I'm working for a US-based company which has an office here in Ottawa. I also work from home, as
do two other employees here. Until today, I've been using a VPN from my W2K box, which is what I usually
use from day to day when accessing the office network. But this morning I found a need to access the office
network using one of my FreeBSD boxes. This article shows how I set that VPN up using a pptp client.
I put this client on my gateway box, which enabled my entire network to access the VPN. That is a good thing.
Installing the client
I knew I wanted pptp (because someone told me that's what I wanted). This was dictated by the fact that
the office (i.e. the server) was using pptp. So here is how I found my options:
[dan@ns1:] $ cd /usr/ports
[dan@ns1:/usr/ports] $ make search key=pptp
Port: poptop-1.1.2
Path: /usr/ports/net/poptop
Info: Windows 9x compatible PPTP (VPN) server
Maint: nsayer@freebsd.org
Index: net
B-deps:
R-deps:
Port: pptpclient-1.0.3
Path: /usr/ports/net/pptpclient
Info: PPTP client for establishing a VPN link with an NT server
Maint: thomas@cuivre.fr.eu.org
Index: net
B-deps: libgnugetopt-1.1
R-deps: libgnugetopt-1.1
[dan@ns1:/usr/ports] $
Since I wanted a client and did not need a server, I went with net/pptpclient. Here
is the rather complicated installation process:
cd /usr/ports/net/pptpclient
make install
You should read the examples which will be installed at /usr/local/share/examples/pptpclient.
Configuring the client
If you have configured a PPP client before, this should look familiar. I took the example provided
by the port but saved the existing .conf file.
The chmod ensures that the password contained in the file is not readable by everyone.
If you read the examples in /usr/local/share/examples/pptpclient you will see that you need to
change a few things in the .conf file. I changed the items listed below.
$ less ppp.conf
THEOFFICE:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 add 10.5.9.0/24 HISADDR
 alias enable yes
The items I changed are:
THEOFFICE: This is just a label. Give it a descriptive value. You will
use this value on the command line when you invoke pptp.
myusername: This is the user name assigned to you and which you use to
authenticate at the VPN server.
mypassword: This is the password you use in combination with the user name
above.
10.5.9.0/24: This is the network on the far side of the VPN which you will be connecting
to. Talk to your VPN administrator to find out what value you should be using. This is the value I will be
using later when I add a static route.
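As an added example (not part of the original article or the pptpclient port), here is a small sh function that checks a ppp.conf before you start pptp: it refuses a file whose cleartext authkey is group- or world-readable (the reason for the chmod mentioned above) and a file that lacks the label you plan to dial. The path and label are arguments; the FreeBSD default of /etc/ppp/ppp.conf in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a ppp.conf
# before handing it to pptp. Path and label are passed as arguments
# (assumption: FreeBSD's default location is /etc/ppp/ppp.conf).

check_ppp_conf() {
    conf="$1"
    label="$2"

    if [ ! -f "$conf" ]; then
        echo "check_ppp_conf: $conf does not exist" >&2
        return 1
    fi

    # Characters 5-10 of 'ls -l' are the group and other permission bits.
    # Anything other than '------' lets someone besides the owner read
    # (or modify) the password; chmod 600 clears them.
    perms=$(ls -l "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "check_ppp_conf: $conf is readable by others ($perms); run chmod 600 $conf" >&2
        return 1
    fi

    # ppp.conf sections start with 'LABEL:' in column one; the commands
    # under a label must be indented, so only an unindented match counts.
    if ! grep -q "^${label}:" "$conf"; then
        echo "check_ppp_conf: label $label not found in $conf" >&2
        return 1
    fi

    # Without an authkey the VPN server will reject the session anyway.
    if ! grep -q "^[[:space:]]\{1,\}set authkey " "$conf"; then
        echo "check_ppp_conf: no 'set authkey' line in $conf" >&2
        return 1
    fi

    return 0
}

# Run directly as: sh check_ppp_conf.sh /etc/ppp/ppp.conf THEOFFICE
if [ $# -eq 2 ]; then
    check_ppp_conf "$1" "$2"
    exit $?
fi
```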
Starting the client
Starting the client is easy:
/usr/local/sbin/pptp a.b.c.d THEOFFICE
where a.b.c.d is the IP address of the VPN server and
THEOFFICE is the label you created in the ppp.conf
file. When you're done, you can just CONTROL-C it away.
Running it all the time
This script appears to do the right thing. There are a few things you should know about this
script:
It assumes tun0 is the interface you are using for pptp. If you are using
more than one PPP connection, you'll probably have to be more careful with
this.
While running, you'll see two instances of pptp running. This appears to be normal.
After stopping, it can take a little while for those two instances of pptp to stop running.
This also appears normal.
$ less /usr/local/etc/rc.d/pptp.sh
#!/bin/sh
case "$1" in
start)
        /usr/local/sbin/pptp a.b.c.d THEOFFICE &
        ;;
stop)
        if [ -f /var/run/tun0.pid ]
        then
                kill -TERM `cat /var/run/tun0.pid`
        fi
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac
exit 0
Make sure to do a chmod +x on the script (all files in /usr/local/etc/rc.d/
must end in .sh and be +x in order to be run at boot time).
Optional - default routes
I have two gateways; one is DSL, the other cable. My main connection is DSL and my network machines
use the DSL gateway as their default route. I wanted to put the office VPN on my cable connection
to spread the load slightly. I achieved this by adding a default route on the DSL gateway which pointed
to the cable gateway. Here is how I did that by modifying /etc/rc.conf on the DSL box:
This will ensure that all traffic arriving at the DSL gateway for the subnet 10.5.9.0/24 will be redirected to
192.168.0.20 (which is my cable gateway and the box which is running the pptp client).
You can create additional routes by adding more entries to static_routes. For example
you can do this: