Connecting To a PPTP Server From the Command Line
There are many different flavors of PPTP clients, most of them graphical. If you're unfortunate enough to be on an MS (Windows) system, you're stuck with theirs and all of its limitations, but those of us who are fortunate enough to be working on Linux can do much better. This article will focus on setting up PPTP (Point-To-Point Tunnelling Protocol) clients from the command line. The huge advantage that we gain by switching to the CLI (Command Line Interface) is that we're no longer limited in the number of open connections we can have. It's also a great deal faster to use the command line, both for setup and connection, and it's really quite simple.
To begin, you'll need to have the pptp client installed on your machine. For those on Debian and Ubuntu systems,
apt-get install pptp-linux
will install pptp-linux (and ppp, if you don't already have it). If that won't work for you, you can get it at the pptpclient project page. Once you have it installed, you'll want to get up and running! Keep in mind that to issue these commands, you either have to be the 'root' user, or you'll need to 'sudo' them. To set up your first pptp connection, use the pptpsetup command like so:
pptpsetup --create <tunnelname> --server <remote endpoint> --username <user> --password <passwd> --encrypt
This will create the appropriate files for you in /etc/ppp, namely a file named <tunnelname> in /etc/ppp/peers/.
Note:
If you don't have the pptpsetup command, you likely have an older version of pptp installed. You can download the latest version from the aforementioned project page, or use the attached version of the pptpsetup command. It's just a simple perl script that writes the appropriate files, so it should work for older versions just fine. Once downloaded, put it in /usr/local/bin and make it executable with
chmod +x /usr/local/bin/pptpsetup
and then you can run it as indicated above.
Then, to start up the tunnel, you just do:
pon <tunnelname>
and to close it again
poff <tunnelname>
or
poff -a
to close all open tunnels. PPTP will automatically assign the next numbered "pppN" interface to your tunnel. I haven't discovered a limit to the number of open connections yet.
Should you be connecting to a subnet and not just one machine, you'll need to add some routing for your network. You have several options here. Firstly, you could open up your /etc/ppp/peers/<connectionname> file and add the line 'defaultroute' to add a default route to your routing table, or 'replacedefaultroute' to replace your existing default route. This is a bit messy though, and will effectively limit you to having one tunnel up at a time.
To add specific routes through the remote endpoint, you can use a script placed in /etc/ppp/ip-up.d. The sample one here is called 'vpnroutes'. It doesn't really matter what it's called though, just make sure it's executable and in that directory.
#!/bin/sh
# pppd ip-up script for tunnel-specific routing

# provided by pppd: string to identify connection aka ipparam option
CONNECTION=$6
if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi

# provided by pppd: interface name
TUNNEL=$1
if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi

# networks to route through this tunnel, chosen by connection name
NETS=""
case "${CONNECTION}" in
    connection1)
        NETS="192.168.1.0/24"
        ;;
    connection2)
        NETS="192.168.2.0/24 192.168.3.0/24"
        ;;
    connection3)
        NETS="192.168.4.0/24
              192.168.5.0/24
              192.168.6.0/24"
        ;;
esac

# $NETS is left unquoted on purpose so it splits into one network per word
for i in $NETS; do
    route add -net "${i}" gw "${IPREMOTE}"
done
Here, we have three connections named 'connection1', 'connection2' and 'connection3'. These are the names of the connections, not the actual endpoints. When each one is connected, the script is called, and sets up the appropriate routes. These routes are automatically removed by the kernel when the connection is terminated, so no need to worry about removing them. And since they're network-specific, they won't affect the rest of your local machine's routing.
If you are constantly adding, modifying and removing pptp connections, you might change the script to parse a file that contains route listings, as opposed to editing the script every time you had a new route to add.
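One way to do that, as an added example that is not part of the original article: a variant of the script above that reads its routes from a file. The file path, its "name network/prefix" format and the function names are assumptions made for this example; because ip-up.d scripts run as root, it only uses a root-owned file that group and others cannot write, and skips entries that don't look like a network.

```shell
#!/bin/sh
# Added example: file-driven variant of the 'vpnroutes' ip-up.d script.
# Assumed file format (not from the article), one route per line:
#   <connection-name> <network>/<prefix>      '#' starts a comment
ROUTES_FILE="${ROUTES_FILE:-/etc/ppp/vpnroutes.conf}"   # hypothetical path

# Succeed only if $1 is a regular file owned by user $2 and not writable by
# group or others; this script runs as root, so its input must be trusted.
trusted_file() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002)" ]
}

# Shape check for a.b.c.d/len; anything else is never handed to route(8).
valid_net() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the valid networks listed for connection $1 in file $2.
routes_for() {
    while read -r name net rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        [ "$name" = "$1" ] || continue
        if valid_net "$net"; then echo "$net"; fi
    done < "$2"
    return 0
}

# Same inputs as the script above: ipparam as $6 or PPP_IPPARAM, plus IPREMOTE.
CONNECTION=${6:-${PPP_IPPARAM:-}}
if [ -n "$CONNECTION" ] && [ -n "${IPREMOTE:-}" ]; then
    if trusted_file "$ROUTES_FILE" root; then
        for net in $(routes_for "$CONNECTION" "$ROUTES_FILE"); do
            route add -net "$net" gw "$IPREMOTE"
        done
    else
        logger -t vpnroutes "skipping $ROUTES_FILE: not root-owned or writable by others"
    fi
fi
```

With this in place, adding a route means adding one line such as "connection2 192.168.3.0/24" to the file; the script itself stays untouched.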
If you're having trouble getting connected, the command
plog
will give you the last few lines from the /var/log/ppp.log file. It makes use of the tail command, so any arguments you might pass to tail (e.g., '-n 20' or '-f') you can pass to plog.
A word of caution, though. If you can avoid using pptp for a vpn connection, do so. It's rather insecure. If you're connecting one GNU/Linux system to another, use OpenVPN or ipsec instead. Just because GNU/Linux has a pptp client, doesn't mean it's secure. It's available primarily for interoperability with Windows systems and older equipment.


