FreeBSD VPN

Posted by Benjamin Close on November 7, 2008 under Computers, FreeBSD

This document describes how to set up both the server side and the client side of a PPTP connection with MPPE encryption that works for Windows, Mac OS X and other FreeBSD boxes.

Note: this was based on the FreeBSD 6 series; whether it works with later versions of FreeBSD is unknown.

The basic process:

 - Install & configure the PPTP server on the FreeBSD server
 - Configure ppp on the FreeBSD server
 - Set up the clients

1. Installing pptpserver

This part is really easy, as the PPTP server (poptop) exists in the ports collection. Hence all you need to do is:

 cd /usr/ports/net/poptop
 make install

To configure pptp, modify /usr/local/etc/pptp.conf and put the following lines in the file:

 localip 192.168.2.1
 remoteip 192.168.2.56-75

 # Listen on the outside interface only
 listen 130.220.37.202

2. Configure ppp on the FreeBSD server

Edit /etc/ppp/ppp.conf and set the following target only:

  pptp:
    set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
    set dns 192.168.0.1
    set nbns 192.168.0.1
    disable pap
    disable utmp
    disable passwdauth
    #enable chap     # MPPE requires chap81/MSChapV2
    enable MSChapV2
    enable mppe      # Enable encryption
    set log Phase Chat LCP IPCP CCP tun command  # Debugging
    set timeout 0   # Don't drop the connection
    #
    # Force 128 bit encryption with a key change every packet.
    # MacOSX only works with stateless connections and they are more
    # secure anyway - just less efficient.
    set mppe 128 stateless
    # Disable compression - FreeBSD clients try to use it but it breaks MPPE
    disable deflate pred1
    deny deflate pred1
    set server /var/run/pptp_ppp_%d "" 0700
    accept dns              # Enable clients to request DNS details
    disable ipv6cp          # Disable IPv6
    enable proxy            # Enable proxying addresses on the local net for clients

Now modify/create /etc/ppp/ppp.secret and put in it:

 someuser  userpassword  192.168.1.75

Now ‘someuser’ can log in with the password ‘userpassword’ and will get an IP address of 192.168.1.75. If you don’t want to specify the IP, just leave the third parameter off that line of the file.
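As an added example (not part of the original article), a small Python audit of the server-side ppp.conf target and ppp.secret described above: it checks that PAP is disabled, that MS-CHAPv2 and 128-bit stateless MPPE are enabled, that compression is denied, and that a static address in ppp.secret does not fall inside the dynamic `set ifaddr` pool. The sample configuration is constructed from the lines in this article; the function names are my own.

```python
import ipaddress
import re

# Constructed samples, copied from the server configuration in this article.
PPP_CONF = """\
pptp:
   set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
   disable pap
   enable MSChapV2
   enable mppe      # Enable encryption
   set mppe 128 stateless
   deny deflate pred1
"""
PPP_SECRET = "someuser  userpassword  192.168.1.75\n"

# Settings the pptp target must carry, and why each one matters.
REQUIRED = {
    "disable pap": "PAP would send passwords in clear text",
    "enable mschapv2": "MPPE derives its keys from MS-CHAPv2 (chap81)",
    "enable mppe": "without MPPE the tunnel is unencrypted",
    "set mppe 128 stateless": "40/56-bit or stateful MPPE would be accepted",
    "deny deflate pred1": "compression breaks MPPE with FreeBSD clients",
}

def parse_target(conf, label):
    """Return the normalised command lines under 'label:' in ppp.conf."""
    cmds, active = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line.endswith(":"):                   # a target label starts a new block
            active = line[:-1] == label
        elif line and active:
            cmds.append(" ".join(line.lower().split()))
    return cmds

def audit_pptp(conf, secret, label="pptp"):
    """Return findings for the target; an empty list means it passes."""
    cmds = parse_target(conf, label)
    findings = [f"missing '{k}': {why}" for k, why in REQUIRED.items() if k not in cmds]
    # Dynamic pool from 'set ifaddr <myaddr> <lo>-<hi> ...'; a static address in
    # ppp.secret (third field) inside that pool could collide with a dynamic client.
    m = next((re.match(r"set ifaddr \S+ (\S+)-(\S+)", c) for c in cmds
              if c.startswith("set ifaddr")), None)
    if m:
        lo, hi = (ipaddress.ip_address(a) for a in m.groups())
        for entry in secret.splitlines():
            parts = entry.split()
            if len(parts) >= 3 and lo <= ipaddress.ip_address(parts[2]) <= hi:
                findings.append(f"{parts[0]}: static {parts[2]} is inside the dynamic pool")
    return findings
```

With the article's configuration the audit returns no findings, since 192.168.1.75 sits just above the 192.168.1.56-192.168.1.74 pool.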

3. Set up the clients

This section details how to set up various clients.

Windows XP

 - Create a new VPN connection
 - Specify the host
 - Specify the username / password
 - Hit connect

FreeBSD

FreeBSD works with MPPE out of the box. Simply set up the following in /etc/ppp/ppp.conf:

 MYVPN:
   set authname someuser
   set authkey  userpassword
   disable pred1
   enable proxy
   disable ipv6cp
   set timeout 0
   add default HISADDR

Install pptpclient:

   cd /usr/ports/net/pptpclient
   make install

Now run it with: pptp serverip MYVPN, i.e.:

  pptp  130.220.37.2 MYVPN

Mac OS X

Simply configure the GUI tool.


  • Dan Alexander said,

    Maybe I missed something, but I need to know where those IP addresses are coming from. Which one is my dynamically assigned address, and which is my user's dynamically assigned address?

  • Benjamin Close said,

    Hi Dan,
    In regards to the IP’s:

    > localip 192.168.2.1
    > remoteip 192.168.2.56-75

    > # Listen on the outside interface only
    > listen 130.220.37.202

    The local/remote ones here really don’t do anything apart from configuring a range. The listen is the external network interface of the server.

    > set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
    > set dns 192.168.0.1
    > set nbns 192.168.0.1

    192.168.1.1 is the internal address allocated to the tun* device and is what the client ends up talking to, with 192.168.1.56-192.168.1.74 being the dynamic range allocated to clients. In regards to the dns/nbns IP, this is the address of the internal network card of the server.

    I.e.: when clients connect you end up with a tun* device created on the server which is:

    inet 192.168.1.1 --> 192.168.1.56

    whilst the client ends up with:

    inet 192.168.1.56 --> 192.168.1.1

    Routing on this network then handles 192.168.1/24 -> 192.168.0/24

  • Josh said,

    I'm new to FreeBSD, but after the install I don't have a pptp.conf in that dir; the one I have is ppp. Is that the same, or are those different?

    Thanks

  • Benjamin Close said,

    You may have to create the file pptp.conf; from memory, it isn’t installed by default.

  • dqueue said,

    Thank you for this. This configuration works well for me under FreeBSD 6.4p5. Believe me, this is a relief. Under OpenBSD, I have problems with Mac-based clients; some connect, but do not route traffic for some reason.

    Cheers.

  • Benjamin Close said,

    One thing that might be useful: if you’re using OpenBSD’s pf then you can’t use the antispoof clause:

    #
    # Watch Antispoofing, we can’t use this at the moment as it breaks
    # vpn support
    #
    #####
    #antispoof for { $internalif, $externalif }

    Might help with your setup, might not.

  • SIFE said,

    salamo alikom ,
    I get this problem, can you correct me:
    Jan 14 03:10:27 localhost pptp[37402]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated
    Jan 14 03:10:27 localhost pptp[37407]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
    Jan 14 03:10:27 localhost pptp[37407]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
    Jan 14 03:10:27 localhost pptp[37407]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
    Jan 14 03:10:28 localhost pptp[37407]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
    Jan 14 03:10:29 localhost pptp[37407]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
    Jan 14 03:10:29 localhost pptp[37407]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 41984).
    Jan 14 03:10:29 localhost kernel: tun0: link state changed to UP
    Jan 14 03:10:29 localhost ppp[37402]: tun0: Warning: disable ipv6cp: Invalid command
    Jan 14 03:10:29 localhost ppp[37402]: tun0: Warning: disable ipv6cp: Failed 1
    Jan 14 03:10:29 localhost ppp[37402]: tun0: Alert: deflink: Can't create /var/run/pts/2.if: No such file or directory
    Jan 14 03:10:31 localhost pptp[37407]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
    Jan 14 03:10:31 localhost kernel: tun0: link state changed to DOWN
    Jan 14 03:10:31 localhost ppp[37402]: tun0: Warning: deflink: Unable to set physical to speed 0
    Jan 14 03:10:31 localhost ppp[37402]: tun0: Warning: deflink: Unable to set physical to speed 0
    Jan 14 03:10:31 localhost ppp[37402]: tun0: Warning: deflink: tcsetattr: Unable to restore device settings
    Jan 14 03:10:31 localhost ppp[37402]: tun0: Alert: deflink: Can't remove /var/run/pts/2.if: No such file or directory
    Jan 14 03:10:31 localhost pptp[37407]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
    Jan 14 03:10:31 localhost pptp[37407]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)

  • Benjamin Close said,

    It seems this article may now be a little out of date for the new pptp/ppp.
    A possible fix to your problem may be:

    1. Remove the line: disable ipv6cp from ppp.conf
    2. Make sure you have this line correct: set server /var/run/pptp_ppp_%d "" 0700
    3. Create the directory /var/run/pts
    4. If things still don’t work, try modifying the line in step 2 to read: set server /var/run/pts/%d.if "" 0700
