Currently, I am testing a few different VPN solutions to secure my wireless network at home. This is just the bare-bones list of steps I went through to get MPD set up and running for Windows XP clients.
mpd-netgraph setup:
I followed the suggestions in the following URLs:
http://lists.freebsd.org/pipermail/freebsd-security/2003-July/000466.html
http://www.blackh0le.net/articles/vpn-dun-howto.html
Background Info:
10.x.x.0/24 was my internal network
192.168.0.0/24 was my wireless cloud
1. System specs:
Celeron 333
128MB RAM
4GB Harddisk
2 NICs
The rest really doesn’t matter.
2. Install FreeBSD:
minimal + kern developer install
kernel compile:
ipfilter
ipfilter_log
ipfilter_default_block
mpd-netgraph is a ‘userspace’ daemon.
disable the rest that we usually disable.
Enable ipf:
create /etc/ipf.rules (fully open set until we’re done with setup)
3. cvsup:
cd /usr/ports/net/cvsup-without-gui
make install clean
/usr/local/bin/cvsup -g -L 2 /usr/src/sup-ports
4. mpd installation:
cd /usr/ports/net/mpd
make install clean
7. isc-dhcp3 installation:
cd /usr/ports/net/isc-dhcp3
make install clean
/usr/local/etc/dhcpd.conf
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "test.net";
option domain-name-servers 10.x.x.253,10.x.x.249;
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.1 192.168.0.250;
    # IPs 51-75 are for pptp clients
    option routers 192.168.0.254;
}
8. mpd.conf:
default:
    load pptp0
    load pptp1
    load pptp2
pptp0:
    new -i ng0 pptp0 pptp0
    set iface disable on-demand
    set bundle disable multilink
    set iface enable proxy-arp
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 60 180
    set ipcp yes vjcomp
    set ipcp ranges 10.x.x.250/32 10.x.x.51/24
    set ipcp dns 10.x.x.249
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set bundle yes crypt-reqd
pptp1:
    new -i ng1 pptp1 pptp1
    set iface disable on-demand
    set bundle disable multilink
    set iface enable proxy-arp
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 60 180
    set ipcp yes vjcomp
    set ipcp ranges 10.x.x.250/32 10.x.x.52/24
    set ipcp dns 10.x.x.249
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set bundle yes crypt-reqd
pptp2:
    new -i ng2 pptp2 pptp2
    set iface disable on-demand
    set bundle disable multilink
    set iface enable proxy-arp
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 60 180
    set ipcp yes vjcomp
    set ipcp ranges 10.x.x.250/32 10.x.x.53/24
    set ipcp dns 10.x.x.249
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set bundle yes crypt-reqd
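Each of the three bundles above has to carry the same four lines that matter for confidentiality (no PAP, CHAP only, 128-bit MPPE, crypt-reqd), and it is easy to drop one when copying a block. The following shell script is an added example, not part of the original post or of mpd itself: it walks an mpd.conf label by label and reports any bundle where PAP is enabled, where "set ccp yes mpp-e128" is missing, or where "set bundle yes crypt-reqd" is missing. The file layout it assumes (a label at column 0, "set" commands beneath it) is the one used above; the sample configuration inside demo_constructed_conf is constructed for the example, with pptp1 deliberately weakened.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an mpd.conf for the
# settings the bundles above rely on. Each "label:" line at column 0 starts
# a block; for every block that contains "set" commands, report when
#   - "set bundle yes crypt-reqd" is absent (an unencrypted bundle would be accepted),
#   - "set ccp yes mpp-e128" is absent (128-bit MPPE is not demanded),
#   - PAP is enabled ("set link yes pap" / "set link enable pap": cleartext passwords).
# Blocks without "set" lines (e.g. "default:", which only loads labels) are skipped.
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
check_mpd_conf() {
    awk '
        function flush() {
            if (label != "" && nset > 0) {
                if (!crypt) { print label ": missing \"set bundle yes crypt-reqd\""; bad = 1 }
                if (!e128)  { print label ": missing \"set ccp yes mpp-e128\""; bad = 1 }
                if (pap)    { print label ": PAP enabled (cleartext passwords)"; bad = 1 }
            }
            crypt = 0; e128 = 0; pap = 0; nset = 0
        }
        BEGIN { bad = 0 }
        # a label line closes the previous block and opens a new one
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { flush(); label = $1; sub(/:$/, "", label); next }
        $1 == "set" && label != "" {
            nset++
            on = ($3 == "yes" || $3 == "enable")
            for (i = 4; i <= NF; i++) {
                if ($2 == "bundle" && on && $i == "crypt-reqd") crypt = 1
                if ($2 == "ccp"    && on && $i == "mpp-e128")   e128 = 1
                if ($2 == "link"   && on && $i == "pap")        pap = 1
            }
        }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed sample configuration (not from the post): pptp0 mirrors the
# bundle above, pptp1 is deliberately weak. Returns the checker's status.
demo_constructed_conf() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
default:
    load pptp0
    load pptp1
pptp0:
    set link no pap chap
    set link enable chap
    set ccp yes mppc
    set ccp yes mpp-e128
    set bundle yes crypt-reqd
pptp1:
    set link yes pap
    set ccp yes mppc
    set ccp yes mpp-e40
EOF
    rc=0
    check_mpd_conf "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}

# Real use: check_mpd_conf /usr/local/etc/mpd/mpd.conf
# (that path is an assumption for mpd 3.x; adjust to wherever mpd.conf lives)
```

Running demo_constructed_conf prints three findings for pptp1 and nothing for pptp0; running check_mpd_conf against the mpd.conf above returns 0 because all three bundles carry the required lines.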
9. create mpd.links:
pptp0:
    set link type pptp
    set pptp self 192.168.0.254
    set pptp enable incoming
    set pptp disable originate
pptp1:
    set link type pptp
    set pptp self 192.168.0.254
    set pptp enable incoming
    set pptp disable originate
pptp2:
    set link type pptp
    set pptp self 192.168.0.254
    set pptp enable incoming
    set pptp disable originate
10. create mpd.secret:
username1 "password1"
username2 "password2"
11. create /usr/local/etc/rc.d/mpd.sh startup script:
#!/bin/sh
# Set the environment variables
. /etc/profile
. ~/.profile
pidf=/var/run/mpd.pid
case "$1" in
    start|"") mpd -b;;
    stop) if [ -r $pidf ]; then
              kill -TERM `cat $pidf`
          fi;;
    *) echo "usage: $0 [start|stop]" 1>&2; exit 1;;
esac
12. create /usr/local/etc/rc.d/zzz_ipf_sync.sh
#! /bin/sh
echo "Sleeping for 10 seconds before syncing IPF."
sleep 10
# Syncs IPF with the active interface list
ipf -y
echo "VPN interfaces are now available."
# some simple logging
echo "IPF synced at:" >> /var/log/general.log
date >> /var/log/general.log
This script gives mpd time to finish loading and create the ng* interfaces. Once that is done, ipf -y resyncs ipfilter with ALL interfaces, the new ng* ones included.
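A fixed sleep only works when mpd happens to be fast enough; if it is slower on a given boot, ipf -y runs before the ng* interfaces exist and the VPN interfaces stay outside the ipfilter rule set. The script below is an added example, not from the original post: it polls the interface list until every named ng* interface is present (or a timeout expires) and only then runs ipf -y, logging to /var/log/general.log as the post's script does. The LIST_IFACES variable is an assumption of this example so the waiting logic can be exercised anywhere; on FreeBSD its default, ifconfig -l, is the real interface list.

```shell
#!/bin/sh
# Added example, not part of the original post: a replacement for the fixed
# "sleep" in zzz_ipf_sync.sh that waits until the ng* interfaces mpd creates
# actually exist before running "ipf -y", and gives up after a timeout
# instead of syncing against a half-built interface list.
# LIST_IFACES is an assumption of this example: the command that prints the
# interface names. On FreeBSD the default "ifconfig -l" is the real thing.
LIST_IFACES=${LIST_IFACES:-"ifconfig -l"}

# have_iface NAME: succeeds if NAME is in the current interface list.
have_iface() {
    for i in $($LIST_IFACES); do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# wait_for_ifaces TIMEOUT NAME...: poll once per second until every NAME
# exists. Returns 0 when all are present, 1 once TIMEOUT seconds have passed.
wait_for_ifaces() {
    deadline=$1; shift
    elapsed=0
    while :; do
        missing=""
        for n in "$@"; do
            have_iface "$n" || missing="$missing $n"
        done
        [ -z "$missing" ] && return 0
        if [ "$elapsed" -ge "$deadline" ]; then
            echo "timeout after ${deadline}s; still missing:$missing" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# sync_ipf_when_ready TIMEOUT NAME...: the rc.d body. Runs "ipf -y" only
# once the interfaces are there, and logs either outcome like the post's
# script does.
sync_ipf_when_ready() {
    if wait_for_ifaces "$@"; then
        ipf -y || return 1
        echo "IPF synced at: $(date)" >> /var/log/general.log
    else
        echo "IPF NOT synced, VPN interfaces missing, at: $(date)" >> /var/log/general.log
        return 1
    fi
}

# As the rc.d script would call it for the three bundles configured above:
#   sync_ipf_when_ready 60 ng0 ng1 ng2
```

With this in place, a boot where mpd takes 20 seconds still ends with a correct resync, and a boot where mpd fails to start leaves a log line saying why ipf was not resynced instead of silently syncing nothing.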
Conclusion:
The end result of this little experiment was somewhat of a disappointment. In the end, I had a working VPN with less-than-stable connections over an 802.11b wireless link: it would drop connections at random, even though the link remained strong and wireless clients NOT on the VPN kept their network connectivity.
If anyone has any ideas on ways to stabilize the VPN tunnel, I would appreciate any input.