# VPN by mpd5 from VPS



## Vovas (Sep 11, 2019)

Hi folks!
I've installed mpd5 on a VPS with a FreeBSD 12 box.
`ifconfig`

```
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 52:54:00:c9:7e:b4
        inet 21.22.11.14 netmask 0xffffff00 broadcast 212.224.112.255
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
`cat /usr/local/etc/mpd5/mpd.conf`

```
startup:
        set user foo bar admin
        set user foo1 bar1
        set console self 127.0.0.1 5005
        set console open
        set web self 127.0.0.1 5006
        set web open
default:
        load pptp_server
pptp_server:
        set ippool add pool1 192.168.1.50 192.168.1.99
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 192.168.1.1/32 ippool pool1
        set ipcp dns 192.168.1.1
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        create link template L pptp
        set link action bundle B
        #set link accept chap-msv2
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link mtu 1460
        set pptp self 21.22.11.14
        set link enable incoming
```
Tried to connect several times, but no success.
`% tail -f /var/log/mpd.log`

```
Sep 11 23:05:14 proxy mpd[909]: [L-1] Accepting PPTP connection
Sep 11 23:05:14 proxy mpd[909]: [L-1] Link: OPEN event
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: Open event
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: state change Initial --> Starting
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: LayerStart
Sep 11 23:05:14 proxy mpd[909]: [L-1] PPTP: attaching to peer's outgoing call
Sep 11 23:05:14 proxy mpd[909]: [L-1] Link: UP event
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: Up event
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: state change Starting --> Req-Sent
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: SendConfigReq #1
Sep 11 23:05:14 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:14 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:14 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:14 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:14 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:14 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:14 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:14 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:16 proxy mpd[909]: [L-1] LCP: SendConfigReq #2
Sep 11 23:05:16 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:16 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:16 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:16 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:16 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:16 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:16 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:16 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:18 proxy mpd[909]: [L-1] LCP: SendConfigReq #3
Sep 11 23:05:18 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:18 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:18 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:18 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:18 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:18 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:18 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:18 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:20 proxy mpd[909]: [L-1] LCP: SendConfigReq #4
Sep 11 23:05:20 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:20 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:20 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:20 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:20 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:20 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:20 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:20 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:22 proxy mpd[909]: [L-1] LCP: SendConfigReq #5
Sep 11 23:05:22 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:22 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:22 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:22 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:22 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:22 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:22 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:22 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:24 proxy mpd[909]: [L-1] LCP: SendConfigReq #6
Sep 11 23:05:24 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:24 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:24 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:24 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:24 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:24 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:24 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:24 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:26 proxy mpd[909]: [L-1] LCP: SendConfigReq #7
Sep 11 23:05:26 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:26 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:26 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:26 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:26 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:26 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:26 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:26 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:28 proxy mpd[909]: [L-1] LCP: SendConfigReq #8
Sep 11 23:05:28 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:28 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:28 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:28 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:28 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:28 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:28 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:28 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:30 proxy mpd[909]: [L-1] LCP: SendConfigReq #9
Sep 11 23:05:30 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:30 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:30 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:30 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:30 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:30 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:30 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:30 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:32 proxy mpd[909]: [L-1] LCP: SendConfigReq #10
Sep 11 23:05:32 proxy mpd[909]: [L-1]   ACFCOMP
Sep 11 23:05:32 proxy mpd[909]: [L-1]   PROTOCOMP
Sep 11 23:05:32 proxy mpd[909]: [L-1]   MRU 1500
Sep 11 23:05:32 proxy mpd[909]: [L-1]   MAGICNUM 0xcbf3eea2
Sep 11 23:05:32 proxy mpd[909]: [L-1]   AUTHPROTO CHAP MSOFTv2
Sep 11 23:05:32 proxy mpd[909]: [L-1]   MP MRRU 2048
Sep 11 23:05:32 proxy mpd[909]: [L-1]   MP SHORTSEQ
Sep 11 23:05:32 proxy mpd[909]: [L-1]   ENDPOINTDISC [802.1] 52 54 00 c9 7e b4
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: parameter negotiation failed
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: state change Req-Sent --> Stopped
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: LayerFinish
Sep 11 23:05:34 proxy mpd[909]: [L-1] PPTP call terminated
Sep 11 23:05:34 proxy mpd[909]: [L-1] Link: DOWN event
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: Close event
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: state change Stopped --> Closed
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: Down event
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: state change Closed --> Initial
Sep 11 23:05:34 proxy mpd[909]: [L-1] Link: SHUTDOWN event
Sep 11 23:05:34 proxy mpd[909]: [L-1] Link: Shutdown
```
What's wrong?
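An added triage script, not part of the thread, that classifies the LCP events in an mpd.log excerpt shaped like the one above: repeated `SendConfigReq` lines with nothing received before `parameter negotiation failed` means the peer's LCP packets never reached mpd, which points at the GRE data path rather than at the PPP options. The `rec'd` token used for received LCP packets is an assumption about mpd's FSM logging, since the log above contains no such line.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the mpd.log shown above (a few
# representative lines, not a copy of the whole log).
SAMPLE_LOG = """\
Sep 11 23:05:14 proxy mpd[909]: [L-1] Accepting PPTP connection
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: state change Starting --> Req-Sent
Sep 11 23:05:14 proxy mpd[909]: [L-1] LCP: SendConfigReq #1
Sep 11 23:05:16 proxy mpd[909]: [L-1] LCP: SendConfigReq #2
Sep 11 23:05:18 proxy mpd[909]: [L-1] LCP: SendConfigReq #3
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: parameter negotiation failed
Sep 11 23:05:34 proxy mpd[909]: [L-1] LCP: state change Req-Sent --> Stopped
Sep 11 23:05:34 proxy mpd[909]: [L-1] PPTP call terminated
"""

# Link name in brackets, then the rest of the message.
LINE_RE = re.compile(r"mpd\[\d+\]: \[(?P<link>[^\]]+)\] (?P<msg>.*)$")


def triage_lcp(log_text):
    """Return (per-link counters, per-link verdict).

    'peer never answered' (no received LCP at all) is separated from
    'peer answered but options were rejected', because the first is a
    transport problem (GRE not arriving) and the second a PPP one.
    """
    per_link = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = per_link.setdefault(m["link"], Counter())
        msg = m["msg"]
        if "SendConfigReq" in msg:
            c["sent_req"] += 1
        elif "rec'd" in msg:  # assumed token for received LCP packets
            c["received"] += 1
        elif "parameter negotiation failed" in msg:
            c["failed"] += 1
    verdicts = {}
    for link, c in per_link.items():
        if c["failed"] and c["received"] == 0:
            verdicts[link] = "no LCP reply from peer: GRE (IP proto 47) is not reaching mpd, check firewall/NAT"
        elif c["failed"]:
            verdicts[link] = "peer answered but LCP options were not agreed: compare link/auth options on both ends"
        else:
            verdicts[link] = "LCP did not fail in this excerpt"
    return per_link, verdicts
```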


----------



## Lamia (Sep 12, 2019)

Are you aware that OpenVPN is strongly advised over MPD5? I spent days on it last week. I could telnet into it but had no access to the Internet. I dropped it owing to that recommendation.


----------



## SirDice (Sep 12, 2019)

Keep in mind that PPTP isn't encrypted. So it may not be the best option for a VPN connection. OpenVPN is encrypted and relatively easy to set up. A more complex way is to use IPSec with security/strongswan. That's definitely trickier to set up, especially if you've never set up an IPSec tunnel before.


```
root@maelcum:~ # swanctl --list-conn
gw-gw: IKEv2, no reauthentication, rekeying every 14400s
  local:  A.A.A.A
  remote: B.B.B.B
  local pre-shared key authentication:
    id: home.example.com
  remote pre-shared key authentication:
    id: server.example.com
  net-net: TUNNEL, rekeying every 3600s
    local:  192.168.10.0/24 192.168.11.0/24
    remote: 192.168.21.0/24
```


----------



## Vovas (Sep 12, 2019)

SirDice said:


> That's definitely trickier to set up, especially if you've never set up an IPSec tunnel before.


Thanks for the answer. But how can I configure it? I want to connect from a Windows 10 box to the VPN server. I don't need to connect two networks.
On the FreeBSD machine I have only one network interface, vtnet0, and only one IP address. It's located in another country.
My scheme:  Home PC--->FreeBSD VPN---->Internet


----------



## xtaz (Sep 12, 2019)

I thought PPTP was encrypted? But that the encryption and authentication are so weak that it can be cracked in minutes these days. Definitely not recommended either way.

Personally I use net/wireguard https://www.wireguard.com/ which is far easier to configure than OpenVPN and works wonderfully for me on FreeBSD, Windows 10, and my iPhone.


----------



## SirDice (Sep 13, 2019)

xtaz said:


> I thought PPTP was encrypted?


Nope. 


> The PPTP specification does not describe encryption or authentication features and relies on the Point-to-Point Protocol being tunneled to implement any and all security functionalities.
> 
> The PPTP implementation that ships with the Microsoft Windows product families implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack.

Point-to-Point Tunneling Protocol - Wikipedia (en.wikipedia.org)


----------



## obsigna (Sep 13, 2019)

SirDice said:


> Nope.
> 
> 
> 
> ...


After the 3rd paragraph, continue reading:


> The PPTP implementation that ships with the Microsoft Windows product families implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack.


Vovas stated he wants to connect using Windows 10 and this PPTP-VPN would be encrypted.


----------



## SirDice (Sep 13, 2019)

obsigna said:


> he wants to connect using Windows 10 and this PPTP-VPN would be encrypted.


To be honest I'm not so sure about that. It might be true for Windows to Windows (since both sides would use the Microsoft implementation) but this may not be the case for Windows to mpd. Mpd does support a few of the Microsoft _authentication_ schemes but this has nothing to do with encryption.

Reading the documentation (it's been a really long time since I last used mpd) there is _some_ encryption. It's off by default and the available encryption is rather poor and quite CPU hungry.


Encryption (ECP) layer


----------



## obsigna (Sep 13, 2019)

Vovas said:


> Hi folks!
> I've installed mpd5 on VPS with FreeBSD 12 box.
> `ifconfig`
> 
> ...



I am a bit rusty with PPTP, because I stopped using it more than 5 years ago in favour of L2TP/IPsec provided by the combo of net/mpd5 and security/strongswan, because of the various security flaws of PPTP which were revealed at that time.
Anyway, I remember vaguely that I needed on the server a valid end point which matches the ipcp ranges and its ippool. I have a few L2TP/IPsec VPN services running on AWS EC2 instances, and there I usually create the required local IP range for the VPN by aliasing it to the virtual network adapter. In your case, you want to try adding the following to your /etc/rc.conf:
`ifconfig_vtnet0_alias0="inet 192.168.1.1 netmask 255.255.255.0"`

Also it is very important that this IP range is different from the local IP range of the VPN client.

Finally, check your firewall rules, if any. The firewall must not block the GRE network protocol.
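An added consistency check, not from the thread, for the two addressing points raised above: the local end of `set ipcp ranges` must exist as an interface address on the server, and neither it nor the ippool may overlap the client's own LAN. The inputs are constructed from the OP's mpd.conf and ifconfig output; `IFCONFIG_AFTER` assumes the rc.conf alias above has been applied, and the client LAN values are made up.

```python
import re
import ipaddress

# Constructed inputs mirroring the OP's mpd.conf and ifconfig output.
MPD_CONF = """\
        set ippool add pool1 192.168.1.50 192.168.1.99
        set ipcp ranges 192.168.1.1/32 ippool pool1
"""
IFCONFIG_BEFORE = "        inet 21.22.11.14 netmask 0xffffff00 broadcast 212.224.112.255\n"
# Same output once the suggested vtnet0 alias is up (constructed).
IFCONFIG_AFTER = IFCONFIG_BEFORE + "        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255\n"

INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-f]+)", re.M)
POOL_RE = re.compile(r"set ippool add (\S+) (\S+) (\S+)")
RANGES_RE = re.compile(r"set ipcp ranges (\S+) ippool (\S+)")


def parse_interfaces(ifconfig_text):
    """IPv4 addresses (with prefix) found in ifconfig output; hex netmask -> prefix length."""
    nets = []
    for addr, mask in INET_RE.findall(ifconfig_text):
        prefix = bin(int(mask, 16)).count("1")
        nets.append(ipaddress.ip_interface(f"{addr}/{prefix}"))
    return nets


def check_ipcp(mpd_conf, ifconfig_text, client_lan):
    """Return a list of findings; an empty list means the IPCP addressing is consistent."""
    findings = []
    pools = {n: (ipaddress.ip_address(a), ipaddress.ip_address(b))
             for n, a, b in POOL_RE.findall(mpd_conf)}
    iface_addrs = {i.ip for i in parse_interfaces(ifconfig_text)}
    client = ipaddress.ip_network(client_lan, strict=False)
    for local, pool in RANGES_RE.findall(mpd_conf):
        local_ip = ipaddress.ip_interface(local).ip
        if local_ip not in iface_addrs:
            findings.append(f"local IPCP endpoint {local_ip} is not configured on any interface")
        if pool not in pools:
            findings.append(f"ippool {pool} referenced but never defined")
            continue
        lo, hi = pools[pool]
        if local_ip in client or lo in client or hi in client:
            findings.append(f"pool {pool} ({lo}-{hi}) or endpoint {local_ip} overlaps the client LAN {client}")
    return findings
```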


----------



## obsigna (Sep 13, 2019)

SirDice said:


> To be honest I'm not so sure about that. It might be true for Windows to Windows (since both sides would use the Microsoft implementation) but this may not be the case for Windows to mpd. Mpd does support a few of the Microsoft _authentication_ schemes but this has nothing to do with encryption.
> 
> Reading the documentation (it's been a really long time since I last used mpd) there is _some_ encryption. It's off by default and the available encryption is rather poor and quite CPU hungry.
> 
> ...


This is handled by the mpd5 settings for the encryption, and the OP got this part straight:

```
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
```



> Mpd implements Microsoft Point-to-point compression (MPPC) CCP subprotocol. To enable it, 'mppc' option should be enabled at the CCP layer.
> 
> MPPC CCP subprotocol consists of MPPC compression and MPPE encryption parts. To make MPPC CCP actually do something you should enable some of them using options below.
> 
> ...


----------



## Vovas (Sep 16, 2019)

Thanks to all. I've installed net/wireguard.


----------

