| PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2 which has been compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.
More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
This chapter is intended to outline several different PPTP VPN type setups, it includes a how-to on setting up a Windows XP PPTP client to connect to the pfSense PPTP VPN server. Later versions of this document will include Mac, Linux and other clients.
Configuring the PPTP server on a pfSense box requires moderate knowledge of TCP/IP Inter-networking and subnetting. Also required is at least a basic, working configuration of pfSense.
First figure out which public IP address you want to use to terminate the PPTP connection on.
For the sake of simplicity, I will not use redirection.
Click the "Enable PPTP server" radio button. Next, set an IP address for the "Server address" field. This address will be used for the server side of the Point2Point network, and it should be either in an unused subnet, or an unused IP address outside the range of IPs you will use for PPTP clients.
The remote address range defines the range of IP addresses that will be assigned to PPTP clients. The field hardcodes the subnet mask to /28, which creates a subnetwork with 14 available host addresses (plus one for the network address, and one for the broadcast address). In my example, I define a subnet with the following characteristics:
Network: 192.168.1.208/28 11000000.10101000.00000001.1101 0000
HostMin: 192.168.1.209 11000000.10101000.00000001.1101 0001
HostMax: 192.168.1.222 11000000.10101000.00000001.1101 1110
Broadcast: 192.168.1.223 11000000.10101000.00000001.1101 1111
In my example PPTP VPN config I have chosen a subnet that lies within the LAN network, but that is outside the range of IPs that I use for servers and other networking equipment. This allows for easy rule configuration. Note that because you can define rules based on the pptp interface, this isn't strictly required.
Do check the 'require 128bit encryption' to enable the mppe-128 we'll use from the WinXP VPN client.
Again for the sake of simplicity I have left the RADIUS options unchecked. If you have an enterprise AAA server, or a ghetto-tech freeradius server you can utilize it here.
Now create usernames and passwords for your PPTP VPN users. If you specify an IP address in the IP address field, make sure the address is within the range you've specified in the Subnetting and VLAN routing section. Hard-coding an IP address for a particular user is good if you want to restrict access to particular resources by user, rather than by the PPTP interface itself.
Now go into the firewall rules section and select the PPTP interface.
Note that you do not need to manually create the rules required to allow PPTP itself to function. (Pfsense automagically creates the following rules to allow GRE and TCP/1723 to pass inbound to your PPTP termination point).
pass quick proto gre all keep state label "allow gre pptpd"
pass quick proto tcp from any to any port = pptp keep state label "allow pptpd 127.0.0.1"
Note that if you want to manually restrict the PPTP service to only be available from particular subnets or IP addresses you'll need to do it outside the GUI <fixme: how are implied and/or automatic rules handled? where do we modify them?>
Now, what we do need to do is create some rules to allow the PPTP users to access the resources they need.
In my example I have added (liberal) rules to allow all traffic from the PPTP interface to the LAN and DMZ subnets. Note that the picky amongst us can further restrict the protocol, source and destination parameters as required.
Start --> Control Panel --> Network Connections
File --> New Connection --> Next
Connect to the network at my workplace --> Next
Select VPN connection --> Next
Enter descriptive name for connection --> Next
Do not dial the initial connection --> Next
Enter hostname or PUBLIC IP address of the PPTP server --> Next
Note that in this example the IP here is RFC1918 private, however that’s only because in my lab environment the WAN IP is on a private segment.
Select do not use smart card --> Next <Fixme: we should support PKI based auth for PPTP VPN at some point>
Click on Finish
That is all that is required. Now, if you will be accessing resources on the VPN network that are not directly connected to the firewall itself, you will probably want to skip this step.
If you do skip this step when you connect to the PPTP server, your default gateway for ALL traffic will be via the PPTP VPN. With the current ruleset I’ve created in this example, this means that you will be unable to reach any resources outside the LAN or DMZ subnets.
To remedy the situation, click on Properties
Click on Networking --> Internet Protocol
Properties --> Advanced
Uncheck “use default gateway on remote network”
Click OK, OK, OK
Now enter your username and password (configured during the PPTP User Setup process)
Click on Connect
Should get Connecting --> Verifying username & password --> Authenticated
Now right click on the tray icon for the VPN connection --> Properties --> Details
Ensure that we are using MSCHAP v2 and MPPE 128
Now attempt to ping the LAN interface of the firewall:
|dc@ryokosha:~# ping 192.168.1.254|
Pinging 192.168.1.254 with 32 bytes of data: Reply from 192.168.1.254: bytes=32 time=1ms TTL=64 Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Now attempt to ping a host on the LAN segment (note this requires that the rules for the PPTP interface are configured per my example).
|dc@ryokosha:~# ping 192.168.1.1|
Pinging 192.168.1.1 with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time=2ms TTL=254 Reply from 192.168.1.1: bytes=32 time=1ms TTL=254
This document would have borrowed very heavily from the m0n0wall documentation, if I had looked at it before visiting this page. Thanks to firstname.lastname@example.org for mad skill @ reinventing the wheel.