FreeBSD MPD5 PPTP VPN - Mac OS X, iPhone and Windows

MPD5 is a multi-link PPP protocol for FreeBSD that provides a PPTP VPN, among other things. Not many comprehensive examples or HowTo documents exist for PPTP and MPD5, so one really should start by reading the manual. I have provided a sample configuration for those of you who want to skip the manual and copy and paste a working example.

In this example, the FreeBSD server has a single IP address behind a Comcast Business Gateway. TCP port 1723 (PPTP) and IP protocol 47 (GRE) are forwarded via NAT to the FreeBSD server. Clients connect to the public IP of the gateway/router.

Install MPD5 on FreeBSD

cd /usr/ports/net/mpd5
make install

Configure startup parameters

# MPD5
mpd_flags="-b -s mpd5"

Set up PPTP users

John "password1"
Frank "password2"
Jimmy "password3"
Cindy "password4"

Set up MPD5 PPTP Server

# Setup console user, password and level
set user admin password admin
set console self 5005
set console open
set web self 5006
set web open
load pptp_server
## The pptp server section has two parts, Bundle Layer and Link Layer
# Setup the PPTP bundle
create bundle template MYVPN
# Range of addresses for PPTP DHCP clients (first IP - Last IP in DHCP pool)
set ippool add pool1
# Enable proxy-arp for routing
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
# IP Control Protocol options
# Van Jacobson compression see note 1
set ipcp yes vjcomp
# This is your PPTP server's IP plus a CIDR mask - See note 2
set ipcp ranges ippool pool1
# DNS server the clients will use
set ipcp dns
# Set the WINS server address
set ipcp nbns
# enables tunnel compression
set bundle enable compression
# See note 3
set bundle enable encryption
# enables microsoft point-to-point compression
set ccp yes mppc
# 128-bit MPPE encryption
set mppc yes e128
# Faster recovery, less secure option
set mppc yes stateless
# Setup The Link Layer
create link template MYVPN pptp
set link action bundle MYVPN
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link eap accept
set link enable chap-msv2
set link enable chap
set auth enable system-auth
set link keep-alive 10 60
set link mtu 1460
# Set the actual IP address used by the PPTP server
set pptp self
set link enable incoming
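
An added example, not part of the original article or of MPD5 itself: a small sh/awk audit that flags the riskier directives in the configuration above (trivial console password, console and web listeners opened, legacy PPP authentication re-enabled, sub-128-bit or stateless MPPE). The function names, finding codes and the short list of trivial passwords are assumptions made for illustration, as is the `set user <name> <password> [level]` argument order.

```sh
#!/bin/sh
# Added example (not from the article): flag risky directives in an mpd.conf.
# Prints one "line:CODE:detail" per finding; exit status is 1 if any were found.
audit_mpd_conf() {
    awk '
    function report(code, detail) { printf "%d:%s:%s\n", NR, code, detail; bad = 1 }
    /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
    { for (i = 1; i <= NF; i++) t[i] = tolower($i) }
    t[1] != "set" { next }
    # Assumed syntax: set user <name> <password> [level]. The word list is illustrative.
    t[2] == "user" && NF >= 4 && ($3 == $4 || t[4] ~ /^(admin|password|mpd|changeme)$/) {
        report("WEAK_CONSOLE_PASSWORD", "user " $3)
    }
    # Console or web management listener switched on.
    (t[2] == "console" || t[2] == "web") && NF >= 3 && t[3] == "open" {
        report("MGMT_LISTENER_OPEN", t[2])
    }
    # PAP, CHAP-MD5, MS-CHAPv1 or the generic "chap" enabled; only chap-msv2 passes.
    t[2] == "link" && NF >= 4 && t[3] ~ /^(enable|yes|accept)$/ {
        for (i = 4; i <= NF; i++)
            if (t[i] ~ /^(pap|chap|chap-md5|chap-msv1)$/) report("LEGACY_AUTH", t[i])
    }
    # MPPE keys shorter than 128 bits, and the stateless mode the article calls less secure.
    t[2] == "mppc" && NF >= 4 && t[3] ~ /^(enable|yes|accept)$/ {
        for (i = 4; i <= NF; i++) {
            if (t[i] ~ /^e(40|56)$/) report("WEAK_MPPE_KEY", t[i])
            if (t[i] == "stateless") report("MPPE_STATELESS", t[i])
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, using directives from the configuration above.
sample_conf() {
    cat <<'EOF'
set user admin password admin
set console open
set web open
set mppc yes e128
set mppc yes stateless
set link no pap chap
set link enable chap-msv2
set link enable chap
EOF
}

# Usage: audit_mpd_conf path/to/mpd.conf   or   sample_conf | audit_mpd_conf
```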

Final steps

sysctl net.inet.ip.forwarding=1

/sbin/ipfw add 50000 allow tcp from any to me dst-port 1723
/sbin/ipfw add 51000 allow GRE from any to me
/sbin/ipfw add 52000 allow tcp from me to any dst-port 1723
/sbin/ipfw add 53000 allow GRE from me to any

touch /var/log/mpd5.log

*.* /var/log/mpd5.log

/usr/local/etc/rc.d/mpd5 start

Notes from my sample config file:

Read the manual:

If you get an error like "Incorrect context", you have a command in the wrong section (context). See for details

1.) Van Jacobson TCP header compression:

2.) IP Address assignment:

3.) Microsoft combines compression and encryption together. See
