FreeBSD VPN

Posted by Benjamin Close on November 7, 2008 under Computers, FreeBSD | 6 Comments to Read

This document describes how to set up both the server side and the client side of a PPTP connection with MPPE encryption that works for Windows, Mac OS X and other FreeBSD boxes.

Note: it was based on the FreeBSD 6 series; whether it works with later versions of FreeBSD is unknown.

The basic process:

 - Install & configure the PPTP server (poptop) on the FreeBSD server
 - Configure ppp on the FreeBSD server
 - Set up the clients

1. Installing the PPTP server

This part is easy, as the PPTP server (poptop) exists in the ports collection. All you need to do is:

 cd /usr/ports/net/poptop
 make install

To configure pptp, edit /usr/local/etc/pptp.conf and put the following lines in the file:

 localip 192.168.2.1
 remoteip 192.168.2.56-75

 # Listen on the outside interface only
 listen 130.220.37.202

2. Configuring ppp on the FreeBSD server

Edit /etc/ppp/ppp.conf and set the following target only:

 # In the real file the label starts in column 0 and each command is indented.
 pptp:
   set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
   set dns 192.168.0.1
   set nbns 192.168.0.1
   disable pap
   disable utmp
   disable passwdauth
   #enable chap     # MPPE requires chap81/MSChapV2, not plain CHAP
   enable MSChapV2
   enable mppe      # Enable encryption
   set log Phase Chat LCP IPCP CCP tun command  # Debugging
   set timeout 0   # Don't drop the connection
   #
   # Force 128-bit encryption with a key change every packet.
   # Mac OS X only works with stateless connections and they are more
   # secure anyway - just less efficient.
   set mppe 128 stateless
   # Disable compression - FreeBSD clients try to use it but it breaks MPPE
   disable deflate pred1
   deny deflate pred1
   set server /var/run/pptp_ppp_%d "" 0700
   accept dns              # Enable clients to request DNS details
   disable ipv6cp          # Disable IPv6
   enable proxy            # Enable proxying addresses on the local net for clients

Now modify/create /etc/ppp/ppp.secret and put in it:

 someuser  userpassword  192.168.1.75

Now 'someuser' can log in with the password 'userpassword' and will get the IP address 192.168.1.75. If you don't want to specify the IP, just leave the third field off that line of the file.
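Before handing the server over to users it is worth confirming that ppp.conf really carries the settings above, and that ppp.secret, which stores the passwords in clear text, is readable by root only. The POSIX shell script below is an added example written for this post; it is not part of the original article nor of the ppp or poptop projects. It extracts one ppp.conf target, reports PAP or plain CHAP being enabled, MPPE weaker than 128-bit stateless, and compression left on, and checks the mode of the secret file. The function names, the constructed sample configs and the temporary files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint one target of a FreeBSD
# ppp.conf against the PPTP/MPPE settings the post relies on, and check that
# ppp.secret (cleartext passwords) is not readable by group or others.
# Function names and the constructed sample files below are this example's own.

# Print the commands of label "$2" from ppp.conf "$1", comments stripped.
# A label is a line "name:"; its commands run until the next label.
ppp_target_body() {
    awk -v lbl="$2" '
        $1 == (lbl ":")            { inlbl = 1; next }
        $1 ~ /^[A-Za-z0-9_.-]+:$/  { inlbl = 0; next }
        inlbl                      { sub(/#.*/, ""); if (NF) print }
    ' "$1"
}

# Build an ERE for "<verb> ... <word>" on one command line, e.g. cmd_re enable mppe
cmd_re() {
    printf '^[[:space:]]*%s[[:space:]]+(.*[[:space:]])?%s([[:space:]]|$)' "$1" "$2"
}

# need <ERE> <message>: record a finding when no command line matches.
need() {
    if ! printf '%s\n' "$body" | grep -Eiq "$1"; then
        echo "MISSING: $2"; rc=1
    fi
}

# forbid <ERE> <message>: record a finding when a command line matches.
forbid() {
    if printf '%s\n' "$body" | grep -Eiq "$1"; then
        echo "WEAK: $2"; rc=1
    fi
}

# check_ppp_target <ppp.conf> <label>: print findings; return 0 only if the
# target enforces MS-CHAPv2 + 128-bit stateless MPPE with PAP/CHAP-MD5 and
# compression off, as in the post's server configuration.
check_ppp_target() {
    body=$(ppp_target_body "$1" "$2")
    rc=0
    need   "$(cmd_re enable MSChapV2)" 'enable MSChapV2 (MPPE keys come from MS-CHAPv2)'
    need   "$(cmd_re enable mppe)"     'enable mppe'
    need   '^[[:space:]]*set[[:space:]]+mppe[[:space:]]+128[[:space:]]+stateless[[:space:]]*$' \
           'set mppe 128 stateless (40/56-bit or stateful MPPE is weaker)'
    forbid "$(cmd_re enable pap)"      'enable pap sends passwords in the clear'
    forbid "$(cmd_re enable chap)"     'enable chap allows CHAP-MD5, which cannot key MPPE'
    for w in deflate pred1; do
        need "$(cmd_re disable "$w")" "disable $w (compression breaks MPPE)"
        need "$(cmd_re deny "$w")"    "deny $w"
    done
    return $rc
}

# check_ppp_secret <ppp.secret>: the file holds cleartext passwords, so only
# root should be able to read it (mode 0600). Return 0 if so, 1 otherwise.
check_ppp_secret() {
    case "$(ls -ld "$1" | cut -c5,8)" in
        --) return 0 ;;
        *)  echo "WEAK: $1 is readable by group or others; chmod 600 it"; return 1 ;;
    esac
}

# write_samples <dir>: constructed inputs, the post's hardened target as
# good.conf and a weakened copy as weak.conf (PAP on, 40-bit stateful MPPE,
# compression left enabled).
write_samples() {
    cat > "$1/good.conf" <<'EOF'
default:
 set log Phase Chat LCP IPCP CCP tun command
pptp:
 set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
 disable pap
 enable MSChapV2
 enable mppe             # Enable encryption
 set mppe 128 stateless
 disable deflate pred1
 deny deflate pred1
other:
 enable pap
EOF
    sed -e 's/disable pap/enable pap/' -e 's/128 stateless/40 stateful/' \
        -e '/deflate pred1/d' "$1/good.conf" > "$1/weak.conf"
}

# Demo run: lint both samples and a world-readable secret file.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_ppp_target "$demo_dir/good.conf" pptp && echo "good.conf: pptp target OK"
check_ppp_target "$demo_dir/weak.conf" pptp || echo "weak.conf: rejected"
printf 'someuser userpassword 192.168.1.75\n' > "$demo_dir/ppp.secret"
chmod 644 "$demo_dir/ppp.secret"
check_ppp_secret "$demo_dir/ppp.secret" || echo "(fix: chmod 600 /etc/ppp/ppp.secret)"
rm -rf "$demo_dir"
```

On a real server the same functions run against the live files: check_ppp_target /etc/ppp/ppp.conf pptp and check_ppp_secret /etc/ppp/ppp.secret. The checks are deliberately literal (they look for the exact commands the post uses) rather than a model of ppp's negotiation, so a target that reaches the same result with different syntax is reported for a human to look at.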

3. Setting up clients

This section details how to set up the various clients.

Windows XP

 - Create a new VPN connection
 - Specify the host
 - Specify the username / password
 - Hit connect

FreeBSD

FreeBSD works with MPPE out of the box. Simply set up the following in /etc/ppp/ppp.conf:

 MYVPN:
   set authname someuser
   set authkey  userpassword
   disable pred1            # Compression breaks MPPE
   enable proxy
   disable ipv6cp
   set timeout 0            # Don't drop the connection
   add default HISADDR      # Route everything through the tunnel

Install pptpclient:

   cd /usr/ports/net/pptpclient
   make install

Now run it with pptp serverip MYVPN, i.e.:

  pptp  130.220.37.2 MYVPN

Mac OS X

Simply configure the GUI tool.

    Dan Alexander said,

    Maybe I missed something, but I need to know where those IP addresses are coming from. Which ones are my dynamically assigned address and which is my user's dynamically assigned address?

    Benjamin Close said,

    Hi Dan,
    In regards to the IPs:

    > localip 192.168.2.1
    > remoteip 192.168.2.56-75

    > # Listen on the outside interface only
    > listen 130.220.37.202

    The local/remote ones here really don't do anything apart from configuring a range. The listen is the external network interface of the server.

    > set ifaddr 192.168.1.1 192.168.1.56-192.168.1.74 255.255.255.255
    > set dns 192.168.0.1
    > set nbns 192.168.0.1

    192.168.1.1 is the internal address allocated to the tun* device and is what the client ends up talking to, with 192.168.1.56-192.168.1.74 being the dynamic range allocated to clients. In regards to the dns/nbns IP, this is the address of the internal network card of the server.

    I.e.: when clients connect you end up with a tun* device created on the server which is:

    inet 192.168.1.1 --> 192.168.1.56

    whilst the client ends up with:

    inet 192.168.1.56 --> 192.168.1.1

    Routing on this network then handles 192.168.1/24 -> 192.168.0/24.

    Josh said,

    I'm new to FreeBSD, but after the install I don't have a pptp.conf in that dir; the one I have is ppp. Is that the same, or are those different?

    Thanks

    Benjamin Close said,

    You may have to create the file pptp.conf; from memory it isn't installed by default.

    dqueue said,

    Thank you for this. This configuration works well for me under FreeBSD 6.4p5. Believe me, this is a relief. Under OpenBSD, I have problems with Mac-based clients; some connect, but do not route traffic for some reason.

    Cheers.

    Benjamin Close said,

    One thing that might be useful: if you're using OpenBSD's pf then you can't use the antispoof clause:

    #
    # Watch antispoofing, we can't use this at the moment as it breaks
    # VPN support
    #
    #####
    #antispoof for { $internalif, $externalif }

    Might help with your setup, might not.
