How-To Geek

How to Set Up a VPN (PPTP) Server on Debian Linux

VPN-ing into your server will allow you to connect to every possible service running on it, as if you were sitting next to it on the same network, without individually forwarding every port combination for every service you would like to access remotely.

Using a VPN connection also has the upside of, if desired, granting access to other computers on the network, as if you were on it locally, from anywhere across the internet.

While not the most secure of the VPN solutions out there, PPTP is by far the simplest to install, configure and connect to from any modern system, and from Windows in particular: the client has been a part of the OS since the XP days, and you don’t need to mess with certificates (like with L2TP+IPsec or SSL VPNs) on both sides of the connection.

Did I get you interested? Then let’s go :)

Preface

  • You will need to forward port 1723 from the internet to the server to enable the connection (not covered here).
  • You will see me use VIM as the editor program. This is just because I’m used to it… you may use any other editor that you’d like.

Server Setup

Install the pptp server package:

sudo aptitude install pptpd

Edit the “/etc/pptpd.conf” configuration file:

sudo vim /etc/pptpd.conf

Add to it:

localip 192.168.1.5

remoteip 192.168.1.234-238,192.168.1.245

Where “localip” is the address of the server, and “remoteip” lists the addresses that will be handed out to the clients. It is up to you to adjust these for your network’s requirements.

Edit the “/etc/ppp/pptpd-options” configuration file:

sudo vim /etc/ppp/pptpd-options

Append to the end of the file, the following directives:

ms-dns 192.168.1.1

nobsdcomp

noipx

mtu 1490

mru 1490

Where the IP used for the ms-dns directive is the DNS server for the local network your client will be connecting to and, again, it is your responsibility to adjust this to your network’s configuration.

Edit the chap secrets file:

sudo vim /etc/ppp/chap-secrets

Add to it the authentication credentials for a user’s connection, in the following syntax:

username <TAB> * <TAB> users-password <TAB> *

Restart the connection’s daemon for the settings to take effect:

sudo /etc/init.d/pptpd restart

If you don’t want to grant yourself access to anything beyond the server, then you’re done on the server side.
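
The chap-secrets file edited above holds every password in plaintext, so its permissions and entries are worth checking before the server is exposed. The script below is an added example, not part of the original article; it assumes GNU stat (as on Debian), secrets without spaces, and a 12-character minimum length chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a pppd chap-secrets file.
# Assumes GNU stat (Debian) and unquoted secrets without spaces.
MIN_LEN=12   # assumed minimum password length, adjust to your policy

audit_chap_secrets() {
    file=$1
    findings=0
    # The file stores passwords in plaintext, so only its owner should read it.
    mode=$(stat -c '%a' "$file") || return 2
    case $mode in
        600|400) ;;
        *) echo "PERM: $file is mode $mode, expected 600"
           findings=$((findings + 1)) ;;
    esac
    # Fields per line: client, server, secret, acceptable IP addresses.
    while read -r client server secret ip || [ -n "$client" ]; do
        case $client in ''|'#'*) continue ;; esac
        if [ -z "$secret" ] || [ -z "$ip" ]; then
            echo "FORMAT: entry for '$client' has fewer than four fields"
            findings=$((findings + 1))
            continue
        fi
        if [ "${#secret}" -lt "$MIN_LEN" ]; then
            echo "WEAK: secret for '$client' is shorter than $MIN_LEN characters"
            findings=$((findings + 1))
        fi
        # "*" in the last field means any client IP address is acceptable.
        [ "$ip" = '*' ] && echo "INFO: '$client' is not pinned to one client IP"
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample in the article's syntax (not real credentials).
sample=$(mktemp)
printf 'alice\t*\tsecret1\t*\nbob\t*\tlong-random-passphrase-42\t*\n' > "$sample"
chmod 644 "$sample"
audit_chap_secrets "$sample" || echo "chap-secrets needs attention"
rm -f "$sample"
```

On a real server, run the function as root against /etc/ppp/chap-secrets; a non-zero exit status means at least one PERM, FORMAT or WEAK finding was printed.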

Enable Forwarding (optional)

While this step is optional and could be viewed as a security risk for the extremely paranoid, it is my opinion that not doing it defeats the purpose of even having a VPN connection into your network.

By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network.

To achieve this we will be flipping the switch on the “forwarding” parameter of the system.

Edit the “sysctl” file:

sudo vim /etc/sysctl.conf

Find the “net.ipv4.ip_forward” line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

You can either restart the system or issue this command for the setting to take effect:

sudo sysctl -p

With forwarding enabled, all the server side settings are prepared.
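
If reaching every device is more than you need, the forwarding described above can be narrowed to chosen hosts. The following added example (not from the original article) expands the “remoteip” value from pptpd.conf into iptables rules and prints them for review; the destination hosts, the ppp+ interface match and an otherwise empty FORWARD chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): print iptables FORWARD rules that let
# VPN clients reach only selected LAN hosts. Assumes an otherwise empty
# FORWARD chain and that pptpd sessions appear as ppp0, ppp1, ...

vpn_forward_rules() {
    remoteip=$1   # pptpd.conf "remoteip" value, e.g. 192.168.1.234-238,192.168.1.245
    shift         # remaining arguments: LAN hosts the clients may reach
    # Replies to connections that VPN clients opened.
    echo "iptables -A FORWARD -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    old_ifs=$IFS
    IFS=,
    for item in $remoteip; do
        IFS=$old_ifs
        case $item in
            *-*) first=${item%-*}                  # 192.168.1.234
                 last=${first%.*}.${item##*-} ;;   # 192.168.1.238
            *)   first=$item; last=$item ;;
        esac
        for dest in "$@"; do
            echo "iptables -A FORWARD -i ppp+ -m iprange --src-range $first-$last -d $dest -j ACCEPT"
        done
    done
    IFS=$old_ifs
    # Anything else arriving from a VPN client is not forwarded.
    echo "iptables -A FORWARD -i ppp+ -j DROP"
}

# 192.168.1.10 and 192.168.1.20 are hypothetical LAN hosts.
vpn_forward_rules "192.168.1.234-238,192.168.1.245" 192.168.1.10 192.168.1.20
```

If the ms-dns address is a separate machine from the VPN server, include it among the destinations so clients can still resolve names.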

We recommend using a “Split Tunnel” connection mode for the VPN client.

A more in-depth explanation of the recommended “Split Tunnel” mode, as well as instructions for Ubuntu Linux users, can be found in the “Setting up a “Split Tunnel” VPN (PPTP) Client on Ubuntu 10.04” guide.

For Windows users, follow the guides below to create the VPN client on your system.

PPTP VPN Dialer Setup on XP (split tunnel)

We will create a regular VPN dialer with one noteworthy exception: we will set the system to NOT use it as the “Default Gateway” when connected.

Skipping this step will limit the connecting computer’s surfing speed to the VPN server’s upload speed (usually slow), because all of its traffic would be routed through the VPN connection, and that’s not what we want.

We need to start the connection wizard, so we will go to control panel.

Go to “Start” and then “Control Panel”.

*If your system is set up with the “Classic Start Menu”, you just need to point to the “Control Panel” icon and then select “Network Connections”.

In “Control Panel” double click “Network Connections”.

Double click “New Connection wizard”.

In the “New Connection wizard” welcome screen click “Next”.

Select the “Connect to the network at my workspace” option and then “Next”.

Select the “Virtual Private Network connection” option and then “Next”.

Give a name to the VPN connection.

Type in your VPN server’s DNS name or IP address as seen from the Internet.

Optionally, you may choose to “Add a shortcut to the desktop” and then “Finish”.

Now comes the tricky part: it is vitally important that you do NOT try to connect now. Instead, go into the dialer’s “Properties”.

Go to the networking tab and change the “Type of VPN” to “PPTP VPN” as shown in the picture below (this is optional but will shorten the time it takes to connect) then go into “Properties”.

[screenshot: xp-vpn11]

On the next window, go into “Advanced” without changing anything else.

On the next window, uncheck the “Use default gateway on remote network” option.

Now enter the connection’s credentials as you set them on the server and connect.

That’s it, you should now be able to access all the computers on your network from the XP client… Enjoy.

PPTP VPN Dialer Setup on Win7 (split tunnel)

We will create a regular VPN dialer with one noteworthy exception: we will set the system to NOT use it as the “Default Gateway” when connected.

Skipping this step will limit the connecting computer’s surfing speed to the VPN server’s upload speed (usually slow), because all of its traffic would be routed through the VPN connection, and that’s not what we want.

We need to start the connection wizard, so we will go to the “Network and Sharing Center”.

Click the network icon in the system tray and then “Open Network and Sharing Center”.

In the Network center click on “Set up a new connection or network”.

Select “Connect to a workplace” and then “Next”.

Click on the first option of “Use my Internet connection (VPN)”.

Set the address of your VPN server as seen from the internet either by DNS-name or IP.

Even though it won’t connect now because we still need to go into the dialer’s properties, set the username and password and hit connect.

After the connection fails (that’s normal), click on “Set up the connection anyway”.

Back in the “Network Center”, click on “Change adapter settings”.

Find the dialer we have just created, right click it and select “Properties”.

While it’s optional, for a faster connecting dialer, set the “type” of VPN to PPTP under the “Security” tab.

Go to the “Networking” tab, select the IPv4 protocol and go into its properties.

In the next window, click “Advanced” without changing anything else.

On the next window, uncheck the “Use default gateway on remote network” option.

Now enter the connection’s credentials as you set them on the server and connect.

That’s it, you should now be able to access all the computers on your network from the Win7 client.

Note: Be sure to read our guide to setting up a VPN client for Ubuntu Linux.

Enjoy :)

Aviad Raviv is an agile IT implementer that has reached the level of "Bankai" and is now working on incorporating the "hollow" side. https://www.facebook.com/Hotfortech

  • Published 10/11/10

Comments (16)

  1. Chris Williams

    Excellent article. Just what a sysadmin on a tight budget needs. Free VPN server. Thank you.

    I did find one typo that will be a problem if readers copy and paste to edit the chap-secrets file:

    usernmae * users-password *

    Shouldn’t this be username not usernmae?

  2. aviad

    Thank you for the compliment and the feedback, I have corrected the typo.

  3. tommie

    Nice article. Is there a way to sync users from LDAP or other directory service? Maybe even *nix users?

  4. dzinks

    Could you tell me how to lock PPTP users after 10 failed logins?

  5. Compassman

    Will this work on any Debian-based Linux server or must it be pure Debian?

  6. Nemesio

    Fantastic!!

    I have done this before but I had to gather information from several sources. Love the one stop shop.

    You guys rock!

  7. Aviad (a.k.a Hotfortech)

    @Nemesio
    That was the intent… glad you found it useful as it was meant to be :)

  8. Plasmo

    I can’t believe how easy this was to set up. Better than having to use Putty. Thanks for putting this together.

    I run Fedora 14 and pptpd can be downloaded/installed by performing the “Quick Start” found here:
    http://poptop.sourceforge.net/dox/redhat-howto.phtml

  9. Mearaji.ir

    tanx ;)

  10. Ryan Draga

    I tried this, but I can’t ping any hosts on the remote network.

  11. Muhammad Zubair

    Great work,

    I think some of you will need

    [quote]
    modprobe ip_gre
    [/quote]
    if they are running a Linux router and want to connect to a destination PPTP server

  12. Edmund Fisher

    Why do I get an “Error 619: A connection to the remote computer could not be established, so the port that was used for the connection was closed”? I’m using Windows XP to connect.

    I think something is wrong with my /etc/ppp/chap-secrets file, which I have pasted below.

    # Secrets for authentication using CHAP
    # client server secret IP addresses

    linuxthefish * mypassword *

  13. sa144

    I have set up a PPTP VPN server on Linux.
    But accounts are open for concurrent simultaneous connections, meaning there can be many users using one account at a time.
    I need to limit that to one user at a time.
    Does anybody know how it can be done?

  14. lukas

    Hello there. Thanks for the very nice PPTP VPN manual. I’ve got just one question. Is it possible to monitor users’ traffic on the VPN? Give users a quota for the VPN? The problem is that users on my server are making too much traffic and I need to stop this. Thanks for any help. lu

  15. Ashiq Irphan

    What if my server does not have a public IP ????
    Is there any workaround for a scenario where my server’s IP is a private IP ???

  16. Roman

    Why wasn’t the WAN IP of the client PC changed to the server’s WAN IP?

    Thanks.
