2005-10-22 · in Tech Notes · 315 words

The University of Kent's Computing Service provide an MPPE VPN service for students and staff. This page shows how to use it from Linux.

General advice

The specific instructions here are for Ubuntu, although it should be trivial to adapt them for other Debian-based Linux distributions, and fairly straightforward to use them on other Unix-ish operating systems.

In all the following examples, my username is ats1, and I'll pretend my password is YourPasswordHere.

The terms of service say that you're not allowed to store the password, so you've got a few options: either edit the configuration files each time (and remove the password again afterwards), write a wrapper script that does that for you, or keep the appropriate file on a password-protected encrypted filesystem.

Ubuntu ships with MPPE support in its kernel (the module's called ppp_mppe_mppc.ko), but if you need a patch for other 2.6 kernels there's one here.

You'll need to install the pptp-linux and iproute packages on Ubuntu — run:

apt-get install pptp-linux iproute

For other operating systems, the pptp program is available from the pptpclient project on SourceForge.

Since MPPE operates over IP protocol 47 (rather than something sensible like UDP), you'll need to make sure that you allow that protocol through your firewall. This is easy with iptables, but might be more awkward if you're using a dedicated router appliance.

Using the VPN

In /etc/ppp/peers/kentvpn:

pty "pptp venus.kent.ac.uk --nolaunchpppd"
name UKC\\ats1
remotename kentvpn
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
require-mppe-128
ipparam kentvpn

In /etc/ppp/chap-secrets:

UKC\\ats1 kentvpn YourPasswordHere *

In /etc/ppp/ip-up.d/kentvpn (which should be mode 755; note that you won't see the output from this script if it breaks):

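#!/bin/sh
# Only act on the kentvpn connection (matches "ipparam kentvpn" in the peer file).
[ "$PPP_IPPARAM" != "kentvpn" ] && exit
# Capture the existing default route's parameters (everything after "default").
defroute="`ip route | grep ^default | sed 's/^default//'`"
# Keep 129.12.254.0/24 on the existing default route; $defroute is left unquoted
# on purpose so that it splits into separate arguments.
ip route add 129.12.254.0/24 $defroute
# Send the rest of 129.12.0.0/16 through the VPN peer.
ip route add 129.12.0.0/16 via $PPP_REMOTE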

You can then either start it in the background with:

pon kentvpn

or run it in the foreground with:

pppd call kentvpn nodetach
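
The wrapper-script option from General advice, as an added example that is not part of the original page: it prompts for the password, writes the chap-secrets line shown above with mode 600, runs pppd in the foreground, and removes the line again when pppd exits or the script is interrupted. The function names and the connect argument are assumptions of this example; the file path, peer name and username are the ones used on this page.

```shell
#!/bin/sh
# Added example: keep the VPN password in chap-secrets only while pppd runs.
# Path, peer and user are the page's values; function names are hypothetical.
SECRETS="${SECRETS:-/etc/ppp/chap-secrets}"
PEER="kentvpn"
VPN_USER='UKC\\ats1'   # written exactly as in the peer file and chap-secrets

# Drop any existing "<user> <peer> ..." line, leaving other entries untouched.
remove_secret() {
    [ -f "$SECRETS" ] || return 0
    tmp="$(mktemp "${SECRETS}.XXXXXX")" || return 1   # mktemp creates it mode 600
    # ENVIRON is used instead of -v so awk does not unescape the backslashes.
    U="$VPN_USER" R="$PEER" \
        awk '!($1 == ENVIRON["U"] && $2 == ENVIRON["R"])' "$SECRETS" > "$tmp"
    mv "$tmp" "$SECRETS"
}

# add_secret PASSWORD: replace the entry rather than appending a duplicate.
# Passwords containing whitespace or quotes would need pppd's quoting rules.
add_secret() {
    remove_secret || return 1
    ( umask 077; printf '%s %s %s *\n' "$VPN_USER" "$PEER" "$1" >> "$SECRETS" )
    chmod 600 "$SECRETS"
}

connect() {
    # Clean up on normal exit and on Ctrl-C / kill; restore terminal echo too.
    trap 'stty echo 2>/dev/null; remove_secret' EXIT
    trap 'exit 1' INT TERM HUP
    printf 'VPN password for %s: ' "$VPN_USER" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    add_secret "$pw"; unset pw
    pppd call "$PEER" nodetach    # foreground, as on the page; returns on hangup
}

# Only "connect" starts the link, so the file can also be sourced for its functions.
if [ "${1:-}" = "connect" ]; then connect; fi
```

Run it as root with the argument connect. The password is on disk while the link is up, and the removed line is unlinked rather than wiped, so this narrows the storage window rather than eliminating it.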