FreeBSD 9.1 MPD5 not forwarding VPN connections.

Hey guys,

I have been trying to figure this out for about three days and I can't seem to get it to work. I'm building a small company VPN and I'm testing it out with my iPhone. I can get the iPhone to connect but it can't connect to the Internet afterwards. I'm hoping you guys can help me figure out what the problem is.

My mpd.conf:

Code:
startup:
        # configure mpd users
        set user pptpadmin admin
        set user pptpadmin <PASSWORD>
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open
default:
        load pptp_server
 
pptp_server:
        set ippool add pool1 10.1.1.10 10.1.1.90
 
# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges <PUBLIC IP>/20 ippool pool1
        set ipcp dns 8.8.8.8
 
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
 
# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
# Enable utmp/wtmp logging
        set auth enable system-acct
# We are reducing link mtu to avoid GRE packet fragmentation.
        set link mtu 1460
# Configure PPTP
        set pptp self <PUBLIC IP>
# Allow to accept calls
        set link enable incoming

My /etc/rc.conf:

Code:
# Enable mpd5 daemon
mpd_enable="YES"
mpd_flags="-b -s mpd5"
gateway_enable="YES"

#enable packet filter service
pf_enable="YES"
pf_rules="/etc/pf.conf"
arpproxy_all="YES"

My /etc/pf.conf:

Code:
ext_if="em1"

internal_net="10.1.1.10/20"
external_addr="<PUBLIC IP>"

nat on $ext_if from $internal_net to any -> $external_addr

pass in all
pass out all

My /etc/sysctl.conf:

Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.link.ether.inet.proxyall=1

From what I can tell it should work but it's not and I'm not really sure where I screwed up.

Any help is very much appreciated, thank you.
 
UCLAGeek said:
...
My mpd.conf:

Code:
...
# Specify IP address pool for dynamic assignment.
        set ipcp ranges <PUBLIC IP>/20 ippool pool1
...

This entry looks strange to me. This mixes up incompatible IP ranges at both endpoints of the VPN connection. You set a WAN IP endpoint at the server side, and a LAN endpoint at the client side.

Try the following (or something similar), using the actual LAN IP of the server.

Code:
...
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 10.1.0.1/32 ippool pool1
...
 
Ok, I'm not 100% sure what you mean by the LAN IP of the server. The server is directly connected to the internet (no DHCP server), so it doesn't really have a LAN IP.

I tried changing it using the pool of IPs it's supposed to assign to the VPN clients, but still a no go.

Code:
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 10.1.1.0/32 ippool pool1
 
UCLAGeek said:
Ok, I'm not 100% sure on what you mean by the LAN IP of the server.

Reading your pf.conf I learned that the external interface is em1. So my wild guess was that there should be an em0 which connects your LAN to your server. So, if there really is an em0 having a LAN IP, then use this one. However, perhaps I assumed too much.

UCLAGeek said:
I tried changing it using the pool of IPs it's supposed to assign to the VPN clients, but still a no go.

Code:
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 10.1.1.0/32 ippool pool1

If 10.1.1.0/32 is a fake address, and is not otherwise known and routed by your server, then of course this won't work.

The MPD5 manual tells us:

set ipcp ranges (local/width|ippool pool) (remote/width|ippool pool)

This command determines what IP addresses mpd will allow to be negotiated at the local and remote ends of the link. For each endpoint, we have a target address and a netmask width. The width determines how flexible we are, i.e., how close the actual negotiated address must be to the target address. A width of 32 means they must match exactly; a width of zero means any address is suitable. For example, 192.168.1.17/25 means that IP address 192.168.1.17 is desired, but any IP address in the range 192.168.1.0 through 192.168.1.128 is acceptable.
...

In any case, both endpoints must lie in the same network, and the endpoint that you set at your server must be in its routing table.
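As an added illustration of the range rule quoted from the manual and of the reply's point that the local endpoint and the pool must share a network the server routes (this is example code, not from the thread or from mpd itself): 203.0.113.10 stands in for the poster's <PUBLIC IP>, and 10.1.0.0/20 is an assumed LAN network for the suggested 10.1.0.1/32 endpoint.

```python
import ipaddress

# Constructed stand-ins: 203.0.113.10 replaces the poster's <PUBLIC IP> and
# 10.1.0.0/20 is an assumed LAN network present in the server's routing table.
PUBLIC_IP = "203.0.113.10"
ASSUMED_LAN = "10.1.0.0/20"


def endpoint_acceptable(target, width, negotiated):
    """mpd5 'set ipcp ranges' rule: the negotiated address must share the
    first `width` bits with `target` (32 = exact match, 0 = anything)."""
    net = ipaddress.ip_network(f"{target}/{width}", strict=False)
    return ipaddress.ip_address(negotiated) in net


def pool_addresses(first, last):
    """Expand a 'set ippool add' range into its individual addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def check_ranges(local_target, local_width, pool_first, pool_last, server_net):
    """Return a list of problems with 'set ipcp ranges local/width ippool ...';
    an empty list means the local endpoint and every pool address lie inside
    server_net, the network the server actually routes."""
    problems = []
    server = ipaddress.ip_network(server_net)
    local = ipaddress.ip_address(local_target)
    if local not in server:
        problems.append(f"local endpoint {local}/{local_width} is outside {server}")
    pool = pool_addresses(pool_first, pool_last)
    outside = [str(a) for a in pool if a not in server]
    if outside:
        problems.append(f"{len(outside)} pool addresses are outside {server}")
    if local in pool:
        problems.append(f"local endpoint {local} collides with the pool")
    return problems


def posters_config():
    """The thread's original line, '<PUBLIC IP>/20 ippool pool1', with the pool
    10.1.1.10-10.1.1.90; the only network the server routes is its WAN /20."""
    wan = ipaddress.ip_network(f"{PUBLIC_IP}/20", strict=False)
    return check_ranges(PUBLIC_IP, 20, "10.1.1.10", "10.1.1.90", str(wan))


def suggested_config():
    """The reply's suggestion: a LAN-side /32 local endpoint, same pool."""
    return check_ranges("10.1.0.1", 32, "10.1.1.10", "10.1.1.90", ASSUMED_LAN)
```

Running `posters_config()` reports the whole pool as outside the WAN network, while `suggested_config()` reports nothing, which is the mismatch the reply describes.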
 
There is an em0 but it is being used for a couple of jails, and I'd hoped to use em1 purely for VPN, just for load balancing purposes. Both em0 and em1 have static IPs directly connected to the internet.

I added a route: route add -net 10.1.1.0/20 <PUBLIC IP>

But still nada, do I need NAT?

Is there a way to have mpd act as a NAT as well?
 