Posts Tagged “PPTP”

Getting FreeBSD to connect to a Windows VPN using PPTP (who designed that protocol anyway?) is not the most pleasant experience, but at least it’s doable.

The most competent console tool for this in FreeBSD is probably Mpd5. It's quite easy to work with, but you'll need to get every detail right or it simply won't connect.

The following mpd.conf configuration file worked for me and allowed me to successfully connect to a Windows VPN. One of the keys was to disable EAP; this particular VPN server just plain refused to work with it enabled.

    # mpd5 reads the label named on its command line (or "default") and runs
    # the indented commands under it; "load vpn" pulls in the vpn: section below.
    default:
        load vpn

    vpn:
        create bundle static B1
        # Create a default route (use a net/mask to create specific routes)
        set iface route default
        # Script to execute on connect (custom routes etc)
        # set iface up-script /usr/local/etc/
        # Accept any IP address (local/peer) the server assigns
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        # Microsoft Point-to-Point Compression, only enable if you have a really fast machine
        # set bundle enable compression
        # Negotiate MPPE encryption through CCP; e40 and e56 are weak (40/56-bit keys),
        # e128 is the level you actually want the server to pick
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e56
        set mppc yes e128
        create link static L1 pptp
        set link action bundle B1
        # Replace with your credentials or use the mpd.secret file
        set auth authname USERNAME
        set auth password SECRET
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        # Hostname/IP of the VPN server (VPN_HOST is a placeholder, replace it)
        set pptp peer VPN_HOST
        set pptp disable windowing
        # This server refuses to negotiate when EAP is enabled
        set link no eap

Save it to a file, say /usr/local/etc/mpd.conf, and simply run mpd5 mpd.conf; with some luck you'll be connected to the VPN.

The order of the statements is important, as each one only applies to the currently selected link (from the last create link) or bundle (from the last create bundle). Keep this in mind when editing.
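As an added example (not code from the original post or from the mpd5 project), here is a small checker that applies the scoping rule just described to an mpd.conf fragment. It walks the commands in file order and tracks which link and bundle are currently selected; it assumes, mirroring the layout of the configuration above, that set link, set auth and set pptp act on the link most recently created with create link, while set iface, set ipcp, set ccp, set mppc and set bundle act on the bundle most recently created with create bundle. It also flags the weak 40/56-bit MPPE levels that the configuration accepts alongside e128. The sample configuration inside it is constructed for the example.

```python
"""Consistency checker for mpd.conf fragments (added example, not mpd5 code).

Assumption about mpd5 scoping, taken from the layout of the post's config:
'set link/auth/pptp' target the current link, the others the current bundle.
"""

LINK_SCOPED = {"link", "auth", "pptp"}                      # need a 'create link' first
BUNDLE_SCOPED = {"iface", "ipcp", "ccp", "mppc", "bundle"}  # need a 'create bundle' first
WEAK_MPPE = {"e40", "e56"}                                  # 40- and 56-bit RC4 keys


def parse_commands(text):
    """Yield (line_no, tokens) for each command; comments, blank lines and
    section labels such as 'default:' are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        yield no, line.split()


def check_mpd_conf(text):
    """Return a list of (line_no, message) findings in file order."""
    findings = []
    link = bundle = None
    bundles = set()
    for no, tok in parse_commands(text):
        cmd, args = tok[0], tok[1:]
        if cmd == "create" and len(args) >= 3:
            kind, name = args[0], args[2]            # e.g. create bundle static B1
            if kind == "bundle":
                bundle = name
                bundles.add(name)
            elif kind == "link":
                link = name
        elif cmd == "set" and args:
            scope = args[0]
            if scope in LINK_SCOPED and link is None:
                findings.append((no, f"'set {scope}' before any 'create link': no link selected"))
            elif scope in BUNDLE_SCOPED and bundle is None:
                findings.append((no, f"'set {scope}' before any 'create bundle': no bundle selected"))
            if (scope == "link" and args[1:3] == ["action", "bundle"]
                    and len(args) > 3 and args[3] not in bundles):
                findings.append((no, f"link is attached to bundle {args[3]}, which was never created"))
            if scope == "mppc" and args[1:2] == ["yes"] and len(args) > 2 and args[2] in WEAK_MPPE:
                findings.append((no, f"accepts weak MPPE level {args[2]}"))
    return findings


# Constructed sample with three deliberate slips: a link option before any
# link exists, a 40-bit MPPE level, and a link attached to an unknown bundle.
SAMPLE = """\
# constructed sample mpd.conf
default:
    load vpn

vpn:
    set link mtu 1460
    create bundle static B1
    set iface route default
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    create link static L1 pptp
    set link action bundle B2
    set auth authname USERNAME
    set pptp peer VPN_HOST
    set link no eap
"""

if __name__ == "__main__":
    for line_no, msg in check_mpd_conf(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Running it on the sample reports the misplaced set link mtu, the e40 level and the reference to the non-existent bundle B2, in that order; a fragment where every set follows the matching create and only e128 is accepted yields no findings.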

Windows logon name

If you’re connecting to a Windows network you’ll probably need to use “DOMAIN\\username” as the authname (with the quotes and double backslash).

Firewall and NAT issues

The PPTP protocol is far from ideal. If you're behind NAT, chances are you won't be able to open multiple PPTP connections to the same VPN server from within your LAN: the GRE data channel has no port numbers, so a NAT gateway without PPTP-specific support cannot tell two tunnels to the same server apart.

You'll also need to allow the GRE protocol through. With Free/OpenBSD pf (packet filter) the following line is enough (you still won't be able to open simultaneous connections to the same server, though).

    pass out on $ext_if proto gre from ($ext_if) to any keep state

Replace $ext_if with your external network interface.
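To make the NAT caveat above concrete, here is an added example (not from the original post) that parses the PPTP data-channel header and models what a NAT gateway can key its state on. PPTP carries PPP frames in GRE (IP protocol 47) with the enhanced GRE header from RFC 2637: a flag word, protocol type 0x880B, a payload length, a 16-bit Call ID and optional sequence and acknowledgement numbers. A NAT that keys state on (source, destination, protocol) sees every tunnel to one server as a single flow; only a PPTP-aware NAT that also tracks the Call ID can demultiplex the replies. The addresses and packets are constructed for the example.

```python
"""PPTP enhanced-GRE parser and NAT state-key model (added example)."""
import struct
from collections import namedtuple

GRE_PROTO_PPP = 0x880B            # protocol type PPTP uses in the GRE header
IPPROTO_GRE = 47
FLAG_KEY, FLAG_SEQ, FLAG_ACK, VERSION_MASK = 0x2000, 0x1000, 0x0080, 0x0007

GreHeader = namedtuple("GreHeader", "payload_len call_id seq ack")


def build_pptp_gre(call_id, seq=None, ack=None, payload=b""):
    """Encode an enhanced-GRE packet (RFC 2637 section 4.1) around a PPP payload."""
    flags = FLAG_KEY | 1                        # Key (Call ID) present, version 1
    if seq is not None:
        flags |= FLAG_SEQ
    if ack is not None:
        flags |= FLAG_ACK
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(buf):
    """Decode the header; raise ValueError for anything that is not PPTP GRE."""
    if len(buf) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", buf[:8])
    if proto != GRE_PROTO_PPP or (flags & VERSION_MASK) != 1 or not (flags & FLAG_KEY):
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_SEQ:
        (seq,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if flags & FLAG_ACK:
        (ack,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if len(buf) - off != payload_len:
        raise ValueError("payload length does not match packet")
    return GreHeader(payload_len, call_id, seq, ack)


def nat_state_key(src_ip, dst_ip, gre_packet, pptp_aware):
    """The tuple a NAT gateway would use to look up state for this packet.
    A plain NAT has only the 3-tuple; a PPTP-aware one adds the Call ID."""
    key = (src_ip, dst_ip, IPPROTO_GRE)
    if pptp_aware:
        key += (parse_pptp_gre(gre_packet).call_id,)
    return key


def distinguishable_flows(packets, pptp_aware):
    """Number of distinct state entries the NAT can form for (src, dst, gre) packets."""
    return len({nat_state_key(s, d, p, pptp_aware) for s, d, p in packets})


if __name__ == "__main__":
    # Constructed replies from one VPN server (203.0.113.5) to the NAT's public
    # address (198.51.100.1) for two inside clients with PPTP Call IDs 1 and 2.
    replies = [
        ("203.0.113.5", "198.51.100.1", build_pptp_gre(1, seq=10, payload=b"\xff\x03")),
        ("203.0.113.5", "198.51.100.1", build_pptp_gre(2, seq=10, payload=b"\xff\x03")),
    ]
    print("plain NAT sees", distinguishable_flows(replies, False), "flow(s)")
    print("PPTP-aware NAT sees", distinguishable_flows(replies, True), "flow(s)")
```

With two clients behind the same gateway, the plain 3-tuple collapses both servers' replies into one flow, which is exactly why the second tunnel fails; the PPTP-aware key keeps them separate. A real PPTP ALG additionally rewrites Call IDs when two clients happen to choose the same one, which this model does not attempt.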
