Creating a VPN for “free” with mpd and FreeBSD
A few years ago when I was working remotely on a regular basis, I looked seriously into creating a Virtual Private Network (VPN) setup for our office network. A VPN is a handy thing: it lets your desktop computer(s) at the remote location (e.g. home office, client office, etc.) appear to be on the local network at the main office, which means network services like printing, file sharing, e-mail, etc. can all happen seamlessly without special “remote access” privileges, firewall modifications, and so on. Many organizations with telecommuting staff use VPNs these days to reduce the overhead and hassle of having remote systems that need to interoperate with the rest of the organization. This post talks about how, after a frustrating experience last time around, I easily got a VPN up and running this time.
When I first attempted the setup with an existing FreeBSD server at our office, my research indicated that using the Poptop server to serve a PPTP connection between my Mac OS X laptop and that server was the best way to go (in the low-cost do-it-yourself paradigm; there are certainly plenty of drop-in commercial solutions too, but I couldn’t justify $2,000 for my experimenting). I knew there were security issues with PPTP, but it would work fine for my purposes. The problem was that the Poptop daemon had to make use of the antiquated ppp kernel-land functionality in FreeBSD, and it was just so confusing to work with. Kernel recompiles, user creation, pap/chap/rap/hip-hop secrets, cryptic debugging output, and bad documentation - oh my. As much as I enjoy a good sysadmin challenge, configuring Poptop and ppp for a VPN was a nightmare.
I did finally get it working, and was even able to contribute something back to the community of folks using VPN on their Macs. And then I found that there were reliability issues with my Mac OS X VPN client and the PPTP protocol, and that combined with the latency of the DSL connection I was using at the time meant that I just couldn’t get the blissful “just like I’m there” feeling, no matter how I tried. So I gave up, and found alternate methods for tunneling in to the office, which have mostly been just fine.
Last night I was tinkering around and decided to scan the field again for easy VPN options. I found mpd - the multi-link PPP daemon for FreeBSD - and got interested again. When I saw that mpd could work with no kernel recompile and very minimal setup - and fit really well into FreeBSD’s standard third-party application structure - I got VERY interested, and gave it a shot. Using some of the guides available online, I used a FreeBSD port install and edited a few lines in the config files. This got me 99% of the way there, and I just had to enable proxy-arp (set iface enable proxy-arp) to get to 100%. I fired up my VPN client on OS X (which, in Tiger, has some great interface improvements, including split routing) and was connected without any trouble. I mounted some Samba shares, browsed some internal-only websites, and generally geeked out and relished in my oneness with the office network.
A VPN isn’t for everyone - consult your doctor/IT manager about the solution that’s right for you, but it’s nice to know it can be done this easily when needed. Thanks, mpd.
2 Responses to “Creating a VPN for “free” with mpd and FreeBSD”
The opinions expressed by individuals posting in the Summersault Weblog are not necessarily those of Summersault, LLC. While we try to ensure the quality and accuracy of the information presented here, we make no guarantees about its suitability for any particular purpose.


May 2nd, 2007 at 5:21 am
Too bad quite all the links (esp. the one for “Jonathan Sage’s simple setup steps”) are broken.
May 3rd, 2007 at 11:58 am
Olivier: I’ve fixed the broken links, sorry about that. Jonathan Sage’s document is no longer online, but I think I found an equivalent.
Also, for what it’s worth, we’ve since switched to using a low-cost embedded Linux appliance with a PPTP server on it, available from Secure Computing in their SnapGear line.