Setting up your own VPN server with PPTP on Ubuntu or Debian
I often connect to my own VPN server because of ports that are blocked on public networks, or if I want to access something on my home network. I use a PPTP server because OSX and Windows support it right out of the box, without having to download an additional VPN client. If you are looking for ultimate security for your VPN, PPTP might not be the solution for you, as it is considered the least secure because of security holes in MS-CHAPv2.
On Ubuntu and Debian you can install the pptpd packages with apt:
apt-get install pptpd
At the bottom of the
/etc/pptpd.conf file, add the following configuration for your virtual private network. The first line being the IP for the VPN server, and the second line the IP range for connected clients. Make sure these do not conflict with IP addresses already used by your server or local network.
localip 10.0.0.1 remoteip 10.0.0.100-200
/etc/ppp/pptpd-options file you need to add DNS servers (Google Public DNS in this case) that connected clients will use:
ms-dns 126.96.36.199 ms-dns 188.8.131.52
Add VPN users by editing the
# client service password IP addresses jens pptpd 2EJaredaspucHexE *
The first column is the username, the third column is the plain text password and the last column specifies the static IP used for that client. Use an asterisk to assign incremental IP addresses for connections made by that account. This also means that multiple users can sign in with that account and will get different IP addresses.
Now restart the daemon:
service pptpd restart
It is important to enable IP forwarding, this will allow you to forward packets between public IP and private IP's that you setup with PPTP. Open
/etc/sysctl.conf and uncomment the following line and execute
To enable network address translation (NAT) create the
/etc/network/if-up.d/pptp file with the following content:
#!/bin/bash # enable NAT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If the VPN IP range is different from the IP range on the local network, you may need to add the following lines as well:
# routing iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT iptables --append FORWARD --in-interface eth0 -j ACCEPT
There you go, your VPN server should be up and running!