Linux PPTP Masquerading Page
PPTP is the Point to Point Tunneling Protocol that is currently used
by Windows 95/NT for creating Virtual Private Networks (VPNs). PPTP
makes use of GRE, the Internet Generic Routing and Encapsulation
Protocol as defined by RFC 1701 and RFC 1702. Since Microsoft can of
course improve on any standard, they created GRE V2 that they make use
of in their implementation of PPTP. There is now an
Internet Draft available that discusses PPTP.
Here is more information about PPTP.
- If you are trying to connect to a PPTP server that is behind a firewall,
check out
ipfwd.
- For a Linux PPTP server implementation, see
PoPTP. This page
also has links on how to set up VPNs.
- For a Linux PPTP client implementation by, see
client PPTP.
I have created a module to allow Linux IP masquerading to handle PPTP.
Similar work was done by John Hardin, and his
PPTP masquerading page has far better instructions than mine. Mine
works fine, but if you need more help, his site is a good way to go.
There are some limitations. Currently, only one inside machine can have
an open virtual circuit to an outside machine X. If another inside machine
connects to machine X, the first inside machine will lose its connection
because packets will be intermixed. This problem exists because this
protocol is not port based. There are a couple of things in the PPTP spec
that might allow IP masquerading to work more generically. There are
callID and peerCallID areas that could act as identifiers for sessions.
The only problem is that Windows NT sets both of them to 0, so nothing
useful can be done with them currently. I may modify the code to see
if an NT server machine just sets peerCallID to the callID that the
connecting client specifies. If so, then masquerading would work for
any number of inside machines.
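The limitation above, as an added example (not code from the patches on this page): a demultiplexing table keyed on the server address alone loses the first inside host when a second one connects, while one keyed on the GRE Call ID keeps both as long as the Call IDs differ. The table layout, the function names and the assumption that each client's Call ID is already known from its control connection are illustrative; the header layout is that of PPTP's GRE version 1.

```c
#include <stddef.h>
#include <stdint.h>

#define GRE_PROTO_PPTP 0x880B  /* protocol type carried in PPTP's GRE header */
#define MAX_SESS 8             /* hypothetical table size */

/* Constructed samples: first 8 bytes of GRE v1 headers, Call IDs 1 and 2. */
static const uint8_t PKT_A[8] = {0x30, 0x01, 0x88, 0x0B, 0x00, 0x04, 0x00, 0x01};
static const uint8_t PKT_B[8] = {0x30, 0x01, 0x88, 0x0B, 0x00, 0x04, 0x00, 0x02};

/* Parse a GRE version 1 header; returns 0 and stores the Call ID on success. */
int gre_call_id(const uint8_t *p, size_t len, uint16_t *call_id)
{
    if (len < 8) return -1;                /* flags, proto, payload len, Call ID */
    if (!(p[0] & 0x20)) return -1;         /* K bit: key (Call ID) field present */
    if ((p[1] & 0x07) != 1) return -1;     /* version field must be 1 */
    if (((p[2] << 8) | p[3]) != GRE_PROTO_PPTP) return -1;
    *call_id = (uint16_t)((p[6] << 8) | p[7]);
    return 0;
}

struct sess { uint32_t server, inside; uint16_t call_id; };
struct table { struct sess s[MAX_SESS]; int n; int use_call_id; };

/* Add a mapping; an entry with the same key is overwritten (the collision). */
void masq_add(struct table *t, uint32_t server, uint16_t call_id, uint32_t inside)
{
    for (int i = 0; i < t->n; i++)
        if (t->s[i].server == server &&
            (!t->use_call_id || t->s[i].call_id == call_id)) {
            t->s[i].inside = inside; t->s[i].call_id = call_id;
            return;
        }
    if (t->n < MAX_SESS)
        t->s[t->n++] = (struct sess){ server, inside, call_id };
}

/* Choose the inside host for an inbound GRE packet from server; 0 if none. */
uint32_t masq_demux(const struct table *t, uint32_t server,
                    const uint8_t *gre, size_t len)
{
    uint16_t cid;
    if (gre_call_id(gre, len, &cid) != 0) return 0;
    for (int i = 0; i < t->n; i++)
        if (t->s[i].server == server &&
            (!t->use_call_id || t->s[i].call_id == cid))
            return t->s[i].inside;
    return 0;
}
```

If both clients present Call ID 0, the keys are identical again and the Call ID table collapses to a single entry, just like the address-only table.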
To use any of the following patches, you need to select
CONFIG_IP_MASQUERADE_GRE.
- patch-ipmasq-pptp-2.0.34: Patch against 2.0.34 kernel, should work with 2.0.34+ kernels.
- patch-ipmasq-pptp-2.0.30: Patch against 2.0.30 kernel, should work with most 2.0.x kernels before 2.0.3?.
- patch-ipmasq-pptp-2.1.42: Patch against 2.1.42 kernel, should work with most 2.1.x kernels.
To use the following patch, you need to select
CONFIG_IP_MASQUERADE_PPTP in your kernel config. It can
be built as either a module or into the kernel. To load it as a module,
run insmod ip_masq_pptp.
- patch-ipmasq-pptp-2.1.105: Patch against 2.1.105 kernel, should work with kernels through at least 2.1.115.
- patch-ipmasq-pptp-2.2.2: Patch against 2.2.2 kernel. Thanks to
William Avery for updating my 2.1.105
patch to 2.2.2.
- patch-ipmasq-pptp-2.2.5: Patch against 2.2.5 kernel as distributed in RedHat 6.0.
- patch-ipmasq-pptp-2.2.5-RH6.0: Another patch against 2.2.5 kernel as distributed in RedHat 6.0. Some people have reported problems with the previous one.
- patch-ipmqasq-2.2.1multi:
Multiple machines from within firewall can connect to same server. Thanks
to David Poole for this nice work.
This code will replace my earlier code after it gets sufficient testing.
- ip_masq_vpn-2.2.10-alpha.patch.gz: Patch for IPSec and PPTP against kernel 2.2.10 from John Hardin. Includes multiple client support.
John Hardin has also created a PPTP patch for 2.0.x kernels. In addition,
he has taken the PPTP patch and added IPSec masquerading. All of this can
be found at
.
Back to Gordon's Home Page.