If you need to access your network (be it a home network or a work network) from a remote location, a great option is to set up some sort of VPN connection. There are a few different types of VPN connections, such as PPTP, L2TP, and IPSec, and each has advantages and disadvantages. One of the advantages of PPTP VPN connections is that almost all devices that can create VPN connections already have a PPTP VPN client.
Linux can easily be set up as a PPTP server, and the following guide outlines how to do this.
Install the PPTP server package:
$ sudo apt-get install pptpd
Edit the chap-secrets file, which contains the usernames and passwords for the users that will connect to the VPN.
$ sudo nano /etc/ppp/chap-secrets
Example blank chap-secrets file:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
The following example shows two users (‘vpnuser’ and ‘vpnuser2’), and their plain text password of ‘pass123’. The ‘vpnuser2’ user has been set to use the same IP address (192.168.0.90) on each connection. This is how you can assign a static VPN IP to a specific user.
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpnuser         *       pass123                 *
vpnuser2        *       pass123                 192.168.0.103
Once you have added any users that you want to add, save the file and exit the editor.
Edit the main PPTP configuration file:
$ sudo nano /etc/pptpd.conf
The configuration file is well documented, so have a read through it and see if there are any options you need to change.
The main options that you will need to modify are the ‘localip’ and ‘remoteip’ settings. I set ‘localip’ to the IP address of the server on the LAN side (192.168.0.1 in this case), and ‘remoteip’ to a range of IPs on the same subnet as your LAN (192.168.0.100 through to 192.168.0.120 in this case).
Sample configuration settings:
localip 192.168.0.1
remoteip 192.168.0.100-120
Save the file and exit the editor.
Restart the PPTP/VPN server service for the changes to take effect.
$ sudo /etc/init.d/pptpd restart
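A consistency check for the two files edited above, added here as an example and not part of the original guide: it reads the static IP column of chap-secrets and verifies each one lies inside the remoteip pool from pptpd.conf and does not collide with localip. It assumes the short pool form shown above (a.b.c.lo-hi); pptpd's other remoteip forms are not parsed. The sample files it writes are constructed for the demonstration.

```shell
# Added example (not from the original guide). Assumes the short remoteip
# pool form shown above (a.b.c.lo-hi); pptpd's other forms are not parsed.

# check_static_ips CHAP_SECRETS PPTPD_CONF
# Prints one line per user whose static IP equals localip or lies outside
# the remoteip pool; returns 1 if any such user exists, 0 otherwise.
check_static_ips() {
    awk -v conf="$2" '
        BEGIN {
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                split(line, f)
                if (f[1] == "localip") localip = f[2]
                if (f[1] == "remoteip") {
                    split(f[2], p, "-")        # p[1]="192.168.0.100" p[2]="120"
                    split(p[1], o, ".")
                    prefix = o[1] "." o[2] "." o[3]
                    lo = o[4] + 0; hi = p[2] + 0
                }
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        {
            ip = $4                               # fourth column: IP addresses
            if (ip == "" || ip == "*") next       # dynamic address: nothing to check
            if (ip == localip) { print $1 ": " ip " is the localip"; bad++; next }
            split(ip, q, ".")
            if (q[1] "." q[2] "." q[3] != prefix || q[4] + 0 < lo || q[4] + 0 > hi) {
                print $1 ": " ip " is outside remoteip pool " prefix "." lo "-" hi
                bad++
            }
        }
        END { exit bad > 0 }
    ' "$1"
}

# Constructed sample files (not from a real server) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/chap-secrets" <<'EOF'
# client server secret IP addresses
vpnuser  * pass123 *
vpnuser2 * pass123 192.168.0.103
vpnuser3 * pass123 192.168.0.90
EOF
printf 'localip 192.168.0.1\nremoteip 192.168.0.100-120\n' > "$SAMPLE_DIR/pptpd.conf"
if check_static_ips "$SAMPLE_DIR/chap-secrets" "$SAMPLE_DIR/pptpd.conf"; then
    echo "all static IPs are inside the remoteip pool"
fi
rm -r "$SAMPLE_DIR"
```

Run it against the real files with `check_static_ips /etc/ppp/chap-secrets /etc/pptpd.conf` before restarting pptpd.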
You can now try and connect to the server from a PPTP VPN client.
Use the ifconfig command to see the status of the VPN interfaces once users are connected.
$ ifconfig
The VPN connections appear as ppp# interfaces.
Example ifconfig output with a VPN user connected:
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.1  P-t-P:192.168.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:86 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:7659 (7.6 KB)  TX bytes:98 (98.0 B)
Keep in mind that if your server has firewall rules on it, you will need to allow access to port 1723 with the TCP protocol, and also allow the GRE protocol (protocol number 47). You may also need to allow access from the PPP connections if the VPN users need to access services on the VPN server itself.
If the Linux server is behind a firewall/router, port forward TCP port 1723 to the VPN server (and also GRE, if your firewall/router supports it). Some routers have a pre-defined rule named ‘PPTP’; use this if it exists. Some NAT routers don’t seem to forward the GRE protocol correctly, so make sure your router has PPTP passthrough support.
If you need to access computers on the LAN behind the VPN server machine, you will have to look at enabling forwarding and setting up iptables forwarding rules.
The following should allow all traffic from the VPN to the LAN and vice versa, however don’t use this on a server directly connected to the Internet:
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -o ppp+ -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
(This assumes your LAN subnet is 192.168.0.0/24 on the eth0 network interface.)
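The following script is an added example, not part of the original guide: it prints the firewall commands for the setup above in an order that never leaves the FORWARD chain open, setting a default DROP policy before IP forwarding is switched on. It assumes, as the guide does, that the LAN is 192.168.0.0/24 on eth0 and that the pptpd remoteip pool lies inside that subnet.

```shell
# Added example (not from the original guide). Assumes the LAN side is a
# real Ethernet interface and the pptpd remoteip pool is inside LAN_SUBNET.

# pptp_rules LAN_SUBNET LAN_IF
# Prints one command per line; review them, then pipe to `sudo sh` to apply.
pptp_rules() {
    lan="$1"
    lanif="$2"
    case "$lanif" in
        ppp*)
            # The ppp+ wildcard below is meant for the pptpd links only; a ppp
            # LAN side (e.g. a PPPoE uplink) would be matched by it as well.
            echo "refusing to use a ppp interface as the LAN side: $lanif" >&2
            return 1 ;;
    esac
    # Control channel (TCP/1723) and data channel (GRE) for pptpd itself.
    echo "iptables -I INPUT 1 -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -I INPUT 1 -p gre -j ACCEPT"
    # Default-deny FORWARD before anything else: on a distro whose default
    # policy is ACCEPT, enabling ip_forward alone makes the box an open router.
    echo "iptables -P FORWARD DROP"
    # Replies belonging to flows that were already allowed.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VPN clients may reach the LAN subnet, and the LAN may answer; nothing else.
    echo "iptables -A FORWARD -i ppp+ -o $lanif -s $lan -d $lan -j ACCEPT"
    echo "iptables -A FORWARD -i $lanif -o ppp+ -s $lan -d $lan -j ACCEPT"
    # Only now is it safe to turn forwarding on.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Example run with the guide's values (prints the commands, does not apply them):
pptp_rules 192.168.0.0/24 eth0
```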
This is exactly what I needed when trying to set up my VPN server, pity I only came across it 2 days later.
Excellent – precise and to the point. Love the fact that you stated …
The following should allow all traffic from the VPN to the LAN and vice versa, however don’t use this on a server directly connected to the Internet:
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -o ppp+ -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
Thanx again
=)
Perfect,
I am not a Linux guy yet… How can I create a VPN when the server is connected directly to the internet?
Any solutions….?.
Mikkel
Hi Mikkel,
It really depends how the machine is configured in terms of the number of network interfaces, if it uses pppoe to connect to the internet, etc.
The warning about not using those rules on a server directly connected to the internet is not really meant to be taken as ‘this can’t be done on a server directly connected to the internet’, but more so as ‘don’t use these specific examples, but modify these rules to suit your specific network’.
For example, if you connect to the internet over PPPoE from the same PC as the VPN server, it will create its own ppp interface, and the iptables rules in the example would match both the ppp interface for the pppoe connection, and also the ppp interfaces for the pptp connections.
Also, depending on the Linux distro, the iptables FORWARD chain is probably set to a default policy of ACCEPT, which means as soon as you turn IP forwarding on in the kernel (the sysctl command), you are allowing your server to act as an open router.
If the VPN server is behind a NAT router, the forwarding security can be a bit more open for data traffic.
HELP!!!
I have followed your guide and I got the VPN to work fine etc.
BUT when I connect to the VPN the internet connection is lost.
What to do???
I have tried to change and uncomment in /etc/ppp/pptpd-options
ms-dns 192.168.1.1
But no success!
PLEASE HELP!!!!
Hi John,
It’s hard to know exactly what’s happening in your situation, but I’m going to assume that you have set up the PPTP VPN server at your work, you’re connecting to it from home/elsewhere, and it connects OK, but you lose internet connectivity on your home computer.
By default, a new PPTP VPN connection on Windows will try and route all remote network traffic through the VPN (this includes internet traffic). If the VPN server isn’t set up to handle this, it won’t allow internet traffic through.
Generally what you want, is the VPN traffic to go over the VPN, and all other internet traffic to go through your own internet connection. To do this (assuming you are connecting from a Windows PC), you need to edit the properties of the VPN connection. Once you have the VPN properties window open, go to the “Networking” tab, select “Internet Protocol Version 4 (TCP/IPv4)”, and click the properties button. Click the “Advanced” button on the window that comes up, and then untick “Use default gateway on remote network”. Click OK a few times to get out of the VPN connection settings windows.
You should now be able to connect to the VPN, and still have local internet access.
Hope this helps.
Thanks for the help, I got it all to work now.
The problem was my computer; when I rebooted my computer everything worked fine.
Your guide is really good.
Hello, I need your help. I followed your instructions, but when I tried to get my computer to connect to the VPN it can’t connect. I set the VPN up on a VPS Ubuntu server.
I am still new to Linux. Is there a command I can run to troubleshoot on the VPN server to see why it won’t connect?
Hi Kevin,
There’s a few things you could check.
– Make sure TCP port 1723 and the GRE protocol are allowed through the firewall on the VPN server, assuming a firewall (iptables) is on/enabled and blocking everything by default.
Eg: iptables -I INPUT 1 -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT 1 -p gre -j ACCEPT
– Check the /var/log/messages log for any PPP errors.
– Make sure the VPN client machine is trying to connect using PPTP and not some other protocol like IPSEC or L2TP.
– Use ‘tcpdump -i eth0 port 1723 or proto 47’ to check for incoming traffic on port 1723 or with the gre protocol. Change eth0 to be your external interface on the VPN server.
I’m having an odd problem. I can connect fine to my VPN server on the internet on its eth0, but I can’t get to any of the hosts on the private internal subnet that’s on eth1. The VPN server itself can see those hosts, but my VPN clients cannot. I’ve entered rules as permissive as possible for forwarding traffic from eth0 to eth1 but no luck. sysctl change made, GRE allowed through. It must be something obvious staring me in the face. Anyone have an idea?
Hi Dan,
Firstly, make sure the packets are getting to the VPN server by running a ‘tcpdump’ on the ppp interface. Then from the VPN client, try and ping one of the IPs on the VPN’s LAN side. If you don’t see any traffic, it could be a routing issue on the VPN client PC, and not a config issue on the VPN server. If the LAN subnet on the VPN client PC matches the LAN subnet on the VPN server, there could be routing issues, as it may try and route via the local LAN rather than going over the VPN connection.