Big PPTP server

Ganbold ganbold at micom.mng.net
Fri Aug 11 03:00:19 UTC 2006


Brett Glass wrote:
> I've been asked to work on a PPTP server for a large company which has 
> up to 100 users tunneling in at once. They currently have a FreeBSD 
> machine set up to use FreeBSD's userland PPP together with the PoPToP 
> pptp daemon. (They have a hacked version of PoPToP which allows 
> different instances of the daemon to invoke PPP with different labels, 
> letting them set up for different sorts of connections on different 
> IPs.) But as the number of users has grown, PoPToP has started to act 
> strangely. It's giving them odd errors, saying that it's out of buffer 
> space and such. I think it's stretched to the limit.
>
> I'm looking at building a VPN server for them using FreeBSD and mpd. 
> But I've never used mpd before, primarily because it seems to work in 
> mysterious ways. Its configuration is a bit odd, and it lacks some of 
> the features of userland PPP. For example, you must put a separate 
> entry for each incoming connection (or "link") in the configuration 
> file. But since you don't know which incoming user is going to get 
> which connection, you have to create dozens and dozens of identical 
> links -- a tremendous waste of space! (Userland PPP lets you specify a 
> single label to which all PPTP connections must go and creates "tun" 
> devices on the fly as needed for the link.) 
It will be much easier if you can write a script to generate the mpd 
config files. I'm generating config files that way for PPPoE.
> What's more, you have to allocate Netgraph nodes for all of them in 
> advance. You also do not have the ability to change the configuration 
> for different users, because you don't know which user will get which 
> of the links -- and the mpd.secret file, unlike the ppp.secret file, 
> doesn't let you jump to a label once you find out the user's identity. 
> The company wants to throttle bandwidth by user, so I need to be able 
> to distinguish between users to do this.
Did you try RADIUS?
>
> This company wants some users to have unroutable addresses that can't 
> escape their network without NAT, and others to have routable 
> addresses. I'm experimenting with what happens if you create two sets 
> of links which "listen" on different IP addresses, but this will make 
> the configuration file yet larger.
>
> Are there any mpd gurus out there who can give me a quick opinion as 
> to whether it's feasible to use mpd for this application -- and spend 
> some consulting time telling me how so that I don't have to flail 
> around experimenting? If I can't use mpd and PoPToP isn't working, 
> what other options are there for a good PPTP server?
>
> --Brett Glass
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
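The reply above suggests generating the repetitive mpd link/bundle entries with a script rather than writing dozens of identical labels by hand. The script below is an added example for this thread, not code from either poster or from the mpd project. It emits mpd.conf and mpd.links fragments in the mpd 3.x style of 2006 (a "default" label that loads one bundle label per link, each created with "new -i ngN", and one link label per link in mpd.links). It also goes one step beyond the reply and covers the two-pool setup Brett describes: each group listens on its own address ("set pptp self") and hands out peer addresses from its own range, so one group can get routable addresses and the other private ones. The group names, listen addresses, address pools, label names and the exact set of options in the shared "pptp_standard" label are assumptions to adapt; check them against the mpd manual for the version actually installed.

```shell
#!/bin/sh
# Generate mpd 3.x-style mpd.conf and mpd.links fragments with N identical PPTP
# links per listen address.  Each link gets its own bundle label, its own ngN
# interface and its own single-address IPCP peer range, which is exactly the
# boilerplate that is tedious to write by hand.
# Added example for this thread; addresses, label names and the option set in
# pptp_standard are constructed placeholders, not a real deployment.
set -eu

# One group per line:
#   label_prefix listen_ip link_count first_ng_index server_ip peer_prefix first_peer_octet
# "pub" hands out routable-style addresses, "priv" hands out private ones
# (constructed sample values; use your own ranges).
LINK_GROUPS='pub 203.0.113.10 3 0 192.0.2.1 192.0.2 10
priv 203.0.113.11 2 3 10.10.0.1 10.10.0 20'

# Settings shared by every generated bundle (assumed option set; adjust to policy).
STANDARD='pptp_standard:
    set iface disable on-demand
    set iface idle 1800
    set bundle disable multilink
    set link yes acfcomp protocomp
    set link no pap
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set pptp enable incoming
    set pptp disable originate
'

# Run a shell snippet once per generated link with $p $i $lip $ng $sip $pp $po set.
for_each_link() {
    printf '%s\n' "$LINK_GROUPS" | while read -r p lip n ng sip pp po; do
        i=1
        while [ "$i" -le "$n" ]; do
            eval "$1"
            i=$((i + 1))
        done
    done
}

# mpd.conf fragment: "default" loads every bundle, then one label per bundle.
gen_mpd_conf() {
    printf 'default:\n'
    for_each_link 'printf "    load %s%d\n" "$p" "$i"'
    printf '\n%s\n' "$STANDARD"
    for_each_link '
        label="$p$i"
        printf "%s:\n" "$label"
        # interface index and peer address both advance with the link number
        printf "    new -i ng%d %s %s\n" $((ng + i - 1)) "$label" "$label"
        printf "    set ipcp ranges %s/32 %s.%d/32\n" "$sip" "$pp" $((po + i - 1))
        printf "    load pptp_standard\n\n"'
}

# mpd.links fragment: one pptp link per label, bound to its group listen address.
gen_mpd_links() {
    for_each_link '
        printf "%s%d:\n    set link type pptp\n    set pptp self %s\n\n" "$p" "$i" "$lip"'
}

# Number of bundles in the generated mpd.conf (sanity check: must equal the sum of link_count).
count_bundles() { gen_mpd_conf | grep -c 'new -i ng'; }

case "${1:-}" in
    conf)  gen_mpd_conf ;;
    links) gen_mpd_links ;;
esac
```

Run it as `sh gen-mpd.sh conf > mpd.conf` and `sh gen-mpd.sh links > mpd.links`; to go from 5 links to 100, change only the link_count fields. Note that each bundle still needs a distinct peer address because `set ipcp ranges` with a /32 peer assigns exactly one, so the script computes it from the link number. Generating the file removes the copy-and-paste burden, but it does not change which user lands on which link; per-user policy such as bandwidth limits still has to come from somewhere that knows the authenticated identity, which is why the reply points at RADIUS.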