I work form home, and I need to login into our corporate network using a pptp based vpn. How do I configure and setup up a PPTP VPN client under FreeBSD desktop / laptop or server operating systems?


The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. FreeBSD comes with PPTP client for establishing a VPN link with an NT server. FreeBSD uses the "pptp-linux" PPTP client. It can establish a PPP connection with an NT server, tunneled through a PPTP link over the Internet. In effect, it makes the client machine behave as if it were on the same LAN as the server.

Warning: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. I recommend using OpenVPN (SSL based) or IPSec instead.

Install pptp-linux client

Type the following command to update ports tree:
# portsnap fetch update
Install the client, run:
# cd /usr/ports/net/pptpclient
# make install clean
Sample outputs:

===>  Extracting for pptpclient-1.7.2_5
=> SHA256 Checksum mismatch for pptp-1.7.2.tar.gz.
===>  Refetch for 1 more times files: pptp-1.7.2.tar.gz
=> pptp-1.7.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch 
pptp-1.7.2.tar.gz                             100% of   79 kB   49 kBps
=> SHA256 Checksum OK for pptp-1.7.2.tar.gz.
===>   pptpclient-1.7.2_5 depends on file: /usr/local/bin/perl5.12.4 - found
===>  Patching for pptpclient-1.7.2_5
===>   pptpclient-1.7.2_5 depends on file: /usr/local/bin/perl5.12.4 - found
===>  Applying FreeBSD patches for pptpclient-1.7.2_5
===>   pptpclient-1.7.2_5 depends on file: /usr/local/bin/perl5.12.4 - found
===>  Configuring for pptpclient-1.7.2_5
===>  Building for pptpclient-1.7.2_5
echo "/* text added by Makefile target config.h */" > config.h
echo "#define PPTP_LINUX_VERSION \"1.7.2\"" >> config.h
echo "#define PPPD_BINARY \"/usr/sbin/ppp\"" >> config.h
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp_gre.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c ppp_fcs.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp_ctrl.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c dirutil.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c vector.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c inststr.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c util.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c version.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c test.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp_quirks.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c orckit_quirks.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pqueue.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp_callmgr.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c routing.c
gcc -O2 -pipe -fno-strict-aliasing  -Wall   -DUSER_PPP -c pptp_compat.c
gcc -o pptp pptp.o pptp_gre.o ppp_fcs.o  pptp_ctrl.o dirutil.o vector.o  inststr.o util.o version.o test.o  pptp_quirks.o orckit_quirks.o pqueue.o pptp_callmgr.o routing.o  pptp_compat.o  -lutil
pod2man pptpsetup > pptpsetup.8
===>  Installing for pptpclient-1.7.2_5
===>   pptpclient-1.7.2_5 depends on file: /usr/local/bin/perl5.12.4 - found
===>   Generating temporary packing list
===>  Checking if net/pptpclient already installed
install  -s -o root -g wheel -m 555 /usr/ports/net/pptpclient/work/pptp-1.7.2/pptp /usr/local/sbin
/bin/mkdir -p /usr/local/share/examples/pptpclient
install  -o root -g wheel -m 444 /usr/ports/net/pptpclient/files/README /usr/local/share/examples/pptpclient
install  -o root -g wheel -m 444 /usr/ports/net/pptpclient/files/ppp.conf /usr/local/share/examples/pptpclient
install  -o root -g wheel -m 444 /usr/ports/net/pptpclient/work/pptp-1.7.2/pptp.8 /usr/local/man/man8
===>   Compressing manual pages for pptpclient-1.7.2_5
===>   Registering installation for pptpclient-1.7.2_5
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/pptp
      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.
      For more information, and contact details about the security
      status of this software, see the following webpage:

===>  Cleaning for pptpclient-1.7.2_5

Out sample setup

Here is my sample vpn server information. Talk to your network / sys administrator to find out what value you should be using.

1. My vpn server ip address for Mumbai office - 202.54.1.2
2. My vpn server ip address for Delhi data center - 203.54.1.2
3. My vpn server ip address for Dallas data center - 204.54.1.2
4. Username - vivek
5. Password - FooBar
6. Network - 10.0.0.0/8 (use this sub/net for routing vpn traffic)

On the client side:

1. Test os - FreeBSD 9 amd64 running on my Laptop.
2. Vpn client - pptpclient (see above for installation info).
3. Vpn config file name - /etc/ppp/ppp.conf
4. Vpn interface name - tun0

Configure the vpn client

In this example connect to Mumbai data center using the vpn server IP 202.54.1.2. First, backup original /etc/ppp/ppp.conf file, enter:
# mv /etc/ppp/ppp.conf /etc/ppp/ppp.conf.factory
Edit /etc/ppp/ppp.conf, enter:
# vi /etc/ppp/ppp.conf
Append the following configuration:

 
MUMBAI:
 set authname vivek
 set authkey  FooBar
 set timeout 0 set ifaddr 0 0 add 10.0.0.0/8 hisaddr
 alias enable yes
 disable ipv6cp
 

Save and close the file. Where,

• MUMBAI: - PPP label to use. You need to pass this label to pptp command when connecting to the server (vpn server in Mumbai).
• set authname vivek - Your account name on the server.
• set authkey FooBar - Your password on the server.
• add 10.0.0.0/8 hisaddr - Set up the routing. In this example, route 10.0.0.0/8 traffic using hisaddr (this one is assigned by the remote server and you will use it to route the traffic).

How do I connect to Mumbai office using pptp vpn?

You must run the program as root. Use a command as follows:
# pptp 202.54.1.2 MUMBAI
Sample outputs:

/bin/ip: not found
/bin/ip: not found

Please ignore /bin/ip not found error. To kill vpn connection press ^C.

How do I verify vpn is up and running?

Type the following command (open a new terminal):
# ifconfig tun0
Sample outputs:

tun0: flags=8051 metric 0 mtu 1498
	options=80000 inet 10.1.3.62 --> 10.0.31.18 netmask 0xffffffff  nd6 options=21
	Opened by PID 36259

Where,

• 10.1.3.62 - Your ip address.
• 10.0.31.18 - VPN server gateway.
• 0xffffffff - Netmask.

How do I view current FreeBSD kernel routing table?

Type the following command:
# netstat -r
OR
# netstat -r -f inet
Sample outputs:

Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.2        UGS         0     1930   bge0
10.0.0.0           10.0.31.18         UGS         0        0   tun0
10.0.31.18         link#8             UHS         0        0   tun0
10.1.3.89          link#8             UHS         0        0    lo0
localhost          link#7             UH          0     2308    lo0
192.168.1.0        link#3             U           0      962   bge0
fwks01.nixcraft.ne link#3             UHS         0        0    lo0

How do I test vpn connectivity?

Use the ping and traceroute commands:
$ ping -c3 10.37.34.2
Sample outputs:

PING 10.37.34.2 (10.37.34.2): 56 data bytes
64 bytes from 10.37.34.2: icmp_seq=0 ttl=61 time=330.681 ms
64 bytes from 10.37.34.2: icmp_seq=1 ttl=61 time=329.039 ms
64 bytes from 10.37.34.2: icmp_seq=2 ttl=61 time=329.592 ms
--- 10.37.34.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 329.039/329.771/330.681/0.682 ms

To print the route packets take to network host:
$ tracroute 10.37.34.2

How do I view vpn connection log?

Type the following command:
# tail -f /var/log/ppp.log
# grep something /var/log/ppp.log
Sample outputs (a log of successful connection):

Jul 16 04:01:43 fwks01 ppp[37612]: Phase: Using interface: tun0
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: deflink: Created in closed state
Jul 16 04:01:43 fwks01 ppp[37612]: Warning: The alias command is deprecated
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: PPP Started (direct mode).
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: bundle: Establish
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: deflink: closed -> opening
Jul 16 04:01:43 fwks01 ppp[37612]: Alert: deflink: Can't create /var/run/pts/3.if: No such file or directory
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: deflink: Connected!
Jul 16 04:01:43 fwks01 ppp[37612]: Phase: deflink: opening -> carrier
Jul 16 04:01:44 fwks01 ppp[37612]: Phase: deflink: /dev/pts/3: CD detected
Jul 16 04:01:44 fwks01 ppp[37612]: Phase: deflink: carrier -> lcp
Jul 16 04:01:45 fwks01 ppp[37612]: Phase: bundle: Authenticate Jul 16 04:01:45 fwks01 ppp[37612]: Phase: deflink: his = CHAP 0x81, mine = none
Jul 16 04:01:45 fwks01 ppp[37612]: Phase: Chap Input: CHALLENGE (16 bytes)
Jul 16 04:01:45 fwks01 ppp[37612]: Phase: Chap Output: RESPONSE (vivek)
Jul 16 04:01:45 fwks01 ppp[37612]: Phase: Chap Input: SUCCESS (S=DC9CCD2E06D333C502626C4BAXXXYYYZZZYYY)
Jul 16 04:01:45 fwks01 ppp[37612]: Phase: deflink: lcp -> open Jul 16 04:01:45 fwks01 ppp[37612]: Phase: bundle: Network

How do I start pptp vpn connection in background?

Start it as follows:
# pptp 38.96.196.94 DAL 2>/dev/null &
OR use nohup command which allows to run pptp that can continue running in the background after you log out from a shell:
# nohup pptp 38.96.196.94 DAL 2>/dev/null &
To kill it, enter:
# kill -TERM `cat /var/run/tun0.pid`
OR
# kill -TERM $(cat /var/run/tun0.pid)
You can write a shell script to start and stop pptp. This is left as an exercise for the reader.

A note about mpd

based implementation of the multi-link PPP protocol for FreeBSD. It is designed to be both fast and flexible. It handles configuration and negotiation in user land, while routing all data packets strictly in the kernel. You can use mpd for the same purpose. Stay tuned for mpd tutorial.

See also

• Linux pptp .
• OpenBSD pptp .
• For more information, see .