
Frickin PPTP Proxy v2.0 BETA2

Installation
~~~~~~~~~~~~
If you want to take advantage of the transparent proxy you
must install Frickin on the firewall itself.  Installing on any other
machine will only provide a static relaying proxy.

Compile the package by running 'make' in the directory where you
untarred Frickin.  Frickin uses libconfigduo 0.8 by Mark Lindner.  This
package is included and you do not need to download it separately.

Move the executable 'frickin2' to a suitable directory, e.g.
'/usr/local/sbin'.  Move the configuration file 'frickin.conf' to a
suitable directory, e.g. '/usr/local/etc'.


Configuration
~~~~~~~~~~~~~
Make sure to redirect all TCP and GRE traffic to the
loopback interface (127.0.0.1) on the firewall.  This would normally be
any TCP traffic to port 1723.  For GRE you just redirect everything,
since it has no ports.  You must also allow this traffic to pass in/out.

    Example.
    rdr on $int_if proto tcp from any to any port 1723 -> 127.0.0.1 port 1723
    rdr on $int_if proto gre from any to any -> 127.0.0.1
    pass out on $ext_if proto gre from any to any keep state

NOTE: There seem to be issues with GRE packets and 'scrub' rules.
      If you experience difficulties getting the proxy working, make
      sure to remove any scrub rule you might have in effect.


Listeners
~~~~~~~~~
Frickin has no limit on the number of listeners you can
configure; only your imagination sets any limits.  Most Frickin
users will however only need one listener, configured for
transparent proxying of outbound connections.  Below you can see a few
examples:

Transparent and dynamic outbound listener
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is a simple listener with
only a listening ip and port specified.  All outgoing PPTP sessions will
be transparently proxied with the help of the OpenBSD packet filter.  Users
may connect to any server; several users may even connect to the same
server without disrupting each other.

    Example.
    default {
	ip = "127.0.0.1";
	port = 1723;
    }

Static inbound listener
~~~~~~~~~~~~~~~~~~~~~~~
This listener will listen for incoming PPTP sessions on an external ip
address and port.  All connecting clients will be proxied to an internal
PPTP server completely transparently.  Connecting users will not see the
real name, host and vendor of your PPTP server but instead only what the
listener has been configured to show.

    Example.
    incoming {
	name = "Fake PPTP server v1.0";
	host = "mydomain.com";
	vendor = "Fake vendor";
	ip = "11.22.33.44";
	port = 1723;
	target { ip = "192.168.10.20"; port = 1723; };
    }

Transparent and static outbound listener
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is possible to transparently send all outgoing PPTP sessions to a
static host.  This could be used to relay PPTP sessions through multiple
proxies, but they would all become static after the first relay.

    Example.
    static {
	ip = "127.0.0.1";
	port = 2001;
	target { ip = "22.33.44.55"; port = 1723; };
    }




Verified operating systems
~~~~~~~~~~~~~~~~~~~~~~~~~~
Frickin has been verified and tested on the following systems and
setups:

    FreeBSD 6.0
    OpenBSD 3.9

Additional configuration on OpenBSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By default GRE packets are not allowed to enter the IP stack; this needs
to be enabled by hand.  This is done by setting the sysctl option
"net.inet.gre.allow" to 1.

	# sysctl -w net.inet.gre.allow=1

For this option to be enabled after reboot you should add it to
'/etc/sysctl.conf'.
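
The settings from the Configuration section and the sysctl above can be
checked before the proxy is started.  The script below is an added
example, not part of Frickin: its function names are hypothetical, the
sample pf.conf and sysctl.conf contents are constructed, and it assumes
the OpenBSD setup described in this file.

```sh
#!/bin/sh
# Added example (not part of Frickin): lint pf.conf and sysctl.conf for the
# settings this README asks for.  Function names are hypothetical.

# Drop comments and blank lines so commented-out rules are not counted.
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# need <text> <regex> <description>: record a finding when no line matches.
need() {
    printf '%s\n' "$1" | grep -Eq "$2" && return 0
    echo "MISSING: $3"
    findings=$((findings + 1))
}

# check_frickin_setup <pf.conf> <sysctl.conf>
# Prints one line per finding and returns the number of findings.
check_frickin_setup() {
    findings=0
    rules=$(active_lines "$1")
    sysctls=$(active_lines "$2")
    need "$rules" '^[[:space:]]*rdr .*proto tcp .*port 1723 .*-> *127\.0\.0\.1' \
        "rdr of tcp port 1723 to 127.0.0.1"
    need "$rules" '^[[:space:]]*rdr .*proto gre .*-> *127\.0\.0\.1' \
        "rdr of gre to 127.0.0.1"
    need "$rules" '^[[:space:]]*pass .*proto gre( |$)' \
        "pass rule for gre"
    need "$sysctls" '^[[:space:]]*net\.inet\.gre\.allow[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "net.inet.gre.allow=1 in sysctl.conf (OpenBSD)"
    # The NOTE in the Configuration section: scrub rules can break GRE.
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*scrub'; then
        echo "WARNING: scrub rule present, may interfere with GRE"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the GRE redirect is commented out, the sysctl
# is off and a scrub rule is active.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pf.conf" <<'EOF'
scrub in all
rdr on $int_if proto tcp from any to any port 1723 -> 127.0.0.1 port 1723
# rdr on $int_if proto gre from any to any -> 127.0.0.1
pass out on $ext_if proto gre from any to any keep state
EOF
echo "net.inet.gre.allow=0" > "$demo_dir/sysctl.conf"
check_frickin_setup "$demo_dir/pf.conf" "$demo_dir/sysctl.conf" || true
```

On the constructed sample it reports three findings: the commented-out
GRE redirect, the disabled sysctl and the scrub rule.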


Support
~~~~~~~
If you are having problems with Frickin, have found some bugs or just
have ideas for enhancements, please contact me.  All ideas/patches are
welcome.


http://sourceforge.net/projects/frickin/
