And here’s another thing I posted 4 years ago (reposted with backdating in 2016) about something I’ve totally forgotten! Could very well be useful.
Surfing the internet on public wifi is not secure. Anyone could be snooping on your communication. I’ve a computer running FreeBSD 9.0 that I use for many things and I’ve recently added VPN to one of those things. I imagine you could use other BSDs, Linux, or OS X for this also. I imagine even Windows could do it.
One thing I’d been doing was using the FreeBSD server for SSH tunneling for privacy, but a VPN is simpler from the end user’s standpoint since clients support it natively without any command line magic. I ended up setting up a PPTP VPN on FreeBSD using MPD and PF. You might hear that PPTP is not a secure VPN. Well, from lots of surfing it seems like PPTP is secure enough as long as you use the 2nd version (the first version is insecure) and have a good password. If you aren’t a bank or other organization needing ultimate security, it’s likely safe enough and much better than not using any VPN.
It took me a while to figure this out, so I thought I’d write down what I needed to do here for posterity. The main thing was that I needed to give the VPN clients a fake (private) IP range, since that is the range MPD hands out from its pool. Then I needed to set up PF to NAT traffic from that fake range to the real network address, which is the IP of the FreeBSD server. Using PF messed up my IPFilter firewall, but the server is behind a router firewall so it doesn’t need IPFilter anyhow.
Here are the pertinent parts of mpd.conf:
startup:
# configure mpd users
set user admin_username admin_password admin
# configure the console
set console self 0.0.0.0 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open

pptp_server:
# Define dynamic IP address pool. <This is the fake range>
set ippool add pool1 172.16.0.1 172.16.0.50
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment. <This is the real local address of the BSD machine>
set ipcp ranges 192.xxx.x.xx/32 ippool pool1
# don’t know if it matters but this is OpenDNS
set ipcp dns 208.67.222.222
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap
set link keep-alive 10 60
# Enable utmp/wtmp logging
set auth enable system-acct
# Reduce the link MTU to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP <real local address again>
set pptp self 192.xxx.x.xx
# Allow incoming calls to be accepted
set link enable incoming
And the relevant parts of pf.conf (the NAT rule maps the fake client range to the server’s real address):
ext_if="em0"
internal_net="172.16.0.1/16"
external_addr="192.xxx.x.xx"
nat on $ext_if from $internal_net to any -> $external_addr
pass in all
pass out all
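The two files above have to agree with each other: the MPD pool must fall inside the network the PF nat rule translates, and the nat target must be the same address MPD listens on with "set pptp self". The script below is an added example (not code from the post or from the mpd/pf projects) that parses just the directives used here and reports any mismatch, plus whether the MPPE lines leave the 40-bit key length (e40) enabled alongside e128. The two configs it checks are constructed from the post’s fragments, with the elided 192.xxx.x.xx replaced by the documentation placeholder 192.0.2.10.

```python
"""Cross-check an mpd.conf pool / PPTP listener against a pf.conf NAT rule.

Added example; the config texts are constructed from the post's fragments,
with the post's elided server address replaced by the placeholder 192.0.2.10.
Only the handful of mpd and pf directives used in the post are understood.
"""
import ipaddress
import re

MPD_CONF = """\
pptp_server:
# dynamic pool handed to clients (the "fake" range)
set ippool add pool1 172.16.0.1 172.16.0.50
create bundle template B
set ipcp ranges 192.0.2.10/32 ippool pool1
set ipcp dns 208.67.222.222 #OpenDNS
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
create link template L pptp
set link action bundle B
set link no pap chap eap
set link enable chap
set pptp self 192.0.2.10
set link enable incoming
"""

PF_CONF = """\
ext_if="em0"
internal_net="172.16.0.1/16"
external_addr="192.0.2.10"
nat on $ext_if from $internal_net to any -> $external_addr
pass in all
pass out all
"""


def _lines(text):
    """Yield config lines with '#' comments and surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_mpd(text):
    """Extract the pool bounds, the 'set pptp self' address and the MPPE options."""
    pool = pptp_self = None
    mppe = set()
    for line in _lines(text):
        m = re.fullmatch(r"set ippool add (\S+) (\S+) (\S+)", line)
        if m:
            pool = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        m = re.fullmatch(r"set pptp self (\S+)", line)
        if m:
            pptp_self = ipaddress.ip_address(m.group(1))
        m = re.fullmatch(r"set mppc yes (\S+)", line)
        if m:
            mppe.add(m.group(1))
    return {"pool": pool, "pptp_self": pptp_self, "mppe": mppe}


def parse_pf(text):
    """Resolve pf macros and return the first nat rule as (ext_if, src, dst), or None."""
    macros, nat = {}, None
    for line in _lines(text):
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"nat on \$?(\w+) from \$?(\S+) to any -> \$?(\S+)", line)
        if m and nat is None:
            nat = tuple(macros.get(g, g) for g in m.groups())
    return nat


def check(mpd_text, pf_text):
    """Return a list of findings; an empty list means the two configs agree."""
    mpd = parse_mpd(mpd_text)
    nat = parse_pf(pf_text)
    findings = []
    if nat is None:
        return ["pf.conf has no nat rule: VPN clients would not reach past the server"]
    if mpd["pool"] is None:
        return ["mpd.conf defines no ippool: clients cannot be assigned addresses"]
    _, src, dst = nat
    net = ipaddress.ip_network(src, strict=False)  # 172.16.0.1/16 -> 172.16.0.0/16
    lo, hi = mpd["pool"]
    if lo not in net or hi not in net:
        findings.append(f"MPD pool {lo}-{hi} is not inside NAT source {net}")
    if ipaddress.ip_address(dst) != mpd["pptp_self"]:
        findings.append(f"NAT address {dst} differs from 'set pptp self' {mpd['pptp_self']}")
    if "e128" not in mpd["mppe"]:
        findings.append("128-bit MPPE (e128) is not enabled")
    if "e40" in mpd["mppe"]:
        findings.append("40-bit MPPE (e40) is enabled; a client may negotiate the weak key length")
    return findings


if __name__ == "__main__":
    for finding in check(MPD_CONF, PF_CONF) or ["configs agree"]:
        print(finding)
```

Run against the post’s own settings the only finding is the e40 line; dropping "set mppc yes e40" so that only e128 can be negotiated clears it, while changing the pool to a range outside 172.16.0.0/16 or commenting out the nat rule produces the corresponding mismatch.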