Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: francesco_r on December 13, 2008, 12:17:50 am
-
I like OpenVPN, especially for site-to-site VPN. But for road warriors, PPTP is simpler to set up and immediately available in Windows and Mac OS X.
This simple guide explains how to set up a PPTP server in Ebox using the Ebox Samba credentials.
I know that at the moment the internal Ebox firewall does not support IP protocol 47 (GRE) (is that right?), and so I think it's a problem. In my setup I use an external router with port forwarding of 1723/TCP to the LAN IP of Ebox, and it works well.
Install winbind and pptpd:
sudo apt-get install winbind pptpd
You can leave all the default settings and modify only a few things:
sudo nano /etc/pptpd.conf
and add
remoteip 192.168.1.230-250
This is the range of unused IP addresses for the clients, in the same subnet as the Ebox server (my server is, for example, at 192.168.1.10).
Enable Samba/PDC authentication in PPTP instead of the flat chap-secrets file:
sudo nano /etc/ppp/pptpd-options
and add
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Restart PPTPD:
sudo /etc/init.d/pptpd restart
UPDATE 06/08/2009
Perhaps the winbind version supplied with Ubuntu Hardy is buggy, I don't know. But you must join the domain to make it work:
sudo net rpc join -U administrator
where "administrator" is an Ebox user with administration rights.
Now on a Windows client create a connection to the public IP address of the server and log in with the Ebox username/password (the PDC account must be enabled).
In the Windows client, remember to remove the "default remote gateway" option from the VPN connection in the TCP/IP properties.
Francesco
-
Hey Francesco,
Thanks a lot for this how-to. We will probably include a small module ebox-pptp to automatize this as it's pretty simple.
Thanks!!!1
-
I am using the router to share my internet access and using the DHCP function on my router as well!
Do I need to start the DHCP server in Ebox when I use your method to install the PPTP server on my Ebox?
-
I am using the router to share my internet access and using the DHCP function on my router as well!
Do I need to start the DHCP server in Ebox when I use your method to install the PPTP server on my Ebox?
No, the client addresses are assigned by the PPTPD daemon (option remoteip).
-
I have one problem...
When I try to connect, the Windows machine responds: wrong user name...
In the logs, I have this:
Feb 14 10:42:40 brsvr0014 pppd[29148]: Plugin winbind.so loaded.
Feb 14 10:42:40 brsvr0014 pppd[29148]: WINBIND plugin initialized.
Feb 14 10:42:40 brsvr0014 pppd[29148]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Feb 14 10:42:40 brsvr0014 pppd[29148]: pptpd-logwtmp: $Version$
Feb 14 10:42:40 brsvr0014 pppd[29148]: pppd 2.4.4 started by root, uid 0
Feb 14 10:42:40 brsvr0014 pppd[29148]: using channel 13
Feb 14 10:42:40 brsvr0014 pppd[29148]: Using interface ppp0
Feb 14 10:42:40 brsvr0014 pppd[29148]: Connect: ppp0 <--> /dev/pts/1
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp> <callback CBCP>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp>]
Feb 14 10:42:40 brsvr0014 pppd[29148]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x6ece0fad> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc7cc32a3> <pcomp> <accomp>]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP EchoReq id=0x0 magic=0xc7cc32a3]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [CHAP Challenge id=0xd8 <e3ae9fc50ed7affb984922359d52100d>, name = "pptpd"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP Ident id=0x2 magic=0x6ece0fad "MSRASV5.10"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP EchoRep id=0x0 magic=0x6ece0fad]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [CHAP Response id=0xd8 <1f825f92c6543a0ab534dd666a988c9a0000000000000000dfdf2a3ad3a9640b5734d7050e49146d047e420fc0ea362900>, name = "gazambuja"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: Winbind has declined authentication for user!
Feb 14 10:42:43 brsvr0014 pppd[29148]: No logon servers
Feb 14 10:42:43 brsvr0014 pppd[29148]: Peer gazambuja failed CHAP authentication
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [CHAP Failure id=0xd8 "E=691 R=1 C=e3ae9fc50ed7affb984922359d52100d V=0 M=No logon servers"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: sent [LCP TermReq id=0x2 "Authentication failed"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
Feb 14 10:42:43 brsvr0014 pppd[29148]: Connection terminated.
Feb 14 10:42:43 brsvr0014 pppd[29148]: Exit.
Feb 14 10:42:43 brsvr0014 pptpd[29147]: CTRL: Reaping child PPP[29148]
So I try:
root@brsvr0014:~# wbinfo -p
Ping to winbindd succeeded on fd 4
root@brsvr0014:~# wbinfo -a EBOX\\gazambuja%test
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user EBOX\gazambuja%test with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user EBOX\gazambuja with challenge/response
more logs:
root@brsvr0014:~# tail /var/log/samba/log.wb-EBOX
[2009/02/14 11:53:47, 10] lib/events.c:get_timed_events_timeout(295)
timed_events_timeout: 292/847052
[2009/02/14 11:53:47, 10] lib/util_sock.c:read_data(525)
read_data: read of 2088 returned 0. Error = Success
[2009/02/14 11:53:47, 3] nsswitch/winbindd_dual.c:child_read_request(52)
Got invalid request length: 0
[2009/02/14 11:53:52, 0] libsmb/clientgen.c:cli_receive_smb(111)
Receiving SMB: Server stopped responding
Some ideas??
I have Ebox running on Ubuntu 8.04 server, all updated.
-
I have the same problem. Can someone help us?!
-
I like OpenVPN, especially for site-to-site VPN. But for road warriors, PPTP is simpler to set up and immediately available in Windows and Mac OS X.
Francesco, OpenVPN is much more secure than PPTP, and yes, you need some client on the road warriors' laptops, but the cost of configuring and installing is nothing compared to what you'll lose if one of your guys' sessions is hijacked.
Remember that security always costs too much, until it looks cheap in comparison!
Also take it one step further and get them whole-disk encryption on the laptops and make them use it... Check out the costs of a "small" data breach where they get a few thousand SSNs; your exposure could be in the 6 to 8 figure range... Lose your customer database, or a "copy" that your developers copied so that they could develop against "real" data, and you could easily be looking at 10 to 12 figures to fix and protect those folks whose data you lost, assuming that none get victimized and decide to sue.
-jeff
-
So can someone help us???
-
Well Windows doesn't just use PPTP; that's the least secure connection in it. There's always L2TP/IPsec.
-
To all people who have problems with winbind, follow the steps in this ticket (particularly the third comment):
http://trac.ebox-platform.com/ticket/1268
-
Didn't help
-
So, is there some way to enable pptp on ebox server?!
-
I had the same problem on a fresh setup. I have updated the guide with the solution.
-
What should I add to the firewall, because it blocks the connection?
If I use: iptables -I INPUT -j ACCEPT, I can connect.
Update:
I added PPTP as a service.
Added to its configuration:
Protocol   Source port   Destination port
TCP        any           1723
Added the newly created service to the firewall section "Filtering rules from external networks to ebox" with decision: ALLOW
And the firewall returns:
30.8.2009 20:00 eth2 78.90.82.89 78.90.82.221 TCP 55026 1723 DROP
30.8.2009 20:00 eth2 78.90.82.89 78.90.82.221 TCP 55026 1723 DROP
-
Thanks very much vlados for helping to resolve this issue ;).
-
ahahha :)))) I didn't ;)
-
I have a problem with the step:
sudo net rpc join -U Administrator
The answer is always: Unable to find a suitable server for domain EBOX
Please, someone help me!
-
Just a thought, but
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Could easily be changed to
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=pptp"
To restrict PPTP VPN usage to certain people easily.
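The guide at the top of the thread and the --require-membership-of variant just above, as an added shell example that is not from either post: it writes the settings idempotently and then checks them; the group name "pptp" and the file paths are assumptions passed as parameters, so it can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example, not code from the original posts. Applies the three settings
# from Francesco's guide (remoteip pool, winbind plugin, ntlm_auth helper)
# idempotently, with the --require-membership-of restriction suggested above,
# and then checks the result: the pool must not contain the server's own
# address and the helper must be restricted to a group. The group name "pptp"
# and the file paths are parameters, so it can be tried on copies first.

# remoteip_contains ADDR LIST: exit 0 if ADDR is in a pptpd remoteip LIST such
# as "192.168.1.230-250,192.168.1.5". A range spans the last octet; this helper
# also accepts the end written in full ("...230-192.168.1.250"). Ranges that
# cross a /24 boundary are not handled.
remoteip_contains() {
    addr=$1; prefix=${addr%.*}; last=${addr##*.}
    oldifs=$IFS; IFS=,
    for item in $2; do
        IFS=$oldifs
        start=${item%-*}; end=${item#*-}; end=${end##*.}
        [ "${start%.*}" = "$prefix" ] || continue
        if [ "$last" -ge "${start##*.}" ] && [ "$last" -le "$end" ]; then
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# ensure_line FILE LINE: append LINE unless an identical line already exists.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# configure_pptpd CONF OPTIONS RANGE GROUP
configure_pptpd() {
    ensure_line "$1" "remoteip $3"
    ensure_line "$2" "plugin winbind.so"
    ensure_line "$2" "ntlm_auth-helper \"/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=$4\""
}

# check_pptpd CONF OPTIONS SERVER_IP: exit 0 only if all settings are present
# and SERVER_IP lies outside the client pool.
check_pptpd() {
    range=$(sed -n 's/^remoteip[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$range" ] || return 1
    if remoteip_contains "$3" "$range"; then return 1; fi
    grep -qxF 'plugin winbind.so' "$2" &&
        grep -qE '^ntlm_auth-helper ".*--require-membership-of=[^" ]+' "$2"
}
```

Run configure_pptpd against copies of /etc/pptpd.conf and /etc/ppp/pptpd-options, then check_pptpd with the server's LAN address, before restarting pptpd.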
-
Hey Francesco,
Thanks a lot for this how-to. We will probably include a small module ebox-pptp to automatize this as it's pretty simple.
Thanks!!!1
I'm assuming this was never made, but it still seems like a good idea to include since it would probably be pretty simple to set up. I mean, it's even more simplistic than OpenVPN, it gives people more choice and a lot more flexibility, and it's a fantastic way to compete with the big name small- and medium-sized business servers which rely on the simplistic Microsoft and Apple VPN services. It's also easy enough to set up in a Linux Live; especially on Ubuntu Desktop and variants like Linux Mint.
Just a thought, but
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Could easily be changed to
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=pptp"
To restrict PPTP VPN usage to certain people easily.
This looks extremely useful. How would the session get hijacked anyway? Dictionary attacks? Isn't EAP-TLS supposed to be really secure for PPTP? If you guys leave way to better security options and permissions for a PPTP connection, I think you'll hit the jackpot. It would be nice to say "let this computer into the network, but all it gets access to is RDP" so port 3389. That's all some people use VPN for anyway.
-
I am trying to set up EBox 1.4 as a PDC for our small office (10 users). Users need to be able to access the domain and shares from remote locations using a VPN. Since PPTP is built into Windows, I am trying to set up pptpd. I have followed the instructions in this post as well as the ones from ticket 1268. I am able to connect to the pptp server but it does not accept the username and password. The log says: DOMAIN\\user failed CHAP authentication. Any help regarding this matter is greatly appreciated. Thank you.
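For the failed-CHAP cases in this post and in gazambuja's pppd log earlier in the thread, an added shell example (not from the thread) that triages pppd's syslog lines; the host name, the user names and the "Wrong password" reason in the sample are constructed, and only "No logon servers" is taken from the posted log.

```shell
#!/bin/sh
# Added example, not code from the original thread. Triages pppd log lines like
# those posted above: for each "Peer X failed CHAP authentication" it reports the
# winbind error pppd logged just before it (tracked per pppd pid, since sessions
# interleave in syslog); failing_peers then lists peers that fail repeatedly,
# which is what a defender watches for password guessing. Log lines constructed.

# triage_chap_failures LOGFILE: prints "<peer><TAB><winbind message|unknown>".
triage_chap_failures() {
    awk '
        match($0, /pppd\[[0-9]+\]/) { pid = substr($0, RSTART, RLENGTH) }
        /Winbind has declined authentication/ { declined[pid] = 1; next }
        declined[pid] == 1 {
            reason[pid] = $0; sub(/.*pppd\[[0-9]+\]: /, "", reason[pid])
            declined[pid] = 0; next
        }
        /Peer .* failed CHAP authentication/ {
            peer = $0; sub(/.*Peer /, "", peer); sub(/ failed CHAP.*/, "", peer)
            r = (pid in reason) ? reason[pid] : "unknown"
            printf "%s\t%s\n", peer, r
            delete reason[pid]
        }' "$1"
}

# failing_peers LOGFILE THRESHOLD: "<peer> <count>" for peers with at least
# THRESHOLD failed CHAP logins, most failures first.
failing_peers() {
    triage_chap_failures "$1" | cut -f1 | sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $2, $1 }' | sort -k2,2nr
}

# write_sample_log FILE: constructed excerpt in pppd's syslog format.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 14 10:42:43 vpn1 pppd[29148]: Winbind has declined authentication for user!
Feb 14 10:42:43 vpn1 pppd[29201]: Winbind has declined authentication for user!
Feb 14 10:42:43 vpn1 pppd[29148]: No logon servers
Feb 14 10:42:43 vpn1 pppd[29201]: Wrong password
Feb 14 10:42:43 vpn1 pppd[29148]: Peer alice failed CHAP authentication
Feb 14 10:42:43 vpn1 pppd[29201]: Peer bob failed CHAP authentication
Feb 14 10:43:10 vpn1 pppd[29230]: Winbind has declined authentication for user!
Feb 14 10:43:10 vpn1 pppd[29230]: Wrong password
Feb 14 10:43:10 vpn1 pppd[29230]: Peer bob failed CHAP authentication
Feb 14 10:44:02 vpn1 pppd[29260]: Peer carol failed CHAP authentication
EOF
}

log=$(mktemp); write_sample_log "$log"
triage_chap_failures "$log"; failing_peers "$log" 2; rm -f "$log"
```

A "No logon servers" reason points at winbind not reaching the domain (the net rpc join step), whereas repeated failures for one peer with a credential reason are the pattern to alert on.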
-
Hey Francesco,
Thanks a lot for this how-to. We will probably include a small module ebox-pptp to automatize this as it's pretty simple.
Thanks!!!1
Even Microsoft {MurderSoft} dropped this PPTP thing in favour of L2TP.
I'd like to see L2TP though, as it is really a better solution. Implemented on Level 2 of the OSI stack, it makes more sense. I have a couple of Sony Ericsson X10s and they have native L2TP / PPTP IPSec support in Android (the Google mobile phone software).