Old 11-24-2008, 04:48 PM
Bill Campbell
 
PPTP VPN server

On Mon, Nov 24, 2008, "Germán Andrés Pulido F." wrote:
> Hi
>
> I've been using linux to give VPN access to my corporate LAN using the
> following software:
>
> Centos 5.2 x86
> kernel 2.6.18-92.1.18.el5xen
> pptpd (poptop) 1.3.4
> ppp 2.4.4
>
Headaches deleted.

I would highly recommend using OpenVPN rather than using pptp,
OpenVPN doesn't require kernel support as it's built on top of
SSL, is far more secure than PPTP (the product of "Kindergarten
Cryptographers" according to one well-known security paper), and
there are clients for all flavors of Windows, Linux, and Mac OS X.

Some of our clients used PPTP when we were using SuSE Enterprise
Linux, but we moved them to OpenVPN when we moved to CentOS. I
had been trying to get them off PPTP anyway, and CentOS's lack of
standard support was the factor that got them to consider OpenVPN.
I wrote a couple of scripts to automatically generate the OpenVPN
certificates for clients making it easy for unsophisticated
clients to install them on their Windows and Macs machines, and
they now are much happier than they were with PPTP.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

DOS: n., A small annoying boot virus that causes random spontaneous system
crashes, usually just before saving a massive project. Easily cured by
UNIX. See also MS-DOS, IBM-DOS, DR-DOS.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 11-24-2008, 04:56 PM
Les Mikesell
 
PPTP VPN server

Bill Campbell wrote:


I would highly recommend using OpenVPN rather than using pptp,
OpenVPN doesn't require kernel support as it's built on top of
SSL, is far more secure than PPTP (the product of "Kindergarten
Cryptographers" according to one well-known security paper), and
there are clients for all flavors of Windows, Linux, and Mac OS X.


Microsoft has updated PPTP since the only paper I know about was
written. Does anyone know if there are still problems with it or if the
linux version is updated to match?


But, openvpn is easier to use if you control the clients.

--
Les Mikesell
lesmikesell@gmail.com

 
Old 11-24-2008, 05:14 PM
Paul Heinlein
 
PPTP VPN server

On Mon, 24 Nov 2008, Les Mikesell wrote:


Bill Campbell wrote:


I would highly recommend using OpenVPN rather than using pptp,
OpenVPN doesn't require kernel support as it's built on top of
SSL, is far more secure than PPTP (the product of "Kindergarten
Cryptographers" according to one well-known security paper), and
there are clients for all flavors of Windows, Linux, and Mac OS X.


Microsoft has updated PPTP since the only paper I know about was
written. Does anyone know if there are still problems with it or if
the linux version is updated to match?


But, openvpn is easier to use if you control the clients.


If only Apple would add /dev/tun to the iPhone -- then our iPhone
users could run OpenVPN and the sysadmin portion of my life would
become somewhat less annoying...


--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
 
Old 11-24-2008, 05:38 PM
"Filipe Brandenburger"
 
PPTP VPN server

Hi,

On Mon, Nov 24, 2008 at 12:56, Les Mikesell <lesmikesell@gmail.com> wrote:
> Microsoft has updated PPTP since the only paper I know about was written.
> Does anyone know if there are still problems with it or if the linux
> version is updated to match?

From http://pptpclient.sourceforge.net/protocol-security.phtml:

"PPTP on Linux, and Microsoft's PPTP, both implement fixes for vulnerabilities that were detected years ago in Microsoft's PPTP. But there remain the design vulnerabilities that cannot be fixed without changing the design. The changes needed would break interoperability. We can't change the Linux PPTP design, because it would stop working with Microsoft PPTP. They can't change their design, because it would stop working with all the other components out there, such as Nortel and Cisco, embedded routers, ADSL modems and their own Windows installed base."


And POPTOP (http://poptop.sourceforge.net/dox/qna.html#12):

In conclusion: Poptop suffers the same security vulnerabilities as the NT server (this is because it operates with Windows clients).

Update: MSCHAPv2 has been released and addresses some of the security issues. Poptop works with MSCHAPv2, which is implemented in pppd.

Wikipedia (http://en.wikipedia.org/wiki/PPTP):


PPTP has been made obsolete by Layer 2 Tunneling Protocol (L2TP) and IPSec.


From these sources, I can't tell for sure if the protocol has vulnerabilities by design or not, but in any case there seems to be agreement that other VPN protocols such as IPSec are much more secure and reliable than PPTP. I would not recommend starting a VPN implementation using PPTP.


L2TP/IPSec seems to be the best alternative regarding client support (built-in support on Windows XP, Mac and the iPhone), only it is very hard to implement on a Linux server, and there are issues with NAT traversal. OpenVPN is easy to implement and seems to work very well with NAT, but clients must be downloaded and installed for most platforms, and are not available, for instance, for the iPhone.


HTH,
Filipe


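A defender-side check that follows from the sources Filipe quotes: an added example, not code from the thread or from the poptop/pppd projects, that audits the pppd options file poptop loads (/etc/ppp/options.pptpd by default) for the settings that stop pppd from negotiating anything weaker than MS-CHAPv2 with 128-bit MPPE. The option names are real pppd 2.4.x options; both sample files are constructed. This only enforces the strongest configuration pppd offers; it does nothing about the design-level problems the quoted pages describe.

```python
# Added example (not from the thread or from poptop/pppd): audit a pppd
# options file for authentication and MPPE settings.  Samples are constructed.

# Options that must be present, and what their absence lets pppd negotiate.
REQUIRED = (
    ("refuse-pap", "pppd will still accept PAP (cleartext password) if the client asks"),
    ("refuse-chap", "pppd will still accept plain CHAP if the client asks"),
    ("refuse-mschap", "pppd will still accept MS-CHAPv1 if the client asks"),
    ("require-mschap-v2", "MS-CHAPv2 is not required, so a weaker method may be negotiated"),
    ("require-mppe-128", "128-bit MPPE is not required; 40/56-bit or no encryption may be accepted"),
)

def parse_options(text):
    """Return the set of option names in a pppd options file.
    Comments (#), blank lines and option arguments are discarded."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names

def audit(text):
    """Return a list of findings; an empty list means the file enforces
    MS-CHAPv2 plus 128-bit MPPE and refuses the weaker methods."""
    names = parse_options(text)
    findings = [f"missing {opt}: {why}" for opt, why in REQUIRED if opt not in names]
    if "nomppe" in names:
        findings.append("nomppe present: MPPE encryption is disabled entirely")
    return findings

# Constructed sample: a minimal options.pptpd that sets up the PPP link but
# says nothing about authentication or encryption.
WEAK_OPTIONS = """\
name pptpd
ms-dns 192.0.2.53      # constructed DNS address
proxyarp
nobsdcomp
novj
"""

# Constructed sample: the same file with the refuse-*/require-* lines added.
HARDENED_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.0.2.53      # constructed DNS address
proxyarp
nobsdcomp
novj
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(text) or "OK")
```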
 
Old 11-25-2008, 03:31 AM
"Germán Andrés Pulido F."
 
PPTP VPN server

Thanks everyone for your help. I still cannot guess what the problem is
with the rebooting of the server, but I'm currently reading about
openvpn, it seems to be the best solution for my issue.



Regards.



--

Cordialmente,


GERMAN ANDRES PULIDO F.
Ingeniero de Proyectos
GLOBAL TECHNOLOGY SERVICES - GTS S.A.
-------------------------------------
Tel: (571) 658 34 10 ext 110
Carrera 7b No. 123-46
Bogotá-Colombia
Sitio Web: www.gtscolombia.com



 
Old 11-25-2008, 08:49 AM
"Amos Shapira"
 
PPTP VPN server

2008/11/25 Les Mikesell <lesmikesell@gmail.com>:
> Microsoft has updated PPTP since the only paper I know about was written.
> Does anyone know if there are still problems with it or if the linux
> version is updated to match?

In addition to Filipe's detailed reply - when I was looking at details
for a new VPN server options in the last few days I noticed that PPTP
support was always mentioned as "PPTP+IPSEC", which doesn't give an
impression like people who use or sell PPTP don't have much confidence
in its security when used stand-alone.

Cheers,

--Amos
 
Old 11-25-2008, 01:40 PM
Ross Walker
 
PPTP VPN server

On Nov 24, 2008, at 11:31 PM, "Germán Andrés Pulido F." <gpulido@gtscolombia.com> wrote:


Thanks everyone for your help. I still cannot guess what the problem
is with the rebooting of the server, but I'm currently reading about
openvpn, it seems to be the best solution for my issue.


There have been some show stopper bugs in Xen with regard to networking.

Maybe the handling of a large volume of GRE packets in your VM has hit
one of those.


Personally I would give the free ESXi server a go and see how that
works; its network handling is more mature.


-Ross


 
Old 11-25-2008, 03:03 PM
"Jason Pyeron"
 
PPTP VPN server

Sorry for the late jump in here, hence the top post
(missing earlier posts).

I have a working setup as you described without the reboot problem.
There is one difference, we are using VMWare (free version).

It even authenticates against the domain controller for vpn
sessions.

I would be happy to help find the differences in your setup, or help you
"copy" ours.

-Jason




--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately. Any other use of the email by you
is prohibited.
 
Old 11-25-2008, 03:45 PM
"Germán Andrés Pulido F."
 
PPTP VPN server

Hi!

Thanks for your help. The free version of vmware is ESXi, that's what
you are using right? I also authenticate VPN sessions against the domain
controller, that also works beautifully. Only issue is the reboot of the
server. However, I found that terminal services is not the only thing
that produces the reboot, once I managed to reboot it while just
browsing some of our internal web servers (plain HTTP) so the bug is not
strictly related to Terminal Services. Now, the fact that you have the
same configuration running seems to imply that the issue is with
something specific to my installation. Now, a quick question: did you
compile pptpd yourself, or did you use RPMs from the official web site?


Thanks again.


 
Old 11-25-2008, 04:41 PM
"Jason Pyeron"
 
PPTP VPN server

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of "Germán
> Andrés Pulido F."
> Sent: Tuesday, November 25, 2008 11:46 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] PPTP VPN server
>
> Hi!
>
> Thanks for your help. The free version of vmware is ESXi,

http://www.vmware.com/download/server/ (using 1.x series)


> that's what you are using right? I also authenticate VPN
> sessions against the domain controller, that also works
> beautifully. Only issue is the reboot of the server. However,
> I found that terminal services is not the only think that
> produces the reboot, once I managed to reboot it while just

What is the uptime on the VM host?

> browsing some of our internal web servers (plain HTTP) so the
> bug is not strictly related to Terminal Services. Now, the
> fact that you have the same configuration running seems to
> imply that the issue is with something specific to my
> installation. Now, a quick question: did you compile pptpd
> yourself? or you used RPMs from the official web site?

No compiling here, we have no time... Direct from a CentOS yum repo near you.

[root@XXXXXXXXXXXXXX ~]# cat /etc/issue
CentOS release 5 (Final)
Kernel \r on an \m
[root@XXXXXXXXXXXXXX ~]# rpm -qf /usr/sbin/pptpd
pptpd-1.3.4-1.rhel5.1
[root@XXXXXXXXXXXXXX ~]# uname -a
Linux XXXXXXXXXXXXXX.ZZZZZZZZZZZZZZZZZZZZZZ 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5
11:36:49 EST 2008 i686 athlon i386 GNU/Linux
[root@XXXXXXXXXXXXXX ~]#

>
> Thanks again.
>
> Jason Pyeron wrote:
> > Sorry for the late jump in here, hence the top post
> (missing earlier
> > posts).
> >
> > I have a working setup as you described with out the reboot
> problem.
> > There is one difference, we are using VMWare (free version).
> >
> > It even authenticates against the domain controller for vpn
> sessions.
> >
> > I would be happy to help find the differences in your
> setup, or help
> > you "copy" ours.
> >
> > -Jason
> >
>
> --
>


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


 
