I spent a day or so tinkering with poptop on both FreeBSD 5.x and 6.x, and I figured others might benefit from knowing what I found.
First of all, a little background: Poptop is a Point-to-Point Tunneling Protocol (PPTP) server. It lets you establish an encrypted (MPPE) VPN tunnel to a server from any computer that has a PPTP client (Windows XP has one built in, as do others). Bear in mind that the MS-CHAPv2 authentication PPTP relies on, and from which the MPPE session keys are derived, has well-known cryptographic weaknesses, so treat the tunnel as a convenience rather than as strong protection for sensitive traffic. I wanted to be able to tunnel back into a machine that is on a LAN at a remote location. Using poptop looked like it might be easier than some of the other methods.
Read on if you want to know the details.
Step 1 – Install Poptop:
cd /usr/ports/net/poptop; make install clean
Step 2 – Create a Poptop config file: /usr/local/etc/pptpd.conf
Be sure to replace “192.168.0.1” with your server’s IP address, and “192.168.0.100-105” with the range of IP addresses you want assigned to incoming clients (pptpd accepts this shorthand for 192.168.0.100 through 192.168.0.105). In this case, I allocated only six addresses, which also caps the number of clients that can be connected at once.
Step 3 – Add an entry to /etc/ppp/ppp.conf
set timeout 0
set log phase chat connect lcp ipcp
set ifaddr 192.168.0.1 192.168.0.100-192.168.0.105 255.255.255.0
set server /tmp/loop "" 0177
set dns 192.168.0.1 192.168.0.2
set nbns 192.168.0.1
set device !/etc/ppp/secure
Again, be sure to replace “192.168.0.1” with your server’s IP address, and “192.168.0.100-192.168.0.105” with the range of IP addresses for incoming clients; use the same range you put in pptpd.conf. You’ll also want to set appropriate DNS servers, as well as an NBNS (WINS) server if needed.
Step 4 – Create a password file /etc/ppp/ppp.secret
It should contain lines such as:
Note: I have not tried this, but some have said that putting “enable passwordauth” in ppp.conf will authenticate against /etc/passwd. Using a separate file gives more control, but it’s not as convenient.
Note 2: I shouldn’t have to remind you that since the file contains cleartext passwords, it should be owned by root and mode 0600!
Step 5 – Enable pptpd in /etc/rc.conf:
Step 6 – Start pptpd:
Note: the rc script may be installed as /usr/local/etc/rc.d/pptpd or as /usr/local/etc/rc.d/pptpd.sh; on some versions of the port it is only installed as pptpd.sh.sample and has not been copied over to pptpd.sh. Adjust the path accordingly.
That should do it. You may need to adjust your firewall settings, if you have any: allow inbound TCP port 1723 (the PPTP control connection) and IP protocol 47, GRE, which carries the tunneled packets. GRE is neither TCP nor UDP, so a port-based rule alone will not let it through, and any NAT device in front of the server must be able to forward it.
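The server-side procedure above (Steps 2 through 5 plus the firewall rules), staged into a scratch directory and checked the way a practitioner would before copying the files into place. This is an added example, not the post’s own files, and it makes several assumptions that are worth verifying against pptpd.conf(5) and ppp(8) on your system: that pptpd.conf uses the “localip” and “remoteip” directives, that pptpd on FreeBSD hands ppp(8) the label “pptp” (so the Step 3 lines belong under a “pptp:” label, indented by one space as ppp.conf requires), that ppp.secret lines take the form “user password”, that the rc.conf variable is pptpd_enable, and that the firewall is ipfw. The user name and password are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: stage the server-side files that
# Steps 2 through 5 describe, then verify the secrets file is not readable by
# other users. Assumptions (check them against pptpd.conf(5) and ppp(8)):
#   - pptpd.conf takes "localip" and "remoteip" directives; "noipparam" is the
#     setting the post adds to fix the "Label ipparam rejected" error.
#   - pptpd hands ppp(8) the label "pptp", so the Step 3 lines go under a
#     "pptp:" label in ppp.conf, each indented by one space as ppp.conf requires.
#   - ppp.secret lines are "user password" (ppp(8) also allows a client IP after).
#   - the rc.conf variable the port's rc script reads is pptpd_enable.
#   - the firewall is ipfw; translate the two rules for pf or ipfilter.
set -eu

# gen_pptpd_conf LOCALIP REMOTE_RANGE -> contents of /usr/local/etc/pptpd.conf
# REMOTE_RANGE uses pptpd's shorthand, e.g. 192.168.0.100-105 (six addresses).
gen_pptpd_conf() {
    printf 'localip %s\nremoteip %s\nnoipparam\n' "$1" "$2"
}

# gen_ppp_conf LOCALIP REMOTE_RANGE DNS [NBNS] -> the "pptp:" entry for
# /etc/ppp/ppp.conf; the set lines are the ones from Step 3 of the post.
gen_ppp_conf() {
    printf 'pptp:\n'
    printf ' set timeout 0\n'
    printf ' set log phase chat connect lcp ipcp\n'
    printf ' set ifaddr %s %s 255.255.255.0\n' "$1" "$2"
    printf ' set server /tmp/loop "" 0177\n'
    printf ' set dns %s\n' "$3"
    if [ $# -ge 4 ]; then printf ' set nbns %s\n' "$4"; fi
    printf ' set device !/etc/ppp/secure\n'
}

# add_pptp_user SECRETFILE USER  (the password is read from stdin so it never
# shows up in ps output or in shell history)
add_pptp_user() {
    file=$1
    user=$2
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    # ppp.secret fields are whitespace-separated, so refuse anything that
    # would split into extra fields.
    case "$user$pw" in
        *[[:space:]]*) echo "user/password must not contain whitespace" >&2; return 1 ;;
    esac
    # umask in a subshell so a newly created file starts out 0600
    ( umask 077; printf '%s %s\n' "$user" "$pw" >> "$file" )
    chmod 0600 "$file"   # Note 2 in the post: the file holds cleartext passwords
}

# check_secret_perms FILE -> 0 only if FILE exists with mode exactly 0600
check_secret_perms() {
    [ -n "$(find "$1" -prune -perm 0600 -print 2>/dev/null)" ]
}

# gen_ipfw_rules -> the two inbound rules the post calls for: TCP 1723 is the
# PPTP control channel; the tunnel itself is GRE (IP protocol 47), which is
# not TCP or UDP and so is not covered by any port-based rule.
gen_ipfw_rules() {
    printf 'ipfw add allow tcp from any to me dst-port 1723 in\n'
    printf 'ipfw add allow gre from any to me in\n'
}

# Stage everything in a scratch directory (constructed values; review the
# files, then copy them into /usr/local/etc and /etc/ppp by hand).
stage=$(mktemp -d)
gen_pptpd_conf 192.168.0.1 192.168.0.100-105 > "$stage/pptpd.conf"
gen_ppp_conf 192.168.0.1 192.168.0.100-192.168.0.105 192.168.0.1 192.168.0.1 > "$stage/ppp.conf"
printf 'example-only-password\n' | add_pptp_user "$stage/ppp.secret" alice
printf 'pptpd_enable="YES"\n' > "$stage/rc.conf.add"
gen_ipfw_rules > "$stage/ipfw.rules"
if check_secret_perms "$stage/ppp.secret"; then
    echo "staged in $stage (ppp.secret is 0600)"
else
    echo "ppp.secret permissions are wrong, fix before installing" >&2
fi
```

Reading the password from stdin rather than taking it as an argument keeps it out of the process list, and check_secret_perms is the test to rerun after any edit to ppp.secret, since editors and copies can silently loosen the mode.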
The next step would be to add a PPTP client connectoid to a PC and try to connect. If all goes well it should authenticate and be assigned an IP address from the range above. You can check the connection’s status on the client to ensure that encryption is enabled; the Windows client can also be set to require encryption, so that it refuses to connect without MPPE rather than silently falling back. On Windows XP, you add a PPTP connectoid just like a dial-up networking connection, except you choose “Connect to the network at my workplace” and then choose “Virtual Private Network connection”.
Just for good measure, here are some of the error messages I encountered when I did not have the above configuration (I got no hits in English on these messages, so this is more for Google than anything!):
ppp: Warning: Label ipparam rejected -direct connection: Configuration label not found
pptpd: GRE: read(fd=7,buffer=804dc60,len=8196) from PTY failed: status = 0 error = No error
pptpd: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Fixed by adding “noipparam” to pptpd.conf. Without it, pptpd passes the client’s address to ppp(8) as an extra “ipparam” argument, which ppp treats as a configuration label and rejects (the first message above); the GRE read failures that follow are just the tunnel collapsing because ppp never started.
Once everything was running and I established a PPTP session from a laptop to the server, I was able to address machines on the LAN from a remote location. As my son would probably say, “Mission completion”. :)