vpn Archives - Networking HowTos

Common VPN ports and protocols

March 18, 2020 Networking

The following is a list of the common VPN connection types, and the relevant ports, and protocols, that generally need to be open on the firewall for VPN traffic to flow through.

PPTP

Protocol	Port
TCP	1723
GRE (Proto 47)	N/A

SSTP

Protocol	Port
TCP	443

L2TP

Protocol	Port
UDP	1701

IPSec

Protocol	Port	Description
UDP	500	IKE
UDP	4500	NAT-Traversal
ESP (Proto 50)	N/A	ESP
AH (Proto 51)	N/A	AH

L2TP with IPSec

Protocol	Port	Description
UDP	1701	L2TP
UDP	500	IPSec
UDP	4500	IPSEC – NAT Traversal

OpenVPN

Protocol	Port	Description
UDP	1194	Default Protocol
TCP	1194	Alternate Protocol

IKEv2

Protocol	Port	Description
UDP	500	IPSec IKEv2
UDP	4500	NAT Traversal

Connect to a PPTP VPN Server from Ubuntu Linux

December 2, 2012 Linux, Ubuntu

This howto outlines how to connect to a PPTP VPN server from a Linux computer running Ubuntu (or a Ubuntu based distribution). It covers the installing of the PPTP VPN client, configuration, and connecting/disconnecting from the VPN connection.
Continue Reading…

Configure a PPTP VPN Server on Ubuntu Linux

February 10, 2012 Linux, Ubuntu

If you need to access your network (be it a home network, or a work network) from a remote location, a great option is to set up some sort of VPN connection. There are a few different types of VPN connections, such as PPTP, L2TP, and IPSec, and each has advantages and disadvantages. One of the advantages of PPTP VPN connections is that almost all devices that can create VPN connections, have a PPTP VPN client already.
Linux can be set up as a PPTP Server easily, and the following guide will outline how to do this.
Install the PPTP server package:

$ sudo apt-get install pptpd

Edit the chap-secrets file, which contains the usernames and passwords for the users that will connect to the VPN.

$ sudo nano /etc/ppp/chap-secrets

Example blank chap-secrets file:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

The following example shows two users (‘vpnuser’ and ‘vpnuser2’), and their plain text password of ‘pass123’. The ‘vpnuser2’ user has been set to use the same IP address (192.168.0.90) on each connection. This is how you can assign a static VPN IP to a specific user.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpnuser         *       pass123                 *
vpnuser2        *       pass123                 192.168.0.103

Once you have added any users that you want to add, save the file and exit the editor.
Edit the main PPTP configuration file:

$ sudo nano /etc/pptpd.conf

The configuration file is well documented, so have a read through it and see if there are any options you need to change.
The main option that you will need to modify, is the ‘localip’ and ‘remoteip’ settings. I set the ‘localip’ option to be the IP address of the computer on the LAN side (192.168.0.1 in this case), and the ‘remoteip’ to be a range of IP’s on the same subnet as your LAN (192.168.0.100 through to 192.168.0.120 in this case).
Sample configuration settings:

localip 192.168.0.1
remoteip 192.168.0.100-120

Save the file and exit the editor.
Restart the PPTP/VPN server service for the changes to take effect.

sudo /etc/init.d/pptpd restart

You can now try and connect to the server from a PPTP VPN client.
Use the ifconfig command to see the status of the VPN interfaces, if there are any users connected.

ifconfig

The VPN connections will appear as ppp# connections.
Example ifconfig output with a VPN user connected:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.1  P-t-P:192.168.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:86 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:7659 (7.6 KB)  TX bytes:98 (98.0 B)

Keep in mind that if your server has firewall rules on it, you will need to allow access to port 1723 with the TCP protocol, and also allow the GRE protocol (protocol number 47). You may also need to allow access from the PPP connections if the VPN users need to access services on the VPN server itself.
If the Linux server is behind a firewall/router, port forward TCP port 1723 to the VPN server (and also GRE if available on your firewall/router). Some routers may have a pre-defined rule named ‘PPTP’. Use this if it exists. Some NAT routers don’t seem to forward the GRE protocol correctly. Make sure your router has PPTP Pass through support.
If you need to access computers on the LAN behind the VPN server machine, you will have to look at enabling forwarding and setting up iptables forwarding rules.
The following should allow all traffic from the VPN to the LAN and vice versa, however don’t use this on a server directly connected to the Internet:

$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -o ppp+ -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

(This assuming your LAN subnet is 192.168.0.0/24 on the eth0 network interface.)