Howto: PPTP VPN Server with Ubuntu 10.04 ‘Lucid Lynx’
Note that Lucid Lynx is still in Alpha 2 stage at the time of writing this article, this means you should only use it for testing purposes. Although the server I've set up writing this tutorial has been running without any kind of problems for two weeks now I recommend if you want to set up a Ubuntu server in a working environment you to go back to 9.10 ‘Karmic Koala' or even an earlier stable version. Okay, this being said let's get started:
1. Download the Lucid Lynx Alpha 2 server CD image from this page
2. Follow the installation wizard and install the core system
3. Under software selection select OpenSSH server -- for remote management of the machine -- and manual package selection for the actual pptpd package. If you want more services, for example if you want to use the computer also as a webserver, you may of course select the additional software. For security reasons I generally advise people to only run one from the outside accessible service per machine if set up in a critical environment, but really that's up to you.
4. In manual selection navigate to ‘not installed packages' -> ‘net' where you will find pptpd. Select it and press ‘g' twice in order to install the package.
5. Let the installation finish and reboot your system.
6. SSH into your newly set up machine and run ‘sudo aptitude update && sudo aptitude safe-upgrade' first to update all packages. Reboot if necessary.
7. Open the pptpd.conf file: ‘sudo nano /etc/pptpd.conf‘ Adjust the IP settings at the bottom to your needs. Under local IP you enter the IP in the local network of your VPN server (if you don't know it type ‘sudo ifconfig' and it will show you your network interfaces and the assigned IPs). For that matter I recommend to set up a static IP in /etc/network/interfaces or in your router configuration.
8. If you want to, you can change the hostname in /etc/ppp/pptpd-options
9. Specify the user names and passwords you want to give access to your vpn: ‘sudo nano /etc/ppp/chap-secrets‘. If you changed the hostname in the step before make sure you type in the same hostname now under ‘server'
# client server secret IP addresses
eubolist pptpd myübersecretpassword *
As in pptp there is no keyfile security depends solely on the password. Which is why you should choose a long (eg. 32 characters), random password. You can generate such a password here.
10. Now we need to set up ip-masquerading: ‘sudo nano /etc/rc.local‘
Add the following lines above the line that says ‘exit 0‘
# PPTP IP forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Optionally I recommend securing your SSH server against brute force attacks:
# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
(also to be inserted above ‘exit 0')
You may have to change ‘eth 0' to another interface, depending on which interface is configured to connect to the internet on your machine.
11. Lastly, uncomment this line in /etc/sysctl.conf:
13. In case your vpn-server doesn't directly connect to the internet you may need to forward port 1723 TCP and GRE to the LAN IP of your vpn-server. Refer to your router's manual or to portforward.com for vendor specific instructions. Again, you may need to assign a static ip in /etc/network/interfaces.
Now you should have access to your local network from virtually anywhere you have access to the internet. Enjoy!