Setting up a PPTP VPN server on Debian Etch
PPTP is known to be less secure than other VPN software, but if you need a quick solution for a VPN server that Windows workstations can connect to out of the box, PPTP is the obvious choice. This post will show how easy it is to set up a PPTP VPN server on Debian Etch.
A while ago setting up a pptp server was not so simple. It involved patching the kernel and the ppp daemon. These days in Debian Etch everything comes out of the box and we just have to install the pptpd server and configure it based on our needs. First let’s install pptpd:
aptitude install pptpd
(this will also install some dependencies: bcrelay and ppp). The default pptpd configuration file is installed under /etc/pptpd.conf; you can change any of the available options (samples are included in the configuration file as comments), but really the only things that need to be configured are the IP of the local server, used by pptpd as the local gateway for the remote hosts, and the IPs assigned to the remote users:
localip 192.168.1.1
remoteip 192.168.1.100-120
Here we use the local IP 192.168.1.1 as the pptpd IP, and the remote users will be allocated the first available IP from the range 192.168.1.100 - 192.168.1.120 (meaning we can have a maximum of 20 simultaneous VPN users connected to this pptp server). These IPs are chosen based on the particular setup, and can be either a pair of private IPs (just like in my example above) or even real IPs.
The Debian package also uses the file /etc/ppp/pptpd-options, which contains the main pptpd server settings. A typical config will look like this:
name My.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.1.1
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490
Finally, you will need to add your vpn users in /etc/ppp/chap-secrets, each user on a separate line using the regular pppd format:
# client server secret IP addresses
user * password *
To limit connections from specific hosts, add the allowed ip instead of the * at the end.
Activate the changes by restarting the pptp server:
/etc/init.d/pptpd restart
and look at the logs in /var/log/syslog to troubleshoot any problems.
You can now connect to your new PPTP VPN server using the built-in PPTP VPN client from any modern Windows workstation (except probably Vista, which is broken by SP1) using the default connection settings.
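An added example, not part of the original post: a small shell audit that checks a pptpd-options file for the authentication and encryption directives shown in the config above, and lists chap-secrets users whose IP addresses field is still *. The function names and the sample files are constructed for illustration; point the functions at /etc/ppp/pptpd-options and /etc/ppp/chap-secrets on a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit pptpd auth settings.

# Directives from the article's pptpd-options that force MS-CHAPv2 + MPPE-128.
REQUIRED="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# Print every required directive that is missing or commented out in file $1.
missing_directives() {
    for d in $REQUIRED; do
        # A commented-out line has "#..." as its first word, so it never matches.
        awk -v want="$d" '$1 == want { found = 1 } END { exit !found }' "$1" \
            || echo "$d"
    done
}

# Print users in chap-secrets file $1 whose "IP addresses" field is "*".
unrestricted_users() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 == "*" { print $1 }' "$1"
}

# Constructed sample files: MPPE is commented out and PAP is not refused.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/pptpd-options" <<'EOF'
name My.VPN
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 192.168.1.1
EOF
    cat > "$SAMPLE_DIR/chap-secrets" <<'EOF'
# client server secret IP addresses
alice * constructed-secret-1 *
bob   * constructed-secret-2 192.168.1.101
EOF
}

make_samples
echo "Missing directives:"; missing_directives "$SAMPLE_DIR/pptpd-options"
echo "Users without an IP restriction:"; unrestricted_users "$SAMPLE_DIR/chap-secrets"
rm -rf "$SAMPLE_DIR"
```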
21st June 2008, 09:25
Hey, check out the following site; they have taken many of your articles:
http://www.sinidaily.com/setting-up-a-pptp-vpn-server-on/
21st June 2008, 22:00
wow… thanks for letting me know.
26th August 2008, 11:06
Hi!
Will this setup allow connections from the client through the vpn server to the internet?
26th August 2008, 12:00
tyke: yes, as long as you set up your clients to use the vpn server as their default gw.
26th August 2008, 12:43
great! thank you for the tutorial!
29th August 2008, 21:49
Hi, my problem is that clients can’t get connected to the internet. I entered my eth0 ip as localip and remoteip, but it isn’t connecting to the internet???
1st September 2008, 06:36
sarp: if you assign private ips for your clients then you must ensure that your vpn server will perform NAT for those ips to be able to browse to the outside.
10th September 2008, 05:06
Hi all, the Debian system hangs while starting the PPTP daemon. Does anyone know why this is happening?
23rd September 2008, 10:40
Please leave more information about nat iptables and routing the vpn connection on the internet.
30th September 2008, 20:27
Hi marius, even I can’t access the internet through the VPN server. I have set up localip to be that of eth0, which is a public IP (X.20.4.26). And remoteip is that of eth0:1, which is (X.20.26.209). I am also using iptables and have allowed tcp 1723 and protocol 47. And yet I can’t access the internet through the VPN. After I connect to it, all I can ping is the eth0 ip. Can’t ping other IPs like x.20.26.210 which are assigned to eth0:2 etc. Is there anything else I need to do to be able to access the internet through the VPN?
30th September 2008, 21:09
Ash: the remoteip shouldn’t be bound on the vpn server. Use a free ip for this (one not bound to the server already).
1st October 2008, 20:08
Thanks, I got it to work. I kept localip the same and changed remoteip to private IPs: 10.0.0.1-100. Then I used the following iptables rules.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
TCP port 1723 and protocol 47 were already allowed through iptables.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT