# PPTP VPN server on FreeBSD.



## icinemagr (Jul 2, 2022)

I have created a PPTP VPN server on my VPS at Hetzner with mpd5.

Android phone is connecting with mobile data on
Android phone through my Wi-Fi at home: Error 619
Laptop Windows 7 from Wi-Fi: Error 619
Laptop Windows Server 2008 R2 from Wi-Fi: Error 619
Desktop PC (behind FreeBSD gateway): Error 619

I tried from a server in Hetzner and I connected fine to my VPN server.


Here is my /etc/ppp/mpd.conf:

*UPDATE: I changed the router and everything works, so the problem is the ASUS VG router.*


```
PPTP_SERVER:

    set ippool add pool1 10.0.1.100 10.0.1.200
    create bundle template B
    set iface enable proxy-arp
    set iface route default
    set iface enable netflow-in
    set iface enable netflow-out
    set iface enable ipacct
    set ipcp nbns 10.0.1.20
    set iface idle 1800
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges  10.0.1.1/32 ippool pool1
    set ipcp dns 8.8.8.8
    set ipcp dns 8.8.4.4
    set iface enable nat
  
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless

  
    create link template L pptp
    set link action bundle B
    set link enable multilink
    set link yes acfcomp protocomp
    set link enable multilink
  
    set link enable acfcomp protocomp
    set link accept acfcomp protocomp
    set link yes acfcomp protocomp

    set link no pap eap

    set link enable chap
    set link accept chap
    set link enable chap-msv2
    set link accept chap-msv2
    set auth authname mel
    set link enable no-orig-auth
  

    set pptp self 0.0.0.0
    set link type pptp
    set link keep-alive 0 0
    set pptp disable dataseq
    set link mtu 1460
    set link enable incoming
```


Anyone to help me?


----------



## VladiBG (Jul 2, 2022)

PPTP requires your ISP to allow protocol 47, which is not always the case, as most routers don't allow PPTP passthrough by default. That's why when you connect from some public place you can't connect using PPTP VPN. It's better to use OpenVPN or some other SSL-based VPN.
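
The failure mode described above, as an added example that is not part of the original post: PPTP's control channel is TCP port 1723, while the tunnelled data travels as enhanced GRE (IP protocol 47), so a NAT device can pass the first and drop the second. The addresses, packet builders and function names are constructed for illustration; the classifier assumes raw IPv4 packets captured on the client side.

```python
import socket
import struct

CLIENT, SERVER = "192.0.2.10", "203.0.113.5"  # constructed documentation addresses

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header; only the ports matter for this check."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def gre_pptp(call_id):
    """Enhanced GRE header as used by PPTP: key bit set, version 1, type 0x880B."""
    return struct.pack("!HHHH", 0x2001, 0x880B, 0, call_id)

def classify(pkt):
    """Return (kind, direction) for PPTP-relevant packets, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    direction = {(CLIENT, SERVER): "c2s", (SERVER, CLIENT): "s2c"}.get((src, dst))
    body = pkt[ihl:]
    if direction is None or len(body) < 4:
        return None
    if pkt[9] == 6 and 1723 in struct.unpack("!HH", body[:4]):
        return ("control", direction)
    if pkt[9] == 47:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x7 == 1 and ptype == 0x880B:
            return ("gre", direction)
    return None

def diagnose(packets):
    """Summarise which half of the PPTP session is visible in a capture."""
    seen = {classify(p) for p in packets} - {None}
    if not {("control", "c2s"), ("control", "s2c")} <= seen:
        return "control channel (TCP 1723) not established"
    missing = [d for d in ("c2s", "s2c") if ("gre", d) not in seen]
    if missing:
        return "TCP 1723 up, GRE (protocol 47) missing: " + ",".join(missing)
    return "control and GRE seen in both directions"

# Constructed captures: GRE replies from the server never reach the client in BLOCKED.
CONTROL = [ipv4(CLIENT, SERVER, 6, tcp(50000, 1723)), ipv4(SERVER, CLIENT, 6, tcp(1723, 50000))]
BLOCKED = CONTROL + [ipv4(CLIENT, SERVER, 47, gre_pptp(1))]
WORKING = BLOCKED + [ipv4(SERVER, CLIENT, 47, gre_pptp(2))]

if __name__ == "__main__":
    print(diagnose(BLOCKED))
    print(diagnose(WORKING))
```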


----------



## diizzy (Jul 2, 2022)

PPTP is considered insecure and you should really consider using something else


----------



## icinemagr (Jul 2, 2022)

VladiBG said:


> PPTP requires your ISP to allow protocol 47, which is not always the case, as most routers don't allow PPTP passthrough by default. That's why when you connect from some public place you can't connect using PPTP VPN. It's better to use OpenVPN or some other SSL-based VPN.


No, this is not the case, because I have also set up 3 VPN servers with CentOS 7 and they work fine.


----------



## icinemagr (Jul 2, 2022)

diizzy said:


> PPTP is considered insecure and you should really consider using something else


Security is not my point. I have also set up L2TP on the same box and it works fine.
I just want to get the VPS external IP with minimal speed loss, so PPTP is the faster way, I think.

All I want is to keep a connection with the server and have an internal IP for communications.


----------



## diizzy (Jul 2, 2022)

Use anything SSL-based as VladiBG suggests, it'll save you a lot of trouble. WireGuard will most likely do line speed on your devices unless you have very old and slow hardware. It's noticeably faster than OpenVPN, but you have DCO support in -CURRENT if you feel adventurous.


----------



## icinemagr (Jul 2, 2022)

diizzy said:


> Use anything SSL-based as VladiBG suggests, it'll save you a lot of trouble. WireGuard will most likely do line speed on your devices unless you have very old and slow hardware. It's noticeably faster than OpenVPN, but you have DCO support in -CURRENT if you feel adventurous.


As I said, I only care about speed, and as I updated in my question, the problem is with my router, *ASUS DSL-AC87VG*.


----------



## VladiBG (Jul 2, 2022)

Page 70 in your router manual:

https://dlcdnets.asus.com/pub/ASUS/wireless/DSL-AC87VG/E11833_DSL_AC87VG_Manual.pdf


----------



## icinemagr (Jul 2, 2022)

VladiBG said:


> Page 70 in your router manual
> 
> 
> https://dlcdnets.asus.com/pub/ASUS/wireless/DSL-AC87VG/E11833_DSL_AC87VG_Manual.pdf


All my NAT passthrough settings are ON. Before switching them on I could not even telnet to port 1723.
I searched all pages in my router console, no luck. Thanks.


----------



## zirias@ (Jul 2, 2022)

icinemagr said:


> Security is not my point


Then just forget the VPN and directly expose the services you need from "the outside"?

Seriously, if security is not the point, a VPN is moot.


----------



## icinemagr (Jul 2, 2022)

Zirias said:


> Then just forget the VPN and directly expose the services you need from "the outside"?
> 
> Seriously, if security is not the point, a VPN is moot.


Well, I need a connection with a local IP from the server to my PC.
Also, I need the maximum speed I can have, so encryption is not the point here.
So what are the options?


----------



## zirias@ (Jul 2, 2022)

icinemagr said:


> Well, I need a connection with a local IP from the server to my PC.


So, you need to restrict this access to yourself? Then, security _is_ an important point.

Otherwise, just publicly expose that host (probably using NAT if on IPv4).

Edit: As already mentioned, for best VPN speed while still offering decent security, wireguard is said to work fine. Can't add my own experience, I'm still fine with OpenVPN and won't change it unless there's a real need for me…


----------



## icinemagr (Jul 2, 2022)

Zirias said:


> So, you need to restrict this access to yourself? Then, security _is_ an important point.
> 
> Otherwise, just publicly expose that host (probably using NAT if on IPv4).
> 
> Edit: As already mentioned, for best VPN speed while still offering decent security, wireguard is said to work fine. Can't add my own experience, I'm still fine with OpenVPN and won't change it unless there's a real need for me…


And as I said, I have already set up an L2TP VPN on this box and it worked fine from all devices.
OpenVPN is not an option.


----------



## zirias@ (Jul 2, 2022)

Starts to sound like an XY-problem to me. So you have another working VPN? I'd suggest you describe the problem in depth that you _think_ you'd solve using another VPN.


----------



## icinemagr (Jul 2, 2022)

Zirias said:


> Starts to sound like an XY-problem to me. So you have another working VPN? I'd suggest you describe the problem in depth that you _think_ you'd solve using another VPN.


L2TP connection (ADSL): speed 15 Mbps
PPTP connection (ADSL): speed 33 Mbps

Finally, the problem was the gateway FreeBSD box in my home. The router is fine.
For an unknown reason I can connect through L2TP to my server but not through PPTP.


----------



## zirias@ (Jul 2, 2022)

So, you want to _replace_ your existing VPN? Then, again, either security *is* a concern (then try wireguard), or it isn't (then expose whatever services you need directly, without a VPN). PPTP is more or less useless.


----------



## icinemagr (Jul 3, 2022)

Zirias said:


> So, you want to _replace_ your existing VPN? Then, again, either security *is* a concern (then try wireguard), or it isn't (then expose whatever services you need directly, without a VPN). PPTP is more or less useless.











As you can see, I have 3 options:

1st option is to use PPTP with my router (so all my house will be under VPN) (works fine).
2nd is to use L2TP, but ASUS forgot to add an option for a preshared key, so no way to connect.
3rd option is to use OpenVPN, but history has taught me to never use 3rd party apps; look at Viber and its supposed cryptography.
So the only real option I have to connect is PPTP, and I hope this answers all your questions about the reason I use PPTP.


----------



## zirias@ (Jul 3, 2022)

icinemagr said:


> 3rd option is to use OpenVPN, but history has taught me to never use 3rd party apps; look at Viber and its supposed cryptography.


OpenVPN is proven and secure. It just isn't as fast as it could be.


icinemagr said:


> the only real option I have to connect is PPTP, and I hope this answers all your questions about the reason I use PPTP.


PPTP is proven to be insecure. If it's insecure, you could just as well use no VPN at all. Not really a question, it just doesn't make sense to use PPTP nowadays.

But there would be a question indeed: Why do you have to implement the VPN on your router? Can't you just either leave it out or configure it to forward packages as needed to your FreeBSD host?


----------



## icinemagr (Jul 3, 2022)

Zirias said:


> PPTP is proven to be insecure. If it's insecure, you could just as well use no VPN at all. Not really a question, it just doesn't make sense to use PPTP nowadays.


It is not the same.

I have a static IP all the time in my house without paying the ISP the 50 euros per month it is asking of me.


----------



## zirias@ (Jul 3, 2022)

Not sure I understand this correctly: So your use case for a VPN is to have a static IPv4 address?

If so, you can just leverage dynamically updated DNS to have a static _name_ instead. VPN really seems overkill if that's the only reason.


----------



## icinemagr (Jul 3, 2022)

Zirias said:


> Not sure I understand this correctly: So your use case for a VPN is to have a static IPv4 address?
> 
> If so, you can just leverage dynamically updated DNS to have a static _name_ instead. VPN really seems overkill if that's the only reason.


It is not the reason, it is one of the reasons.


----------



## zirias@ (Jul 3, 2022)

Ok just to get it straight one time...

The raison d'être of a VPN is that it offers a _private_ network in a _virtual_ (on top of public network infrastructure) way. This can only be achieved if it is _secure_ (offering confidential communication and reliable authentication). One key component for that is strong encryption.

So, if you don't need that ... and the need for a known address can be achieved by a dynamically updated DNS name ... why would you want a VPN?

Do whatever you like, I won't ask more questions  – just want to make sure you really think about requirements and how they make sense...


----------



## icinemagr (Jul 3, 2022)

Zirias said:


> Ok just to get it straight one time...
> 
> The raison d'être of a VPN is that it offers a _private_ network in a _virtual_ (on top of public network infrastructure) way. This can only be achieved if it is _secure_ (offering confidential communication and reliable authentication). One key component for that is strong encryption.
> 
> ...


So I have to rely on DDNS for my services, and pray for it to be up all the time? And what happens in the meantime, before dynamic DNS refreshes, these 1-10 seconds?
Some visitors will not be able to place an order or whatever.
So I am fine with the VPN; as for security, it's much, much better than a plain connection.


----------



## zirias@ (Jul 3, 2022)

icinemagr said:


> So I have to rely on DDNS for my services, and pray for it to be up all the time? And what happens in the meantime, before dynamic DNS refreshes, these 1-10 seconds?
> Some visitors will not be able to place an order or whatever.



VPNs need time to reconnect as well, although (just like DNS updates) most likely never 10 seconds.
Basing a business on a dial-up connection. Seriously? 



icinemagr said:


> So I am fine with the VPN; as for security, it's much, much better than a plain connection.


Sure, for a VPN that works (aka is secure). Not for PPTP.


----------



## icinemagr (Jul 4, 2022)

Zirias said:


> VPNs need time to reconnect as well, although (just like DNS updates) most likely never 10 seconds.
> Basing a business on a dial-up connection. Seriously?
> 
> Sure, for a VPN that works (aka is secure). Not for PPTP.


Well, as I can see, PPTP still exists on FreeBSD and many other OSes, so there should be a reason for that, eh?


----------



## zirias@ (Jul 4, 2022)

Please tell me the reason, gets(3) (which was removed decades after everyone knew _any_ usage is a security hole) still exists in certain C libs.

So much for _that_ reasoning.


----------

