Author Topic: PPTP VPN server with Ebox PDC authentication  (Read 13833 times)

francesco_r

  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +1/-0
    • View Profile
PPTP VPN server with Ebox PDC authentication
« on: December 13, 2008, 12:17:50 am »
I like OpenVPN, especially for Site-to-Site VPN. But for road warriors, PPTP is more simple to setup and immediately available in Windows and Max OSX.
This simple guide explain how to setup a PPTP server in Ebox using the Ebox Samba credentials.
I know that at the moment  the internal Ebox firewall does not support the Protocol IP 47 GRE (is it right?) and so i think it's a problem. In my setup i use an external router with port forwarding of 1723/TCP to the lan ip of Ebox and works well.

Install winbind and pptpd
Code: [Select]
sudo apt-get install winbind pptpdYou can leave all the default settings and modify only a few things:
Code: [Select]
sudo nano /etc/pptpd.conf and add
Code: [Select]
remoteip 192.168.1.230-250 This is the range of unused IP address for the clients in the same subnet of the Ebox server (my server is for example at 192.168.1.10).

Enable the Samba/PDC authentication in PPTP instead of the flat chap secrets:
Code: [Select]
sudo nano /etc/ppp/pptpd-optionsand add
Code: [Select]
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Restart PPTPD:
Code: [Select]
sudo /etc/init.d/pptpd restart
UPDATE 06/08/2009

Perhaps the winbind version supplied with Ubuntu Hardy is buggy, i don't know. But you must join the domain to make it works:
Code: [Select]
sudo net rpc join -U administratorwhere "administrator" is an ebox user with administration rights.

Now on a windows client create a connection toward the public IP address of the server and login with the ebox username/password (PDC account must be enabled)
In the Windows client remember to remove from the VPN connection the "default remote gateway" options in the TCP/IP properties.

Francesco

« Last Edit: August 06, 2009, 02:35:24 pm by francesco_r »

javi

  • Zen Hero
  • *****
  • Posts: 1042
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #1 on: December 13, 2008, 11:42:05 pm »
Hey Francesco,

Thanks a lot for this how to. We will  probably include a small module ebox-pptp to automatize this as it's pretty simple.

Thanks!!!1

garysze

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #2 on: January 10, 2009, 05:44:22 pm »
I am using the router to share my internet access and using the dhcp function on my router as well!

Shall I need to start the dhcp server in Ebox when I use your method to install the PPTP server on my ebox ??

francesco_r

  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +1/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #3 on: January 14, 2009, 10:55:59 am »
I am using the router to share my internet access and using the dhcp function on my router as well!

Shall I need to start the dhcp server in Ebox when I use your method to install the PPTP server on my ebox ??


No, the client addresses are assigned by PPTPD daemon (option remoteip).

gazambuja

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #4 on: February 14, 2009, 03:13:35 pm »
I have one problem...
when i try connect, windows machine respond: worong user name...
in the logs, i have this:

Code: [Select]
Feb 14 10:42:40 brsvr0014 pppd[29148]: Plugin winbind.so loaded.
Feb 14 10:42:40 brsvr0014 pppd[29148]: WINBIND plugin initialized.
Feb 14 10:42:40 brsvr0014 pppd[29148]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Feb 14 10:42:40 brsvr0014 pppd[29148]: pptpd-logwtmp: $Version$
Feb 14 10:42:40 brsvr0014 pppd[29148]: pppd 2.4.4 started by root, uid 0
Feb 14 10:42:40 brsvr0014 pppd[29148]: using channel 13
Feb 14 10:42:40 brsvr0014 pppd[29148]: Using interface ppp0
Feb 14 10:42:40 brsvr0014 pppd[29148]: Connect: ppp0 <--> /dev/pts/1
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp> <callback CBCP>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP EchoReq id=0x0 magic=0xc7cc32a3]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [CHAP Challenge id=0xd8 <e3ae9fc50ed7affb984922359d52100d>, name = "pptpd"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP Ident id=0x2 magic=0x6ece0fad "MSRASV5.10"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP EchoRep id=0x0 magic=0x6ece0fad]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [CHAP Response id=0xd8 <1f825f92c6543a0ab534dd666a988c9a0000000000000000dfdf2a3ad3a9640b5734d7050e49146d047e420fc0ea362900>, name = "gazambuja"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: Winbind has declined authentication for user!
Feb 14 10:42:43 brsvr0014 pppd[29148]: No logon servers
Feb 14 10:42:43 brsvr0014 pppd[29148]: Peer gazambuja failed CHAP authentication
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [CHAP Failure id=0xd8 "E=691 R=1 C=e3ae9fc50ed7affb984922359d52100d V=0 M=No logon servers"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP TermReq id=0x2 "Authentication failed"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: Connection terminated.
Feb 14 10:42:43 brsvr0014 pppd[29148]: Exit.
Feb 14 10:42:43 brsvr0014 pptpd[29147]: CTRL: Reaping child PPP[29148]

so i try:
Code: [Select]
root@brsvr0014:~# wbinfo -p
Ping to winbindd succeeded on fd 4
root@brsvr0014:~# wbinfo -a EBOX\\gazambuja%test
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user EBOX\gazambuja%test with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user EBOX\gazambuja with challenge/response

more logs:
Code: [Select]
root@brsvr0014:~# tail /var/log/samba/log.wb-EBOX
[2009/02/14 11:53:47, 10] lib/events.c:get_timed_events_timeout(295)
  timed_events_timeout: 292/847052
[2009/02/14 11:53:47, 10] lib/util_sock.c:read_data(525)
  read_data: read of 2088 returned 0. Error = Success
[2009/02/14 11:53:47, 3] nsswitch/winbindd_dual.c:child_read_request(52)
  Got invalid request length: 0
[2009/02/14 11:53:52, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding

some ideas??
i have ebox running in ubuntu 8.04 server all updated.

vlados

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #5 on: April 20, 2009, 10:10:38 pm »
I have the samo problem. Can someone help us?!

poundjd

  • Zen Warrior
  • ***
  • Posts: 243
  • Karma: +0/-0
  • To your own morals be true!
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #6 on: April 21, 2009, 04:39:12 am »
I like OpenVPN, especially for Site-to-Site VPN. But for road warriors, PPTP is more simple to setup and immediately available in Windows and Max OSX.

Francesco, OpenVPN is much more secure than PPTP, and yes you need some client on the road warriors' laptops, but the cost of configuring and installing is nothing compared to what you'll lose if one of your guys sessions is hi-jacked. 

Remember that security always costs too much, until it looks cheap in comparison! 

     Also take it one step further and get them whole disk encryption on the laptops and make them use it...  check out the costs of a "Small" data breach where they get a few thousand SSN's, your exposure could be in the 6 to 8 figure range...  lose your customer database, or a "Copy" that your developers copied so that they could develop against "real" data and you could easily be looking at 10 to 12 figures to fix and protect those folks whose data you lost, assuming that none get victimized and decide to sue.
-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

vlados

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #7 on: April 25, 2009, 08:44:37 pm »
So can someone help us???

Saturn2888

  • Zen Hero
  • *****
  • Posts: 707
  • Karma: +1/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #8 on: April 27, 2009, 01:46:36 am »
Well Windows doesn't just use PPTP; that's the least secure connection in it. There's always L2TP/IPsec.
« Last Edit: July 21, 2010, 09:47:25 am by Saturn2888 »

francesco_r

  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +1/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #9 on: May 02, 2009, 09:24:37 pm »
To all people that have problems with winbind follow the steps of this ticket (particularly the third comment):

http://trac.ebox-platform.com/ticket/1268


vlados

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #10 on: June 17, 2009, 06:25:29 am »
Didn't help

vlados

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #11 on: July 23, 2009, 06:49:01 pm »
So, is there some way to enable pptp on ebox server?!

francesco_r

  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +1/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #12 on: August 06, 2009, 01:39:37 pm »
I had the same problem on a fresh setup. I have updated the guide with the solution.

vlados

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +0/-0
    • View Profile
Re: PPTP VPN server with Ebox PDC authentication
« Reply #13 on: August 30, 2009, 06:39:31 pm »
What I should add to the firewall because it blocks the connection.
If i use: iptables -I INPUT -j ACCEPT I can connect.

Update:
I added the PPTP as a service.
Added to it's configuration :
Quote
Protocol      Source port      Destination port     
TCP       any       1723

Added to firewall's section  Filtering rules from external networks to ebox the newly created service with decision: ALLOW

And the firewall returns:
Quote
30.8.2009 20:00     eth2     78.90.82.89     78.90.82.221     TCP     55026     1723     DROP
30.8.2009 20:00     eth2     78.90.82.89     78.90.82.221     TCP     55026     1723     DROP
« Last Edit: August 30, 2009, 07:07:44 pm by vlados »

sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
    • View Profile
    • Sixstone's blog
Re: PPTP VPN server with Ebox PDC authentication
« Reply #14 on: August 30, 2009, 11:00:35 pm »
Thanks very much vlados for helping to resolve this issue ;).
My secret is my silence...