Do it yourself: VPN tunnel from Mac OSX to FreeBSD
Because I need to do a demonstration for which I need public IP addresses and I am not sure wether I will be behind a NAT box I decided to configure my Mac box to establish a VPN to my FreeBSD server.
The prerequisite is that you actually have public IP addresses to create a tunnel to. I’ve been using a /28 so my colleagues can make use of the tunnel too.
Setting up PPTPs is a bit involved since it involves understanding the various layers that are involved.
Below is an annotated configuration file /usr/local/etc/mpd5/mpd.conf.
In the example below assume that 10.15.22/24 is a piece of public address space. That 10.15.22.177-182 are the addresses assigned to users.
#################################################################
#
# MPD configuration file for a VPN
#
#
#################################################################startup:
# set user username password [admin|operator|user]
# This command configures which users are allowed to connect
# to the console. It may be invoked multiple times with
# different usernames.
set user admin secret admin
# set user foo1 bar1
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 127.0.0.1 5006
set web open# We define a new interface for eache possible user
default:
load pptp_server# Anotated Setup for pptp_server
pptp_server:
# Pool of addresses to be used:
set ippool add LANPOOL 10.15.22.177 10.15.22.182# Create a bundle template named VPN
create bundle template VPN# Iterface configuration
# On demand is only useful when we want to make an outgoing
# connection
set iface disable on-demand
set iface idle 0# Since we do not want to play routing tricks we’ll proxy arp
# to the LAN so traffic will find its way to the interace
set iface enable proxy-arp
set iface enable tcpmssfix# IP options
# TCP header compression
set ipcp yes vjcomp# Set the IP range
# pick a fixed local address and allow assignment from a shared pool
# To assign a fixed address to a user use something like:
# joe "foobar" 10.15.22.178
# bob "foobar" 10.15.22.179
0 # in the mpd.secrets file
# that would always provide joe with the 178 and bob with the 179 address
set ipcp ranges 10.15.22.48/32 ippool LANPOOL
# This is the resolver that is available on the local lan
set ipcp dns 10.15.22.155# Set the encryption on the VPN, Mac OSX uses PPTP uses this too.
set bundle enable compression
# Let this bundle use mppc
set ccp yes mppc
# Continue to configure mppc
# Use 128 bit MMPE encryption
set mppc no e40
set mppc yes e128
# Less secure but fastre recovery from lost packets
set mppc yes stateless
# Require Encryption#Create links
create link template VPNLINK pptp
# Set bundle template to use
set link action bundle VPN
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
# Enable address and control field compression, and protocol
# field compression
set link yes acfcomp protocomp
# Turn pap and chap type authentication off.
set link no pap chap# Require CHAP authentication from the peer NB: Use enable The
# use of enable and accept have slightly different meaning in
# the context of PAP and CHAP.
set link enable chapset link keep-alive 30 300
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP # This is the address to which you will have to connect using your vpn client
set pptp self 10.15.22.48
# Allow to accept calls
set link enable incoming
Troubleshooting
Having all configured out of the box things did not work as expected, after establishing a connection (by which the client was assigned 10.15.22.178) I could not forward traffic to the Internet. My suspicion was that proxy arp was not working on the FreeBSD server.
To troubleshoot proxy-arp you login to a machine that lives on your LAN, different from your client. And ping the address that the client has been assigned.
Then you validate by first pinging and then checking if the arp address points to the interface by which your server is connected to the LAN.
otherbox# ping 10.15.22.178
otherbox# arp 10.15.22.178
? (10.15.22.178) at 0:10:4b:bc:24:1b on en0 [ethernet]
freebsdbox#ifconfig xl0: flags=8843 metric 0 mtu 1500
options=9
ether 00:10:4b:bc:24:1b
…
Those MAC addresses look good.. So proxy-arp was not the problem. What could be another reason why packets from the pptp interface do not make it to the xl0 interface and onto the net? But off course IP forwarding. If you forgot a sysctl net.inet.ip.forwarding=1 on your PPTP server then packets will never make it. So make sure your /etc/sysctl.conf contains such line.
Setting up your connection to this VPN server is trivial, just follow the instructions in your apple help instructions.
Choose Apple > System Preferences, and then click Network.
- Click Add (+) at the bottom of the network connection services list, and then choose VPN from the Interface pop-up menu.
- Choose what kind of VPN connection you want to set up from the VPN Type pop-up menu, depending on the network you are connecting to, and give the VPN service a name.
- Enter the server address and the account name for the VPN connection.
- Click Authentication Settings, and enter the user authentication information you were given by the network administrator.
- After entering the user authentication information, click OK, and then click Connect.
If you want all your traffic routed via the VPN make sure you check the the "Send all traffic over VPN connection".
Leave a Reply