Setting up a VPN server so users can connect in is a practice as old as dial-up internet. PPTP connections were handy for separating per-user traffic and keeping an eye on who connects to a server over a phone line. Besides that, a VPN tunnel gives the user access to every service running locally on the server: once a user opens a VPN (PoPToP) connection to the VPN server there is no need for port forwarding to the server's local services.
Another advantage of a plain VPN connection is that it is a simple way to give a remote host that does not belong to a network access to a distant local network over the internet, and it is very easy to configure and use.
PPTP is also supported by virtually every modern operating system, including all versions of Microsoft Windows.
Because PPTP authenticates with a shared username and password (MS-CHAPv2) rather than with certificates, there is none of the SSL certificate generation and exchange you need when configuring an OpenVPN tunnel, IPsec or L2TP+IPsec.
The flip side of these advantages is that PPTP is not secure: the MS-CHAPv2 handshake can be cracked offline from a capture of the session, and the MPPE (RC4) encryption of the tunnel is weak, so anything sent between VPN client and VPN server should be treated as readable by whoever can capture the traffic. Use it where that is acceptable, not for anything that really needs to stay private.
After this short intro, here is how easy it is to configure PPTP.
1. Install pptpd deb package
apt-get install pptpd
2. Edit /etc/pptpd.conf
vim /etc/pptpd.conf
Place near the end of the file:
localip 10.0.10.1
remoteip 10.0.10.2-250
localip sets the VPN server's own address on the tunnel and remoteip the pool from which connecting clients are assigned their addresses. Both must be in the same subnet, so with the above clients get addresses from 10.0.10.2 to 10.0.10.250. Pick a subnet that is not already used on the LAN behind the server or on the clients' own home networks, otherwise routing into the tunnel breaks.
Some other reasonable values for localip and remoteip are:
localip 192.168.1.6
remoteip 192.168.1.150-183,192.168.1.244
As you see, remoteip accepts a comma-separated list of ranges and single addresses within one /24, so clients can be given addresses from only a few slices of the network on connect to the pptpd server.
3. Modify /etc/ppp/pptpd-options configuration
ms-dns 8.8.8.8
ms-dns 8.8.4.4
nobsdcomp
noipx
mtu 1490
mru 1490
I prefer giving VPN clients Google's public DNS (ms-dns 8.8.8.8 and 8.8.4.4), as it is often more reliable than the resolvers handed out by ISPs; others might be happier with their own, which can be quicker to resolve. Leave the Debian defaults already in this file in place, in particular name pptpd (the server name that chap-secrets entries must match), refuse-pap, refuse-chap, refuse-mschap, require-mschap-v2 and require-mppe-128: without the last two pptpd will accept weaker authentication methods and an unencrypted tunnel.
4. Edit chap-secrets to place client authentication usernames and passwords
The file is /etc/ppp/chap-secrets and should look something like:
# Secrets for authentication using CHAP
# client server secret IP addresses
internet pptpd qwerty *
The second field must match the name line in /etc/ppp/pptpd-options (pptpd by default), and the fourth field is the address the client gets: * means any free address from the remoteip pool; to pin a user to a fixed address from the pre-selected range, write that address there instead. For multiple VPN users just add one line per user. The passwords are stored in clear text, so use long random ones rather than qwerty and keep the file readable only by root (chmod 600 /etc/ppp/chap-secrets).
5. Restart PPTPD server script
/etc/init.d/pptpd restart
Restarting PPTP:
Stopping PPTP: pptpd.
Starting PPTP Daemon pptpd.
By default the PPTP server listens for control connections on TCP port 1723; the tunnel traffic itself is carried over GRE (IP protocol 47), so any firewall in front of the server must pass GRE as well. If the server started properly, port 1723 should be listening for connections:
netstat -etna|grep -i 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 0 32810
6. Enable VPN server access to all nodes on local network
Letting PPTP clients reach the whole network is tricky and poor security practice, especially if the VPN server is not in a DMZ, because a guessed or cracked VPN password then becomes a foothold on the LAN. Still, allowing a client to reach all local computers is often needed. This is done via:
– enabling IP forwarding
To do so add to /etc/sysctl.conf
net.ipv4.ip_forward=1
i.e. exec:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
Forwarding alone only routes packets; the LAN hosts also need a way back to the 10.0.10.0/24 client range, either a static route pointing at the VPN server, or a MASQUERADE rule in the nat table's POSTROUTING chain so clients appear with the server's LAN address (when the client pool is carved out of the LAN subnet, as in the 192.168.1.x example above, the proxyarp option in the default pptpd-options takes care of it). And since ip_forward turns the box into a router for every interface, restrict what clients may reach with rules in the FORWARD chain rather than leaving it wide open.
…
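As an added example, not part of the original post and not pptpd's own tooling, here is a POSIX shell script that stages the files from steps 2 to 6 into a directory instead of /etc and sanity-checks them first. It checks that localip and remoteip share one /24 and that localip is not inside the client pool (the kind of mismatch that is easy to make when copying values around), writes chap-secrets so that it is created mode 600, and checks that every chap-secrets line has the four fields and names the same server as the name line in pptpd-options. PPTP_ROOT, the sysctl.d file name, the user "internet" and the password are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: stage and sanity-check a pptpd configuration.
# Nothing here touches /etc; files go under PPTP_ROOT (default: a temp dir).
# Review them, then copy pptpd.conf to /etc and the ppp/ files to /etc/ppp.
PPTP_ROOT="${PPTP_ROOT:-$(mktemp -d)}"

# Check a localip against a pptpd remoteip list ("10.0.10.2-250" or
# "192.168.1.150-183,192.168.1.244"): every element must share localip's
# /24 prefix and none may contain localip itself. Prints the problem and
# returns 1 on failure, 0 otherwise. Only last-octet (/24) ranges are handled.
check_addressing() {
    localip="$1"
    lprefix="${localip%.*}"        # 10.0.10
    llast="${localip##*.}"         # 1
    old_ifs="$IFS"; IFS=','; set -- $2; IFS="$old_ifs"
    for item in "$@"; do
        prefix="${item%.*}"        # 10.0.10
        tail="${item##*.}"         # 2-250, or 244 for a single address
        first="${tail%-*}"         # 2   (244 for a single address)
        last="${tail#*-}"          # 250 (244 for a single address)
        if [ "$prefix" != "$lprefix" ]; then
            echo "remoteip element $item is not in $lprefix.0/24 of localip $localip"
            return 1
        fi
        if [ "$llast" -ge "$first" ] && [ "$llast" -le "$last" ]; then
            echo "localip $localip falls inside client range $item"
            return 1
        fi
    done
    return 0
}

# Write pptpd.conf, ppp/pptpd-options, ppp/chap-secrets and a sysctl fragment
# under PPTP_ROOT. The Debian defaults that refuse PAP/CHAP/MS-CHAPv1 and
# require MS-CHAPv2 with 128-bit MPPE are kept; "name pptpd" is the server
# field that every chap-secrets entry must match.
write_configs() {
    localip="$1"; remoteip="$2"; user="$3"; pass="$4"
    mkdir -p "$PPTP_ROOT/ppp" "$PPTP_ROOT/sysctl.d"
    printf 'option /etc/ppp/pptpd-options\nlocalip %s\nremoteip %s\n' \
        "$localip" "$remoteip" > "$PPTP_ROOT/pptpd.conf"
    cat > "$PPTP_ROOT/ppp/pptpd-options" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
nobsdcomp
noipx
mtu 1490
mru 1490
EOF
    # chap-secrets stores passwords in clear text: create it with mode 600.
    ( umask 077
      printf '# client\tserver\tsecret\tIP addresses\n%s\tpptpd\t%s\t*\n' \
          "$user" "$pass" > "$PPTP_ROOT/ppp/chap-secrets" )
    echo 'net.ipv4.ip_forward=1' > "$PPTP_ROOT/sysctl.d/30-pptpd.conf"   # hypothetical file name
}

# Check that every active chap-secrets line has exactly the four fields
# "client server secret IP" and names SERVER in its second field (the "name"
# from pptpd-options); otherwise pptpd rejects the login. Secrets containing
# spaces must be double-quoted in the real file and are not handled here.
check_secrets() {
    file="$1"; server="$2"
    while read -r client srv secret ip extra; do
        case "$client" in ''|'#'*) continue ;; esac
        if [ -z "$ip" ] || [ -n "$extra" ]; then
            echo "entry for '$client' must have 4 fields: client server secret IP"
            return 1
        fi
        if [ "$srv" != "$server" ]; then
            echo "entry for '$client' names server '$srv' but pptpd-options says '$server'"
            return 1
        fi
    done < "$file"
    return 0
}

main() {
    localip="${1:-10.0.10.1}"; remoteip="${2:-10.0.10.2-250}"
    check_addressing "$localip" "$remoteip" || return 1
    write_configs "$localip" "$remoteip" "internet" "change-me"   # placeholder user/password
    check_secrets "$PPTP_ROOT/ppp/chap-secrets" pptpd || return 1
    echo "staged pptpd configuration under $PPTP_ROOT"
}
main "$@"
```

Running it with the values from the post's first example, localip 10.10.10.1 and remoteip 10.0.10.2-250, makes check_addressing stop the run with "not in 10.10.10.0/24", which is exactly the kind of slip that otherwise only shows up as clients that connect but cannot route anything.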
That's all, PPTP is now ready to accept connections. I will not go into the details of configuring a PPTP VPN connection from a Windows host, as this is an easy task and there are plenty of good tutorials online.
Cheers 😉
If you want to build a wheezy-based PPTP server, be careful, because the latest kernel versions don't work correctly with pptpd, and a kernel downgrade is needed.
If you get 619 Windows client errors and "LCP: timeout sending Config-Requests" messages in /var/log/syslog, try "apt-get install linux-image-3.2.0-4-amd64=3.2.65-1" and "aptitude hold linux-image-3.2.0-4-amd64" to hold the kernel version. A reboot is needed.
Thanks Infra