This document describes the steps required to set up a fully functional PPTP server on Debian squeeze and how to configure the Arno iptables firewall to accept incoming connections to the PPTP server (in case you use this great firewall script).
If you don’t use the Arno iptables firewall but you still want to share an internet connection with the PPTP server, please see the last note.
PPTP or PopTop is a VPN implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need a quick VPN solution that’s easy and hassle free to set up, PPTP is the obvious choice.
1. Install the PPTP server package.
apt-get install pptpd
2. Edit the /etc/pptpd.conf configuration file.
echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf
localip is the IP address of the server; remoteip specifies the IP addresses the VPN will assign to its clients.
3. Edit the /etc/ppp/pptpd-options configuration file:
4. Edit the chap secrets file /etc/ppp/chap-secrets and add to it the authentication credentials for a user’s connection, in the following syntax:
username <TAB> * <TAB> users-password <TAB> *
5. Restart the connection’s daemon for the settings to take effect:
6. Enable Forwarding (this is an optional step).
Note: By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network.
Edit the sysctl file:
Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):
You can either restart the system or issue this command for the setting to take effect:
7. Configure Arno iptables firewall script
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
8. Restart Arno iptables firewall script:
If you don’t use the Arno iptables firewall but you still want to share an internet connection with the PPTP server, you have to configure NAT for PPTP connections; otherwise clients cannot reach anywhere through this server. Add the following lines at the end of /etc/rc.local, right before exit 0:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Execute the /etc/rc.local file:
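The iptables -P FORWARD ACCEPT line above forwards every packet the server receives, not only VPN traffic. The following added example (not part of the original guide) prints a narrower rule set derived from the remoteip value in /etc/pptpd.conf. It assumes clients arrive on ppp+ interfaces, eth0 is the outbound interface as in the guide, and remoteip is a single address or one range; the function names are hypothetical.

```shell
# Added example: print FORWARD/NAT rules limited to the PPTP client range.
# Assumes clients arrive on ppp+ and eth0 is the outbound interface.

# expand_remoteip 192.168.1.236-239 -> 192.168.1.236-192.168.1.239
expand_remoteip() {
    case "$1" in
        *,*) echo "unsupported remoteip list: $1" >&2; return 1 ;;
        *-*) start=${1%%-*}; end=${1#*-} ;;
        *)   start=$1; end=$1 ;;
    esac
    # An abbreviated end ("239") borrows the first three octets of the start.
    case "$end" in
        *.*) ;;
        *)   end="${start%.*}.$end" ;;
    esac
    for ip in "$start" "$end"; do
        # Shape check only (four dotted decimal fields).
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "bad address in remoteip: $ip" >&2; return 1; }
    done
    echo "$start-$end"
}

# pptp_forward_rules CONF [WAN_IF]: prints iptables commands, runs none.
pptp_forward_rules() {
    conf=$1; wan=${2:-eth0}
    # This function uses the last remoteip line (the guide appends with >>).
    remote=$(awk '$1 == "remoteip" { v = $2 } END { print v }' "$conf")
    [ -n "$remote" ] || { echo "no remoteip in $conf" >&2; return 1; }
    range=$(expand_remoteip "$remote") || return 1
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o $wan -m iprange --src-range $range -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -m iprange --src-range $range -j MASQUERADE
EOF
}

# Constructed sample: the two lines step 2 appends to /etc/pptpd.conf.
sample=$(mktemp)
printf 'localip 192.168.1.1\nremoteip 192.168.1.236-239\n' > "$sample"
pptp_forward_rules "$sample"
rm -f "$sample"
```

With this rule set, connections initiated by other hosts toward VPN clients are dropped; only traffic started by a client in the remoteip range, and the replies to it, is forwarded.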