Clarification (31st of October 2010): This guide will give you a PPTP-based, four-user VPN server on FreeBSD, using pf for NAT. Clients can use the built-in VPN client in Windows/Ubuntu/Mac etc., so there is no need for third-party applications like OpenVPN.
This post will be short and to the point, as I am dead tired. In short, it's a VPN server using mpd4, with NAT for the VPN users. You can adapt this howto (e.g. add more or fewer users/ng interfaces) and put it on any machine inside your LAN (remember to forward the ports in your firewall/router, TCP 1723 and UDP 500), but whatever you do, remember to adapt the IPs in mpd.conf to suit your setup.
This howto is written with a co-located server in mind and, as usual, I assume you know basic FreeBSD in order to use it properly.
First we want to prepare the /etc/rc.conf:
# VPN
mpd_enable="YES"
# Firewall with NAT
gateway_enable="YES"
pf_enable="YES"
Now we enable forwarding (the gateway function) without rebooting:
sysctl net.inet.ip.forwarding="1"
Now install the mpd4 port with the default options:
cd /usr/ports/net/mpd4
make install clean
In /usr/local/etc/mpd4 create the following files:
mpd.conf
startup:

default:
    load client1
    load client2
    load client3
    load client4

client1:
    new -i ng0 pptp1 pptp1
    set ipcp ranges 172.16.1.1/32 172.16.1.10/32
    load client_standard

client2:
    new -i ng1 pptp2 pptp2
    set ipcp ranges 172.16.2.1/32 172.16.2.10/32
    load client_standard

client3:
    new -i ng2 pptp3 pptp3
    set ipcp ranges 172.16.3.1/32 172.16.3.10/32
    load client_standard

client4:
    new -i ng3 pptp4 pptp4
    set ipcp ranges 172.16.4.1/32 172.16.4.10/32
    load client_standard

client_standard:
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set iface enable tcpmssfix
    set bundle enable multilink
    set link yes acfcomp protocomp
    set link enable no-orig-auth
    set link enable keep-ms-domain
    set link no pap chap
    set link enable chap
    set link yes chap-msv1 chap-md5 chap-msv2
    set link mtu 1460
    set link keep-alive 10 60
    set ipcp yes vjcomp
    set ipcp dns 8.8.8.8
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set bundle enable crypt-reqd
mpd.links (your-external-ip is the address mpd listens on)
pptp1:
    set link type pptp
    set pptp self your-external-ip
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
    set pptp enable always-ack

pptp2:
    set link type pptp
    set pptp self your-external-ip
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
    set pptp enable always-ack

pptp3:
    set link type pptp
    set pptp self your-external-ip
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
    set pptp enable always-ack

pptp4:
    set link type pptp
    set pptp self your-external-ip
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
    set pptp enable always-ack
mpd.secret (cleartext file, one "user password" pair per line)
user1 password
user2 password
user3 password
.
.
.
user10 password
Now create /etc/pf.conf (the external IP is the address you want the VPN users' traffic to originate from):
ext_if="your-external-interface"
internal_net="172.16.0.0/16"
external_addr="your-external-ip"

nat on $ext_if from $internal_net to any -> $external_addr

pass in all
pass out all
Now we turn it on:
/usr/local/etc/rc.d/mpd4 start
/etc/rc.d/pf start
If everything is okay you should see the ng devices in the ifconfig output:
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
Once users are connected you will see something like this (3 users connected):
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1458
        inet 172.16.1.1 --> 172.16.1.10 netmask 0xffffffff
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.2.1 --> 172.16.2.10 netmask 0xffffffff
ng2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.3.1 --> 172.16.3.10 netmask 0xffffffff
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
That’s it, you now have a multiuser VPN with room for 4 concurrent connections – if you need more, just add further client and link sections to mpd.conf and mpd.links as needed.
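If you need more than four users, the following POSIX sh functions (an added example, not from the original post) generate the clientN and pptpN sections for any N in the same layout as the files above; the client_standard section is appended unchanged by the caller. The user count is assumed to be at most 254, and the listening address is passed in as a parameter.

```shell
# Added example (not part of the original post): emit the per-user sections of
# mpd.conf and mpd.links for N concurrent PPTP users in the layout of the
# four-user files above. User i gets ng(i-1) and 172.16.i.1/32 -> 172.16.i.10/32,
# so the single pf "nat" rule for 172.16.0.0/16 still covers every tunnel.
# N is limited to 1..254 because it becomes the third octet.

# gen_mpd_conf N: startup/default block plus one clientN: section per user.
# The client_standard section from the post is appended by the caller, unchanged.
gen_mpd_conf() {
    n=$1
    [ "$n" -ge 1 ] && [ "$n" -le 254 ] || return 1
    echo "startup:"
    echo "default:"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "    load client$i"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$n" ]; do
        echo "client$i:"
        echo "    new -i ng$((i - 1)) pptp$i pptp$i"
        echo "    set ipcp ranges 172.16.$i.1/32 172.16.$i.10/32"
        echo "    load client_standard"
        i=$((i + 1))
    done
}

# gen_mpd_links N EXT_IP: one pptpN: link section per user, all bound to EXT_IP.
gen_mpd_links() {
    n=$1; ext_ip=$2
    [ "$n" -ge 1 ] && [ "$n" -le 254 ] || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        echo "pptp$i:"
        echo "    set link type pptp"
        echo "    set pptp self $ext_ip"
        echo "    set pptp enable incoming"
        echo "    set pptp disable originate"
        echo "    set pptp disable windowing"
        echo "    set pptp enable always-ack"
        i=$((i + 1))
    done
}

# Example: eight users listening on 203.0.113.5 (a documentation address);
# client_standard.txt holds the client_standard section copied from the post.
#   { gen_mpd_conf 8; cat client_standard.txt; } > /usr/local/etc/mpd4/mpd.conf
#   gen_mpd_links 8 203.0.113.5 > /usr/local/etc/mpd4/mpd.links
```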
Enjoy!
#1 by Mor Di on 6. May, 2011 - 06:40
Worked like a charm, easy to set up.
iPhone connected via VPN in 2 minutes flat.
#2 by Miklos on 6. May, 2011 - 09:18
Excellent – happy to hear that.
#3 by FrancYescO on 19. November, 2011 - 21:37
I’m trying to start VPN on my VPS, configured all but it's not sharing the internet connection.
The VPN connection to my VPS works, but I cannot use the internet connection of the VPS... I cannot ping Google, for example.
I have to change “your-external-ip” to the VPS IP, right?
And your-external-interface is the interface that has the external IP of my VPS, right?
#4 by Miklos on 20. November, 2011 - 12:14
Yes, you are correct about the ip/interface.
Make sure you are forwarding the packages:
sysctl net.inet.ip.forwarding
That has to be “1”
#5 by FrancYescO on 21. November, 2011 - 06:38
Yes, sysctl net.inet.ip.forwarding is 1 … confused :S, all is like the tutorial.
#6 by Miklos on 26. November, 2011 - 21:39
That’s odd – can you post your uname -a, pf.conf, rc.conf and mpd.conf?