Getting Poptop to run under FreeBSD 5 & 6

I spent a day or so tinkering with poptop on both FreeBSD 5.x and 6.x, and I figured others might benefit from knowing what I found.

First of all, a little background: Poptop is a Point-to-Point Tunneling Protocol (PPTP) server. It lets you easily and securely establish a VPN tunnel to a server from any computer that has a PPTP client (Windows XP has one built in, as do others.) I wanted to be able to tunnel back into a machine that is on a LAN at a remote location. Using poptop looked like it might be easier than some of the other methods.

Read on if you want to know the details.

Step 1 – Install Poptop:
cd /usr/ports/net/poptop; make install clean

Step 2 – Create a Poptop config file: /usr/local/etc/pptpd.conf
option /etc/ppp/ppp.conf
localip 192.168.0.1
remoteip 192.168.0.100-105
pidfile /var/run/pptpd.pid
nobsdcomp
proxyarp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam

Be sure to replace “192.168.0.1” with your server’s IP address; “192.168.0.100-105” is the range of IP addresses you want assigned to incoming clients. In this case, I only allocated 5 addresses.

Step 3 – Add an entry to /etc/ppp/ppp.conf
pptp:
set timeout 0
set log phase chat connect lcp ipcp
set dial
set login
enable mssfixup
set ifaddr 192.168.0.1 192.168.0.100-192.168.0.105 255.255.255.0
set server /tmp/loop "" 0177
enable chap
enable mschapv2
disable pap
enable proxy
accept dns
set dns 192.168.0.1 192.168.0.2
set nbns 192.168.0.1
set device !/etc/ppp/secure

Again, be sure to replace “192.168.0.1” with your server’s IP address; “192.168.0.100-192.168.0.105” is the range of IP addresses for incoming clients. You’ll also want to set appropriate DNS servers, as well as an nbns (WINS) server if needed.

Step 4 – Create a password file /etc/ppp/ppp.secret
It should contain lines such as:
username password
Note: I have not tried this, but some have said that putting “enable passwdauth” in ppp.conf will authenticate against /etc/passwd. Using a separate file gives more control, but it’s not as convenient.
Note 2: I shouldn’t have to remind you that since the file contains passwords, it should be mode 0600!

Step 5 – Enable pptpd in /etc/rc.conf:
pptpd_enable="YES"

Step 6 – Start pptpd:
/usr/local/etc/rc.d/pptpd.sh start
Note: The script may instead be named /usr/local/etc/rc.d/pptpd, or it may not have been copied over to pptpd.sh and still be pptpd.sh.sample. Adjust accordingly.
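
A pre-flight check for the files from Steps 2 through 4, added here as an example (it is not part of the original post or of Poptop): it confirms that noipparam is set, that the pptp: label disables PAP and enables MS-CHAPv2, and that the secrets file is mode 0600. The function names and the scratch-directory sample files are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): audit the files from Steps 2-4.

# has_line FILE WORD: true if FILE has a line consisting of WORD alone.
has_line() { grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"; }

# section FILE LABEL: print the commands under "LABEL:" in a ppp.conf, up to
# the next label (a line that starts in column 0 and ends with ":").
section() {
    awk -v want="$2:" '
        /^[^ \t#].*:[ \t]*$/ { in_sec = ($1 == want); next }
        in_sec && !/^[ \t]*(#|$)/ { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# mode_is_0600 FILE: true if only the owner can read and write FILE.
mode_is_0600() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# fail MESSAGE: report one finding and count it.
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_pptp PPTPD_CONF PPP_CONF PPP_SECRET: print one line per finding and
# return the number of findings (0 = the files match the write-up).
audit_pptp() {
    findings=0
    has_line "$1" noipparam || fail "$1: noipparam missing"
    pptp=$(section "$2" pptp)
    [ -n "$pptp" ] || fail "$2: no pptp: label"
    echo "$pptp" | grep -Eqi '^disable([[:space:]]+[^[:space:]]+)*[[:space:]]+pap([[:space:]]|$)' ||
        fail "$2: PAP is not disabled under pptp:"
    echo "$pptp" | grep -Eqi '^enable([[:space:]]+[^[:space:]]+)*[[:space:]]+mschapv2([[:space:]]|$)' ||
        fail "$2: MS-CHAPv2 is not enabled under pptp:"
    mode_is_0600 "$3" || fail "$3: mode is not 0600"
    return "$findings"
}

# Constructed sample files (placeholder credentials) written into directory $1.
make_sample() {
    printf 'localip 192.168.0.1\nnoipparam\n' > "$1/pptpd.conf"
    printf 'default:\n set log phase\npptp:\n enable mschapv2\n disable pap\n' > "$1/ppp.conf"
    printf 'username password\n' > "$1/ppp.secret"
    chmod 0600 "$1/ppp.secret"
}

d=$(mktemp -d) && make_sample "$d"
audit_pptp "$d/pptpd.conf" "$d/ppp.conf" "$d/ppp.secret" && echo "OK: no findings"
chmod 0644 "$d/ppp.secret"      # simulate the mistake Note 2 warns about
audit_pptp "$d/pptpd.conf" "$d/ppp.conf" "$d/ppp.secret" || echo "$? finding(s)"
rm -rf "$d"
```

To check a live server, call `audit_pptp /usr/local/etc/pptpd.conf /etc/ppp/ppp.conf /etc/ppp/ppp.secret`.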

That should do it. You may need to adjust your firewall settings, if you have any. You should allow TCP port 1723 in, as well as the GRE protocol.

The next step would be to add a PPTP client connectoid to a PC and try to connect. If all goes well, it should authenticate and assign an IP address. You can check the connection’s status on the client to ensure that encryption is enabled. On Windows XP, you add a PPTP connectoid just like a dial-up networking connection, except you choose “Connect to the network at my workplace” and then choose “Virtual Private Network connection”.

Just for good measure, here are some of the error messages I encountered when I did not have the above configuration (I got no hits in English on these messages, so this is more for Google than anything!):

ppp[83928]: Warning: Label ipparam rejected -direct connection: Configuration label not found
pptpd[83927]: GRE: read(fd=7,buffer=804dc60,len=8196) from PTY failed: status = 0 error = No error
pptpd[83927]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)

Fixed by adding “noipparam” to pptpd.conf

Once everything was running and I established a PPTP session from a laptop to the server, I was able to address machines on the LAN from a remote location. As my son would probably say “Mission completion“. :)

28 thoughts on “Getting Poptop to run under FreeBSD 5 & 6”

  1. I was not able to connect from WinXP SP2, using default connection options when creating connection, still getting the above error that noipparam was supposed to fix, any ideas?

  2. Were you getting the “Label ipparam rejected” error, the GRE error, or both?

    The GRE error can also be caused by the traffic being firewalled locally.

    If you send me your pptpd.conf and ppp.conf (make sure to remove any passwords!) I might be able to take a look. I’ve used this same config on 3 servers so far, and it’s worked on all 3. However, before I settled on this config I did get that error a lot while refining the options.

    Jim

  3. I am also getting the following error, can you advise what fixes it or the cause?
    ppp[pid]: Warning: Label ipparam rejected -direct connection: Configuaration label not found

    Cheers,

    Mal

  4. Have you tried setting “noipparam” in your pptpd.conf file? Are you sure that your files match up with what I posted?

    Also, this can fix some errors: Try forcing the Windows PPTP client to use MS-CHAPv2. Go to the properties of the connection, click the security tab, set the options to “Advanced”, click “Settings”, select “Allow these protocols”, and check only MS-CHAP v2. Click OK until you’re out, and try again.

  5. Can the Win XP VPN client connect anywhere?
    I can’t connect from home to the office VPN server – I have a standard PPPoE connection (dynamic IP address and port closed)

    connection error: 619

  6. I have used XP’s PPTP client from a lot of places, and it usually Just Works. I don’t see any reason why it would not work over a PPPoE connection, although I have not tried it.

    I assume you are connecting to a Poptop server, what errors, if any, are showing up on the server?

  7. I tried different Win XP computers but nothing… still error 619

    here is server ppp.log

    Sep 6 22:02:17 freebsd ppp[4216]: Phase: Using interface: tun0
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: Created in closed state
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set device localhost:pptp
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set dial
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set login
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set ifaddr 192.168.50.81 192.168.50.225-192.168.50.235 255.255.255.0
    Sep 6 22:02:17 freebsd ppp[4216]: IPCP: Selected IP address 192.168.50.231
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: add default HISADDR
    Sep 6 22:02:17 freebsd ppp[4216]: Warning: Add route failed: 0.0.0.0/0 already exists
    Sep 6 22:02:17 freebsd ppp[4216]: Command: loop: set server /tmp/loop ******** 0177
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: Listening at local socket /tmp/loop.
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable pap
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable passwdauth
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable ipv6cp
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable proxy
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: accept dns
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable MSChapV2
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: enable mppe
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: disable deflate pred1
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: deny deflate pred1
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: set dns 194.126.115.18
    Sep 6 22:02:17 freebsd ppp[4216]: Command: pptp: set device !/etc/ppp/secure
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: PPP Started (direct mode).
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: bundle: Establish
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: closed -> opening
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: Connected!
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: opening -> carrier
    Sep 6 22:02:17 freebsd ppp[4216]: Phase: deflink: carrier -> lcp
    [LCP Traffic removed]
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: Disconnected!
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: Connect time: 15 secs: 241 octets in, 416 octets out
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: 5 packets in, 10 packets out
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: total 43 bytes/sec, peak 67 bytes/sec on Wed Sep 6 22:02:19 2006
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: deflink: lcp -> closed
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: bundle: Dead
    Sep 6 22:02:32 freebsd ppp[4216]: Phase: PPP Terminated (normal).

  8. Looking around a bit I see that error 619 is most often caused by (a) A router you’re going through not supporting PPTP passthrough, or (b) something filtering the PPTP port or GRE protocol before it gets to the Poptop server.

    If your PPPoE connection is handled by a modem/router, check to make sure it has a PPTP Passthrough or VPN passthrough option and that it is enabled.

  9. On the PPPoE connection, IP protocol 47 (GRE) is closed, but it’s a very popular ISP in my country.
    I will try OpenVPN now.

  10. Sorry to hear that you can’t get PPTP working. I haven’t used OpenVPN before, but I hear that it works really well.

    I have heard some people also talk about Hamachi and there is a Linux client, but I don’t know if it would work on FreeBSD or not. If you have two Windows machines, both behind NAT, this can create a tunnel between them. Unfortunately, this requires the connection be initialized by contacting a third-party server, which is the reason I don’t like it.

  11. Thank you it works

    Using pptpd@ubuntu and your pptpd.conf settings made it work

  12. What should the contents of /etc/ppp/secure look like?

    In previous versions it was something like

    #!/bin/sh
    exec /usr/sbin/ppp

  13. At one point I had this in /etc/ppp/secure:

    #!/bin/sh
    exec /usr/sbin/ppp -direct loop-in

    But now I actually do not have any file there at all.

  14. …strange… an XP system does connect and can ping every computer on the network but can’t see NetBIOS names and shares. There have been no changes to the firewall and it used to work using FreeBSD 5.3

  15. I haven’t tested this one myself, because I don’t run windows shares across PPTP, but the usual suggestions for network browsing may apply:

    Are you using a WINS server? If so, is that being set or passed to the PPTP client?

    Can you still access the shares by using \\1.2.3.4\ (with a proper IP address, of course)?

    Is broadcast traffic being passed back and forth?

    There are many differences between 5.3 and 6.x, but I am not sure what may have caused this to pop up.

  16. Hello.
    It works, and I did another kind before on Linux Debian, but I think that FreeBSD is better.
    I have only this strange message on screen (/var/log/messages):

    Apr 26 23:09:15 fw pptpd[99783]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!

    I really don’t understand what it means!

  17. I forgot to say…
    My FreeBSD (legacy 5.5) doesn’t have the file called:
    /etc/ppp/secure

    So, I did it as follows:

    #!/bin/sh
    exec /usr/sbin/ppp -direct loop-in

    It works, but I don’t know if it is the right way; I found it on a Google search.
    Another one: in /etc/ppp/ppp.secret you can ASSIGN the given IP as follows:
    username password "192.168.0.215"

    That username will be assigned THAT IP. It works, so you don’t have to make a RANGE. Can be useful?

  18. tail -f /var/log/messages
    Aug 23 19:08:35 kunam pptpd[34764]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
    Aug 23 19:08:35 kunam ppp[34765]: Warning: 192.168.212.140: Cannot determine ethernet address for proxy ARP
    Aug 23 19:09:24 kunam ppp[34914]: Warning: Add route failed: 0.0.0.0/0 already exists
    Aug 23 19:09:40 kunam pptpd[34913]: GRE: read(fd=7,buffer=804d580,len=8196) from PTY failed: status = 0 error = No error
    Aug 23 19:09:40 kunam pptpd[34913]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
    Aug 23 19:09:40 kunam ppp[34914]: Warning: 192.168.212.141: Cannot determine ethernet address for proxy ARP
    Aug 23 19:16:27 kunam ppp[35182]: Warning: Add route failed: 0.0.0.0/0 already exists
    Aug 23 19:16:43 kunam pptpd[35181]: GRE: read(fd=7,buffer=804d580,len=8196) from PTY failed: status = 0 error = No error
    Aug 23 19:16:43 kunam pptpd[35181]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
    Aug 23 19:16:43 kunam ppp[35182]: Warning: 192.168.212.142: Cannot determine ethernet address for proxy ARP

    Please help me…
    What do you do?

    Thanks

  19. No offense… why use poptop when in FreeBSD we have a much more robust one, MPD… Trust me, MPD can be easily configured and can do L2TP, PPTP, and many more.

  20. If you have a link to a tutorial or information on MPD, I’d happily link to it. Poptop works well and really wasn’t that hard to configure, and works on multiple platforms.

    That’s the great thing about UNIX, there is usually more than one good way to get the job done, and the choice is left up to the admin or user. :)

  21. I realize this is a very very old post, but I’ve been using it as a reference to get poptop working on FreeBSD 6.3. I’ve used about 5 or 6 different website recommended configurations and can’t get it to work.

    Just in case you still monitor this at all, here is the error I’m getting. Similar to your above, but slightly different and I can’t fix it:
    Warning: Label /etc/ppp/ppp.conf rejected -direct connection: Configuration label not found
    GRE: read(fd=7,buffer=804d580, len=8196) from PTY failed: status = 0 error = No Error
    CTRL: PTY read or GRE write failed (pty,gre)=(7,6)

    My usr/local/etc/pptpd.conf file looks like this:
    option /etc/ppp/ppp.conf
    localip
    remoteip
    pidfile /var/run/pptpd.pid
    nobsdcomp
    proxyarp
    +chapms-v2
    mppe-40
    mppe-128
    mppe-stateless
    noipparam
    debug

    My etc/ppp/ppp.conf:
    pptp:
    set timeout 0
    set log phase chat connect lcp ipcp tun
    set dial
    set login
    enable passwdauth
    enable mssfixup
    set ifaddr
    allow mode direct
    set server /tmp/loop "" 0177
    enable chap
    enable mschapv2
    disable pap
    enable proxy
    accept dns
    set dns
    set nbns
    set device !/etc/ppp/secure

    From client side, I’m running Windows XP and trying to do a standard VPN connection, getting 619 error after it tries to authenticate credentials.

    Notes: I’m not using a /etc/ppp/secure file just like your setup recommends (getting same errors with or without it). I’ve played around with the firewall, and it’s definitely allowing connections on port 1723. I’ve put in code to allow GRE, but I have no way to test it (assuming it’s working because I was getting a GRE socket() error before I added it in).

    Any help is appreciated more than you could possibly believe. Thank you.

  22. Sorry to say that I don’t run poptop anymore. I’ve replaced all my VPN terminating routers with pfSense boxes (http://www.pfsense.org/). :-)

    They use MPD for PPTP, but I’ve also phased out almost all my PPTP VPNs, in favor of IPsec mobile clients with the Shrew Soft client, or OpenVPN.

    I wish I could help, those do look like the errors I saw before, but I don’t recall any specifics except that when I was running with the config I posted here they went away…

  23. I am running FreeBSD 8.0. I need only a PPTP client. Is there any standard configuration? I tried mpd5 but did not succeed.

  24. I haven’t needed to try this on pfSense 7 or 8 so I don’t know what works anymore. I run pfSense at the edge of all my networks and use OpenVPN or IPsec to interconnect now. I know mpd5 can be used as a PPTP client but I haven’t ever tried to configure it as such.

  25. The error:

    Warning: Label /etc/ppp/ppp.conf rejected -direct connection: Configuration label not found

    is caused because the latest poptop appears to no longer accept the line in /usr/local/etc/pptpd.conf that is labeled:

    option /etc/ppp/options.pptpd

    Best thing is to comment this out; this causes poptop to use /etc/ppp/ppp.conf as its ppp config file.
