The FreeBSD Diary


Providing practical examples since 1998


Article Feedback - Creating a VPN using PPTP
 PPTP Server
Author: Matt 
Date:   29-04-02 17:33

If you are looking for a pptp server, check out /usr/ports/mpd. I have been using it for a good year, and it works great. The only problem that I ever had was that I forgot to let in/out gre traffic on my ipfilter firewall, which stopped me from connecting. You do have to manually set up each connection, but after that it works well.

--Matt

 Re: PPTP Server
Author: Lars 
Date:   30-04-02 00:10

Yes, mpd is definitely the way to go - the other pptp implementations are too buggy.

 Re: PPTP Server
Author: Dan Clark 
Date:   30-04-02 14:48

OK, I have a dilemma...
I have set up mpd on my two hosts similar to this:

hostname:     euphoria      calypso
internal IP:  172.16.3.3    172.16.2.3
firewall IP:  210.54.x.x    21.54.x.x

The problem is I am not sure what I need to pinhole on my DSL routers 210.54.x.x etc. to allow incoming connections. Is it using 1723 and GRE like PPTP, or some other protocol we don't know about? I can't even telnet to the local IP (on port 1723) from a PC on its own subnet.

What ports are opened on the box when mpd runs??
I have to be missing the simple answer here.

Cheers
Dan

 Re: PPTP Server
Author: Matt 
Date:   30-04-02 22:54

Dan,
I don't have a real answer for you, I only run mpd on one end and use windows as the client. mpd on my box opens port 1723 like you say. If you are running ipfilter (maybe ipfw?), you will need to add rules to pass in/out the ng device (ng0...), and reload your rules after mpd is running (even if you -HUP mpd). Without reloading the rules I cannot connect at all.

Here is a slightly edited config I use for ipfilter:
---snip---
pass out quick on ng0
pass in quick on ng0
---snip---
# pptp
pass in quick proto tcp from any to any port = 1723 flags S keep state
# pptp's gre
pass in quick proto gre from any to any
pass out quick proto gre from any to any
---snip---

 Re: PPTP Server
Author: Matt 
Date:   30-04-02 22:56

Damn, just tested it with my updated ipfilter... no reload is needed now.

-Matt

 Re: PPTP Server
Author: Dan Clark 
Date:   01-05-02 02:34

Cool, thanks for that, however currently my kernel has the following line:
options IPFIREWALL_DEFAULT_TO_ACCEPT

I can connect as far as the firewall (DSL router) and no more. Thought it might be a NAT issue but on trying from internal side it made no difference, port still closed :o(

Thanks in advance

Cheers
Dan

 Re: PPTP Server
Author: Dan Langille 
Date:   02-05-02 07:33

Dan Clark wrote:
>
> Cool, thanks for that, however currently my kernel has
> the following line:
> options IPFIREWALL_DEFAULT_TO_ACCEPT

I prefer default to deny. I prefer to have to explicitly say what is allowed rather than specify what is not allowed. It's also easier.

 Re: PPTP Server
Author: Matt 
Date:   03-05-02 06:01

I also like using IPFILTER_DEFAULT_BLOCK. It's much easier and more secure in my opinion (less mistake prone anyway). But I don't use it any longer now that my box is 14 hours away. If I made a mistake in my rules before, the box was just a console cable away, but now not having my rules loaded due to an error is a disaster.
For a while I used to set a shutdown for a few minutes and apply my test ruleset from a separate file; if it failed, it was just a few minutes until the restart. Yeah, I know that is not a good practice :), but it worked since the box was not really used for anything important. I'm pretty sure there is an easier/safer way to do it but I have not looked into it. Any ideas?

--Matt

 Re: PPTP Server
Author: Dan Langille 
Date:   03-05-02 14:56

ipf has two rule sets (active and inactive). Use that like this:

ipf -s -Fa -f /etc/ipf.rules && sleep 10 && ipf -s

The above does this:

1. swap the rule sets
2. clear the current rule set
3. load the rules from that file
4. sleep
5. swap the rule sets back

During the sleep, type a few characters and make sure they echo. If they do, press control C. If they don't, you'll soon have back the original rule set.

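The swap-sleep-swap trick above is a dead-man switch: the new rules only stay if the admin is still able to act before the sleep ends. The following is an added example, not part of the thread, that wraps the same idea in a reusable sh function. The apply and rollback commands are passed in as strings (for ipf they would be the ones from the post, "ipf -s -Fa -f /etc/ipf.rules" and "ipf -s"); confirmation is a file touched from the still-working session rather than a control-C, so it also works when the change is driven from a second shell or a cron job. The function names, the confirm-file mechanism and the demo values are this example's own assumptions.

```shell
#!/bin/sh
# Added example: apply a firewall ruleset, then roll it back automatically
# unless the administrator confirms within a grace period. Modelled on the
# ipf active/inactive rule-set swap, but generic: APPLY and ROLLBACK are any
# shell command strings. (Names and mechanism are this example's assumptions.)
#
#   APPLY    for ipf: "ipf -s -Fa -f /etc/ipf.rules"  (swap, flush, load new)
#   ROLLBACK for ipf: "ipf -s"                         (swap back to old set)

# try_ruleset APPLY ROLLBACK GRACE_SECONDS CONFIRM_FILE
# Returns 0 if confirmed in time, 1 if it had to roll back,
# 2 if APPLY itself failed (old rules untouched, nothing to roll back).
try_ruleset() {
    _apply=$1; _rollback=$2; _grace=$3; _confirm=$4
    rm -f "$_confirm"                      # stale confirmation must not count
    if ! sh -c "$_apply"; then
        echo "apply failed, old rules still active" >&2
        return 2
    fi
    _waited=0
    while [ "$_waited" -lt "$_grace" ]; do
        if [ -e "$_confirm" ]; then
            rm -f "$_confirm"
            echo "confirmed, keeping new rules" >&2
            return 0
        fi
        sleep 1
        _waited=$((_waited + 1))
    done
    echo "no confirmation within ${_grace}s, rolling back" >&2
    sh -c "$_rollback"
    return 1
}

# confirm_ruleset CONFIRM_FILE: run this from the other session once you
# have verified that the new rules still let you in.
confirm_ruleset() {
    touch "$1"
}

# Stand-alone use: sh try_ruleset.sh APPLY ROLLBACK GRACE CONFIRM_FILE
if [ "$#" -eq 4 ]; then
    try_ruleset "$@"
fi
```

Run it from the session whose connectivity the new rules might break; if that session survives, `confirm_ruleset` keeps them, otherwise the rollback fires on its own. Because APPLY runs before the timer starts, a syntax error in the rules file is reported immediately and leaves the old set active.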
 Re: PPTP Server
Author: Jeff 
Date:   05-05-02 07:51


You don't need to pass in gre. Block that baby. Just
pass it out.

regards,
Jeff

 Re: PPTP Server
Author: Jeff 
Date:   05-05-02 07:54


Look for "enable pptp passthrough" or some such on your
firewall configuration. For instance, a linksys has this
option; if it's turned off, pptp just won't work.

If your router doesn't have this option, chuck that baby.

regards,
Jeff

 Re: PPTP Server
Author: naim 
Date:   13-05-02 05:57

Does mpd support radius for authentication? I looked around in the manual but couldn't find it.

 Re: PPTP Server
Author: Matt Cowger 
Date:   16-05-02 08:16

Hi...

I saw this and thought I'd post how I did it - getting PoPToP running as a VPN Server for Windows clients. I've gotten it running on FreeBSD
4.6-PRERELEASE, and thought I'd share with the group.

1. The first thing I did was of course cvsup my ports tree.
2. Next, cd to /usr/ports/net/poptop and run make all install clean
3. You will now need to edit a number of files to make this work:


----/usr/local/etc/pptpd.conf-------
speed 115200
option /etc/ppp/options

localip xxx.xxx.xxx.xxx
remoteip xxx.xxx.xxx.yy-zz
pidfile /var/run/pptpd.pid
------------------------------------

You will need to change the local and remote IPs to match your local configuration.
LocalIP should be an address in your subnet but not the address of your network interface(s).
RemoteIP should be a **range** in your subnet that the PPTP daemon can assign clients for addresses.

For example, if your address on interface ep0 is 192.168.1.1, and your subnet mask is 255.255.255.0, localip should be something like 192.168.1.100 and remoteip should be something like 192.168.1.150-200 (written just like that). The PIDFile entry should be obvious.

You will also need to create a /etc/ppp/options file:

---/etc/ppp/options----
auth
proxyarp
pap
chap
---/etc/ppp/options----

Don't worry too much about what these mean, but auth, chap, and proxyarp NEED to be in there (look them up in man ppp for more info).

The last file you need is /etc/ppp/ppp.conf

---/etc/ppp/ppp.conf----
# ppp(8) requires every command under a label to be indented;
# a line starting in column 1 is taken as a label and must end in a colon.
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 # Server (local) IP address, Range for Clients, and Netmask
 set ifaddr 192.168.1.100 192.168.1.150-192.168.1.200 255.255.255.255
 set server /tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 enable chap
 enable pap
 # Authenticate against /etc/passwd
 enable passwdauth
 # The next depends on your routing. Proxy arp is an easy way out
 enable proxy
 accept dns
 # DNS Servers to assign client - replace with your own
 set dns 1.1.1.1
 set device !/etc/ppp/secure
---/etc/ppp/ppp.conf----

The file above basically needs to stay the way it is, but the line containing set ifaddr needs to have the same info as what you set in pptpd.conf. The first argument should be the value of localip, the second should be the same range as remoteip (just in a slightly different format - you gotta spell out the whole range this time) and the last needs to be 255.255.255.255.

Now, start up the daemon with:

/usr/local/sbin/pptpd -d

The remaining setup needs to be done on your windows machine. I am assuming you are using Windows XP here, but it's pretty much the same as Windows 2000. Go to Start|Settings|Network Connections. Click the new connection wizard. You want to "Connect to the network at my workplace" or something along those lines - whichever one relates to VPNs. Click next. Choose Virtual Private Network Connection. Click Next. In the Company Name, type whatever you wish and hit next. The next box will ask you if it should dial your dialup connection before trying to start this one - choose whichever is appropriate and hit next. In the host name, you need to put the IP of your BSD box (the real routable address...dealing with NAT is another issue). The next screen asks who to make this connection for; choose whichever is appropriate. Next. Hit Finish.

Phew! Only a little more to go. Windows will now pop up the connection box for this connection. STOP! SLOW DOWN! DON'T CONNECT YET. Breathe. Ok, Ready? Hit Properties. Under security, you need to *disable* "Require data encryption". This is just a tunnel, not an IPSec encrypted connection. Click OK, and for your username and password enter your username and password on the BSD box. Life should be good.

Have fun with your new VPN.

 Re: PPTP Server
Author: Matt 
Date:   23-05-02 23:07

gre does need to be passed in AND out, I just tried having it just in and then just out... got the same result:

[pptp0] LCP: not converging
[pptp0] LCP: parameter negotiation failed

With both passing, it works.

I don't believe mpd supports radius/tacacs(+)/whatever, or at least I could not find anything on it. mpd.secrets is it I guess.

 Re: PPTP Server
Author: Dom Bundy 
Date:   06-09-02 01:32

I have had a stab at this and I have set it up as you suggest, but I am getting the following errors.

1) the windows box reports (Server didn't assign IP address)

2)
Warning: Bad label in /etc/ppp/ppp.conf (line 2) - missing colon

Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 12) - missing colon
Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Sep 5 23:30:12 sun pptpd[38992]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 5 23:30:12 sun pptpd[38992]: GRE: read error: Bad file descriptor
Sep 5 23:30:12 sun pptpd[38992]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)



I guess I have messed up something in the ppp.conf file, but I can't think what, as it's set up just as you say.


Any ideas ?

 Re: PPTP Server
Author: Derek 
Date:   16-09-02 18:50

Anyone have any ideas on why the windows client just hangs up totally when I try to connect to my pptp server? The only way I can get the client back is to hard poweroff the machine. Running pptpd in debug mode, and it's not showing me anything in any log file... PPTPD starts just fine, no errors, just the win client hangs up .. :(

 Re: PPTP Server
Author: ben 
Date:   04-11-02 14:12

Warning: Bad label in /etc/ppp/ppp.conf (line 12) - missing colon

This is caused by not having a space before any line that starts with "set" in the ppp.conf, or at least that is how I fixed it on my box.

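Two things in Matt Cowger's walkthrough are easy to get wrong and produce exactly the symptoms reported in this thread: ppp.conf commands that are not indented (the "Bad label ... missing colon" warning ben describes above), and a "set ifaddr" line that does not agree with localip/remoteip in pptpd.conf. The following added example, not part of the thread and not the project's own tooling, checks both with plain sh and awk. It expands pptpd.conf's short range form (192.168.1.150-200) to the long form ppp.conf wants (192.168.1.150-192.168.1.200). Function names and the file paths passed in are this example's own assumptions.

```shell
#!/bin/sh
# Added example: lint the PoPToP/ppp(8) configuration described above.
# (Function names and the sample files are this example's assumptions.)

# check_ppp_labels PPP_CONF
# ppp(8) rule: a line starting in column 1 is a label and must end in ":";
# everything else must be indented (or be blank / a comment).
# Prints each offending line; exit status 0 when the file is clean.
check_ppp_labels() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }        # blank or comment line
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { next }       # proper "label:" line
        /^[ \t]/ { next }                         # indented command: fine
        { printf "line %d: not indented and not a label: %s\n", NR, $0; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# pptpd_expected_ifaddr PPTPD_CONF
# Prints "<localip> <start>-<end>" in the long form ppp.conf expects.
pptpd_expected_ifaddr() {
    awk '
        $1 == "localip"  { local = $2 }
        $1 == "remoteip" {
            n = split($2, p, "-")
            start = p[1]; end = (n > 1) ? p[2] : p[1]
            if (end !~ /\./) {                    # short form: last octet only
                prefix = start
                sub(/[0-9]+$/, "", prefix)        # 192.168.1.150 -> 192.168.1.
                end = prefix end
            }
            range = start "-" end
        }
        END { print local, range }
    ' "$1"
}

# ppp_ifaddr PPP_CONF -> prints "<local> <range>" from the first "set ifaddr"
ppp_ifaddr() {
    awk '$1 == "set" && $2 == "ifaddr" { print $3, $4; exit }' "$1"
}

# check_ifaddr_matches PPTPD_CONF PPP_CONF -> exit 0 if the two files agree
check_ifaddr_matches() {
    want=$(pptpd_expected_ifaddr "$1")
    have=$(ppp_ifaddr "$2")
    if [ "$want" = "$have" ]; then
        echo "ok: set ifaddr $have matches pptpd.conf"
    else
        echo "mismatch: pptpd.conf implies '$want', ppp.conf has '$have'" >&2
        return 1
    fi
}

# Stand-alone use: sh pptp_lint.sh /usr/local/etc/pptpd.conf /etc/ppp/ppp.conf
if [ "$#" -eq 2 ]; then
    check_ppp_labels "$2" && check_ifaddr_matches "$1" "$2"
fi
```

The label check reports the same line numbers ppp(8) prints in its warning, so a "Bad label (line 12)" from the log maps directly onto the linter output. The range check deliberately compares only the local address and the client range; the netmask argument of set ifaddr is left to the walkthrough's fixed 255.255.255.255.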
 Re: PPTP Server
Author: ben 
Date:   03-12-02 05:28

I initially set up the poptop server to talk to windows clients.. works great, but with no encryption.

So I fired up mpd.. fantastic! MPPE encryption + MSCHAPv2. Though I know little about networks + security etc, IMHO I would strongly recommend mpd over poptop.

I basically followed the instructions at http://www.itga.com.au/~gnb/vpn/pptp-serv.html

Bit of a tangent, but I recently found this article as well:

http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

Some things in there that I hadn't considered, worth a read.

 Re: PPTP Server
Author: MC 
Date:   04-02-03 03:24

Greetings,

I've installed mpd on my FreeBSD 4.6 (at my work place behind a firewall) and configured it. I tried connecting from my WinXP Pro at home and this is what I got on the FreeBSD side:

[pptp] CHAP: rec'd RESPONSE #2
Name: "vpntest"
Peer name: "vpntest"
Response is valid
[pptp] CHAP: sending SUCCESS
[pptp] LCP: authorization successful
[pptp] LCP: phase shift AUTHENTICATE --> NETWORK
[pptp] up: 1 link, total bandwidth 64000 bps
[pptp] IPCP: Up event
[pptp] IPCP: state change Starting --> Req-Sent
[pptp] IPCP: SendConfigReq #1
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: Open event
[pptp] CCP: state change Initial --> Starting
[pptp] CCP: LayerStart
[pptp] CCP: Up event
[pptp] CCP: state change Starting --> Req-Sent
[pptp] CCP: SendConfigReq #1
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
PRED1
Not supported
MPPC
0x000000e0: MPPE, 40 bit, 56 bit, 128 bit
[pptp] CCP: SendConfigRej #1
PRED1
[pptp] IPCP: rec'd Configure Request #1 link 0 (Req-Sent)
IPADDR 192.168.1.100
192.168.1.100 is OK
COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
[pptp] IPCP: SendConfigAck #1
IPADDR 192.168.1.100
COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
[pptp] IPCP: state change Req-Sent --> Ack-Sent
[pptp] IPCP: SendConfigReq #2
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #2
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #3
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #3
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #4
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #4
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #5
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #5
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #6
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #6
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #7
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #7
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #8
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #8
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #9
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #9
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #10
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #10
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: state change Ack-Sent --> Stopped
[pptp] IPCP: LayerFinish
[pptp] IPCP: parameter negotiation failed
[pptp] IPCP: LayerFinish
[pptp] CCP: state change Req-Sent --> Stopped
[pptp] CCP: LayerFinish
[pptp] CCP: parameter negotiation failed
[pptp] CCP: Close event
[pptp] CCP: state change Stopped --> Closed
[pptp] CCP: LayerFinish
[pptp] bundle: CLOSE event in state OPENED
[pptp] closing link "pptp"...
[pptp] bundle: CLOSE event in state CLOSED
[pptp] closing link "pptp"...
[pptp] link: CLOSE event
[pptp] LCP: Close event
[pptp] LCP: state change Opened --> Closing
[pptp] LCP: phase shift NETWORK --> TERMINATE
[pptp] up: 0 links, total bandwidth 9600 bps
[pptp] IPCP: Down event

The server can't seem to connect my WinXP. Did I configure my mpd.conf wrong?

mpd.conf:
===========
default:
load pptp

# PPTP Server
pptp:
new -i ng0 pptp pptp

set bundle disable multilink
set bundle enable compression
set bundle enable encryption

set iface disable on-demand
set iface disable proxy-arp
set iface idle 0

set ipcp ranges 192.168.1.3/30 192.168.1.100/30
set ipcp dns 192.168.0.1
set ipcp enable vjcomp

set link enable acfcomp protocomp
set link disable pap
set link enable chap
set link keep-alive 10 60

set ccp enable mppc
set ccp enable mpp-compress
set ccp enable mpp-e40
set ccp enable mpp-e128
set ccp enable mpp-stateless

I can't seem to figure it out. Can anyone help me?

Regards
MC

 Re: PPTP Server
Author: Brad Tarver 
Date:   01-04-04 21:46

Why would you ever use PAP these days? You're asking to have your data stolen if you use PAP...

 Re: PPTP Server
Author: Dan 
Date:   01-04-04 21:52

Brad Tarver wrote:

> Why would you ever use PAP these days? You're asking to have
> your data stolen if you use PAP...

Please provide references supporting your statement.

--
Webmaster

 Re: PPTP Server
Author: Brad Tarver 
Date:   01-04-04 21:53

So is mpd for multilink PPP and PPTP VPNs too?

 Re: PPTP Server
Author: Brad Tarver 
Date:   01-04-04 22:00

Dan wrote:

> Brad Tarver wrote:
>
> > Why would you ever use PAP these days? You're asking to have
> > your data stolen if you use PAP...
>
> Please provide references supporting your statement.
>

Neither PAP nor CHAP involves encryption. In both cases the username is sent in the clear. With PAP the password is sent in the clear too. With CHAP the authentication is done by a challenge/response, thus preventing a replay attack.

 Re: PPTP Server
Author: Omer Faruk Sen 
Date:   03-04-04 20:12

I am trying to use pptpclient, but when I try to send packets to my mpd server (such as pinging the mpd server) I get these errors on the mpd server. I have no idea why that can be... Any comments?

[pptp1] rec'd unexpected protocol 0x00b1 on link -1, rejecting
[pptp1] rec'd proto 0xe21d on MP link! (ignoring)
[pptp1] rec'd unexpected protocol 0xa0ab on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0007 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x00dd on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0035 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0a8d on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x00b7 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x56db on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x00df on link -1, rejecting
[pptp1] rec'd unexpected protocol 0xba57 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x004f on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0081 on link -1, rejecting
[pptp1] rec'd unexpected protocol CRYPT on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x009d on link -1, rejecting

 Re: PPTP Server
Author: virusok 
Date:   21-12-04 05:42

To Omer Faruk Sen:
I have the same problem:
2 routers - Win2k Server (RAS) and FreeBSD (mpd). When FBSD connects to Win I get something like this...

...
[pptp1] rec'd unexpected protocol 0x56db on link -1, rejecting
[pptp1] rec'd unexpected protocol CRYPT on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x009d on link -1, rejecting
...

but when Win connects to FBSD all is right.

When I add the lines:
set link disable pop chap
set link accept chap
in mpd.conf these error messages disappear, but Win2k can not connect to FBSD.

Maybe this helps you too.

PS: sorry for my English. ;)

 Re: PPTP Server
Author: Leigh Finch 
Date:   04-01-05 06:08

Hi All,
I have a question about mpd. I have read through a number of howtos etc., but I have been unable to get mpd to open up port 1723 for a pptp vpn.

There are no errors in the log files, it creates the interface ng0, and is running in the background.

Am I missing something obvious? I can post configs if required.

FreeBSD 4.10 stable
mpd-3.18_2

Regards
Leigh Finch
