Thursday, 21 June 2012

RaspberryPi as a PPTP VPN Server - HOWTO

*Introduction*


IMPORTANT UPDATE: Severe security issues have been found in MS-CHAPv2, i.e. the scheme described below; see http://jmparound.blogspot.com/2012/08/severe-security-issues-with-mschapv2.html for a discussion of how it relates to the RasPi VPN.

Having received a Raspberry Pi, the best use I could see for it was as a £35, 5W VPN endpoint. Maybe at some point in the future I'll add other features (SMB, RADIUS auth, log files from the router), but for now that would rock.

I looked at VPN schemes. OpenVPN crops up a few times on blogs, but with a significant problem: you generally need a client for it that isn't always available. My goal is to have a VPN that works "out of the box" with Windows 7 (laptop) and iPad. The best option seems to be a PPTP VPN. There are a couple of guides to getting this working, but none which were idiot-proof to my level of idiocy, so I am currently trying to work it out.

First things first, I copied the RasPi Debian image onto an SD card with UNetbootin. This didn't work: the Raspberry Pi just sits there with a power LED and no activity LEDs. The diskimagerpro or whatever is recommended on the RasPi site is needed.

I copied over the Debian image and changed the name of boot_enable_ssh.rc to boot.rc to enable SSH. I figured at some point I would need to run iptables, so I tried to fire it up, but no luck. It seems the RasPi Debian kernel is configured without the modules needed for iptables.

One note before you start: if you haven't discovered the Linux "screen" command, do it before you start. There are a bunch of stages that either take ages or make your connection drop, so running commands within screen will save your bacon: when the connection drops it'll just detach and your commands keep running. You can then reattach when the connection comes back up.

*Getting SSH, HDMI and pacman working on Arch on the Pi*

I decided to compile my own kernel (first time!) and so followed the guide at http://elinux.org/RPi_Kernel_Compilation exactly. This meant installing Arch. Arch Linux on the Raspberry Pi didn't start an SSH server and wouldn't recognise my HDMI connection. Some people in the #raspberrypi room at freenet pointed me at some docs that showed that editing the config.txt file on the SD card to add "hdmi_safe" instead of "hdmi_mode=19" worked. The SSH host key had apparently disappeared, so I recreated it with ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key. After this I could administer it by SSH. I needed to install things like "screen", so I tried "pacman -S screen" but got 404 errors. Some googling suggested I needed to synchronize the repositories, so "pacman -Sy pacman" and then pressing "n" when it asked seemed to magically make it work. After that I followed the kernel compilation guide but discovered it wasn't fully n00b friendly.


*Kernel Compilation for PPTP*
I git cloned the Raspberry Pi kernel but did need to use "--depth 1" to avoid a memory error. I cloned it to /root/raspberrypi. I used zcat to create the .config file at /root/raspberrypi/linux/.config and then in the ../linux directory ran "menuconfig".
I followed the notes at http://en.gentoo-wiki.com/wiki/PPTP to give me an idea of the kernel options to select. Following that, I ran "make" (in a screen session!!) and left it overnight.
The kernel image needed to be prepared for the Pi, and the page at elinux said to use the tools download. Git cloning them always resulted in out-of-memory errors, so I downloaded the files manually from a Windows box, copied them over and ran dos2unix on them to make sure they were OK. Note here: the tutorial suggests you just need the Python file; you need all of them. Once I had prepared the image, I copied it as per the tutorial and rebooted. Win.
<edit: I have since found out that iptables is already enabled in the Arch image. Still, I'm not sure the other bits needed for PPTP are, so it may be worth following this>
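Since the post leaves "the other bits needed for PPTP" unverified, here is an added check (not from the original post) that reports which PPTP-related options a kernel .config lacks before you spend a night on "make". The option list is my assumption, based on what pppd/pptpd and NAT'd GRE need: the PPP core and its compression/MPPE modules (Windows clients insist on MPPE encryption with MS-CHAP v2), plus the netfilter PPTP conntrack/NAT helpers; the sample config is constructed.

```shell
#!/bin/sh
# Added check, not from the original post: report which PPTP-related kernel
# options are absent from a kernel .config.  The option list below is an
# assumption based on what pppd/pptpd and NAT'd GRE need (MPPE for the
# encryption Windows clients require, the PPTP conntrack/NAT helpers for GRE).
PPTP_KCONFIG_REQUIRED="CONFIG_PPP CONFIG_PPP_ASYNC CONFIG_PPP_SYNC_TTY \
CONFIG_PPP_DEFLATE CONFIG_PPP_BSDCOMP CONFIG_PPP_MPPE CONFIG_NETFILTER \
CONFIG_NF_CONNTRACK_PPTP CONFIG_NF_NAT_PPTP"

# pptp_kconfig_missing FILE
#   Prints each required option that is absent or "is not set", one per line.
#   Returns 0 when the config has everything, 1 otherwise.
pptp_kconfig_missing() {
    missing=0
    for opt in $PPTP_KCONFIG_REQUIRED; do
        # =y (built in) and =m (module) both count as present
        if ! grep -Eq "^${opt}=[ym]\$" "$1"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample .config fragment for the demo: MPPE is disabled and the
# PPTP NAT helper is missing, as a freshly "make menuconfig"-ed tree might be.
pptp_kconfig_sample() {
    cat <<'EOF'
CONFIG_PPP=m
CONFIG_PPP_ASYNC=m
CONFIG_PPP_SYNC_TTY=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_BSDCOMP=m
# CONFIG_PPP_MPPE is not set
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_PPTP=m
EOF
}

# Demo on the constructed sample.  On a running Pi with CONFIG_IKCONFIG_PROC:
#   zcat /proc/config.gz > /tmp/config && pptp_kconfig_missing /tmp/config
tmp=$(mktemp)
pptp_kconfig_sample > "$tmp"
pptp_kconfig_missing "$tmp" || echo "kernel config lacks options PPTP needs"
rm -f "$tmp"
```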

*Installing PPTP Server in Arch*
I followed the page at https://wiki.archlinux.org/index.php/PPTP_Server which was generally pretty good. I installed pptpd using pacman -S pptpd and then followed the guide. The only change I made was to change the DNS servers from Google's (8.8.8.8) to my main router. I also didn't need to do the ufw-config bit as I had configured iptables already. The only bit that required some understanding was the remoteip bit. It seems that localip is the IP address of the RasPi and remoteip is the addresses you want VPN clients to assume.
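To make the localip/remoteip split concrete, here is an added example (not from the post or the Arch wiki) that expands pptpd's remoteip pool syntax from /etc/pptpd.conf and checks for the mistake that split invites: handing the server's own address to a client. It assumes the last-octet range form shown in the sample pptpd.conf ("192.168.1.200-210,192.168.1.250"); all addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the post or the Arch wiki: expand pptpd's remoteip
# pool syntax and check a pptpd.conf for the one mistake the localip/remoteip
# split invites, namely handing the server's own address to a client.
# Addresses below are constructed.

# pptpd_expand_remoteip SPEC
#   Expands pptpd's remoteip syntax ("192.168.1.200-210,192.168.1.250") to one
#   address per line.  Handles the last-octet range form documented in the
#   sample pptpd.conf; full-address ranges are not handled (assumption).
pptpd_expand_remoteip() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            *-*)
                prefix=${item%.*}      # 192.168.1
                range=${item##*.}      # 200-210
                lo=${range%-*}
                hi=${range#*-}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    echo "$prefix.$i"
                    i=$((i + 1))
                done ;;
            *) echo "$item" ;;
        esac
    done
}

# pptpd_check_conf FILE
#   Returns 0 if localip and remoteip are both set and localip is not inside
#   the client pool; prints the reason and returns 1 otherwise.
pptpd_check_conf() {
    localip=$(awk '$1 == "localip" { print $2 }' "$1")
    remoteip=$(awk '$1 == "remoteip" { print $2 }' "$1")
    if [ -z "$localip" ] || [ -z "$remoteip" ]; then
        echo "localip or remoteip not set"; return 1
    fi
    if pptpd_expand_remoteip "$remoteip" | grep -qxF "$localip"; then
        echo "localip $localip is inside the remoteip pool"; return 1
    fi
    return 0
}

# Demo on a constructed pptpd.conf (Pi at .2, clients get .200-.203 and .250)
tmp=$(mktemp)
printf 'option /etc/ppp/options.pptpd\nlocalip 192.168.1.2\nremoteip 192.168.1.200-203,192.168.1.250\n' > "$tmp"
pptpd_check_conf "$tmp" && pptpd_expand_remoteip 192.168.1.200-203,192.168.1.250
rm -f "$tmp"
```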

*Client Config*
So, I supposedly had the Pi configured as a VPN server. I set up dynamic DNS so I could track my IP as it changed and then port forwarded TCP 1723 to the Pi. Thankfully my router worked out forwarding GRE itself, as there were no obvious options for it. For Win7, open "Network and Sharing" centre and click "Set up a new Connection or Network". Select "Connect to a Workplace" and then choose "no, create a new connection". Click "Use my internet connection" and for the internet address use your home IP or the dynamic DNS name you have set up. Select "don't connect now, just create"; you can then skip the next stage without putting in credentials.

It will have created the adapter, so go back to Network and Sharing centre and click "manage network adapters". Right-click on the newly created VPN adapter and choose "properties". On the security tab, change "type of VPN" to "PPTP" and underneath uncheck the boxes so that only MS-CHAP v2 is allowed. Click OK and try to connect. It should work once you have entered the username and password that correspond to what you put in the "ms-chap-secrets" file.

Now I got a weird problem here. I could connect to www.google.com but not to any complex site. Ping worked, but anything more complex didn't seem to. Some very smart people helped me debug it, and it turned out that there had been something screwy in the MTU (maximum transmission unit) set by Windows, i.e. the RasPi was forwarding the packets but they were never making it to my Windows box. After (much) trial and stress, I eventually found this solution, http://support.microsoft.com/kb/826159, which (following a reboot) seems to work like a charm. If this doesn't work for you, then one thing I did do that might have affected it was change the MTU on the RasPi's Ethernet connection to 1395. I did this through ifconfig eth0 mtu 1395 and then ifconfig eth0 down && ifconfig eth0 up. Not certain this is necessary though.

*iPad config*
The iPad wasn't too bad: go to the network settings page, in there find the VPN part and configure a new connection. Put in all the basic details and away you go! Worked first time for me.