The FreeBSD Diary

I'm working for a US based company which has an office here in Ottawa. I also work from home, as do two other employees here. Until today, I've been using a VPN from my W2K box, which is what I usually use from day to day when accessing the office network. But this morning I found a need to access the office network using one of my FreeBSD boxes. This article shows how I set that VPN up using a pptp client. I put this client on my gateway box which enabled my entire network to access the VPN. Which is a good thing.

I knew I wanted pptp (because someone told me that's what I wanted). This was dictated by the fact that the office (i.e. the server) was using pptp. So here is how I found my options:

[dan@ns1:] $ cd /usr/ports
[dan@ns1:/usr/ports] $ make search key=pptp
Port:   poptop-1.1.2
Path:   /usr/ports/net/poptop
Info:   Windows 9x compatible PPTP (VPN) server
Maint:  nsayer@freebsd.org
Index:  net
B-deps:
R-deps:

Port:   pptpclient-1.0.3
Path:   /usr/ports/net/pptpclient
Info:   PPTP client for establishing a VPN link with an NT server
Maint:  thomas@cuivre.fr.eu.org
Index:  net
B-deps: libgnugetopt-1.1
R-deps: libgnugetopt-1.1

[dan@ns1:/usr/ports] $

cd /usr/ports/net/pptpclient
make install

If you have configured a PPP client before, this should look familiar. I took the example provided by the port but saved the existing .conf file.

cd /etc/ppp
mv ppp.conf ppp.conf.original
cp usr/local/share/examples/pptpclient/ppp.conf .
chmod 640 ppp.conf

The chmod ensures that the password contained in the file is not readable by everyone.

If you read the /usr/local/share/examples/pptpclient you will see that you need to change a few things in the .conf file. I changed the items shown in bold.

$ less ppp.conf
THEOFFICE:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 add 10.5.9.0/24 HISADDR
 alias enable yes

The items in bold are:

• THEOFFICE: This is just a label. Give it a descriptive value. You will use this value on the command line when you invoke pptp.
• myusername: This is the user name assigned to you and which you use to authenticate at the VPN server.
• mypassword: This is the password you use in combination with the user name above.
• 10.5.9.0/24: This is the IP address of the VPN which you will be connecting to. Talk to your VPN administrator to find out what value you should be using. This is the value I will be using later when I get a static route.

Starting the client is easy:

/usr/local/sbin/pptp a.b.c.d THEOFFICE

This script appears to do the right thing. There are a few things you should know about this script:

1. It assumes tun0 is the interface you are using for pptp. If you are using more than one PPP connection, you'll probably have to be more careful with this.
2. While running, you'll see two instances of pptp running. This appears to be normal.
3. After stopping, it can take a little while for those two instances of pptp to stop running. This also appears normal.

$ less /usr/local/etc/rc.d/pptp.sh
#!/bin/sh

case "$1" in
start)
        /usr/local/sbin/pptp a.b.c.d THEOFFICE &
        ;;

stop)
        if [ -f /var/run/tun0.pid ]
        then
                kill -TERM `cat /var/run/tun0.pid`
        fi
        ;;

*)
        echo "Usage: ^Basename $0 {start|stop}" >&2
        ;;
esac

exit 0

Make sure to do a chmod +x on the script (all files in /usr/local/etc/rc.d/ must be .sh and +x in order to be run at boot time.

I have two gateways; one is DSL, the other cable. My main connection is DSL and my network machines use the DSL gateway as their default route. I wanted to put the office VPN on my cable connection to spread the load slightly. I achieved this by adding a default route on the DSL gateway which pointed to the cable gateway. Here is how I did that by modifying /etc/rc.conf on the DSL box:

static_routes="MyOffice"
route_MyOffice="10.5.9.0/24 192.168.0.20"

This will ensure that all traffic arriving at the DSL gateway for the subnet 10.5.9.0/24 will be redirected to 192.168.0.20 (which is my cable gateway and the box which is running the pptp client).

You can create additional routes by adding more entries to static_routes. For example you can do this:

static_routes="MyOffice FriendsHouse AnotherPlace"

and for each entry you will need to create a route_" entry similar to what you see above for route_MyOffice.