Jens Segers on

Setting up your own VPN server with PPTP on Ubuntu or Debian

I often connect to my own VPN server because of ports that are blocked on public networks, or when I want to access something on my home network. I use a PPTP server because OS X and Windows support it out of the box, without having to download an additional VPN client. If you are looking for ultimate security for your VPN, PPTP might not be the solution for you: it is considered the least secure option because of security holes in MS-CHAPv2.

Installation

On Ubuntu and Debian you can install the pptpd packages with apt:

apt-get install pptpd

At the bottom of the /etc/pptpd.conf file, add the following configuration for your virtual private network. The first line is the IP address of the VPN server and the second line is the IP range handed out to connected clients. Make sure these do not conflict with IP addresses already used by your server or local network.

localip 10.0.0.1
remoteip 10.0.0.100-200

In the /etc/ppp/pptpd-options file you need to add DNS servers (Google Public DNS in this case) that connected clients will use:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Add VPN users by editing the /etc/ppp/chap-secrets file:

# client  service   password            IP addresses
jens      pptpd     2EJaredaspucHexE    *

The first column is the username, the third column is the plaintext password and the last column specifies the static IP address used for that client. Use an asterisk to assign IP addresses incrementally from the remoteip range for connections made by that account. This also means that multiple users can sign in with that account and will each get a different IP address.

Now restart the daemon:

service pptpd restart

It is important to enable IP forwarding, which allows the server to forward packets between its public IP address and the private IP addresses you set up with PPTP. Open /etc/sysctl.conf, uncomment the following line and execute sysctl -p:

net.ipv4.ip_forward=1

To enable network address translation (NAT) create the /etc/network/if-up.d/pptp file with the following content:

#!/bin/bash

# enable NAT on the public interface (eth0; change it if your server uses another name).
# The -C check looks for the rule first so it is not appended again every time an interface comes up.
iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || \
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If the VPN IP range is different from the IP range on the local network, you may need to add the following lines as well:

# routing
# masquerade traffic leaving through the PPP tunnel
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# accept traffic arriving from VPN clients
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
# allow forwarding of packets coming in on the public interface
iptables -A FORWARD -i eth0 -j ACCEPT
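The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that writes each configuration step under a root directory you choose, so the result can be checked in a scratch directory before it is written to the real /etc. It refuses a localip that falls inside the client range, installs the NAT hook so the rule is not duplicated on every interface event, and keeps chap-secrets readable by root only because it holds plaintext passwords. It assumes eth0 is the public interface and the same 10.0.0.x addressing as the post; the function names and the sample password are my own.

```shell
#!/bin/sh
# Added example, not from the original post: writes the PPTP configuration
# from the steps above under a root directory ($1).
# Assumptions (mine, not the post's): eth0 is the public interface and the
# layout under $root mirrors the real /etc paths.
set -eu

# Succeeds (0) when the server's localip is outside the remoteip range.
# pptpd's "10.0.0.100-200" shorthand only varies the last octet, so once
# the first three octets match the comparison is on the last one.
range_excludes_localip() {
    localip=$1; range=$2
    prefix=${range%.*}            # 10.0.0
    octets=${range##*.}           # 100-200
    lo=${octets%-*}; hi=${octets#*-}
    if [ "${localip%.*}" != "$prefix" ]; then
        return 0
    fi
    octet=${localip##*.}
    if [ "$octet" -ge "$lo" ] && [ "$octet" -le "$hi" ]; then
        return 1
    fi
    return 0
}

# Appends the pptpd.conf, pptpd-options and sysctl entries and installs the
# NAT hook. Refuses a server address that collides with the client range.
write_pptp_config() {
    root=$1; localip=$2; remoteip=$3
    if ! range_excludes_localip "$localip" "$remoteip"; then
        echo "localip $localip lies inside remoteip $remoteip" >&2
        return 1
    fi
    mkdir -p "$root/etc/ppp" "$root/etc/network/if-up.d"
    printf 'localip %s\nremoteip %s\n' "$localip" "$remoteip" >> "$root/etc/pptpd.conf"
    printf 'ms-dns 8.8.8.8\nms-dns 8.8.4.4\n' >> "$root/etc/ppp/pptpd-options"
    # keep the forwarding line present exactly once
    grep -qs '^net.ipv4.ip_forward=1' "$root/etc/sysctl.conf" \
        || echo 'net.ipv4.ip_forward=1' >> "$root/etc/sysctl.conf"
    hook="$root/etc/network/if-up.d/pptp"
    cat > "$hook" <<'EOF'
#!/bin/bash
# enable NAT; -C checks for the rule first so it is not duplicated on every interface event
iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
    chmod 755 "$hook"
}

# Adds one chap-secrets entry (client, service, password, "*" for an
# address from the range). The password is stored in plain text, so the
# file is kept readable by root only.
add_vpn_user() {
    root=$1; user=$2; password=$3
    secrets="$root/etc/ppp/chap-secrets"
    mkdir -p "$root/etc/ppp"
    touch "$secrets"
    chmod 600 "$secrets"
    printf '%s\tpptpd\t%s\t*\n' "$user" "$password" >> "$secrets"
}

# Returns 0 when the written tree contains what the post's steps expect.
verify_pptp_config() {
    root=$1
    grep -q '^localip ' "$root/etc/pptpd.conf" || return 1
    grep -q '^remoteip ' "$root/etc/pptpd.conf" || return 1
    grep -q '^net.ipv4.ip_forward=1$' "$root/etc/sysctl.conf" || return 1
    [ -x "$root/etc/network/if-up.d/pptp" ] || return 1
    # chap-secrets must be -rw------- (portable check, no GNU stat needed)
    [ "$(ls -l "$root/etc/ppp/chap-secrets" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Live use, as root, followed by the restart commands from the post:
#   write_pptp_config / 10.0.0.1 10.0.0.100-200
#   add_vpn_user / jens 'constructed-password'   # sample value, pick your own
#   sysctl -p && service pptpd restart
```

To try it without touching the system, point the functions at a temporary directory (for example `d=$(mktemp -d); write_pptp_config "$d" 10.0.0.1 10.0.0.100-200; verify_pptp_config "$d"`) and inspect the files it wrote; the same calls with `/` as the root perform the real installation.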

There you go, your VPN server should be up and running!
