PPTP VPN and FreeBSD
At work one of my colleagues recently started working from home and
needed a way of copying files securely (albeit slowly, given our
link speed). I decided to use the MS VPN (PPTP) instead of IPsec (but
will probably transition to IPsec sometime..)
Setting up the server
The server needs the net/poptop port (home page is here) and the
userland PPP that ships with FreeBSD. Install the port, copy the
sample pptpd.conf it installs and edit it for your situation. I
changed the pid file to /var/run/pptp.pid. I also set the local and
remote IPs, but I believe they don't actually do anything (the PPP
process handles that). With userland PPP the addresses handed to
clients come from the set ifaddr line in ppp.conf, so that is the
place to get them right.
Edit /etc/ppp/ppp.conf and add the following label. The label line
must start in column one and every command under it must be
indented, otherwise ppp will not find the section. Replace serverip
with the address the server end of the tunnel should use,
clientiprange with the pool handed out to clients (for example
10.0.0.2-10.0.0.20), and dnsip and netbiosip with the DNS and WINS
servers the clients should be told about.
pptp:
 # no idle timeout on the tunnel
 set timeout 0
 # no modem chat or login script: pptpd hands us an open connection
 set dial
 set login
 # our end, the pool of client addresses, and a host netmask
 set ifaddr serverip clientiprange 255.255.255.255
 # a per-process diagnostic socket; %d expands to the ppp process id
 set server /var/run/pptp_ppp_%d "" 0700
 # authenticate clients with MS-CHAPv2 and encrypt the link with MPPE
 enable mschapv2 mppe
 # negotiate any MPPE key length the client offers (40, 56 or 128 bits)
 set mppe * *
 enable chap
 # never fall back to PAP, which sends the password in the clear
 disable pap
 # don't write utmp entries for VPN logins
 disable utmp
 # use /etc/ppp/ppp.secret rather than /etc/passwd (see below)
 disable passwdauth
 # proxy ARP for the client's address so the rest of the LAN can reach it
 enable proxy
 # let clients ask for DNS/WINS servers and tell them ours
 accept dns
 set dns dnsip
 set nbns netbiosip
You will also need to add an entry in /etc/ppp/ppp.secret for each
user you wish to allow to log in; each line holds the username and
the password, optionally followed by the IP address that user should
be given. The passwords have to be stored in plain text: passwdauth
(which authenticates against /etc/passwd) only works with PAP,
because CHAP and MS-CHAPv2 need the cleartext password on the server
to compute the expected response to the challenge, and
/etc/master.passwd only holds one-way hashes. Make sure you change
the permissions on the file to 0600, otherwise PPP will refuse to
read it.
Start pptpd (rename /usr/local/etc/rc.d/pptpd.sh.sample to pptpd.sh
and run it) and check that it is listening on TCP port 1723. Bear in
mind that the tunnel data itself travels over GRE (IP protocol 47),
so any firewall between client and server must pass GRE as well as
TCP 1723. Then move on to the client.
Setting up the client
I used Windows 2000 SP1, which only appears to support 56-bit
encryption (lame). Still, the setup was fairly simple: run the new
connection wizard, tell it you want a VPN over the Internet, enter
some obvious details (the server's address plus the username and
password from ppp.secret) and you should be ready to go.
I believe Windows 2000 SP2 has 128-bit encryption support
universally; I will find out soon.. If so, you may wish to change
the 'set mppe * *' line to 'set mppe 128 *' so that ppp only
negotiates 128-bit keys instead of accepting whatever the client
offers. Even at 128 bits MPPE is a stream cipher with no integrity
protection, so treat it as a stopgap rather than a replacement for
the IPsec move mentioned above.
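The script below is an added example, not code from the original page and not part of poptop or ppp. It audits a ppp.conf label and a ppp.secret file for the points made in the server section and in the note on 'set mppe 128 *' above: MS-CHAPv2 and MPPE enabled, PAP and passwdauth not enabled, MPPE pinned to 128-bit keys, and ppp.secret present with mode 0600 and well-formed entries. The label name pptp, the file paths, and the addresses and user entry in the embedded sample configs are assumptions and constructed data; run it with real paths as arguments to check a live host.

```shell
#!/bin/sh
# Added example, not code from the original page or from poptop/ppp:
# audit a userland ppp.conf label and a ppp.secret file for the settings
# described above. Assumes the label is "pptp" (the label pptpd hands to
# ppp on FreeBSD); paths are whatever the caller passes in.

# Print the commands of one ppp.conf label without their indentation.
# ppp(8) labels start in column one and end with ":"; their commands must
# be indented, so the next line starting in column one closes the section.
ppp_section() {
    awk -v want="$2:" '
        /^[^ \t]/ { insec = ($0 == want); next }
        insec && NF && $1 !~ /^#/ { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# True when the section text ($1) has a line "VERB ... OPT ..." ($2, $3);
# ppp accepts several options per line, e.g. "enable mschapv2 mppe".
has_option() {
    printf '%s\n' "$1" |
        grep -Eq "^$2([[:space:]]+[^[:space:]]+)*[[:space:]]+$3([[:space:]]|\$)"
}

# Audit one label: one finding per line on stdout, return value = count.
check_ppp_conf() {
    sec=$(ppp_section "$1" "${2:-pptp}")
    n=0
    for want in "enable mschapv2" "enable mppe" "disable pap" "disable passwdauth"; do
        has_option "$sec" "${want% *}" "${want#* }" ||
            { echo "missing: $want"; n=$((n + 1)); }
    done
    # /etc/passwd auth only works with PAP, and PAP sends the password in clear
    for bad in "enable pap" "enable passwdauth"; do
        if has_option "$sec" "${bad% *}" "${bad#* }"; then
            echo "present: $bad"; n=$((n + 1))
        fi
    done
    # "set mppe * *" lets a client negotiate 40- or 56-bit keys; "128" does not
    printf '%s\n' "$sec" | grep -Eq '^set[[:space:]]+mppe[[:space:]]+128([[:space:]]|$)' ||
        { echo "weak: set mppe does not force 128-bit keys"; n=$((n + 1)); }
    return "$n"
}

# ppp.secret holds cleartext passwords (CHAP needs them to verify the
# response), and the page notes ppp refuses it unless it is mode 0600.
# find -perm with an exact octal mode is POSIX, so this runs on BSD and Linux.
check_secret_perms() {
    [ -f "$1" ] || { echo "no such file: $1"; return 1; }
    [ -n "$(find "$1" -prune -perm 0600 -print)" ] ||
        { echo "bad mode: $1 must be 0600"; return 1; }
    # every non-comment entry needs at least "user password"
    awk 'NF && $1 !~ /^#/ && NF < 2 { bad = 1 } END { exit bad + 0 }' "$1" ||
        { echo "malformed entry in $1 (expected: user password [ip])"; return 1; }
}

# Constructed sample files (not taken from any real host) so the checks can
# run offline: a weak label, and the page's label with "set mppe 128 *".
write_demo_configs() {
    cat > "$1/weak.conf" <<'EOF'
pptp:
 set timeout 0
 set ifaddr 192.168.10.1 192.168.10.100-192.168.10.110 255.255.255.255
 enable mschapv2 mppe
 set mppe * *
 enable chap pap
 enable passwdauth
EOF
    cat > "$1/hardened.conf" <<'EOF'
default:
 set log Phase Chat LCP IPCP CCP tun command
pptp:
 set timeout 0
 set dial
 set login
 set ifaddr 192.168.10.1 192.168.10.100-192.168.10.110 255.255.255.255
 set server /var/run/pptp_ppp_%d "" 0700
 enable mschapv2 mppe
 set mppe 128 *
 enable chap
 disable pap
 disable utmp
 disable passwdauth
 enable proxy
 accept dns
 set dns 192.168.10.2
 set nbns 192.168.10.2
EOF
    printf '# user  password  (constructed example entry)\nalice  s3cret-pass\n' > "$1/ppp.secret"
    chmod 600 "$1/ppp.secret"
}

# With two arguments audit real files; with none, run on the constructed
# samples, e.g. "sh check_pptp.sh /etc/ppp/ppp.conf /etc/ppp/ppp.secret".
if [ "$#" -ge 2 ]; then
    check_ppp_conf "$1" pptp; check_secret_perms "$2"
elif [ "$#" -eq 0 ]; then
    d=$(mktemp -d) && write_demo_configs "$d"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"; check_ppp_conf "$f" pptp && echo "ok"
    done
    check_secret_perms "$d/ppp.secret" && echo "ok: $d/ppp.secret"
    rm -rf "$d"
fi
```

On the sample files the weak label yields five findings (no disable pap, no disable passwdauth, PAP and passwdauth enabled, negotiable MPPE), the page's label as printed above yields only the MPPE finding, and the hardened label yields none. The label parser relies on the ppp.conf rule that commands are indented under a column-one label, which is also why an unindented config silently produces "missing" findings for everything.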
Daniel O'Connor
Last modified: Tue Mar 1 13:31:08 CST 2005