Eubolist's Blog

about IT, Linux, the web and much more

Howto: PPTP VPN Server with Ubuntu 10.04 ‘Lucid Lynx’

with 19 comments

This tutorial describes how to set up a computer as a dedicated VPN server for your network. With a VPN server you can open secure data tunnels and access files and devices in your local network (e.g. home or office) from remote locations, which is not only a pretty cool thing (accessing your media library from anywhere) but also very handy for system maintenance, customer support, or working from home.

VPN scheme: a simple diagram of how a VPN works. Through your VPN server you will have full, secure access to your LAN (source: caconsultant.com).


Note that Lucid Lynx is still in the Alpha 2 stage at the time of writing, which means you should only use it for testing purposes. Although the server I’ve set up while writing this tutorial has been running without any kind of problems for two weeks now, if you want to set up an Ubuntu server in a working environment I recommend that you go back to 9.10 ‘Karmic Koala’ or an even earlier stable version. Okay, this being said, let’s get started:

1. Download the Lucid Lynx Alpha 2 server CD image from this page: http://releases.ubuntu.com/releases/10.04/

2. Follow the installation wizard and install the core system

3. Under software selection, select OpenSSH server (for remote management of the machine) and manual package selection (for the actual pptpd package). If you want more services, for example if you also want to use the computer as a web server, you may of course select the additional software. For security reasons I generally advise running only one externally accessible service per machine in a critical environment, but really that’s up to you.

Screenshot: Lucid server install, software selection.

4. In manual selection navigate to ‘not installed packages’ -> ‘net’ where you will find pptpd. Select it and press ‘g’ twice in order to install the package.

Screenshot: Lucid server install, package selection --> pptpd.

5. Let the installation finish and reboot your system.

6. SSH into your newly set up machine and run ‘sudo aptitude update && sudo aptitude safe-upgrade’ first to update all packages. Reboot if necessary.

7. Open the pptpd.conf file: ‘sudo nano /etc/pptpd.conf’. Adjust the IP settings at the bottom to your needs. Under local IP, enter the IP of your VPN server in the local network (if you don’t know it, type ‘sudo ifconfig’ and it will show you your network interfaces and the assigned IPs). For that reason I recommend setting up a static IP in /etc/network/interfaces or in your router configuration.

8. If you want to, you can change the hostname in /etc/ppp/pptpd-options

9. Specify the user names and passwords you want to give access to your VPN: ‘sudo nano /etc/ppp/chap-secrets’. If you changed the hostname in the previous step, make sure you type the same hostname now under ‘server’.

Example:

# client server secret IP addresses
eubolist pptpd myübersecretpassword *

As there is no key file in PPTP, security depends solely on the password, which is why you should choose a long (e.g. 32 characters), random password. You can generate such a password here.

10. Now we need to set up IP masquerading: ‘sudo nano /etc/rc.local’

Add the following lines above the line that says ‘exit 0’:

# PPTP IP forwarding

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Optionally I recommend securing your SSH server against brute force attacks:

# SSH Brute Force Protection

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

(also to be inserted above ‘exit 0’)

You may have to change ‘eth0’ to another interface, depending on which interface is configured to connect to the internet on your machine.

11. Lastly, uncomment this line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

12. Reboot

13. In case your vpn-server doesn’t directly connect to the internet you may need to forward port 1723 TCP and GRE to the LAN IP of your vpn-server. Refer to your router’s manual or to portforward.com for vendor specific instructions.

Done. Enjoy!

UPDATE (2010-07-18): If connecting to the VPN server works but you can’t connect to the internet through it, try uncommenting the ms-dns entries in /etc/ppp/pptpd-options so it looks like this:

ms-dns 208.67.222.222
ms-dns 208.67.220.220
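Steps 7 to 11 and the DNS update above all come down to a handful of configuration fragments, so here is an added example (my own shell script, not code from the original post) that generates them into a staging directory for review before you copy them into place. It draws a 32-character random secret from /dev/urandom and writes the chap-secrets line with root-only permissions, emits the localip/remoteip pair for pptpd.conf, the rc.local firewall lines with the double-dash option syntax iptables requires, the sysctl line and the ms-dns lines. The staging directory, the function names and all addresses (RFC 5737 documentation ranges) are this example’s assumptions; ‘eth0’ and the server name ‘pptpd’ are the values the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages the configuration
# fragments from steps 7-11 (and the ms-dns update) into a directory for
# review before copying them onto the server.
# Assumptions (placeholders, not values from the post): the RFC 5737
# documentation addresses, the staging directory and all function names.

STAGE="${STAGE:-./pptpd-staging}"                # review directory (assumed)
WAN_IF="${WAN_IF:-eth0}"                         # interface facing the internet (post uses eth0)
LOCAL_IP="${LOCAL_IP:-192.0.2.1}"                # server's LAN address (placeholder)
REMOTE_RANGE="${REMOTE_RANGE:-192.0.2.100-110}"  # addresses handed to VPN clients (placeholder)
VPN_HOST="${VPN_HOST:-pptpd}"                    # 'server' column, must match pptpd-options

# The secret is the only credential PPTP uses in this setup, so draw
# 32 alphanumeric characters from the kernel CSPRNG instead of typing one in.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# One chap-secrets line: client  server  secret  allowed-client-IPs.
# The secret is double-quoted so pppd reads it as a single word.
chap_secret_line() {
    printf '%s\t%s\t"%s"\t*\n' "$1" "$2" "$3"
}

# Step 7: the two address lines at the bottom of /etc/pptpd.conf
pptpd_conf_fragment() {
    printf 'localip %s\nremoteip %s\n' "$LOCAL_IP" "$REMOTE_RANGE"
}

# Step 10: the rc.local lines (inserted above 'exit 0'). iptables long
# options take two leading hyphens; a single or typographic dash fails.
firewall_rules() {
    cat <<EOF
# PPTP IP forwarding: NAT the VPN clients' traffic out through $WAN_IF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# SSH brute force protection: drop a source that opens more than
# 8 new SSH connections within 60 seconds
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
EOF
}

# Step 11: the sysctl line that lets the kernel route between ppp0 and the LAN
sysctl_fragment() { echo 'net.ipv4.ip_forward=1'; }

# Update of 2010-07-18: DNS servers pushed to clients via pptpd-options
dns_options_fragment() { printf 'ms-dns 208.67.222.222\nms-dns 208.67.220.220\n'; }

# The caveat from step 10: the interface name must exist on this host
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# Write every fragment under $STAGE; chap-secrets is created readable by
# root only (umask 077 inside a subshell so the caller's umask is untouched).
# Prints the generated secret once so it can be handed to the user.
stage_config() (
    user="$1"
    secret="$(gen_secret)"
    iface_exists "$WAN_IF" || echo "warning: interface $WAN_IF not found on this host" >&2
    mkdir -p "$STAGE"
    umask 077
    chap_secret_line "$user" "$VPN_HOST" "$secret" > "$STAGE/chap-secrets"
    umask 022
    pptpd_conf_fragment  > "$STAGE/pptpd.conf.fragment"
    firewall_rules       > "$STAGE/rc.local.fragment"
    sysctl_fragment      > "$STAGE/sysctl.conf.fragment"
    dns_options_fragment > "$STAGE/pptpd-options.fragment"
    echo "$secret"
)

# Usage: stage_config <vpn user name>; then review $STAGE and copy the
# fragments into /etc/ppp/chap-secrets, /etc/pptpd.conf, /etc/rc.local,
# /etc/sysctl.conf and /etc/ppp/pptpd-options as the steps describe.
```

The secret is printed once and otherwise lives only in the staged chap-secrets file, which is created with mode 600; keep the same permissions on /etc/ppp/chap-secrets after copying, since in this setup that file is the whole authentication database.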


Written by eubolist

2010/01/28 at 15:56

19 Responses


  1. [...] via eubolist.wordpress.com [...]

  2. I’m not able to download the image files at below. Can you check if it is still available?

    1. Download the Lucid Lynx Alpha 2 server CD image from this page: http://releases.ubuntu.com/releases/10.04/

    Katie Tam

    2010/05/03 at 20:59

    • Try a download over the bittorrent network, .torrent files are available at the bottom of the page.

      eubolist

      2010/05/03 at 21:06

  3. I use a commercial VPN Account for my business travels.

    I would like to try this guide and see if I can set up my own PPTP VPN.

    Do you have a guide on OpenvPN? I hear OpenVPN is easier?

    Thanks

    vpnuser

    2010/05/17 at 11:04

    • OpenVPN is not equal to PPTP, they use completely different software and protocols. Personally, I find OpenVPN harder to set up, especially since you need extra software on the client side whereas PPTP is supported by every major OS out of the box. I would recommend to start with PPTP and DynDNS, if you want to set up a personal VPN server at home.

      eubolist

      2010/05/17 at 11:59

  4. Thanks for the info, we are still learning VPN.

    Imam

    2010/06/20 at 18:56

  5. thanks for ur tutorial :)

    herupriadi

    2010/06/30 at 06:39

  6. hi, I tried to follow your tutorial but somehow the client still can’t connect to the VPN server. Could you please give me a hand? Thanks in advance.

    prana

    2010/08/12 at 02:30

    • starting with the client: what’s the OS? and what error message do you get?
      the server: is it behind a router? what does it say in /var/log/syslog after you tried to connect?

      eubolist

      2010/08/12 at 16:27

      • hi eubolist,

        Thanks for your reply. The client is Ubuntu 10.04 and I set up the VPN through Network Manager. The error message that the client gets is “connection failed”.

        Yes, the VPN server is behind a modem/router (192.168.1.1). I’ve set up a virtual server and port triggering on the modem/router, as well as setting the firewall on the server to accept connections from ports 47 & 1723, but still can’t connect.

        for additional information, I’m using DSL-526B for modem/router.

        prana

        2010/08/18 at 06:27

      • On your server side, are there any entries in /var/log/syslog that indicate that the connection succeeded?

        Remember that you also need to forward GRE traffic to your server.

        If you have ssh-server running, try to forward port TCP 22 to your server. If you can’t connect from your remote client you have to take a closer look at your modem or linux firewall configuration. If you can connect to the server, stakes are high that something with your pptpd-config is wrong.

        eubolist

        2010/08/18 at 17:12

      • hi eubolist, i’ve checked the /var/log/syslog on the server & client side, it seems that the connection is established, but somehow it failed in the middle, so the connection is dropped.

        do you mind if i send you the syslog by e-mail?

        prana

        2010/08/19 at 13:13

  7. for additional info, here’s the syslog from the server:

    pptpd[25672]: CTRL: Client 125.166.191.204 control connection started
    pptpd[25672]: CTRL: Starting call (launching pppd, opening GRE)
    pppd[25673]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    pppd[25673]: pppd 2.4.5 started by root, uid 0
    pppd[25673]: Using interface ppp0
    pppd[25673]: Connect: ppp0 /dev/pts/0
    pptpd[25672]: GRE: Bad checksum from pppd.
    pppd[25673]: No CHAP secret found for authenticating \\prana
    pppd[25673]: Peer \\prana failed CHAP authentication
    pppd[25673]: Connection terminated.
    pppd[25673]: Exit.
    pptpd[25672]: GRE: read(fd=6,buffer=611640,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    pptpd[25672]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    pptpd[25672]: CTRL: Reaping child PPP[25673]
    pptpd[25672]: CTRL: Client 125.166.191.204 control connection finished

    prana

    2010/08/20 at 03:37

    • pptpd[25672]: GRE: Bad checksum from pppd
      - This means wrong user/password combination

      pppd[25673]: Peer \\prana failed CHAP authentication
      - You probably specified the wrong user / password in /etc/ppp/chap-secrets (maybe remove the two backslashes?)

      eubolist

      2010/08/20 at 13:54
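The reply above reads a single failed login straight off the syslog excerpt. When the same lines are coming in from many control connections, the question a defender wants answered is whether one client keeps failing (a chap-secrets mismatch, as diagnosed here) or many attempts are arriving from one address (password guessing against the only credential this setup has). The shell/awk triage below is an added example, not code from the thread: it links each pppd child to its pptpd control connection through the ‘Reaping child PPP[pid]’ line, attributes every ‘failed CHAP authentication’ event to the client address that pptpd announced, and counts failures per source. The sample log is constructed for this example, modeled on the syslog quoted above, with RFC 5737 documentation addresses; the ‘CHAP peer authentication succeeded’ line is pppd’s success message as I know it and is included only to show that it is not counted.

```shell
#!/bin/sh
# Added example, not from the thread: count "failed CHAP authentication"
# events per client address in pptpd/pppd syslog lines.
# pppd does not log the client IP itself; it is recovered by linking the
# pppd child (via pptpd's "Reaping child PPP[pid]" line) to the pptpd
# control connection that announced the client. The sample lines are
# constructed for this example (RFC 5737 documentation addresses).

sample_log() {
    cat <<'EOF'
Aug 20 03:30:01 vpn pptpd[25672]: CTRL: Client 203.0.113.5 control connection started
Aug 20 03:30:01 vpn pptpd[25672]: CTRL: Starting call (launching pppd, opening GRE)
Aug 20 03:30:01 vpn pppd[25673]: Using interface ppp0
Aug 20 03:30:02 vpn pppd[25673]: Peer \\prana failed CHAP authentication
Aug 20 03:30:02 vpn pppd[25673]: Connection terminated.
Aug 20 03:30:02 vpn pptpd[25672]: CTRL: Reaping child PPP[25673]
Aug 20 03:30:02 vpn pptpd[25672]: CTRL: Client 203.0.113.5 control connection finished
Aug 20 03:31:10 vpn pptpd[25680]: CTRL: Client 203.0.113.5 control connection started
Aug 20 03:31:10 vpn pppd[25681]: Using interface ppp0
Aug 20 03:31:11 vpn pppd[25681]: Peer \\prana failed CHAP authentication
Aug 20 03:31:11 vpn pppd[25681]: Connection terminated.
Aug 20 03:31:11 vpn pptpd[25680]: CTRL: Reaping child PPP[25681]
Aug 20 03:31:11 vpn pptpd[25680]: CTRL: Client 203.0.113.5 control connection finished
Aug 20 03:32:00 vpn pptpd[25690]: CTRL: Client 198.51.100.7 control connection started
Aug 20 03:32:00 vpn pppd[25691]: Using interface ppp0
Aug 20 03:32:01 vpn pppd[25691]: CHAP peer authentication succeeded for alice
EOF
}

# failed_chap_by_ip <syslog file> [threshold]
# Prints "client_ip failures user..." for every client with at least
# <threshold> CHAP failures (default 1), most failures first.
# Two passes over the file: the first builds the pid maps, the second
# attributes failures (the Reaping line comes after the failure it explains).
failed_chap_by_ip() {
    awk -v thr="${2:-1}" '
    function pid(tok,   t) { t = tok; gsub(/[^0-9]/, "", t); return t }
    NR == FNR {
        # pass 1: pptpd pid -> client IP, and pppd pid -> pptpd pid
        if ($5 ~ /^pptpd\[/ && $7 == "Client" && $9 == "control" && $11 == "started")
            ctrl_ip[pid($5)] = $8
        else if ($5 ~ /^pptpd\[/ && $7 == "Reaping" && $9 ~ /^PPP\[/)
            ppp_ctrl[pid($9)] = pid($5)
        next
    }
    # pass 2: "Peer <user> failed CHAP authentication" -> originating client
    $5 ~ /^pppd\[/ && $8 == "failed" && $9 == "CHAP" {
        ip = ctrl_ip[ppp_ctrl[pid($5)]]
        if (ip == "") ip = "unknown"
        fails[ip]++
        users[ip] = users[ip] " " $7
    }
    END {
        for (ip in fails)
            if (fails[ip] >= thr) printf "%s %d%s\n", ip, fails[ip], users[ip]
    }' "$1" "$1" | sort -k2,2nr
}

# Demo on the constructed sample; prints "203.0.113.5 2 \\prana \\prana"
demo=$(mktemp)
sample_log > "$demo"
failed_chap_by_ip "$demo"
rm -f "$demo"
```

Run it against /var/log/syslog (or a copy) with a threshold, e.g. ‘failed_chap_by_ip /var/log/syslog 5’, to list only sources that have failed repeatedly; a single source with a handful of failures for one user name is the misconfiguration case from this thread, while many failures across user names from one address is what the SSH rate-limit rule in step 10 guards against for port 22 and what this setup has no equivalent for on port 1723.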

  8. I’ll look into the chap-secrets again later and keep you informed. Thanks again & have a nice weekend

    prana

    2010/08/20 at 15:29

    • latest update: I’d like to confirm that the connection can be established from clients using Win XP & Win Vista. as for clients using Ubuntu, the connection still cannot be established.

      prana

      2010/08/26 at 03:40

  9. How to install UBUNTU SERVER quick and easy.Any questions just post them on the youtube channel.

    VFXashley

    2011/10/11 at 14:21

  10. i always do some business travel at least once a week from time to time. i always do some air travel.,

    Look at all of the newest posting on our personal web portal

    Lucienne Demott

    2013/01/10 at 12:16

  11. I know this if off topic but I’m looking into starting my own blog and was wondering what all is required to get set up? I’m assuming having a blog like yours would cost a pretty penny?

    I’m not very internet savvy so I’m not 100% positive. Any suggestions or advice would be greatly appreciated. Cheers

