PPTP VPN server setup
A Netopia router can act as a PPTP Network Server (PNS) and accept a PPTP tunnel from a PPTP Access Concentrator (PAC). As a PNS, a Netopia router can provide remote users a secure connection to the resources of the LAN over a dial-up, cable, DSL, or any other type of Internet access. Because PPTP can create a VPN tunnel using the Dial-up Networking (DUN) utility built into Windows 98, NT, 2000 or XP, no additional client software is required. This quick guide includes instructions for the Netopia router configuration, as well as instructions for installing and configuring a VPN Dial-up Networking profile on a PPTP client.
Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware. Click Here! to purchase the upgrade key.
* v8.2 R1 (and up) - 3300 Enterprise Series
* v5.3.7 (and up) - 4000 Series
* v4.8.2 (and up) - R-Series
Before You Start
PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Routers.
Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Click Here! for instructions on using telnet and Hyperterminal (serial connection).
Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.
Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.
The Esc key will take you back towards the main menu screen.
Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.
The Netopia Main Menu Interface
Configuration for PPTP
1. From the Main Menu, go to Quick Menus...
2. Select ATMP/PPTP Default Profile [or VPN Default Answer Profile before firmware v4.8].
   1. Set Answer ATMP/PPTP Connections: to Yes. [Answer VPN Connections in versions before 4.8].
   2. Under PPTP Configuration Options set Receive Authentication... to MS-CHAP.
   3. Escape once back to Quick Menu.
3. Scroll up to Add Connection Profiles and press Enter.
4. Supply a descriptive Profile Name.
5. Set the Encapsulation Type... [or Data Link Encapsulation... before fw 4.8] to PPTP and press Enter.
6. Enter Encapsulation Options... [or Data Link Options].
   1. Enter the PPTP Partner IP Address. (Note: This is the public IP address of the PPTP client and most likely an IP address that is assigned dynamically when the client dials into their Internet Service Provider (ISP). If you don't know the PPTP Partner IP Address, this field can be left 0.0.0.0.)
   2. For Authentication... select MS-CHAP.
   3. For Data Encryption... you have the option to select either MPPE or None.
      1. (Note: MPPE, Microsoft Point-to-Point Encryption, will slow down your connection when enabled.)
      2. Selecting None disables data encryption, which is a security feature.
   4. Next, enter the Receive Host Name and Receive Secret the client will be entering as their username and password in their Dial-up Networking VPN profile.
   5. Initiate Connections should be set to No.
   6. Adjust the Idle Timeout (seconds) to whatever you prefer. The default value is 300 seconds.
   7. Escape once back to the Add Connection Profile screen.
   8. Press Enter on COMMIT to save this profile (firmware v4.8 or later) [Add Profile Now - firmware v4.7.2 or earlier]. Please Note: It is important to save these settings before proceeding into the IP Profile Parameters configuration.
7. You should now be back at the Connection Profiles screen.
8. Select Display/Change Connection Profile... and hit Enter on the VPN profile you have just created.
9. Profile Enabled: should be set to Yes.
10. Select IP Profile Parameters...
   1. Address Translation should be set to No. (Note: Use the Tab key to toggle this option between Yes and No. Press Enter to save your changes.)
   2. Remote IP Address: should be set to a static private IP address on this router's network that is available and not being served via DHCP (ex. 192.168.1.254).
   3. Remote IP Mask: should be set to 255.255.255.255. Alternatively, you can leave the Remote IP Address: and Remote IP Mask: at 0.0.0.0, and your router can assign an IP address to the PPTP client. You must confirm the router's IP Address Serving Setup is configured accordingly. (From Quick Menus, go to IP Address Serving Setup and set Serve Dynamic WAN Clients to Yes. You should also confirm your router is serving an adequate number of IP addresses, enough for all DHCP clients, on the same subnet as the router's Ethernet IP Address. You can find the router's Ethernet IP Address and Ethernet Subnet Mask from Quick Menus in IP Setup.)
   4. Do not enable a filter set in the VPN profile. Ignore Rip Profile Options...
   5. Hit the Esc key once; select COMMIT and hit Enter (firmware v4.8 or later). If this selection is not available, hit Esc once more.
   6. Escape out to the Main Menu and go to Utilities and Diagnostics...
   7. Enter Restart System... and CONTINUE.
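The addressing rules in the IP Profile Parameters step can be checked before you commit the profile. This is an added example, not Netopia code; the function names and the pool_first, pool_size, lan_hosts and vpn_clients parameters are assumptions of the example and do not correspond to router menu fields.

```python
import ipaddress


def check_remote_ip(eth_ip, eth_mask, pool_first, pool_size, remote_ip):
    """Return the problems with a static Remote IP Address (empty list = OK).

    pool_first and pool_size describe the range the router serves by DHCP
    (assumed parameter names for this example).
    """
    lan = ipaddress.ip_interface(f"{eth_ip}/{eth_mask}").network
    router = ipaddress.ip_address(eth_ip)
    remote = ipaddress.ip_address(remote_ip)
    first = ipaddress.ip_address(pool_first)
    last = first + (pool_size - 1)
    problems = []
    if not remote.is_private:
        problems.append("not a private address")
    if remote not in lan:
        problems.append(f"outside the router's network {lan}")
    elif remote in (lan.network_address, lan.broadcast_address):
        problems.append("network or broadcast address")
    if remote == router:
        problems.append("same as the router's Ethernet IP Address")
    if first <= remote <= last:
        problems.append(f"inside the DHCP range {first}-{last}")
    return problems


def check_served_pool(eth_ip, eth_mask, pool_first, pool_size,
                      lan_hosts, vpn_clients):
    """For the 0.0.0.0 alternative: is the served pool on-subnet and large enough?

    Assumes PPTP clients draw from the same pool as the LAN's DHCP clients.
    """
    lan = ipaddress.ip_interface(f"{eth_ip}/{eth_mask}").network
    first = ipaddress.ip_address(pool_first)
    last = first + (pool_size - 1)
    problems = []
    if first not in lan or last not in lan or last == lan.broadcast_address:
        problems.append(f"pool {first}-{last} is not entirely inside {lan}")
    if pool_size < lan_hosts + vpn_clients:
        problems.append(
            f"pool serves {pool_size}, need {lan_hosts + vpn_clients}")
    return problems
```

An empty list from either function means the planned values satisfy the rules stated in the step.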
The router is now configured for incoming PPTP from a remote Dial-Up Networking client.
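To confirm that the router answers PPTP after the restart, you can send it the first message of the PPTP control connection and decode the reply. This is an added example, not part of the original technote or of Netopia's software; the message layout, TCP port 1723 and the result codes come from the PPTP specification (RFC 2637), the function names are this example's own, and SAMPLE_REPLY is constructed rather than captured from a router.

```python
import socket
import struct

PPTP_PORT = 1723           # TCP port of the PPTP control connection (RFC 2637)
MAGIC_COOKIE = 0x1A2B3C4D  # constant carried in every PPTP message
# length, message type, cookie, control type, reserved0, protocol version,
# result code, error code, framing caps, bearer caps, max channels,
# firmware revision, host name, vendor string
CTRL_FMT = "!HHIHHHBBIIHH64s64s"
CTRL_LEN = struct.calcsize(CTRL_FMT)  # 156 bytes
SCCRQ, SCCRP = 1, 2        # Start-Control-Connection-Request / -Reply


def build_sccrq(host_name=b"pptp-check"):
    """Build the request that opens a PPTP control connection."""
    return struct.pack(CTRL_FMT, CTRL_LEN, 1, MAGIC_COOKIE, SCCRQ, 0, 0x0100,
                       0, 0, 3, 3, 0, 0, host_name, b"")


def parse_sccrp(data):
    """Decode the router's reply; raise ValueError if it is not an SCCRP."""
    if len(data) < CTRL_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, cookie, ctrl, _r0, version, result, error, _framing,
     _bearer, _channels, firmware, host, vendor) = struct.unpack(
        CTRL_FMT, data[:CTRL_LEN])
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a Start-Control-Connection-Reply")
    return {
        "ok": result == 1,  # result code 1 means the connection was accepted
        "result": result, "error": error, "version": version,
        "firmware": firmware,
        "host": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def check_pptp(router_ip, timeout=5.0):
    """Connect to the router and report how it answers the request."""
    with socket.create_connection((router_ip, PPTP_PORT), timeout) as sock:
        sock.sendall(build_sccrq())
        reply = b""
        while len(reply) < CTRL_LEN:
            chunk = sock.recv(CTRL_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


# Constructed sample reply (not captured from a real router), for offline use.
SAMPLE_REPLY = struct.pack(CTRL_FMT, CTRL_LEN, 1, MAGIC_COOKIE, SCCRP, 0,
                           0x0100, 1, 0, 3, 3, 1, 0, b"router", b"example")
```

Call check_pptp() with the router's public address from a host outside the LAN; a refused or timed-out connection means the router is not reachable for PPTP from that host.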
Windows 98 Client Configuration
1. From your Windows 98 desktop, go to the Start Menu, and select Settings, Control Panel, then double-click on Add/Remove Programs.
2. In the Add/Remove Programs Properties screen, select the Windows Setup tab.
3. In Windows Setup highlight and select Communications with a double-click of your mouse.
4. In Communications, under Components, make sure to check the boxes next to Dial-up Networking at the top of the list and Virtual Private Networking at the bottom of the list. Click OK at the bottom of each screen, then close the Control Panel screen by clicking the upper right corner marked with an X. (Note: Your Windows 98 Installation CD may be required, and your computer will need to be restarted.)
5. Go to the Start Menu again, select Programs, select Accessories, select Communications, and click to select Dial-up Networking.
6. In Dial-up Networking, double-click on Make New Connection.
7. In the Make New Connection screen, follow the instructions by typing a name to identify your router, and select Microsoft VPN Adapter as your device. Click Next. Follow the instructions of the next screen and type the domain name or the public IP address of your router. Click Next, and then click Finish.
   Note: The public IP address is the same as the router's Local WAN IP address if Address Translation (NAT) is enabled on your router, or if your router is configured for a Numbered interface. If NAT is not enabled, and your router is configured for an Unnumbered interface, you will enter the Ethernet IP address of your router. If your Local WAN IP address is assigned to you dynamically, check the Quick View menu of your router's console screen for the current WAN IP address.
8. Next, right click on the icon for the new Dial-Up Networking profile you just created and select Properties.
9. Select the Server Types tab of your connection profile window.
10. Confirm that Log on to network is unchecked. If you are using MS-CHAP in your router profile, then check Require encrypted password. If you selected the MPPE option for Data Encryption in your router's client connection profile (step 5 above), then you will need to have Require data encryption checked.
Windows NT 4.0 Client Configuration
(The following information was obtained from Microsoft's Windows NT Server White Paper titled "Deploying Point-to-Point Tunneling Protocol.")
1. From your Windows NT desktop, go to the Start Menu and select Settings, Control Panel, then double-click on Network.
2. In the Network screen, click the Protocols tab, and then click Add to display the Select Network Protocol dialog box.
3. Select Point To Point Tunneling Protocol and click OK.
4. Type the drive and directory location of your installation files in the Windows NT Setup dialog box, and then click Continue. The PPTP files are copied from the installation directory and the PPTP Configuration dialog box will appear.
5. Click the Number of Virtual Private Networks drop-down arrow and select the number of VPN devices you want the client to support. You can select a number between 1 and 256 for computers running Windows NT Workstation version 4.0 or Windows NT Server version 4.0. Typically, only one VPN is installed on a PPTP client.
   Note: If the PPTP client is an ISP server running Windows NT Server version 4.0, you can select multiple VPN devices as needed to simultaneously support the PPP clients using the ISP server to connect to a PPTP server.
   Click OK, and then click OK in the Setup Message dialog box.
6. In the Remote Access Setup properties dialog box, click Add.
7. Click the RAS Capable Devices list to display the VPN devices that must be added and configured as a port and device in RAS.
8. Select the VPN1 - RASPPTPM device, and then click OK. (If you installed PPTP with more than one VPN device, repeat steps 7, 8 and 9 until all the VPNs are added to the Remote Access Setup properties dialog box.)
9. By default, the VPN device on a workstation running Windows NT 4.0 is configured to dial out only. Select the VPN port and click Configure. Verify that the Dial out only option in the Port Usage dialog box is the only option selected, and then click OK. This returns you to the Remote Access Setup properties dialog box.
10. Click Network to display the Network Configuration dialog box.
11. Verify that the TCP/IP option in Dial out Protocols is the only option checked, and then click OK.
12. Click Continue.
13. Close Network, shut down, and then restart your workstation.
14. Once your workstation has completely rebooted, go to the Start Menu, select Accessories, then click on and select Dial-up Networking. (If this is the first phonebook entry, a Dial-up Networking dialog box will appear. Click OK.)
15. Type a name to identify your router in the Name the new phonebook entry field and click Next. Select I am calling the Internet and click Next. This configures the phonebook entry to use TCP/IP and PPP as the Dial-up Networking protocols. Select RASPPTPM(VPN1) in the Select the modem or adapter this entry will use list in the Modem or Adapter dialog box, and then click Next. Type the domain name or the public IP address of your router in the Phone Number dialog box (see the Note in step 6 of the previous section: Windows 98). Click Next, and then click Finish.
16. To verify or edit your phonebook entry for the PPTP server, or your router, click More in Dial-up Networking, and then click Edit entry and modem properties to verify that your PPTP server phonebook entry is correctly configured.
17. Review the information on the Basic tab to ensure that the phone number is correct and that the RASPPTPM(VPN1) device is selected. Make any necessary changes.
18. Click the Server tab. Review the information on the Server tab to ensure that the Dial-up server type displays "PPP: Windows NT, Windows 95 Plus, Internet." In the Network protocols dialog box, ensure that the network protocols used on your private network are selected. Any selected protocol (TCP/IP, IPX/SPX, NetBEUI) must already be installed on the PPTP client you are configuring. In addition, RAS must be configured to use that protocol to dial out. Also, check the TCP/IP Settings to ensure that Server assigned IP address and Server assigned name server addresses are both selected. Use IP Header Compression and Use default gateway on remote Network should be Disabled. Enable software compression and Enable PPP LCP extensions should also be selected under the Server tab.
19. Click the Script tab, and then select None.
20. Click the Security tab. Click Accept only Microsoft encrypted authentication. The PPP protocol encrypts the user name and password for remote logon. If you are using the same name and password that you log into your computer with to authenticate with the router, then select Use current username and password. If not, make sure this is unchecked.
Windows 2000 Client Configuration
1. From your Windows 2000 desktop, right click on My Network Places and select Properties.
2. Select Make New Connection to start the New Connection Wizard. Click Next.
3. In the 'Network Connection Type' window check Connect to a Private Network through the Internet. Click Next.
4. In the 'Public Network' dialog box:
   * If you have a direct connection to the Internet, select Do Not Dial the Initial Connection. Click Next.
   * If you have a Dial Up Networking connection that should be connected first, select Automatically Dial this Initial Connection and choose your Internet dial up from the pull down menu.
5. In the 'Destination Address' window, type the Local WAN IP address of the router you are connecting to in the Host Name or IP Address field. (Note: If the router you are connecting to is not running NAT and has IP Addressing set to Unnumbered, there will be no Local WAN IP Address. In this case, use the Ethernet IP Address instead.)
6. In the 'Connection Availability' window, Windows will ask if you want all users to be able to use this VPN or just yourself. Select the choice that meets your network needs.
7. In the 'Completing the Network Connection Wizard' menu, you will be prompted to name the connection. Assign a name that makes it easy for you to distinguish your connection. You can have Windows place a shortcut for this connection on your Desktop by checking the box at the bottom of the screen. Click Finish.
8. The connection will be prompted to dial. If you wish to connect, enter your User name and Password and click Connect. If not, click Cancel.
Windows XP Client Configuration
1. From your Windows XP desktop, click on Start ---> My Network Places and select View Network Connections from the 'Network Tasks' area.
2. Click Create a New Connection in the 'Network Tasks' area to start the 'New Connection Wizard'. Click Next.
3. In the 'Network Connection Type' box that appears, select the radio button labeled Connect to the network at my workplace; click Next.
4. In the 'Network Connection' box that appears, select the radio button labeled Virtual Private Network connection; click Next.
5. In the 'Connection Name' window's text box labeled 'Company Name', assign the name of the organization or connection to which you log in.
6. In the 'VPN Server Selection' window's text box labeled 'Host Name or IP address', type the Local WAN IP address of the router to which you are connecting.
7. In the 'Connection Availability' window, you can select the radio button labeled Anyone's Use if you want to make this connection accessible to other users on your workstation. Otherwise, leave it set to the default My use only selection. Click Next.
8. Click Finish; this completes the VPN configuration. Also, you can click the checkbox labeled Add a shortcut to this connection to my desktop to put an icon on the desktop.
Windows ME Client Configuration
1. From your Windows ME desktop, go to the Start Menu, and select Settings, Control Panel, then double-click on Add/Remove Programs.
2. In the Add/Remove Programs Properties screen, select the Windows Setup tab.
3. In Windows Setup highlight and select Communications with a double-click of your mouse.
4. In Communications, under Components, make sure to check the boxes next to Dial-up Networking at the top of the list and Virtual Private Networking at the bottom of the list. Click OK at the bottom of each screen, then close the Control Panel screen by clicking the upper right corner marked with an X. (Note: Your Windows ME Installation CD may be required, and your computer will need to be restarted.)
5. Go to the Start Menu again, select Programs, select Accessories, select Communications, and click to select Dial-up Networking.
6. In Dial-up Networking, double-click on Make New Connection.
7. In the Make New Connection screen, follow the instructions by typing a name to identify your router, and select Microsoft VPN Adapter as your device. Click Next. Follow the instructions of the next screen and type the Local WAN IP address of the router you are connecting to in the Host Name or IP Address field. (Note: If the router you are connecting to is not running NAT and has IP Addressing set to Unnumbered, there will be no Local WAN IP Address. In this case, use the Ethernet IP Address instead.) Click Next, and then click Finish.
8. Next, right click on the icon for the new Dial-Up Networking profile you just created and select Properties.
9. Select the Security tab of your connection profile window.
10. Confirm that Log on to network is unchecked. If you are using MS-CHAP in your router profile, then check Require encrypted password. If you selected the MPPE option for Data Encryption in your router's client connection profile (step 5 above), then you will need to have Require data encryption checked.
You should have now successfully configured your router, as well as installed PPTP and created a VPN Dial-up Networking profile on your PPTP client. You are now ready to initiate a VPN connection between your PPTP client and your router. From Dial-up Networking, remember to have all workstations select the connection or phonebook entry to dial-up their ISP first, and then select the connection or phonebook entry to dial-up your router second.