PPTP VPN Configuration in pfSense


Configuring the PPTP VPN settings in pfSense 2.2.4.

A virtual private network is a means of extending a private network across a public network. The public network is most commonly the Internet, although not always. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network. A VPN establishes a virtual point-to-point connection to the destination network. Major implementations of VPNs include OpenVPN, IPsec, L2TP and PPTP.

pfSense makes it easy to set up a VPN connection, with support for all four of the abovementioned VPN protocols. [m0n0wall, which I used prior to making pfSense my primary firewall, supported IPsec and PPTP.] In this article, I will demonstrate how to configure a PPTP connection with pfSense, and connect to it with a Mint Linux system.

PPTP VPN Configuration: Configuring the PPTP Server

After logging into your pfSense firewall, navigate to VPN -> PPTP. From the Configuration tab, select the Enable PPTP server radio button. For Server address, you should enter an IP address on an unused subnet. For Remote address range, you should specify the starting address for VPN users (presumably on the same subnet as the server address). Scroll to the bottom and check the Require 128-bit encryption check box. Press the Save button at the bottom of the page.

Now PPTP is enabled, but we still have to create users and a firewall rule. Click on the Users tab and press the Plus button to add a user. Enter a username and password (you have to enter it twice). If you want to assign a specific IP address to this user, you can do it here. Press the Save button when you’re done.


Creating a firewall rule to allow traffic to pass from the VPN to the LAN.

Now all we have to do is add a firewall rule. Navigate to Firewall -> Rules. You will see that in addition to tabs for all your interfaces (LAN, WAN, DMZ/OPT1, etc.) there is a tab for PPTP. Click on that tab, and click on the Plus button to the right of the table to add a rule. For Destination, select LAN net (to allow access to the LAN network from our VPN), and for Destination port range, select any. Add a brief Description (e.g. “Allow PPTP to LAN”) and press the Save button. [All other settings can be kept at the default values.] Once the rule is saved, press the Apply changes button on the next page to force a reload of the firewall rules.

PPTP VPN Configuration: Testing the Connection in Linux Mint

Our setup of the pfSense firewall for VPN is complete; now we need to test it. Your mileage may vary depending on what operating system you use. I used Mint Linux to connect. In Linux Mint, click on the connection icon in the system notification area of the toolbar. A box with various networking options should appear. In this box, click on Network Connections. This should open the Network Connections dialog box. [You can also reach this dialog box by navigating to Preferences -> Network Connections on the Mint Linux menu, also accessible from the toolbar.] In this dialog box, click on the Add button. This will launch the Choose a Connection Type dialog box; choose Point-to-Point Tunneling Protocol (PPTP) and press the Create button. At Gateway (on the VPN tab), enter the WAN IP address of your pfSense firewall (or the domain name of your WAN gateway, if you have one). For User name and Password, enter the username and password you created when you were setting up PPTP on your pfSense box. Press the Advanced button and check the Use Point-to-Point encryption (MPPE) check box. This will enable the Security dropdown box; select 128-bit (most secure). Check the Allow stateful encryption check box. Press the OK button to save these settings. Next, click on the IPv4 Settings tab and for Method, select Automatic (VPN) addresses only from the dropdown box. Click on the Save button at the bottom of the dialog box to save the VPN connection settings.


Configuring the advanced settings in Mint Linux for our VPN connection.

Now, the VPN connection settings are saved and you should be able to connect. Again click on the connection icon in the system notification tray. In the box that appears, there should be a new section called VPN Connections. Click on the VPN connection you just created (most likely, VPN connection 1). When you do, Linux Mint will try to establish a VPN connection. If it works, you should be connected to the VPN.

If it doesn’t work, there can be several reasons. If the connection attempt fails without even connecting to your pfSense box, then you should make sure that the WAN interface of your pfSense box is reachable from your network. If, however, Mint Linux is able to connect to your pfSense box but the connection still fails (the more likely scenario), your VPN connection settings may be incorrect. In particular, you should check to make sure the security settings are correct (you must choose 128-bit encryption and allow stateful encryption). If you double-check the settings and everything seems to be right and you still cannot connect, then the mistake may have been how you configured PPTP in pfSense, so you probably should double-check those settings. If you are now connected to the VPN, you should be able to access LAN resources the same as a local LAN user would be able to access them.
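The client-side settings check described above can also be run against the saved connection profile instead of re-reading the dialog boxes. This is an added example, not code from the original article; it assumes the profile is stored as a NetworkManager keyfile using the NetworkManager-pptp plugin's key names, and the gateway and user in the sample are constructed placeholders.

```python
import configparser

# Constructed sample keyfile (placeholder gateway/user, not from the article).
# It deliberately omits mppe-stateful to show a failing check.
SAMPLE_KEYFILE = """\
[connection]
id=VPN connection 1
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.pptp
gateway=vpn.example.net
user=vpnuser
require-mppe-128=yes
password-flags=1

[ipv4]
method=auto
ignore-auto-dns=true
"""

PPTP_SERVICE = "org.freedesktop.NetworkManager.pptp"


def audit_pptp_keyfile(text):
    """Return a list of mismatches against the client settings in the article."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("vpn"):
        return ["no [vpn] section: not a VPN connection profile"]
    vpn = cp["vpn"]
    problems = []
    if vpn.get("service-type") != PPTP_SERVICE:
        problems.append("service-type is not PPTP")
    if not vpn.get("gateway"):
        problems.append("gateway is empty (expected the pfSense WAN address)")
    if not vpn.get("user"):
        problems.append("user is empty (expected the PPTP user created in pfSense)")
    if vpn.get("require-mppe-128", "no") != "yes":
        problems.append("128-bit MPPE is not required")
    if vpn.get("mppe-stateful", "no") != "yes":
        problems.append("stateful encryption is not allowed")
    # "Automatic (VPN) addresses only" is stored as method=auto
    if cp.get("ipv4", "method", fallback="") != "auto":
        problems.append("IPv4 method is not automatic (VPN)")
    return problems


if __name__ == "__main__":
    for line in audit_pptp_keyfile(SAMPLE_KEYFILE) or ["profile matches the article"]:
        print(line)
```

To audit a real profile, pass the contents of its keyfile to `audit_pptp_keyfile`; reading files under `/etc/NetworkManager/system-connections/` normally requires root.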

One final note: VPN connections are encrypted, and encrypting data requires additional CPU power. One user connecting via VPN shouldn’t create an appreciable strain on the CPU, but 50 VPN users surely will. There is specialized hardware that you can purchase; Soekris is the most prominent manufacturer of such hardware, and installing it in your pfSense box will relieve the CPU of the computing-intensive tasks of encryption and compression. In most cases, however, the cheaper option is to just buy a faster CPU. In any case, you will probably want to consider VPN usage when you develop the specifications for your pfSense box.

External Links:

Virtual private network on Wikipedia.

Product page for vpn 14×1 products on the Soekris website.


© 2013 David Zientara. All rights reserved.