The problem

A bunch of servers in our company headquarters in Sofia needed to be accessed on a daily basis. Branch offices are connected to the central office through the Internet. One of the branches is located in Plovdiv. A vpn concentrator running pptp was installed in Sofia to provide remote access. I was wondering how to save myself the trouble of configuring all Plovdiv workstations with vpn connections and keep an eye on demanding users.


Network diagram

The solution

I decided to set up an old linux box running Slackware 8.0 to act as a pptp client and route all employee traffic to headquarters through the vpn tunnel. While providing a transparent service I was able to limit the number of connections to one.


Linux configuration

Files to change

To set up a pptp client the following files need to be modified:

Linux configuration files
 /etc/ppp/chap-secrets - if using chap for authentication, as in our case
 /etc/rc.d/firewall - optionally, to start the vpn connection

To start with authentication.

PPP authentication is not necessarily bidirectional; normally only the client authenticates to the server. In /etc/ppp/chap-secrets the client field holds the username, the secret field the shared password, and the server field the server username if authentication of the server is required. Usually a wildcard is used there, which in effect disables bidirectional authentication. The last field is the IP address of the server, again wildcarded to match any. If more than one ppp connection is configured with the same username and different passwords, this may cause problems, but such cases are rare.

 /etc/ppp/peers directory

In the /etc/ppp/peers directory a new config file is created bearing the name of the remote end. I named it "sofia". The connection parameters are specified here; missing ones are taken from /etc/ppp/options, so you can specify options in either place. At least the name, i.e. the username, must be specified: in our case "plovdiv". Another entry that must be present is:

 pty "/usr/sbin/pptp --nolaunchpppd", where is the remote end ip

The option "--nolaunchpppd" specifies that this pty is used for communication and not as a terminal device: pptp will not launch pppd itself and will use stdin as the network connection. In the background pppd allocates a pseudo-tty master-slave pair. pppd uses the slave as its terminal device, and the script runs with the pty master as its standard input/output. It is good practice to explicitly set the mtu and mru values to 1460. The "file" entry in /etc/ppp/peers/sofia points to another file containing defaults for options not listed. Usually this is the /etc/ppp/options file. Yet another option, "persist", not surprisingly makes the connection persistent: if the connection is dropped, it is reconnected automatically. It did not work for me, though. You can try adding an entry in /etc/inittab, something like this:

 pd:23:respawn:/usr/sbin/pppd file /etc/ppp/peers/sofia

An interesting option is "ipparam", though it is not used in our case. It is very handy if you have several peers. You set it in /etc/ppp/peers/peer_name and check it through the environment variable PPP_IPPARAM. Suppose I have to add one more tunnel, to the Bourgas branch office. How can I know which connection is starting, which route to add, and through which interface? I can match the ipparam string in the ip-up script like this:

 script: /etc/ppp/ip-up
Sample ip-up script

 if [ "$PPP_IPPARAM" = "sofia" ]; then
     route add -net ………. dev $PPP_IFACE
 elif [ "$PPP_IPPARAM" = "bourgas" ]; then
     route add -net ………. dev $PPP_IFACE
 fi

In our case a couple of lines are needed in ip-up script. It is executed on successful connection. So install the route for the remote network:

 route add -net netmask dev ppp0

NAT all local LAN addresses through the pptp tunnel:

  iptables -t nat -A POSTROUTING -s -o ppp0 -j MASQUERADE



The ip-down script is executed when the connection terminates. Undo everything created in ip-up (clear the NAT rule and delete the routes).

  route del -net netmask dev ppp0

  iptables -t nat -D POSTROUTING -s -o ppp0 -j MASQUERADE
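
The ip-up and ip-down steps above, combined with the ipparam dispatch, as an added example that is not part of the original post. The networks, the LAN range and the function names are constructed placeholders; pppd passes the interface name as the first argument and the ipparam string as the sixth, and using PPP_IFACE and PPP_IPPARAM when they are set is an assumption about the distribution's wrapper script.

```shell
#!/bin/sh
# Added example (not from the original page): one script installed as both
# /etc/ppp/ip-up and /etc/ppp/ip-down.
# pppd calls it as: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>

# Constructed sample addressing; replace with your own networks.
LAN_NET="192.168.10.0/24"   # branch LAN that is NATed into the tunnel

# Map the ipparam tag set in /etc/ppp/peers/<name> to that peer's remote network.
peer_route() {
    case "$1" in
        sofia)   echo "10.1.0.0 netmask 255.255.0.0" ;;
        bourgas) echo "10.2.0.0 netmask 255.255.0.0" ;;
        *)       return 1 ;;   # unknown tag: install nothing
    esac
}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Apply ("up") or undo ("down") the route and NAT rule for one tunnel.
tunnel_event() {
    event=$1; iface=$2; tag=$3
    net=$(peer_route "$tag") || { echo "unknown ipparam '$tag'" >&2; return 1; }
    case "$event" in
        up)   route_op=add; nat_op=-A ;;
        down) route_op=del; nat_op=-D ;;
        *)    echo "unknown event '$event'" >&2; return 1 ;;
    esac
    # $net is left unquoted on purpose so it splits into "<net> netmask <mask>".
    run route "$route_op" -net $net dev "$iface"
    run iptables -t nat "$nat_op" POSTROUTING -s "$LAN_NET" -o "$iface" -j MASQUERADE
}

# Dispatch on the name pppd used; prefer the PPP_* variables when they are set.
case "${0##*/}" in
    ip-up)   tunnel_event up   "${PPP_IFACE:-$1}" "${PPP_IPPARAM:-$6}" ;;
    ip-down) tunnel_event down "${PPP_IFACE:-$1}" "${PPP_IPPARAM:-$6}" ;;
esac
```

Using the interface name pppd supplies instead of a hard-coded ppp0 keeps the rules attached to the right tunnel when more than one peer is up, and an unrecognised ipparam leaves the routing table and NAT rules untouched.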



The /etc/ppp/options and /etc/ppp/options.pptp files may be left at their defaults. If tunnel encryption is required you can add an entry in /etc/ppp/options:


Unfortunately, Microsoft Point-to-Point Encryption is not compiled into the Linux 2.4.x kernel by default. First you have to patch the source and, when compiling, enable the option CONFIG_PPP_MPPE.


Router configuration

Everything worked as expected until the branch bought a new Cisco router, an ISR 2801, as a replacement for the Linux box. It turned out to be quite a challenge to configure the router to act as a pptp client. Still, my efforts were not a waste of time. Below is a listing of the router configuration; some parts are skipped for clarity. The router acts as a pptp server, an Internet default gateway and a pptp client to Sofia. The pptp tunnel is established at startup and, when terminated, is reestablished automatically.

Cisco router configuration
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption

!Very important. Allows viewing some previously hidden commands
service internal
hostname R-ITD

aaa new-model
aaa authentication login default local line

!the router is also acting as pptp server but this part of the config is skipped
aaa authentication ppp default local

!allow network access if authenticated
aaa authorization network default if-authenticated

ip cef
!start vpdn services
vpdn enable
!create a vpdn group
vpdn-group 2
 !router is acting as a pptp client
 !specify protocol
 protocol pptp
 !associate vpdn group with dialer interface created later
 rotary-group 2
 !the address of the pptp server
 initiate-to ip

!interface to the ISP
interface FastEthernet0/0
 description WAN ITD
 ip dhcp client client-id ascii test
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 description local LAN
 ip address
 ip nat inside
 duplex auto
 speed auto

!create a dialer interface
interface Dialer2
 mtu 1460
 !get an ip from the server
 ip address negotiated
 !specify it will perform PAT for internal LAN
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 !specify dial-on-demand routing support
 dialer in-band
 !do not disconnect if no traffic
 dialer idle-timeout 0
 !must be present in the configuration with whatever value you wish or problems may arise
 dialer string 123
 !enable dialer interface to place vpdn calls
 dialer vpdn
 !associate the interface with interesting traffic defined by dialer-list 2
 dialer-group 2
 no cdp enable
 ppp pfc local request
 ppp pfc remote apply
 !apply Microsoft encryption
 ppp encrypt mppe auto
 !provide username and password for authentication
 ppp chap hostname plovdiv
 ppp chap password 7 426756075B

!add a static route for the remote vpn network. It is installed in the routing table when the int dialer2 is up
ip route Dialer2
!perform PAT for Internet access
ip nat inside source route-map INTERNET interface FastEthernet0/0 overload

!perform PAT for vpn remote network
ip nat inside source route-map VPN interface Dialer2 overload
access-list 10 permit

!always stay connected
dialer-list 2 protocol ip permit
route-map INTERNET permit 10
 match ip address 10
 match interface FastEthernet0/0
route-map VPN permit 10
 match ip address 10
 match interface Dialer2