Date: Sat, 4 May 2002 07:44:00 -0700 (PDT)
From: Jeff Mitchell <jeff4492@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: A PPTP VPN success story
Message-ID: <20020504144400.33409.qmail@web21501.mail.yahoo.com>
keywords: pptp vpn mpd ipfilter ipnat tunnel tunneling Windows 2000

Cool, it works! I have Windows 2000 pptp clients connecting at "maximum strength" 128-bit encryption with MS-CHAPv2 authentication to a freebsd 4.5-RELEASE-p4 box. This is only on a per-computer basis right now; I haven't tried LAN-to-LAN yet. (Supposedly there is a "Dial-Up Networking 128-bit Encryption Upgrade" for Windows 98 (SE?) but I've yet to see anyone successfully find and install and run it.)

Some comments/questions/suggestions:

--- Make sure clients have "enable pptp pass-through" or equivalent on their router. Some very confusing errors can result if the router is somehow blocking pptp. For instance, looking at the mpd output on the server you'll see clients trying to connect but it will seem like mpd just doesn't recognize or allow the protocol.

--- mpd.secret.sample was misleading because it had a sample client assigned to 192.168.1.1, whereas 192.168.1.1 was used as the mpd server in mpd.conf.sample and mpd.links.example. So for a while my test client was getting the 192.168.1.1 address, which of course resulted in a useless/unusable connection (but Windows still said the connection was valid).

--- mpd will always try to load the kernel module, giving you mucho errors if you already have NETGRAPH and/or NETGRAPH_* in your kernel. So I guess the rule is, "Don't compile netgraph into your kernel!" which should be explicitly stated somewhere (unless I missed it). Or maybe mpd could check before trying to load it?

--- Clients are unable to look up computers by name or see computers in the 'Network Neighborhood'. We have a Windows 2000 server running WINS at 192.168.1.2, and 'ipconfig /all' on the clients appropriately says that their primary WINS server is at 192.168.1.2. The WINS database is nonempty. What is wrong? Typing in the ip address explicitly in explorer works, e.g. "\\192.168.1.6".

--- Can I make a LAN-to-LAN pptp vpn when the address of the other side is not known ahead of time? (e.g., the client has a dialup connection.)

--- Has anyone connected LAN-to-LAN pptp vpn where the other side is a Windows box? We don't have the time or resources to build freebsd boxes and send them to other offices/clients. (In fact we have no IT staff at all, I'm just a programmer who knows freebsd and wanted vpn.) And, sigh, less enlightened clients are uncomfortable with trying freebsd...

--- It would be nice to have a way to specify n number of clients without cutting and pasting entries in mpd.conf and mpd.links n times. Maybe a template mechanism?

--- Does anyone write firewall rules for ng0, ng1, etc?

--- The mpd manual is a little daunting; is there a hand-holding / getting started guide to mpd available?

--- Archie Cobbs really did some nice work here. Thanks Archie.

On a personal note, I found freebsd/mpd with ipfilter/ipnat as the most elegant set of tools available for this sort of thing. While a firewall is not directly related to pptp/vpn/mpd, they do need to interact, and ipfilter was particularly nice for this. I can pretend to have an authoritative opinion because I did try many other tools: linux/poptop, freebsd/poptop, Windows 2000/vpn (it goes without saying that Windows tools are undesirable), linux/ipchains, linux/netfilter, freebsd/ipfw (with all due respect to the ipfw authors). freebsd/mpd/ipfilter/ipnat was just beautiful in the end.

Regards,
Jeff

-------------------------------------------------------------------

p.s.: When searching the archives for answers to various problems I'm always grateful to find someone who "spelled it out." It makes it much easier to see what's causing the problem when there are examples available for comparison. So here is my example.

Freebsd firewall running ipfilter/ipnat:
  internal interface xl0 192.168.1.1
  external interface xl1 1.2.3.4

This firewall is also the machine running mpd. I could just as well run mpd on a different machine on the internal network, and I'll probably do so when another machine is available. The "rdr" rules in ipnat.rules would go to that machine instead of 192.168.1.1.

All incoming packets are blocked except for
  (1) SYN packets on the two vpn ports
  (2) packets from established vpn connections
  (3) packets from established inside-initiated connections

For more security one would filter on both interfaces and add anti-spoofing rules (and other rules I'm sure), but this suffices as a starting point and shows rules needed for vpn.

-------------------------------------------------------------------
file: ipf.rules
-------------------------------------------------------------------
#############################################
# external
#############################################

# kill stupid netbios both ways right off the bat
block out quick on xl1 from any to 1.2.3.4/27 port = 137
block out quick on xl1 from any to 1.2.3.4/27 port = 138
block in quick on xl1 from any to 1.2.3.4/27 port = 137
block in quick on xl1 from any to 1.2.3.4/27 port = 138

# outgoing
# pass out tcp/udp/icmp and keep state
pass out quick on xl1 proto tcp from any to 1.2.3.4/27 keep state
pass out quick on xl1 proto udp from any to 1.2.3.4/27 keep state
pass out quick on xl1 proto icmp from any to 1.2.3.4/27 keep state
# pass out some unusual protocols needed for vpn
pass out quick on xl1 from any to 1.2.3.4/27

# incoming
# vpn ports: listen for SYN and keep state
pass in quick on xl1 proto tcp from any to 1.2.3.4/27 port = 47 flags S keep state
pass in quick on xl1 proto tcp from any to 1.2.3.4/27 port = 1723 flags S keep state
# block in everything else
block in quick on xl1 from any to 1.2.3.4/27

#############################################
# internal
#############################################

# allow everything in and out
pass in quick on xl0
pass out quick on xl0

#############################################
# loopback
#############################################

# allow everything in and out
pass in quick on lo0
pass out quick on lo0

-------------------------------------------------------------------
file: ipnat.rules
-------------------------------------------------------------------
#############################################
# outside --> inside
#############################################

# vpn redirect ports
rdr xl1 1.2.3.4/32 port 1723 -> 192.168.1.1 port 1723
rdr xl1 1.2.3.4/32 port 47 -> 192.168.1.1 port 47

#############################################
# inside --> outside
#############################################

# ftp proxy for stupid internet explorer
map xl1 192.168.1.0/24 -> 1.2.3.4/32 proxy port 21 ftp/tcp
# map with portmap
map xl1 192.168.1.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:60000
# map everything else
map xl1 192.168.1.0/24 -> 1.2.3.4/32

-------------------------------------------------------------------
file: mpd.conf
-------------------------------------------------------------------
default:
	load client0
	load client1

client0:
	new -i ng0 pptp0 pptp0
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set bundle disable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set ipcp ranges 192.168.1.1/32 192.168.1.200/32
	set ipcp dns 192.168.1.2
	set ipcp nbns 192.168.1.2
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

client1:
	new -i ng1 pptp1 pptp1
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set bundle disable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set ipcp ranges 192.168.1.1/32 192.168.1.201/32
	set ipcp dns 192.168.1.2
	set ipcp nbns 192.168.1.2
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

-------------------------------------------------------------------
file: mpd.links
-------------------------------------------------------------------
pptp0:
	set link type pptp
	set pptp self 192.168.1.1
	set pptp enable incoming
	set pptp disable originate

pptp1:
	set link type pptp
	set pptp self 192.168.1.1
	set pptp enable incoming
	set pptp disable originate

-------------------------------------------------------------------
file: mpd.secret
-------------------------------------------------------------------
generic_client_username "some_password"
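The "template mechanism" asked for above and the vpn rules in the p.s., as an added shell example that is not part of Jeff's post: it generates the per-client mpd.conf and mpd.links stanzas for any number of clients and emits the two ipfilter rules PPTP actually needs, TCP 1723 for control plus GRE, which is IP protocol 47 and not a TCP port, so a "port = 47" rule never matches it. It assumes the addresses from the post (server 192.168.1.1, WINS/DNS 192.168.1.2, clients numbered from 192.168.1.200 upward, one ng<i>/pptp<i> pair per client) and keeps only 128-bit MPPE, dropping the 40-bit mpp-e40 option.

```shell
#!/bin/sh
# Added example (not from the original post): emit mpd.conf and mpd.links
# stanzas for N PPTP clients instead of pasting them N times, plus the ipfilter
# rules PPTP needs. Assumed (as in the post): server 192.168.1.1, WINS/DNS .2.
SERVER=192.168.1.1
NBNS=192.168.1.2
gen_mpd_conf() { n=$1; i=0             # usage: gen_mpd_conf N
  echo "default:"
  while [ "$i" -lt "$n" ]; do echo "  load client$i"; i=$((i+1)); done
  i=0
  while [ "$i" -lt "$n" ]; do          # client i gets 192.168.1.(200+i)
    cat <<EOF
client$i:
  new -i ng$i pptp$i pptp$i
  set iface disable on-demand
  set iface enable proxy-arp
  set iface idle 1800
  set bundle disable multilink
  set link yes acfcomp protocomp
  set link no pap chap
  set link enable chap
  set link keep-alive 10 60
  set ipcp yes vjcomp
  set ipcp ranges $SERVER/32 192.168.1.$((200 + i))/32
  set ipcp dns $NBNS
  set ipcp nbns $NBNS
  set bundle enable compression
  set ccp yes mppc
  set ccp yes mpp-e128
  set ccp yes mpp-stateless
EOF
    i=$((i+1))
  done
}
gen_mpd_links() { n=$1; i=0            # usage: gen_mpd_links N
  while [ "$i" -lt "$n" ]; do
    printf '%s\n' "pptp$i:" "  set link type pptp" "  set pptp self $SERVER" \
      "  set pptp enable incoming" "  set pptp disable originate"
    i=$((i+1))
  done
}
# PPTP needs TCP 1723 for control and GRE (IP protocol 47) for the tunnel;
# GRE has no ports, so a "port = 47" rule can never match it.
gen_ipf_rules() {                      # usage: gen_ipf_rules EXT_IF EXT_ADDR
  cat <<EOF
pass in quick on $1 proto tcp from any to $2/32 port = 1723 flags S keep state
pass in quick on $1 proto gre from any to $2/32
pass out quick on $1 proto gre from $2/32 to any
EOF
}
```

Source the file and call the functions, e.g. `gen_mpd_conf 5 > mpd.conf` or `gen_ipf_rules xl1 1.2.3.4`; the rules assume mpd runs on the firewall itself, as in the post, so no ipnat rdr is needed for them.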