Creating VPN server for allowing users to connect is as early practice as the internet was used over Dial-Up modems. PPTP Connections were useful for separating user accounts traffic and easily keeping an eye on who connects to a server via phone line. Besides that VPN tunnels allows the user to connect to every possible running service locally on the server, meaning whether a user opens a VPN (PoPTOP) connection to the VPN server there is no need for port forwarding to local running server services.
Other advantages of plain VPN connection is it is a good way to grant access of Remote host not belonging to a network to have access to a distant local network using the internet as well as it is ultra easy to configure and use.
Even better PPTP is supported by virtually almost any modern operating system including all versions of Microsoft Windows.
As connection between client -> server is insecure and only password is transferred securily there is no complexity of SSL Certificate generation and Exchange like for instance whether configuring to use OpenVPN tunnel, IPsec or L2TP+IPsec.
Besides the many upmentioned advantages, there are some disadvantages of PPTP as it is unsecurely transferring data between VPN Client and VPN server.
After this short intro, here is how easy is to configure PPTP.
1. Install pptpd deb package
apt-get install pptpd
2. Edit /etc/pptpd.conf
Place near end of file:
localip variable sets local VPN server main IP and remoteip sets range of IPs in which VPN clients will be assigned IPs. As you see clients IPs will be assigned from;
10.0.10.2 to 10.0.10.250.
Some other reasonable values for localip and remoteip are:
As you see it is possible to set only a set of few ranges of IP in class C network to be assigned new IPs on connect to PPTPD server.
3. Modify /etc/ppp/pptpd-options configuration
I prefer setting Google's Public DNS for VPN clients use (ms-dns 220.127.116.11 … etc.), as they are often more reliable than provided ones by ISPs, however others might be happier with custom ones as they might be quicker to resolve.
4. Edit chap-secrets to place client authentication usernames and passwords
File should look something like:
# Secrets for authentication using CHAP
# client server secret IP addresses
internet pptpd qwerty
For multiple VPN users just add all user usernames and passwords. If you want to assign certain username IPs from above pre-selected range put write it too.
5. Restart PPTPD server script
Stopping PPTP: pptpd.
Starting PPTP Daemon pptpd.
By default PPTP server listens for network connections via port 1723. If server launches properly port 1723 should be listening for connections.
netstat -etna|grep -i 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 0 32810
6. Enable VPN server access to all nodes on local network
Enabling PPTP Client to access the whole network is tricky and very bad security practice especially if VPN server is not behind DMZ. Anyways allowing a client to all local network computers is often needed. This is done via;
– enabling IP Forwarding
To do so add in /etc/sysctl.conf
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
That's all now PPTP is ready to accept connections. I will not get into details how to configure VPN PPTP Connection from Windows host as this is an easy task and there are plenty of good tutorials online.