
I know there are many tutorials on the net for setting up VPN client and server.

If you find one that is simple/short, I am interested only in the server part.

For client, I will use OS X so I prefer a solution that uses L2TP over IPsec or PPTP because I suppose Cisco IPsec would cost something.

I don't want to spend too many hours setting it up. You know, maybe someone already made a setup script :)

Note: I am using an EC2 micro instance running Ubuntu 12.04 on it.

Braiam
sorin
  • Note: CISCO IPSec can be achieved via StrongSwan and a lot of configuration, but it's tricky. PPTP is not secure anymore. And L2TP over IPSec requires both L2TP and IPSec configuration. Pick at your leisure, although my answer explains PPTP – Thomas Ward Jun 03 '15 at 16:38

5 Answers


WARNING: PPTP IS AN INSECURE PROTOCOL! Not only has the encryption been breached, but it sends your authentication in clear text and is easily intercepted. It has been estimated that the amount of time required to brute-force the password is roughly equivalent to the time required to brute-force a single DES key. Consider using OpenVPN or another VPN architecture instead of PPTP!

I used this guide to set up a PPTP VPN server on my Ubuntu 12.04 server.


To summarize the main points in the link, though:

1: Install pptpd and ufw. iptables can be used in place of ufw, but for the sake of easiness, ufw is better if you don't know iptables.

sudo apt-get install pptpd ufw

2: Open the ports needed. The guide suggests 22 (SSH) and 1723 for the pptp vpn.

sudo ufw allow 22
sudo ufw allow 1723
sudo ufw enable

3: Edit /etc/ppp/pptpd-options. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/pptpd-options), and comment out these lines by putting a # before them, if you want this to work universally on all OSes:

refuse-pap
refuse-chap
refuse-mschap

You can comment this line if you want to disable encryption: require-mppe-128

4: While editing /etc/ppp/pptpd-options, add DNS servers for the VPN. This example uses OpenDNS servers:

ms-dns 208.67.222.222
ms-dns 208.67.220.220

5: Edit /etc/pptpd.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/pptpd.conf). You need to add the local VPN IPs for the system, so add:

localip 10.99.99.99
remoteip 10.99.99.100-199

If your system is a VPS, use the public IP for "localip". If it is not and is on a local network, use your computer's network IP. Use different IPs and ranges if these IPs exist on your subnet! If you don't know the public IP of your VPS, find it by running dig +short myip.opendns.com @resolver1.opendns.com

6: Edit /etc/ppp/chap-secrets. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/chap-secrets), and add the auth data.
The format for /etc/ppp/chap-secrets is:

[Username] [Service] [Password] [Allowed IP Address]

An example would be: sampleuser pptpd samplepassword *

7: Restart pptpd. Run this command in terminal: sudo /etc/init.d/pptpd restart

8: Edit /etc/sysctl.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/sysctl.conf). Un-comment the following line (by removing the # at the beginning of it) in /etc/sysctl.conf: net.ipv4.ip_forward=1
Reload the configuration: sudo sysctl -p

9: This step assumes you have ufw.
Edit /etc/default/ufw and change the option DEFAULT_FORWARD_POLICY from DROP to ACCEPT

10: This step assumes you have ufw.
Edit /etc/ufw/before.rules, and add the following either at the beginning of /etc/ufw/before.rules or just before the *filter rules (recommended):

# NAT table rules
*nat

:POSTROUTING ACCEPT [0:0]
# Allow forward traffic to eth0
-A POSTROUTING -s 10.99.99.0/24 -o eth0 -j MASQUERADE

# Process the NAT table rules
COMMIT

If you have kernel version 3.18 and newer (you can check this by running uname -r), also add the following lines before the # drop INVALID packets ... line:

-A ufw-before-input -p 47 -j ACCEPT

11: Restart the firewall, to refresh the rule sets and to apply the rules we added to the /etc/ufw/*.rules files: sudo ufw disable && sudo ufw enable

Warning: If you have other ports you need open, such as for HTTPS if your server hosts a website, you need to individually add those ports to the allowed list with sudo ufw allow <PORT>

Thomas Ward
    Now what the heck do I do :D I've got that working on the server, no idea how to connect to it lol – Jamie Hutber Jul 02 '14 at 22:17
  • @Jamie There's a ton of other documents and entries here on Ask Ubuntu on connecting to a VPN not to mention documentation inside Network Manager. This question only covers setting up the VPN, and the server side. NOT the connecting to it part. – Thomas Ward Jul 02 '14 at 22:18
  • :D super fast response :D I think I may have worked it out, I must have just set something incorrectly. This said ufw is active and allowing most ports. I will play with iptables see if this gets me anyway – Jamie Hutber Jul 02 '14 at 22:35
  • @Jamie I can give you iptables commands to use when I get home if you prefer iptables to ufw. – Thomas Ward Jul 02 '14 at 22:36
  • Thanks @Thomas that's very nice of you. Although I do worry that I really am just closing my eyes and hoping this works :) I have already installed ufw, and now am running both. Although I don't think this should be a problem. If you believe in adding the commands for iptables then I'm very eager and happy to try these out. – Jamie Hutber Jul 02 '14 at 22:52
  • @Jamie the iptables rules are the ones I use I'll have to dig them up though. – Thomas Ward Jul 02 '14 at 22:58
  • Wonder if it's worth removing ufw. Although from using ufw, it's super clean. I am rather liking this firewall. Having 2 installed seems overkill :D – Jamie Hutber Jul 02 '14 at 23:17
  • iptables/netfilter is used with ufw, ufw is just nicer with rules and commands handling for the end users. – Thomas Ward Jul 02 '14 at 23:19
  • Hi again @thomas Just a random quick one, is there any reason why this would have closed access to port 443? I can't see it in the ufw status anymore and all https requests are timing out, oops. – Jamie Hutber Jul 07 '14 at 06:57
  • @Jamie 'sudo ufw allow 443', 'sudo ufw allow 80' (HTTPS and HTTP respectively). ufw will lock ports unless you tell it which ones you want. (you should just ping me in chat next time btw) – Thomas Ward Jul 07 '14 at 11:33
  • I did all this, started the service, but then ifconfig only shows eth0 and lo. What's wrong? – Yan King Yin Apr 19 '15 at 11:57
  • Wonderful. Worked the first time. You can login to your VPN through Windows 7 by going to connect to a network and typing your site's public IP address. Use the username and password you specified. It can time out without disconnecting; so, if your internet seems to be disconnected, disconnect and reconnect. – Wolfpack'08 Mar 30 '16 at 09:55
  • Please, remove the sudo ufw disable. It is bad advice. If the firewall goes down even for a split second, it is open to hackers to enjoy attacking your server. You may just do sudo ufw reload assuming it is already enabled (which it should be.) – Alexis Wilke Apr 14 '16 at 19:53
  • @AlexisWilke That was suggested in the source where I got the information. I agree, turning the firewall off is bad, but in this case you *will not apply the IPv4 forwarding rules that were added to the ufw rule configuration files* without restarting the ufw firewall. In this case, it is a necessity, not an optional step. – Thomas Ward Apr 14 '16 at 21:50
  • @ThomasW. what do if my local IP in 10.10.10.0/24 range and remote IP in 192.168.0.0/24 range? – d a i s y Jun 03 '16 at 06:50
  • @Lnux I don't understand the question? – Thomas Ward Jun 03 '16 at 12:31
  • @ThomasW. Can i set localip 10.10.10.50 remoteip 192.168.0.1-100 in /etc/pptpd.conf file ? – d a i s y Jun 04 '16 at 03:50
  • @Lnux I believe localip and remoteip have to be in the same subnet, so I don't think so... you are free to test though if you wish – Thomas Ward Jun 04 '16 at 13:57
  • @ThomasW.. You're right. local ip and remote ip should be in same subnet. still i am confused about dhcp. Do i need to configure dhcp to assign ip or it will be automatically assign by defining ip range with remoteip in /etc/pptpd.conf? – d a i s y Jun 23 '16 at 03:38
  • I tried all the solutions (including the accepted answer) and this is the only solution that fully worked. It is working on my computer (windows 7), now to figure out the part on how to connect to my android mobile phone – supersan Aug 23 '16 at 20:51
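The steps above hand-edit three files. As an added example, not code from any answer on this page: a POSIX shell script that renders pptpd.conf, ppp/pptpd-options and ppp/chap-secrets into a staging directory, refuses a localip/remoteip pair that do not share a /24 (the question raised in the comments), and creates chap-secrets owner-only because it holds plaintext passwords. The staging directory, the sample user and password, and the choice to keep the refuse-* lines so that only MS-CHAPv2 with 128-bit MPPE is negotiated are this example's own assumptions, not the answer's.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: stage the three pptpd
# files the steps above hand-edit (pptpd.conf, ppp/pptpd-options,
# ppp/chap-secrets) into a directory and sanity-check the values first.
# The staging directory, user and password below are constructed samples.

# Dotted IPv4 address -> integer, so subnets can be compared arithmetically.
# The body is a subshell so the IFS change does not leak out.
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# 0 when localip and the first address of the remoteip range share a /24;
# pptpd needs both ends of the ppp link in one subnet (asked in the comments).
same_subnet() {
  first_remote=${2%-*}            # "10.99.99.100-199" -> "10.99.99.100"
  mask=4294967040                 # 0xFFFFFF00, a /24 mask
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$first_remote") & mask )) ]
}

render_pptpd_conf() {
  printf 'localip %s\nremoteip %s\n' "$1" "$2"
}

# The refuse-* lines are kept here (the answer above comments them out for
# older clients); with them only MS-CHAPv2 with 128-bit MPPE is negotiated.
render_pptpd_options() {
  cat <<EOF
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns $1
ms-dns $2
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

# chap-secrets format: client  server  secret  allowed-ip (a quoted secret is valid).
render_chap_secrets() {
  printf '# client\tserver\tsecret\tIP addresses\n%s\tpptpd\t"%s"\t*\n' "$1" "$2"
}

# stage_configs DIR USER PASSWORD LOCALIP REMOTERANGE DNS1 DNS2
stage_configs() {
  dir=$1
  if ! same_subnet "$4" "$5"; then
    echo "localip $4 and remoteip $5 are not in the same /24" >&2
    return 1
  fi
  mkdir -p "$dir/ppp"
  render_pptpd_conf "$4" "$5" > "$dir/pptpd.conf"
  render_pptpd_options "$6" "$7" > "$dir/ppp/pptpd-options"
  # chap-secrets holds plaintext passwords: create it owner-only from the start
  # (the subshell keeps the umask change local).
  ( umask 077; render_chap_secrets "$2" "$3" > "$dir/ppp/chap-secrets" )
}

# Stand-alone demo with the values used in the answer above.
demo_dir=$(mktemp -d)
stage_configs "$demo_dir" sampleuser samplepassword \
  10.99.99.99 10.99.99.100-199 208.67.222.222 208.67.220.220 &&
  echo "staged under $demo_dir: copy pptpd.conf to /etc and ppp/* to /etc/ppp, then restart pptpd"
```

Nothing here touches /etc; review the staged files, copy them into place as root, and restart pptpd as in step 7.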

UPDATE: As of Sierra, macOS no longer supports PPTP vpn. This answer is not valid for macOS clients Sierra and beyond.

PPTP via PoPToP is easy

  1. apt-get install pptpd
  2. edit /etc/pptpd.conf and set the remoteip option to a range on your network that is NOT served by your DHCP server.
  3. edit /etc/ppp/chap-secrets and add a username and password

e.g.

vpnuser pptpd vpnpassword *

This is all it takes to setup pptp. Now test it with your OS X client.

  • I'm also wondering which localip and remoteip values are the safest, considering that I'm going to connect to this server from any location. Definitely the default values with 192.168.0. and 192.168.1. are probably one of the worst possible. – sorin May 12 '12 at 11:56
  • May 12 13:28:06 zork pppd[9447]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. May 12 13:28:06 zork pppd[9447]: pppd 2.4.5 started by root, uid 0 May 12 13:28:06 zork pppd[9447]: Using interface ppp0 May 12 13:28:06 zork pppd[9447]: Connect: ppp0 <--> /dev/pts/3 May 12 13:28:36 zork pppd[9447]: Hangup (SIGHUP) May 12 13:28:36 zork pppd[9447]: Modem hangup May 12 13:28:36 zork pppd[9447]: Connection terminated. May 12 13:28:36 zork pppd[9447]: Exit. It doesn't work yet! Your guide is incomplete (yet) ;) – sorin May 12 '12 at 13:30
  • Yeah this does not work. – bkerensa Jun 07 '13 at 19:25
  • didn't work for me – Tyler Gillies Sep 15 '13 at 07:01
  • @SorinSbarnea those ips are private and never go over the internet, so I don't know what you mean by "safest". You'll have best luck if they aren't the same IP range as the cafe, or workplace from which you are connecting. Try 192.168.42.* :) – Jay _silly_evarlast_ Wren Dec 16 '13 at 20:31
  • PPTP does rely on IP protocol GRE. Some ISPs block this. If this is the case, a different solution is needed. – Jay _silly_evarlast_ Wren Dec 16 '13 at 20:33

PPTP VPN on Ubuntu 12.04 Example

Here is a quick tutorial to set up a basic PPTP VPN server on Ubuntu 12.04.

Install Necessary Packages

sudo apt-get install ppp pptpd

Configure PPTP IP Ranges on the Server

sudo nano /etc/pptpd.conf

Add the following lines at the end:

localip 10.89.64.1
remoteip 10.89.64.100-150

This sets up the PPTP server to use IP 10.89.64.1 while distributing the IP range 10.89.64.100 to 10.89.64.150 to PPTP clients. Change these as you wish as long as they are private IP addresses and do not conflict with IP addresses already used by your server.

Configure DNS Servers to Use When Clients Connect to this PPTP Server

sudo nano /etc/ppp/pptpd-options

Modify or add the following lines at the end:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Create a PPTP User

sudo nano /etc/ppp/chap-secrets

Append a line at the bottom so your file looks something like:

# client    server  secret          IP addresses
test        pptpd   abcd1234        *

Configure NAT for PPTP Connections

Without this step you will be able to connect, but your connection will not be able to load any web connection from this server.

sudo nano /etc/rc.local

Add the following to the bottom, right before the "exit 0" line:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This assumes eth0; you can use ifconfig to check the interface name.

Enable IPv4 forwarding:

sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Then reload the configuration:

sudo sysctl -p

Reboot your VPS and everything should work swimmingly from any PPTP client.


Client side configuration

For Mac, make sure you added PPTP VPN connection. Besides that you only need to setup server address, account name, and password in authentication settings. No pain here.

For Linux, use NetworkManager to add VPN connections. Make sure you added a PPTP VPN connection. And the configuration I use is here:

How To Debug and Fix PPTP/VPN Client Connection

(screenshot)

And for Windows: (screenshot)

Qasim
  • Does this method also work on Ubuntu 12.04 non-server edition? What IP number the client has to use to connect to this VPN network? – Rasoul Aug 29 '13 at 14:55
  • Yes, it is for the non-server edition also. You have to use the server IP on the client to connect to the VPN @Rasoul – Qasim Aug 30 '13 at 02:42
  • Doesn't work, Ubuntu server 13.04. Client stuck looking for DNS. – knutole Nov 12 '13 at 02:35
  • @knutole check that your IPTables rules are routing properly. Make sure you have the en0 interface and it's not named something else. You should see a public IP address listed. – Nick Woodhams Nov 20 '13 at 06:35
  • ok, so, in your example which ip is server ip? 10.89.64.1 ? Then in the Ubuntu network manager the client would list 10.89.64.1 as the Gateway? – dranxo Oct 13 '14 at 23:50
  • @dranxo No, the server IP is the public IP; when you connect with the server IP, you will have a 10. series IP. I hope you understand. – Qasim Oct 14 '14 at 04:31

The other answers on this thread were only partial answers in my case. Here's what worked for me on Ubuntu 12.04.3.

sudo apt-get install pptpd

Append the following to /etc/pptpd.conf (the IP address does not matter; these are only the IP addresses for your ppp0 interface.)

localip 10.0.0.1
remoteip 10.0.0.100-200

Add DNS Servers to /etc/ppp/pptpd-options

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Enable IP Forwarding

sudo vim /etc/sysctl.conf

Uncomment this line

net.ipv4.ip_forward=1

Save changes

sudo sysctl -p /etc/sysctl.conf

Edit /etc/ppp/chap-secrets, add a VPN user in this format:

# Secrets for authentication using CHAP
# client    server  secret          IP addresses
username pptpd supersecretpassword *

Restart PPTP

service pptpd restart

Run ifconfig and find your default interface, in my case it was br0 (I changed it to allow virtual machines on my physical machine to share the interface. Yours will probably be en0)


Back up iptables

iptables-save > ~/iptables.save

Now make your iptables changes; use your default interface as revealed by ifconfig.

iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface br0 -j ACCEPT

To keep it persistent when your system reboots:

sudo apt-get install iptables-persistent

Add VPN on client computer (Mac)

System Preferences > Network > [+] > VPN


Then choose Authentication settings > Password, then fill in your password here

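This answer and Qasim's rc.local step both add a MASQUERADE rule by hand, and the first answer notes that GRE (IP protocol 47) must also be accepted on newer kernels; a missing GRE rule is a common reason a client connects on TCP/1723 but the tunnel never comes up, and a missing MASQUERADE rule is why a connected client reaches nothing beyond the server. As an added example, not code from any answer on this page: a POSIX shell audit that reads an iptables-save dump and reports which of the rules a PPTP server needs are absent, plus a function that prints (without applying) the commands to add them. The dump embedded in the script is constructed for the example; on a real host pipe in `sudo iptables-save` instead.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: audit an iptables-save
# dump for the rules a PPTP server needs and print the commands for any that
# are missing. The dump below is a constructed sample; on a real host use
#   sudo iptables-save | audit_pptp_firewall 10.99.99.0/24 eth0

SAMPLE_RULES='# constructed sample: MASQUERADE and TCP/1723 present, GRE missing
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.99.99.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -i ppp+ -j ACCEPT
COMMIT'

# Each check reads a dump on stdin. ufw keeps its rules in ufw-* chains, so
# those chain names are accepted alongside the plain INPUT chain.
has_pptp_control() { grep -Eq -- '^-A (INPUT|ufw-user-input) .*-p tcp .*--dport 1723 .*-j ACCEPT'; }
has_gre()          { grep -Eq -- '^-A (INPUT|ufw-before-input|ufw-user-input) .*-p (47|gre) .*-j ACCEPT'; }
has_masquerade()   { grep -Eq -- "^-A POSTROUTING -s $1 -o $2 -j MASQUERADE"; }

# Print (do not apply) the commands for the rules. SUBNET is the remoteip
# range as a CIDR and IFACE the uplink interface shown by ifconfig.
pptp_rules() {
  cat <<EOF
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
EOF
}

# audit_pptp_firewall SUBNET IFACE < dump; exit status = number of missing rules.
audit_pptp_firewall() {
  dump=$(cat)
  missing=0
  printf '%s\n' "$dump" | has_pptp_control ||
    { echo "missing: TCP/1723 ACCEPT (PPTP control channel)"; missing=$((missing + 1)); }
  printf '%s\n' "$dump" | has_gre ||
    { echo "missing: GRE (IP protocol 47) ACCEPT - clients connect on 1723 but the tunnel never comes up"; missing=$((missing + 1)); }
  printf '%s\n' "$dump" | has_masquerade "$1" "$2" ||
    { echo "missing: MASQUERADE for $1 out of $2 - clients connect but reach nothing beyond the server"; missing=$((missing + 1)); }
  return $missing
}

# Stand-alone demo against the constructed dump (reports the missing GRE rule).
printf '%s\n' "$SAMPLE_RULES" | audit_pptp_firewall 10.99.99.0/24 eth0 ||
  { echo "suggested commands:"; pptp_rules 10.99.99.0/24 eth0; }
```

The audit only reads the dump and never calls iptables itself, so it is safe to run on a live server before deciding which rules to add; pass the same subnet and interface you used in pptpd.conf and the MASQUERADE rule.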


Here's a pretty sweet project that scripts away the OpenVPN pain:

https://github.com/Nyr/openvpn-install

Just run it and it will install OpenVPN and configure it. At the end it will pop out a client.ovpn file that you can use to set up your client. Seems to work pretty well.

HappyCoder86