Configuring PPTP VPNs

FireRack has support for PPTP, L2TP and IPsec VPNs.  This document focuses on PPTP, which is the simplest to set up and connect to from a Windows client.

There are several ways to set up PPTP (or L2TP) VPN accounts on FireRack.  The most commonly used method provides a unique virtual interface and security zone policy for each VPN client.  This is ideal for a small number of VPN clients, provides better security (each client is governed by its own zone policy) and can also allow entire subnets to be routed via a PPTP connection.  This method is covered in detail in this document.

The two other methods allow virtual interfaces and security zones to be shared between multiple clients, but each client may only have a single IP address routed to it.  In the first, IP addresses are assigned through the Host Address Registration system, which associates each assignment with a VPN security zone and a user; the usernames and passwords are configured through the main user access control list.  Shared security zone VPNs configured by this method can be mixed with the dedicated security zone VPNs that this document describes.

The other shared security zone method uses an external RADIUS authentication server (e.g. a Windows domain controller running IAS) to authenticate connections and assign IP addresses.

Enabling PPTP

Before configuring your VPN accounts you should ensure that PPTP is enabled on your firewall.  

  1. Go to the 'Interfaces and Zones' section
  2. Click on the VPNs tab
  3. Choose the Server Settings sub-tab
  4. Set the 'Local address bound to server interfaces' setting.  This is the IP address that will be assigned to the firewall's virtual interface in every incoming PPTP/L2TP connection.  This is normally an RFC 1918 private IP address.  It does not need to be unique to the VPN interfaces; you can for example use the same IP address as you use on one of your Ethernet interfaces.  However, do not use an external IP address or any IP address that the VPN client is likely to connect to.
  5. If you want the VPN clients to be able to resolve host names on your network, specify one or both DNS server settings.  You may wish to set just one DNS server, to the same address as the 'Local address bound to server interfaces' setting, so that the VPN client uses the DNS server on the firewall.
  6. If you want the VPN clients to be able to access Windows or NetBIOS services on your network, you may wish to set the WINS settings to point at your servers.
  7. Choose the Server Settings sub-tab
  8. Ensure that the PPTP service is ticked.  Note that this setting governs the boot time status of the PPTP service only.  To start the service after the firewall has booted, SSH to the firewall and run '/etc/init.d/pptpd start'.
  9. In the Services firewall policy for your external security zone (and also any internal zones you wish to test this from) you will need to configure pairs of rules to allow the PPTP VPN traffic from the external IP address of each machine or subnet running the VPN clients (or all IP addresses if you prefer).  Each pair of rules should consist of one rule to allow PPTP control connections (specify protocol TCP, any source port, destination port PPTP/1723) and one rule to allow GRE (specify protocol GRE).

VPNs with Dedicated Security Zones

Typically, for each VPN client you will configure a single virtual server interface and add a single zone to this interface.

To create the virtual interface, 

  1. Go to the 'Interfaces and Zones' section
  2. Click on the VPNs tab
  3. Choose the 'Virtual Interfaces' sub-tab if it is not already selected
  4. Click on 'Add New Server Interface' in the 'L2TP / PPTP Server Interfaces' box.
  5. Fill in a description for the VPN interface
  6. Fill in a login and password
  7. In the 'address to assign to VPN client' box specify the remote virtual IP address.  This is the IP address that will be assigned to the virtual interface at the client end of the VPN connection, and should be a unique address on your network and be within the network range for the zone you intend to configure on it (see below).
  8. Leave all other interface settings at their defaults, and save the interface definition
  9. You will be prompted if you wish to add a zone to the new interface: say 'Yes' and follow the instructions in one of the next two sections.

Security Zone Configuration for a Simple VPN client with single IP address

In a typical PPTP VPN configuration the client will be a Windows PC running the Microsoft VPN client.  In such a scenario you will normally be assigning a single RFC 1918 private IP address to the VPN client.  For such a configuration, the zone comprises a single IP address.  The network/host definition on the zone should hence exactly match the IP address in the Interface configuration.

Typically, FireRack administrators will nominate a specific subnet to use exclusively for assigning IP addresses to all of their VPNs, although this is not a requirement and it is possible to assign different IP addresses if you wish.

Usually, you will NOT want to assign an IP address to a VPN client which lies within a subnet used on any of your Ethernet zones.  If you were to do so, you would have to enable Proxy ARP on that Ethernet interface in order for the VPN client to access other hosts within that zone, and you may experience difficulties due to broken PMTU behaviour on Windows servers.  However, one reason why some people choose to do this is that it may allow you to avoid the need to configure routes on the Windows client (see later).

  1. When configuring the virtual interface as detailed above, specify the unique IP address you want to use for the VPN client and choose to add a zone to the new interface.
  2. Either choose to create a new zone or copy an existing zone. 
  3. If you choose to copy an existing zone, you can use this to copy the configuration and more importantly all the firewall rules from another VPN zone you have set up previously.  Select the zone you wish to copy from, then specify which rules you want to copy and confirm the copy operation.
  4. Amend the name of the new zone as desired.
  5. Click on 'change' next to the 'Network or Host'. 
  6. In the 'Networks and Hosts' pop-up window, click the '+' symbol and choose host.
  7. Enter the same IP address as you entered for the interface configuration.  
  8. Amend the description of the host as desired and 'Save' it.
  9. All other options for the security zone can be left at their defaults; click on 'Save'.

You may at this point wish to modify the firewall policy for the new security zone.  If you created a new zone without copying an existing one, you will certainly want to add some firewall rules, as the default policy in Connection Filtering and Services is to drop everything.  It is strongly recommended that you add a Services rule allowing ping requests so that the connection can be verified from the client end.  If you specified one of the firewall's own IP addresses in the DNS settings given out by the PPTP server, you will also need to ensure the Services policy permits DNS requests.

Configuring Routes with Windows PPTP/L2TP client

When a VPN connection is configured on Windows, the options available via the GUI for configuring routes via the VPN are very limited: you have a simple tick box that creates a default route via the VPN.   Normally you will not want to have this enabled when using FireRack as the VPN server since this will cause the client machine to route all its Internet traffic via the VPN to the FireRack.

However, without a default route via the VPN, Windows will only configure a route to the Class A, B or C subnet enclosing the IP address it was assigned (classful addressing hasn't been used on the Internet for quite some time now, so this route rarely matches the networks you actually need to reach).

Once the VPN has been brought up for the first time you can configure any extra routes needed via the VPN from the Windows command prompt on the client machine.   This is done using the 'route' command and specifying the IP address assigned to the VPN client as the gateway address.

For example:

c:\>  route -p add 192.168.100.0 netmask 255.255.255.0 192.168.200.67 metric 1

This example would create a route to 192.168.100.0/24 via the VPN and assumes that the IP address the FireRack assigns to this VPN client is 192.168.200.67.  The '-p' option makes this a permanent route meaning that Windows should restore it whenever the VPN connection is brought up.
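The following PowerShell script is an added example, not part of the FireRack documentation: it generalises the single route above to a list of subnets, reads the client address the FireRack assigned from the VPN's PPP adapter instead of hard-coding it, and skips routes that already exist.  It assumes the Windows VPN connection is named "FireRack" and that the subnets in $Subnets are placeholders to be replaced with your own.

```powershell
# Added example (not from the FireRack documentation). Assumptions: the Windows VPN
# connection is named "FireRack" (its PPP adapter gets that InterfaceAlias) and the
# prefixes in $Subnets are placeholders for the networks behind the firewall.
param(
    [string]$ConnectionName = "FireRack",
    [string[]]$Subnets = @("192.168.100.0/24", "192.168.101.0/24")
)

# route.exe wants a dotted mask, so expand the CIDR prefix length into one.
function ConvertTo-DottedMask([int]$PrefixLength) {
    $octets = foreach ($i in 0..3) {
        $bitsInOctet = [math]::Min(8, [math]::Max(0, $PrefixLength - 8 * $i))
        [int](256 - [math]::Pow(2, 8 - $bitsInOctet))
    }
    return $octets -join '.'
}

# The address the FireRack assigned to this client appears on the PPP adapter once
# the connection is up; as described above, it is also the gateway for VPN routes.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -eq $ConnectionName } |
    Select-Object -First 1 -ExpandProperty IPAddress

if (-not $vpnAddr) {
    Write-Error "VPN connection '$ConnectionName' is not up; connect first, then re-run."
    exit 1
}

foreach ($cidr in $Subnets) {
    $network, $bits = $cidr -split '/'
    if (Get-NetRoute -DestinationPrefix $cidr -ErrorAction SilentlyContinue) {
        Write-Host "Route to $cidr already present, skipping."
        continue
    }
    $mask = ConvertTo-DottedMask ([int]$bits)
    # -p makes the route persistent so Windows restores it when the VPN reconnects.
    & route.exe -p add $network mask $mask $vpnAddr metric 1
    # Confirm the route landed rather than trusting route.exe's exit code.
    if (-not (Get-NetRoute -DestinationPrefix $cidr -ErrorAction SilentlyContinue)) {
        Write-Warning "Route to $cidr was not added; check the VPN adapter and run as Administrator."
    }
}

# Show every IPv4 route that now goes via the VPN adapter.
Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $ConnectionName |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize
```

Run it from an elevated PowerShell prompt after the VPN has been connected for the first time; route.exe needs administrative rights to add persistent routes.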