point to multipoint vpn

Is it possible, and how would this be done, to have a point-to-multipoint VPN on FreeBSD?

If I have an ADSL connection with a static IP I would like to be able to connect this box to more than one remote server and establish a VPN connection.

When a VPN is established is it still possible to have local Internet access through the local ADSL connection?

What would be the best way for a staff member using a Notebook to connect to the office as they travel around and access the office network via the internet?


I have found that mpd, located in the ports at "/usr/ports/net/mpd/", works very well.  PPTP is built into almost every version of Windows, so no extra client software needs to be installed on the PC. The server and client are very easy to set up and would probably take 1hr tops.

You can find more info at http://www.sourceforge.net/projects/mpd 

Here is a feature list...

      Multi-link PPP capability
      PAP, CHAP, and MS-CHAP authentication
      PPP compression and encryption
      Point-to-Point Tunnelling Protocol (PPTP)
      PPP over Ethernet (PPPoE)
      RADIUS (authentication and accounting)

Mpd also includes many additional features:

      Dial-on-demand with idle timeout
      Multiple active connections running simultaneously
      Dynamic demand based link management (also known as ``rubber bandwidth'')
      Powerful chat scripting language for asynchronous serial ports
      Pre-tested chat scripts for several common modems and ISDN TAs
      Clean device-type independent design
      Comprehensive logging

Poptop: http://poptop.org/
OpenVPN:  http://openvpn.net/
FreeS/WAN: http://freeswan.org/
IPSec: http://www.freebsddiary.org/pipsecd.php - uses IPSec

Each has its own advantages; for example, Poptop is the best for Windows compatibility.
I use and very strongly recommend OpenVPN, which is extremely fast, reliable, flexible, easy to configure, multiplatform, and uses OpenSSL based encryption.  http://openvpn.sourceforge.net

One particularly nifty thing about OpenVPN is that you can actually establish a working tunnel with a single command right from the shell prompt, with no config files whatsoever!  This is usually how I test out a new tunnel; just run the command right there at the prompt, and if it works, I kill the process and write the command up in an rc.d script and run it again from there.

Note: OpenVPN is available in the ports tree, but the version there is 1.x, and if you are going to be using this cross-platform (i.e. interfacing directly with Windows machines, not just tying two BSD boxen together) you will need to instead download and build 2.x from source, from openvpn.sourceforge.net.  When you do so, you'll need to pass arguments to ./configure either telling it not to bother building with LZO compression, or pointing it to the location of the headers and includes for LZO.
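As an added illustration of the two things the post above describes (not code from the thread or from the OpenVPN project): the one-command static-key test tunnel, and an OpenVPN 2.x "server" mode configuration that lets one FreeBSD box accept many clients at once, which is the point-to-multipoint setup the question asks about. It also shows the split-tunnel choice that decides whether the client keeps using its own ADSL link for ordinary Internet traffic. All host names, addresses and file paths are constructed placeholders; the shell functions only print the command and configuration text so they can be inspected before anything is written to /usr/local/etc/openvpn.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# All host names, addresses and paths are constructed placeholders.

KEYDIR=/usr/local/etc/openvpn   # assumed location for keys and certificates

# 1. One-shot point-to-point test tunnel with a pre-shared static key and no
#    config file. Run it on each end with the two --ifconfig addresses swapped;
#    the same static.key file must be present on both ends.
#    $1 = peer host/IP, $2 = local tunnel address, $3 = remote tunnel address
test_tunnel_cmd() {
    printf 'openvpn --remote %s --dev tun --ifconfig %s %s --secret %s/static.key --port 1194 --proto udp --verb 3\n' \
        "$1" "$2" "$3" "$KEYDIR"
}

# 2. Server side for many simultaneous clients (OpenVPN 2.x "server" mode).
#    With split=yes only the office LAN route (192.168.1.0/24, constructed)
#    is pushed, so each client's normal Internet traffic still leaves via its
#    own local connection. With split=no every packet is sent through the tunnel.
server_conf() {
    split="$1"
    cat <<EOF
port 1194
proto udp
dev tun
ca   $KEYDIR/ca.crt
cert $KEYDIR/server.crt
key  $KEYDIR/server.key
dh   $KEYDIR/dh2048.pem
tls-auth $KEYDIR/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/db/openvpn/ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn-status.log
verb 3
EOF
    [ "$split" = "yes" ] || echo 'push "redirect-gateway def1"'
}

# 3. Matching client side; the same file works with the Windows 2.x client.
#    remote-cert-tls (OpenVPN 2.1 or later) makes the client refuse a peer
#    that presents a client certificate instead of the server's certificate.
client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote office.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop1.crt
key laptop1.key
tls-auth ta.key 1
remote-cert-tls server
verb 3
EOF
}

# Reads a config on stdin; returns 0 when it leaves the client's own default
# route alone (split tunnel), 1 when it redirects everything through the VPN.
keeps_local_internet() {
    ! grep -q 'redirect-gateway'
}

# Usage: sh this.sh server|client  (prints the chosen config to stdout)
case "${1:-}" in
    server) server_conf yes ;;
    client) client_conf ;;
esac
```

The tls-auth line on both sides makes the server drop packets that are not signed with the shared ta.key before any TLS work is done, which keeps port-scanning and malformed-handshake traffic from reaching the TLS stack; the server's "0" and the client's "1" are the two key directions and must differ.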

Sorry Ivan, none of those is a good choice (except possibly Openswan, which I'm not sure runs on BSD).

OpenVPN will NOT do what you want... And I quote from the site:

 "There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP." ... "OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP"

No L2TP means no Windows client without buying software at 100 bucks a seat.

Ivan, you need to cut to the chase and buy a hardware VPN endpoint (the Linksys DI-808HV is a good choice), from 50 to 100 bucks depending on who makes it. LOOK FOR L2TP. That is the protocol you want. Also look for the number of tunnels. The 808HV will do 40 concurrently, but (from memory) only 8 can be laptops (L2TP) at any one time. But 8 concurrent users will melt your DSL line anyway. ;-)

Do not use PPTP; it is old and easy to break. Sorry I don't have better news, but that's the way life works sometimes. ;-(

> No L2TP means no Windows client without buying software at 100 bucks a seat.

Where do you get the $100/seat figure?  OpenVPN is free and GPL, and so is the Windows GUI.

OK, point taken... If you want your average Windows user trying to figure out how to configure a VPN from their laptop, then you have a solution...

If you want a solution that your end users will not destroy, and that -you know- they can actually use, then you have another problem.


There are "solutions" and then there are "solutions."
Poptop uses PPTP
OpenVPN uses SSL tunnel
FreeS/WAN uses L2TP+IPSec
Pipsecd uses L2TP+IPSec

There's one of each tunnel/encryption type there, and all are compatible with windows (some requiring extra software), if that is a requirement.

Do NOT just use L2TP..  L2TP is a tunneling protocol that offers no encryption.  Most tunnels using L2TP use IPSec, which adds encryption, and a second level of overhead.  SSL is the cheapest on overhead, and PPTP is the most compatible for least overhead.

For staff members using notebooks, PPTP is definitely the best way to go... it's compatible, easy to install and use, requiring no extra software installation on Windows notebooks.

For a more secure VPN, try SSL, which allows the use of certificates and other authentication technologies, and is cross-platform by providing a connectivity application for each platform.

I would only recommend L2TP+IPSec for permanent installations, as it has the ability to re-establish lost connections, but relies on both ends using static IPs, unless it's in a road warrior configuration.

> For staff members using notebooks, PPTP is definitely the best way to go... it's compatible, easy to install and use, requiring no extra software installation on Windows notebooks.

PPTP can nearly be broken in real time today. If you want to keep people from reading your email or maybe some simple business correspondence, OK... BUT if you have real data (one of my clients is an investment banker), use L2TP+IPSec.

I'd say an even split between the first three commenters, all of whom provided workable solutions to fit the question.

I do not include Bienville because of giving erroneous information, leading the poster to believe he can't do what he wants.