Readers will learn how to configure the EdgeRouter as a PPTP (Point to Point Tunneling Protocol) server using RADIUS authentication. Please see the PPTP VPN Server article for information on how to set up local authentication with PPTP.
ATTENTION: Packets passed through a PPTP tunnel are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and of basic networking is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
Equipment used in this article:
- Windows Server 2016 Network Policy Server (NPS)
- Test clients
Table of Contents
- Network Diagram
- Steps: PPTP VPN Server
- Steps: Windows Server
- Steps: Windows Client
- Steps: Testing & Verification
- Related Articles
The network topology is shown below and the following interfaces are in use on the EdgeRouter:
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
Steps: PPTP VPN Server
For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.
The ports and protocol that are relevant to PPTP are:
- TCP 1723 (PPTP)
- Protocol 47 (GRE)
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Add a firewall rule for the PPTP traffic to the local firewall policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description PPTP
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp
NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.
3. Configure the server authentication settings (replace <secret> with your desired passphrases).
set vpn pptp remote-access authentication radius-server 192.168.1.10 key <secret>
set vpn pptp remote-access authentication radius-server 192.168.1.10 port 1812
set vpn pptp remote-access authentication mode radius
NOTE: The default port used for RADIUS authentication in EdgeOS is UDP 1812.
4. Define the IP address pool that will be used by the VPN clients.
set vpn pptp remote-access client-ip-pool start 192.168.100.240
set vpn pptp remote-access client-ip-pool stop 192.168.100.249
NOTE: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.
5. Define the DNS server(s) that will be used by the VPN clients.
set vpn pptp remote-access dns-servers server-1 220.127.116.11
set vpn pptp remote-access dns-servers server-2 18.104.22.168
(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.
set vpn pptp remote-access dns-servers server-1 192.168.1.1
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1
6. Define the WAN interface which will receive PPTP requests from clients.
Configure only one of the following statements, choosing the one that matches how your WAN interface obtains its address:
(A) Your WAN interface receives an address through DHCP.
set vpn pptp remote-access dhcp-interface eth0
(B) Your WAN interface is configured with a static address.
set vpn pptp remote-access outside-address 203.0.113.1
(C) Your WAN interface receives an address through PPPoE.
set vpn pptp remote-access outside-address 0.0.0.0
7. (Optional) Lower the MTU for PPTP traffic.
Experiment with lowering the MTU value if the performance of the PPTP tunnel is poor. An example of when this can happen is when the external WAN interface uses PPPoE (1492 byte MTU).
set vpn pptp remote-access mtu <mtu-value>
8. Commit the changes and save the configuration.
commit ; save
Steps: Windows Server
The section below (briefly) focuses on configuring the Network Policy and Access Services (NPS) role on a Windows 2016 server. There are multiple guides available online that go into more detail than this article.
1. Add the NPS role.
Server Manager > Add Roles and Features > Network Policy and Access Services
2. Add the EdgeRouter to the RADIUS clients (replace <secret> with your desired passphrase).
Network Policy Server Console (NPS) > Radius Clients and Servers > Radius Clients > New
Friendly Name: ER-4 (does not have to match device hostname)
Address (IP or DNS): 192.168.1.1 (the source address of the router)
Shared Secrets Template: None
Shared Secret: Manual
Shared Secret / Confirm: <secret>
NOTE: You can also create a ‘RADIUS Shared Secret Template’ and use the same passphrase for all RADIUS Clients.
3. Create a Network Policy for the RADIUS clients.
NPS > Policies > Network Policy > New
Policy Name: ER Radius Clients
Type of Network Access Server: Unspecified
Specify Conditions > Add
Client Friendly Name: ER-?
User Groups: UBNT\Network Engineers
NOTE: You can use Active Directory (AD) or local users (Windows Group) for authentication. In this example, the users allowed to authenticate to the ER are ‘Network Engineers’ in the UBNT domain. You can use expressions when matching the ‘Client Friendly Name’. For example 'ER-?' matches device names starting with 'ER-'.
Next > Specify Access Permission
Next > Configure Authentication Methods
Uncheck all methods and check ‘Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2)’
Next > Configure Constraints > Next > Configure Settings > Radius Attributes: Standard
Routing and Remote Access > Encryption
Uncheck all methods and check ‘Strongest Encryption (MPPE 128-bit)’
Steps: Windows Client
There are different ways to connect to a PPTP server using a multitude of applications and operating systems. In this article, we are focusing on only one, the built-in Windows 10 VPN client. Please note that the built-in macOS PPTP client was removed starting from macOS Sierra.
1. Navigate to the Windows 10 VPN settings and add a new connection.
Settings > Network & Internet > VPN > Add a VPN connection
VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: Point to Point Tunneling Protocol (PPTP)
Type of sign-in info: User name and password
User name: <username>
2. Navigate to the Windows 10 Network connections.
Settings > Network & Internet > Status > Change Adapter Options > PPTP Adapter properties
Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
Steps: Testing & Verification
1. Verify that the traffic is increasing the counters on the PPTP firewall rule.
show firewall name WAN_LOCAL statistics
IPv4 Firewall "WAN_LOCAL" [WAN to router]
Active on (eth0,LOCAL)

rule   packets  bytes   action  description
----   -------  -----   ------  -----------
10     1549     142354  ACCEPT  Allow established/related
20     0        0       DROP    Drop invalid state
30     6        312     ACCEPT  PPTP
10000  9        702     DROP    DEFAULT ACTION
2. Capture the PPTP traffic on the WAN interface.
sudo tcpdump -i eth0 -n tcp dst port 1723
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [S], seq 2520152954, win 64240, options
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [.], ack 2843548513, win 256, length 0
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [P.], seq 0:156, ack 1, win 256, length 156: pptp
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [P.], seq 156:324, ack 157, win 256, length 168: pptp
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [P.], seq 324:348, ack 189, win 255, length 24: pptp
IP 192.0.2.1.30540 > 203.0.113.1.1723: Flags [P.], seq 348:372, ack 189, win 255, length 24: pptp
NOTE: This is a live capture. If there is no output that means that the traffic is either not being generated by the client, or there is something blocking the traffic upstream. If there is output here and the connection is not establishing, verify the firewall rules above.
3. Verify the status of the remote access users and interfaces.
show vpn remote-access
Active remote access VPN sessions:

User        Time       Proto  Iface  Remote IP        TX pkt/byte   RX pkt/byte
----------  ---------  -----  -----  ---------------  -----  -----  -----  -----
user1       00h05m57s  PPTP   pptp0  192.168.100.240      8    104     87   7.5K
user2       00h03m20s  PPTP   pptp1  192.168.100.241     12    367     80   6.4K

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down

Interface  IP Address    S/L  Description
---------  ------------  ---  -----------
pptp0      10.255.254.0  u/u  User: user1
pptp1      10.255.254.0  u/u  User: user2
4. Analyze the PPTP log messages.
show log | match pppd
ubnt pppd: pppd 2.4.4 started by root, uid 0
ubnt pppd: Connect: ppp0 <--> /dev/pts/2
ubnt pppd: peer from calling number 192.0.2.1 authorized
ubnt pppd: MPPE 128-bit stateless compression enabled
ubnt pppd: local IP address 10.255.254.0
ubnt pppd: remote IP address 192.168.100.240
ubnt pppd: pppd 2.4.4 started by root, uid 0
ubnt pppd: Connect: ppp1 <--> /dev/pts/3
ubnt pppd: peer from calling number 198.51.100.1 authorized
ubnt pppd: local IP address 10.255.254.0
ubnt pppd: remote IP address 192.168.100.241
5. Capture the RADIUS authentication requests and responses on the internal interface.
sudo tcpdump -i eth1 -n -vv udp dst port 1812
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:37:12.507645 IP (tos 0x0, ttl 64, id 51495, offset 0, flags [DF], proto UDP (17), length 172)
    192.168.1.1.59172 > 192.168.1.100.1812: [udp sum ok] RADIUS, length: 144
        Access-Request (1), id: 0x8d, Authenticator: 7c5624329f1acdad11da5cde16e9ce37
          Service-Type Attribute (6), length: 6, Value: Framed
            0x0000:  0000 0002
          Framed-Protocol Attribute (7), length: 6, Value: PPP
            0x0000:  0000 0001
          User-Name Attribute (1), length: 7, Value: user1
            0x0000:  7573 6572 31
          Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
            Vendor Attribute: 11, Length: 16, Value: v_..\a....|.|..F
            0x0000:  0000 0137 0b12 765f c9ff 5c61 dd1c fbad
            0x0010:  7c85 7c00 9a46
          Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 25, Length: 50, Value: ..........h..._............n}......v...w*(.&..a.K.
            0x0000:  0000 0137 1934 9900 bf2e c0ba e60b cb8a
            0x0010:  68e1 f39a 5faa a0c3 0000 0000 0000 0000
            0x0020:  c06e 7dbd 2ebb a8cc 8476 a1e2 b877 2a28
            0x0030:  a126 d9d4 61a9 4bc6
          Calling-Station-Id Attribute (31), length: 11, Value: 192.0.2.1
            0x0000:  3139 322e 302e 322e 31
          NAS-IP-Address Attribute (4), length: 6, Value: 127.0.1.1
            0x0000:  7f00 0101
          NAS-Port Attribute (5), length: 6, Value: 0
            0x0000:  0000 0000
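As an added example (not part of the Ubiquiti article), the Python below rebuilds the Access-Request from the capture above out of its hex dumps and decodes it, so the attributes the EdgeRouter sends to NPS can be checked field by field. It also shows why NPS must identify the RADIUS client by the packet's source address (192.168.1.1, as entered in step 2 of the Windows Server section) rather than by the NAS-IP-Address attribute, which here carries 127.0.1.1. Attribute names follow RFC 2865 and RFC 2548; parse_radius and mschap2_response are hypothetical helper names.

```python
import struct
import ipaddress

# Attribute names (RFC 2865) and Microsoft VSA names (RFC 2548) present in the capture above.
ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
        7: "Framed-Protocol", 31: "Calling-Station-Id"}
MS_VENDOR = 311
MS_ATTR = {11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def attr(atype, data):                       # Type, Length (header included), Value
    return bytes([atype, len(data) + 2]) + data

def ms_vsa(vtype, data):                     # Vendor-Specific with Vendor-Id 311 (Microsoft)
    return attr(26, struct.pack("!I", MS_VENDOR) + bytes([vtype, len(data) + 2]) + data)

# Constructed sample: the Access-Request from the tcpdump above, rebuilt from its hex dumps.
SAMPLE = (struct.pack("!BBH", 1, 0x8d, 144) + bytes.fromhex("7c5624329f1acdad11da5cde16e9ce37")
          + attr(6, struct.pack("!I", 2)) + attr(7, struct.pack("!I", 1)) + attr(1, b"user1")
          + ms_vsa(11, bytes.fromhex("765fc9ff5c61dd1cfbad7c857c009a46"))
          + ms_vsa(25, bytes.fromhex("9900bf2ec0bae60bcb8a68e1f39a5faaa0c30000000000000000"
                                     "c06e7dbd2ebba8cc8476a1e2b8772a28a126d9d461a94bc6"))
          + attr(31, b"192.0.2.1") + attr(4, bytes([127, 0, 1, 1])) + attr(5, struct.pack("!I", 0)))

def parse_radius(pkt):
    """Return (code, identifier, {attribute name: value}); reject inconsistent length fields."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    out, pos = {}, 20                            # bytes 4..19 are the Request Authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:      # a forged length must not walk off the packet
            raise ValueError("truncated attribute")
        data = pkt[pos + 2:pos + alen]
        if atype == 26:                          # Vendor-Id, Vendor-Type, Vendor-Length, then value
            vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
            name = MS_ATTR.get(vtype) if vendor == MS_VENDOR else None
            out[name or f"VSA-{vendor}-{vtype}"] = data[6:4 + vlen]
        elif atype in (1, 31):                   # text attributes
            out[ATTR[atype]] = data.decode("ascii", "replace")
        elif atype == 4:                         # NAS-IP-Address is a packed IPv4 address
            out[ATTR[atype]] = str(ipaddress.IPv4Address(data))
        else:                                    # 32-bit integer attributes (anything else as hex)
            out[ATTR.get(atype, f"Attr-{atype}")] = struct.unpack("!I", data)[0] if len(data) == 4 else data.hex()
        pos += alen
    return code, ident, out

def mschap2_response(blob):
    """Split the 50-byte MS-CHAP2-Response into Ident, Flags, Peer-Challenge, Reserved, NT-Response."""
    return blob[0], blob[1], blob[2:18], blob[18:26], blob[26:50]
```

The decoded NAS-IP-Address (127.0.1.1) never matches the router's LAN address, which is why the RADIUS client entry on NPS is keyed to 192.168.1.1, the source address of the datagram.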
6. Analyze the event logs on the RADIUS server.
Event Viewer > Custom Views > ServerRoles > Network Policy and Access Services
NOTE: If access to the user is granted but the PPTP connection fails to establish, verify the MPPE encryption settings on the NPS server. The PPTP logs will show the 'MPPE required, but keys are not available. Possible plugin problem?' error message if this is the case.