Easiest way to setup Ubuntu as a VPN server

WARNING: PPTP IS AN INSECURE PROTOCOL! Not only has the encryption been breached, but it sends your authentication in clear text and is easily intercepted. It has been estimated that the amount of time required to brute-force the password is roughly equivalent to the time required to brute-force a single DES key. Consider using OpenVPN or another VPN architecture instead of PPTP!

I used this guide to set up a PPTP VPN server on my Ubuntu 12.04 server.


To summarize the main points in the link, though:

1: Install pptpd and ufw. iptables can be used in place of ufw, but for the sake of easiness, ufw is better if you don't know iptables.

sudo apt-get install pptpd ufw

2: Open the ports needed. The guide suggests 22 (SSH) and 1723 for the pptp vpn.

sudo ufw allow 22
sudo ufw allow 1723
sudo ufw enable

3: Edit /etc/ppp/pptpd-options. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/pptpd-options), and comment out these lines by putting a # before them, if you want this to work universally on all OSes:

refuse-pap
refuse-chap
refuse-mschap

You can comment this line if you want to disable encryption: require-mppe-128

4: While editing /etc/ppp/pptpd-options, add DNS servers for the VPN. This example uses OpenDNS servers:

ms-dns 208.67.222.222
ms-dns 208.67.220.220

5: Edit /etc/pptpd.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/pptpd.conf). You need to add the local VPN IPs for the system, so add:

localip 10.99.99.99
remoteip 10.99.99.100-199

If your system is a VPS, use the public IP for "localip". If it is not and is on a local network, use your computer's network IP. Use different IPs and ranges if these IPs exist on your subnet! If you don't know your public IP of your VPS, find it by running dig +short myip.opendns.com @resolver1.opendns.com

6: Edit /etc/ppp/chap-secrets. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/chap-secrets), and add the auth data.
The format for /etc/ppp/chap-secrets is:

[Username] [Service] [Password] [Allowed IP Address]

An example would be: sampleuser pptpd samplepassword *

7: Restart pptpd. Run this command in terminal: sudo /etc/init.d/pptpd restart

8: Edit /etc/sysctl.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/sysctl.conf). Un-comment the following line (by removing the # at the beginning of it) in /etc/sysctl.conf: net.ipv4.ip_forward=1
Reload the configuration: sudo sysctl -p

9: This step assumes you have ufw.
Edit /etc/default/ufw and change the option DEFAULT_FORWARD_POLICY from DROP to ACCEPT

10: This step assumes you have ufw.
Edit /etc/ufw/before.rules, and add the following either at the beginning of /etc/ufw/before.rules or just before the *filter rules (recommended):

# NAT table rules
*nat

:POSTROUTING ACCEPT [0:0]
# Allow forward traffic to eth0
-A POSTROUTING -s 10.99.99.0/24 -o eth0 -j MASQUERADE

# Process the NAT table rules
COMMIT

If you have kernel version 3.18 and newer (you can check this by running uname -r), also add the following lines before the # drop INVALID packets ... line:

-A ufw-before-input -p 47 -j ACCEPT

11: Restart the firewall, to refresh the rule sets and to apply the rules we added to the /etc/ufw/*.rules files: sudo ufw disable && sudo ufw enable

Warning: If you have other ports you need open, such as for HTTPS if your server hosts a website, you need to individually add those ports to the allowed list with sudo ufw allow <PORT>


UPDATE: As of Sierra, macOS no longer supports PPTP vpn. This answer is not valid for macOS clients Sierra and beyond.

PPTP via PoPToP is easy

  1. apt-get install pptpd
  2. edit /etc/pptpd.conf and set the remoteip option to a range on your network that is NOT served by your DHCP server.
  3. edit /etc/ppp/chap-secrets and add a username and password

e.g.

vpnuser pptpd vpnpassword *

This is all it takes to setup pptp. Now test it with your OS X client.


PPTP VPN on Ubuntu 12.04 Example

Here is a quick tutorial to set up a basic PPTP VPN server on Ubuntu 12.04.

Install Necessary Packages

                          sudo apt-get install ppp pptpd

Configure PPTP IP Ranges on the Server

                          sudo nano /etc/pptpd.conf

Add the following lines in end

                          localip 10.89.64.1
                          remoteip 10.89.64.100-150

This sets up the PPTP server to use IP 10.89.64.1 while distributing the IP range 10.89.64.100 to 10.89.64.150 to PPTP clients. Change these as you wish as long as they are private IP addresses and do not conflict with IP addresses already used by your server.

Configure DNS Servers to Use When Clients Connect to this PPTP Server

                          sudo nano /etc/ppp/pptpd-options

Modify OR Add the following lines in end

                          ms-dns 8.8.8.8
                          ms-dns 8.8.4.4

Create a PPTP User

                          sudo nano /etc/ppp/chap-secrets

Append a line at the bottom so your file looks something like:

                          # client    server  secret          IP addresses
                          test        pptpd   abcd1234        *

Configure NAT for PPTP Connections

Without this step you will be able to connect but your connection will not be able to load any web connection from this server.

                          sudo nano /etc/rc.local

Add the following to the bottom right before “exit 0” line:

                          iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Assuming eth0, you can use ifconfig to check network name.

Enable IPv4 forwading:

                          sudo nano /etc/sysctl.conf

Uncomment the following line:

                          net.ipv4.ip_forward=1

Then reload the configuration:

                          sudo sysctl -p

Reboot your VPS and everything should work swimmingly from any PPTP client.


Client side configuration

For Mac, make sure you added PPTP VPN connection. Besides that you only need to setup server address, account name, and password in authentication settings. No pain here.

For Linux, NetworkManager to add VPN connections. Make sure you added PPTP VPN connection. And the configuration I use is here:

How To Debug and Fix PPTP/VPN Client Connection

enter image description here

And for Windows

enter image description here

Tags:

Vpn