How do I set up a PPTP VPN on my own Ubuntu Server?

The Absolute Minimum Server Setup

What follows are the absolute minimum instructions that you need to get a basic PPTP VPN server running under Ubuntu. Clients will then be able to VPN into the server and route their internet traffic so that it goes through the server to the internet. As always, consult the full documentation to understand what everything is doing.

First, install the required software:

sudo apt-get install pptpd

Second, enable ip_forward in the kernel for IPv4 by uncommenting the associated line in /etc/sysctl.conf:

sudo sed -i -r 's/^\s*#(net\.ipv4\.ip_forward=1.*)/\1/' /etc/sysctl.conf
# Reload the config file to have the change take effect immediately.
sudo -i sysctl -p

Third, enable NAT (if it isn't enabled already) so that users on the private VPN network can have their packets routed out to the internet:

OUTIF=`/sbin/ip route show to exact 0/0 | sed -r 's/.*dev\s+(\S+).*/\1/'`
sudo -i iptables --table nat --append POSTROUTING --out-interface $OUTIF --jump MASQUERADE
# Enable NAT on boot from the rc.local script.
CMD="iptables --table nat --append POSTROUTING --out-interface $OUTIF --jump MASQUERADE"
sudo sed -i "\$i$CMD\n" /etc/rc.local

Note: This guide assumes you have no firewall configured on the server. If you have a firewall on the server, such as UFW, consult the relevant documentation instead.

Fourth, for each VPN user, create an account in the file /etc/ppp/chap-secrets. Replace $USER with the actual username you want to use for that VPN user.

KEY=`head -c 20 /dev/urandom | sha1sum | awk '{print $1}'`
echo "$USER pptpd $KEY *" | sudo tee -a /etc/ppp/chap-secrets

Finally, you are ready to...

Configure the Client

In the Network Manager applet, select VPN Connections → Configure VPN, then click Add. On the next screen select PPTP for the VPN type, then click Create.


In this window, enter your server's hostname or IP along with the username and key that you added to the /etc/ppp/chap-secrets file on the server.

Now click Advanced.


In this window, enable "Use Point-to-Point encryption (MPPE)" and select 128-bit security. Disable the use of MSCHAP authentication (leave MSCHAPv2 enabled).

Finally, click Ok and then Save to close out the previous window.

You can now test the VPN connection by going to the Network Manager applet → VPN Connections and selecting the connection that you just created. Make sure you get a message saying that the VPN connection was successful, then browse to an IP checking website to verify that your IP now shows up as the server's IP.

If you get a message saying that the VPN connection to the server failed: first verify that you correctly entered the client settings; second, check that the client has network connectivity to TCP port 1723 on the server; finally, check the log file /var/log/messages on the server for further clues. If your VPN connection succeeds, but you subsequently are unable to browse to any websites from the client, consult this incredibly helpful diagnostic guide on the pptpd website.

Notes

If the local network you are connected to is using the 192.168.0.0/24 and 192.168.1.0/24 subnets, you are going to run into issues because that is what the PPTP server uses by default. You will have to configure PPTP to use different subnets in pptpd.conf.

There are numerous other configuration changes you may want to make. For example, all your domain name lookups will still be queried using your local DNS server instead of going through the PPTP server. Take the time to read over the full documentation to find out how to change this setting and many others.
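An added example, not part of the answer above and not pptpd's own tooling: shell helpers for the ip_forward and chap-secrets steps that can be tried on copies of the files before they touch /etc. The one-line sed in the answer only uncomments an existing line; these helpers also correct a line set to 0 or append the setting when it is missing, generate the key without nawk (which is not installed on Ubuntu by default), and refuse to add a user twice. Function names are mine, file paths are parameters, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the answer above. Helpers for the ip_forward and
# chap-secrets steps that can be tried on copies of the files first.
# Assumes GNU sed/grep and Linux /dev/urandom; all paths are parameters.

# Set net.ipv4.ip_forward=1 in a sysctl.conf-style file. Uncomments a
# commented line, corrects a line set to 0, or appends the setting when it
# is absent. Safe to run repeatedly.
enable_ip_forward() {
    f="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*(net\.ipv4\.ip_forward)[[:space:]]*=.*/\1=1/' "$f"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$f"
    fi
}

# Print the effective ip_forward value in the file (0 if unset). Like
# sysctl, the last uncommented assignment wins.
ip_forward_value() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "0" : v) }' "$1"
}

# 40 hex characters straight from /dev/urandom; od is part of coreutils.
gen_key() {
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Append "<user> pptpd <key> *" to a chap-secrets file. Returns 1 without
# writing if that user already has a pptpd entry, and 2 if the user or key
# contains characters that would break the whitespace-separated format.
add_chap_user() {
    f="$1"; user="$2"; key="$3"
    for v in "$user" "$key"; do
        case "$v" in
            ""|*[!A-Za-z0-9._-]*) echo "add_chap_user: unsafe user or key" >&2; return 2 ;;
        esac
    done
    if awk -v u="$user" '$1 == u && $2 == "pptpd" { found = 1 } END { exit !found }' "$f" 2>/dev/null; then
        return 1
    fi
    printf '%s pptpd %s *\n' "$user" "$key" >> "$f"
    chmod 600 "$f"   # secrets are stored in clear text; keep the file root-only
}
```

Source the file and call, for example, `enable_ip_forward /etc/sysctl.conf` followed by `sysctl -p`, then `add_chap_user /etc/ppp/chap-secrets alice "$(gen_key)"`; the chmod matters because pptpd compares the secret in clear text, so any local user who can read the file can authenticate as the VPN user.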


This tutorial I wrote will guide you through. It should help you avoid common mistakes made by people using a VPS.

First, log in to your VPS panel and enable TUN/TAP and PPP. If you do not have such an option, contact your ISP to enable this for you.


First, install this package:

sudo apt-get install pptpd

Because we do not want our VPN to be public, we are going to create users.
I am using vi; you can use nano or whatever text editor you like.

vi /etc/ppp/chap-secrets

The format is

[username] [service] [password] [ip]

Example

john pptpd johnspassword *

* means access from all IP addresses is allowed; specify an IP only if you have a static one.

Editing PPTPD Settings

vi /etc/pptpd.conf

Look for the localip and remoteip settings. Remove the # (comment character) for both so that these settings will actually be recognized. Change localip to your server IP. If you don’t know your server IP, you may look in your VPS control panel.

The remoteip is basically the IP range that clients (computers that are connected to your VPN) will be assigned. For example, if you want the following IP range: 192.168.120.231-235, your VPN server will be able to assign 192.168.120.232, 192.168.120.233, 192.168.120.234, and 192.168.120.235 to clients. It’s up to you what you want to use for this field.

Personally, I chose these settings:

localip 10.0.0.1
remoteip 10.0.0.100-200

So I can get about 200 clients connected.

Add DNS servers to /etc/ppp/pptpd-options

ms-dns 8.8.8.8
ms-dns 8.8.4.4

You can either add this to the end of the file or find those lines, uncomment them and change the IPs to your desired public DNS.

Set up Forwarding

It is important to enable IP forwarding on your PPTP server. This will allow you to forward packets between the public IP and the private IPs that you set up with PPTP. Simply edit /etc/sysctl.conf and add the following line if it doesn’t exist there already:

net.ipv4.ip_forward = 1

To make changes active, run sysctl -p

Create a NAT rule for iptables

This is an important part: if you are using a VPS, you probably won't use eth0 but venet0 instead. You should check which interface you have by running ifconfig.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save

If you would also like your PPTP clients to talk to each other, add the following iptables rules:

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Again, you need to replace eth0 with venet0 if you are using a VPS.

I would recommend running

sudo iptables-save

Now your PPTP server also acts as a router.

You can run this command so the VPN service starts on boot:

systemctl enable pptpd

I recommend installing iptables-persistent so the rules stay even after a reboot:

sudo apt-get install -y iptables-persistent
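An added example, not from the answer above: a function that prints a complete iptables-restore ruleset for a PPTP server, masquerading only the VPN pool and forwarding only between the ppp interfaces and the uplink. The answer's `iptables --append FORWARD --in-interface eth0 -j ACCEPT` forwards anything that arrives on the uplink; this version limits the FORWARD chain to the pool and to established replies, and includes a small lint helper that counts such unrestricted FORWARD rules in any rules file. The uplink interface and the pool are parameters, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the answer above. Prints an iptables-restore
# ruleset for a PPTP server: NAT only for the VPN pool, forwarding only
# between ppp interfaces and the uplink. Assumes Linux iptables with the
# conntrack match; uplink interface and pool are parameters.

# usage: gen_pptp_rules <uplink-iface> <vpn-pool-cidr>
gen_pptp_rules() {
    out="$1"; pool="$2"
    # reject anything that is not a plausible interface name or IPv4 CIDR,
    # so a bad argument cannot end up as an extra rule fragment
    case "$out" in ""|*[!A-Za-z0-9._+-]*) return 2 ;; esac
    case "$pool" in ""|*[!0-9./]*) return 2 ;; esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade only packets that come from the VPN pool
-A POSTROUTING -s $pool -o $out -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# PPTP control connection (TCP 1723) and GRE data channel on the uplink;
# these rules matter once the INPUT policy is changed to DROP
-A INPUT -i $out -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $out -p gre -j ACCEPT
# clients -> internet, and only reply traffic back; nothing else is forwarded
-A FORWARD -i ppp+ -o $out -s $pool -j ACCEPT
-A FORWARD -i $out -o ppp+ -d $pool -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint helper for a rules file: number of FORWARD rules with no source,
# destination or connection-state restriction.
count_open_forward_rules() {
    grep -E '^-A FORWARD' "$1" | grep -Ev -- '(-s |-d |--ctstate )' | wc -l | tr -d ' '
}
```

With iptables-persistent installed, `gen_pptp_rules eth0 10.0.0.0/24 > /etc/iptables/rules.v4` followed by `iptables-restore < /etc/iptables/rules.v4` puts the ruleset in place and keeps it across reboots (use venet0 on a VPS, as the answer says). If clients should be able to talk to each other, add one more forward rule for `-i ppp+ -o ppp+`; the DROP policy on FORWARD means nothing else is routed through the box.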

Follow this tutorial: PPTP VPN Server with Ubuntu

  1. Under software selection select OpenSSH server -- for remote management of the machine -- and manual package selection for the actual pptpd package. If you want more services, for example if you want to use the computer also as a webserver, you may of course select the additional software. For security reasons I generally advise people to only run one service accessible from the outside per machine if set up in a critical environment, but really that's up to you.

  2. In manual selection navigate to not installed packages > net where you will find pptpd. Select it and press 'g' twice in order to install the package.

  3. Let the installation finish and reboot your system.

  4. SSH into your newly set up machine and run sudo aptitude update && sudo aptitude safe-upgrade first to update all packages. Reboot if necessary.

  5. Open the pptpd.conf file: sudo nano /etc/pptpd.conf Adjust the IP settings at the bottom to your needs. Under local IP you enter the IP in the local network of your VPN server (if you don't know it, type 'sudo ifconfig' and it will show you your network interfaces and the assigned IPs). For that matter I recommend setting up a static IP in /etc/network/interfaces or in your router configuration.

  6. If you want to, you can change the hostname in /etc/ppp/pptpd-options

  7. Specify the user names and passwords you want to give access to your VPN: sudo nano /etc/ppp/chap-secrets. If you changed the hostname in the step before, make sure you type in the same hostname now under server.

    Example:

    # client        server  secret                  IP addresses
    eubolist   pptpd   myübersecretpassword   *
    

    As there is no keyfile in PPTP, security depends solely on the password, which is why you should choose a long (e.g. 32 characters), random password. You can generate such a password here.

  8. Now we need to set up ip-masquerading: sudo nano /etc/rc.local

    Add the following lines above the line that says 'exit 0':

    # PPTP IP forwarding
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    

    Optionally I recommend securing your SSH server against brute force attacks:

    #SSH Brute Force Protection
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    (also to be inserted above 'exit 0')

    You may have to change 'eth0' to another interface, depending on which interface is configured to connect to the internet on your machine.

  9. Lastly, uncomment this line in /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    
  10. Reboot

  11. If your VPN server doesn't directly connect to the internet you may need to forward port 1723 TCP and GRE to the LAN IP of your VPN server. Refer to your router's manual or to portforward.com for vendor specific instructions. Again, you may need to assign a static IP in /etc/network/interfaces.
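An added example, not from the tutorial above: an audit of a chap-secrets file against the advice in step 7 (flagging secrets shorter than a minimum length, secrets equal to the username, and malformed lines), plus a helper for step 8 that inserts the rc.local lines above `exit 0` without duplicating them when run again. The function names, the 32-character default and the sample files in the usage are constructed; secrets quoted with spaces inside are not parsed.

```shell
#!/bin/sh
# Added example, not from the tutorial above. audit_chap_secrets checks a
# chap-secrets file against the advice in step 7; insert_before_exit adds a
# line to an rc.local-style file above "exit 0" (step 8) exactly once.
# Assumes POSIX awk and GNU grep; paths are parameters.

# usage: audit_chap_secrets <file> [min-secret-length, default 32]
# Prints "<line> <client> <problem>" per finding and returns 1 if any were
# found. Secrets quoted with spaces inside are not handled.
audit_chap_secrets() {
    awk -v min="${2:-32}" '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        NF < 4 { printf "%d %s malformed\n", NR, $1; bad = 1; next }
        length($3) < min { printf "%d %s short-secret(%d)\n", NR, $1, length($3); bad = 1 }
        $3 == $1 { printf "%d %s secret-equals-username\n", NR, $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# usage: insert_before_exit <file> <line>
# Inserts <line> immediately above the final "exit 0" (appends if there is
# none) unless an identical line is already present. Writes through cat so
# the file keeps its mode (rc.local must stay executable). awk -v expands
# backslash escapes, so <line> is assumed to contain none.
insert_before_exit() {
    f="$1"; line="$2"
    if grep -Fxq -- "$line" "$f"; then
        return 0
    fi
    awk -v l="$line" '
        /^exit 0[ \t]*$/ && !done { print l; done = 1 }
        { print }
        END { if (!done) print l }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}
```

Run `audit_chap_secrets /etc/ppp/chap-secrets` after editing the file; a non-zero exit means at least one account relies on a secret that is short, guessable or malformed. `insert_before_exit /etc/rc.local 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'` is the idempotent form of step 8 and can be repeated for the SSH protection lines.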

Tags: vpn, server, pptp