FreeBSD PPTP VPN Client questions

Hello.
Can anybody explain a few things to me about setting up a VPN client, please?
I followed this article and had definite success in setting up the VPN connection.
But I still have a couple of questions.
What I'm trying to achieve:
I have a FreeBSD server (9.1-RELEASE, if that is important) located in a datacenter. I want to connect it to my PPTP network in order to store some backups on my local storage (btw, is it a good idea?)

I did all the steps described by blackhaz (topic starter) and I could see a new connected client on the VPN console.
I could see that my FreeBSD host was pinging my VPN gateway.
I stopped at launching the up and down scripts because I wasn't sure it wouldn't make my FreeBSD server unresponsive.
Please, tell me I'm wrong.
When up.sh is launched, it overrides the default gateway so all the traffic passes through a gateway of my local network.
Is it safe? Will it affect all the services running on my FreeBSD host, like httpd, mail, and others?
Is there a way to add just additional routes?
 
I have a FreeBSD server (9.1-RELEASE, if that is important) located in a datacenter. I want to connect it to my PPTP network in order to store some backups on my local storage (btw, is it a good idea?)
No, it is not a good idea! PPTP should not be used, period. L2TP/IPsec should be used instead. I have set up an L2TP/IPSec gateway to our research group's analytic tools for a customer. Our L2TP/IPSec runs on OpenBSD because it is trivial to configure. I have no clue how I would do it on FreeBSD, but I would imagine that it has to be more complicated. This is an obsolete write-up; I would be happy to share an updated how-to if you need it.

http://undeadly.org/cgi?action=article&sid=20120427125048

The only reason we decided to use L2TP/IPSec was due to the fact that a customer uses a Windows 7 client. I didn't bother to test if the setup works from OpenBSD clients, but considering the fact that setting up an IPSec tunnel on OpenBSD is trivial, it should not be difficult.

I did all the steps described by blackhaz (topic starter) and I could see a new connected client on the VPN console.
I could see that my FreeBSD host was pinging my VPN gateway.
I stopped at launching the up and down scripts because I wasn't sure it wouldn't make my FreeBSD server unresponsive.
Please, tell me I'm wrong. When up.sh is launched, it overrides the default gateway so all the traffic passes through a gateway of my local network.
Is it safe? Will it affect all the services running on my FreeBSD host, like httpd, mail, and others?
Is there a way to add just additional routes?
A machine which runs an L2TP/IPSec client will have its DNS and routing tables messed up. There is a way to prevent this if you know how things work.


Going back to the original problem you are trying to solve: if you are just trying to do backups over a hostile network, that is a trivial problem on *nix-like systems. Please have a look at sysutils/duplicity and its friendly "frontend" sysutils/duply.
 
Are you saying that FreeBSD doesn't have its own IPSec stack and one has to use a Linux implementation? I see that the documentation recommends using security/ipsec-tools, which is still very disappointing. IPSec should be part of the base of any serious OS.
ipsec(4) is a part of the FreeBSD kernel, but disabled in GENERIC. StrongSwan is an IKE/IKE2 daemon and it supports FreeBSD officially. security/ipsec-tools is an IKE daemon only (no support for IKE2), so a little bit outdated.
 
OpenBSD has no support for IKE2 as well

Now that is not true!

http://www.openiked.org/

Maybe the FreeBSD crew should check what other BSD projects are actually doing instead of just blindly following Linux, like in the case of strongSwan. One of these days Matt Dillon might actually finish HAMMER2 and stabilize the DF code base, and FreeBSD will become irrelevant. Porting cool things from OpenSolaris can take you only so far.

 
We can only hope HAMMER2 will be portable enough to be adopted by FreeBSD; the OpenZFS initiative without an 'upstream' is obviously dead.
 