerable benefits of both Microsoft and Linux. The current release version of PoPToP supports Windows 95, 98, NT and Windows 2000 PPTP clients, as well as the Linux PPTP client.

PoPToP is a PPTP access concentrator (PAC) that employs an enhanced GRE (generic routing encapsulation—protocol 47) mechanism for carrying PPP packets, and a control channel (port 1723) for PPTP control messages. The basic operation of PoPToP is to wrap PPP packets up in IP and send them across the public Internet infrastructure. At the other end of the connection, the PPP packets are stripped from their IP packets and handed to the PPP daemon. The operation is almost identical to a dial-in session, except the PPP packets are wrapped in IP and sent over an IP network as opposed to a generic phone line and modem configuration.

PoPToP can be set up to work with a patched PPP daemon to support MSCHAPv2 authentication and RC4-compatible 40-128-bit encryption. A Linux server running PoPToP can effectively replace a Windows NT PPTP VPN server. However, PoPToP does not support PNS operation, so it does not replace a Windows NT server when PNS is required.

Another advantage of PoPToP (and PPTP in general) is that it is transparent to the encryption and authentication mechanism. Porting an alternate encryption algorithm (such as Blowfish) to a PPP compressor module would not be a difficult task. The only issue with developing your own encryption and authentication mechanism is the simple fact that you will break generic Windows client support. However, the Linux PPTP client is available under the GNU GPL and will work seamlessly with any PPP changes.

Finally, PoPToP is simple. It has a tiny memory footprint and has undergone performance tweaks. This makes PoPToP very attractive to embedded platforms and edge networks. When teamed up with the Linux PPTP client, solution providers can offer cheap VPN solutions with their own defined security protocols.

PoPToP was originally pioneered by Moreton Bay (http://www.moretonbay.com/) in February 1999 for their eLIA (embedded Linux Internet appliance) platform. It was released under the GNU GPL in April 1999, and has since found widespread acceptance on standard Linux servers and firewalls in both large production sites and small business and home networks. PoPToP is in the current Debian “potato” code freeze and SuSE 6.2.

Setting Up PoPToP

Setting up PoPToP with a standard PPP daemon (without MSCHAPv2 or RC4-compatible encryption) is a painless task. Below is a quick setup guide.

  • Grab the latest stable version of PoPToP from www.moretonbay.com/vpn/download_pptp.html.

  • Log in as root to install and run PoPToP.

  • If you downloaded the PoPToP v1.0.0 tar file and stored it in /usr/local/src/, type the following commands:

        cd /usr/local/src/
        tar zxvf pptpd-1.0.0.tgz
        cd pptpd-1.0.0
        ./configure make
        make install
  • If you downloaded the PoPToP RPM (pptpd-1.0.0-1.i386.rpm), type the following:

        rpm --install pptpd-1.0.0-1.i386.rpm
  • PoPToP's binaries are placed in /usr/local/sbin. Check to make sure pptpd and pptpctrl are there before continuing.

  • Set up PoPToP configuration files. Example configuration files are shown in Listings 1 and 2. This configuration will use CHAP as the authentication mechanism. The user login is “billy” and the password is “bob”.

  • Now that the configuration files are set up, you are ready to launch PoPToP. Simply type pptpd.

Listing 1

Listing 2

Any standard Windows client with PPTP VPN installed should now be able to connect to your PoPToP-enabled VPN Linux server. On Windows 98, you can install it via Control Panel-->Add Remove Programs-->Windows Setup-->Communications-->Virtual Private Networking.

Conclusion

Remote access for employees no longer needs to be an expensive process. VPNs can easily replace dedicated lines or remote access servers without compromising security. PPTP is one VPN technology that is ready now. Although criticized in the past for its security flaws, recent enhancements to the authentication and encryption protocols have made PPTP an attractive solution to business. PoPToP is the PPTP VPN solution for Linux that can take advantage of MSCHAPv2 and RC4-compatible 40-128-bit encryption available to the countless Windows client machines. PoPToP is easily installed and is free. PoPToP is simple, and due to its small memory footprint, very attractive to embedded platforms and edge networks.

Resources

Glossary

email: matthewr@moreton.com.au

Matt Ramsay (matthewr@moreton.com.au) is a full-time, low-level Linux application hacker living in sunny Brisbane, Australia. In addition to PoPToP, he has also developed and released under the GNU GPL a “micro” DHCP server for Linux. His main professional focus is writing small and fast applications for embedded Linux systems.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Free VPN for China

Ben's picture

This is the best free VPN I came across while I was in China. Very fast and reliable. http://ugotfile.com/file/1915100/witopia.exe It's Chinese, the first button means ON, the bottom button is OFF. It works in IE and in Firefox (you need to set HTTP/HTTPS proxy in Firefox to 127.0.0.1 port 1234 or alternatively you can tell Firefox to use system proxy). Enjoy !

Hi, I'm Damian from

Damian's picture

Hi, I'm Damian from Canada.
Now i lived in Indonesia that has slow internet connection and also too many restriction. So i usually use VPN from KeepHide at www.keephide.us

Cheap but reliable and fast. Just my experience with them guys!

They using openvpn.. stable for me (est. 6 months now)

Mike

Anonymous's picture

Good article!

I'm using www.pptpvpn.org to surf anonymous and secure. I only pay €5 a month for unlimited bandwidth.

vpn

spascho's picture

If you love blogging then I am sure you heard about proxy . There are many companies offering you some protection service for your data in the online world. Make sure that you choose the trustable company for it so you can safe your data

hamachi

proxy's picture

I've now employed Hamachi as well and ditched the problematic MS VPN solution.
There would be miss dials, I'd have to restart the
"Routing and Remote Access" service sometimes as well as power cycle the modem.
Now I have no issues. Install Hamachi on the client pc's and set their
hosts file up and all is well. The notebook users benefit as well.
Hamachi is intelligent and knows when to use the
Local Area Network to peer when it can.
When remote and there is an internet connect a route is found via the net.
Hamchi - it just works - it's great!!!

Does not work!

Neil's picture

I installed Hamachi on 2 computers and it did exactly NOTHING!!!

Virtual Private Network

Serj's picture

Virtual Private Network proxy has become a much promising service for the most pat of the Internet users. The used shared network infrastructure lets a secure access between 2 networks. Thus the user is being able to securely connect remotely to his corporate network. Fantastic! I adore it!

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix