PPTP VPN in FreeBSD (for Windows XP/Vista/7 clients)

Here’s a simple guide to setting up a VPN server on FreeBSD so that Windows clients can connect using their built-in VPN clients…

First, make sure your ports collection is up-to-date, then build poptop in /usr/ports/net/poptop:

# cd /usr/ports/net/poptop/
# make
# make install

Next we need to create a config file for poptop… create the file /usr/local/etc/pptpd.conf as follows:

pidfile /var/run/pptpd.pid

Next we need to create a PPP configuration file called /etc/ppp/ppp.conf (overwrite the existing file) as follows (edit the IPs to suit your network requirements):

set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
# Server (local) IP address, Range for Clients, and Netmask
set ifaddr
set server /tmp/vpn-in-%d "" 0177

set timeout 0
set log phase lcp ipcp command
allow mode direct

load loop
disable pap
disable passwdauth
disable ipv6cp
enable proxy
accept dns
enable MSChapV2
enable mppe
disable deflate pred1
deny deflate pred1
set device !/etc/ppp/secure

Every line above except those ending with a colon (:) must be indented or ppp.conf will not work – the CMS in use on this site won’t indent – sorry 🙁

Next we need to create a file called /etc/ppp/secure with the following contents:

exec /usr/sbin/ppp -direct loop-in

And set it to be executable with chmod 0755 /etc/ppp/secure – this script will be run automatically during the VPN setup process.
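Since the listing above lost its indentation, this added example (not part of the original post) lints a ppp.conf for the indentation rule and checks that a label such as the one passed to `ppp -direct` in /etc/ppp/secure exists. The sample file is constructed, and the label names loop-in and pptp are assumptions inferred from `-direct loop-in` and the "Label pptp rejected" error quoted in the comments.

```sh
#!/bin/sh

# lint_ppp_conf FILE
# Prints "LINE: problem: text" per violation; returns 0 when clean, 1 otherwise.
lint_ppp_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }        # skip blank lines and comments
        /^[^ \t]/ {                               # text starts in column one
            if ($0 ~ /^[^ \t:]+:[ \t]*$/) { seen = 1; next }  # a label line
            printf "%d: command is not indented: %s\n", NR, $0
            bad = 1; next
        }
        /:[ \t]*$/ {                              # heuristic: indented line ending in a colon
            printf "%d: label is indented: %s\n", NR, $0
            bad = 1; next
        }
        !seen {                                   # indented command, no label yet
            printf "%d: command before any label: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# has_label FILE NAME: succeeds when "NAME:" starts in column one of FILE.
has_label() {
    awk -v want="$2:" '
        { line = $0; sub(/[ \t]+$/, "", line) }
        line == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample (not the author's file): one command lost its indent.
# The label names are assumptions; see the lead-in.
write_sample() {
    cat > "$1" <<'EOF'
loop-in:
 set timeout 0
allow mode direct
pptp:
 load loop
EOF
}

sample=$(mktemp) || exit 1
write_sample "$sample"
lint_ppp_conf "$sample" || echo "ppp.conf layout problems found"
has_label "$sample" loop || echo "label loop: not found in this file"
rm -f "$sample"
```

On the server, `lint_ppp_conf /etc/ppp/ppp.conf` should print nothing before pptpd is started.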

Now we need to add a login for the VPN (you can have multiple username/passwords in this file) called /etc/ppp/ppp.secret like so:

user1 pass1
user2 pass2
user3 pass3

Now we need to enable proxy ARP in FreeBSD.  Add the following line into /etc/sysctl.conf:


To activate it without a reboot, type sysctl net.link.ether.inet.proxyall=1

And finally set the VPN server to start on bootup automatically by adding the following into /etc/rc.conf:


Now startup the VPN server by running:

/usr/local/etc/rc.d/pptpd start

Your VPN server is now ready on your FreeBSD server and you’re ready to configure your Windows clients to connect to it.  I’ll give you an example of how to do it on Windows 7; I’m sure you can find out how to do it on earlier versions of Windows…

  1. Go to Start
  2. Open Control Panel
  3. Under Network and Internet, click View network status and tasks
  4. Click Set up a new connection or network at the bottom of the page
  5. Choose Connect to a workplace and click Next
  6. Select No, create a new connection and click Next
  7. Select Use my Internet connection (VPN)
  8. Enter the IP address of your VPN server in Internet address and give it a description below.
  9. Check Don’t connect now; just set it up so I can connect later and click Next
  10. Enter the username and password from your ppp.secret file, leave Domain blank, click Create
  11. Click Close
  12. Click Change adapter settings on the left of your Network and Sharing Center window
  13. Right-click on your new VPN and go to Properties
  14. Go to the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and click Properties
  15. Click Advanced
  16. Uncheck Use default gateway on remote network (this enables split tunnelling mode which is probably what you will want to use)
  17. Click Ok then Ok then Ok and close the Network Connections window.

Now that your VPN is set up, you can connect by clicking on the network icon in your taskbar, clicking your VPN in the list and clicking on Connect.

Windows Vista is similar to Windows 7 to configure.  Windows XP is a little different – but the general setup is identical on all three flavours of Windows.

Split tunnelling mode is when you join the remote network but do not route your entire internet connection via it.  If you want to route your entire connection via the VPN you can skip steps 12-17 above.

37 thoughts on “PPTP VPN in FreeBSD (for Windows XP/Vista/7 clients)”

  1. Andrey


    On FreeBSD 8 I get an error:
    Mar 4 00:48:25 autopilot ppp[9822]: IPCP: myaddr hisaddr =
    Mar 4 00:48:25 autopilot ppp[9822]: Error: Add proxy arp entry File exists
    Mar 4 00:48:25 autopilot kernel: Mar 4 00:48:25 autopilot ppp[9822]: Error: Add proxy arp entry File exists

    and all packet loss…..
    listening on tun1, link-type NULL (BSD loopback), capture size 96 bytes
    00:49:49.591035 IP > ICMP echo request, id 768, seq 256, length 40
    00:49:54.711507 IP > ICMP echo request, id 768, seq 512, length 40
    00:50:00.196823 IP > ICMP echo request, id 768, seq 768, length 40
    00:50:05.716393 IP > ICMP echo request, id 768, seq 1024, length 40

    ip – on local lan

    autopilot# ifconfig tun1
    tun1: flags=8051 metric 0 mtu 1398
    inet –> netmask 0xffffffff
    Opened by PID 9822

    Maybe you know where my error is?
    I change only the IP:
    set ifaddr
    set ifaddr

    1. dan Post author



      to /etc/sysctl.conf and then type “sysctl net.link.ether.inet.proxyall=1” to activate it without rebooting.



  2. kevin

    Cannot register computer on network. What did I do wrong?
    I need to set up a full working VPN server with internet for school.

  3. Rick G

    Really weird issue. My iMac VPN connection to the FreeBSD 7.3 PPP Server works fine – I can open a term and ping everything inside the Firewall… Using a Windows XP, I get connected but it can do nothing… I noted this difference:

    XP on connect: UGH 0 0 em0

    ff02::%tun0/32 fe80::202:a5ff:fe4c:85ae%tun0 UGC tun0

    iMac on connect: UGH 0 33 tun1

    ff02::%tun1/32 fe80::202:a5ff:fe4c:85ae%tun1 UGC tun1

    What am I missing on the Winders machine that causes a “tunX” to fail to be created in netstat and remains totally useless while a Mac does it all? (I am not a Mac snob… I got to get these Winders machines working for the client tho!)


    Thanx in advance…


    1. dan Post author

      Hmm, I’m not sure – I’ve not tried it with XP – it uses a different VPN stack to everything else.
      I don’t have any XP machines left to test on – everything on Windows 7 now 🙁

      1. dan Post author

        You should check the ‘proxyall’ is set in sysctl.conf, and also make sure the machine is set to forwarding (check sysctl net.inet.ip.forwarding is ‘1’)

  4. Rick G

    Well shucks, Dan! Thanks any old way for getting back to me. If the problem is a retro-VPN stack on the WinXP boxes, then the boss will need to do a little “investing” on some newer equipment! Certainly takes the pressure off me! ;^)



  5. Rick G

    Actually, going into pptpd.conf and commenting out these fixed it. Seems that after XP SP3, Msoft made some changes that would break PPP..


    Now the VPN will tunnel and access the shares properly… Maybe this will help someone else!



  6. Rick G

    Correction – the only pptpd.conf config that caused the VPN problem after the SP3 update was:


    chapms-v2, and all the mppe configs are fine. Something happened in SP3 that broke +mschap-v2 and won’t allow tunneling on the VPN Server. I am using FreeBSD7.3 PPTPD/PPP on an HP DL580.

    Client is happy with their new VPN Access – and I get to blame Bill Gates for the delay in getting their VPN going! Win/Win for me!



  7. Mike

    Thank you! This fixed my issue of Warning: Label pptp rejected -direct connection: Configuration label not found. I see many posts asking about it but no fixes for it and this did the trick.

    Thanks Again,

  8. Richard Pilkington

    I have set up the vpn as above successfully. The only problem I am having is when the server is restarted after a power failure I have to manually start the pptpd.

    The /etc/rc.conf file contains the line

    but it still does not seem to start.

    Any suggestions?

  9. dan Post author

    Check your log files (maybe /var/log/debug.log) to see if there are any notices about it when it starts up. It may be that it loads up too quickly, or is waiting for another service that has not started (perhaps it needs to look up an IP and runs before DHCP can assign an IP) – hard to tell as I don’t know your system configuration.

    Hopefully, the logs will point you in the right direction though.

  10. Richard Pilkington

    Thanks for the response.
    I looked at /var/log/debug.log and the only entries it had were like:
    Oct 7 11:30:12 servername pptpd[number]: CTRL: Reaping Child PPP[number]
    Which, I assume is someone connecting to the vpn.
    I will take note on the next restart if there are any messages during boot time and try from there. (the boot messages in the logs have been rotated out of existence by now).
    I am running a very old (FreeBSD 5.2.1) firewall server which I am hoping to upgrade soon. I do not know if this affects anything.

  11. igor

    Dan sir,
    I’m still unable to connect to internet like
    I’m using minimal install FreeBSD 8.2 without firewall


    enable without reboot
    sysctl net.link.ether.inet.proxyall=1
    sysctl net.inet.ip.forwarding=1

    I’m using your default config
    Am I missing something?

    1. dan Post author

      So long as the IPs in your configuration are valid for your network, it should be fine.
      The IPs must be part of your internet access router’s block of IPs it uses for NAT.

  12. sking

    Hi, my VPN can just provide one client to visit the local network, although other clients can successfully connect to the VPN. Even other clients cannot visit the VPN. Why?

  13. reņģis

    Thanks, took me a while to correctly parse the instructions for setting up the network addresses. In case anyone else has the same problem that they connect to the VPN but can’t use the internet: I set the first address to the server’s IP, and I set the second one as a range in the same block, and that was it.

  14. tm

    I get this message when i run “make install” on poptop port: “poptop-1.3.4_2 is marked as broken: fails to build with new utmpx”

    Is there any way around this problem?

    1. dan Post author

      I have a patch waiting to go into the FreeBSD ports collection to make it work on FreeBSD 9.x – if you can’t wait for it to get into it (it can take a while), and you’re happy editing files etc – feel free to email me and I’ll reply with instructions to do it.

        1. dan Post author

          The change for this port has been committed to the ports tree now – if you update your ports (see my other post on how to do it if you don’t already know) it will allow you to build on FreeBSD 9 using the instructions in this blog article. Thanks 🙂

  15. Carlos

    Hi Dan,

    Thank you for this tutorial; it works very well for me.

    I would like to give a static address to each user.

    Taking the FreeBSD example:
    ———————————————————- Setting Up ppp.conf for Static-IP Users
    set ifaddr
    set ifaddr
    set ifaddr

    Is it possible to do that and, if it is the case, how to do?

    If you could help me, It would be great.

    Thank you,


    1. dan Post author

      Sure – simply add the IP address at the end of the line in the ppp.secret file and that user will be given that IP when they login.
      No netmask info is needed… e.g. “username password” will give ‘username’ when they login.

  16. Adrian Peña

    Hi, thank you for this tutorial (I’m a big noob on FreeBSD, familiar with Linux and basic network settings). I managed to configure and start the pptpd on the office server and connect locally on a Win 7 machine inside the office. The office connects to internet through that same server (DNS/squid configured). Now I’m at home but I can’t connect: when configuring my laptop (Windows 7) and setting the new VPN network connection I used my office external IP address for the “Internet Address” field but it refuses to connect. Should I configure something on my office server firewall?

    Thank you in advance.

    1. dan Post author

      Hi, you will need to allow TCP port 1723 and also GRE (protocol 47) packets to be allowed. With both of those, PPTP should work.

  17. Adrian

    I’m sorry for being such a noob but how can I do that? This FreeBSD is using pf and the rules are on etc/pf.conf. I’m reading the manual but I don’t know where to declare the ports or that protocol 47 thing

    Thank you and sorry for troubling

    1. dan Post author

      Hi Adrian – Unfortunately, I’m not familiar with pf so I’m not sure how you would do this 🙁

  18. Rap2

    Just a comment….
    The ip address in ppp.conf must be for the same network as one of your interfaces but not bound to any interface or computer on the network….


    in ppp.conf you need to format the sections ending in : left justified and then spaces before every line that follows…


    set timeout 0
    set log phase chat connect lcp ipcp command
    bla bla bla

    set timeout 0
    set log phase lcp ipcp command
    bla bla bla

    I hope the formatting comes out in the blog but just in case the spaces MATTER!

  19. Rap2

    Yea… the blog reformatted it, the spaces are not in my example… they Matter

    SPACE set timeout 0
    SPACE set log phase chat connect lcp ipcp command
    SPACE bla bla bla

    SPACE set timeout 0
    SPACE set log phase lcp ipcp command
    SPACE bla bla bla

  20. Carlos

    Hello Dan,

    Over the last ten months, I used the method proposed in this post to provide VPN connections to my users. It works fine for small amounts of data transferred.

    However, I have a big problem: when two users try to use the VPN to access a Windows machine using RDP, the connection becomes unstable.

    I thought it is a performance issue, so I increased the amount of memory in the FreeBSD server; the problem is still the same.

    Maybe you have an idea of the limits of PPTP, or a workaround.

    Thank you in advance for your help,


