Zentyal 3.2 PPTP Server

Here is howto install Zentyal 3.2 PPTP Server. Since Zentyal 3.2 the developers have decided to remove the PPTP Server and now provide a more secured implementation together with L2TP and IPSec.

But as i can notice L2TP with IPSec is buggy and I’ve managed to fix the issue that i have but also decided to install PPTP Server and remove it after there is more stable release.

This example is for the Zentyal 3.2 Server installation which is using Ubuntu 12.04 LTS.

Install and configure the PPTP Server

Login as root and install the PPTP Server

sudo su
apt-get install pptpd

My /etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns <my Zentyal IP>
proxyarp
nodefaultroute
debug
lock
nobsdcomp
mtu 1200
mru 1200
plugin winbind.so
ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="MYDOMAIN\\VPN-Clients"'

The last two lines are for Authentication, this line will allow PPTP connections to all clinets that are members of my VPN-Clients group.

My /etc/pptpd.conf

option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 192.168.0.170
remoteip 192.168.0.171-179

I’m using the bcrelay on my eth0 interface that is my internal LAN interface

Configure Zentyal Firewall

Now you need to allow traffic from your VPN clients to your local network. Create file /etc/zentyal/hooks/firewall.postservice and add your IP range to fnospoofmodules and inospoofmodules

vi /etc/zentyal/hooks/firewall.postservice
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.171/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.171/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.172/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.172/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.173/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.173/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.174/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.174/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.175/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.175/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.176/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.176/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.177/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.177/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.178/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.178/32 -j iaccept
/sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.179/32 -j faccept
/sbin/iptables -t filter -A inospoofmodules -s 192.168.0.179/32 -j iaccept
exit 0

Don’t forget the exit 0 at the end.

Now we need to allow PPTP traffic to our Zentyal Server. Go to Network -> Services and Add new PPTP Service with TCP 1723 and GRE protocol

Zentyal PPTP service

Now Allow the traffic on the WAN interfaces. Go to Firewall -> Packet Filter -> Filtering rules from external networks to Zentyal and add the PPTP service

Zentyal PPTP xternal interface

With this configuration you will be able to have PPTP clients connect to your Zentyal 3.2 Server and to enable client to connect just add him to VPN-Clients group.

Zentyalhttp://www.zentyal.org/

Nikola Stojanoski

System Administrator and Developer. Giving back to the community by blogging about my problems, solutions and practical howto's.

  • Damjan MOMIROVSKI

    How to access Zentyal through RDP.

    *Note*: this method is provided for reference only, and is not intended as a supported method of accessing Zentyal desktop interface. Use at your own risk.

    Question: How can I access Zentyal Server graphic environment using an RDP client (i.e. Windows Remote Desktop or Vinagre)?

    Answer:

    In order to access Zentyal through Remote Desktop Protocol, first we should install the xrdp daemon:

    sudo apt-get install xrdp

    Check that this should install, apart from xrdp, tightvncviewer server. In some scenarios, however, it installs vnc4server, or does not install any of these becausevnc4server is already installed.

    In those cases we will have to remove vnc4server in this way:

    sudo apt-get purge xrdp vnc4server
    sudo apt-get install tightvncserver
    sudo apt-get install xrdp

    Once done this, we just have to open the corresponding ports (3389 and 5910) in the appropriate section of Packet Filter in the Firewall, and we should be able to connect to Zentyal from remote machine using (i.e. Windows Remote Desktop or Vinagre).

  • Laurent

    Why adding identical rules so many times ?

    /sbin/iptables -t filter -A fnospoofmodules -s 192.168.0.179/32 -j faccept
    /sbin/iptables -t filter -A inospoofmodules -s 192.168.0.179/32 -j iaccept

    • nstojanoski

      it’s because I’ve added all the IP’s that i use for my PPTP connections in /etc/pptpd.conf:

      remoteip 192.168.0.171-179

      Regards

  • Jamo

    Nick, This is an awesome post. Everything work for me the first time. You are the man.

  • Manel

    hello, is this the same when adding pptp to zentyal 4.0 ?

    • nstojanoski

      Hello Manel,

      I haven’t tested it but it should work because I’m using the linux pptpd package and adding firewall rules so the server will not block the PPTP traffic.

      Regards,
      Nikola

      • Manel

        Hello Nikola,
        I do need your help please , when i modify /etc/ppp/pptpd-options and /etc/pptpd.conf
        it is impossible to save them because i have not the right it is read only . I tried to modify the right with this cmd ( chmod u+w /etc/ppp/pptpd-options) and i failed also. I have copied it and created a new file containing the file and i failed too . What should i do .Thank you for answering

        2016-03-17 8:44 GMT+01:00 lahmar manel :

        • nstojanoski

          type: sudo su
          enter your password and you will be logged in as root, then you will be able to change the file

          Regards,
          NIkola

          • Manel

            Hello Nikola,

            I can’t do it . Did you meant by “you will be able to have PPTP clients connect to your Zentyal 3.2 Server and to enable client to connect just add him to VPN-Clients group” i tried but i failed what should i do . I do really need your help please.