Connecting to a Windows PPTP based VPN through an OpenBSD / PF firewall

To connect to a Windows based PPTP VPN through an OpenBSD PF firewall you need to let two things through: the PPTP control connection on TCP port 1723, which most rulesets already pass, and the GRE tunnel that carries the actual PPP traffic. GRE is IP protocol 47 and has no port numbers, so a rule that only passes TCP and UDP ports does not cover it. Keep in mind that PPTP itself (MS-CHAPv2 authentication, RC4-based MPPE encryption) is not considered secure anymore; these notes are about getting the tunnel to pass, not about whether you should rely on it.

First add the following to /etc/sysctl.conf:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1

These three settings only control whether the kernel accepts GRE and mobile IP packets addressed to the firewall itself (for its own gre(4) interface). They are not required merely to forward GRE between the LAN and a VPN server, which is why a firewall that just NATs a client often works with the PF rules alone. Newer OpenBSD releases have dropped the mobile IP code and the net.inet.mobileip sysctl with it; if sysctl rejects that line, leave it out.

Then add the following to the filter section of /etc/pf.conf:
pass in on $ext_if proto gre all keep state
pass out on $ext_if proto gre all keep state

For a client on the LAN the "pass out ... keep state" rule is all that is needed: PF tracks GRE state on the address pair (there are no ports to track), so the server's GRE replies match that state and no separate inbound rule is required for them. The "pass in" rule as written accepts GRE from anywhere to anywhere, which is more than you want; it is only needed when the PPTP server sits behind the firewall, and then it should be restricted to that server's address. One consequence of port-less state is that only one LAN host at a time can hold a PPTP session to a given server through the same NAT address; a second client dialing the same server will not get its GRE replies.

To make the changes effective without having to reboot, run the following as root:

sysctl net.inet.gre.allow=1
sysctl net.inet.gre.wccp=1
sysctl net.inet.mobileip.allow=1
pfctl -f /etc/pf.conf
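The following is an added example, not part of the original post: a complete pf.conf skeleton that covers both the case the post describes (a LAN client dialing out to a remote Windows PPTP server) and the inbound case a reader asks about below (a Windows PPTP server behind the firewall, needing rdr for TCP 1723 and for GRE). It uses the pre-OpenBSD 4.7 nat/rdr syntax to match the post; on 4.7 and later the nat and rdr lines become "match ... nat-to" / "match ... rdr-to" and "keep state" is the default. The interface names, addresses and the $vpn_server / $pptp_server macros are assumptions for illustration; substitute your own.

```pf
# Added example (not from the original post). Interface names and addresses
# below are assumptions; adjust them to your network.
ext_if = "fxp0"               # assumed external interface
int_if = "fxp1"               # assumed internal interface
lan    = "192.168.1.0/24"     # assumed LAN behind the firewall
vpn_server  = "203.0.113.10"  # assumed remote Windows PPTP server (LAN clients dial out)
pptp_server = "192.168.1.20"  # assumed internal Windows PPTP server (inbound case only)

# --- Translation ---
# NAT for the LAN. GRE has no ports, so PF can only keep one GRE state per
# (NAT address, server) pair: a second LAN client dialing the same server
# while the first is connected will not get its GRE replies.
nat on $ext_if from $lan to any -> ($ext_if)

# Inbound case only: redirect the PPTP control connection AND the GRE
# tunnel to the internal server. A port-based rdr alone is not enough,
# because GRE is a protocol, not a TCP/UDP port.
rdr on $ext_if proto tcp from any to ($ext_if) port 1723 -> $pptp_server
rdr on $ext_if proto gre from any to ($ext_if) -> $pptp_server

# --- Filtering ---
block in on $ext_if all

# Internal side: let the LAN talk to the firewall and beyond.
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state

# Outbound client case. The usual TCP/UDP/ICMP pass rules do NOT cover GRE
# (protocol 47), so the last line is the one most rulesets are missing.
# With keep state, the server's GRE replies match this state; no "pass in"
# for GRE is needed for an outbound client.
pass out on $ext_if proto { tcp, udp } all keep state
pass out on $ext_if proto icmp all keep state
pass out on $ext_if proto gre from any to $vpn_server keep state

# Inbound server case (only if you run a PPTP server behind the firewall).
# Filtering happens after rdr, so the destination is already $pptp_server.
# Restricting the destination is what makes this safer than the post's
# "pass in ... proto gre all", which admits GRE to every host.
pass in on $ext_if proto tcp from any to $pptp_server port 1723 flags S/SA keep state
pass in on $ext_if proto gre from any to $pptp_server keep state
```

Before loading, run "pfctl -nf /etc/pf.conf" to parse the file without installing it, then "pfctl -f /etc/pf.conf". Once a client is connected, "pfctl -ss" should show one tcp state for port 1723 and one gre state between the NAT address and the server; if the gre state never appears, the GRE rule is not being hit.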

2 Replies to “Connecting to a Windows PPTP based VPN through an OpenBSD / PF firewall”

  1. Isn’t there a rdr rule that needs to be in pf that pushes the inbound port 1723 to the Windows VPN server?

  2. I just got my PPTP connection working from my Windows XP/SP2 box through my OpenBSD 3.5 pf firewall/nat. All I had to do was enable outbound gre connections. I didn’t have to mess with sysctl nor change anything inbound. I suspect that the additional instructions are if you’re allowing inbound PPTP.
