3.2 mpd5 Configuration
Create the file holding the mpd secrets. Here you basically set up the credentials for the mpd5 administrator and for the users who may connect to the VPN service. For example, my entries look roughly like this:
nano /usr/local/etc/mpd5/mpd.secret
Code:
super "pwSuper"
rolf "pwRolf"
thomas "pwThomas"
alex "pwAlex"
anna "pwAnna"
etc "pwEtc"
Remember the login ID of the admin user (super in the above example), because you need it in the next step, i.e. creating and editing the principal configuration file. You could start with a copy of mpd.conf.sample; however, it contains configurations for a lot of different operation modes of mpd5. So I suggest creating a new file and copying my configuration suggestion below into it. You might want to review
/usr/local/etc/mpd5/mpd.conf.sample at some point later, though.
nano /usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users
set user super pwSuper admin
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server (0.0.0.0 listens on all interfaces; use 127.0.0.1 if the web console need not be reachable from other hosts)
set web self 0.0.0.0 5006
set web open
default:
load l2tp_server
l2tp_server:
# Define dynamic IP address pool.
set ippool add pool_l2tp 192.168.0.150 192.168.0.199
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
set iface enable proxy-arp
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
set ipcp dns 192.168.0.1
# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
# Set bundle template to use
set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link no pap chap eap
set link enable chap
set link keep-alive 0 0
# Reduce the link MTU to avoid ESP packet fragmentation.
set link mtu 1280
# Configure L2TP
set l2tp self 192.168.0.1
set l2tp enable length
# Allow to accept calls
set link enable incoming
The above setup assumes that the local network is 192.168.0.0/24 and that the L2TP/IPsec VPN host has the IP 192.168.0.1. Furthermore, the IP range 192.168.0.150 to 192.168.0.199 is reserved for VPN clients.
"set iface enable proxy-arp" is required if VPN clients are allowed to connect to other machines inside and outside of your local network. If VPN clients should be restricted to services on the VPN host only, remove this setting. By default, proxy-arp is disabled.
In my setup the VPN host also hosts the DNS server. If you have another DNS server, change "set ipcp dns 192.168.0.1" accordingly. Of course, this also means that proxy-arp must be enabled, since otherwise VPN clients cannot reach the other DNS server.
3.3 System configurations
- If VPN clients are allowed to connect to other hosts, add the following two lines to /etc/sysctl.conf:
nano /etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
- Make sure that your firewall is open for TCP port 1701 and UDP ports 500 and 4500.
- Enable ipsec, racoon, and mpd by adding the following lines to /etc/rc.conf:
nano /etc/rc.conf
Code:
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
Now restart your machine.
shutdown -r now
The L2TP/IPsec-VPN server should be up and waiting for connections.
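As an added example (not part of the original post), here is a small POSIX sh script that checks a configuration like the one above for the points worth verifying before the service goes live: the web console bound to 0.0.0.0, a mpd.secret readable by other users, and proxy-arp enabled without IP forwarding. The function names, the file paths passed as parameters and the sample files it builds are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a sanity check for the mpd5
# setup described above. File paths are parameters; the sample files below
# are constructed here so the script runs offline.

# Emit one line per finding for the given mpd.conf, mpd.secret and sysctl.conf.
mpd_config_findings() {
    conf="$1"; secret="$2"; sysctl="$3"
    # The web admin console on 0.0.0.0 is reachable from the LAN (and further,
    # if the firewall lets port 5006 through); 127.0.0.1 is the safer binding.
    if grep -Eq '^[[:space:]]*set web self 0\.0\.0\.0' "$conf"; then
        echo "web console listens on all interfaces"
    fi
    # mpd.secret holds plaintext passwords, so group/other bits should be clear.
    if [ -f "$secret" ] && [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
        echo "$secret is readable by group or others"
    fi
    # proxy-arp only helps if the host also forwards packets for the clients.
    if grep -Eq '^[[:space:]]*set iface enable proxy-arp' "$conf" \
       && ! grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding=1' "$sysctl" 2>/dev/null; then
        echo "proxy-arp enabled but net.inet.ip.forwarding=1 missing from $sysctl"
    fi
}

# Number of findings (0 means nothing to fix).
mpd_config_finding_count() {
    mpd_config_findings "$@" | wc -l | tr -d ' '
}

# Constructed sample files reproducing the relevant lines of the post's config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mpd.conf" <<'EOF'
startup:
set web self 0.0.0.0 5006
l2tp_server:
set iface enable proxy-arp
EOF
printf 'super "pwSuper"\n' > "$demo_dir/mpd.secret"
chmod 644 "$demo_dir/mpd.secret"
printf 'net.inet.ip.forwarding=1\n' > "$demo_dir/sysctl.conf"

# Expected: two findings (console on 0.0.0.0, secret file readable by others).
mpd_config_findings "$demo_dir/mpd.conf" "$demo_dir/mpd.secret" "$demo_dir/sysctl.conf"
```

Run it against the real files (/usr/local/etc/mpd5/mpd.conf, /usr/local/etc/mpd5/mpd.secret, /etc/sysctl.conf) after editing them; a chmod 600 on mpd.secret clears the second finding.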