Howto: PPTP VPN Server with Ubuntu 10.04 ‘Lucid Lynx’
Sponsored Link
Note that Lucid Lynx is still in Alpha 2 stage at the time of writing this article, this means you should only use it for testing purposes. Although the server I've set up writing this tutorial has been running without any kind of problems for two weeks now I recommend if you want to set up a Ubuntu server in a working environment you to go back to 9.10 ‘Karmic Koala' or even an earlier stable version. Okay, this being said let's get started:
1. Download the Lucid Lynx Alpha 2 server CD image from this page
2. Follow the installation wizard and install the core system
3. Under software selection select OpenSSH server -- for remote management of the machine -- and manual package selection for the actual pptpd package. If you want more services, for example if you want to use the computer also as a webserver, you may of course select the additional software. For security reasons I generally advise people to only run one from the outside accessible service per machine if set up in a critical environment, but really that's up to you.
4. In manual selection navigate to ‘not installed packages' -> ‘net' where you will find pptpd. Select it and press ‘g' twice in order to install the package.
5. Let the installation finish and reboot your system.
6. SSH into your newly set up machine and run ‘sudo aptitude update && sudo aptitude safe-upgrade' first to update all packages. Reboot if necessary.
7. Open the pptpd.conf file: ‘sudo nano /etc/pptpd.conf‘ Adjust the IP settings at the bottom to your needs. Under local IP you enter the IP in the local network of your VPN server (if you don't know it type ‘sudo ifconfig' and it will show you your network interfaces and the assigned IPs). For that matter I recommend to set up a static IP in /etc/network/interfaces or in your router configuration.
8. If you want to, you can change the hostname in /etc/ppp/pptpd-options
9. Specify the user names and passwords you want to give access to your vpn: ‘sudo nano /etc/ppp/chap-secrets‘. If you changed the hostname in the step before make sure you type in the same hostname now under ‘server'
Example:
# client server secret IP addresses
eubolist pptpd myübersecretpassword *
As in pptp there is no keyfile security depends solely on the password. Which is why you should choose a long (eg. 32 characters), random password. You can generate such a password here.
10. Now we need to set up ip-masquerading: ‘sudo nano /etc/rc.local‘
Add the following lines above the line that says ‘exit 0‘
# PPTP IP forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Optionally I recommend securing your SSH server against brute force attacks:
# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
(also to be inserted above ‘exit 0')
You may have to change ‘eth 0' to another interface, depending on which interface is configured to connect to the internet on your machine.
11. Lastly, uncomment this line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
12. Reboot
13. In case your vpn-server doesn't directly connect to the internet you may need to forward port 1723 TCP and GRE to the LAN IP of your vpn-server. Refer to your router's manual or to portforward.com for vendor specific instructions. Again, you may need to assign a static ip in /etc/network/interfaces.
Now you should have access to your local network from virtually anywhere you have access to the internet. Enjoy!
This is a wonderful tutorial. I got everything set up and connected my Moto Droid to it but then could not access websites. After reading the comments and adding ms-dns servers everything works great. Thanks
I followed this and it works great apart from I have an issue where the clients have to be assigned IPs on the same subnet or traffic doesn’t get routed at all.
If I try a different subnet, I get this in syslog: ‘Cannot determine ethernet address for proxy ARP’
I tried the ARP fix here: http://poptop.sourceforge.net/dox/qna.html but no dice….
Any suggestions?
I have to give ip address for specific user groups
how can I do that?
I also have to limit and report bandwidth usage.
Could you please give me some advise about that? thank you!
I am getting the error in /var/log/syslog:
GRE: Bad checksum from pppd
Any suggestions?
I have set up PPTP VPN server on ubuntu.
But accounts are open for concurrent simultaneous connections. means there can be many users using one account at the time.
i need to limit that to one user at the time.
anybody knows how it can be done?
So I have successfully set up this server at one location in my home. I recently had someone ask me if I could set up the server in his office. When I got there he told me that I could not change the IP addresses in his office from 192.168.1.x to 10.5.1.x so I figured that I could just change the IP address of the client since it is only going to be one person. I completed this guide the same way I did at my home but, with different user names and passwords and of course the different IP addresses. I forward the ports and tried to connect while still taking into consideration that the two sets of IP addresses need to be different. I could not connect. Does anyone have any suggestions for me on how to solve this problem?
Thanks