FreeBSD PPTP VPN Client HOWTO

As a newbie, after spending a few hours trying to figure out what it takes to connect to a Microsoft PPTP VPN server from FreeBSD, I'm sharing this small piece of knowledge:

Step #1: Install mpd5(8).

Step #2: Create /usr/local/etc/mpd5/mpd.conf (you can base it upon the .sample that is in the same folder after installation)

Code:
startup:
	set user LOGIN PASSWORD admin
	set console self 127.0.0.1 5005
	set console open
	set web self 0.0.0.0 5006
	set web open

default:
	load pptp_client

pptp_client:
	create bundle static B1
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0

	set iface up-script /home/blackhaz/vpn.up
	set iface down-script /home/blackhaz/vpn.down

	set bundle enable compression
	set ccp yes mppc
	set mppc accept compress
	set mppc yes e40 e56 e128
	set mppc yes stateless
	
	create link static L1 pptp
	set link action bundle B1
	set link accept chap

	set auth authname "VPNLOGIN"
	set auth password VPNPASSWORD
	set pptp peer VPNSERVER

	set pptp disable windowing
	set link mtu 1460
	open

(Change strings in caps.)

Note that I use the iface up-script and down-script to set routing tables. My scripts below emulate Windows/OS X behaviour, making the newly established VPN tunnel the default gateway when it's up. The down-script restores the original default gateway.

Step #3: Create the up- and down-scripts. I store them in my home.

vpn.up to set VPN tunnel as the default route, and also make sure the WAN route is preserved for the VPN server:
Code:
#!/bin/sh
# mpd5 up-script arguments: interface proto local-ip remote-ip authname [...] peer-address
# Remember the current WAN default gateway so vpn.down can restore it
wanip=`route -n get default | sed -rn 's/gateway: (.*)/\1/p'`
echo $wanip > /home/blackhaz/.defaultgateway
# Strip the trailing "/32" mpd5 appends to the local tunnel address
localip=`echo $3 | sed -rn 's/(.*).../\1/p'`
route delete default
# Keep the tunnel peer ($4, the remote-ip argument) reachable via the WAN gateway
route delete $4
route add $4 $wanip
# Make the tunnel the default route
route add default $localip

vpn.down to restore WAN as the default route:
Code:
#!/bin/sh
# Read back the WAN gateway saved by vpn.up
wanip=`cat /home/blackhaz/.defaultgateway`
# Drop the host route to the tunnel peer and the tunnel default route
route delete $4
route delete default
# Restore the WAN default gateway and clean up
route add default $wanip
rm /home/blackhaz/.defaultgateway

Step #4: Run mpd5(8) and the VPN tunnel should appear as ng0.
 
Nice to see it done with mpd5. For the same purpose I use pptpclient. Just copy /usr/local/share/examples/pptpclient/ppp.conf to /etc/ppp/ppp.conf and edit a few lines:

Code:
MIMAR:
 set authname pacija
 set authkey P4ss.w0rD
 set timeout 0
 set ifaddr 0 0
 set mppe 128 *
 enable dns

I also add routes to remote networks in /etc/ppp/ppp.linkup:
Code:
MYADDR:
 add 10.50.212.0/22 HISADDR
 add 192.168.85.0/24 HISADDR

And because while in PPTP I use the remote network's DNS, I set /etc/ppp/ppp.linkdown to revert to the local DNS when I disconnect:
Code:
MYADDR:
 resolv restore

Now, I just need to run `sudo pptp vpn.mimar.rs MIMAR` to connect, and Ctrl+C afterwards to disconnect.
 
I've been trying for years now to set up a VPN connection from FreeBSD to my university, but it never worked. I've been using mpd5 lately, but this fails with:

Code:
process 22106 started, version 5.6 (root@yokozuna.lan 00:32  9-Feb-2012)
CONSOLE: listening on 127.0.0.1 5005
web: listening on 0.0.0.0 5006
[B1] Bundle: Interface ng0 created
[L1] [L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] LCP: LayerStart
[L1] PPTP call successful
[L1] Link: UP event
[L1] LCP: Up event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 5f13909c
[L1] LCP: SendConfigReq #2
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 5f13909c
[L1] LCP: rec'd Configure Reject #2 (Req-Sent)
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1] LCP: SendConfigReq #3
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 5f13909c
[L1] LCP: rec'd Configure Nak #3 (Req-Sent)
[L1]   ACCMAP 0x000a0000
[L1] LCP: SendConfigReq #4
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 5f13909c
[L1] LCP: rec'd Configure Ack #4 (Req-Sent)
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 5f13909c
[L1] LCP: state change Req-Sent --> Ack-Rcvd
[L1] LCP: rec'd Configure Request #1 (Ack-Rcvd)
[L1]   AUTHPROTO CHAP MSOFTv2
[L1] LCP: SendConfigAck #1
[L1]   AUTHPROTO CHAP MSOFTv2
[L1] LCP: state change Ack-Rcvd --> Opened
[L1] LCP: auth: peer wants CHAP, I want nothing
[L1] LCP: LayerUp
[L1] CHAP: rec'd CHALLENGE #1 len: 21
[L1]   Name: ""
[L1] CHAP: Using authname "xxxxxxxxxxxxxxx"
[L1] CHAP: sending RESPONSE #1 len: 69
[L1] CHAP: rec'd CHALLENGE #2 len: 21
[L1]   Name: ""
[L1] CHAP: Using authname "xxxxxxxxxx"
[L1] CHAP: sending RESPONSE #2 len: 69
[L1] CHAP: rec'd SUCCESS #2 len: 46
[L1]   MESG: S=950534681B7EDA95F476B9C5DF140238AF7A3612
[L1] LCP: authorization successful
[L1] Link: Matched action 'bundle "B1" ""'
[L1] Link: Join bundle "B1"
[B1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
[B1] IPCP: Open event
[B1] IPCP: state change Initial --> Starting
[B1] IPCP: LayerStart
[B1] IPCP: Up event
[B1] IPCP: state change Starting --> Req-Sent
[B1] IPCP: SendConfigReq #1
[B1]   IPADDR 0.0.0.0
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] IPCP: rec'd Configure Request #0 (Req-Sent)
[B1]   IPADDR 130.115.3.34
[B1]     130.115.3.34 is OK
[B1] IPCP: SendConfigAck #0
[B1]   IPADDR 130.115.3.34
[B1] IPCP: state change Req-Sent --> Ack-Sent
[L1] rec'd unexpected protocol CCP, rejecting
[B1] IPCP: SendConfigReq #2
[B1]   IPADDR 0.0.0.0
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] IPCP: rec'd Configure Reject #2 (Ack-Sent)
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] IPCP: SendConfigReq #3
[B1]   IPADDR 0.0.0.0
[B1] IPCP: rec'd Configure Nak #3 (Ack-Sent)
[B1]   IPADDR 130.115.77.11
[B1]     130.115.77.11 is OK
[B1] IPCP: SendConfigReq #4
[B1]   IPADDR 130.115.77.11
[B1] IPCP: rec'd Configure Ack #4 (Ack-Sent)
[B1]   IPADDR 130.115.77.11
[B1] IPCP: state change Ack-Sent --> Opened
[B1] IPCP: LayerUp
[B1]   130.115.77.11 -> 130.115.3.34
[B1] IFACE: Add route 0.0.0.0/0 130.115.3.34 failed: File exists
[B1] IFACE: Up event

So if anyone has an idea please let me know.

Regards,

Marco
 
Marco: you already have default route (0.0.0.0/0) setup so you need either to alter the routing table manually, or use my up/down scripts above to do it automatically.
 
MarcoB said:
Code:
[B1] IFACE: Add route 0.0.0.0/0 130.115.3.34 failed: File exists
[B1] IFACE: Up event

The default route doesn't get set. Try adding a route just to the destination network in the up-script:
Code:
/sbin/route add 192.168.33.0/24 130.115.3.34

Change destination network of course.
 
I never touched routing tables before, so using the scripts seems a better idea. But what do I need to change to reach the other side (vpn-eur-pptp.eur.nl)?
 
Manipulation of routing tables is easy with route(8).

Add route to some network:
Code:
route add -net 192.168.66.0/24 192.168.1.1

Delete route to some network:
Code:
route delete -net 192.168.66.0/24 192.168.1.1
 
blackhaz said:
Marco: you already have default route (0.0.0.0/0) setup so you need either to alter the routing table manually, or use my up/down scripts above to do it automatically.

It's embarrassing, but while I could use your scripts after chmod +x, they are giving me loops on ng0 and I'm confused. I appreciate any pointers.
 
I use mpd5 to connect to our VPN servers at work. The goal is to redirect all traffic to the VPN gateway after a successful login (i.e. manipulate the default gateway). All scripts are stored under /usr/local/etc/mpd5/ra2hp, where ra2hp is the working directory of the VPN session. /etc/resolv.conf along with the default gateway is restored when you disconnect from the VPN.

My /usr/local/etc/mpd5/mpd.conf

Code:
startup:
        set user vpn vpn

        # configure the console
        set console self 127.0.0.1 5005
        set console open

default:
        load RA2HP

RA2HP:
        create bundle static B1
        set iface up-script /usr/local/etc/mpd5/ra2hp/iface-up.sh
        set iface down-script /usr/local/etc/mpd5/ra2hp/iface-down.sh

        set ipcp ranges 0.0.0.0/0 16.0.0.0/8
        set ipcp enable req-pri-dns
        set ipcp enable req-sec-dns

        # enable ms p2p encryption (MPPE) using the ng_mppc(8) netgraph node type
        set bundle enable compression
        set bundle enable encryption
        set ccp yes mppc
        set mppc yes compress e128 stateless
        # << ENDOF MPPE

        create link static HPLINK pptp
        set link action bundle B1
        set auth authname $PUT_YOUR_LOGIN_HERE

        # no redials! - we need a new token for that
        set link max-redial 0   
        set link mtu 1460
        set link no eap pap
        set link accept chap-msv2

        set pptp peer $VPN
        set pptp disable windowing
        open

# << ENDOF RA2HP

My up/down scripts:

/usr/local/etc/mpd5/ra2hp/iface-up.sh
Code:
#!/bin/sh
#
# $FreeBSD usr/local/etc/mpd5/ra2hp/iface-up.sh,v0.1 2011/10/16 $
#
# mpd5 calls this script with following parameters:
#
#       interface proto local-ip remote-ip authname [ dns1 server-ip ] [ dns2 server-ip ] peer-address
#
# Martin Ilavsky
#

MPD5_CONFIG_DIR="/usr/local/etc/mpd5"

# get the current INET (IPv4) gateway
CUR_DEFAULT=`/usr/bin/netstat -f inet -nr | grep ^default  | awk '{print $2}'`

if [ x = x"${CUR_DEFAULT}" ]; then exit 1; fi                           # EXIT: failed to obtain default gw

# save default; exit if not possible
/bin/mkdir "${MPD5_CONFIG_DIR}"/ra2hp/.session                          # omitting -p on purpose
echo $CUR_DEFAULT > ${MPD5_CONFIG_DIR}/ra2hp/.session/cur_default_gw

if [ $? -ne 0 ]; then exit 1; fi                                        # EXIT:  failed to save default gw

# keep a route to the VPN server
/sbin/route add -host $8 $CUR_DEFAULT

# delete default gw
/sbin/route delete default

# add new default gw (remote-ip passed by mpd5)
/sbin/route add default $4

# save current /etc/resolv.conf
/bin/cp -p /etc/resolv.conf "${MPD5_CONFIG_DIR}"/ra2hp/.session/cur_resolv_conf

# construct a new one
printf "nameserver\t${6#* }\nnameserver\t${7#* }\n" > /etc/resolv.conf
/bin/chmod 644 /etc/resolv.conf
/usr/sbin/chown root:wheel /etc/resolv.conf

/usr/local/etc/mpd5/ra2hp/iface-down.sh

Code:
#!/bin/sh
#
# $FreeBSD usr/local/etc/mpd5/ra2hp/iface-down.sh,v0.1 2011/10/16 $
#
# mpd5 calls this script with following parameters:
#
#       interface proto local-ip remote-ip authname peer-address
#
# Martin Ilavsky
#

MPD5_CONFIG_DIR="/usr/local/etc/mpd5"

# get the old GW
OLD_DEFAULT=`cat "${MPD5_CONFIG_DIR}"/ra2hp/.session/cur_default_gw`

if [ x = x"${OLD_DEFAULT}" ]; then exit 1; fi                           # EXIT: failed to get old default gw

# remove new default gw
/sbin/route delete default

# put the old one back
/sbin/route add default ${OLD_DEFAULT}

# remove the route to TUNNEL
/sbin/route delete -host $6

# restore DNS settings
if [ -f "${MPD5_CONFIG_DIR}"/ra2hp/.session/cur_resolv_conf ]; then
        /bin/mv  "${MPD5_CONFIG_DIR}"/ra2hp/.session/cur_resolv_conf /etc/resolv.conf
fi

# cleanup
/bin/rm -f "${MPD5_CONFIG_DIR}"/ra2hp/.session/cur_default_gw
/bin/rmdir "${MPD5_CONFIG_DIR}"/ra2hp/.session

I was not able to figure out how to obtain the domain name, though.
 
Hello.
Can anybody explain a few things to me about setting up a VPN client, please?
What I'm trying to achieve:
I have a FreeBSD server (9.1-RELEASE, if that is important) located in a datacenter. I want to connect it to my PPTP network in order to store some backups on my local storage (btw, is it a good idea?)

I did all the steps described by blackhaz and I could see the new connected client on the VPN console.
I could see that my FreeBSD host was pinging my VPN gateway.
I stopped short of launching the up and down scripts because I wasn't sure they wouldn't make my FreeBSD server unresponsive.
Please, tell me I'm wrong.
When up.sh is launched it overrides the default gateway, so all the traffic passes through a gateway of my local network.
Is it safe? Will it affect all the services running on my FreeBSD host, like httpd, mail, and others?
Is there a way to add just additional routes?
 
I used all of the configuration files found here, but I was unable to load them; the problem is mainly about running "iface-down.sh" and "iface-up.sh".
The "set iface up-script /usr/local/sbin/ppp-linkup" does not do anything!

My Running environment:
-FreeBSD 10.1
-MPD5 5.7
 
You are running old versions of software. It is past time to update.
FreeBSD 10.1 < FreeBSD 10.4
MPD 5.7 < MPD 5.8_2
 
You are running old versions of software. It is past time to update.
FreeBSD 10.1 < FreeBSD 10.4
MPD 5.7 < MPD 5.8_2
========================================
I tried it on FreeBSD 10.4 and mpd 5.8_2, but I still have the same error as with the older version.
My mpd configuration completely matches blackhaz's; I don't know where the problem is.
 