VPN Server Using PPTP Protocol and FreeRadius as AAA Implementation

hmmmmm….. in this documentation, i will explain how to build VPN server using PPTP protocol. In my last documentation about VPN server, there’s a lot of problem (my friend told me), so i will revisied my last documentation in this documentation. Okay… I’m using FreeBSD 6.2-RELEASE as my PPTP server, but you can using higher version of FreeBSD. In Linux??……… long time i’m not using it. this documentation contains 3 step : 1. configuring the router, 2. configuring PPTP server itself, and 3. configuring client (Windows XP). lets start it. heres the network diagram :

1. Configuring Router :
For the router, i’m using FreeBSD, but you can also using other operating systems. of course you should change your IP forwarding to 1. I think you already know what’s that mean.
/etc/sysctl.conf

security.bsd.see_other_uids=0
net.inet.ip.fastforwarding=1
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=2

Then, config NAT. I’m using PF firewall for NAT-ing my PPTP Server. here’s some output of my pf.conf (located in /etc/pf.conf) :

table const {10.14.200.252}
x
x
x
nat on bce1 proto {tcp,udp,icmp} from to any -> 222.124.204.236
x
x
x

x means line of PF rule. You should read PF manual documentation first!
Last section, is configuring IP address. IP address config located in /etc/rc.conf. Here’s some output :

defaultrouter="222.124.x.y"
hostname="bokep.mania.com"
ifconfig_bce0="inet 10.14.200.231 netmask 255.255.255.0"
ifconfig_bce1="inet 222.124.x.x netmask 255.255.255.224"
static_routes="internal"
route_internal="-net 10.14.0.0/16 10.14.200.1"
pf_enable="YES"
pf_rules="/etc/pf.conf"

that’s all the router configuration. Now, go to step 2, configuring PPTP Server.

2. Configuring PPTP Server.
a. IP Address Configuration. ip address config located in /etc/pf.conf. here’s some output :

defaultrouter="10.14.200.231"
hostname="end-pointA.ittelkom.ac.id"
ifconfig_rl0="inet 10.14.200.252 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 172.16.1.1 netmask 255.255.255.0"
gateway_enable="YES"

b. installing pptp server and radius server.
PPTP Server :

root@end-pointA# cd /usr/ports/net/poptop/
root@end-pointA# make install clean # wait until installation process are finished.

all poptop configuration, located in /usr/local/etc/pptpd.conf and /etc/ppp/ directory. here’s the ‘ls’ output of /etc/ppp/ directory :

root@end-pointA# ls /etc/ppp/
ppp.conf ppp.conf.ngakakak ppp.secure secure
ppp.conf.backup ppp.secret radius.conf

/usr/local/etc/pptpd.conf config file :

debug
nobsdcomp
proxyarp
localip 10.14.15.36
remoteip 172.16.1.2-254
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
mppc
#added
+chap
ipcp-accept-local
ipcp-accept-remote
deflate 0

/etc/ppp/ppp.conf config file :

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
# Server (local) IP address, Range for Clients, and Netmask
# if you want to use NAT use private IP addresses
#set ifaddr 10.14.15.7 10.14.15.10-10.14.15.20 255.255.255.255
set ifaddr 172.16.1.1 172.16.2-172.16.1.254 255.255.255.255
add default HISADDR
set server /tmp/loop "" 0177
loop-in:
#set ifaddr 10.14.15.7 10.14.15.10-10.14.15.20 255.255.255.255
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
disable pap
# Authenticate against /etc/passwd
#enable passwdauth
disable ipv6cp
enable proxy
accept dns
enable MSChapV2
enable mppe
set mppe * stateless
#enable mppc
disable deflate pred1
deny deflate pred1
set dns 10.14.203.7
set device !/etc/ppp/secure
set radius /etc/ppp/radius.conf

/etc/ppp/secure config file :

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

/etc/ppp/radius.conf config file :

auth 127.0.0.1 your-password-here
acct 127.0.0.1 your-password-here

last but not least, add pptpd_enable on /etc/rc.conf file :

pptpd_enable="YES"

finishh……….. configuring PPTP Server. next, configuring radius server

c. Radius server :
As AAA implementation, i’m using FreeRadius. I think, it’s the hardest part of configuring my PPTP Server. okay.. let’s start it.
installing freeradius :

root@end-pointA# cd /usr/ports/net/freeradius/
root@end-pointA# make config #choose MYSQL With MySQL user database
root@end-pointA# make install clean

All Freeradius config, located in /usr/local/etc/raddb. okay, i will give you my config one-by-one.
/usr/local/etc/raddb/clients.conf :

client 127.0.0.1 {
secret = your-password-here
shortname = localhost
}
client 172.16.0.0/16 {
secret = your-password-here
shortname = vpn-billing
}

/usr/local/etc/raddb/clients

localhost your-password-here

okay………. and then, create freeradius database structure. here’s step by step :
1. create database radius;
2. give user mysql-user to access or modify database radius with password mysql-password (grant insert, select, delete…………….)
3. on bash shell execute : mysql -u mysql-user -p radius < /usr/local/share/examples/freeradius/db_mysql.sql
and then, edit /usr/local/etc/raddb/sql.conf file. here’s some output :

sql {
server = "localhost"
login = "mysql-user"
password = "mysql-password"
radius_db = "radius"
x
x
}

x means another config lines. there’s lot of line, so i won’t post in here.
Because lot of line in freeradius config file, i will give you a link to download my own freeradius configuration
Of course, i also creating web based aplication to maintain vpn user account. thanks to adjiexx a.k.a AllDelta for creating VPN user management web based application. here’s sample code to insert new user on freeradius database (on PHP of course) :

$iq="insert into radcheck(username,attribute,value) values ('$nama','Password','$password')";
$iq2="insert into radreply(username,attribute,op,value) values ('$nama','Framed-IP-Address',':=','$ip')";
$iq3="insert into radreply(username,attribute,op,value) values ('$nama','Framed-IP-Netmask',':=','255.255.255.255')";
$iq4="insert into radreply(username,attribute,op,value) values ('$nama','Framed-Protocol',':=','PPP')";
$iq6="insert into radcheck(username,attribute,op,value) values ('$nama','Max-Monthly-Session',':=','$quota')";

of course you must add “radiusd_enable” on /etc/rc.conf :

radiusd_enable="YES"

last, installing squid. here’s step by step :

root@end-pointA# cd /usr/ports/www/squid
root@end-pointA# make install clean

and the sample config like this (squid.conf):

http_port 172.16.1.1:8080
cache_mem 512MB
cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64
cache_access_log /dev/null
cache_store_log none
cache_log /dev/null
cache_replacement_policy GDSF
pipeline_prefetch on
refresh_pattern /.gif 4320 50% 43200
refresh_pattern /.jpg 4320 50% 43200
refresh_pattern /.jpeg 4320 50% 43200
refresh_pattern /.png 4320 50% 43200
refresh_pattern ^http://www.friendster.com/.* 720 100% 10080
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 10080
refresh_pattern ^http://*.yahoo.*/.* 720 100% 7200
refresh_pattern ^http://*.google.com/.* 720 100% 10080
refresh_pattern ^http://www.telkomspeedy.com/.* 720 100% 28800
refresh_pattern ^http://*.blogsome.com/.* 720 80% 10080
refresh_pattern ^http://*.wordpress.com/.* 720 80% 10080
refresh_pattern ^http://detik.com/.* 720 90% 2880
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl outgoing src 192.168.10.2/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl admin src 172.16.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl xx snmp_community tuah
http_access allow manager
http_access allow localhost
http_access allow outgoing
http_access allow student
http_access allow admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localhost
icp_access allow student
icp_access allow admin
icp_access deny all

http_port 172.16.1.1:8080 means : squid will only listen to physical interface alias that we created on /etc/rc.conf file.
add “squid_enable” on /etc/rc.conf :

squid_enable="YES"

3. Client Configuration
I’m using windows XP. for connect to vpn server, make sure vpn server is located in 10.14.200.252.

finish

sorry for my bad english