RedHat-PoPToP HOWTO
-------------------

Last Updated: 20001005
Send changes to: Mike Barsalou

This HOWTO was compiled from PoPToP help pages and the PoPToP Mailing List
(hosted by Christopher Schulte) by Mike Barsalou.

Much of this HOWTO was taken from what Matthew Ramsay had put together. Be
sure to browse through the FAQ section of Matthew's HOWTO/FAQ because it has
important background information.

  http://poptop.lineo.com/releases/HOWTO-PoPToP.txt

Contents
--------

1.0 Introduction
    1.1 About PoPToP
    1.2 Credits
    1.3 Feedback Credits
2.0 System Requirements
3.0 PoPToP Installation
4.0 PPP with MSCHAPv2/MPPE Installation
5.0 Windows Client Setup
6.0 Firewall Setup
7.0 Troubleshooting
    7.1 Setting debug for PoPTop
    7.2 Client Side Errors (Win 95/98)
        7.2.1. Error 629: You have disconnected from the computer you
               dialed.....
        7.2.2. Error 645: The microsoft Dial-up adapter is in use or not
               responding properly.
        7.2.3. Error 650: The Remote Access server is not responding.
        7.2.4. Error 691: Access denied because username and/or password
               is invalid on the domain.
        7.2.5. Error 742: The remote server does not support encryption.
        7.2.6. Error 751: The remote computer refused the connection.....
    7.3 Server Side Errors (Linux)
        7.3.1a. console: createHostSocket: Address already in use
        7.3.1b. log: MGR: Couldn't create host socket
        7.3.2. log:modprobe cannot locate module ppp-compress-18
               (or 21,24, 26)
        7.3.3. log:modprobe cannot locate module char-major-108
8.0 PPP option files
    8.1 PoPToP Server
    8.2 PPTP-Linux client

1.0 Introduction
----------------

1.1 About PoPToP

  PoPToP is the PPTP Server solution for Linux. PoPToP allows Linux servers
  to function seamlessly in the PPTP VPN environment. This enables
  administrators to leverage the considerable benefits of both Microsoft and
  Linux. The current pre-release version supports Windows 95/98/NT/2000 PPTP
  clients and PPTP Linux clients. PoPToP is free GNU software.

  PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html

1.2 Credits

  PoPToP was originally started by Matthew Ramsay under the control of
  Moreton Bay Ventures (http://www.moretonbay.com). Around March 1999 PoPToP
  was publicly released under the GNU GPL by Moreton Bay.

  PoPToP is what it is today due to the help of a number of intelligent and
  experienced hackers. More specifically Kevin Thayer, David Luyer and Peter
  Galbavy.

  More contributors to PoPToP (in various forms) include Allan Clark, Seth
  Vidal, Harald Vogt, Ron O'Hara, Chris Wong and Michael Barsalou.

  And finally, credit to all the PoPToP followers who test and report
  problems.

1.3 Feedback Credits

  Thanks to the following people for giving feedback about changes.

    Chris Williams
    Christopher Biow
    JASON LIN
    bryan ntekop
    Niall Keegan [n.keegan@solus.net]
    Alex Stagg
    Frost

2.0 System Requirements
-----------------------

  1. This HOWTO/FAQ is directly aimed at RedHat 6.0. It may work for other
     distributions but has not been tested. Let us know if it does or
     doesn't.

  2. PPP 2.3.11 (and the MSCHAPv2/MPPE patch if you want enhanced Microsoft
     compatible authentication and encryption).

  3. PoPToP v1.0.1. (or 1.1.2 which adds packet reordering)

3.0 PoPToP Installation
-----------------------

Follow these instructions to install PoPToP without MSCHAPv2/MPPE:

Note: [] are example commands to run

  1. Get the following files from the RedHat (ftp.redhat.com) site or a
     suitable mirror:

       ftp://ftp.redhat.com/redhat/redhat-6.1/i386/RedHat/RPMS/

       kernel-headers-2.2.12-20.i386.rpm
       kernel-source-2.2.12-20.i386.rpm
       kernel-2.2.12-20.i386.rpm
       ppp-2.3.10-1.i386.rpm

     *NOTE* Before performing the next step make sure you have access to a
     boot floppy or can access the old kernel. For more information see:
     http://www.linux.org/help/ldp/mini/minihowto.html and search for
     LILO Mini-HOWTO

  2. Change lilo.conf to access your old and new kernel, then issue this
     command:

       [/sbin/lilo]

  3. Upgrade your 2.2.5-15 kernel to 2.2.12-20:

       [rpm -Uvvh kernel-2.2.12-20.i386.rpm]

  4. Upgrade ppp:

       [rpm -Uvvh ppp-2.3.10-1.i386.rpm]

  5. Grab the PoPToP rpm and init file:

       http://poptop.lineo.com/releases/pptpd-1.0.0-1.i386.rpm
       http://poptop.lineo.com/releases/pptpd.init

  6. Store the pptpd.init file in the /etc/rc.d/init.d directory and make
     sure permissions are set correctly.

     You need to edit the pptpd.init file to start the pptpd daemon
     differently.

       Before: daemon /usr/sbin/pptpd
       After:  /usr/sbin/pptpd -d

  7. Rpm the PoPTop Server:

       [rpm -ivvh pptpd-1.0.0-1.i386.rpm]

  8. Set up your chap-secrets file in the /etc/ppp directory. It should look
     something like this:

       # /etc/ppp/chap-secrets
       #username        servername      secret          ipaddress
       validname        *               validpass       *

     For authentication with windows clients use

       DOMAINNAME\\validname    *       validpass       *

     The domain name may be in caps or lowercase. Check the logs in
     /var/log/messages.

     If you want to learn more about the chap-secrets file see:
     http://www.linux.org/help/ldp/howto/PPP-HOWTO-13.html#ss13.4

  9. Edit /etc/inittab and comment out the reference to pptpd. We will use
     the pptpd daemon.

       [init Q]    # rereads /etc/inittab

  10. Your options file in /etc/ppp/options.pptp should at a minimum have
      the following:

        lock
        debug
        auth
        +chap
        proxyarp

  11. Modify the /etc/pptpd.conf file. Look in the configuration file for
      settings. Here is a working sample:

        debug   #This can be removed when things are working
        option /etc/ppp/options.pptp
        localip 192.168.1.80-89   #look in the /etc/pptpd.conf file for more info about settings
        remoteip 192.168.1.70-79

At this point vpn should be working without encryption.

4.0 PPP with MSCHAPv2/MPPE Installation
---------------------------------------

*NOTE* You must complete section three above for this to work.

*NOTE* If you want to add encryption do the following below:

  1. Grab yourself a clean copy of the PPP daemon v2.3.11
     (ppp-2.3.11.tar.gz).
     I usually go here for my PPP files:

       ftp://cs.anu.edu.au/pub/software/ppp/

     Note: You must get the tarball (tar.gz) and *not* the RPM.

  2. Grab yourself the MSCHAP/MPPE patch file from (this includes the rc4*
     encryption files):

       ftp://ftp.binarix.com/pub/ppp-mppe/ppp-2.3.11-openssl-0.9.5-mppe.patch.gz

  3. Grab the mppe compressed data fix patch from (this patch fixes the
     problem with ppp_mppe not re-syncing after a packet is lost):

       http://www.vibrationresearch.com/pptpd/ppp_mppe_compressed_data_fix.diff

  4. You should now have 3 files:

       ppp-2.3.11.tar.gz
       ppp-2.3.11-openssl-0.9.5-mppe.patch.gz
       ppp_mppe_compressed_data_fix.diff

     Copy these files to your preferred location (for example, /usr/src).

     Assuming your files are in /usr/src, do the following:

       [cd /usr/src]
       [tar -zxvf ppp-2.3.11.tar.gz]
       [gunzip ppp-2.3.11-openssl-0.9.5-mppe.patch.gz]
       [cd ppp-2.3.11]   # should now be in /usr/src/ppp-2.3.11
       [patch -p1 < ../ppp-2.3.11-openssl-0.9.5-mppe.patch]
       [cd linux]        # should now be in /usr/src/ppp-2.3.11/linux
       [patch < ../../ppp_mppe_compressed_data_fix.diff]
       [cd ../..]

     Now rpm the kernel files we downloaded earlier:

       [rpm -ivvh kernel-headers-2.2.12-20.i386.rpm]
       [rpm -ivvh kernel-source-2.2.12-20.i386.rpm]
       [cd /usr/src/linux]
       [make menuconfig] # Unless you have a special setup you probably will
                         # not need to change any of the settings. Just do
                         # this so that you can save the config for later
                         # steps
       [make dep]
       [make clean]
       [cd /usr/src/ppp-2.3.11]
       [./configure]
       [make]
       [make kernel]
       [make install]

     Now build the kernel modules. This assumes that the kernel sources
     match the installed kernel, and that both are 2.2.12-20.
     It is safest to completely rebuild and install the most recent kernel
     version (see the Kernel-HOWTO for the full details), but you probably
     can get away with just doing the following:

       [cd /usr/src/linux]
       [make modules SUBDIRS=drivers/net]
       [cd drivers/net]
       [cp ppp.o slhc.o bsd_comp.o ppp_deflate.o ppp_mppe.o /lib/modules/2.2.12-20/net]

     Edit the /etc/conf.modules (or modules.conf) with the following info:

       alias char-major-108 off    # This will be different for 2.3.x kernels
       alias ppp-compress-18 ppp_mppe
       alias ppp-compress-21 bsd_comp
       alias ppp-compress-24 ppp_deflate
       alias ppp-compress-26 ppp_deflate

       [lsmod]
       # if necessary remove the following modules by hand
       [rmmod ppp]
       [rmmod slhc]
       [rmmod bsd_comp]
       [rmmod ppp_deflate]
       # now get things rolling
       [depmod -a]
       [modprobe ppp]

     Set your options file (/etc/ppp/options.pptp):

       lock
       debug
       proxyarp
       +chap
       +chapms
       +chapms-v2
       mppe-40
       mppe-128
       mppe-stateless

     Set your pptpd configuration file (/etc/pptpd.conf):

       debug
       option /etc/ppp/options.pptp
       localip 192.168.1.80-89   #look in the /etc/pptpd.conf file for more info about settings
       remoteip 192.168.1.70-79

That should do it. Don't forget to make a link to the pptpd.init in whatever
runlevel you're using so that the pptpd daemon will start automatically upon
boot. We use runlevel 3, so make a link like this:

  [ln -s /etc/rc.d/init.d/pptpd.init /etc/rc.d/rc3.d/S52pptpd]

4.1 Adding chap authentication

  Add the following lines to /etc/ppp/options.pptp

    auth
    require-chap
    +chap
    name pptpd

  Set the /etc/ppp/chap-secrets to the following (with appropriate uid/pw)

    userid        is the username the Windows user uses to log in
    secret        is the password the Windows user uses to log in
    server        must match the "name" line in the /etc/ppp/options.pptp
                  file
    IP addresses  says * to match anything, i.e. don't care. When using
                  pppd-ip-alloc (see the following section) you would list
                  the IP address to assign to that user's computer when they
                  log in.

    # Secrets for authentication using CHAP
    # userid        server  secret          IP addresses
    loginname       pptpd   "mypasswd"      *

4.2 Adding fixed IP addresses based on userid

  Download the pptpd-1.0.1.tar.gz file from
  http://poptop.lineo.com/releases/pptpd-1.0.1.tar.gz

  Extract, configure, and build the pptpd and pptpctrl programs

    [cd /usr/src]
    [tar xzf pptpd-1.0.1.tar.gz]
    [cd pptpd-1.0.1]
    [./configure --with-pppd-ip-alloc]
    [make]
    [make install]

  Set up the /etc/ppp/options.pptp file. This maps the userid to IP address

    # Secrets for authentication using CHAP
    # userid        server  secret          IP addresses
    loginname       pptpd   "mypasswd"      192.168.1.100
    hislogin        pptpd   "hispasswd"     192.168.1.101
    herlogin        pptpd   "herpasswd"     192.168.1.102

  Set up the /etc/pptpd.conf file

    debug
    option /etc/ppp/options.pptp

  Run the pptpd server (kill any previously running version first)

    [/usr/local/sbin/pptpd]

4.3 Adding packet reordering

  If you have a bad network which delivers many out-of-order packets, you
  may get a significant speed boost by installing the development version of
  pptpd which has code to do simple packet reordering. The 1.0.1 version
  just drops packets which come in out-of-order (this is what the pptp RFC
  specifies should happen). The 1.1.2 version attempts to buffer and reorder
  the packets so that none of the packets are lost.

  Download the pptpd-1.1.2.tar.gz file from
  http://poptop.lineo.com/releases/pptpd-1.1.2.tar.gz

  Extract, configure, and build the pptpd and pptpctrl programs

    [cd /usr/src]
    [tar xzf pptpd-1.1.2.tar.gz]
    [cd pptpd-1.1.2]
    [./configure]
    [make]
    [make install]

  Run the pptpd server (kill any previously running version first)

    [/usr/local/sbin/pptpd]

4.4 Making VPN-connected machines appear on the local network
    (also, appropriate ipchains configuration to allow PPTP traffic)

  If you assign IP addresses from the same subnet as the local network, then
  you can get VPN machines to see the local machines, and vice versa.
  This example assumes your local network is 192.168.1.0 with mask
  255.255.255.0

  It also assumes the machine running pptpd is also connected to the
  internet, and is doing IP masquerading for the machines on the local
  network. This machine has local IP address 192.168.1.1 on eth1 and
  internet IP address w.x.y.z on eth0

  Option 1) Set up fixed IP address assignments as described in 4.2, above

  Option 2) Use dynamic IP addresses by setting your pptpd configuration
            file (/etc/pptpd.conf) to the following:

              debug
              option /etc/ppp/options.pptp
              localip 192.168.1.80-89
              remoteip 192.168.1.70-79

  The first option is preferable, because this way you can also map machine
  names and IP addresses for all of your VPN machines in the hosts and
  lmhosts files, to enable connections from local machines to VPN machines
  (and from one VPN machine to another). With dynamic IP assignment, you
  never know which VPN machine will have which IP address.

  Make sure your /etc/ppp/options.pptp contains the line

    proxyarp

  Set up the appropriate ipchains rules. Note that you might have more than
  this, because the following rules don't make a complete firewall.

    # Enable IP forwarding
    ipchains -P forward DENY
    ipchains -A forward -i eth0 -j MASQ

    # Create a chain for outputs on the eth0 dialup device
    ipchains -N eth0-out
    ipchains -A output -i eth0 -j eth0-out

    # Allow all GRE protocol packets to pass
    ipchains -A eth0-out -p 47 -j ACCEPT

    # Create a chain for inputs on the eth0 dialup device
    ipchains -N eth0-in
    ipchains -A input -i eth0 -j eth0-in

    # Log and accept all incoming pptp connections
    ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 pptp -j ACCEPT -l
    ipchains -A eth0-in -p TCP -d 0.0.0.0/0 pptp -j ACCEPT

    # Allow all GRE protocol packets to pass
    ipchains -A eth0-in -p 47 -j ACCEPT

    # Deny all other TCP and UDP traffic
    ipchains -A eth0-in -p TCP -y -j DENY
    ipchains -A eth0-in -p UDP -j DENY

    # Enable packet forwarding to/from the pptpd connection
    # This is the critical rule to allow traffic from the local
    # network to make it to the pptpd connection, and vice versa
    ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

    # Enable forwarding/masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward

  List the IP addresses and machine names in /etc/hosts on the Linux
  machines, and in BOTH c:\windows\hosts and c:\windows\lmhosts on the Win9x
  machines. In Windows2000 these files are in
  c:\winnt\system32\drivers\etc\hosts and
  c:\winnt\system32\drivers\etc\lmhosts

    192.168.1.1     gateway
    192.168.1.2     localmachine2
    192.168.1.3     localmachine3
    192.168.1.4     localmachine4
    192.168.1.5     localmachine5
    192.168.1.100   loginname
    192.168.1.101   hislogin
    192.168.1.102   herlogin

  Here it is assumed the machine identification (in the Network Control
  Panel on the Windows machines) for the 3 VPN machines are "loginname",
  "hislogin", and "herlogin". These machine names don't necessarily have to
  match the pptpd login names, but the network identification should match
  the name listed in the hosts file.
  If this does not match for the VPN machines, the VPN machines will still
  be able to access the local network machines, but the local network
  machines will not be able to access the VPN machines.

  Configure Windows on the VPN machines appropriately. This includes setting
  up the VPN adapter and the Dial-up Networking adapter appropriately. To
  access the local machines from the VPN machine, you must install the
  Client for Microsoft Networks, and bind to it from the TCP->Dialup
  Adapter. To access the VPN machine from the local machines, you must also
  install the "File and printer sharing for Microsoft Networks" and bind to
  it from the TCP->Dialup Adapter.

  Note that if you are using 2 dial-up adapters, the first will be used for
  connecting your modem connection, and the second will be used for
  connecting the VPN. In this case, you would want the Client and Service
  bound to the SECOND dial-up adapter.

  At this point you should be able to log in from your Windows machine, and
  access the local machines by doing "Start..Run" and entering \\gateway
  (where gateway is the name of the machine on the local network.)

  Note that the Network Neighborhood uses Browsing, and simple browsing done
  by Windows requires broadcast packets. Broadcast packets do not go through
  a routed connection (i.e. they won't pass through the VPN link) so simple
  browsing (probably) will not work. I say probably, because I have seen
  browsing work without a WINS setting configured!

  If you have a machine on the local network that acts as a WINS server
  (could be a Samba machine or a WinNT machine), you can configure your
  Windows machine to use that machine's IP address as a WINS server, and
  then browsing will work.
  You can also force a WINS configuration on the VPN machines by adding the
  following line to the /etc/ppp/options.pptp file:

    ms-wins 192.168.1.1

5.0 Windows Client Setup
------------------------

Note that the Win95 routine is similar but requires Dial Up Networking
Update 1.3, and both Win95 and Win98 need the vpnupdate (free from
Microsoft) to be installed first.

Try here for the DUN1.3 and the vpnupdate:

  Windows 95  http://www.microsoft.com/windows95/downloads
  Windows 98  http://www.microsoft.com/windows98/downloads/corporate.asp

  1a. For Win95 machines install the DUN 1.3.

  1b. For Win98 machines use the add-remove programs tool to uninstall the
      VPN software. Some of the OEMs don't install this properly. Re-install
      it using the add-remove programs tool. Go to windows setup (tab),
      select communications and press the details button. Scroll down and
      check the VPN support.

  2.  Install the vpnupdate for your particular machine (win95/98 not 98SE).

take a little nap here...

Once your machine is back:

  1.  Go to dial-up networking (usually
      start->programs->Accessories->communications->Dial-up Networking) YMMV
  2.  Click make new connection
  3.  Name the connection whatever you'd like.
  4.  Select Microsoft VPN adapter as the device
  5.  Click next
  6.  Type in the ip address or hostname of your pptp server
  7.  Click next
  8.  Click finish
  9.  Right-click on the intranet icon
  10. Select properties
  11. Choose server types
  12. Check require encrypted password
  13. Uncheck netbeui, ipx/spx compatible
  14. Click tcp/ip settings
  15. Turn off use IP header compression (may not be necessary)
  16. Turn off use default gw on remote network
  17. Click ok.
  18. Start that connection
  19. Type in your username and pw (yadda, yadda, yadda)
  20. Once it finishes its connection you're up.

UPDATE: 128bit windows Client (for USA and Canada)

  You can download the 128 bit version of the Windows 98 Dial-Up Networking
  Security Update from the following URL:

    http://support.microsoft.com/Support/NTServer/128Eula.asp

  Accept the EULA, then choose the appropriate 128-bit DUN Update.

6.0 Firewall Setup
------------------

If you're using Masquerading you will probably need to add some rules to the
firewall. These rules are just examples; don't rely only on them to
completely shut out hackers.

This section also assumes that you already have a working connection to the
internet from your Linux box and any workstations that might be connected to
it.

I like to keep a clean firewall so we added some scripting to
/etc/ppp/ip-up.local and /etc/ppp/ip-down.local. These files don't normally
exist so you may have to create new ones.

Here is an example of each of the scripts:

ip-up.local

---- cut ----
#!/bin/sh
# pppd arguments: $1=interface $2=tty $3=speed $4=local IP $5=remote IP $6=ipparam
INTERNAL_NET1="192.168.1.0/24"

case $2 in
/dev/pts/*)
        echo "$(date): ip-up 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
        /sbin/ipchains --insert forward -j ACCEPT -s $5 -i eth0
        #                                                  ^ local interface
        /sbin/ipchains --insert forward -j ACCEPT -d $5 -i $1
        #                                                  ^ incoming pptpd interface
        /sbin/ipchains --insert input -i $1 -s $INTERNAL_NET1 -j ACCEPT
        /sbin/ipchains --insert output -i $1 -d $INTERNAL_NET1 -j ACCEPT
        echo "$(date): ip-up Firewall rules set for $1:$5" >> /var/log/pptpd.log
        ;;
esac
---- cut ----

ip-down.local

---- cut ----
#!/bin/sh
# pppd arguments: $1=interface $2=tty $3=speed $4=local IP $5=remote IP $6=ipparam
INTERNAL_NET1="192.168.1.0/24"

case $2 in
/dev/pts/*)
        echo "$(date): ip-down 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
        /sbin/ipchains --delete forward -j ACCEPT -s $5 -i eth0
        #                                                  ^ local interface
        /sbin/ipchains --delete forward -j ACCEPT -d $5 -i $1
        #                                                  ^ incoming pptpd interface
        /sbin/ipchains --delete input -i $1 -s $INTERNAL_NET1 -j ACCEPT
        /sbin/ipchains --delete output -i $1 -d $INTERNAL_NET1 -j ACCEPT
        echo "$(date): ip-down Firewall rules removed for $1:$5" >> /var/log/pptpd.log
        ;;
esac
---- cut ----
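
The scripts in section 6 log one line when they insert the per-connection
rules and one when they delete them, so a connection whose ip-down.local
never ran leaves its ACCEPT rules in the firewall. The following is an added
example, not part of the original HOWTO: it reads that log, lists the
interface:address pairs whose rules are still installed, and prints (without
running) the matching delete commands. The function names and the sample log
lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the HOWTO. It relies only on the two messages that
# ip-up.local and ip-down.local (section 6) append to /var/log/pptpd.log.
INTERNAL_NET1="192.168.1.0/24"   # same value as in the section 6 scripts

# stale_rules LOGFILE -> "interface:peer-ip" for each rule set still installed
stale_rules() {
    awk '
        / ip-up Firewall rules set for /       { pending[$NF]++ }
        / ip-down Firewall rules removed for / { if (pending[$NF] > 0) pending[$NF]-- }
        END { for (k in pending) if (pending[k] > 0) print k }
    ' "$1" | sort
}

# cleanup_commands LOGFILE -> prints (never runs) the four deletes that
# ip-down.local would have issued for every stale entry
cleanup_commands() {
    stale_rules "$1" | while IFS=: read -r ifname peer; do
        echo "/sbin/ipchains --delete forward -j ACCEPT -s $peer -i eth0"
        echo "/sbin/ipchains --delete forward -j ACCEPT -d $peer -i $ifname"
        echo "/sbin/ipchains --delete input -i $ifname -s $INTERNAL_NET1 -j ACCEPT"
        echo "/sbin/ipchains --delete output -i $ifname -d $INTERNAL_NET1 -j ACCEPT"
    done
}

# write_sample_log FILE -> constructed log in the format the scripts produce
write_sample_log() {
    cat > "$1" <<'EOF'
Thu Oct  5 10:01:02 EDT 2000: ip-up 1:ppp0 2:/dev/pts/0 3:115200 4:192.168.1.80 5:192.168.1.70 6:
Thu Oct  5 10:01:02 EDT 2000: ip-up Firewall rules set for ppp0:192.168.1.70
Thu Oct  5 10:05:40 EDT 2000: ip-up Firewall rules set for ppp1:192.168.1.71
Thu Oct  5 10:30:11 EDT 2000: ip-down Firewall rules removed for ppp0:192.168.1.70
Thu Oct  5 11:02:00 EDT 2000: ip-up Firewall rules set for ppp0:192.168.1.72
EOF
}

# Demo run on the constructed log
LOG=$(mktemp)
write_sample_log "$LOG"
cleanup_commands "$LOG"
rm -f "$LOG"
```

Compare the printed commands with the output of "ipchains -L" before running
any of them.
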

7.0 Troubleshooting
-------------------

7.1 Setting debug for PoPTop

  If you want to enable debugging follow these steps:

  1. Edit the /etc/syslog.conf file and add the line:

       daemon.debug /var/log/pptpd.log

  2. Restart the syslog daemon:

       [/etc/rc.d/init.d/syslogd restart]

  3. Make sure the options file you are using (i.e. /etc/ppp/options) has
     the following:

       debug

     Setting the debug option here affects all PPP and PPTP connections.

  4. Edit the /etc/pptpd.conf file to contain the following:

       debug

  pptpd errors and messages should now start showing up in
  /var/log/pptpd.log

7.2 Client side errors: Windows Client 95/98

  7.2.1. Error 629: You have disconnected from the computer you dialed.....

    Possible causes:
      - pptpd daemon not running
      - pptpctrl not set up properly in /etc/inetd.conf

    Possible solutions:
      - run the pptpd daemon [pptpd -d]
      - set up pptpctrl per README.inetd instructions

  7.2.2. Error 645: The microsoft Dial-up adapter is in use or not
         responding properly.

    Possible causes:
      - VPN software not set up correctly by OEM Manufacturer.

    Possible solutions:
      - Follow the instructions in the section titled "Windows Client
        Setup". Pay specific attention to uninstalling the VPN software
        first. Then reinstall and add updates.

  7.2.3. Error 650: The Remote Access server is not responding.

    Possible causes:
      - There is a problem with packets getting through

    Possible solutions:
      - Check firewalls between you and server. Make sure all can pass
        protocol 47 (GRE) and tcp port 1723.

  7.2.4. Error 691: Access denied because username and/or password is
         invalid on the domain.

    Possible causes:
      - check /etc/ppp/chap-secrets file for existence/correctness

    Possible solutions:
      - Edit the /etc/ppp/chap-secrets file on the server to include the
        username and password. Possibly use DOMAINNAME\\username for windows
        clients. The message log may contain more hints about what is
        expected.

  7.2.5. Error 742: The remote server does not support encryption.

    Possible causes:
      - ppp_mppe module not loaded

    Possible solutions:
      [insmod ppp_mppe]
      or include 'alias ppp-compress-18 ppp_mppe' in the /etc/conf.modules
      file

  7.2.6. Error 751: The remote computer refused the connection.....

    Possible causes:
      - pptpd daemon not running
      - pptpctrl not set up properly in /etc/inetd.conf

    Possible solutions:
      - run the pptpd daemon [pptpd -d]
      - set up pptpctrl per README.inetd instructions

  7.2.7. Can see machines from the local network in Network Neighborhood,
         but get "Machine does not exist" errors when trying to double-click
         on them.

    Solution: This can be caused by 2 things:

    1) The ipchains rules don't enable forwarding between the pptp
       connection and the local network. You should have an ipchains rule
       like the following (see section 4.4, above, for more information):

         # Enable packet forwarding to/from the pptpd connection
         # This is the critical rule to allow traffic from the local
         # network to make it to the pptpd connection, and vice versa
         ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

    2) The c:\windows\hosts and c:\windows\lmhosts don't list the proper IP
       address/machine name connections. Check to see that all of your local
       network machines are listed in BOTH of these files on the machine
       dialing in to the network through Virtual Private Networking.

7.3 Server side errors:

  In this section the error is preceded by where it most likely would be
  seen.

    console: This error would show up on the console
    log:     This error would show up in one of the logs
             (i.e. /var/log/messages)

  7.3.1a. console: createHostSocket: Address already in use
  or
  7.3.1b. log: MGR: Couldn't create host socket

    Possible causes: pptpd is already running. Some other daemon may be
    using the 1723 port.

    Possible solutions:
      1. Use 'ps ax | grep pptpd' to check to see if pptpd is already
         running.
      2. Edit /etc/inittab and comment out the reference to pptpd. Then
         type:
           init Q
           pptpd -d
      3. Reconfigure the other daemon not to use port 1723.

  7.3.2. log:modprobe cannot locate module ppp-compress-18 (or 21,24, 26)

    Possible causes: The compression modules for PPP are not loaded

    Possible solutions: insmod the following modules: ppp_mppe (for 18),
    bsd_comp (for 21), ppp_deflate (for 24 and 26), or modify the
    /etc/conf.modules file to include

      alias ppp-compress-18 ppp_mppe
      alias ppp-compress-21 bsd_comp
      alias ppp-compress-24 ppp_deflate
      alias ppp-compress-26 ppp_deflate

  7.3.3. log:modprobe cannot locate module char-major-108

    Possible causes:

    Possible solutions: modify the /etc/conf.modules file to include

      alias char-major-108 off

  7.3.4. The VPN link works for a while, but then stops working, and the
         /var/log/debug file shows the following:

           pppd[10544]: rcvd [Compressed data] 10 32 ae 68 c0 8e e1 92 ...

    Solution: Patch the /usr/src/linux/drivers/net/ppp_mppe.c file with the
    patch
    http://www.vibrationresearch.com/pptpd/ppp_mppe_compressed_data_fix.diff
    and then recompile and reinstall the ppp_mppe.o module

  7.3.5. Get PPP_VERSION undefined error message while compiling ppp kernel
         modules

    Solution: add the following lines to
    /usr/src/linux/include/linux/if_ppp.h

      #define PPP_VERSION "2.3.7"
      #define PPP_MAGIC 0x5002 /* Magic value for the ppp structure */

  7.3.6. Get symbols not defined for ppp_mppe module when doing "depmod -a"

    Solution: Probably missing some of the rc4* files (most likely
    rc4_skey.c). This typically happens when getting rc4* files from a
    different source than was suggested in the corresponding patch file. If
    I remember right, if you use the SSLeay-0.6.6 files you don't have an
    rc4_skey.c file, but if you use the SSLeay-0.9.0 files you must have the
    rc4_skey.c file. Using OpenSSL-0.9.5 may have different requirements.
    Best solution is to use the complete patch for your appropriate ppp
    version from the following ftp server, as these patches include the rc4*
    files: ftp://ftp.binarix.com/pub/ppp-mppe/

8.0 PPP options files
---------------------

8.1 PoPToP Server

  On a RedHat system options files are usually located in the /etc/ppp
  directory. There are some choices that need to be made with regard to
  which options files to use.

  To set options for all inbound/outbound PPP type connections (this would
  include PPTP) use the /etc/ppp/options file.

  According to the man page for pppd the daemon strips the leading /dev/
  portion of the device name and converts any subsequent slashes into
  periods.

  If you want to set options for a particular pptp connection use the
  /etc/ppp/options.pts.x file. x represents the number of possible
  connections that you are going to have. This may not work very well
  because at this point you don't have direct control over which option file
  any particular pptp user is going to use. PPTP uses /dev/pts/0,
  /dev/pts/1, etc. so you would use /etc/ppp/options.pts.0,
  /etc/ppp/options.pts.1, etc. as the options file names, respectively.

  If you were going to be dialling out you would use /etc/ppp/options.modem
  or /etc/ppp/options.ttyS0 depending on which device was configured as your
  dial-out connection.

  In our case we used the /etc/ppp/options.pts.x files because we also have
  outbound ppp connections to other networks. For these other connections we
  used a named file in the /etc/ppp/peers directory.

  See the man page for pppd and the PPP HOWTO for more specific information
  about how the options files work.

    http://www.linux.org/help/ldp/howto/PPP-HOWTO.html

8.2 PPTP-Linux Client (by C.S. Ananian)

  The PPTP-Linux Client can be found at:

    http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/

Michael Barsalou
barjunk@attglobal.net
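
Sections 4.1 and 4.2 require the server column of /etc/ppp/chap-secrets to
match the "name" line of the options file, and give each user one fixed IP
address in the last column. The following is an added example, not part of
the original HOWTO, that cross-checks the two files and also reports a
secrets file that is accessible to anyone but its owner, since it holds the
passwords in plaintext. The function names and the "guest" and "broken"
entries are constructed; secrets are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the HOWTO: cross-check chap-secrets against the
# "name" line of the pppd options file (sections 4.1 and 4.2).
# Assumption: secrets contain no spaces, so fields split on whitespace.

# options_name FILE -> value of the "name" option, empty if absent
options_name() {
    awk '$1 == "name" { print $2; exit }' "$1"
}

# check_chap_secrets SECRETS OPTIONS -> one finding per line, nothing if clean
check_chap_secrets() {
    secrets=$1
    name=$(options_name "$2")
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$secrets" | cut -c5-10)
    [ "$perms" = "------" ] || echo "perms: $secrets is accessible by group or others"
    awk -v name="$name" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF < 4 {
            print "short: line " NR " has " NF " fields, the HOWTO layout has 4"
            next
        }
        # "*" in the server column matches any server name
        name != "" && $2 != "*" && $2 != name {
            print "server: " $1 " uses server " $2 ", options file has name " name
        }
        $4 == "*" { next }                       # no fixed address to compare
        ($4 in seen) { print "dup-ip: " $4 " assigned to " seen[$4] " and " $1 }
        { seen[$4] = $1 }
    ' "$secrets"
}

# write_samples DIR -> constructed options.pptp and chap-secrets for the demo
write_samples() {
    cat > "$1/options.pptp" <<'EOF'
auth
require-chap
+chap
name pptpd
EOF
    cat > "$1/chap-secrets" <<'EOF'
# Secrets for authentication using CHAP (constructed sample)
# userid     server  secret       IP addresses
loginname    pptpd   "mypasswd"   192.168.1.100
hislogin     pptpd   "hispasswd"  192.168.1.101
herlogin     pptpd   "herpasswd"  192.168.1.102
guest        vpn     "guestpw"    192.168.1.101
broken       pptpd   "nopw"
EOF
    chmod 600 "$1/chap-secrets"
}

# Demo run on the constructed files
DEMO=$(mktemp -d)
write_samples "$DEMO"
check_chap_secrets "$DEMO/chap-secrets" "$DEMO/options.pptp"
rm -rf "$DEMO"
```
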