Using 'mpd' To Allow VPN Connections from Windows Workstations
added 2.6.2005 -- written by David van Geyn


Article Description: A description on how to setup 'mpd' to allow VPN connections from Windows workstations.
Hopefully, this guide will be easy to follow. Once I found 'mpd', my VPN server needs were satisfied. I just wanted to be able to allow Windows clients to connect, and that's exactly what 'mpd' does. I found it very easy to set up. In a few simple steps you can do this too!

1. First, install 'mpd' from ports. If you don't use the ports system, grab the 'mpd' source and compile it by hand, but be aware that the configuration file paths below may then differ:

cd /usr/ports/net/mpd
make install

2. Once that was done, I read the mpd.*.sample files in /usr/local/etc/mpd and wrote my own configuration files from them:

cd /usr/local/etc/mpd
vi mpd.conf (or use your favourite editor)

3. Put this in your mpd.conf file:

default:
    load pptp1

pptp1:
    new -i ng0 pptp1 pptp1
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set iface enable tcpmssfix
    set bundle enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    set ipcp ranges 172.20.1.1/32 172.20.1.51/32
    set ipcp dns 172.20.1.1
    set ipcp nbns 172.20.1.1 172.20.1.8
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set ccp yes mpp-stateless

Labels such as 'default:' and 'pptp1:' start at column 0 and the commands under them are indented; that is how mpd tells the two apart. Change the IP addresses to suit your network. On the 'set ipcp ranges' line the first address is the server's end of the link and the second is the address handed to the client; the /32 pins each side to exactly one address. 'set ipcp dns' tells the client which DNS server(s) to use, and 'set ipcp nbns' which WINS (NetBIOS name) servers; remove the nbns line if you have no WINS server. The server address (172.20.1.1 here) may be reused by every link, but each link that can be up at the same time needs its own client address (172.20.1.51 here).

4. Now open mpd.links in your editor and put this in it:

pptp1:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate

5. Now open mpd.secret in your editor and put one username/password pair per line, with the password in double quotes:

pptpuser "pptppassword"
pptpuser2 "pptppassword2"

etc...

6. The passwords in mpd.secret are stored in cleartext (CHAP needs them that way), so make sure the file is readable by root only:

chmod 600 mpd.secret

7. You now should be able to start up 'mpd':

/usr/local/sbin/mpd -b

8. If you have problems, run it without '-b' (which means run in the background) so that it stays in the foreground and you can watch what it complains about.

Now you should have a VPN server for Windows clients that supports MPPE (Microsoft Point-to-Point Encryption) but not MPPC (compression): the compression half of the protocol is not freely licensed and is not shipped with 'mpd', so only the encryption half is negotiated. Two things worth knowing before you expose this to the Internet: the 'set ccp yes mpp-e40' line lets a client settle for 40-bit keys, so leave it out unless you must support clients that cannot do 128-bit, and with CHAP the session keys are derived from the user's password, so give each user a long, random one.

If you want to allow more than one connection at a time, copy the 'pptp1' stanza in mpd.conf and the one in mpd.links, renaming the identifier to 'pptp2' and so on, give each copy its own interface ('ng1', 'ng2', ...) and its own client address, and add a matching 'load' line under 'default:'. I have three set up, so three clients can connect at once.

I am not sure how many links you can define. Each one needs its own ng (netgraph) interface, which mpd creates itself at startup, so the real limit is some resource limit I have not run into yet.
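The whole procedure above, generalised to any number of concurrent links, as an added example that is not from the original article: a POSIX shell script that writes an mpd.conf and mpd.links with one stanza per link (each on its own 'ngN' interface with its own client address, all loaded from 'default:'), then checks that no two stanzas hand out the same client address and that mpd.secret is not readable by group or others. It keeps the article's addressing (server 172.20.1.1, clients from 172.20.1.51 upward) but drops 'mpp-e40' so that only 128-bit MPPE is offered and omits the optional 'nbns' line; the output directory and link count are the script's own parameters.

```shell
#!/bin/sh
# Added example, not part of the original article: generate mpd 3.x
# configuration for COUNT concurrent PPTP links and sanity-check it.
# Assumes the article's addressing (server 172.20.1.1, clients from
# 172.20.1.51 upward); OUTDIR and COUNT are this script's own parameters.

# gen_mpd_conf OUTDIR COUNT SERVER_IP FIRST_CLIENT_OCTET
# Writes OUTDIR/mpd.conf and OUTDIR/mpd.links with links pptp1..pptpCOUNT,
# each on its own ng interface with its own client address.
gen_mpd_conf() {
    dir=$1 count=$2 server=$3 first=$4
    conf="$dir/mpd.conf" links="$dir/mpd.links"

    # "default:" must load every link, or mpd only brings up pptp1.
    printf 'default:\n' > "$conf"
    i=1
    while [ "$i" -le "$count" ]; do
        printf '    load pptp%d\n' "$i" >> "$conf"
        i=$((i + 1))
    done
    : > "$links"

    i=1
    while [ "$i" -le "$count" ]; do
        client="172.20.1.$((first + i - 1))"  # one address per client
        iface="ng$((i - 1))"                  # ng0, ng1, ... one per bundle
        # mpd.conf layout: label at column 0, commands indented.
        # mpp-e40 is deliberately left out so only 128-bit MPPE is offered.
        cat >> "$conf" <<EOF

pptp$i:
    new -i $iface pptp$i pptp$i
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set iface enable tcpmssfix
    set bundle enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    set ipcp ranges $server/32 $client/32
    set ipcp dns $server
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
EOF
        cat >> "$links" <<EOF
pptp$i:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate

EOF
        i=$((i + 1))
    done
}

# client_addrs_unique CONF
# Succeeds only if every "set ipcp ranges" line hands out a different client
# address; two links sharing one address cannot both be up at once.
client_addrs_unique() {
    total=$(grep -c 'set ipcp ranges' "$1" | tr -d ' ')
    distinct=$(awk '/set ipcp ranges/ { print $5 }' "$1" | sort -u | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] && [ "$total" -eq "$distinct" ]
}

# secret_is_private FILE
# Succeeds only if FILE exists and group/other have no permission bits at all
# (what "chmod 600" gives); mpd.secret holds cleartext passwords.
secret_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits of "-rw-------"
    [ "$perms" = "------" ]
}

# Usage: sh gen-mpd.sh OUTDIR COUNT   e.g. sh gen-mpd.sh /usr/local/etc/mpd 3
if [ "$#" -eq 2 ]; then
    gen_mpd_conf "$1" "$2" 172.20.1.1 51
    client_addrs_unique "$1/mpd.conf" && echo "wrote $2 links to $1/mpd.conf and $1/mpd.links"
fi
```

Run it against a scratch directory first and diff the result with your hand-written files; once it matches, point it at /usr/local/etc/mpd, write mpd.secret by hand, 'chmod 600' it, and confirm with 'secret_is_private /usr/local/etc/mpd/mpd.secret' before starting 'mpd -b'. The generated stanzas repeat the article's settings verbatim apart from the dropped 'mpp-e40' line, so anything you change in the template you should change in the script too.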

9. If you have 'mpd' working now and want it started at boot time, just add this line to /etc/rc.local:

/usr/local/sbin/mpd -b

Piece of cake, right?
© Copyright 1998-2008 VANGEYN.Net, unless otherwise noted.