by James Cameron
26th May 2008
These are instructions for installing PPTP Client on Debian GNU/Linux.
Installing MPPE Support
|This step can be skipped if you are running Debian GNU/Linux 4.0 Etch
If you are trying to connect to a Microsoft Windows VPN Server, and it
is set to require encryption, then you will need MPPE support in the
kernel. If you know you don't, then skip this step.
MPPE support is enabled by the CONFIG_PPP_MPPE option and the
ppp_mppe kernel module.
The Debian Sarge prebuilt kernels do not provide MPPE support, because
MPPE was not included in the upstream kernel until 2.6.15. The Debian
Etch and later prebuilt kernels do provide MPPE support.
Choose one of the following according to your your skills and needs:
Then return here.
- use the Debian MPPE DKMS HOWTO to build the MPPE module for your current kernel,
- use the Debian MPPE HOWTO to patch the Debian kernel and then build a new kernel,
- upgrade to a Debian Etch kernel or later.
Verify PPP version
This step can be skipped if you are running Debian GNU/Linux 4.0 Etch
If you require MPPE support, then ensure the version of the ppp
package is at 2.4.2 or higher. Debian Woody includes 2.4.1, which
does not have MPPE support. Debian Sarge includes 2.4.3. Debian Etch
(The pptp-linux package does not depend on ppp (>= 2.4.2)
because it is possible to configure a tunnel without encryption. Do
not use a 2.4.1 version of ppp, even if it has been patched for
MPPE support, because all the patches out there we have tested are
incompatible with the MPPE support added to the kernel in the section
Installing the Client Program
Install PPTP Client from the Debian Project:
|apt-get install pptp-linux
Configuration, by hand
- obtain from your PPTP Server administrator:
- the IP address or host name of the server ($SERVER),
- the name you wish to use to refer to the tunnel ($TUNNEL),
- the authentication domain name ($DOMAIN),
- the username you are to use ($USERNAME),
- the password you are to use ($PASSWORD),
- whether encryption is required.
In the steps below, substitute these values manually. For example,
where we write $PASSWORD we expect you to replace this with your
- create or edit the /etc/ppp/options.pptp file, which sets
options common to all tunnels:
|lock noauth nobsdcomp nodeflate|
- create or add lines to the /etc/ppp/chap-secrets file,
which holds usernames and passwords:
|$DOMAIN\\$USERNAME PPTP $PASSWORD *|
Note: if you are using a PPTP Server that does not require an
authentication domain name, omit the slashes as well as the domain
Note: if the passwords contain any special characters, quote them.
See man pppd for more details.
- create a /etc/ppp/peers/$TUNNEL file:
|pty "pptp $SERVER --nolaunchpppd"|
Note: if you do not need MPPE support, then remove the
require-mppe-128 option from this file and
- start the tunnel using the pon command:
to further diagnose a failure, add options to the command:
|pon $TUNNEL debug dump logfd 2 nodetach
Note: we have further information on enabling debug mode, and on diagnosing problems.
- stop the tunnel using the poff command:
- to script the tunnel connection so that something is done as soon
as the tunnel is up, use either ip-up.d scripts or the
- see the Routing HOWTO
for examples of ip-up.d scripting that adds routes or
- using updetach will cause pppd to fork, detach,
and exit with success once the network link is up. This example
connects a provider link, then the tunnel, then runs
fetchmail to get new e-mail:
|pon provider updetach && pon $TUNNEL updetach && fetchmail
Note: the double ampersand && means that the commands
following it will only be executed if the command to the left of it
was successful. If the tunnel fails to connect, the fetchmail will
- to have the tunnel automatically restarted if it fails, add the option
persist to either the command line or the
- to have the tunnel started on system boot:
Every time your computer starts, the tunnel will be started automatically.
- for Debian Sarge and later, edit the /etc/network/interfaces file,
and add this section:
iface tunnel inet ppp
- for Debian Woody, edit the /etc/ppp/no_ppp_on_boot file, remove the first
line comment, and change the word provider to the name of your
tunnel, so that it looks like this:
$PPPD call $TUNNEL
(The line ... means the other lines in the file, it doesn't mean a
line with three dots.)
Then rename the no_ppp_on_boot file and make it executable:
|# mv /etc/ppp/no_ppp_on_boot /etc/ppp/ppp_on_boot|
# chmod +x /etc/ppp/ppp_on_boot
- to set up routing, read our Routing
If you have comments on this document, please send them to the author
at james.cameron at hp.com. But if you need help, use the mailing list so that we can share the
Removed deprecated GUI configuration program to close tracker
#1971934. Once Debian takes version 1.7.2 the pptpsetup program will
be available. Debian might also take Network Manager PPTP.
Wording of start on boot for Debian Etch (Sarge and later), reported by Robert Echlin.
Changes for Debian Etch, thanks to Heinrich Moser.
Linux 2.6.15 release updates.
Added DKMS or upgrade kernel option for MPPE.
Reverified with Debian Sarge using kernel 2.6.8. No effective changes.
Fix the tunnel on boot instructions following feedback from the Debian
Developer for the ppp package, Marco d'Itri, who said that
ppp_on_boot is now deprecated.
Removed kernelmod, as it no longer works, and no patches have been
received to fix it. Again, we need people to help use the
module-assistant package. Removed the prebuilt kernels, as
they have aged significantly.
Review and call for volunteers to integrate MPPE support into
Name change for configuration program.
Updated status of Debian's MPPE support.
Added note about the version of PPP being critical, thanks to Matt
Spotted typo while showing the page to someone on IRC. I had omitted the word NOT in the phrase "Debian project does NOT provide working MPPE".
Major rewrite, adding kernelmod method, and splitting all MPPE support
into three separate pages.