HowTo

FreeBSD MPD5 PPTP VPN - Mac OS X, iPhone and Windows

MPD5 is a multi-link PPP daemon for FreeBSD that provides a PPTP VPN server among other things. Not many comprehensive examples or HowTo documents exist for PPTP and MPD5, so you really should start by reading the manual. I have provided a sample configuration for those of you who want to skip the manual and copy and paste a working example.

In this example, the FreeBSD server has a single IP address behind a Comcast Business Gateway. TCP port 1723 (the PPTP control channel) and IP protocol 47 (GRE, which carries the tunnel traffic) are forwarded via NAT to the FreeBSD server. Of course, clients connect to the public IP of the gateway/router.

Install MPD5 on FreeBSD

cd /usr/ports/net/mpd5
make install

Configure startup parameters in /etc/rc.conf

# MPD5
mpd_enable="YES"
mpd_flags="-b -s mpd5"
gateway_enable="YES"

Setup PPTP users in /usr/local/etc/mpd5/mpd.secret (one line per user: name, quoted password, optional static IP taken from the pool defined below). Passwords are stored in clear text, so keep the file readable by root only.

John "password1" 172.16.1.51
Frank "password2" 172.16.1.52
Jimmy "password3" 172.16.1.53
Cindy "password4" 172.16.1.54

Setup MPD5 PPTP Server in /usr/local/etc/mpd5/mpd.conf

# MPD5 PPTP CONFIG
##
startup:
# Setup console user, password and level (change these sample credentials before use)
set user admin password admin
set console self 127.0.0.1 5005
set console open
# The web console below listens on all interfaces; bind it to 127.0.0.1 or filter port 5006
set web self 0.0.0.0 5006
set web open
##
default:
load pptp_server
##
pptp_server:
## The pptp server section has two parts, Bundle Layer and Link Layer
# Setup the PPTP bundle
create bundle template MYVPN
# Range of addresses handed out to PPTP clients via IPCP (first IP - last IP in the pool)
set ippool add pool1 172.16.1.50 172.16.1.58
# Enable proxy-arp for routing
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
# IP Control Protocol options
# Van Jacobson compression see note 1
set ipcp yes vjcomp
# This is your PPTP server's IP plus a CIDR mask - See note 2
set ipcp ranges 172.16.1.253/32 ippool pool1
# DNS server the clients will use
set ipcp dns 172.16.1.1
# Set the WINS server address
set ipcp nbns 172.16.1.20
# enables tunnel compression
set bundle enable compression
# See note 3
set bundle enable encryption
# enables microsoft point-to-point compression
set ccp yes mppc
# MPPE encryption (e128 = 128-bit; e40 would be 40-bit)
set mppc yes e128
# Faster recovery, less secure option
set mppc yes stateless
##
# Setup The Link Layer
create link template MYVPN pptp
set link action bundle MYVPN
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link eap accept
set link enable chap-msv2
set link enable chap
set auth enable system-auth
set link keep-alive 10 60
set link mtu 1460
# Set the actual IP address used by the PPTP server
set pptp self 172.16.1.253
set link enable incoming
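A small lint over the two files above (the user list in mpd.secret and the pool and console settings in mpd.conf), added here as an example and not part of the original HowTo: it checks that every static address in mpd.secret falls inside pool1 and is not assigned twice, and flags the sample admin credentials and the web console bound to 0.0.0.0. The file contents are constructed inline; the paths named in the comment are the port's defaults.

```python
import ipaddress
import re

# Constructed sample input mirroring the HowTo; the real files live in
# /usr/local/etc/mpd5/mpd.secret and /usr/local/etc/mpd5/mpd.conf.
MPD_SECRET = """\
John "password1" 172.16.1.51
Frank "password2" 172.16.1.52
Jimmy "password3" 172.16.1.53
Cindy "password4" 172.16.1.54
"""
MPD_CONF = """\
set user admin password admin
set web self 0.0.0.0 5006
set ippool add pool1 172.16.1.50 172.16.1.58
"""

def parse_secret(text):
    """Map user -> static IP (or None) from lines of the form: user "pass" [ip]."""
    users = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+"([^"]*)"(?:\s+(\S+))?\s*$', line.strip())
        if m:
            users[m.group(1)] = m.group(3)
    return users

def parse_pool(text):
    """Return (first, last) addresses of the first 'set ippool add' line."""
    m = re.search(r'^set ippool add \S+ (\S+) (\S+)', text, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def lint(secret_text, conf_text):
    """Return the problems a reviewer would raise before starting mpd5."""
    problems = []
    first, last = parse_pool(conf_text)
    seen = {}
    for user, ip in parse_secret(secret_text).items():
        if ip is None:  # user gets a dynamic address from the pool
            continue
        addr = ipaddress.ip_address(ip)
        if not first <= addr <= last:
            problems.append(f"{user}: {ip} lies outside pool {first}-{last}")
        if addr in seen:
            problems.append(f"{user}: {ip} already assigned to {seen[addr]}")
        seen[addr] = user
    if re.search(r'^set user \S+ password admin$', conf_text, re.M):
        problems.append("console/web admin user still has the sample password")
    if re.search(r'^set web self 0\.0\.0\.0 ', conf_text, re.M):
        problems.append("web console listens on all interfaces (0.0.0.0)")
    return problems
```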

Final steps

Turn on IP forwarding now (gateway_enable in rc.conf makes it persistent across reboots):

sysctl net.inet.ip.forwarding=1

Allow the PPTP control channel (TCP 1723) and GRE through ipfw:

/sbin/ipfw add 50000 allow tcp from any to me dst-port 1723
/sbin/ipfw add 51000 allow GRE from any to me
/sbin/ipfw add 52000 allow tcp from me to any dst-port 1723
/sbin/ipfw add 53000 allow GRE from me to any

Create the log file and add the following two lines to /etc/syslog.conf (syslogd rereads it on restart or SIGHUP):

touch /var/log/mpd5.log

!mpd5
*.* /var/log/mpd5.log

Start the server:

/usr/local/etc/rc.d/mpd5 start

Notes from my sample config file:

Read the manual: http://mpd.sourceforge.net/doc5/mpd.html

If you get an error like "Incorrect context", you have a command in the wrong section (context). See http://mpd.sourceforge.net/doc5/mpd19.html#19 for details.

1.) Van Jacobson TCP header compression: http://mpd.sourceforge.net/doc/mpd26.html

2.) IP Address assignment: http://mpd.sourceforge.net/doc/mpd26.html#26

3.) Microsoft combines compression and encryption together. See http://mpd.sourceforge.net/doc/mpd30.html
