MDLog:/sysadmin

The Journal Of A Linux Sysadmin

Setting Up a PPTP VPN Server on Debian Etch

| Comments

PPTP is known to be less secure than other VPN software, but if you need a quick solution for a VPN server that will connect out of the box from Windows workstations PPTP is the obvious choice. This post will show how easy it is to setup a pptp vnp server on Debian Etch.

A while ago setting up a pptp server was not so simple. It involved patching the kernel and the ppp daemon. These days in Debian Etch everything comes out of the box and we just have to install the pptpd server and configure it based on our needs. First let’s install pptpd:

1
aptitude install pptpd

(this will install also some dependencies: bcrelay and ppp). The default pptpd configuration file is installed under /etc/pptpd.conf ; you can change any of the available options (samples are included in the configuration file as comments), but really the only thing that needs to be configured is the ip of the local server used by pptpd as the local gateway for the remote hosts and the remote users assigned ips:

1
2
localip 192.168.1.1
remoteip 192.168.1.100-120

here we will use the local ip 192.168.1.1 as the pptpd ip and the remote users will be allocated the first available ip from the range 192.168.1.100 – 192.168.1.120 (meaning we can have a maximum of 20 simultaneous vpn users connected to this pptp server). These ips are assigned based on the particular setup, being either a pair of private ips (just like in my example above) or even real ips.

The debian package also uses the file /etc/ppp/pptpd-options containing the main pptpd server configs. A typical config will look like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
name My.VPN

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

ms-dns 192.168.1.1

proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

Finally, you will need to add your vpn users in /etc/ppp/chap-secrets, each user on a separate line using the regular pppd format:

1
2
# client        server  secret                 IP addresses
user            *       password               *

To limit connections from specific hosts, add the allowed ip instead of the * at the end.

Activate the changes restarting the pptp server:

1
/etc/init.d/pptpd restart

and look for the logs under /var/log/syslog to troubleshoot any problems.

You can now connect to your new PPTP VPN server using the built-in pptp vpn client from any modern windows workstation (except probably vista that is broken by sp1) using the default connection settings.

Comments