PPTP VPN in FreeBSD (for Windows XP/Vista/7 clients)

Here’s a simple guide to setting up a VPN server on FreeBSD so that Windows clients can connect using their built-in VPN clients…

First, make sure your ports collection is up-to-date, then build poptop in /usr/ports/net/poptop:

# cd /usr/ports/net/poptop/
# make
# make install

Next we need to create a config file for poptop… create the file /usr/local/etc/pptpd.conf as follows:

nobsdcomp
proxyarp
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless

Next we need to create a PPP configuration file called /etc/ppp/ppp.conf (overwrite the existing file) as follows (edit the IPs to suit your network requirements):

loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 # Server (local) IP address, Range for Clients, and Netmask
 set ifaddr 192.168.31.254 192.168.31.120-192.168.31.128 255.255.255.255
 set server /tmp/vpn-in-%d "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 disable pap
 disable passwdauth
 disable ipv6cp
 enable proxy
 accept dns
 enable MSChapV2
 enable mppe
 disable deflate pred1
 deny deflate pred1
 set device !/etc/ppp/secure

Every line above except those ending with a colon (:) must be indented by at least one space, or ppp.conf will not work.

Next we need to create a file called /etc/ppp/secure with the following contents:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Then make it executable with chmod 0755 /etc/ppp/secure – ppp runs this script automatically during the VPN setup process.

Now we need to add logins for the VPN in /etc/ppp/ppp.secret (one username/password pair per line; the file can hold as many as you like), like so:

user1 pass1
user2 pass2
user3 pass3

Now we need to enable proxy ARP in FreeBSD. Add the following line to /etc/sysctl.conf:

net.link.ether.inet.proxyall=1

To activate it without a reboot, type sysctl net.link.ether.inet.proxyall=1

And finally set the VPN server to start on bootup automatically by adding the following into /etc/rc.conf:

pptpd_enable="YES"

Now start up the VPN server by running:

/usr/local/etc/rc.d/pptpd start
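As an added check that is not part of the original article, the following POSIX shell script verifies the server-side pieces above before you hand out credentials: that every ppp.conf command line is indented, that /etc/ppp/secure is executable, that ppp.secret (which stores passwords in plaintext) is not readable by other users, that rc.conf contains pptpd_enable="YES" with straight ASCII quotes (curly quotes pasted from a web page silently stop pptpd from starting at boot), and that the two sysctls are set. The script name pptp-preflight.sh and its run argument are my conventions; the file paths are the article's.

```shell
#!/bin/sh
# pptp-preflight.sh: added example, not part of the original article.
# Sanity-checks the server-side setup described above. Each check takes an
# explicit path so it can be run against a copy; paths in main() are the
# article's. Usage: sh pptp-preflight.sh run

# ppp(8) only parses commands that are indented under a flush-left "label:"
# line. Report every non-blank, non-comment, non-label line that is not
# indented; return 1 if any were found.
check_ppp_conf_indent() {
    bad=$(awk '
        /^[[:blank:]]*$/                  { next }   # blank line
        /^[[:blank:]]*#/                  { next }   # comment
        /^[A-Za-z0-9_.-]+:[[:blank:]]*$/  { next }   # section label: flush left is correct
        /^[[:blank:]]/                    { next }   # indented command: fine
        { printf "%d: %s\n", NR, $0 }                # flush-left command: ppp will not see it
    ' "$1")
    [ -z "$bad" ] && return 0
    printf 'unindented command lines in %s:\n%s\n' "$1" "$bad" >&2
    return 1
}

# ppp.secret holds plaintext passwords: refuse a file that group or others can
# read or write (checked with POSIX find -perm, so it works on any Unix).
check_secret_perms() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$1: readable or writable by group/others; chmod 0600 it" >&2
        return 1
    fi
    return 0
}

# /etc/ppp/secure is exec'd by ppp for each incoming call, so it must be executable.
check_secure_script() {
    [ -x "$1" ] && return 0
    echo "$1: missing or not executable (chmod 0755)" >&2
    return 1
}

# rc.conf must contain pptpd_enable="YES" with plain ASCII double quotes; the
# curly quotes that web pages substitute do not match, and rc(8) would then
# refuse to start pptpd at boot.
check_rc_conf() {
    grep -Eiq '^[[:blank:]]*pptpd_enable="?yes("|[[:blank:]]|$)' "$1" && return 0
    echo "$1: no usable pptpd_enable=\"YES\" line (check for curly quotes)" >&2
    return 1
}

# Compare a sysctl knob with the expected value; skipped (with a note) where
# sysctl is unavailable, e.g. when trying the script on a non-FreeBSD host.
check_sysctl() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not found, skipping $1" >&2; return 0; }
    got=$(sysctl -n "$1" 2>/dev/null) || { echo "$1: no such sysctl" >&2; return 1; }
    [ "$got" = "$2" ] && return 0
    echo "$1 is $got, expected $2 (run sysctl $1=$2 and add it to /etc/sysctl.conf)" >&2
    return 1
}

# Run every check against the article's paths; non-zero exit if any failed.
main() {
    rc=0
    check_ppp_conf_indent /etc/ppp/ppp.conf || rc=1
    check_secure_script /etc/ppp/secure || rc=1
    check_secret_perms /etc/ppp/ppp.secret || rc=1
    check_rc_conf /etc/rc.conf || rc=1
    check_sysctl net.link.ether.inet.proxyall 1 || rc=1
    check_sysctl net.inet.ip.forwarding 1 || rc=1
    return $rc
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root with sh pptp-preflight.sh run; every failing check prints what to fix on stderr and the exit status is non-zero, so it can also be dropped into a cron job to catch a ppp.secret that has drifted to world-readable after an edit.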

Your VPN server is now ready on your FreeBSD server and you’re ready to configure your Windows clients to connect to it. I’ll give you an example of how to do it on Windows 7; I’m sure you can find out how to do it on earlier versions of Windows…

  1. Go to Start
  2. Open Control Panel
  3. Under Network and Internet, click View network status and tasks
  4. Click Set up a new connection or network at the bottom of the page
  5. Choose Connect to a workplace and click Next
  6. Select No, create a new connection and click Next
  7. Select Use my Internet connection (VPN)
  8. Enter the IP address of your VPN server in Internet address and give it a description below.
  9. Check Don’t connect now; just set it up so I can connect later and click Next
  10. Enter the username and password from your ppp.secret file, leave Domain blank, click Create
  11. Click Close
  12. Click Change adapter settings on the left of your Network and Sharing Center window
  13. Right-click on your new VPN and go to Properties
  14. Go to the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and click Properties
  15. Click Advanced
  16. Uncheck Use default gateway on remote network (this enables split tunnelling mode which is probably what you will want to use)
  17. Click Ok then Ok then Ok and close the Network Connections window.

Now your VPN is set up, you can connect by clicking on the network icon in your taskbar, clicking your VPN in the list and clicking on Connect.

Windows Vista is similar to Windows 7 to configure. Windows XP is a little different – but the general setup is identical on all three flavours of Windows.

Split tunnelling mode is when you join the remote network without routing your entire internet connection through it. If you want to route your entire connection via the VPN, you can skip steps 12-17 above.

37 thoughts on “PPTP VPN in FreeBSD (for Windows XP/Vista/7 clients)”

  1. Andrey

    Hi.

    On FreeBSD 8 I get an error:
    Mar 4 00:48:25 autopilot ppp[9822]: IPCP: myaddr 192.168.1.254 hisaddr = 192.168.1.128
    Mar 4 00:48:25 autopilot ppp[9822]: Error: Add proxy arp entry 192.168.1.128: File exists
    Mar 4 00:48:25 autopilot kernel: Mar 4 00:48:25 autopilot ppp[9822]: Error: Add proxy arp entry 192.168.1.128: File exists

    and all packets are lost…
    listening on tun1, link-type NULL (BSD loopback), capture size 96 bytes
    00:49:49.591035 IP 192.168.1.128 > 192.168.1.3: ICMP echo request, id 768, seq 256, length 40
    00:49:54.711507 IP 192.168.1.128 > 192.168.1.3: ICMP echo request, id 768, seq 512, length 40
    00:50:00.196823 IP 192.168.1.128 > 192.168.1.3: ICMP echo request, id 768, seq 768, length 40
    00:50:05.716393 IP 192.168.1.128 > 192.168.1.3: ICMP echo request, id 768, seq 1024, length 40

    ip 192.168.1.3 – on local lan

    autopilot# ifconfig tun1
    tun1: flags=8051 metric 0 mtu 1398
    inet 192.168.1.254 --> 192.168.1.128 netmask 0xffffffff
    Opened by PID 9822

    Maybe you know where my error is?
    I changed only the IP:
    set ifaddr 192.168.31.254 192.168.31.120-192.168.31.128 255.255.255.255
    to:
    set ifaddr 192.168.1.254 192.168.1.120-192.168.1.128 255.255.255.255

    1. dan Post author

      Add:

      net.link.ether.inet.proxyall=1

      to /etc/sysctl.conf and then type “sysctl net.link.ether.inet.proxyall=1” to activate it without rebooting.

      Thanks,

      Dan.

  2. kevin

    Cannot register computer on network. What did I do wrong?
    I need to set up a fully working VPN server with internet for school.

  3. Rick G

    Really weird issue. My iMac VPN connection to the FreeBSD 7.3 PPP Server works fine – I can open a term and ping everything inside the Firewall… Using a Windows XP, I get connected but it can do nothing… I noted this difference:

    XP on connect:

    192.168.0.249 192.168.0.84 UGH 0 0 em0

    ff02::%tun0/32 fe80::202:a5ff:fe4c:85ae%tun0 UGC tun0

    ****************
    iMac on connect:

    192.168.0.242 192.168.0.84 UGH 0 33 tun1

    ff02::%tun1/32 fe80::202:a5ff:fe4c:85ae%tun1 UGC tun1

    What am I missing on the Winders machine that causes a “tunX” to fail to be created in netstat and remains totally useless while a Mac does it all? (I am not a Mac snob… I got to get these Winders machines working for the client tho!)

    Idears?

    Thanx in advance…

    -Ricker

    1. dan Post author

      Hmm, I’m not sure – I’ve not tried it with XP – it uses a different VPN stack to everything else.
      I don’t have any XP machines left to test on – everything on windows 7 now 🙁

      1. dan Post author

        You should check the ‘proxyall’ is set in sysctl.conf, and also make sure the machine is set to forwarding (check sysctl net.inet.ip.forwarding is ‘1’)

  4. Rick G

    Well shucks, Dan! Thanks any old way for getting back to me. If the problem is a retro-VPN stack on the WinXP boxes, then the boss will need to do a little “investing” on some newer equipment! Certainly takes the pressure off me! ;^)

    Cheers!

    -Ricker

  5. Rick G

    Actually, going into pptpd.conf and commenting out these fixed it. Seems that after XP SP3, Msoft made some changes that would break PPP..

    ———-
    #chapms-v2
    #+mschap-v2
    #mppe-40
    #mppe-128
    #mppe-stateless
    ———-

    Now the VPN will tunnel and access the shares properly… Maybe this will help someone else!

    Cheers,

    Ricker

  6. Rick G

    Correction – the only pptpd.conf config that caused the VPN problem after the SP3 update was:

    #+mschap-v2

    chapms-v2, and all the mppe configs are fine. Something happened in SP3 that broke +mschap-v2 and won’t allow tunneling on the VPN Server. I am using FreeBSD 7.3 PPTPD/PPP on an HP DL580.

    Client is happy with their new VPN Access – and I get to blame Bill Gates for the delay in getting their VPN going! Win/Win for me!

    Cheers,

    -Ricker

  7. Mike

    Thank you! This fixed my issue of Warning: Label pptp rejected -direct connection: Configuration label not found. I see many posts asking about it but no fixes for it and this did the trick.

    Thanks Again,
    Mike

  8. Richard Pilkington

    I have set up the vpn as above successfully. The only problem I am having is when the server is restarted after a power failure I have to manually start the pptpd.

    The /etc/rc.conf file contains the line
    pptpd_enable="YES"

    but it still does not seem to start.

    Any suggestions?

  9. dan Post author

    Check your log files (maybe /var/log/debug.log) to see if there are any notices about it when it starts up. It may be that it loads up too quickly, or is waiting for another service that has not started (perhaps it needs to look up an IP and runs before DHCP can assign an IP) – hard to tell as I don’t know your system configuration.

    Hopefully, the logs will point you in the right direction though.

  10. Richard Pilkington

    Dan
    Thanks for the response.
    I looked at /var/log/debug.log and the only entries it had were like:
    Oct 7 11:30:12 servername pptpd[number]: CTRL: Reaping Child PPP[number]
    Which, I assume is someone connecting to the vpn.
    I will take note on the next restart if there are any messages during boot time and try from there. (the boot messages in the logs have been rotated out of existence by now).
    I am running a very old (FreeBSD 5.2.1) firewall server which I am hoping to upgrade soon. I do not know if this affects anything.

  11. igor

    Dan sir,
    I’m still unable to connect to the internet.
    I’m using a minimal install of FreeBSD 8.2 without a firewall.

    /etc/sysctl.conf
    net.link.ether.inet.proxyall=1
    net.inet.ip.forwarding=1

    enable without reboot
    sysctl net.link.ether.inet.proxyall=1
    sysctl net.inet.ip.forwarding=1

    i’m using your default config
    am i missing something?

    1. dan Post author

      So long as the IPs in your configuration are valid for your network, it should be fine.
      The IPs must be part of your internet access router’s block of IPs it uses for NAT.

  12. sking

    Hi, my VPN only lets one client reach the local network, although other clients can successfully connect to the VPN. The other clients cannot even reach the VPN server. Why?

  13. reņģis

    Thanks, took me a while to correctly parse the instructions for setting up the network addresses. In case anyone else has the same problem that they connect to the VPN but can’t use the internet: I set the first address to the server’s IP, and I set the second one as a range in the same block, and that was it.

  14. tm

    I get this message when i run “make install” on poptop port: “poptop-1.3.4_2 is marked as broken: fails to build with new utmpx”

    Is there anyway around this problem?

    1. dan Post author

      I have a patch waiting to go into the FreeBSD ports collection to make it work on FreeBSD 9.x – if you can’t wait for it to get into it (it can take a while), and you’re happy editing files etc – feel free to email me and I’ll reply with instructions to do it.

        1. dan Post author

          The change for this port has been committed to the ports tree now – if you update your ports (see my other post on how to do it if you don’t already know) it will allow you to build on FreeBSD 9 using the instructions in this blog article. Thanks 🙂

  15. Carlos

    Hi Dan,

    Thank you for this tutorial; it works very well for me.

    I would like to give a static address to each user.

    Taking the FreeBSD example:
    ———————————————————-
    28.2.1.2.9 Setting Up ppp.conf for Static-IP Users
    [..]
    fred:
    set ifaddr 203.14.100.1 203.14.101.1 255.255.255.255
    sam:
    set ifaddr 203.14.100.1 203.14.102.1 255.255.255.255
    mary:
    set ifaddr 203.14.100.1 203.14.103.1 255.255.255.255
    ———————————————————-

    Is it possible to do that and, if it is the case, how to do it?

    If you could help me, it would be great.

    Thank you,

    Carlos

    1. dan Post author

      Sure – simply add the IP address at the end of the line in the ppp.secret file and that user will be given that IP when they login.
      No netmask info is needed… e.g. “username password 172.16.0.1” will give ‘username’ 172.16.0.1 when they login.

  16. Adrian Peña

    Hi, thank you for this tutorial (I’m a big noob on FreeBSD, familiar with Linux and basic network settings). I managed to configure and start the pptpd on the office server and connect locally on a Win 7 machine inside the office. The office connects to the internet through that same server (DNS/squid configured). Now I’m at home but I can’t connect: when configuring my laptop (Windows 7) and setting the new VPN network connection I used my office external IP address for the “Internet Address” field but it refuses to connect. Should I configure something on my office server firewall?

    Thank you in advance.

    1. dan Post author

      Hi, you will need to allow TCP port 1723 and also GRE (protocol 47) packets to be allowed. With both of those, PPTP should work.

  17. Adrian

    I’m sorry for being such a noob but how can I do that? This FreeBSD is using pf and the rules are in /etc/pf.conf. I’m reading the manual but I don’t know where to declare the ports or that protocol 47 thing.

    Thank you and sorry for troubling

    1. dan Post author

      Hi Adrian – Unfortunately, I’m not familiar with pf so I’m not sure how you would do this 🙁

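Adrian’s pf question goes unanswered in the thread. As an added example that is neither Dan’s nor the poptop project’s, here is a pf.conf fragment for exactly the two things Dan names (TCP port 1723 for the control connection and GRE, IP protocol 47, for the tunnel), wrapped in a small shell script that prints it and syntax-checks it with pfctl -n where pfctl is installed. The external interface name em0 is an assumption, as is the usual pass out rule already being present in pf.conf so that replies and outbound GRE are not blocked.

```shell
#!/bin/sh
# Added example, not from the article or its author: pf rules that let PPTP
# reach the server. PPTP needs TCP/1723 for the control connection and GRE
# (IP protocol 47) for the tunnel, so both must be passed in on the external
# interface. EXT_IF is an assumption; set it to your real outside interface.
EXT_IF="${EXT_IF:-em0}"

# Print the rules fragment for review; splice it into /etc/pf.conf after the
# block/default-deny rules. Assumes pf.conf already has a "pass out" rule
# so that the server's replies (and its GRE packets) can leave.
pptp_pf_rules() {
    cat <<EOF
# PPTP control channel (TCP/1723) and data channel (GRE, protocol 47),
# inbound on the external interface; the state entry lets replies back out.
pass in quick on $EXT_IF proto tcp from any to ($EXT_IF) port 1723 keep state
pass in quick on $EXT_IF proto gre from any to ($EXT_IF) keep state
EOF
}

# Parse the fragment with pfctl -n (syntax check only; nothing is loaded).
# Returns 0 when pfctl accepts it, 2 when pfctl is not installed (e.g. when
# reviewing the fragment on a non-BSD workstation), 1 on a syntax error.
pptp_pf_check() {
    command -v pfctl >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    pptp_pf_rules > "$tmp"
    pfctl -nf "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    return 0
}

# Number of pass rules emitted; handy as a self-check (expected: 2).
pptp_pf_rule_count() {
    pptp_pf_rules | grep -c '^pass '
}

if [ "${1:-}" = "show" ]; then
    pptp_pf_rules
fi
```

Run sh the-script.sh show to see the fragment with your interface substituted, and after editing /etc/pf.conf load it with pfctl -f /etc/pf.conf. GRE has no ports, which is why the second rule names only the protocol; if the VPN clients should also be able to reach the LAN behind the server, the tunN interfaces that ppp creates need their own pass rules in addition to these two.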
  18. Rap2

    Just a comment….
    The ip address in ppp.conf must be for the same network as one of your interfaces but not bound to any interface or computer on the network….

    and….

    in ppp.conf you need to format the sections ending in : left justified and then spaces before every line that follows…

    I.E.

    loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    bla bla bla

    loop-in:
    set timeout 0
    set log phase lcp ipcp command
    bla bla bla

    I hope the formatting comes out in the blog but just in case the spaces MATTER!

  19. Rap2

    Yea… the blog reformatted it, the spaces are not in my example… they Matter

    loop:
    SPACE set timeout 0
    SPACE set log phase chat connect lcp ipcp command
    SPACE bla bla bla

    loop-in:
    SPACE set timeout 0
    SPACE set log phase lcp ipcp command
    SPACE bla bla bla

  20. Carlos

    Hello Dan,

    Over the last ten months, I used the method proposed in this post to provide VPN connections to my users. It works fine for small amounts of data transferred.

    However, I have a big problem: when two users try to use the VPN to access a Windows machine using RDP, the connection becomes unstable.

    I thought it was a performance issue, so I increased the amount of memory in the FreeBSD server, but the problem is still the same.

    Maybe you have an idea of the limits of PPTP, or a workaround.

    Thank you in advance for your help,

    Carlos

