Date: Thu, 10 Aug 2006 20:43:28 -0600
From: Brett Glass <brett@lariat.net>
To: net@freebsd.org
Subject: Big PPTP server
Message-ID: <7.0.1.0.2.20060810201735.067258b0@lariat.net>
I've been asked to work on a PPTP server for a large company which has up to 100 users tunneling in at once. They currently have a FreeBSD machine set up to use FreeBSD's userland PPP together with the PoPToP pptp daemon. (They have a hacked version of PoPToP which allows different instances of the daemon to invoke PPP with different labels, letting them set up for different sorts of connections on different IPs.) But as the number of users has grown, PoPToP has started to act strangely. It's giving them odd errors, saying that it's out of buffer space and such. I think it's stretched to the limit.

I'm looking at building a VPN server for them using FreeBSD and mpd. But I've never used mpd before, primarily because it seems to work in mysterious ways. Its configuration is a bit odd, and it lacks some of the features of userland PPP. For example, you must put a separate entry for each incoming connection (or "link") in the configuration file. But since you don't know which incoming user is going to get which connection, you have to create dozens and dozens of identical links -- a tremendous waste of space! (Userland PPP lets you specify a single label to which all PPTP connections must go and creates "tun" devices on the fly as needed for the link.) What's more, you have to allocate Netgraph nodes for all of them in advance. You also do not have the ability to change the configuration for different users, because you don't know which user will get which of the links -- and the mpd.secret file, unlike the ppp.secret file, doesn't let you jump to a label once you find out the user's identity.

The company wants to throttle bandwidth by user, so I need to be able to distinguish between users to do this. This company wants some users to have unroutable addresses that can't escape their network without NAT, and others to have routable addresses.

I'm experimenting with what happens if you create two sets of links which "listen" on different IP addresses, but this will make the configuration file yet larger. Are there any mpd gurus out there who can give me a quick opinion as to whether it's feasible to use mpd for this application -- and spend some consulting time telling me how so that I don't have to flail around experimenting? If I can't use mpd and PoPToP isn't working, what other options are there for a good PPTP server?

--Brett Glass
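The "dozens and dozens of identical links" and the two listen addresses described in the message above can be produced mechanically rather than typed by hand. The script below is an added example written for this page; it is not Brett's configuration and not part of mpd or FreeBSD. The mpd.conf command syntax it emits follows the mpd PPTP-server sample in the FreeBSD Handbook of that era (one label per simultaneous session, each creating its own bundle, link and ngN interface, all loaded from the default label). Every address, pool size, label name (pub, priv, pptp_standard) and the gen_pool/gen_conf function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the one-label-per-
# session mpd.conf that mpd needs, split into two pools that listen on
# different addresses, so a 100-session file is a loop, not 100 pasted
# blocks. Command syntax follows the FreeBSD Handbook mpd PPTP sample;
# all addresses, counts and label names are assumptions.

# gen_pool NAME SELF_IP GATEWAY CLIENT_PREFIX FIRST_OCTET COUNT IF_START
#   Emits COUNT labels NAME0..NAME(COUNT-1). Each creates a bundle and a
#   link of the same name on netgraph interface ngN (N counted from
#   IF_START so two pools never collide), listens on SELF_IP and hands the
#   peer one /32 from CLIENT_PREFIX.FIRST_OCTET upwards. Returns 1 rather
#   than emitting a bogus address if the pool would run past .254.
gen_pool() {
    gp_name=$1; gp_self=$2; gp_gw=$3; gp_pfx=$4
    gp_first=$5; gp_count=$6; gp_if=$7
    gp_i=0
    while [ "$gp_i" -lt "$gp_count" ]; do
        gp_octet=$((gp_first + gp_i))
        if [ "$gp_octet" -gt 254 ]; then
            echo "gen_pool: $gp_name: client range exhausted at index $gp_i" >&2
            return 1
        fi
        printf '%s%d:\n' "$gp_name" "$gp_i"
        printf '\tnew -i ng%d %s%d %s%d\n' "$((gp_if + gp_i))" \
            "$gp_name" "$gp_i" "$gp_name" "$gp_i"
        printf '\tset ipcp ranges %s/32 %s.%d/32\n' "$gp_gw" "$gp_pfx" "$gp_octet"
        printf '\tset pptp self %s\n' "$gp_self"
        printf '\tload pptp_standard\n\n'
        gp_i=$((gp_i + 1))
    done
}

# gen_loads NAME COUNT -- the "load" lines the default label needs so that
# every link label is instantiated at startup.
gen_loads() {
    gl_i=0
    while [ "$gl_i" -lt "$2" ]; do
        printf '\tload %s%d\n' "$1" "$gl_i"
        gl_i=$((gl_i + 1))
    done
}

# gen_conf: a complete mpd.conf with two pools (assumed sizes/addresses):
#   routable clients: 70 links listening on 203.0.113.10, peers get
#                     198.51.100.11-.80 behind gateway 198.51.100.1
#   RFC1918 clients : 30 links listening on 203.0.113.11, peers get
#                     10.88.0.11-.40 behind gateway 10.88.0.1 (NAT upstream)
gen_conf() {
    printf 'default:\n'
    gen_loads pub 70
    gen_loads priv 30
    printf '\n'
    gen_pool pub  203.0.113.10 198.51.100.1 198.51.100 11 70 0  || return 1
    gen_pool priv 203.0.113.11 10.88.0.1    10.88.0    11 30 70 || return 1
    # Shared per-link settings, modelled on the Handbook sample. Only
    # 128-bit MPPE is offered; the 40-bit variant is deliberately left out.
    cat <<'EOF'
pptp_standard:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set bundle enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set pptp enable incoming
	set pptp disable originate
EOF
}

# Usage: sh gen-mpd-conf.sh generate > /usr/local/etc/mpd/mpd.conf
if [ "${1:-}" = "generate" ]; then
    gen_conf
fi
```

Because the ng interface index and the client /32 are derived from the loop counter, the two pools cannot hand out the same address or netgraph node, and the script refuses to produce a pool that would overflow its last octet instead of silently emitting an invalid range. It does not solve the per-user part of the question: with one fixed label per link, which user lands on the routable pool is still decided by which listen address they connect to, not by their identity in mpd.secret.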