In last week’s tutorial installment on PPTP VPN, we recompiled the kernel. The next step is to create the additional tun devices and finish installing and configuring Poptop.

Let’s get started: tun0 – tun3 exist by default, so create
additional devices with the following:

# cd /dev
# sh ./MAKEDEV tun?

Where ? is the device number. Since tun0 to tun3 already exist, I went through tun4 to tun49 to create the 50 concurrent devices I enabled in the kernel.

Flying along now, we can get down to installing the Poptop package. Download the package from the repository of your choice and install it:

# pkg_add poptop-1.1.4.b4p1.tgz

A few errors are shown but they aren’t anything to worry about. Let’s get down to the Poptop configuration. The first file to edit is /etc/pptpd.conf (the same file the listen directive lives in):

option /etc/ppp/ppp.conf
# IP address of your server-side PPP endpoint:
# (An unused IP address on your internal LAN)
# IP address range to use for your PPTP clients:
# (Unused IP addresses on your internal LAN)
# IP address of external LAN interface:
# (The IP which a remote user's client will connect to)
pidfile /var/run/

Now /etc/ppp/ppp.conf needs to be configured to handle encryption via a loopback. The file has two sections: loop, which is pulled in by the load loop line, and loop-in, which is the label /etc/ppp/secure passes to ppp -direct. Section labels start in column 0 and the commands are indented:

loop:
      set timeout 0
      set log phase chat connect lcp ipcp command
      set device localhost:pptp
      set dial
      set login
      set mppe * stateful
      # Server (local) IP address, Range for Clients, and Netmask
      # Use the same IP addresses you specified in /etc/pptpd.conf :
      set ifaddr
      set server /tmp/loop "" 0177

loop-in:
      set timeout 0
      set log phase lcp ipcp command
      allow mode direct
      load loop
      # Disable unsecured auth
      disable pap
      disable chap
      enable mschapv2
      disable deflate pred1
      deny deflate pred1
      disable ipv6
      accept mppe
      enable proxy
      accept dns
      # DNS Servers to assign client
      # Use your own DNS server IP address :
      set dns
      # NetBIOS/WINS Servers to assign client
      # Use your own WINS server IP address :
      set nbns
      set device !/etc/ppp/secure

We need to create the file /etc/ppp/secure with the following content:

exec /usr/sbin/ppp -direct loop-in

Make the file executable after creation:

# chmod u+x /etc/ppp/secure

The file /etc/ppp/ppp.secret holds usernames and passwords for your dial-in users. The format is quite simple:

username       password       *
username       password       staticip
username       password       *

This file needs to have chmod 0400 performed on it after editing. The * denotes that this user will be automatically allocated a free IP address; you can alternatively specify a static address for this user.

It’s nice to have any PPP log messages sent to their own log file, as this makes debugging easier and keeps things tidy. Add the following lines to /etc/syslog.conf :

*.*                    /var/log/ppp.log

Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP (syslogd PID)

Just as a hint, find the syslogd process ID with ps aux. There will be two syslogd processes running, so you
need to use the one running as root.

Poptop can be launched manually; the -d switch enables debug output.

# /usr/local/sbin/pptpd -d

To start Poptop automatically during boot, the following lines should be added to /etc/rc.local (the if block must be closed with fi):

if [ -x /usr/local/sbin/pptpd ]; then
    echo -n " pptpd";    /usr/local/sbin/pptpd -d
fi

I would recommend doing this as it would be easy to forget
to start the daemon after rebooting and takes no effort to set up.

Our last consideration is the firewall (Packet Filter). We need to allow inbound TCP connections on port 1723 on the external IP, inbound and outbound GRE on the external IP, and all traffic on the tun* devices. The rules below show the pair for tun0 and tun1; add the same pair for every tun device you created:

# PPTP Rules (VPN Dial in)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all
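As an added helper that is not part of the original tutorial, the script below ties the tun-device and firewall steps together: it prints the MAKEDEV commands for tun4 to tun49, generates the pass in/out pair for all 50 tun devices (the rules above show only tun0 and tun1), and audits the file modes the tutorial requires (ppp.secret at 0400, /etc/ppp/secure executable). The device count and paths are the tutorial's own; the stat format flags are assumed to be those of GNU or BSD stat.

```shell
#!/bin/sh
# Added helper, not from the original tutorial: prints MAKEDEV and pf rule
# lines for all NTUN tun devices and checks the file modes the tutorial needs.

NTUN=50   # tun devices enabled in the kernel => tun0..tun49

# tun0-tun3 exist by default, so MAKEDEV is only needed from tun4 upwards.
makedev_cmds() {
    i=4
    while [ "$i" -lt "$NTUN" ]; do
        printf 'sh ./MAKEDEV tun%d\n' "$i"
        i=$((i + 1))
    done
}

# One pass in/out pair per tun device, in the style of the tutorial's
# tun0/tun1 rules, so no device is left blocked by a default-deny policy.
tun_rules() {
    i=0
    while [ "$i" -lt "$NTUN" ]; do
        printf 'pass in quick log on tun%d all\n' "$i"
        printf 'pass out quick log on tun%d all\n' "$i"
        i=$((i + 1))
    done
}

# Succeeds only if FILE has exactly the octal mode WANT (e.g. 0400 for
# /etc/ppp/ppp.secret, which stores dial-in passwords in plain text).
check_mode() {
    file=$1; want=$2
    [ -e "$file" ] || return 1
    # GNU stat takes -c, BSD stat takes -f; try GNU first (BSD rejects -c).
    got=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    [ "$(printf '%04d' "$got")" = "$want" ]
}

# Audit the files the tutorial creates; prints one line per problem found.
audit() {
    check_mode /etc/ppp/ppp.secret 0400 || echo "/etc/ppp/ppp.secret is not mode 0400"
    [ -x /etc/ppp/secure ] || echo "/etc/ppp/secure is not executable"
    [ -e /dev/tun$((NTUN - 1)) ] || echo "/dev/tun$((NTUN - 1)) is missing"
}

case "${1:-}" in
    makedev) makedev_cmds ;;
    rules)   tun_rules ;;
    audit)   audit ;;
esac
```

Run it as `sh pptp-helper.sh rules >> /etc/pf.conf` (after reviewing the output) or `sh pptp-helper.sh audit` once the files are in place.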

Now all that’s left is to test it. Reboot the machine to make sure that everything is started cleanly. Then we just need to create a PPTP client connection and make sure it actually connects.

I’m using Windows XP as an example. Start the New Connection Wizard and select the option ‘Connect to the network at my workplace’. The next option to select is ‘Virtual Private Network connection’ rather than Dial-up connection. Enter any name for the connection; the suggestion is ‘Company Name’. There is an option at this stage to have an initial connection dialed before making the VPN connection. I prefer to disable this option, but the choice is yours. At the next step, enter the IP address or hostname of your gateway machine; this is the address seen by the outside world. In our example, this is the IP specified in /etc/pptpd.conf with the listen directive.