Thursday, May 17, 2012

How To: PPTP VPN on Ubuntu 12.04 (pptpd)

I recently started renting a 128 MB RAM Xen VPS for $15/quarter with a promotional offer for nqhost.com as seen on http://www.lowendbox.com/blog/nqhost-15quarter-128mb-xen-vps-in-dallas/
Since nqhost.com offers unmetered bandwidth through a SoftLayer data center in Texas, I decided to set up a VPN server for my own use.

In this tutorial, I will be showing you how to set up pptpd (poptop) on Ubuntu 12.04 to provide PPTP VPN services.

The following instructions are inspired by http://eran.sandler.co.il/2010/08/30/pptp-vpn-on-ubuntu-10-04-for-your-iphone-ipad/


Install Software
sudo apt-get install pptpd ufw

Allow Ports 22 and 1723 on UFW and Enable UFW
Warning: if you are connected to SSH on a port other than 22, please adjust the first command accordingly so you don't get kicked off.

sudo ufw allow 22
sudo ufw allow 1723
sudo ufw enable


Edit /etc/ppp/pptpd-options
Comment out (by placing a "#" at the beginning of the line) the following lines in "/etc/ppp/pptpd-options":
  • refuse-pap
  • refuse-chap
  • refuse-mschap
If you don't want to require encryption, comment out "require-mppe-128" (it might be good to disable it just for testing and re-enable it later).
Add the following:
ms-dns 208.67.222.222
ms-dns 208.67.220.220

Note: you can use any DNS servers you like; the two above are OpenDNS's public DNS servers.

Edit /etc/pptpd.conf
At the end of the file "/etc/pptpd.conf", add:
localip 10.99.99.99
remoteip 10.99.99.100-199


These values do not have to correspond to your network. It is best to pick inaccessible/unused addresses here if you only want to use the VPN for Internet access.

Edit /etc/ppp/chap-secrets
The format for "/etc/ppp/chap-secrets" is [Username] [Service] [Password] [Allowed IP Address]
Add something like this to the end (replacing sampleusername and samplepassword with whatever you want):
sampleusername pptpd samplepassword *

Restart pptpd
Finally, you can restart the pptpd server with:
sudo /etc/init.d/pptpd restart

Edit /etc/sysctl.conf
Un-comment the following line in "/etc/sysctl.conf":
net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):
sudo sysctl -p

Edit /etc/default/ufw
Edit "/etc/default/ufw" and change the option "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT".

Edit /etc/ufw/before.rules
Add the following either at the beginning of "/etc/ufw/before.rules" or just before the *filter rules (recommended):
# NAT table rules
*nat

:POSTROUTING ACCEPT [0:0]
# Allow forward traffic to eth0
-A POSTROUTING -s 10.99.99.0/24 -o eth0 -j MASQUERADE

# Process the NAT table rules
COMMIT


At this point, you can run "sudo ufw disable && sudo ufw enable" or just reboot to be safe. You should be able to connect now. It took me several tries before I could get it to work, and it looks like the "require-mppe-128" line was what gave me so much trouble. I ultimately enabled encryption, but not before I tested it without.
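
The check below is an added example, not part of the original post: a POSIX shell audit of the files this guide edits, to confirm that "require-mppe-128" was re-enabled after testing, that "/etc/ppp/chap-secrets" is not world-readable and no longer holds the sample credentials, and that the forward policy is set as described. The function names are hypothetical; the option names, sample credentials and file paths are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: report the security-relevant
# state of the files this guide edits. Each function takes a file path.

# Prints "active", "commented" or "absent" for option $2 in file $1.
option_state() {
    if grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; then echo active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$2([[:space:]]|\$)" "$1"; then echo commented
    else echo absent
    fi
}

# pptpd-options: WARN when encryption is not required, INFO for the rest.
audit_pptpd_options() {
    for opt in refuse-pap refuse-chap refuse-mschap require-mppe-128; do
        state=$(option_state "$1" "$opt")
        if [ "$opt" = require-mppe-128 ] && [ "$state" != active ]; then
            echo "WARN $opt is $state: encryption is not required"
        else
            echo "INFO $opt is $state"
        fi
    done
}

# chap-secrets: readable by others, guide placeholders left in, wildcard address.
# Assumes unquoted, whitespace-separated fields as in the guide's sample line.
audit_chap_secrets() {
    [ -z "$(find "$1" -prune -perm -004)" ] ||
        echo "WARN $1 is world-readable and holds plaintext passwords"
    awk '/^[ \t]*(#|$)/ { next }
         $1 == "sampleusername" || $3 == "samplepassword" {
             print "WARN line " NR " still uses the guide placeholder credentials" }
         $4 == "*" { print "INFO user " $1 " may use any IP address" }' "$1"
}

# /etc/default/ufw: report the forward policy the guide switches to ACCEPT.
audit_forward_policy() {
    if grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?' "$1"; then
        echo "WARN DEFAULT_FORWARD_POLICY is ACCEPT for all forwarded traffic"
    fi
}

# Constructed sample: pptpd-options as the guide leaves it during testing.
sample=$(mktemp)
printf '%s\n' '#refuse-pap' '#refuse-chap' '#refuse-mschap' \
    '#require-mppe-128' > "$sample"
audit_pptpd_options "$sample"
rm -f "$sample"
```

To audit a live server, call the three functions as root with "/etc/ppp/pptpd-options", "/etc/ppp/chap-secrets" and "/etc/default/ufw".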

31 comments:

  1. Thanks for sharing this such a great information i really appreciate your work i shared this link to my all fb friends and twitter followers and google circle friend because this information helps to every one and my hobby is knowledge sharing.

    I shared one thing with the help of your blog yesterday i was finding a pptp vpn service provider finally i found it the list of PPTP VPN provider this lists helps to every one

    Thanks
    Regards
    Pattinson

  2. Thank you for your clearly written instructions. Awesome!

  3. I followed these instructions and they worked perfectly with one caveat. I have to restart the server after every successful connection.

    I've tried restarting photos and ufw and neither worked.

  4. Dumb question(s) - I'm connected to the VPN, but I can't access network resources.

    Also - how can I route my network traffic through my vpn?

  5. Thanks for this Guide!
    It works very well on VPS!
    Can you write a guide about: L2TP on Debian VPS, please?

  6. can connect to pptp server but no internet :(

    Replies
    1. Hi all;

      Nice guide, but I missed something essential on Ubuntu 12.04 LTS 64-bit

      Set up ip-masquerading: ‘sudo nano /etc/rc.local‘

      Add the following lines above the line that says ‘exit 0‘

      # PPTP IP forwarding

      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

      By default have ufw etc. iptables -L showed me no NAT rules, so it connected but failed to forward my IP traffic.

      Hope it helps someone out there
      Narruz

  7. I would think you could just use iptables to allow the ports instead of installing UFW?

    Replies
    1. Yeah, you could definitely use iptables directly instead of UFW, I remember seeing a lot of guides on how to do that.

      I think UFW is just a configuration tool for iptables, since those are iptables commands I put in the UFW configuration.

      iptables has a steep learning curve though, and if you're already using UFW, I think this is the best way to do it. You could probably just add iptables commands anyway though, as long as they're loaded after UFW.

  10. Thank you, helpful document

  11. Fantastic guide, but I see the server but not internet connection. Also I disable the firewall please help me

  12. what localip i must use..??
    please help

    Replies
    1. local ip in the example above is the external ip address that your server is using.

  13. Here is an alternative using iptables that is also forwarding all local traffic for gaming.
    http://globalcynic.wordpress.com/2013/04/26/pptpd-ubuntu-12-04-vps-fail2ban/

  14. Can I access it over the internet?
    If so, what am I supposed to do? Thanks.

  15. I want to setup pptp client in ubuntu 12.4 . Can you help me anyone please.

  19. I made my VPN server with ubuntu 12.04.3 LTS, i can connect without encryption, but when i want connect with encrypt, i get this error message: "The PPTP-VPN did no respond. Try reconnecting..." (Mac) What's this? I'm not use kernel patches, or other tuning.

  20. Hi
    In the last few days I followed the tutorial that you published on the web named "How To Setup Your Own VPN With PPTP".
    In my case I configure the chap encryption and it worked ok. But when I try to configure pap encryption I never connect. Why?
    My configuration is:
    in /etc/pptpd.conf
    localip 192.168.20.9
    remoteip 192.168.20.30-40

    hostname in my server = server
    external ip 192.168.0.25
    hostname in my client = client
    external ip 192.168.0.232


    the /etc/ppp/pap-secret in my server is:
    server client 123456 *
    client server 123456 *
    the /etc/ppp/pap-secret in my client is:
    server client 123456 *
    client server 123456 *


    net.ipv4.ip_forward = 1
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save

    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    iptables -I INPUT -s 192.168.20.0/24 -i ppp0 -j ACCEPT
    iptables --append FORWARD --in-interface eth0 -j ACCEPT




    the log show me this:
    Jan 30 11:44:11 client NetworkManager[1041]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
    Jan 30 11:44:11 client pptp[3647]: nm-pptp-service-3631 log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed
    Jan 30 11:44:11 client pptp[3647]: nm-pptp-service-3631 log[callmgr_main:pptp_callmgr.c:258]: Closing connection (shutdown)
    Jan 30 11:44:11 client pptp[3647]: nm-pptp-service-3631 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
    Jan 30 11:44:11 client pptp[3647]: nm-pptp-service-3631 log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed
    Jan 30 11:44:11 client pptp[3647]: nm-pptp-service-3631 log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
    Jan 30 11:44:11 client NetworkManager[1041]: VPN plugin failed: 1
    Jan 30 11:44:11 client pppd[3635]: Exit.
    Jan 30 11:44:11 client NetworkManager[1041]: VPN plugin state changed: stopped (6)
    Jan 30 11:44:11 client NetworkManager[1041]: VPN plugin state change reason: 0
    Jan 30 11:44:11 client NetworkManager[1041]: error disconnecting VPN: Could not process the request because no VPN connection was active.

    I appreciate any help

  23. I thoroughly enjoyed reading your story. I really appreciate your wonderful know-how and the time you put into educating the rest of us.
    Cheers!
