Poptop is an open source VPN server supporting Microsoft's PPTP (Point-to-Point Tunneling Protocol). It allows you to use a Linux Server as a VPN Server for Windows machines. This way you can encrypt any communication between the Linux server and your Windows workstation easily. You can use NAT (Network Address Translation) to hide your workstation's IP address when you access the internet thru the VPN Server. Windows comes with a built-in and easy-to-configure VPN client. Nothing has to be installed on the Windows machine. In this post, I would like to share my recent experience installing Poptop.

Latest posts by Michael Pietroforte (see all)

But let me say a word about security first. PPTP has many critics. Crypto experts have shown that it is possible to crack this protocol under certain circumstances, especially MSCHAPv2 which is used for authentication, has its weaknesses. MPPE (Microsoft Point-to-Point Encryption) "only" uses a 128-bit-key. However, I think for most scenarios PPTP is secure enough. If you want to hide your communication from curious system administrators, PPTP will do the job quite well, but if you think that the NSA or Mr. Super Hacker will be interested in your data, better use a more secure VPN protocol like IPSec. The disadvantage is that things will usually become more complicated.

Installing Poptop is not difficult, if you are a Linux admin. The documentation is a bit poor, though. I think most Linux distributions already come with the necessary packages. I installed it with YaST on a SuSE 9.0 machine. The name of the package is "pptpd". If some other packages are missing, YaST will tell you which ones. I had a problem getting the pptpd service running in the beginning. After a while it turned out that my 2.4.29 kernel didn't like Poptop, somehow. I tried several other kernel versions, and it always worked fine with them.

These are four configuration files:

If you have an older Linux distribution, check your modules.conf for these entries:

alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-comress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

In pptpd.conf, I only uncommented the localip and the remoteip variables. I used private IPs for both variables. In options.pptpd, I enabled mppe-128. Most important is chap-secrets. Here you set the user name and the password. You can reduce the weakness of MSCHAPv2 by setting a strong password here. Use a random password, with a mixed of small and capital letters. Ten characters should be the minimum length. Don't use a password which you can remember easily. It is safer to let your VPN client store a strong password, instead of entering a weak and an easy-to-remember password whenever you connect to the VPN Server.

Then I configured the firewall to allow the PPTP protocol. With iptables, it looks like this:

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

If you want to work with NAT (Network Address Translation), you have to add these lines to your iptables shell script:

iptables -A FORWARD -i ppp0 -o eth0 -s -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

The IP range here is the one you configured in pptpd.conf. You also have to enable IP forwarding which is disabled by default. On a SuSE box the easiest way to do this is by using YaST. You'll find it under network services/routing. If you don't use SuSE please check out Marius' post about IP Forwarding.

Then you have to setup the VPN client on your Windows machine. Please go to this site for more information. The default PPTP setting of Windows should work.

With this configuration, you can already access the internet thru your Linux server using NAT. To make sure that you always use the VPN connection to access applications on the server, you can change C:\WINDOWS\system32\drivers\etc\hosts. Add the IP address to hosts which you set before for localip in pptpd.conf for the domain names that you are hosting on your Linux server. You have to reboot after changing the hosts file.

Subscribe to 4sysops newsletter!

This way, your communication with the Linux host will always be encrypted regardless what application you use to access it. If you ever forget to establish the VPN connection first, you even won't be able to access the Linux machine.

  1. Tom 17 years ago

    Another great article!
    Linked you from my site. (again)
    You find some really great tools etc.
    Keep up the good work.

  2. not karl rove 15 years ago

    This seems like it would be an excellent candidate for bundling up into a VMWare-based (or other) virtual appliance– fire it up on a PC, forward all external traffic to its IP address instead of one of your physical hosts, and you’re probably pretty well protected.

    Nice work, and nice doc.

  3. sam 15 years ago

    poptop is not working with msn messenger.cant log in msn ?

  4. sam, I have no problems to use MSN messenger together with Poptop.

  5. linupf 14 years ago

    Hi, Michael :
    I had same problem with sam which not working with MSN via pptpd for centos

  6. Haraye 14 years ago

    This may not be revelant but i figured i’d post this anyway. If you’re using ubuntu 8.10 you may be in for some issues with the network manager. For some unknown reason it stops functioning. You will need to manually set you’re resolv.conf with your ISP’s DNS servers. That file is located in /etc/network/resolv.conf

  7. nicities 13 years ago

    this would be lovely rolled into a less than sudo user capabalbe wmware 6.5 or workstation 7 application creation guide to enable VPN applicance with less of the mess or resource hogging for xp users..

    I’ll poke out my eyes before “upgrading” to windows 7


  8. Dev kumar 13 years ago

    Am successful to have a VPN connection. But ran into couple of issues:
    1. Internet not working after VPN. Set OpenDNS as DNS servers
    2. Not sure how to set the communication between 2 networks as i have a public nic (149.x.x.x) and private (10.19.x.x).
    I set local IP to public and remote IP to,
    3. Currently IP tables is disabled.

Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account