PPTP VPN server on FreeBSD

Clarification (31st of October 2010): This guide will give you a PPTP-based, 4-user VPN server on FreeBSD, using pf for NAT. Clients can use the built-in VPN client in Windows/Ubuntu/Mac etc., so there is no need for 3rd-party applications like OpenVPN.

This post will be short and to the point, as I am deadly tired. In short, it’s a VPN server using mpd4, with NAT for the VPN users. You can adapt this how-to guide (e.g. add more or fewer users/ng interfaces) and put it on any machine inside your LAN (remember to forward the ports in your firewall/router, TCP 1723 and UDP 500), but whatever you do, remember to adapt the IPs in mpd.conf to suit your setup.

This how-to guide is written with a co-located server in mind, and as usual I assume you know basic FreeBSD in order to use it properly.

First we want to prepare the /etc/rc.conf:

# VPN
mpd_enable="YES"

# Firewall with NAT
gateway_enable="YES"
pf_enable="YES"

Now enable forwarding on the running system (the rc.conf entry above only takes effect at boot):

sysctl net.inet.ip.forwarding="1"

Now install the mpd4 port with the default options:

cd /usr/ports/net/mpd4
make install clean

In /usr/local/etc/mpd4 create the following files:

mpd.conf

startup:
default:
        load client1
        load client2
        load client3
        load client4
client1:
        new -i ng0 pptp1 pptp1
        set ipcp ranges 172.16.1.1/32 172.16.1.10/32
        load client_standard

client2:
        new -i ng1 pptp2 pptp2
        set ipcp ranges 172.16.2.1/32 172.16.2.10/32
        load client_standard

client3:
        new -i ng2 pptp3 pptp3
        set ipcp ranges 172.16.3.1/32 172.16.3.10/32
        load client_standard

client4:
        new -i ng3 pptp4 pptp4
        set ipcp ranges 172.16.4.1/32 172.16.4.10/32
        load client_standard

client_standard:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 0
        set iface enable tcpmssfix
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link enable no-orig-auth
        set link enable keep-ms-domain
        set link no pap chap
        set link enable chap
        set link yes chap-msv1 chap-md5 chap-msv2
        set link mtu 1460
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp dns 8.8.8.8
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set bundle enable crypt-reqd

mpd.links (your-external-ip is the address mpd listens on)

pptp1:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

pptp2:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

pptp3:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

pptp4:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

mpd.secret (a cleartext file, one "user password" pair per line)

user1 password
user2 password
user3 password
.
.
.
user10 password
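Because mpd.secret holds every VPN password in cleartext, the file's permissions are the only protection it gets. The following sh helper is an added example, not part of the original post: it appends a user with a freshly generated random password and leaves the file readable by root only (mpd is started as root from rc.d, so a root-only mode does not get in its way). It assumes the "user password" line format shown above; the scratch path and the user names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): add users to mpd.secret with a
# fresh random password and keep the file readable by root only. mpd needs the
# file in cleartext, so file permissions are the only protection it gets.
# Assumed: the "user password" line format shown in the post.

# Append "<user> <password>" to the secret file and print the password once so
# it can be handed to the user. Refuses to add a user that is already present.
mpd_add_user() {
    secret_file=$1; user=$2
    if [ -f "$secret_file" ] && grep -q "^$user " "$secret_file"; then
        echo "mpd_add_user: $user is already in $secret_file" >&2
        return 1
    fi
    # 16 random bytes from the kernel, printed as 32 hex characters
    password=$(od -An -tx1 -N 16 /dev/urandom | tr -d ' \n')
    # subshell so the restrictive umask applies only to this write; a file
    # created here is born with mode 0600 instead of the default 0644
    ( umask 077; printf '%s %s\n' "$user" "$password" >> "$secret_file" )
    chmod 600 "$secret_file"   # also tightens a file created earlier by hand
    echo "$password"
}

# Report the file mode as ls shows it; anything other than -rw------- means
# other local users can read every VPN password.
mpd_secret_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: build a sample secret file in a scratch location (constructed, not a
# real credential store) and show its final mode.
SAMPLE_SECRET=${TMPDIR:-/tmp}/mpd.secret.example
rm -f "$SAMPLE_SECRET"
mpd_add_user "$SAMPLE_SECRET" user1 >/dev/null
mpd_add_user "$SAMPLE_SECRET" user2 >/dev/null
mpd_secret_mode "$SAMPLE_SECRET"    # -rw-------
```

On the real server, point it at /usr/local/etc/mpd4/mpd.secret instead of the scratch file and restart mpd4 afterwards so the new entries are read.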

Now create /etc/pf.conf (the external IP is the address the VPN users' traffic should appear to originate from):

ext_if="your-external-interface"

internal_net="172.16.0.0/16"
external_addr="your-external-ip"

nat on $ext_if from $internal_net to any -> $external_addr

pass in all
pass out all
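The ruleset above passes all traffic in both directions, which works but leaves the server wide open. As an added example (not part of the original post), the sh function below generates a tighter pf.conf: it keeps the post's NAT line, defaults to block, and opens only what PPTP needs on the external interface, the TCP 1723 control channel and the GRE (IP protocol 47) data channel, plus SSH for administration. The interface name em0 and the address 203.0.113.10 are constructed placeholders; the check function is a hypothetical helper for use before loading the file.

```shell
#!/bin/sh
# Added example (not from the original post): generate a tighter /etc/pf.conf
# for the mpd4 PPTP server. The post's "pass in all / pass out all" admits any
# traffic; this ruleset defaults to block and opens only what PPTP needs on the
# external interface (TCP 1723 control channel, GRE data channel) plus SSH.
# Assumed, constructed values: interface "em0", address 203.0.113.10.

# Print a pf.conf to stdout. Arguments: external interface, external address,
# VPN client subnet. The nat line is the post's own; the rest is the tightening.
gen_pf_conf() {
    ext_if=$1; ext_addr=$2; vpn_net=$3
    cat <<EOF
ext_if="$ext_if"
internal_net="$vpn_net"
external_addr="$ext_addr"

# options must precede translation and filter rules
set skip on lo0

# VPN clients leave with the server's external address (as in the post)
nat on \$ext_if from \$internal_net to any -> \$external_addr

# default deny; everything allowed below is stateful
block all

# the PPTP tunnel interfaces themselves (one per mpd link)
pass quick on ng0
pass quick on ng1
pass quick on ng2
pass quick on ng3

# inbound to the server: PPTP control (TCP 1723), PPTP data (GRE), SSH
pass in on \$ext_if proto tcp from any to \$external_addr port 1723 keep state
pass in on \$ext_if proto gre from any to \$external_addr keep state
pass in on \$ext_if proto tcp from any to \$external_addr port 22 keep state

# outbound: anything the server or a NATed VPN client originates
pass out on \$ext_if keep state
EOF
}

# Pre-flight check that needs no pfctl: the three lines the VPN cannot work
# without (NAT, TCP 1723, GRE) must be present in the file. Returns 0 if so.
pf_conf_check() {
    f=$1
    grep -qF 'nat on $ext_if from $internal_net to any -> $external_addr' "$f" &&
    grep -qF 'port 1723' "$f" &&
    grep -qF 'proto gre' "$f"
}

# Usage: write the example to a scratch file and check it. On the real server,
# also run `pfctl -nf /etc/pf.conf` (parse only) before loading it.
out=${TMPDIR:-/tmp}/pf.conf.example
gen_pf_conf em0 203.0.113.10 172.16.0.0/16 > "$out"
pf_conf_check "$out" && echo "wrote $out"
```

If your router or firewall sits in front of the server, the same two things have to reach it: TCP 1723 and GRE. A device that forwards only TCP ports will let clients authenticate and then fail to pass any tunnel data, which shows up as a connected VPN that cannot reach anything.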

Now we turn it on:

/usr/local/etc/rc.d/mpd4 start
/etc/rc.d/pf start

If everything is okay, you should see the ng devices in the ifconfig output:

ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500

Once users are connected you will see something like this (here with 3 users connected):

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1458
        inet 172.16.1.1 --> 172.16.1.10 netmask 0xffffffff
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.2.1 --> 172.16.2.10 netmask 0xffffffff
ng2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.3.1 --> 172.16.3.10 netmask 0xffffffff
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
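Reading that output by eye is fine for 4 interfaces, but it helps to have a check that tells you which slots are in use and how many are free. The sh/awk helper below is an added example, not part of the original post: it reads ifconfig-style text on stdin, treats an ng interface as carrying a session when its flags include RUNNING and an "inet local --> peer" line follows, and reports the free capacity for the number of links defined in mpd.conf. The sample input is constructed from the post's listing above.

```shell
#!/bin/sh
# Added example (not from the original post): list which mpd ng interfaces
# currently carry a PPTP session, by parsing `ifconfig` output.
# An idle ng interface shows only POINTOPOINT flags and the default mtu 1500;
# a live session adds UP,RUNNING and an "inet local --> peer" line.

# Constructed sample, modelled on the post's "3 users connected" output.
SAMPLE_IFCONFIG='ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1458
        inet 172.16.1.1 --> 172.16.1.10 netmask 0xffffffff
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.2.1 --> 172.16.2.10 netmask 0xffffffff
ng2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 172.16.3.1 --> 172.16.3.10 netmask 0xffffffff
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500'

# Print one line per active session: "<iface> <server-ip> <client-ip>".
# Reads ifconfig-style text on stdin.
pptp_sessions() {
    awk '
        # interface header line: remember the name and whether it is RUNNING
        /^ng[0-9]+: / {
            iface = substr($1, 1, length($1) - 1)
            running = ($2 ~ /RUNNING/) ? 1 : 0
            next
        }
        # address line of a running ng interface: local --> peer
        running && $1 == "inet" && $3 == "-->" {
            print iface, $2, $4
            running = 0
        }
    '
}

# Number of active sessions on stdin.
pptp_session_count() {
    pptp_sessions | wc -l | tr -d ' '
}

# Free slots, given the number of ng interfaces defined in mpd.conf ($1).
pptp_free_slots() {
    total=$1
    used=$(pptp_session_count)
    echo $((total - used))
}

# Usage on the sample; on the server, pipe the real output instead:
#   ifconfig | pptp_sessions
printf '%s\n' "$SAMPLE_IFCONFIG" | pptp_sessions
printf '%s\n' "$SAMPLE_IFCONFIG" | pptp_free_slots 4
```

A free-slot count of 0 while a new client is being refused is the expected failure mode of this setup: every link in mpd.links is in use, and the fix is to add another client block and link, as the post says.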

That’s it, you now have a multiuser VPN with room for 4 concurrent connections – if you need more just add in the mpd.conf and mpd.links as needed.

Enjoy!


6 Comments (and one trackback)

  • #1 by Mor Di on 6. May, 2011 - 06:40

    Worked like a charm, easy to set up.
    iPhone connected via VPN in 2 minutes flat 🙂

  • #2 by Miklos on 6. May, 2011 - 09:18

    Excellent – happy to hear that 🙂

  • #3 by FrancYescO on 19. November, 2011 - 21:37

    I’m trying to start VPN on my VPS, configured all but it’s not sharing the internet connection 🙁

    The VPN connection to my VPS works, but I cannot use the internet connection of the VPS. I cannot ping google for example.

    I have to change “your-external-ip” to the VPS IP, right?

    And your-external-interface is the interface that has the external IP of my VPS, right?

  • #4 by Miklos on 20. November, 2011 - 12:14

    Yes, you are correct about the IP/interface.

    Make sure you are forwarding the packets:

    sysctl net.inet.ip.forwarding

    That has to be “1”.

  • #5 by FrancYescO on 21. November, 2011 - 06:38

    Yes, sysctl net.inet.ip.forwarding is 1 … confused :S, all is like the tutorial.

  • #6 by Miklos on 26. November, 2011 - 21:39

    That’s odd – can you post your uname -a, pf.conf, rc.conf and mpd.conf?
