# PopTop / MPD5



## NuLL3rr0r (Jun 22, 2010)

Hi Folsk,

I want to run a PPTP VPN Server. I choose PopTop (since it seems simple to me), I've already tried MPD5 too. But with 

MPD5 I've got 800 error.


Now when I connect to my FreeBSD BoX using a Windows VPN client I've got this:


```
3rr0r# tail -f /var/log/messages
Jun 22 18:29:05 3rr0r ppp[28526]: Warning: Label /usr/local/etc/ppp/options.pptpd rejected
 -direct connection: Configuration label not found
Jun 22 18:29:05 3rr0r pptpd[28525]: GRE: read(fd=7,buffer=80589c0,len=8196) from PTY
 failed: status = 0 error = No error
Jun 22 18:29:05 3rr0r pptpd[28525]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)


3rr0r# tail -f /var/log/ppp.log
Jun 22 18:29:05 3rr0r ppp[28526]: Warning: Label /usr/local/etc/ppp/options.pptpd rejected
 -direct connection: Configuration label not found
```


And I've got 619 error on client side.


I'm already googling for days and found so many solutions for

```
Warning: Label /usr/local/etc/ppp/options.pptpd rejected -direct connection: Configuration label not found
```

But none of 'em works for me.

Also


```
[url=http://poptop.sourceforge.net/dox/qna.html#23]http://poptop.sourceforge.net/dox/qna.html#23[/URL]

Q. GRE: read(fd=5,buffer=804d720,len=8196) from PTY failed: status = -1 error =
 Input/output error

A. The log will display something like this:

Jun 22 21:48:35 linuxbox pptpd[1900]: GRE: read(fd=5,buffer=804d720,len=8196) from PTY
 failed: status = -1 error = Input/output error
Jun 22 21:48:35 linuxbox pptpd[1900]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)

An EIO on read from the PTY is caused when pppd has failed and closed the PTY. pppd failed
 for some reason. pptpd does not report why pppd failed. pptpd not reporting why pppd failed is a
 bug, but it is not yet	 fixed.
You should look at why pppd failed, which is most likely your fault, not a bug. pppd fails
 when it does not understand the options you entered, or when it could not negotiate with the peer.
 Running pppd manually against your options.pptpd file would find bad options. Adding "debug dump"
 to options.pptpd file will capture cause of negotiation failure.
```



I think there's something wrong with my configuration (since I've lack of knowledge in Network related stuffs). 


Here's my configuration:

 **  I'm not running any firewall.


```
3rr0r# ifconfig
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:89:4d:ad
        inet 91.194.91.7 netmask 0xffffff00 broadcast 91.194.91.255
        media: Ethernet autoselect
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
```

As you can see 91.194.91.7 is my only private IP that is in use with my LAN.


   /usr/local/etc/pptpd.conf

```
option /etc/ppp/options.pptpd
noipparam
logwtmp


#localip 192.168.1.1
#remoteip 192.168.1.234-238,192.168.1.245
localip 91.194.91.7
remoteip 91.194.91.10-20
```

I've tried both 192.168.1.1 and 91.194.91.7.


   /etc/ppp/options.pptpd

```
name pptpd

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

ms-dns 8.8.4.4
ms-dns 8.8.8.8

proxyarp
debug
dump
lock
novj
novjccomp
nologfd
```


   /etc/ppp/chap-secrets

```
# client        server  secret          IP addresses
myUsername       *   myPassword        *
```



   /etc/rc.conf

```
gateway_enable="YES"
arpproxy_all="YES"
pptpd_enable="YES"
```



I've done everything possible but still cannot connect to my FreeBSD VPS.

Do I must use nat/dhcp?? (If its, how?)
I am wrong about local and remote IP addresses or dnses? (how to assign IP ranges ro DNS)
Is there anything else that I forget to mention?



Any help would be appreciated.


----------



## kisscool-fr (Jun 23, 2010)

Can you comment in your /usr/local/etc/pptpd.conf the first line to have something like this 
	
	



```
#option /etc/ppp/options.pptpd
noipparam
logwtmp
...
```

It should fix the label rejected.


Your vpn user accounts should be located in the /etc/ppp/ppp.secret file. It should look like this :


```
username password * (* is for any ip address)
username2 password2 12.34.56.78 (if you want to always assign the same adresse to a user)
```


----------



## NuLL3rr0r (Jun 24, 2010)

@kisscool-fr

Thank you for your answer.

I comment out *option /etc/ppp/options.pptpd* but the error message just a little changed.


```
Jun 24 12:04:22 3rr0r ppp[41275]: Warning: Label pptp rejected -direct connection:
 Configuration label not found
```


And I created */etc/ppp/ppp.secret* as you said 

```
username password *
```


But still error remains:

Without *option /etc/ppp/options.pptpd* with */etc/ppp/ppp.secret*

```
Jun 24 12:14:54 3rr0r ppp[41343]: Warning: Label pptp rejected -direct connection: 
Configuration label not found
Jun 24 12:14:54 3rr0r pptpd[41342]: GRE: read(fd=7,buffer=80589c0,len=8196) from PTY
 failed: status = 0 error = No error
Jun 24 12:14:54 3rr0r pptpd[41342]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
```


With *option /etc/ppp/options.pptpd* with */etc/ppp/ppp.secret*

```
Jun 24 12:16:29 3rr0r ppp[41369]: Warning: Label /etc/ppp/options.pptpd rejected -direct
 connection: Configuration label not found
Jun 24 12:16:29 3rr0r pptpd[41368]: GRE: read(fd=7,buffer=80589c0,len=8196) from PTY
 failed: status = 0 error = No error
Jun 24 12:16:29 3rr0r pptpd[41368]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
```


What about IP's as I mentioned above

```
#localip 192.168.1.1
#remoteip 192.168.1.234-238,192.168.1.245
localip 91.194.91.7
remoteip 91.194.91.10-20
```

Maybe something wrongs with these IP configuration...


----------



## kisscool-fr (Jun 24, 2010)

My /usr/local/etc/pptpd.conf looks like this :


```
debug
stimeout 10
noipparam
remoteip 192.168.3.45-60
listen 12.34.56.78
```

I don't have localip because I allocate to my clients a range of addresses from my work lan not a separate lan. But from what i read, localip can't be the same address that is assigned to your physical if.


I don't see anywhere your /etc/ppp/ppp.conf. What do you have in this file ?


And what are those *3rr0r*'s i see in your logs ?


Where did you get 91.194.91.7 ? Is it the address from your isp ? And the range 91.194.91.10-20, is your isp allocating it to you ?


----------



## NuLL3rr0r (Jun 25, 2010)

First of all thank you for the answer.



> And what are those 3rr0r's i see in your logs ?


That's the machine name :e



> Where did you get 91.194.91.7 ? Is it the address from your isp ? And the range 91.194.91.10-20, is your isp allocating it to you ?



Well, as I mentioned my knowledge about networking is nearly ZERO :e

91.194.91.7 is my VPS IP in Germany. And I'm in Iran. My government has Internet censorship policy. They banned nearly 70% of websites. They said we just banned P0rnography websites. But so many of 'em are not P0rn, Political or etc.

For example here is a page about C++/CGI programming but I can't access it except using using Web Proxies, JAP/JonDo, etc (They are all too slow).

```
http://www.cs.tut.fi/~jkorpela/forms/cgic.html I 
Facebook, Twitter, Youtube are also banned.
```

Down here is still life and
I'm still lucky they didn't banned freebsd.org.

This is crucial to me.



91.194.91.7 is a FreeBSD VPS with a single lan in Germany in a datacenter.
91.194.91.7 is the VPS lan IP.
I'm in Iran and I want to connect to this VPS using VPN from home with an ADSL connection.

I didn't know that I must use 91.194.91.10-20 or 192.168.1.10-20. Or What dns should I use for ms-dns in */etc/ppp/options.pptpd*.
It's complicated to me (I'm a programmer not a network expert).


As you can see I comment out 192.168.1.1 and 192.168.1.234-238,192.168.1.245 because I'm not sure.

   /usr/local/etc/pptpd.conf

```
#localip 192.168.1.1
#remoteip 192.168.1.234-238,192.168.1.245
localip 91.194.91.7
remoteip 91.194.91.10-20
```

I already enabled debug dump in */etc/ppp/options.pptpd*;


I never changed anything in */etc/ppp/ppp.conf*

  ** /etc/ppp/ppp.conf

```
#################################################################
# PPP  Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.11.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#################################################################

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 # Ensure that "device" references the correct serial port
 # for your modem. (cuau0 = COM1, cuau1 = COM2)
 #
 set device /dev/cuau1

 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 #
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #

 set phone PHONE_NUM
 set authname USERNAME
 set authkey PASSWORD

 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route
```


I'll be very appreciated for your solution.


----------



## kisscool-fr (Jun 25, 2010)

We won't talk about the political aspect here, just the technical. 




			
				NuLL3rr0r said:
			
		

> That's the machine name :e



You're right, forgot about that.




			
				NuLL3rr0r said:
			
		

> As you can see I comment out 192.168.1.1 and 192.168.1.234-238,192.168.1.245 because I'm not sure.



If you're not sure what you're doing, just leave the defaults !




			
				NuLL3rr0r said:
			
		

> /usr/local/etc/pptpd.conf
> 
> ```
> #localip 192.168.1.1
> ...




```
localip 192.168.1.1
remoteip 192.168.1.234-238
```




			
				NuLL3rr0r said:
			
		

> I already enabled debug dump in */etc/ppp/options.pptpd*;



Don't care about this file !




			
				NuLL3rr0r said:
			
		

> I never changed anything in */etc/ppp/ppp.conf*



Backup it and put this in this file :


```
pptp:
 set escape 0xff
 set device localhost:pptp
 set dial
 set timeout 30
 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun command
 set ifaddr 192.168.1.1 192.168.1.234-192.168.1.238 255.255.255.255

 set mppe 128 stateful
 enable MSCHAPv2
 disable deflate pred1
```


----------



## NuLL3rr0r (Jun 25, 2010)

```
We won't talk about the political aspect here, just the technical.
```
I'm a little bit political person. That's my mistake, pardon me. 


```
Quote:
Originally Posted by NuLL3rr0r  
I already enabled debug dump in /etc/ppp/options.pptpd;
Don't care about this file !
```

As you mentioned I throw away */etc/ppp/options.pptpd* and totally removed that.
Also, As you said */etc/ppp/ppp.secret* is the right place to put the authentication data, not  */etc/ppp/chap-secrets*.


// /usr/local/etc/pptpd.conf

```
Code:
localip 192.168.1.1
remoteip 192.168.1.234-238
```

// /etc/ppp/ppp.conf

```
Backup it and put this in this file :

Code:
pptp:
 set escape 0xff
 set device localhost:pptp
 set dial
 set timeout 30
 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun command
 set ifaddr 192.168.1.1 192.168.1.234-192.168.1.238 255.255.255.255

 set mppe 128 stateful
 enable MSCHAPv2
 disable deflate pred1
```


OH THANKS MAN!!!!!!! You're my savior. You Ro0ock!!
After days and days finally it's connected now. I'm very Happy.


But when I type freebsd.org in my browser it says Connecting... and I have no browsing.


```
C:\>ping freebsd.org

Pinging freebsd.org [69.147.83.40] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 69.147.83.40:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```




```
C:\>ipconfig /all

Windows IP Configuration

.
.
.

PPP adapter bsd:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : bsd
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d08a:af74:8fc7:a6da%31(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.235(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DHCPv6 IAID . . . . . . . . . . . : 529667360
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-AF-88-5F-00-1D-BA-89-C0-BB

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

.
.
.
```

As you can see I have no Gateway....?????



```
# tail -f /var/log/messages

Jun 25 07:55:04 3rr0r kernel: tun0: link state changed to UP
Jun 25 07:55:05 3rr0r pptpd[45331]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
```


----------



## NuLL3rr0r (Jun 25, 2010)

I also forget to mention,  that I have:

  /etc/rc.conf

```
gateway_enable="YES"
arpproxy_all="YES"
pptpd_enable="YES"
```


----------



## kisscool-fr (Jun 25, 2010)

Not sure it is necessary in your case, but forgot one line in the /etc/ppp/ppp.conf file.


```
...
enable proxyall
```



			
				NuLL3rr0r said:
			
		

> But when I type freebsd.org in my browser it says Connecting... and I have no browsing.
> 
> 
> ```
> ...




Do you have nat enabled in your freebsd box ?


----------



## NuLL3rr0r (Jun 25, 2010)

```
Do you have nat enabled in your freebsd box ?
```

How do I enable NAT??


I saw somewhere they enabled NAT in Linux using iptables.
But I didn't know how to do it in FreeBSD.


----------



## kisscool-fr (Jun 25, 2010)

Search in the handbook how to enable nat.


----------



## NuLL3rr0r (Jun 25, 2010)

I also did

```
3rr0r# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
3rr0r# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
```

But still nothing...


----------



## NuLL3rr0r (Jun 25, 2010)

```
Search in the handbook how to enable nat.
```

Thanks
I found this one

```
http://www.freebsd.org/doc/en/books/handbook/network-natd.html
```
and

```
http://vas99.tripod.com/natd.html
```

I'm going to try it and postback here.


----------



## kisscool-fr (Jun 25, 2010)

Take a look a this one http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/


----------



## NuLL3rr0r (Jun 25, 2010)

Ha!! Finally works.

Instead of pf I decide to use IPFW since pf requires building custom kernels.


  /boot/loader.conf

```
ipfw_load="YES"
ipdivert_load="YES"
net.inet.ip.fw.default_to_accept="1"
net.inet.ip.forwarding=1
```


  /etc/rc.conf

```
gateway_enable="YES"
arpproxy_all="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
natd_enable="YES"
natd_interface="le0"
natd_flags="-redirect_port tcp 91.194.91.7:1723 1723"
# This works too:
#natd_flags=""
pptpd_enable="YES"
```


Having these rules in rc.firewall is not necessary for me, but I just add them for safety (To be sure that works).

   /etc/rc.firewall

```
# 91.194.91.1 is vps gateway
ipfw add allow tcp from any to 91.194.91.1 1723
ipfw add allow tcp from 91.194.91.1 1723 to any
ipfw add allow gre from any to 91.194.91.1 1723
ipfw add allow gre from 91.194.91.1 1723 to any
# 47 is GRE, just an alternative
#ipfw add allow 47 from any to 91.194.91.1 1723
#ipfw add allow 47 from 91.194.91.1 1723 to any
```


```
3rr0r# /etc/rc.d/ipfw restart
net.inet.ip.fw.enable: 1 -> 0
Stopping natd.
Waiting for PIDS: 2185, 2185, 2185, 2185, 2185.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00050 divert 8668 ip4 from any to any via le0
65000 allow ip from any to any
65100 allow tcp from any to 91.194.91.1 dst-port 1723
65200 allow tcp from 91.194.91.1 1723 to any
65300 allow gre from any to 91.194.91.1 dst-port 1723
65400 allow gre from 91.194.91.1 1723 to any
Firewall rules loaded.
Firewall logging enabled.


3rr0r# tail -f /var/log/messages
Jun 25 20:57:01 3rr0r kernel: tun0: link state changed to UP
Jun 25 20:57:01 3rr0r pptpd[2338]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
```


*Thank you so much, you are so kind. Without your help it can't be done.* 

I'm not sure my configuration has any security risks or not, but it just works for now.


----------



## DutchDaemon (Jun 26, 2010)

NuLL3rr0r said:
			
		

> Instead of pf I decide to use IPFW since pf requires building custom kernels.



What gave you that idea? A custom kernel is only needed for ALTQ. All other pf functions are handled by a generic kernel, or by the pf kld.


----------



## NuLL3rr0r (Jun 26, 2010)

> Quote:
> Originally Posted by NuLL3rr0r
> Instead of pf I decide to use IPFW since pf requires building custom kernels.
> 
> What gave you that idea? A custom kernel is only needed for ALTQ. All other pf functions are handled by a generic kernel, or by the pf kld.



Thank you for correcting me. But when I saw http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html, I thought I need to build custom kernels. The miss conception is I thought I need ALTQ for doing NAT using pf.


```
/etc/rc.d/pf start
pfctl: /dev/pf: No such file or directory
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
.
```

However pf enabled now. Well if there is no need to build custom kernels for doing NAT using pf,  I'm going to try it as well.


----------



## DutchDaemon (Jun 27, 2010)

The ALTQ message when invoking pfctl is annoying a lot of people, but, indeed, it's not needed for anything but traffic shaping.


----------



## NuLL3rr0r (Jul 5, 2010)

Hi again,

Sorry for disturbing you guys too much.

I have two little questions:

1.
My ISP does not resolve facebook.com (because it's banned by them), I searched for some public DNSes and found this: *Free Fast Public DNS Servers List*, I used OpenDNS service, then everything works just fine.

But sometimes the performance get sucks and my browsing/downloading speed is about 2-3 KB/S (As I said not all the time).

Is this because I'm not using my ISP's DNSes. Is this related? Does this really matters?

I found this *Google Public DNS vs OpenDNS vs Your ISPâ€™s DNS â€“ measuring performance *

I thought these DNS stuff related to page-load performance, Is pinging to DNS address a good way to measure performance?

2.
My final configuration in /etc/ppp/ppp.conf is:

```
pptp:
 set escape 0xff
 set device localhost:pptp
 set dial
 set timeout 0
 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun command
 set ifaddr 192.168.1.1 192.168.1.234-192.168.1.238 255.255.255.255

 set mppe 128 stateful
 enable MSCHAPv2
 disable deflate pred1
 deny deflate pred1
 enable proxyall

 accept dns
 set dns 208.67.222.222 208.67.220.220
```

Is this (the problem mentioned in question 1) because PopTop sucks in performance?? Or my configuration sucks (and theres nothing to do with DNS or PopTop)? Is there anyway to get better performance?


----------



## NuLL3rr0r (Jul 5, 2010)

3.
Another thing forget to mention, does pf/ipfw slow things down?? is there any traffic shaping options turned on by default??


----------

