How to Set Up a PPTP VPN (Legacy) on FreeBSD Operating System

This guide walks step by step through setting up a PPTP VPN (Legacy) server on FreeBSD.

Introduction

Virtual Private Networks (VPNs) are essential tools for securing internet connections, enabling remote access to private networks, and bypassing geo-restrictions. Among the various VPN protocols, Point-to-Point Tunneling Protocol (PPTP) is one of the oldest and most straightforward to set up. While PPTP is considered less secure than modern alternatives like OpenVPN or WireGuard, it remains a viable option for legacy systems or scenarios where simplicity and compatibility are prioritized over advanced security.

FreeBSD, a powerful and versatile Unix-like operating system, is an excellent choice for setting up a VPN server due to its robustness, security features, and flexibility. This article provides a step-by-step guide on how to set up a PPTP VPN server on FreeBSD. We will cover the installation, configuration, and testing of the PPTP VPN service, ensuring that even users with moderate technical expertise can follow along.


Prerequisites

Before proceeding, ensure you have the following:

  1. A FreeBSD System: This guide assumes you have a FreeBSD server or desktop installed and configured with root access.
  2. Internet Connectivity: The FreeBSD system must have a stable internet connection.
  3. Basic Command-Line Knowledge: Familiarity with FreeBSD’s command-line interface and text editors like vi or ee is recommended.
  4. Static IP Address: Assign a static IP address to your FreeBSD server to ensure consistent VPN access.

Step 1: Update the FreeBSD System

Before installing any software, it is good practice to update the FreeBSD system to ensure all packages and the kernel are up to date. Run the following commands:

freebsd-update fetch
freebsd-update install
pkg update
pkg upgrade

This will fetch and install the latest updates for the operating system and installed packages.


Step 2: Install PPTPD (PPTP Daemon)

The PPTP VPN server on FreeBSD is managed by the pptpd daemon. To install it, use the pkg package manager:

pkg install pptpd

This command will download and install the pptpd package along with any required dependencies.


Step 3: Configure PPTPD

Once pptpd is installed, the next step is to configure it. The configuration files for pptpd are located in /usr/local/etc/.

1. Edit the pptpd.conf File

Open the pptpd.conf file in a text editor:

ee /usr/local/etc/pptpd.conf

Add the following configuration lines:

option /usr/local/etc/ppp/options.pptpd
logwtmp
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

  • option: Specifies the path to the PPP options file.
  • logwtmp: Enables logging of connection and disconnection events.
  • localip: The IP address assigned to the VPN server.
  • remoteip: The range of IP addresses assigned to VPN clients.

Save and exit the editor.

2. Edit the options.pptpd File

Next, configure the PPP options by editing the options.pptpd file:

ee /usr/local/etc/ppp/options.pptpd

Add the following configuration:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd

  • name: The name of the PPTP server.
  • refuse-pap/chap/mschap: Refuses the less secure PAP, CHAP, and MS-CHAP (version 1) authentication methods.
  • require-mschap-v2: Requires clients to authenticate with MS-CHAPv2.
  • require-mppe-128: Requires 128-bit MPPE encryption.
  • ms-dns: Specifies DNS servers for VPN clients.
  • proxyarp: Enables Proxy ARP for routing.
  • lock: Locks the device to prevent simultaneous use.
  • nobsdcomp/novj/novjccomp: Disables compression to improve compatibility.
  • nologfd: Disables logging to file descriptors.

Save and exit the editor.

3. Set Up User Authentication

PPTP uses a username and password for authentication. These credentials are stored in the /usr/local/etc/ppp/chap-secrets file. Open the file in a text editor:

ee /usr/local/etc/ppp/chap-secrets

Add a line for each user in the following format:

username pptpd password *

  • username: The username for the VPN client.
  • pptpd: The name of the PPTP server (must match the name in options.pptpd).
  • password: The password for the user.
  • *: Allows the user to connect from any IP address.

Save and exit the editor.
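
The script below is an added example, not part of the original guide: it audits the files edited in Step 3, reporting directives from the list above that are missing from options.pptpd, a chap-secrets file readable by group or other (it holds the passwords in cleartext), and users whose server field does not match the name directive. The function names are hypothetical and the sample files are constructed for the demonstration; on a real server, pass the paths from this guide instead.

```shell
#!/bin/sh
# Added example: audit the files edited in Step 3. Function names are
# hypothetical; the sample files below are constructed for the demo.

# Print each directive from the guide's options.pptpd that is absent
# (commented-out lines do not count).
missing_directives() {
    for d in refuse-pap refuse-chap refuse-mschap \
             require-mschap-v2 require-mppe-128; do
        awk -v d="$d" '$1 == d { f = 1 } END { exit !f }' "$1" || echo "$d"
    done
}

# Succeed only if the file grants no permissions to group or other.
secrets_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print users whose server field does not match "name" in the options file.
mismatched_users() {
    name=$(awk '$1 == "name" { print $2; exit }' "$2")
    awk -v n="$name" \
        '$1 !~ /^#/ && NF >= 3 && $2 != n && $2 != "*" { print $1 }' "$1"
}

# Constructed sample: a weakened options file and a world-readable secrets file.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/options.pptpd" <<'EOF'
name pptpd
refuse-pap
#refuse-chap
require-mschap-v2
EOF
cat > "$tmp/chap-secrets" <<'EOF'
# client  server  secret            IP
alice     pptpd   example-secret-1  *
bob       pptp    example-secret-2  *
EOF
chmod 644 "$tmp/chap-secrets"

echo "Missing directives:"
missing_directives "$tmp/options.pptpd"
secrets_private "$tmp/chap-secrets" || echo "chap-secrets is readable by group/other"
echo "Users with a server name mismatch:"
mismatched_users "$tmp/chap-secrets" "$tmp/options.pptpd"
```

If the permission check fails on the real file, chmod 600 /usr/local/etc/ppp/chap-secrets restricts it to its owner.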


Step 4: Enable IP Forwarding

For the VPN server to route traffic between clients and the internet, IP forwarding must be enabled. Edit the /etc/rc.conf file:

ee /etc/rc.conf

Add the following line:

gateway_enable="YES"

Save and exit the editor.


Step 5: Start and Enable the PPTPD Service

With the configuration complete, start the pptpd service and enable it to start automatically on boot:

sysrc pptpd_enable="YES"
service pptpd start

Verify that the service is running:

service pptpd status

Step 6: Configure the Firewall (Optional)

If you are using a firewall, you must allow PPTP traffic. PPTP uses TCP port 1723 and GRE (Protocol 47). For pf, add the following rules to /etc/pf.conf:

pass in quick proto tcp from any to any port 1723
pass in quick proto gre from any to any

Reload the firewall:

service pf reload

Step 7: Test the PPTP VPN Connection

To test the VPN, configure a PPTP client on another device (e.g., Windows, macOS, or a mobile device). Use the following details:

  • Server IP: The public or private IP address of your FreeBSD server.
  • Username/Password: The credentials you added to chap-secrets.

Once connected, verify that the client can access the internet and any internal resources.


Step 8: Troubleshooting

If the VPN connection fails, check the following:

  1. Logs: Review the logs in /var/log/pptpd.log and /var/log/ppp.log for errors.
  2. Firewall: Ensure the firewall is not blocking PPTP traffic.
  3. IP Forwarding: Verify that IP forwarding is enabled.
  4. Authentication: Double-check the chap-secrets file for typos.

Conclusion

Setting up a PPTP VPN on FreeBSD is a straightforward process that can be completed in a few steps. While PPTP is not the most secure VPN protocol available, it remains a useful option for legacy systems or scenarios where simplicity is key. By following this guide, you can configure a PPTP VPN server on FreeBSD and provide secure remote access to your network.

Remember to consider upgrading to more secure VPN protocols like OpenVPN or WireGuard if your use case allows it. However, for basic needs, PPTP on FreeBSD is a reliable and easy-to-implement solution.


This guide provides a comprehensive overview of setting up a PPTP VPN on FreeBSD. If you encounter any issues or have further questions, consult the FreeBSD documentation or seek assistance from the FreeBSD community.