Setting up a PPTP VPN server on Debian Etch
PPTP is known to be less secure than other VPN software, but if you need a quick solution for a VPN server that will connect out of the box from Windows workstations, PPTP is the obvious choice. This post will show how easy it is to set up a PPTP VPN server on Debian Etch.
A while ago setting up a pptp server was not so simple. It involved patching the kernel and the ppp daemon. These days in Debian Etch everything comes out of the box and we just have to install the pptpd server and configure it based on our needs. First let’s install pptpd:
aptitude install pptpd
(this will also install some dependencies: bcrelay and ppp). The default pptpd configuration file is installed under /etc/pptpd.conf; you can change any of the available options (samples are included in the configuration file as comments), but really the only things that need to be configured are the IP of the local server, used by pptpd as the local gateway for the remote hosts, and the IPs assigned to the remote users:
localip 192.168.1.1
remoteip 192.168.1.100-120
Here we will use the local IP 192.168.1.1 as the pptpd IP, and the remote users will be allocated the first available IP from the range 192.168.1.100 – 192.168.1.120 (meaning we can have a maximum of 20 simultaneous VPN users connected to this PPTP server). These IPs are assigned based on the particular setup, being either a pair of private IPs (just like in my example above) or even real IPs.
The debian package also uses the file /etc/ppp/pptpd-options containing the main pptpd server configs. A typical config will look like this:
name My.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.1.1
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490
Finally, you will need to add your VPN users in /etc/ppp/chap-secrets, each user on a separate line using the regular pppd format:
# client server secret IP addresses
user * password *
To limit connections from specific hosts, add the allowed IP instead of the * at the end.
Activate the changes by restarting the pptp server:
/etc/init.d/pptpd restart
and look at the logs in /var/log/syslog to troubleshoot any problems.
You can now connect to your new PPTP VPN server using the built-in PPTP VPN client from any modern Windows workstation (except probably Vista, which is broken by SP1) using the default connection settings.
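As an added example (not part of the original post), the following Python script audits the two files configured above: it reports which of the authentication and encryption options from the sample pptpd-options are missing or overridden, and which chap-secrets entries use a wildcard address or a short secret. The function names, the 12-character threshold and the sample data are assumptions constructed for illustration.

```python
import shlex

# Options from the article's pptpd-options sample that pin authentication to
# MS-CHAPv2 and encryption to 128-bit MPPE.
REQUIRED = {"refuse-pap", "refuse-chap", "refuse-mschap",
            "require-mschap-v2", "require-mppe-128"}
# pppd options that would undo those settings if someone added them later.
WEAKENING = {"noauth", "require-pap", "require-chap", "require-mschap"}
MIN_SECRET_LEN = 12  # assumption: a local policy threshold, not a pppd rule

def tokens(text):
    """Yield (line_number, fields) for each line that is not blank or comment."""
    for number, raw in enumerate(text.splitlines(), start=1):
        try:
            fields = shlex.split(raw, comments=True)
        except ValueError:              # unbalanced quote in the line
            fields = ["<unparseable>"]
        if fields:
            yield number, fields

def audit_options(text):
    """Return (missing required options, weakening options present)."""
    present = {fields[0] for _, fields in tokens(text)}
    return sorted(REQUIRED - present), sorted(WEAKENING & present)

def audit_secrets(text):
    """Return (line_number, client, problem) for each risky chap-secrets entry."""
    findings = []
    for number, fields in tokens(text):
        if len(fields) < 3:
            findings.append((number, fields[0], "malformed entry"))
            continue
        client, _server, secret, *addresses = fields
        if "*" in addresses:            # account may use any tunnel address
            findings.append((number, client, "wildcard address field"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((number, client, "short secret"))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_OPTIONS = ("name My.VPN\nrefuse-pap\nrefuse-chap\n# refuse-mschap\n"
                  "require-mschap-v2\nms-dns 192.168.1.1\n")
SAMPLE_SECRETS = ('# client server secret IP addresses\n'
                  'alice * "correct horse battery" 192.168.1.101\n'
                  'bob * hunter2 *\n')

if __name__ == "__main__":
    print(audit_options(SAMPLE_OPTIONS))
    print(audit_secrets(SAMPLE_SECRETS))
```

In pppd the fourth chap-secrets field lists the addresses the authenticated client may use on the link, so replacing * with one address gives each user a fixed tunnel IP that firewall rules can match.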
21st June 2008, 09:25
Hey, check out the following site; they have taken many of your articles:
http://www.sinidaily.com/setting-up-a-pptp-vpn-server-on/
21st June 2008, 22:00
wow… thanks for letting me know.
26th August 2008, 11:06
Hi!
Will this setup allow connections from the client through the vpn server to the internet?
26th August 2008, 12:00
tyke: yes, as long as you set up your clients to use the vpn server as their default gw.
26th August 2008, 12:43
great! thank you for the tutorial!
29th August 2008, 21:49
Hi, my problem is that clients can’t get connected to the internet. I entered my eth0 ip to localip and remoteip, but it isn’t connecting to the internet???
1st September 2008, 06:36
sarp: if you assign private ips for your clients then you must ensure that your vpn server will perform NAT for those ips to be able to browse to the outside.
10th September 2008, 05:06
Hi all, Debian system hangs up while starting the PPTP daemon. Does anyone know why this is happening?
23rd September 2008, 10:40
Please leave more information about nat iptables and routing the vpn connection on the internet.
30th September 2008, 20:27
Hi marius, even I can’t access the internet through the VPN server. I have set up localip to be that of eth0 which is a public IP (X.20.4.26). And remoteip is that of eth0:1 which is (X.20.26.209). I am also using iptables and have allowed tcp 1723 and protocol 47. And yet I can’t access the internet through the VPN. After I connect to it all I can ping is the eth0 ip. Can’t ping other IPs like x.20.26.210 which are assigned to eth0:2 etc. Is there anything else I need to do to be able to access the internet through the VPN?
30th September 2008, 21:09
Ash: the remoteip shouldn’t be bound on the vpn server. Use a free ip for this (one not bound to the server already).
1st October 2008, 20:08
Thanks, I got it to work. I kept localip the same and changed remoteip to private IPs. 10.0.0.1-100. Then used the following iptables rules.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
TCP port 1723 and protocol 47 were already allowed through iptables.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
18th August 2009, 13:44
In PPTP VPN Server the client appears to connect, but their User name and appears as unknown.. any idea ?
18th August 2009, 20:07
@Shab: check the system logs (/var/log/syslog under debian or /var/log/messages under centos) and see what is the error.
25th August 2009, 17:19
One quick note:
the following settings in pptpd-options seem to cause problems in my scenario.
Just removing them fixes the problem:
noipx
mtu 1490
mru 1490
I did not do extensive checks but I suspect the problem is the mtu size. Omitting the parameter uses the default value which is lower than 1490.
Beside that, thanks man, really. Your guide is super-easy and well done. You really saved me lots of hours of pain and suffering.
10th February 2010, 10:14
u r awesome i swear i’ve been searching since 10 days i really would like to thank you – Marius -
1st March 2010, 14:13
Hello,
Great Dude. Thanks a lot. I have a small problem.. I am not understanding the importance of localip 192.168.1.1
remoteip 192.168.1.100-120.. Can you plz elaborate on this
5th April 2010, 01:14
Just throwing this out there in case anyone else was stuck in the same place. If you still can’t get the server to route even with the NAT rules in the iptables, check here:
cat /proc/sys/net/ipv4/ip_forward
If that returns zero, then your server isn’t enabled to do any routing! Just do this:
echo 1 > /proc/sys/net/ipv4/ip_forward
and you’ll be in business. I’m sure this is common knowledge for folks that do a lot of linux networking, but it had me pretty stumped : )
30th May 2010, 10:25
when i run aptitude install pptpd…
it returns the error of Couldn’t find any package whose name or description matched “pptpd”
i also get the same error if i run apt-get install pptpd
thanks
30th May 2010, 16:23
@Pat: there must be something wrong with your apt sources. What are you using? The package exists in all debian releases: http://packages.debian.org/etch/pptpd
1st June 2010, 05:32
yeh that’s where i get confused as well, could you please advise how to make this available in my apt options file?
1st June 2010, 06:13
@Pat: /etc/apt/sources.list
7th July 2010, 20:49
I currently own 4 unique IPs (e.g. 85.190.XX.XX, 85.190.XX.XX, 85.190.XX.XX, 85.190.XX.XX). Are these my remote or local ips?
29th October 2010, 07:25
[...] there are so many different guides on the net! g**gle brings them all up
pptp-server1 pptp-server2 pptp-server3(old) … to name just a few [...]
6th January 2011, 10:36
Got this error in syslog
Jan 6 18:02:06 83 pppd[8182]: In file /etc/ppp/pptpd-options: unrecognized option ‘require’
Trying to connect from my laptop winxp sp3
8th February 2011, 03:21
the setup went successfully but no internet after connecting to VPN!?
9th February 2011, 01:04
Hi. I’m setting up the pptpd on my server. All is working between connected clients and the server. I can ping from vpn client (192.168.0.235) to the server (192.168.0.1) and vice versa. I cannot ping from client1 (192.168.0.235) to client2 (192.168.0.236) and so use all the services. The forward option is on.
What configuration is missing ? Thanks so much in advance.
18th June 2011, 11:47
Why do I get a “Error 619: A connection to the remote computer could not be established, so the port that was used for the connection was closed” I’m using windows XP to connect.
I think something is wrong with my /etc/ppp/chap-secrets file which i have pasted below.
# Secrets for authentication using CHAP
# client server secret IP addresses
linuxthefish * mypassword *
22nd August 2011, 04:27
Hello there. Thanks for the very nice PPTP VPN manual. I’ve got just one question. Is it possible to monitor users’ traffic on VPN? Give users quota for VPN? The problem is that users on my server are making too much traffic and I need to stop this. Thanks for any help. lu
22nd August 2011, 08:23
@Lukas: I don’t think this is possible. You can definitely implement rules based on the ips you assign to the users and use other external tools to limit/monitor the traffic that way, but pptp doesn’t have native support for something like that.
11th December 2011, 09:25
i have my doubts this will work; you have to give a public ip, and 192.168.1.x is a private network address ;….
22nd December 2011, 01:22
need to enable forward
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p
and update iptables also
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source "public ip"
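Added example, not part of the original post or of any commenter's reply: several comments above trace "connected but no internet" to IP forwarding and NAT, and this Python script checks both from the contents of /proc/sys/net/ipv4/ip_forward and the output of iptables-save, while also flagging rules that are broader than the VPN needs. The function names, the 10.0.0.0/24 client range and the two sample dumps are assumptions constructed for illustration.

```python
import shlex

def parse_rules(dump):
    """Return [(table, chain, args)] for every -A line of iptables-save text."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:].strip()
        elif line.startswith("-A "):
            args = shlex.split(line)
            rules.append((table, args[1], args[2:]))
    return rules

def opt(args, flag):
    """Value that follows flag in a rule's arguments, or None if absent."""
    return args[args.index(flag) + 1] if flag in args else None

def diagnose(ip_forward, dump, vpn_if="ppp+"):
    """Return findings that explain or harden a 'connected, no internet' setup."""
    rules, found = parse_rules(dump), []
    if ip_forward.strip() != "1":
        found.append("ip_forward is off")
    nat = [a for t, c, a in rules if (t, c) == ("nat", "POSTROUTING")
           and opt(a, "-j") in ("MASQUERADE", "SNAT")]
    if not nat:
        found.append("no source NAT rule")
    elif all(opt(a, "-s") is None for a in nat):
        found.append("NAT rule not scoped with -s")
    for t, c, a in rules:
        if ((t, c) == ("filter", "FORWARD") and opt(a, "-j") == "ACCEPT"
                and opt(a, "-o") == vpn_if
                and not {"--state", "--ctstate"} & set(a)):
            found.append("inbound forward to VPN clients is stateless")
    return found

# Constructed dumps: LOOSE mirrors the rules posted in the comments,
# TIGHT scopes NAT to the VPN range and only lets replies back in.
LOOSE = ("*nat\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n"
         "*filter\n-A FORWARD -i ppp+ -o eth0 -j ACCEPT\n"
         "-A FORWARD -i eth0 -o ppp+ -j ACCEPT\nCOMMIT\n")
TIGHT = (LOOSE.replace("-A POSTROUTING", "-A POSTROUTING -s 10.0.0.0/24")
         .replace("-o ppp+ -j", "-o ppp+ -m state --state RELATED,ESTABLISHED -j"))

if __name__ == "__main__":
    print(diagnose("0\n", LOOSE))
    print(diagnose("1\n", TIGHT))
```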