PPTP VPN - PFSenseDocs

http://doc.pfsense.org/index.php/PPTP_VPN

PPTP VPN
From PFSenseDocs

Contents

1 Summary
2 Requirements
3 Subnetting and VLAN routing
4 PPTP User setup
5 PPTP Firewall rules
6 Configuring the PPTP client under Windows XP
7 Limitations
8 Acknowledgements

Summary
This chapter is intended to outline several different PPTP VPN setups. It includes a how-to on setting up a Windows XP PPTP client to connect to the pfSense PPTP VPN server. Later versions of this document will include Mac, Linux and other clients.

Requirements
Configuring the PPTP server on a pfSense box requires moderate knowledge of TCP/IP internetworking and subnetting. Also required is at least a basic, working configuration of pfSense.

Subnetting and VLAN routing

12/05/2010 04:40 PM


First figure out which public IP address you want to use to terminate the PPTP connection on. For the sake of simplicity, I will not use redirection.

Click the "Enable PPTP server" radio button. Next, set an IP address for the "Server address" field. This address will be used for the server side of the point-to-point network, and it should be either in an unused subnet, or an unused IP address in the same subnet as the IPs you will use for PPTP clients.

The remote address range defines the range of IP addresses that will be assigned to PPTP clients. The field hardcodes the subnet mask to /28, which creates a subnetwork with 14 available host addresses (plus one for the network address, and one for the broadcast address). In my example, I define a subnet with the following characteristics:

Network:   192.168.1.208/28   11000000.10101000.00000001.1101 0000
HostMin:   192.168.1.209      11000000.10101000.00000001.1101 0001
HostMax:   192.168.1.222      11000000.10101000.00000001.1101 1110
Broadcast: 192.168.1.223      11000000.10101000.00000001.1101 1111

In my example PPTP VPN config (http://www.electricalchemy.org/pfsense/img/pptp_vpn_config.JPG) I have chosen a subnet that lies within the LAN network, but that is outside the range of IPs that I use for servers and other networking equipment. This allows for easy rule configuration. Note that because you can define rules based on the PPTP interface, this isn't strictly required.

Do check 'Require 128-bit encryption' to enable the MPPE-128 encryption we'll use from the WinXP VPN client. Again, for the sake of simplicity I have left the RADIUS options unchecked. If you have an enterprise AAA server, or a ghetto-tech freeradius server, you can utilize it here.
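As an added worked example (not from the pfSense docs), the following Python script derives the /28 client pool and the octet-by-octet binary breakdown shown above for any remote range start, and checks a proposed server address against the pool and against addresses already in use on the LAN. The /28 prefix and the 192.168.1.208 range come from the page; the in-use address list, the server address 192.168.1.225 and the 192.168.1.16/28 server block are constructed for this example.

```python
import ipaddress

# pfSense hardcodes the PPTP "Remote address range" to a /28 (14 client addresses).
PPTP_PREFIXLEN = 28

# Constructed sample of addresses already in use on the LAN (an assumption, not from
# the page): the LAN interface and host the page pings, plus a hypothetical server block.
IN_USE = ["192.168.1.254", "192.168.1.1", "192.168.1.16/28"]


def dotted_binary(addr):
    """Render an IPv4 address octet by octet in binary, as the page's table does."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def pptp_pool(remote_start):
    """Derive the /28 client pool from the start of the remote address range."""
    pool = ipaddress.IPv4Network((remote_start, PPTP_PREFIXLEN), strict=False)
    hosts = list(pool.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(pool),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(pool.broadcast_address),
        "usable": len(hosts),
    }


def plan_check(server_addr, remote_start, in_use=IN_USE):
    """Return a list of problems with a proposed server address and client pool.

    Checks that the range start sits on a /28 boundary, that the server address is
    not one of the client addresses, and that neither the server address nor the
    pool collides with addresses already in use on the LAN.
    """
    problems = []
    pool = ipaddress.IPv4Network((remote_start, PPTP_PREFIXLEN), strict=False)
    server = ipaddress.IPv4Address(server_addr)
    if ipaddress.IPv4Address(remote_start) != pool.network_address:
        problems.append(
            f"remote range start {remote_start} is not on a /28 boundary (pool would be {pool})")
    if server in pool:
        problems.append(f"server address {server} lies inside the client pool {pool}")
    for used in in_use:
        used_net = ipaddress.IPv4Network(used, strict=False)  # a bare address becomes a /32
        if server in used_net:
            problems.append(f"server address {server} collides with in-use {used}")
        if pool.overlaps(used_net):
            problems.append(f"client pool {pool} overlaps in-use {used}")
    return problems


if __name__ == "__main__":
    pool = pptp_pool("192.168.1.208")
    for name in ("network", "hostmin", "hostmax", "broadcast"):
        value = pool[name]
        print(f"{name:<10}{value:<20}{dotted_binary(value.split('/')[0])}")
    # A hypothetical server address outside the pool and not otherwise in use: no problems.
    print(plan_check("192.168.1.225", "192.168.1.208"))
    # A deliberately bad plan: unaligned range start, server address inside the pool
    # and already used by the LAN interface.
    for problem in plan_check("192.168.1.254", "192.168.1.250"):
        print("problem:", problem)
```

Run it before committing to a range: an unaligned start is silently masked down to the /28 boundary, which is the easiest way to end up handing a PPTP client an address that a LAN host already owns.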

PPTP User setup


Now create usernames and passwords for your PPTP VPN users. If you specify an IP address in the IP address field, make sure the address is within the range you've specified in the Subnetting and VLAN routing section. Hard-coding an IP address for a particular user is good if you want to restrict access to particular resources by user, rather than by the PPTP interface itself.

PPTP Firewall rules


Now go into the firewall rules section and select the PPTP interface. Note that you do not need to manually create the rules required to allow PPTP itself to function. (pfSense automagically creates the following rules to allow GRE and TCP/1723 to pass inbound to your PPTP termination point.)

pass quick proto gre all keep state label "allow gre pptpd"
pass quick proto tcp from any to any port = pptp keep state label "allow pptpd 127.0.0.1"
Note that if you want to manually restrict the PPTP service to only be available from particular subnets or IP addresses, you'll need to do it outside the GUI. <fixme: how are implied and/or automatic rules handled? where do we modify them?>

Now, what we do need to do is create some rules to allow the PPTP users to access the resources they need. In my example (http://www.electricalchemy.org/pfsense/img/pptp_vpn_fw_rules_config.JPG) I have added (liberal) rules to allow all traffic from the PPTP interface to the LAN and DMZ subnets. Note that the picky amongst us can further restrict the protocol, source and destination parameters as required.

Configuring the PPTP client under Windows XP


Start --> Control Panel --> Network Connections
File --> New Connection --> Next
Connect to the network at my workplace --> Next
Select VPN connection --> Next
Enter descriptive name for connection --> Next
Do not dial the initial connection --> Next
Enter hostname or PUBLIC IP address of the PPTP server --> Next

Note that in this example the IP here is RFC1918 private; however, that's only because in my lab environment the WAN IP is on a private segment.
Select do not use smart card --> Next <Fixme: we should support PKI based auth for PPTP VPN at some point>
Click on Finish

That is all that is required. Now, if you will be accessing resources on the VPN network that are not directly connected to the firewall itself, you will probably want to skip this step. If you do skip this step, when you connect to the PPTP server your default gateway for ALL traffic will be via the PPTP VPN. With the current ruleset I've created in this example, this means that you will be unable to reach any resources outside the LAN or DMZ subnets. To remedy the situation:

Click on Properties
Click on Networking --> Internet Protocol Properties --> Advanced
Uncheck use default gateway on remote network
Click OK, OK, OK

Now enter your username and password (configured during the PPTP User Setup process) and click on Connect. You should get Connecting --> Verifying username & password --> Authenticated.

Now right click on the tray icon for the VPN connection --> Properties --> Details. Ensure that we are using MSCHAP v2 and MPPE 128.

Now attempt to ping the LAN interface of the firewall:

dc@ryokosha:~# ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64

Now attempt to ping a host on the LAN segment (note this requires that the rules for the PPTP interface are configured per my example):

dc@ryokosha:~# ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=254
Reply from 192.168.1.1: bytes=32 time=1ms TTL=254

Limitations

Acknowledgements
This document would have borrowed very heavily from the m0n0wall documentation, if I had looked at it before visiting this page. Thanks to pfsense@electricalchemy.org for mad skill @ reinventing the wheel.

Retrieved from "http://doc.pfsense.org/index.php/PPTP_VPN"
Categories: Documentation | VPN | PPTP


This page was last modified on 22 April 2010, at 17:47. This page has been accessed 48,828 times.
