Difference between revisions of "PPTP VPN Server"

From Baranoski.ca
Latest revision as of 10:42, 16 December 2015

A Cisco router can be configured as a PPTP VPN server. This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android. Keep in mind that PPTP's security rests on MS-CHAPv2 and MPPE, both of which are considered cryptographically weak today, so treat this as a convenience for low-value remote access rather than a replacement for IPsec or an SSL VPN.


User Config

For starters, you will need some users created. You can either use local accounts or external authentication.

Local Accounts

The PPP authentication mechanism (MS-CHAP) needs the router to recover the user's plaintext password, so "username ... secret" (a one-way hash) can't be used; only "username ... password" works, stored either in plaintext or, once "service password-encryption" is enabled, as type 7. Type 7 is a reversible obfuscation rather than encryption, so anyone who can read the running or saved configuration can recover every VPN password.

username vpnuser password vpnpassword
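To make that concrete, here is an added Python example (not part of the original page) that reverses Cisco's type 7 obfuscation and scans a saved configuration for "password 7" and "key 7" lines. The XOR key is the fixed constant IOS uses for type 7 storage; the configuration fragment is constructed for the demo, and the blob in it decodes to the well-known Cisco default "cisco".

```python
"""Reverse (and re-apply) Cisco IOS 'type 7' password obfuscation.

This is why a 'secret' cannot be used for PPTP users: the router needs the
plaintext back for MS-CHAP, so it stores the password under a fixed-key XOR
that anyone holding the config can undo.
"""
import re
from typing import Dict

# The fixed 53-byte key IOS XORs type 7 passwords against.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 <hex>' and 'key 7 <hex>' (username, enable, tacacs-server, ...).
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def type7_decode(blob: str) -> str:
    """Decode 'SSHHHH...': SS is a two-digit decimal offset into XLAT_KEY and
    each following hex pair is one plaintext byte XORed with the key stream."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("type 7 data is two decimal digits plus an even run of hex")
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    plain = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Inverse of type7_decode. IOS picks the seed randomly from 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    body = bytes(p ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, p in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7(config: str) -> Dict[str, str]:
    """Map every type 7 blob found in a config dump to its plaintext."""
    return {m.group(1): type7_decode(m.group(1)) for m in TYPE7_LINE.finditer(config)}


# Constructed config fragment for the demo (not from a real device). The
# 'username' line is what 'username vpnuser password cisco' becomes once
# 'service password-encryption' is on.
SAMPLE_CONFIG = """\
service password-encryption
username vpnuser password 7 0822455D0A16
"""

if __name__ == "__main__":
    for blob, plain in recover_type7(SAMPLE_CONFIG).items():
        print(f"{blob} -> {plain!r}")
```

The practical consequence: a PPTP user's password is only as protected as the configuration file itself, so do not let VPN accounts share passwords with anything else, and treat config backups and "show run" output as sensitive.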

External Authentication

I haven't tried RADIUS, but I have confirmed TACACS+.

! requires "aaa new-model" and a reachable TACACS+ server with its key configured
aaa authentication ppp default group tacacs+


VPDN Config

Next, enable Virtual Private Dialup Networking (VPDN) and accept PPTP dial-in. When a user connects, a "Virtual-Access" interface is cloned from the Virtual-Template interface for that session.

vpdn enable
!
vpdn-group 1
 description PPTP VPN
 accept-dialin
  protocol pptp
  virtual-template 1


Interface Config

There are two options for addressing the Virtual-Template: make it "unnumbered" on one of your existing interfaces, or give it its own subnet. The former drops VPN clients straight into your existing LAN. The latter means the subnet only exists while clients are connected, and lets you apply access lists and policies to VPN traffic specifically. The tradeoff is that the client then needs static routes to reach the other subnets, or must use the VPN as its default gateway. To send static routes to the client, see Assigning Static Routes To Clients Using DHCP.

interface Virtual-Template1
 description PPTP VPN
 ip unnumbered FastEthernet0
 ip nat inside
 no logging event link-status
 keepalive 30
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

There are other choices for the MPPE key length (40, 56, 128 or auto) and for the authentication method (PAP, CHAP, MS-CHAP). "mppe 128 required" rejects clients that can't negotiate 128-bit encryption, and MPPE can only derive its keys from MS-CHAP or MS-CHAPv2, so the pairing above matches what Windows, Linux and Android clients negotiate by default and saves you from toggling protocols in the client. It is the strongest combination PPTP offers, but it is still weak: the MS-CHAPv2 exchange can be reduced to a single DES key search over the user's NT hash, and the MPPE session key is derived from that same hash, so a captured handshake exposes both the password and the tunnel contents. Use it where convenience matters more than confidentiality.


IP Assignment

Clients can be assigned IP addresses automatically, either from a "local pool" or from a DHCP pool on the router.

The local pool option is the simpler of the two: you just specify the start and end IPs.

ip local pool PPTP-POOL 192.168.10.230 192.168.10.234

interface Virtual-Template1
 peer default ip address pool PPTP-POOL

The DHCP option also lets you hand parameters to the clients, such as static routes, DNS servers and a domain name. The hex string in options 121 and 249 below is an RFC 3442 classless static route: 0x10 is the prefix length (/16), c0.a8 are the significant octets of the destination (192.168.0.0), and c0.a8.0a.01 is the next hop (192.168.10.1). Option 249 is the Microsoft-specific number for the same encoding, which Windows clients request.

ip dhcp pool PPTP-VPN
   network 192.168.10.0 255.255.255.0
   domain-name internal.local
   option 121 hex 10c0.a8c0.a80a.01
   option 249 hex 10c0.a8c0.a80a.01
   dns-server 192.168.10.1

interface Virtual-Template1
 peer default ip address dhcp-pool PPTP-VPN
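As an added example (not from the original page), the following Python encodes and decodes RFC 3442 classless static routes in the dotted-hex form IOS accepts for "option 121 hex" and "option 249 hex", so the blob for any set of routes can be generated rather than hand-packed. It decodes the value from the PPTP-VPN pool above and builds a constructed two-route example; nothing here talks to a device.

```python
"""Build and decode the classless static route blob carried by IOS's
'option 121 hex' / 'option 249 hex' (RFC 3442 wire format)."""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # ("destination/prefix", "next-hop router")


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Pack routes as RFC 3442: one prefix-length byte, only the significant
    destination octets (ceil(prefix/8) of them), then the 4-byte router."""
    out = bytearray()
    for net_str, router_str in routes:
        net = ipaddress.IPv4Network(net_str, strict=True)  # rejects host bits set
        router = ipaddress.IPv4Address(router_str)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += router.packed
    return bytes(out)


def decode_classless_routes(blob: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects malformed or truncated data."""
    routes: List[Route] = []
    i = 0
    while i < len(blob):
        plen = blob[i]
        if plen > 32:
            raise ValueError(f"prefix length {plen} > 32 at offset {i}")
        sig = (plen + 7) // 8
        dest = blob[i + 1:i + 1 + sig]
        router = blob[i + 1 + sig:i + 5 + sig]
        if len(dest) != sig or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i}")
        # Pad the destination back out to 4 octets before building the network.
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - sig), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + sig
    return routes


def to_ios_hex(blob: bytes) -> str:
    """IOS writes option data as dotted groups of 4 hex digits, e.g. 10c0.a8c0.a80a.01."""
    h = blob.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def from_ios_hex(dotted: str) -> bytes:
    return bytes.fromhex(dotted.replace(".", ""))


def ios_dhcp_route_lines(routes: List[Route]) -> List[str]:
    """Both option numbers carry the same payload: 121 is the RFC number,
    249 the Microsoft number that Windows clients request."""
    hexval = to_ios_hex(encode_classless_routes(routes))
    return [f"option 121 hex {hexval}", f"option 249 hex {hexval}"]


if __name__ == "__main__":
    # The value from the PPTP-VPN pool: one route, 192.168.0.0/16 via 192.168.10.1.
    print(decode_classless_routes(from_ios_hex("10c0.a8c0.a80a.01")))
    # Constructed example: two routes for clients not using the VPN as default gateway.
    for line in ios_dhcp_route_lines([("10.0.0.0/8", "192.168.10.1"),
                                      ("172.16.5.0/24", "192.168.10.1")]):
        print(line)
```

Paste the two emitted lines into the "ip dhcp pool" block in place of the ones above when the routes change; the decoder is also handy for checking what an existing pool actually pushes before debugging client routing.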


Client Setup

In Windows, the only change that might be necessary in the client is to untick "Use default gateway on remote network". It should get its DNS servers and any static routes from the DHCP pool over the tunnel (Windows sends a DHCP INFORM across the PPP link once it comes up).

Ubuntu doesn't seem to get the DNS servers from DHCP (it may use another option), so you're best off configuring the connection for "Get addresses only" and then manually specifying the DNS server IP(s).