Filed Under (freebsd, router) by Coni on 06-06-2006
To use it you should know basic packet filtering with ipfw.
It is not very difficult to understand; just follow the flow.
For example, our network has a VPN server, and we have a router that is used to connect to the VPN server.
The address of the VPN server is, for example, 10.11.12.11.
We have a LAN on 10.11.13.0/24.
Our router has the IP addresses 10.11.13.1 and 10.11.12.13.
The LAN is configured so that it can access anything but cannot be accessed from outside, and it must still be able to connect to the VPN server.
ipfw does not see the tunneled packets to the VPN server as TCP on port 1723 (that is only the control connection); it sees them as GRE (Generic Routing Encapsulation).
So if we do not pass the GRE packets, our LAN cannot establish a VPN connection.
A simple ipfw configuration to handle that is:
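# Firewall rule set for the LAN/VPN router described above.  ipfw evaluates
# rules top to bottom and the first match wins, so the order below matters.
# Plain ASCII quotes: the curly quotes in the original paste are not valid
# shell syntax and would have become part of the values.
IPFW="/sbin/ipfw -q add"   # used unquoted below on purpose: it must word-split
LAN="10.11.13.0/24"
VPN_SERVER="10.11.12.11"

# Start from an empty rule set (-f: do not ask for confirmation).
/sbin/ipfw -f flush

# Loopback traffic is fine; anything else claiming to be 127/8 is dropped.
$IPFW pass all from any to any via lo0
$IPFW deny all from any to 127.0.0.0/8
$IPFW deny ip from 127.0.0.0/8 to any

# Return traffic for TCP sessions.  "established" is stateless: it matches any
# TCP segment with ACK or RST set and does not verify that the session was
# really opened from the inside.  check-state together with keep-state on the
# setup rules below is the stateful alternative if a tighter policy is wanted.
$IPFW allow tcp from any to any established

# PPTP carries its data channel as GRE (IP protocol 47), not as TCP/1723, so
# GRE between the LAN and the VPN server must be allowed explicitly.  The
# { a or b } form also matches LAN<->LAN and server<->server; two directional
# rules (LAN -> server and server -> LAN) would be the narrower policy.
$IPFW allow gre from { $LAN or $VPN_SERVER } to { $LAN or $VPN_SERVER }

# The LAN may open connections to anywhere: TCP via SYN (setup), UDP statefully.
$IPFW allow tcp from $LAN to any setup
$IPFW allow udp from $LAN to any keep-state

# The router itself ("me") may open connections in the same way.
$IPFW allow all from me to any setup
$IPFW allow udp from me to any keep-state

# Default deny: everything not matched above (new inbound connections to the
# LAN, ICMP, which no rule above allows, ...) is dropped.
$IPFW deny all from any to any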
That is it. I hope it is useful.
Filed Under (freebsd) by Coni on 06-06-2006
In this setup I use mpd.
http://www.dellroad.org/mpd/index … read it yourself.
MPD - Multi-link PPP daemon for FreeBSD
After googling for many days I finally found a shell script to configure and connect,
but I got an IP address and it still did not connect.
The script is from http://www.stw-bonn.de/support/vpn-freebsd.
Thanks for it.
The VPN server can be connected to from a normal Windows machine with the default options.
With some modification, some luck, and God's blessing, I made some changes and it works.
HOREEE!!!
First, install mpd from ports:
#cd /usr/ports/net/mpd
If you use a proxy to connect to the internet:
#setenv http_proxy "your_proxy:the_port"
#setenv ftp_proxy "your_proxy:the_port"
Install it:
#make install clean
Finished.
I hope it works.
Now for the script. Here it is:
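#!/bin/sh
# Bring up / tear down a PPTP VPN link with mpd.
# Usage: script {start|stop|status|restart|config}; with no argument a menu is shown.
# The "config" action prompts for credentials and writes the three files below.

CONFIG_FILE="/usr/local/etc/mpd/mpd.conf"
LINKS_FILE="/usr/local/etc/mpd/mpd.links"
SECRET_FILE="/usr/local/etc/mpd/mpd.secret"

# Locate route(8): prefer whatever is on PATH, fall back to /sbin/route.
# command -v is the portable replacement for which(1).  ROUTE is not
# referenced again in this script as shown; it is kept for compatibility.
ROUTE=$(command -v route 2>/dev/null)
if test -z "$ROUTE" ; then
  ROUTE="/sbin/route"
  if ! test -f "$ROUTE" ; then
    echo "Cannot find program route. Bailing out" >&2
    exit 1
  fi
fi

# Same for the mpd binary; the mpd-netgraph port installs it under /usr/local/sbin.
MPD_BIN=$(command -v mpd 2>/dev/null)
if test -z "$MPD_BIN" ; then
  MPD_BIN="/usr/local/sbin/mpd"
  if ! test -f "$MPD_BIN" ; then
    echo "Cannot find mpd VPN client program. Please install mpd-netgraph port!" >&2
    exit 1
  fi
fi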
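#######################################
# Generate the three mpd files (mpd.conf, mpd.links, mpd.secret) for a single
# PPTP link named "vpn".
# Globals (read): USERNAME, NETPASSWORD, VPN_TARGET_ADDRESS,
#                 CONFIG_FILE, LINKS_FILE, SECRET_FILE
# Outputs: overwrites the three files; mpd.secret ends up mode 0600.
# NOTE(review): PPTP with MPPE/CHAP as configured here is considered weak by
# current standards; the configuration is kept as the post describes it.
#######################################
configure(){
  ### first generate mpd.conf
  # Here-doc instead of echo: some sh echo implementations interpret
  # backslashes, which would corrupt an unusual $USERNAME.  mpd expects label
  # lines ("vpn:") at column 0 and command lines indented.  The line
  # "set link yes acfcomp protocomp" is repeated as in the original config.
  cat > "$CONFIG_FILE" <<EOF
default:
    load vpn

vpn:
    new -i ng0 vpn vpn
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set iface mtu 1400
    set bundle enable compression
    set bundle yes crypt-reqd
    set link mtu 1400
    set link enable chap
    set link keep-alive 10 60
    set link yes acfcomp protocomp
    set iface route default
    set bundle disable multilink
    set bundle authname $USERNAME
    set link yes acfcomp protocomp
    set link no pap chap
    set link accept chap
    set ipcp yes vjcomp
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set ccp enable mpp-compress
    open
EOF

  ### next generate mpd.links
  cat > "$LINKS_FILE" <<EOF
vpn:
    set link type pptp
    set pptp peer $VPN_TARGET_ADDRESS
    set pptp enable originate incoming outcall
EOF

  ### and last but not least mpd.secret
  # The file holds the plaintext password, so create it with restrictive
  # permissions from the start (umask in a subshell) instead of writing a
  # world-readable file and tightening it afterwards; the chmod still covers
  # a pre-existing file with wider permissions.
  (
    umask 077
    printf '%s %s\n' "$USERNAME" "$NETPASSWORD" > "$SECRET_FILE"
  ) || return
  chmod 600 "$SECRET_FILE"
}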
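### ok, config stuff done, now get this all running (modified 16.05.02)
# Dispatch on the first argument; no argument shows an interactive menu that
# re-invokes this script with the chosen action.
case "$1" in
  start)
    # "status" prints "Cannot find any ..." when no pid file exists, so an
    # empty grep result means a connection is already up.
    VPN_STATUS=$("$0" status | grep "Cannot find any")
    if test -z "$VPN_STATUS" ; then
      echo "There is already a VPN connection running" >&2
      exit 1
    fi
    printf 'Starting VPN '
    "${MPD_BIN}" -b
    # give mpd a few seconds to bring the link up before checking ng0
    for i in 1 2 3 4 5 6 7 8
    do
      printf .
      sleep 1
    done
    printf ' '
    if ifconfig | grep ng0 | grep UP > /dev/null ; then
      NG_DEVICE=ng0
    fi
    if test -z "$NG_DEVICE" ; then
      echo "Could not start mpd connection to vpn server" >&2
      exit 1
    fi
    echo "VPN's started"
    ;;
  stop)
    if test -f /var/run/mpd.pid ; then
      MPD_PID=$(cat /var/run/mpd.pid)
    fi
    # quoted: an empty or multi-word pid file must not break the test
    if test -z "$MPD_PID" ; then
      echo "Cannot find any running VPN connection to terminate"
    else
      # NOTE(review): a stale pid file would make this signal whatever process
      # currently holds that pid; checking the process is really mpd before
      # sending the signal would be safer.
      for i in $MPD_PID ; do   # intentionally unquoted: one pid per word
        kill "$i"
      done
      printf 'Stopping VPN '
      for i in 1 2 3
      do
        printf .
        sleep 1
      done
      printf ' '
      echo "VPN connection(s) closed"
    fi
    ;;
  status)
    if test -f /var/run/mpd.pid ; then
      MPD_PID=$(cat /var/run/mpd.pid)
    fi
    # keep the "Cannot find any" wording: the start action greps for it
    if test -z "$MPD_PID" ; then
      echo "Cannot find any VPN connection(s) started by this startup script"
    else
      echo "VPN connection seems to be running"
    fi
    ;;
  restart)
    "$0" stop && "$0" start
    ;;
  config)
    # read -r everywhere: a backslash in a password must be taken literally
    printf 'username : '
    read -r USERNAME
    printf 'password : '
    # echo is switched off while the password is typed; restore it if the
    # user interrupts, otherwise the terminal is left with echo disabled
    stty -echo
    trap 'stty echo; exit 1' INT TERM
    read -r NETPASSWORD
    stty echo
    trap - INT TERM
    echo
    printf 'server : '
    read -r VPN_TARGET_ADDRESS
    configure
    ;;
  *)
    echo "1. Start"
    echo "2. Stop"
    echo "3. Restart"
    echo "4. Configure"
    echo "5. Exit"
    printf '? '
    read -r opsi
    case "$opsi" in
      1)
        "$0" start
        ;;
      2)
        "$0" stop
        ;;
      3)
        "$0" restart
        ;;
      4)
        # configure, then show the menu again
        "$0" config
        "$0"
        ;;
      5)
        exit 0
        ;;
      *)
        echo "Wrong Answer!"
        exit 1
        ;;
    esac
    ;;
esac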