PPTP VPN - PFSenseDocs
http://doc.pfsense.org/index.php/PPTP_VPN (retrieved 12/05/2010 04:40 PM)

Contents
1 Summary
2 Requirements
3 Subnetting and VLAN routing
4 PPTP User setup
5 PPTP Firewall rules
6 Configuring the PPTP client under Windows XP
7 Limitations
8 Acknowledgements

Summary

This chapter is intended to outline several different PPTP VPN setups. It includes a how-to on setting up a Windows XP PPTP client to connect to the pfSense PPTP VPN server. Later versions of this document will include Mac, Linux and other clients.

Requirements

Configuring the PPTP server on a pfSense box requires moderate knowledge of TCP/IP internetworking and subnetting. Also required is at least a basic, working configuration of pfSense.

Subnetting and VLAN routing

First, figure out which public IP address you want to terminate the PPTP connection on. For the sake of simplicity, I will not use redirection. Click the Enable PPTP server radio button. Next, set an IP address for the Server address field. This address is used for the server side of the point-to-point link, and it should be either in an unused subnet, or an unused IP address in the same subnet as the addresses you will hand out to PPTP clients. The Remote address range defines the range of IP addresses that will be assigned to PPTP clients. The field hardcodes the subnet mask to /28, which creates a subnetwork with 14 usable host addresses (plus one for the network address and one for the broadcast address).
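The pool arithmetic above, and the checks that the Server address and any per-user static addresses (see the PPTP User setup section) stay consistent with it, as an added worked example in Python. This is not pfSense's own code: it only recomputes what the GUI does when it hardcodes the /28 mask. The pool start 192.168.1.208 and the LAN interface address 192.168.1.254 are this page's example values; the reserved equipment range and the user list are constructed for illustration.

```python
"""Address-plan check for the pfSense PPTP server settings described above.

Added example (not pfSense's own code): recomputes the /28 client pool that
the pfSense GUI derives from the 'Remote address range' start address, and
validates the 'Server address' and any per-user static addresses against it.
"""
import ipaddress

POOL_PREFIX = 28  # the pfSense PPTP page hardcodes the client pool mask to /28


def pptp_pool(start):
    """Return the /28 pool pfSense will use for a given remote-range start."""
    net = ipaddress.ip_network(f"{start}/{POOL_PREFIX}", strict=False)
    hosts = list(net.hosts())  # 14 usable client addresses for a /28
    return {
        "network": str(net),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        # False if the start address is not on a /28 boundary: the pool is
        # then the enclosing block, not the 16 addresses counted from 'start'.
        "aligned": ipaddress.ip_address(start) == net.network_address,
    }


def check_plan(server_ip, pool_start, reserved, users):
    """Validate server address, pool placement and static user addresses.

    reserved: (first, last) of the LAN range kept for servers and equipment
    users:    {username: static_ip_or_None}   (None = dynamic from the pool)
    Returns a list of problem strings; an empty list means the plan is sound.
    """
    problems = []
    pool = ipaddress.ip_network(f"{pool_start}/{POOL_PREFIX}", strict=False)
    server = ipaddress.ip_address(server_ip)

    if ipaddress.ip_address(pool_start) != pool.network_address:
        problems.append(f"pool start {pool_start} is not /{POOL_PREFIX}-aligned; "
                        f"pfSense will use {pool}")

    # Server side of the point-to-point link: the same subnet as the clients
    # is fine, but it must not be an address that could be handed to a client.
    if server in pool:
        problems.append(f"server address {server} lies inside the client pool {pool}")

    # Keep the pool clear of the addresses used by servers and equipment.
    first, last = (ipaddress.ip_address(a) for a in reserved)
    for block in ipaddress.summarize_address_range(first, last):
        if pool.overlaps(block):
            problems.append(f"client pool {pool} overlaps reserved range {first}-{last}")
            break

    # Per-user static addresses must be usable pool addresses and be unique.
    seen = {}
    for name, ip in users.items():
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in pool or addr in (pool.network_address, pool.broadcast_address):
            problems.append(f"user {name}: {addr} is outside the client pool {pool}")
        if addr == server:
            problems.append(f"user {name}: {addr} collides with the server address")
        if addr in seen:
            problems.append(f"user {name}: {addr} already assigned to {seen[addr]}")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    # Constructed sample matching this page's example plan.
    print(pptp_pool("192.168.1.208"))
    print(check_plan("192.168.1.254", "192.168.1.208",
                     ("192.168.1.1", "192.168.1.100"),
                     {"alice": "192.168.1.210", "bob": None}))
```

Run it once with the values you intend to type into the GUI; any non-empty result from check_plan is a plan to fix before enabling the server, since pfSense will not catch a server address or a static user address that sits inside the lease pool.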
In my example, I define a subnet with the following characteristics:

Network:   192.168.1.208/28   11000000.10101000.00000001.1101 0000
HostMin:   192.168.1.209      11000000.10101000.00000001.1101 0001
HostMax:   192.168.1.222      11000000.10101000.00000001.1101 1110
Broadcast: 192.168.1.223      11000000.10101000.00000001.1101 1111

In my example PPTP VPN config (http://www.electricalchemy.org/pfsense/img/pptp_vpn_config.JPG) I have chosen a subnet that lies within the LAN network, but that is outside the range of IPs that I use for servers and other networking equipment. This allows for easy rule configuration. Note that because you can define rules based on the PPTP interface, this isn't strictly required.

Do check 'Require 128-bit encryption' to enable MPPE-128, which we will use from the Windows XP VPN client. This is the strongest option PPTP offers, but see Limitations for what it does and does not protect against.

Again for the sake of simplicity I have left the RADIUS options unchecked. If you have an enterprise AAA server, or a home-grown FreeRADIUS server, you can utilize it here.

PPTP User setup

Now create usernames and passwords for your PPTP VPN users. If you specify an IP address in the IP address field, make sure the address is within the range you've specified in the Subnetting and VLAN routing section, and that it is not the Server address. Hard-coding an IP address for a particular user is good if you want to restrict access to particular resources by user, rather than by the PPTP interface itself.

PPTP Firewall rules

Now go into the firewall rules section and select the PPTP interface. Note that you do not need to manually create the rules required to allow PPTP itself to function; pfSense automatically creates the following rules to allow GRE and TCP/1723 to pass inbound to your PPTP termination point:
  pass quick proto gre all keep state label allow gre pptpd
  pass quick proto tcp from any to any port = pptp keep state label allow pptpd 127.0.0.1

Note that if you want to manually restrict the PPTP service so that it is only reachable from particular subnets or IP addresses, you'll need to do it outside the GUI. <fixme: how are implied and/or automatic rules handled? where do we modify them?>

What we do need to do is create some rules to allow the PPTP users to access the resources they need. In my example (http://www.electricalchemy.org/pfsense/img/pptp_vpn_fw_rules_config.JPG) I have added (liberal) rules to allow all traffic from the PPTP interface to the LAN and DMZ subnets. Note that the picky amongst us can further restrict the protocol, source and destination parameters as required.

Configuring the PPTP client under Windows XP

Start --> Control Panel --> Network Connections
File --> New Connection --> Next
Connect to the network at my workplace --> Next
Select VPN connection --> Next
Enter descriptive name for connection --> Next
Do not dial the initial connection --> Next
Enter hostname or PUBLIC IP address of the PPTP server --> Next
  Note that in this example the IP here is RFC1918 private; however, that's only because in my lab environment the WAN IP is on a private segment.
Select do not use smart card --> Next
  <fixme: we should support PKI based auth for PPTP VPN at some point>
Click on Finish

That is all that is required to create the connection. The next step turns off "use default gateway on remote network". If you will be accessing resources on the VPN network that are not directly connected to the firewall itself, you will probably want to skip this step, because without the remote default gateway Windows only routes the network of the address it was assigned over the tunnel, and anything beyond that would need a manual route. If you do skip this step, then when you connect to the PPTP server your default gateway for ALL traffic will be via the PPTP VPN.
With the current ruleset I've created in this example, this means that you will be unable to reach any resources outside the LAN or DMZ subnets. To remedy the situation:

Click on Properties
Click on Networking --> Internet Protocol
Properties --> Advanced
Uncheck "use default gateway on remote network"
Click OK, OK, OK

Now enter your username and password (configured during the PPTP User setup process) and click on Connect. You should get Connecting --> Verifying username & password --> Authenticated.

Now right-click on the tray icon for the VPN connection --> Properties --> Details, and ensure that we are using MSCHAP v2 and MPPE 128.

Now attempt to ping the LAN interface of the firewall:

  dc@ryokosha:~# ping 192.168.1.254
  Pinging 192.168.1.254 with 32 bytes of data:
  Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
  Reply from 192.168.1.254: bytes=32 time=1ms TTL=64

Now attempt to ping a host on the LAN segment (note this requires that the rules for the PPTP interface are configured per my example):

  dc@ryokosha:~# ping 192.168.1.1
  Pinging 192.168.1.1 with 32 bytes of data:
  Reply from 192.168.1.1: bytes=32 time=2ms TTL=254
  Reply from 192.168.1.1: bytes=32 time=1ms TTL=254

Limitations

PPTP authenticates with MS-CHAPv2, whose security reduces to a single 56-bit DES key, so an attacker who captures the handshake can recover the credentials offline regardless of password strength. MPPE-128 is RC4 keyed from that same MS-CHAPv2 exchange, so recovering the handshake also yields the session keys; the 'Require 128-bit encryption' setting does not change this. Treat PPTP as unsuitable for anything that must stay confidential across an untrusted network and prefer IPsec or OpenVPN; pfSense later removed the PPTP server entirely (2.3 and newer).

Acknowledgements

This document would have borrowed very heavily from the m0n0wall documentation, if I had looked at it before visiting this page. Thanks [email protected] for mad skill @ reinventing the wheel.

Retrieved from http://doc.pfsense.org/index.php/PPTP_VPN
Categories: Documentation | VPN | PPTP