December 13, 2017

How to Install PPTP VPN Server on FreeBSD


This tutorial covers the steps to set up a virtual private network on FreeBSD. We use a PPTP VPN server to provide a VPN for two or more users. The clients do not need to install any VPN application, because the built-in VPN client of Windows, Linux or Mac can be used.
The VPN server uses mpd4 and NATs the traffic of the VPN users; it can be extended to any number of users and interfaces.

Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.

Prepare the init scripts

Open /etc/rc.conf:

vi /etc/rc.conf

Add the following lines so that the VPN, the gateway function (IP forwarding) and the PF firewall with NAT start at system boot:

mpd_enable="YES"
gateway_enable="YES"
pf_enable="YES"

Enable the gateway

Set up the machine to act as a gateway with the command below. This enables IP forwarding immediately; the gateway_enable="YES" line in /etc/rc.conf makes the setting persist across reboots.

sysctl net.inet.ip.forwarding="1"

Install Mpd

Install the mpd4 port with the default options:

cd /usr/ports/net/mpd4
make install clean; rehash

Configure Mpd

In the /usr/local/etc/mpd4 directory create an mpd.conf file:

vi /usr/local/etc/mpd4/mpd.conf

Add the Mpd configuration as follows:

startup:
default:
        load client1
        load client2
client1:
        new -i ng0 pptp1 pptp1
        set ipcp ranges 172.16.1.1/32 172.16.1.10/32
        load client_standard
 
client2:
        new -i ng1 pptp2 pptp2
        set ipcp ranges 172.16.2.1/32 172.16.2.10/32
        load client_standard
 
client_standard:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 0
        set iface enable tcpmssfix
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link enable no-orig-auth
        set link enable keep-ms-domain
        set link no pap chap
        set link enable chap
        set link yes chap-msv1 chap-md5 chap-msv2
        set link mtu 1460
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp dns 8.8.8.8
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set bundle enable crypt-reqd

In the /usr/local/etc/mpd4 directory create a mpd.links file:

vi /usr/local/etc/mpd4/mpd.links

Add the PPTP configuration as follows. Replace your-external-ip with the IP address on which Mpd listens for incoming PPTP connections.

pptp1:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack
 
pptp2:
        set link type pptp
        set pptp self your-external-ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

In the /usr/local/etc/mpd4 directory create an mpd.secret file:

vi /usr/local/etc/mpd4/mpd.secret

This file stores the user names and passwords in cleartext. Add the users, one per line, as follows:

user1 password
user2 password

Configure the PF firewall

In the /etc directory create or edit the pf.conf file:

vi /etc/pf.conf

This is the PF firewall configuration file. Add the configuration as follows. Replace your-external-ip with the address the VPN users' traffic is NATed to, i.e. the address it appears to originate from.

ext_if="your-external-interface"
 
internal_net="172.16.0.0/16"
external_addr="your-external-ip"
 
nat on $ext_if from $internal_net to any -> $external_addr
 
pass in all
pass out all
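The ruleset above passes everything in and out. As an added example that is not part of the original tutorial, the shell function below emits a tighter pf.conf that keeps the same NAT rule but admits from the outside only what the VPN needs: the PPTP control connection on TCP port 1723 and the GRE-encapsulated tunnel traffic, plus SSH for administration. The interface name, external address and internal network used in the usage line (em0, 203.0.113.10, 172.16.0.0/16) are constructed placeholders; ng0 and ng1 are the interfaces the mpd.conf above creates.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emit a restrictive pf.conf
# that replaces "pass in all / pass out all" while keeping the NAT rule.
# Arguments: external interface, external address, internal (VPN) network.
# The values in the usage line at the bottom are constructed placeholders.
pf_rules() {
    ext_if="$1"
    ext_addr="$2"
    internal_net="$3"
    # Unquoted heredoc: $ext_if etc. are substituted now; \$... stay literal
    # so they become pf macros in the generated file.
    cat <<EOF
ext_if="$ext_if"
external_addr="$ext_addr"
internal_net="$internal_net"
# ng interfaces created by mpd for client1 and client2
vpn_ifs="{ ng0 ng1 }"

set skip on lo0
scrub in all

# Masquerade VPN client traffic leaving through the external interface
nat on \$ext_if from \$internal_net to any -> \$external_addr

# Default deny inbound on the external interface; log what is dropped.
# pf uses last-match semantics, so the pass rules below override this block.
block in log on \$ext_if all
pass out on \$ext_if all keep state

# PPTP control channel (TCP 1723) and the GRE tunnel that carries PPP
pass in on \$ext_if proto tcp from any to \$external_addr port 1723 flags S/SA keep state
pass in on \$ext_if proto gre from any to \$external_addr keep state

# Administrative SSH access
pass in on \$ext_if proto tcp from any to \$external_addr port 22 flags S/SA keep state

# Traffic from connected VPN clients, limited to their assigned ranges
pass in on \$vpn_ifs from \$internal_net to any keep state
pass out on \$vpn_ifs all keep state
EOF
}

# Usage (placeholders): pf_rules em0 203.0.113.10 172.16.0.0/16 > /etc/pf.conf
# Check the syntax before loading it: pfctl -nf /etc/pf.conf
```

Because the block rule is listed first and pf applies the last matching rule, the explicit pass rules win for PPTP, GRE and SSH, and everything else arriving on the external interface is dropped and logged; pfctl -nf parses the file without loading it, which is a cheap check to run before activating a ruleset on a remote machine.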

Start Mpd and the PF firewall

Finally we can start Mpd and the PF firewall.

/usr/local/etc/rc.d/mpd4 start
/etc/rc.d/pf start

Execute the ifconfig command.

ifconfig

The ng devices in the ifconfig output should look like this:

ng0: flags=8890 metric 0 mtu 1500
ng1: flags=8890 metric 0 mtu 1500

Once there are users connected you should see something like this:

ng0: flags=88d1 metric 0 mtu 1458
        inet 172.16.1.1 --> 172.16.1.10 netmask 0xffffffff
ng1: flags=8890 metric 0 mtu 1500

Now you have a multiuser VPN with two concurrent connections. Feel free to add more users by editing the mpd.conf and mpd.links files.
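Adding clients by hand means keeping the interface names, link names and address ranges in mpd.conf and mpd.links consistent. As an added example that is not part of the original tutorial, the shell functions below generate both sets of stanzas for N clients using the tutorial's own scheme: client i gets interface ng(i-1), link pptpi and the range 172.16.i.1/32 to 172.16.i.10/32. The shared client_standard block from the tutorial is not generated and is appended unchanged; the external IP 203.0.113.10 in the usage lines is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate the per-client
# stanzas of mpd.conf and mpd.links for N concurrent PPTP clients, following
# the tutorial's scheme (client i -> ng(i-1), pptpi, 172.16.i.1/32 ... .10/32).
# The external IP in the usage lines is a constructed placeholder.

# Accept only a count that fits the 172.16.0.0/16 network used for NAT
# (one /24 per client, third octet 1..255).
check_count() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -ge 1 ] && [ "$n" -le 255 ]
}

# Print the startup/default sections and one client stanza per client.
gen_mpd_conf() {
    n="$1"
    check_count "$n" || return 1
    echo "startup:"
    echo "default:"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "        load client$i"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$n" ]; do
        # Heredoc body is literal apart from the $... expansions
        cat <<EOF
client$i:
        new -i ng$((i - 1)) pptp$i pptp$i
        set ipcp ranges 172.16.$i.1/32 172.16.$i.10/32
        load client_standard

EOF
        i=$((i + 1))
    done
}

# Print one pptp link stanza per client, all listening on the same address.
gen_mpd_links() {
    n="$1"
    ext_ip="$2"
    check_count "$n" || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        cat <<EOF
pptp$i:
        set link type pptp
        set pptp self $ext_ip
        set pptp enable incoming
        set pptp disable originate
        set pptp disable windowing
        set pptp enable always-ack

EOF
        i=$((i + 1))
    done
}

# Usage (placeholders): four clients, then append the tutorial's
# client_standard block to mpd.conf by hand.
#   gen_mpd_conf 4 > /usr/local/etc/mpd4/mpd.conf
#   gen_mpd_links 4 203.0.113.10 > /usr/local/etc/mpd4/mpd.links
```

Every generated range lies inside internal_net (172.16.0.0/16) from the pf.conf above, so the NAT rule keeps covering new clients without changes. Each added client still needs a line in mpd.secret; since that file holds passwords in cleartext, keep it readable by root only (mode 0600).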
