Definite's Extractor

My findings on Life, Linux, Open Source, and so on.

MPD — as VPN client in FreeBSD

MPD is a netgraph based implementation of the multi-link PPP protocol for FreeBSD.  One of the main feature  of mpd is the capability to establish the VPN connection. After extensive testing, I found:

  • Don’t use mpd4 yet, for it always enables  chap even you explictly disable it.
  • Not many VPN server support the set link ident command.
  • Check the route setting, it a is critical sucess factor.

My VPN environment

I use my laptop to connect the VPN in office at home or office. But the setting at home and at office is quite different. In office, I wish to set all the Internet traffic through VPN so I can use the Internet bandwidth of the university instead consume my own quota. The university blocks many websites but I want to access those websites at home, so the traffic to the university go through VPN, and the others go through default gateway.

The mpd.conf I am using:

 
vpn: 	new -i ng1 vpn vpn 	
   # set log +pptp +pptp2 +pptp3 +ccp2 +chat2
   # disconnect the client after 8 hours 	
   set iface session 28800
   # "username" here should match "username" in mpd.secret
   set bundle disable multilink 	
   set bundle authname "USER"
   # set this to your correct routing information 	
   set iface disable on-demand 	
   set iface up-script "IFACE_UP.sh" 	
   set iface down-script "IFACE_DOWN.sh" 	
   #set iface enable proxy-arp 	
   set iface idle 0 	
   set iface enable tcpmssfix 	
   set bundle disable encryption 	
   set link no acfcomp protocomp  	
   set link max-redial -1 	
   set link no pap chap 	
   set link accept chap 	
   set link accept chap-msv2 	
   set link mtu 1500 	
   set link keep-alive 30 300 	
   # If remote machine is NT you need this.. 	
   set link yes no-orig-auth 	
   set ipcp no vjcomp 	
   set ipcp yes req-pri-dns req-sec-dns 	
   set ipcp ranges 0/0 0/0 
   # 
   # The five lines below enable Microsoft Point-to-Point encryption 
   # (MPPE) using the ng_mppc(8) netgraph node type. 
   # 	set bundle enable compression 	
   set ccp yes mppc 	set ccp yes mpp-e40 	
   set ccp yes mpp-e128 	
   set bundle enable crypt-reqd 	
   set ccp yes mpp-stateless 	
   set ccp yes mpp-compress 	
   open 

Change USER to your login name

The mpd.link is simple:

 
vpn:         
   set link type pptp         
   set pptp peer PPTP_HOST_IP         
   set pptp enable originate outcall 

PPTP_HOST_IP is the IP of VPN server

The mpd.secret:

 
USER     PASSWORD 

The IFACE_UP.sh (the script to preform when the netgraph interface (e.g. ng1) is up):

 
#!/bin/sh  
route=/sbin/route  
IFACE="$1" 
INET="$2" 
LOCAL_IP="$3" 
REMOTE_IP="$4" 
AUTHNAME="$5" 
PRI_DNS_SERVER_IP="$7" 
SEC_DNS_SERVER_IP="$9"  
$route add PPTP_HOST_IP $DEFAULT_GATEWAY 
if [ "${CURR_LOCATION}" = "OFFICE"  ] then    
   $route change default $REMOTE_IP 
elif [ "${CURR_LOCATION}" = "HOME" ] then 
   $route add OFFICE_NET1 $REMOTE_IP -netmask 0xffffff00  
   $route add OFFICE_NET2 $REMOTE_IP -netmask 0xffffff00 
   $route add OFFICE_NET_EXCLUDE  $DEFAULT_GATEWAY -netmask 0xffffff00      
   $route add OFFICE_HOST_EXCLUDE $DEFAULT_GATEWAY fi 
  • CURR_LOCATION: An environment varible to determine your location.
  • DEFAULT_GATEWAY: An environment varible to hold the IP of default gateway .
  • OFFICE_NET1. OFFICE_NET2: The office subnets you want to reach by VPN.
  • OFFICE_NET_EXCLUSIVE. OFFICE_HOST_EXCLUSIVE: The office subnets/hosts that you don’t want to reach by VPN.

The IFACE_DOWN.sh (the script to preform when the netgraph interface (e.g. ng1) is down:

 
#!/bin/sh  route=/sbin/route  IFACE="$1" INET="$2" AUTHNAME="$3"   
#umount samba drive before disconnet from VPN 
SMB_DRIVE=`/sbin/mount | grep smbfs | awk '{print $3}'` 
if [ "$SMB_DRIVE" != "" ] then
    /sbin/umount $SMB_DRIVE 
fi  
$route delete PPTP_HOST_IP 
if [ "$CURR_LOCATION" = "OFFICE"  ] then 
   $route change default $DEFAULT_GATEWAY || $route add default $DEFAULT_GATEWAY
elif [ "$CURR_LOCATION" = "HOME" ] then
   $route delete OFFICE_NET1
   $route delete OFFICE_NET2
   $route delete OFFICE_NET_EXCLUSIVE 
   $route delete OFFICE_HOST_EXCLUSIVE 
fi 
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: