Getting Poptop to run under FreeBSD 5 & 6
I spent a day or so tinkering with poptop on both FreeBSD 5.x and 6.x, and I figured others might benefit from knowing what I found.
First of all, a little background: Poptop is a Point-to-Point Tunneling Protocol (PPTP) server. It lets you easily and securely establish a VPN tunnel to a server from any computer that has a PPTP client (Windows XP has one built in, as do other operating systems). I wanted to be able to tunnel back into a machine that is on a LAN at a remote location, and using Poptop looked like it might be easier than some of the other methods.
Read on if you want to know the details.
Step 1 - Install Poptop:
cd /usr/ports/net/poptop; make install clean
Step 2 - Create a Poptop config file: /usr/local/etc/pptpd.conf
option /etc/ppp/ppp.conf
localip 192.168.0.1
remoteip 192.168.0.100-105
pidfile /var/run/pptpd.pid
nobsdcomp
proxyarp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
Be sure to replace “192.168.0.1” with your server’s IP address; “192.168.0.100-105” is the range of IP addresses you want assigned to incoming clients. In this case, I only allocated 5 addresses.
Step 3 - Add an entry to /etc/ppp/ppp.conf:
pptp:
set timeout 0
set log phase chat connect lcp ipcp
set dial
set login
enable mssfixup
set ifaddr 192.168.0.1 192.168.0.100-192.168.0.105 255.255.255.0
set server /tmp/loop "" 0177
enable chap
enable mschapv2
disable pap
enable proxy
accept dns
set dns 192.168.0.1 192.168.0.2
set nbns 192.168.0.1
set device !/etc/ppp/secure
Again, be sure to replace “192.168.0.1” with your server’s IP address; “192.168.0.100-192.168.0.105” is the range of IP addresses for incoming clients. You’ll also want to set appropriate DNS servers, as well as an nbns (WINS) server if needed.
Step 4 - Create a password file /etc/ppp/ppp.secret
It should contain lines such as:
username password
Note: I have not tried this, but some have said that putting “enable passwordauth” in ppp.conf will authenticate against /etc/passwd. Using a separate file gives more control, but it’s not as convenient.
Note 2: I shouldn’t have to remind you that since the file contains passwords, it should be mode 0600!
Step 5 - Enable pptpd in /etc/rc.conf:
pptpd_enable="YES"
Step 6 - Start pptpd:
/usr/local/etc/rc.d/pptpd.sh start
Note: The script may be named /usr/local/etc/rc.d/pptpd instead, or it may not have been copied over to pptpd.sh yet and still be pptpd.sh.sample. Adjust the path accordingly.
That should do it. You may need to adjust your firewall settings, if you have any: allow TCP port 1723 in (the PPTP control connection), as well as IP protocol 47 (GRE), which carries the tunneled traffic.
The next step would be to add a PPTP client connectoid to a PC and try to connect. If all goes well it should authenticate and assign an IP address. You can check the connection’s status on the client to ensure that encryption is enabled. On Windows XP, you add a PPTP connectoid just like a dial-up networking connection, except you choose “Connect to the network at my workplace” and then choose “Virtual Private Network connection”.
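As an added example (not code from the original post), here is a small POSIX sh script that checks a finished setup against the points the steps above make: that /etc/ppp/ppp.secret is readable by its owner only, and that pptpd.conf and the pptp: section of ppp.conf carry the options the post relies on (noipparam, MS-CHAPv2, MPPE-128, PAP disabled). The function names and the sample files it builds are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a Poptop
# setup built the way the steps above describe. Each function takes the
# file to inspect, so it can run against real files or a constructed copy.

# Return 0 if the secrets file exists and is readable by its owner only
# (the post's Note 2: /etc/ppp/ppp.secret must be mode 0600).
check_secret_mode() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perm=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-------
    case "$perm" in
        -???------) return 0 ;;
        *) echo "$f is $perm, expected owner-only (0600)"; return 1 ;;
    esac
}

# Return 0 if every option named after the file appears as its own line
# (surrounding whitespace ignored, so indented ppp.conf lines count too).
check_options() {
    f="$1"; shift
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    rc=0
    for opt in "$@"; do
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$f" | grep -Fqx -- "$opt" \
            || { echo "$f: missing '$opt'"; rc=1; }
    done
    return $rc
}

# Build a constructed sample tree mirroring the post's config and run the
# checks over it; returns 0 only if all of them pass.
run_demo() {
    d=$(mktemp -d)
    printf 'username password\n' > "$d/ppp.secret"
    chmod 0600 "$d/ppp.secret"
    printf '%s\n' 'localip 192.168.0.1' 'remoteip 192.168.0.100-105' nobsdcomp \
        proxyarp +chapms-v2 mppe-40 mppe-128 mppe-stateless noipparam > "$d/pptpd.conf"
    printf '%s\n' 'pptp:' ' set timeout 0' ' enable chap' ' enable mschapv2' \
        ' disable pap' > "$d/ppp.conf"
    check_secret_mode "$d/ppp.secret" &&
        check_options "$d/pptpd.conf" noipparam +chapms-v2 mppe-128 &&
        check_options "$d/ppp.conf" 'enable mschapv2' 'disable pap'
    rc=$?
    rm -rf "$d"
    return $rc
}

run_demo && echo "all checks passed"
```

Point check_secret_mode and check_options at the real /etc/ppp/ppp.secret, /usr/local/etc/pptpd.conf and /etc/ppp/ppp.conf to verify a live server.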
Just for good measure, here are some of the error messages I encountered when I did not have the above configuration (I got no hits in English on these messages, so this is more for Google than anything!):
ppp[83928]: Warning: Label ipparam rejected -direct connection: Configuration label not found
pptpd[83927]: GRE: read(fd=7,buffer=804dc60,len=8196) from PTY failed: status = 0 error = No error
pptpd[83927]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Fixed by adding “noipparam” to pptpd.conf.
Once everything was running and I established a PPTP session from a laptop to the server, I was able to address machines on the LAN from a remote location. As my son would probably say, “Mission completion”. :)
I was not able to connect from WinXP SP2, using the default connection options when creating the connection, and I’m still getting the above error that noipparam was supposed to fix. Any ideas?
Comment by Jamie Bah — 5/9/2006 @ 4:18 pm
Were you getting the “Label ipparam rejected” error, the GRE error, or both?
The GRE error can also be caused by the traffic being firewalled locally.
If you send me your pptpd.conf and ppp.conf (make sure to remove any passwords!) I might be able to take a look. I’ve used this same config on 3 servers so far, and it’s worked on all 3. However, before I settled on this config I did get that error a lot while refining the options.
Jim
Comment by jim — 5/9/2006 @ 5:10 pm
I am also getting the following error; can you advise what fixes it, or the cause?
ppp[pid]: Warning: Label ipparam rejected -direct connection: Configuaration label not found
Cheers,
Mal
Comment by mal — 8/31/2006 @ 8:05 pm
Have you tried setting “noipparam” in your pptpd.conf file? Are you sure that your files match up with what I posted?
Also, this can fix some errors: Try forcing the Windows PPTP client to use MS-CHAPv2. Go to the properties of the connection, click the security tab, set the options to “Advanced”, click “Settings”, select “Allow these protocols”, and check only MS-CHAP v2. Click OK until you’re out, and try again.
Comment by jim — 9/5/2006 @ 11:25 am
Can the Win XP VPN client connect from anywhere?
I can’t connect from home to the office VPN server - I have a standard PPPoE connection (dynamic IP address and port closed).
Connection error: 619
Comment by kaido — 9/5/2006 @ 2:37 pm
I have used XP’s PPTP client from a lot of places, and it usually Just Works. I don’t see any reason why it would not work over a PPPoE connection, although I have not tried it.
I assume you are connecting to a Poptop server, what errors, if any, are showing up on the server?
Comment by jim — 9/5/2006 @ 2:44 pm
I tried different Win XP computers but nothing… still error 619.
Here is the server ppp.log:
Sep 6 22:02:17 freebsd ppp[4216]: Phase: Using interface: tun0
Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: Created in closed state
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set device localhost:pptp
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set dial
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set login
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set ifaddr 192.168.50.81 192.168.50.225-192.168.50.235 255.255.255.0
Sep 6 22:02:17 freebsd ppp[4216]: IPCP: Selected IP address 192.168.50.231
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: add default HISADDR
Sep 6 22:02:17 freebsd ppp[4216]: Warning: Add route failed: 0.0.0.0/0 already exists
Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set server /tmp/loop ******** 0177
Sep 6 22:02:17 freebsd ppp[4216]: Phase: Listening at local socket /tmp/loop.
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable pap
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable passwdauth
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable ipv6cp
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable proxy
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: accept dns
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable MSChapV2
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable mppe
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable deflate pred1
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: deny deflate pred1
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: set dns 194.126.115.18
Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: set device !/etc/ppp/secure
Sep 6 22:02:17 freebsd ppp[4216]: Phase: PPP Started (direct mode).
Sep 6 22:02:17 freebsd ppp[4216]: Phase: bundle: Establish
Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: closed -> opening
Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: Connected!
Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: opening -> carrier
Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: carrier -> lcp
[LCP Traffic removed]
Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: Disconnected!
Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: Connect time: 15 secs: 241 octets in, 416 octets out
Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: 5 packets in, 10 packets out
Sep 6 22:02:32 freebsd ppp[4216]: Phase: total 43 bytes/sec, peak 67 bytes/sec on Wed Sep 6 22:02:19 2006
Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: lcp -> closed
Sep 6 22:02:32 freebsd ppp[4216]: Phase: bundle: Dead
Sep 6 22:02:32 freebsd ppp[4216]: Phase: PPP Terminated (normal).
Comment by kaido — 9/6/2006 @ 11:27 am
Looking around a bit I see that error 619 is most often caused by (a) A router you’re going through not supporting PPTP passthrough, or (b) something filtering the PPTP port or GRE protocol before it gets to the Poptop server.
If your PPPoE connection is handled by a modem/router, check to make sure it has a PPTP Passthrough or VPN passthrough option and that it is enabled.
Comment by Jim — 9/6/2006 @ 2:28 pm
On the PPPoE connection IP protocol 47 (GRE) is closed, but it’s a very popular ISP in my country.
I’m trying OpenVPN now.
Comment by kaido — 9/7/2006 @ 3:16 pm
Sorry to hear that you can’t get PPTP working. I haven’t used OpenVPN before, but I hear that it works really well.
I have heard some people also talk about Hamachi and there is a Linux client, but I don’t know if it would work on FreeBSD or not. If you have two Windows machines, both behind NAT, this can create a tunnel between them. Unfortunately, this requires the connection be initialized by contacting a third-party server, which is the reason I don’t like it.
Comment by jim — 9/7/2006 @ 6:32 pm
Thank you, it works.
Using pptpd@ubuntu and your pptpd.conf settings made it work.
Comment by Tommy — 12/30/2006 @ 12:49 pm
What should the contents of /etc/ppp/secure look like?
In previous versions it was something like:
#!/bin/sh
exec /usr/sbin/ppp
Comment by Jorge — 1/24/2007 @ 9:12 pm
At one point I had this in /etc/ppp/secure:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
But now I actually do not have any file there at all.
Comment by jim — 1/24/2007 @ 9:16 pm
Do you mean you have no /etc/ppp/secure file at all?
Comment by Jorge — 2/6/2007 @ 12:15 am
That’s correct, I have no /etc/ppp/secure file at all.
Comment by jim — 2/6/2007 @ 7:03 am
…strange… an XP system does connect and can ping every computer on the network, but can’t see NetBIOS names and shares. There have been no changes to the firewall, and it used to work using FreeBSD 5.3.
Comment by Jorge — 2/6/2007 @ 3:50 pm
I haven’t tested this one myself, because I don’t run windows shares across PPTP, but the usual suggestions for network browsing may apply:
Are you using a WINS server? If so, is that being set or passed to the PPTP client?
Can you still access the shares by using \\1.2.3.4\ (with a proper IP address, of course)?
Is broadcast traffic being passed back and forth?
There are many differences between 5.3 and 6.x, but I am not sure what may have caused this to pop up.
Comment by jim — 2/9/2007 @ 9:23 am
Really helped, thank you.
Comment by proctozont — 4/18/2007 @ 3:16 am
Hello.
It works, and I did another kind of setup before on Linux Debian, but I think that FreeBSD is better.
I only have this strange message on screen (/var/log/messages):
Apr 26 23:09:15 fw pptpd[99783]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
I really don’t understand what it means!
Comment by xer — 4/27/2007 @ 3:43 am
I forgot to say…
My FreeBSD (legacy 5.5) doesn’t have the file called:
/etc/ppp/secure
So, I did it as follows:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in
It works, but I don’t know if it is the right way; I found it on a Google search.
Another one: in /etc/ppp/ppp.secret you can ASSIGN the given IP as follows:
username password “192.168.0.215”
That username will be assigned THAT IP. It works, so you don’t have to make a RANGE. Could that be useful?
Comment by xer — 4/27/2007 @ 7:53 am
tail -f /var/log/messages:
Aug 23 19:08:35 kunam pptpd[34764]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Aug 23 19:08:35 kunam ppp[34765]: Warning: 192.168.212.140: Cannot determine ethernet address for proxy ARP
Aug 23 19:09:24 kunam ppp[34914]: Warning: Add route failed: 0.0.0.0/0 already exists
Aug 23 19:09:40 kunam pptpd[34913]: GRE: read(fd=7,buffer=804d580,len=8196) from PTY failed: status = 0 error = No error
Aug 23 19:09:40 kunam pptpd[34913]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Aug 23 19:09:40 kunam ppp[34914]: Warning: 192.168.212.141: Cannot determine ethernet address for proxy ARP
Aug 23 19:16:27 kunam ppp[35182]: Warning: Add route failed: 0.0.0.0/0 already exists
Aug 23 19:16:43 kunam pptpd[35181]: GRE: read(fd=7,buffer=804d580,len=8196) from PTY failed: status = 0 error = No error
Aug 23 19:16:43 kunam pptpd[35181]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Aug 23 19:16:43 kunam ppp[35182]: Warning: 192.168.212.142: Cannot determine ethernet address for proxy ARP
Please help me…
What do you do?
Thanks
Comment by yudy — 8/23/2007 @ 8:10 am
No offense… what is Poptop used for if in FreeBSD we have a much more robust one, that’s MPD… trust me, MPD can be easily configured and can do L2TP, PPTP, and many more.
Comment by Ryan — 8/4/2008 @ 5:50 am
If you have a link to a tutorial or information on MPD, I’d happily link to it. Poptop works well, really wasn’t that hard to configure, and works on multiple platforms.
That’s the great thing about UNIX: there is usually more than one good way to get the job done, and the choice is left up to the admin or user. :)
Comment by jim — 8/4/2008 @ 7:22 am