Trying to set up net/mpd5 PPTP VPN Server behind NAT

For $REASONS I must run a PPTP VPN server; alternatives such as OpenVPN, etc. are not an option in this very specific use case. Is it possible to run a PPTP server with net/mpd5 behind a NAT? If so, what am I missing?

I have added the firewall rules to my router:

[Screenshot: Firefox_Screenshot_2023-11-08T08-41-30.217Z.png]

Also the port forwarding:

[Screenshot: Firefox_Screenshot_2023-11-08T08-44-47.669Z.png]

The configuration file (/usr/local/etc/mpd5/mpd.conf) is as follows:

Code:
startup:
    # configure mpd users
    set user foo bar admin
    set user foo1 bar1
    # configure the console
    set console self 127.0.0.1 5005
    set console open
    # configure the web server
    set web self 0.0.0.0 5006
    set web open

default:
    load pptp_server

pptp_server:
    set ippool add pool1 192.168.0.192 192.168.0.207
    
    create bundle template B
    set iface disable on-demand
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set iface idle 1800
    
    set bundle enable crypt-reqd
    set bundle enable compression
    
    set ipcp yes vjcomp
    set ipcp ranges 192.168.0.101 ippool pool1
    
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    set ipcp dns 192.168.0.10 192.168.0.11

    create link template L pptp
    set link action bundle B
    
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2 eap
    set link mtu 1460
    set link mru 1460
    set link keep-alive 10 60
    set link enable incoming


The VPN client just hangs; it looks like something's failing around "LCP: parameter negotiation".

Code:
Nov  8 03:32:25 vpn mpd[1397]: [L-1] Accepting PPTP connection
Nov  8 03:32:25 vpn mpd[1397]: [L-1] Link: OPEN event
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: Open event
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: state change Initial --> Starting
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: LayerStart
Nov  8 03:32:25 vpn mpd[1397]: [L-1] PPTP: attaching to peer's outgoing call
Nov  8 03:32:25 vpn mpd[1397]: [L-1] Link: UP event
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: Up event
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: state change Starting --> Req-Sent
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: SendConfigReq #1
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:25 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:27 vpn mpd[1397]: [L-1] LCP: SendConfigReq #2
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:27 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:29 vpn mpd[1397]: [L-1] LCP: SendConfigReq #3
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:29 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:31 vpn mpd[1397]: [L-1] LCP: SendConfigReq #4
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:31 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:33 vpn mpd[1397]: [L-1] LCP: SendConfigReq #5
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:33 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:35 vpn mpd[1397]: [L-1] LCP: SendConfigReq #6
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:35 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:37 vpn mpd[1397]: [L-1] LCP: SendConfigReq #7
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:37 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:39 vpn mpd[1397]: [L-1] LCP: SendConfigReq #8
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:39 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:41 vpn mpd[1397]: [L-1] LCP: SendConfigReq #9
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:41 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:44 vpn mpd[1397]: [L-1] LCP: SendConfigReq #10
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   ACFCOMP
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   PROTOCOMP
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   MRU 1460
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   MAGICNUM 0x5f973025
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   AUTHPROTO CHAP MSOFTv2
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   MP MRRU 2048
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   MP SHORTSEQ
Nov  8 03:32:44 vpn mpd[1397]: [L-1]   ENDPOINTDISC [802.1] 00 50 56 96 f5 e8
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: parameter negotiation failed
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: state change Req-Sent --> Stopped
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: LayerFinish
Nov  8 03:32:46 vpn mpd[1397]: [L-1] PPTP call terminated
Nov  8 03:32:46 vpn mpd[1397]: [L-1] Link: DOWN event
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: Close event
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: state change Stopped --> Closed
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: Down event
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: state change Closed --> Initial
Nov  8 03:32:46 vpn mpd[1397]: [L-1] Link: SHUTDOWN event
Nov  8 03:32:46 vpn mpd[1397]: [L-1] Link: Shutdown
 
I had some issues getting a PPPoE connection working with MPD5. Had to add set iface enable tcpmssfix. Don't know if that will fix things for you too but it's worth a shot.
 
You can't forward GRE proto. I have found only one way - use L2TP instead of PPTP, which requires only UDP/1701 forwarding.
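
Added example (not part of any post in this thread): a small log check for the symptom shown in the question, where the PPTP control connection is accepted but every LCP Configure-Request goes unanswered until negotiation fails, which is what a NAT that passes TCP/1723 but not GRE (IP protocol 47) looks like from the server side. The sample lines are constructed in the thread's log format, and the `rec'd` prefix used to recognise inbound LCP frames is an assumption about mpd's log wording.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mpd log above (abbreviated).
SAMPLE = """\
Nov  8 03:32:25 vpn mpd[1397]: [L-1] Accepting PPTP connection
Nov  8 03:32:25 vpn mpd[1397]: [L-1] LCP: SendConfigReq #1
Nov  8 03:32:27 vpn mpd[1397]: [L-1] LCP: SendConfigReq #2
Nov  8 03:32:29 vpn mpd[1397]: [L-1] LCP: SendConfigReq #3
Nov  8 03:32:46 vpn mpd[1397]: [L-1] LCP: parameter negotiation failed
Nov  8 03:40:01 vpn mpd[1397]: [L-2] Accepting PPTP connection
Nov  8 03:40:01 vpn mpd[1397]: [L-2] LCP: SendConfigReq #1
Nov  8 03:40:01 vpn mpd[1397]: [L-2] LCP: rec'd Configure Request #0 (Req-Sent)
"""

LINE = re.compile(r"mpd\[\d+\]: \[(?P<link>[^\]]+)\] (?P<msg>.*)$")

def diagnose(log_text):
    """Return {link: verdict} for each PPTP call seen in the log."""
    stats = defaultdict(lambda: {"ctrl": False, "sent": 0, "rcvd": 0, "failed": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = stats[m["link"]], m["msg"]
        if msg.startswith("Accepting PPTP connection"):
            s["ctrl"] = True      # control channel (TCP/1723) reached the server
        elif msg.startswith("LCP: SendConfigReq"):
            s["sent"] += 1        # LCP frame sent towards the peer inside GRE
        elif msg.startswith("LCP: rec'd"):
            s["rcvd"] += 1        # assumed wording for an inbound LCP frame
        elif msg.startswith("LCP: parameter negotiation failed"):
            s["failed"] = True
    verdicts = {}
    for link, s in stats.items():
        if s["ctrl"] and s["failed"] and s["sent"] and not s["rcvd"]:
            # TCP/1723 works but no PPP frame ever came back: check GRE on the NAT
            verdicts[link] = "no-lcp-from-peer"
        elif s["rcvd"]:
            verdicts[link] = "lcp-from-peer"
        else:
            verdicts[link] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for link, verdict in diagnose(SAMPLE).items():
        print(link, verdict)
```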
 