Date:      Sat, 4 May 2002 07:44:00 -0700 (PDT)
From:      Jeff Mitchell <jeff4492@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   A PPTP VPN success story
Message-ID:  <20020504144400.33409.qmail@web21501.mail.yahoo.com>

keywords: pptp vpn mpd ipfilter ipnat tunnel tunneling Windows 2000

Cool, it works!

I have Windows 2000 pptp clients connecting at "maximum strength"
128-bit encryption with MS-CHAPv2 authentication to a freebsd
4.5-RELEASE-p4 box.

This is only on a per-computer basis right now; I haven't tried
LAN-to-LAN yet.

(Supposedly there is a "Dial-Up Networking 128-bit Encryption Upgrade"
for Windows 98 (SE?) but I've yet to see anyone successfully find and
install and run it.)

Some comments/questions/suggestions:

--- Make sure clients have "enable pptp pass-through" or equivalent on
their router.  Some very confusing errors can result if the router is
somehow blocking pptp.  For instance, looking at the mpd output on the
server you'll see clients trying to connect but it will seem like mpd
just doesn't recognize or allow the protocol.

--- mpd.secret.sample was misleading because it had a sample client
assigned to 192.168.1.1, whereas 192.168.1.1 was used as the mpd
server in mpd.conf.sample and mpd.links.example.  So for a while my
test client was getting the 192.168.1.1 address which of course
resulted in a useless/unusable connection (but Windows still said the
connection was valid).

--- mpd will always try to load the kernel module, giving you mucho
errors if you already have NETGRAPH and/or NETGRAPH_* in your kernel.
So I guess the rule is, "Don't compile netgraph into your kernel!"
which should be explicitly stated somewhere (unless I missed it).  Or
maybe mpd could check before trying to load it?

--- Clients are unable to look up computers by name or see computers
in the 'Network Neighborhood'.  We have a Windows 2000 server running
WINS at 192.168.1.2, and 'ipconfig /all' on the clients appropriately
says that their primary WINS server is at 192.168.1.2.  The WINS
database is nonempty.  What is wrong?  Typing in the ip address
explicitly in explorer works, e.g. "\\192.168.1.6".

--- Can I make a LAN-to-LAN pptp vpn when the address of the other
side is not known ahead of time?  (e.g., the client has a dialup
connection.)

--- Has anyone connected LAN-to-LAN pptp vpn where the other side is a
Windows box?  We don't have the time or resources to build freebsd
boxes and send them to other offices/clients.  (In fact we have no IT
staff at all, I'm just a programmer who knows freebsd and wanted vpn.)
And, sigh, less enlightened clients are uncomfortable with trying
freebsd...

--- It would be nice to have a way to specify n number of clients
without cutting and pasting entries in mpd.conf and mpd.links n times.
Maybe a template mechanism?

--- Does anyone write firewall rules for ng0, ng1, etc.?

--- The mpd manual is a little daunting; is there a hand-holding /
getting started guide to mpd available?

--- Archie Cobbs really did some nice work here.  Thanks Archie.

On a personal note, I found freebsd/mpd with ipfilter/ipnat as the
most elegant set of tools available for this sort of thing.  While a
firewall is not directly related to pptp/vpn/mpd, they do need to
interact, and ipfilter was particularly nice for this.

I can pretend to have an authoritative opinion because I did try many
other tools: linux/poptop, freebsd/poptop, Windows 2000/vpn (it goes
without saying that Windows tools are undesirable), linux/ipchains,
linux/netfilter, freebsd/ipfw (with all due respect to the ipfw
authors).

freebsd/mpd/ipfilter/ipnat was just beautiful in the end.

Regards,
Jeff

-------------------------------------------------------------------
p.s.:

When searching the archives for answers to various problems I'm always
grateful to find someone who "spelled it out."  It makes it much
easier to see what's causing the problem when there are examples
available for comparison.  So here is my example.

Freebsd firewall running ipfilter/ipnat:
   internal interface xl0 192.168.1.1
   external interface xl1 1.2.3.4

This firewall is also the machine running mpd.

I could just as well run mpd on a different machine on the internal
network, and I'll probably do so when another machine is available.
The "rdr" rules in ipnat.rules would go to that machine instead of
192.168.1.1.

All incoming packets are blocked except for
	(1) SYN packets on the two vpn ports
	(2) packets from established vpn connections
	(3) packets from established inside-initiated connections

For more security one would filter on both interfaces and add
anti-spoofing rules (and other rules I'm sure), but this suffices as a
starting point and shows rules needed for vpn.

-------------------------------------------------------------------
file: ipf.rules
-------------------------------------------------------------------

#############################################
# external
#############################################

# kill stupid netbios both ways right off the bat
# ("port =" needs a proto; NetBIOS name/datagram service is UDP, session is TCP)
block out quick on xl1 proto tcp/udp from any to any port = 137
block out quick on xl1 proto tcp/udp from any to any port = 138
block in quick on xl1 proto tcp/udp from any to any port = 137
block in quick on xl1 proto tcp/udp from any to any port = 138

# outgoing
# (ipf filters outbound packets before ipnat maps them, so the source seen
# here is still the 192.168.1.x address; "from any" keeps this simple)

# pass out tcp/udp/icmp and keep state so the replies are let back in
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state

# the unusual protocol needed for vpn: GRE, IP protocol 47 (it has no ports)
pass out quick on xl1 proto gre from any to any

# incoming
# (ipnat's rdr rules run before inbound filtering, so a redirected PPTP
# packet already has the mpd host's address 192.168.1.1 as destination)

# vpn control connection: TCP port 1723, listen for SYN and keep state
pass in quick on xl1 proto tcp from any to 192.168.1.1/32 port = 1723 flags S keep state

# vpn tunnel data: GRE has no port, so "proto tcp ... port = 47" can never
# match it; it is not redirected in ipnat.rules either, so it still carries
# the external address when it reaches this rule
pass in quick on xl1 proto gre from any to 1.2.3.4/32

# block in everything else
block in quick on xl1 all

#############################################
# internal
#############################################

# allow everything in and out
pass in quick on xl0
pass out quick on xl0

#############################################
# loopback
#############################################

# allow everything in and out
pass in quick on lo0
pass out quick on lo0

-------------------------------------------------------------------
file: ipnat.rules
-------------------------------------------------------------------

#############################################
# outside --> inside
#############################################

# vpn redirect: the PPTP control connection (TCP 1723) to the mpd host.
# GRE (IP protocol 47) has no ports, so a "port 47" rdr can never match the
# tunnel packets; with mpd on this same machine they are delivered locally
# without any rdr.
rdr xl1 1.2.3.4/32 port 1723 -> 192.168.1.1 port 1723 tcp

#############################################
# inside --> outside
#############################################

# ftp proxy for stupid internet explorer
map xl1 192.168.1.0/24 -> 1.2.3.4/32 proxy port 21 ftp/tcp

# map with portmap 
map xl1 192.168.1.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:60000 

# map everything else
map xl1 192.168.1.0/24 -> 1.2.3.4/32

-------------------------------------------------------------------
file: mpd.conf
-------------------------------------------------------------------

default:
	load client0 
	load client1

client0:
	new -i ng0 pptp0 pptp0
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set bundle disable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set ipcp ranges 192.168.1.1/32 192.168.1.200/32
	set ipcp dns 192.168.1.2
	set ipcp nbns 192.168.1.2
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

client1:
	new -i ng1 pptp1 pptp1
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set bundle disable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set ipcp ranges 192.168.1.1/32 192.168.1.201/32
	set ipcp dns 192.168.1.2
	set ipcp nbns 192.168.1.2
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

-------------------------------------------------------------------
file: mpd.links
-------------------------------------------------------------------

pptp0:
        set link type pptp
        set pptp self 192.168.1.1
        set pptp enable incoming
        set pptp disable originate

pptp1:
        set link type pptp
        set pptp self 192.168.1.1
        set pptp enable incoming
        set pptp disable originate


-------------------------------------------------------------------
file: mpd.secret
-------------------------------------------------------------------

generic_client_username    "some_password"




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020504144400.33409.qmail>
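The per-client template the post asks for, as an added example that is not part of the original message: a POSIX sh script that emits mpd.conf, mpd.links and the ipf rules for ng0..ngN-1 for N clients, and refuses to hand a client the server's own address (the mpd.secret.sample trap described above) or an address past .254. Directive names are the mpd 3.x ones used in the post; the pool layout (one /24, server at .1, clients from .200 upward), the per-interface rules, and offering only 128-bit MPPE (the post's config also enables mpp-e40) are the editor's assumptions, not the author's or the mpd project's.

```shell
#!/bin/sh
# Generate mpd.conf and mpd.links sections plus ipf rules for N PPTP clients,
# instead of pasting the client0/client1 blocks N times.
# Added example, not from the original post. Directive names follow mpd 3.x
# as used in the post; the address layout and interface names are assumptions.
set -eu

SERVER_IP=${SERVER_IP:-192.168.1.1}      # mpd's side of every link (pptp self / ipcp local)
NAME_SERVER=${NAME_SERVER:-192.168.1.2}  # DNS and WINS address handed to clients
NET_PREFIX=${NET_PREFIX:-192.168.1}      # first three octets of the client pool
POOL_START=${POOL_START:-200}            # last octet of client 0's address

# Client index -> peer address. Refuses the two addresses that give a "valid"
# but useless link: the server's own address and anything past .254.
peer_addr() {
    octet=$((POOL_START + $1))
    if [ "$octet" -gt 254 ]; then
        echo "client $1: pool exhausted (last octet $octet)" >&2
        return 1
    fi
    addr="$NET_PREFIX.$octet"
    if [ "$addr" = "$SERVER_IP" ]; then
        echo "client $1: would get the server's own address $SERVER_IP" >&2
        return 1
    fi
    echo "$addr"
}

# Fail before emitting anything if any client in 0..N-1 has no usable address.
check_pool() {
    i=0
    while [ "$i" -lt "$1" ]; do
        peer_addr "$i" >/dev/null || return 1
        i=$((i + 1))
    done
}

# mpd.conf: a "default" label loading every client, then one bundle per client.
# Only 128-bit MPPE is offered; mpp-e40 is deliberately left out.
gen_mpd_conf() {
    check_pool "$1" || return 1
    echo "default:"
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "        load client$i"
        i=$((i + 1))
    done
    echo
    i=0
    while [ "$i" -lt "$1" ]; do
        peer=$(peer_addr "$i")
        cat <<EOF
client$i:
        new -i ng$i pptp$i pptp$i
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 1800
        set bundle disable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp ranges $SERVER_IP/32 $peer/32
        set ipcp dns $NAME_SERVER
        set ipcp nbns $NAME_SERVER
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e128
        set ccp yes mpp-stateless

EOF
        i=$((i + 1))
    done
}

# mpd.links: one incoming-only PPTP link per client.
gen_mpd_links() {
    i=0
    while [ "$i" -lt "$1" ]; do
        cat <<EOF
pptp$i:
        set link type pptp
        set pptp self $SERVER_IP
        set pptp enable incoming
        set pptp disable originate

EOF
        i=$((i + 1))
    done
}

# ipf rules for the tunnel interfaces: on each ngN only the address assigned
# to that client may source traffic into the LAN; replies ride on the state.
gen_ipf_rules() {
    check_pool "$1" || return 1
    i=0
    while [ "$i" -lt "$1" ]; do
        peer=$(peer_addr "$i")
        echo "pass in quick on ng$i proto tcp/udp from $peer/32 to $NET_PREFIX.0/24 keep state"
        echo "pass in quick on ng$i proto icmp from $peer/32 to $NET_PREFIX.0/24 keep state"
        echo "block in quick on ng$i all"
        i=$((i + 1))
    done
}

# Stand-alone: print all three pieces for the number of clients given (default 2).
main() {
    n=${1:-2}
    echo "# ---- mpd.conf ----";  gen_mpd_conf "$n"
    echo "# ---- mpd.links ----"; gen_mpd_links "$n"
    echo "# ---- ipf rules for ng0..ng$((n - 1)) ----"; gen_ipf_rules "$n"
}
main "$@"
```

Run it as `sh gen-mpd.sh 8 > out.txt` and split the output into the three files; raise POOL_START or change SERVER_IP in the environment to fit another layout, and the script stops with an error rather than emitting a client that would collide with the server address.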