Howto: PPTP VPN Server with Ubuntu 10.04 ‘Lucid Lynx’

This tutorial describes how to set up a computer as a dedicated VPN server for your network. With a VPN server you can open secure data tunnels and access files and devices in your local network (e.g. home or office) from remote locations, which is not only a pretty cool thing (accessing your media library from anywhere) but also very handy for system maintenance, customer support, or working from home.

Note that Lucid Lynx is still in the Alpha 2 stage at the time of writing this article, which means you should only use it for testing purposes. Although the server I've set up while writing this tutorial has been running without any kind of problems for two weeks now, if you want to set up an Ubuntu server in a working environment I recommend you go back to 9.10 ‘Karmic Koala’ or even an earlier stable version. Okay, this being said, let's get started:

1. Download the Lucid Lynx Alpha 2 server CD image from this page

2. Follow the installation wizard and install the core system

3. Under software selection, select OpenSSH server (for remote management of the machine) and manual package selection for the actual pptpd package. If you want more services, for example if you also want to use the computer as a web server, you may of course select the additional software. For security reasons I generally advise people to run only one externally accessible service per machine when it is set up in a critical environment, but really that's up to you.

4. In manual selection navigate to ‘not installed packages’ -> ‘net’ where you will find pptpd. Select it and press ‘g’ twice in order to install the package.

5. Let the installation finish and reboot your system.

6. SSH into your newly set up machine and run ‘sudo aptitude update && sudo aptitude safe-upgrade’ first to update all packages. Reboot if necessary.

7. Open the pptpd.conf file: ‘sudo nano /etc/pptpd.conf’. Adjust the IP settings at the bottom to your needs. Under local IP (localip) enter the IP your VPN server has in the local network (if you don't know it, type ‘sudo ifconfig’ and it will show you your network interfaces and their assigned IPs). I recommend giving the server a static IP, either in /etc/network/interfaces or in your router configuration.

8. If you want to, you can change the hostname in /etc/ppp/pptpd-options.

9. Specify the user names and passwords you want to give access to your VPN: ‘sudo nano /etc/ppp/chap-secrets’. If you changed the hostname in the previous step, make sure you enter the same hostname now under ‘server’.

Example:

# client        server  secret                  IP addresses
eubolist   pptpd   myübersecretpassword   *

Since PPTP uses no key file, security depends solely on the password, which is why you should choose a long (e.g. 32 characters), random password. You can generate such a password here.
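The two points above (one shared secret per client in /etc/ppp/chap-secrets, and that secret being the only thing protecting the account) are what the following added example covers. It is not code from the original post: it generates a 32-character random secret, formats a chap-secrets line in the layout shown above, and audits an existing file for entries whose secret falls below a minimum length. The minimum of 20 characters is an assumption; the file path is the one from step 9.

```shell
#!/bin/sh
# Added example, not from the original post: generate a long random PPTP
# secret and audit /etc/ppp/chap-secrets for entries that fall short of it.
# The 20-character minimum is an assumption; adjust to your policy.

# Print LEN (default 32) random alphanumeric characters from /dev/urandom.
gen_secret() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Format one chap-secrets line: client, server (the pptpd hostname), secret,
# and the allowed client IP ('*' = any, as in the tutorial's example).
chap_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-*}"
}

# Report malformed lines and secrets shorter than MIN characters (default 20).
# Comments and blank lines are skipped; quotes around the secret are ignored.
audit_chap_secrets() {
    file="$1"
    min="${2:-20}"
    awk -v min="$min" '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF < 4 { printf "malformed entry: %s\n", $0; next }
        {
            s = $3
            gsub(/^"|"$/, "", s)
            if (length(s) < min)
                printf "weak secret for %s: %d chars (minimum %d)\n", $1, length(s), min
        }
    ' "$file"
}

# Usage on the server: add a user with a fresh secret, then audit the file.
# secret=$(gen_secret)
# chap_line alice pptpd "$secret" | sudo tee -a /etc/ppp/chap-secrets
# audit_chap_secrets /etc/ppp/chap-secrets
```

Run the audit whenever you add accounts; a short or dictionary secret in this file is the whole attack surface of the account, since nothing else authenticates the client.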

10. Now we need to set up IP masquerading: ‘sudo nano /etc/rc.local’

Add the following lines above the line that says ‘exit 0’:

# PPTP IP forwarding

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Optionally, I recommend securing your SSH server against brute-force attacks:

# SSH Brute Force Protection

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

(also to be inserted above ‘exit 0’)

You may have to change ‘eth0’ to another interface, depending on which interface connects your machine to the internet.

11. Lastly, uncomment this line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

12. Reboot
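Steps 10 and 11 together are what the following added example (not code from the original post) checks and reproduces: it detects the interface carrying the default route instead of hard-coding eth0, prints the masquerade and SSH rate-limit rules for that interface so they can be reviewed before being pasted into /etc/rc.local, and verifies that ip_forward is both uncommented in /etc/sysctl.conf and active in the running kernel. The functions take their input as arguments or file paths so the logic can be exercised on a captured routing table; on the server you feed them the real `ip route` output and the real files.

```shell
#!/bin/sh
# Added example, not from the original post: the rc.local additions from
# steps 10 and 11 with the outbound interface detected rather than assumed
# to be eth0, plus checks that the forwarding switch is really on.

# Return the interface carrying the default route. Takes the output of
# `ip route` as its argument so a captured table can be fed in.
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Print the iptables commands for interface WAN. They are printed, not run,
# so the rules can be reviewed before being pasted above "exit 0" in rc.local.
firewall_rules() {
    wan="$1"
    cat <<EOF
# PPTP IP forwarding
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

# SSH Brute Force Protection: a source that opens 8 or more new SSH
# connections within 60 seconds is dropped until it backs off.
iptables -A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
EOF
}

# Step 11 check, part 1: is net.ipv4.ip_forward=1 uncommented in sysctl.conf?
sysctl_forward_configured() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Step 11 check, part 2: is forwarding active in the running kernel?
# Pass /proc/sys/net/ipv4/ip_forward on a real system.
kernel_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Usage on the server itself:
# wan=$(default_iface "$(ip route)")
# firewall_rules "$wan"
# sysctl_forward_configured /etc/sysctl.conf || echo "ip_forward is still commented out"
# kernel_forward_enabled /proc/sys/net/ipv4/ip_forward || echo "forwarding is off; reboot or run sysctl -p"
```

The two forwarding checks are deliberately separate: editing sysctl.conf changes nothing until the next reboot or `sysctl -p`, and a client that connects but cannot reach anything beyond the server is the usual symptom of the kernel switch still being off.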

13. In case your VPN server doesn't connect directly to the internet, you may need to forward port 1723 TCP and GRE to the LAN IP of your VPN server. Refer to your router's manual or to portforward.com for vendor-specific instructions. Again, you may need to assign a static IP in /etc/network/interfaces.

Now you should have access to your local network from virtually anywhere you have access to the internet. Enjoy!

via eubolist.wordpress.com


36 Responses

  1. joeYao says:

    Why install PPTP Server on a alpha version of ubuntu?

  2. eubolist says:

    As I mentioned the server was set up for testing purposes.
    But I guess the answer to your question could be “to show that even in Alpha stage Ubuntu runs really nice and stable” 😉

  3. mapman88 says:

    At work in bush Alaska I have wireless internet. I have Karmic on my computer. I want to try your server tutorial on another computer I have. What hardware setup would I need to set this up, and would I then go through my server from my computer to get to the internet on my VPN?

  4. eubolist says:

    This setup can actually be done with very old hardware. A server like this may run on a PC as old as a Pentium III 500 MHz. My setup was done on an old laptop, so specialized (and possibly expensive) server hardware isn’t a necessity.
    A VPN will tunnel your whole traffic through your server. So yes, not only will you access the remote LAN through your server but also normal internet traffic will be routed through your server. You can easily check this: If you go to http://whatismyip.com/ before and after you established a connection to your VPN it should show a different IP.

  5. Randy says:

    Why did you choose to use PPTP as opposed to Openvpn?

  6. eubolist says:

    Because it’s a lot easier to configure and when I set up a VPN server for customers they usually want to connect with computers running Windows. PPTP they can easily set up themselves whereas with Openvpn the installation and configuration is too complicated for most of the everyday users.

  7. smartqv5 says:

    This works great. My Windows machine connects no problem. Ubuntu, ironically, can’t seem to connect. Neither can my dd-wrt router. Any suggestions!?!

  8. eubolist says:

    Did you check /var/log/syslog on your pptp-server for any error messages? What error does Ubuntu/dd-wrt give you? Also check your Ubuntu version, your kernel has to be at least version 2.6.15 or above.

  9. smartqv5 says:

    server:
    Feb 8 02:36:09 yapptptest pptpd[2331]: CTRL: Client 71.163.237.193 control connection started
    Feb 8 02:36:10 yapptptest pptpd[2331]: CTRL: Starting call (launching pppd, opening GRE)
    Feb 8 02:36:10 yapptptest pppd[2332]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Feb 8 02:36:10 yapptptest pppd[2332]: pppd 2.4.5 started by root, uid 0
    Feb 8 02:36:10 yapptptest pppd[2332]: Using interface ppp0
    Feb 8 02:36:10 yapptptest pppd[2332]: Connect: ppp0 /dev/pts/1
    Feb 8 02:36:10 yapptptest pptpd[2331]: GRE: Bad checksum from pppd.
    Feb 8 02:36:40 yapptptest pptpd[2331]: CTRL: Reaping child PPP[2332]
    Feb 8 02:36:40 yapptptest pppd[2332]: Modem hangup
    Feb 8 02:36:40 yapptptest pppd[2332]: Connection terminated.
    Feb 8 02:36:40 yapptptest pppd[2332]: Exit.
    Feb 8 02:36:40 yapptptest pptpd[2331]: CTRL: Client 71.163.237.193 control connection finished

    client:
    Using nm-applet in gnome, I get message
    VPN Connection failed.

  10. smartqv5 says:

    after googling a bit I realized there are… many possible problems. nm-applet could be messed up, or it could be a problem with the way this computer connects to the internet and the pptp connection not being able to connect that way. anyway, I give up.

  11. eubolist says:

    Shame. You know you could try setting up an IPSec VPN (OpenSwan) or OpenVPN for your Ubuntu pc.
    If you still want to use pptp I suggest you open a thread on ubuntuforums.org – usually they can help you troubleshoot your problem.
    Cheers

  12. The-Game says:

    hi every1,
    I have been trying to make a dial-up connection in my Ubuntu 9.10 but after following the complete steps of pppoeconf my internet still doesn't work. Can anyone guide me with it?? 🙂

  13. E1000 says:

    Thanks for the clear guide however I was unable to get internet access to work through the VPN.

    I am able to connect (from Windows 7) and I receive an IP from the VPN network. However, the Default Gateway gets set to 0.0.0.0. I have checked all the instructions and other sites as well for hours and have been unable to find a fix. Is there anything else to check in order to have internet traffic routed over the VPN? I am assuming that there is something wrong with the Default Gateway assignment coming from the VPN server.

    Thanks

  14. eubolist says:

    E1000: Are you sure the VPN server assigns an IP in a different subnet than your original LAN? If the DHCP server (in most cases the router) assigns for example 192.168.1.xx the VPN server must not serve an address from this range. You have to set it to something different in order to work (eg. 192.168.100.xx, 10.0.0.xx, …)
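The check described in the reply above (the remoteip pool from step 7 must not lie inside the LAN the server already sits on) as an added example, not code from the original post or its comments. It parses pptpd's "A.B.C.X-Y" range notation and single addresses; comma-separated lists of ranges are an assumption not handled here. The sample pptpd.conf contents used in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the pptpd remoteip
# pool does not overlap the LAN, the misconfiguration diagnosed above.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address of a pptpd range ("192.168.9.1-10" or "10.0.0.5").
# pptpd's range syntax varies only the last octet, so the prefix is reused.
pool_bounds() {
    first=${1%-*}
    case $1 in
        *-*) last=${first%.*}.${1#*-} ;;
        *)   last=$first ;;
    esac
    echo "$first $last"
}

# Exit 0 if the pool RANGE overlaps the network CIDR (e.g. 192.168.1.0/24).
# Two intervals overlap iff each one's start lies at or before the other's end.
pool_overlaps_lan() {
    set -- $(pool_bounds "$1") "$2"
    cidr=$3
    bits=${cidr#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    lan_lo=$(( $(ip2int "${cidr%/*}") & mask ))
    lan_hi=$(( lan_lo | (~mask & 4294967295) ))
    pool_lo=$(ip2int "$1")
    pool_hi=$(ip2int "$2")
    [ "$pool_lo" -le "$lan_hi" ] && [ "$pool_hi" -ge "$lan_lo" ]
}

# Read the remoteip line of a pptpd.conf and check it against the LAN.
check_pptpd_conf() {
    lan=$1
    remoteip=$(awk '$1 == "remoteip" { print $2; exit }' "$2")
    if [ -z "$remoteip" ]; then
        echo "no remoteip set in $2"
        return 2
    fi
    if pool_overlaps_lan "$remoteip" "$lan"; then
        echo "BAD: remoteip $remoteip overlaps LAN $lan; pick a pool outside it"
        return 1
    fi
    echo "OK: remoteip $remoteip lies outside LAN $lan"
}

# Usage (constructed values): a server on 192.168.0.0/24 with the pool from
# the comment below passes, while a pool inside 192.168.0.x is reported.
# check_pptpd_conf 192.168.0.0/24 /etc/pptpd.conf
```

The pool must be outside the LAN because the server routes between the two; if both sides share a prefix, the client's own interface route and the tunnel route compete for the same addresses and traffic never reaches the gateway.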

  15. Emil Goldfarb says:

    eubolist, thanks for the quick response, your support is greatly appreciated.

    I have made the following changes to the /etc/pptpd.conf file so that I will be given IPs on a different subnet.

    localip 192.168.0.9
    remoteip 192.168.9.1-10

    I restarted the pptp daemon and reconnected. I was given the new IP on windows, but still the problem remained. I can access all the machines on the remote network but cannot access the internet via the VPN.

    Here is what ipconfig on Windows shows:

    PPP adapter MyVPN:
    Connection-specific DNS Suffix . :
    IPv4 Address. . . . . . . . . . . : 192.168.9.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0

    As you can see, the Default Gateway remains 0.0.0.0, is this normal?

  16. eubolist says:

    Have you added a DNS (and WINS) server in /etc/ppp/options? There you should specify the IP of the server (in a home network that would be the router) in the remote network. Plus double-check whether you did step 11 properly…

  17. Emil says:

    Thanks once again for the response. I have made the changes on the /etc/ppp/options as shown:

    # Specify which DNS Servers the incoming Win95 or WinNT Connection should use
    # Two Servers can be remotely configured
    # ms-dns 192.168.1.1
    # ms-dns 192.168.1.2
    ms-dns 192.168.0.1

    # Specify which WINS Servers the incoming connection Win95 or WinNT should use
    # ms-wins 192.168.1.50
    # ms-wins 192.168.1.51
    ms-wins 192.168.0.1

    and I have checked step 11 to be done properly.

    My current status is that when connected to the VPN I can:

    *Ping IPs and names.
    *Messenger and SSH work fine
    *Browse Google and do searches.
    *Browse Websites by using their IPs on the URL.
    *Cannot browse websites normally.
    *Trace routes go through the VPN server.

    Thanks

  18. eubolist says:

    Emil: Okay, that sounds most obviously like a DNS issue. Try specifying the OpenDNS servers as primary and secondary dns servers:
    ms-dns 208.67.222.222
    ms-dns 208.67.220.220

    I strongly recommend using OpenDNS with Windows anyway, as it adds yet another layer of security to your network.

  19. Emil says:

    eubolist, thanks for your support. I have added the ms-dns entries into /etc/ppp/options as you suggested and restarted the equipment. Unfortunately the situation remained the same. Any other ideas?

    Thanks

  20. eubolist says:

    Is it still showing 0.0.0.0 under Default Gateway? Another issue could be a Firewall or “Security Suite” on the Windows side. Try deactivating any of those. Can you ping eg. google.com from the command line?

  21. Emil says:

    Yes, the situation has remained the same as my previous report:
    *Ping IPs and names.
    *Messenger and SSH work fine
    *Browse Google and do searches.
    *Browse Websites by using their IPs on the URL.
    *Cannot browse websites normally.
    *Trace routes go through the VPN server.
    *IPv4 Address : 192.168.9.1
    *Subnet Mask : 255.255.255.255
    *Default Gateway : 0.0.0.0

    Thanks

  22. eubolist says:

    If you can ping a domain name I don’t see any reason why it wouldn’t resolve in a browser. Have you tried different browsers?
    By the way I suggest you open a thread in the Ubuntuforums, that way more people will have a look at your problem.

  23. Lemuel says:

    Great tutorial, Eubolist. I followed this tutorial to set up a pptp server on a Lucid server Linode VPS. Everything worked flawlessly and I was able to connect from an OS X system, but browsing websites didn’t work until I added ms-dns entries in /etc/ppp/pptpd-options. I guess that option is necessary for it to work with most systems?

  24. eubolist says:

    I think it depends on the network setup on the vpn-server side. In my setup connecting from OS X works fine without specifying an ms-dns entry in the pptpd-options file. But I’ve updated the original entry on my blog as you don’t seem to be the only one with this problem.

  25. sprudls says:

    To access the machines in the “tunnelled” network and surf the internet simultaneously, you can configure the Windows 7 client to allow for “split tunnelling”. You configure this on the Windows 7 PC in the properties of the VPN connection:
    Open the Networking tab and open the IPv4 properties. Choose the “Advanced…” button and clear the check mark “Use Standard Gateway….”. Do not uncheck the “Automatic Metric” box.
    Confirm all changes and reconnect the VPN tunnel.

  26. Simon says:

    I followed this guide.

    Can connect to the VPN, but can’t ping IPs or browse Web sites. Have specified DNS server (OpenDNS).

    Can only ping the server.

    What is wrong?

  27. sash says:

    I was able to get all of my traffic to go through the VPN connection by changing the binding order of the Advanced Settings in the Network Connection windows. I put Remote Access Connection at the top of the list. Then I used Open DNS servers on my Ubuntu vpn server machine in /etc/ppp/pptpd-options file:
    ms-dns 208.67.222.222
    ms-dns 208.67.220.220
    I did not uncheck anything on the TCPIP settings of the vpn connection of Windows client as was suggested by the post above. Nslookup defaulted to open DNS server and tracert went through my vpn connection.

  28. Ted Mittelstaedt says:

    On my Ubuntu install I had to comment out the requirements for data encryption in /etc/pptpd-options as such:

    # Encryption
    # Debian: on systems with a kernel built with the package
    # kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, …
    # {{{
    refuse-pap
    # refuse-chap
    # refuse-mschap
    # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
    # Challenge Handshake Authentication Protocol, Version 2] authentication.
    # require-mschap-v2
    # Require MPPE 128-bit encryption
    # (note that MPPE requires the use of MSCHAP-V2 during authentication)
    # require-mppe-128
    # }}}

    I left in the pap refusal. I also had to change the properties in the Windows XP dialup to uncheck the Require Data Encryption button. This is Ubuntu with the 2.6.32-25-generic kernel.
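The options file quoted in the comment above is worth auditing rather than editing by hand: with require-mppe-128 commented out, pppd no longer insists on MPPE, so a client that does not request encryption (as the Windows XP setting mentioned above allows) gets a tunnel that carries traffic in the clear, and with require-mschap-v2 commented out weaker authentication methods are accepted. The following added example, not code from the post or its comments, reports each of the directives shown in that snippet as active or disabled. It reads the Debian/Ubuntu path from step 8, /etc/ppp/pptpd-options; the comment above names /etc/pptpd-options, so check which one your pppd actually loads.

```shell
#!/bin/sh
# Added example, not from the original post: audits a pptpd-options file for
# the authentication and encryption requirements quoted in the comment above.

# Exit 0 if DIRECTIVE appears uncommented at the start of a line in FILE.
option_active() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$2"
}

# Print one status line per directive; the return value is the number of
# directives that are missing or commented out (0 = all requirements active).
audit_pptpd_options() {
    file=$1
    missing=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if option_active "$opt" "$file"; then
            echo "active   $opt"
        else
            echo "DISABLED $opt"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage on the server (path from step 8 of the tutorial):
# audit_pptpd_options /etc/ppp/pptpd-options || echo "encryption/authentication requirements relaxed"
```

A non-zero return value is the signal to investigate why a client fails with the requirements in place (kernel MPPE support, client settings) rather than to leave them disabled.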

  29. Dmitry says:

    I am trying to set up a VPN on an Ubuntu server from which I get the internet connection. It seems to work on the server, but when I try to share that connection via eth1 problems begin. From the second PC I am able to ping websites, but I can’t open them in any of the browsers. They are opening very very slowly. I have Ubuntu on my laptop (not a server one). And I connect to the internet via VPN using NetworkManager. I do all steps described in the “Internet Connection Sharing” section of this web site. After that I connect my PC to the laptop. That PC gets a proper internet connection.

    I had the same problem on my router WL-500; after setting “nomppc” I was able to get a proper Internet connection behind the router. However there is no such setting as nomppc in Ubuntu server pppd.

    Any suggestions why it works via my laptop using NetworkManager, but doesn’t want to work on another machine with ubuntu server ?

  30. Tohid says:

    Great tutorial … Thanks !
