Hi all, I'm having some issues with getting poptop to work and I think I have it narrowed down to proxy ARP, but am stuck now.

The setup is I'm using OpenBSD 4.8 as a firewall/router/DNS/DHCP/VPN system and am trying to connect via the Windows XP built-in VPN client to poptop 1.34 on my OpenBSD box. I can connect fine and ping the OpenBSD box, but can't ping any of the other hosts on the remote network.

I ran tcpdump on the LAN interface of my OpenBSD box, filtering on the host I am trying to ping, and see it make an ARP request for the MAC of my remote client's tunnel IP address and never receive a response. If I manually add an entry to the ARP table for the tunnel IP with the MAC of my OpenBSD box's LAN interface, everything works.
Before anyone responds, I am well aware of the inherent limitations of PPTP and that it is not the most secure solution, but in MY situation it is an acceptable trade-off to not have to install third-party VPN client software on the remote clients or manage a PKI.
Does anyone have any ideas? Do I need to write ip-up and ip-down scripts to add the ARP entries? The following are the contents of my configuration files.
pptpd.conf
Code:
option /etc/ppp/options
noipparam
remoteip xxx.xxx.xxx.201-210
pidfile /var/run/pptpd.pid
options
Code:
lock
auth
usehostname
proxyarp
+MSChap-V2 mppe-128 mppe-stateless
ppp.conf
Code:
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 set mppe * stateful
 # Server (local) IP address, range for clients, and netmask
 # Use the same IP addresses you specified in /etc/pptpd.conf :
 set ifaddr xxx.xxx.xxx.200 xxx.xxx.xxx.201-xxx.xxx.xxx.210 255.255.255.255
 set server /tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 # Disable unsecured auth
 disable pap
 disable chap
 enable mschapv2
 disable deflate pred1
 deny deflate pred1
 disable ipv6
 accept mppe
 # Publish the peer's tunnel address on the LAN with a proxy ARP entry
 enable proxy
 accept dns
 # DNS servers to assign client
 # Use your own DNS server IP address :
 set dns xxx.xxx.xxx.1
 # NetBIOS/WINS servers to assign client
 # Use your own WINS server IP address :
 set nbns xxx.xxx.xxx.1
 set device !/etc/ppp/secure
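To make the tcpdump check described in the post repeatable, here is an added diagnostic (not from the original post or the poptop project) that replays constructed `tcpdump -n arp` lines from the LAN interface and reports which addresses in the remoteip pool were asked for but never answered; the 192.0.2.x addresses are placeholders for the post's xxx.xxx.xxx.x.

```python
"""Flag tunnel-pool addresses whose ARP requests go unanswered on the LAN.

Added diagnostic, not part of the original post.  An address listed by
unanswered_tunnel_arp() was requested by a LAN host but nobody (the ppp
server included) replied for it, i.e. no proxy ARP entry is published.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <lan> arp` output, not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000000 arp who-has 192.0.2.203 tell 192.0.2.50
12:00:02.000000 arp who-has 192.0.2.203 tell 192.0.2.50
12:00:03.000000 arp who-has 192.0.2.200 tell 192.0.2.50
12:00:03.000100 arp reply 192.0.2.200 is-at 00:00:5e:00:53:01
12:00:04.000000 arp who-has 192.0.2.205 tell 192.0.2.60
12:00:05.000000 arp who-has 192.0.2.77 tell 192.0.2.50
"""

WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def tunnel_pool(first, last):
    """Expand a pptpd-style remoteip range, e.g. .201 through .210."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return {str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)}


def unanswered_tunnel_arp(capture, pool):
    """Return {tunnel_ip: request_count} for pool addresses that were
    requested on the LAN and never answered by any host."""
    asked, answered = defaultdict(int), set()
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if m and m.group(1) in pool:      # only the VPN client pool matters
            asked[m.group(1)] += 1
            continue
        m = REPLY.search(line)
        if m:
            answered.add(m.group(1))
    return {ip: n for ip, n in asked.items() if ip not in answered}


if __name__ == "__main__":
    pool = tunnel_pool("192.0.2.201", "192.0.2.210")
    for ip, n in sorted(unanswered_tunnel_arp(SAMPLE_CAPTURE, pool).items()):
        print(f"{ip}: {n} ARP request(s), no reply -> not published on LAN")
```

Pipe a real capture in with `tcpdump -n -l -i <lan> arp` instead of the constructed sample; an empty result means the server is answering ARP for the tunnel addresses.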