How to install a PPTP server on debian squeeze

This document describes the required steps to make a fully functional PPTP server on debian squeeze and how to configure Arno iptables firewall to accept incoming connections to PPTP server (in case you use this great firewall script).

If you don't use Arno iptables firewall but you still want to share internet connection with PPTP server please view the last note.

PPTP or PopTop is a vpn implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need quick VPN solution that’s easy and hassle free to set up, PPTP is the obvious choice.

1. Install the PPTP server package.

apt-get install pptpd

2. Edit the /etc/pptpd.conf configuration file.

echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf

The Local IP is the IP address of the server, remoteip specifies the IPs the vpn will assign its clients.

3. Edit the /etc/ppp/pptpd-options configuration file:

name Private.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

4. Edit the chap secrets file /etc/ppp/chap-secrets and add to it the authentication credentials for a user’s connection, in the following syntax:

username <TAB> * <TAB> users-password <TAB> *

5. Restart the connection’s daemon for the settings to take affect:

/etc/init.d/pptpd restart

6. Enable Forwarding (this is an optional step).

Note: By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to "jump" through the VPN server, to all other devices on the network.

Edit the sysctl file:

vim /etc/sysctl.conf

Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

6. You can either restart the system or issue this command for the setting to take affect:

sysctl -p

7. Configure Arno iptables firewall script

vim /etc/arno-iptables-firewall/debconf.cfg

DC_EXT_IF="eth0"

DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="1723"
DC_OPEN_UDP=""
DC_INT_IF="ppp+"
DC_NAT=0
DC_INTERNAL_NET="192.168.1.236/30"
DC_NAT_INTERNAL_NET=""
DC_OPEN_ICMP=0

vim /etc/arno-iptables-firewall/custom-rules

/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

8. Restart Arno iptables firewall script:

/etc/init.d/arno-iptables-firewall restart

Note:

If you don't use Arno iptables firewall but you still want to share internet connection with PPTP server we have to configure NAT for PPTP connections, otherwise you cannot reach anywhere from this server. Add the following lines at the end of the /etc/rc.local right before exit 0

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Execute the /etc/rc.local file:

/etc/rc.local

Leave a Reply

Your email address will not be published. Required fields are marked *