Thursday, May 17, 2012

How To: PPTP VPN on Ubuntu 12.04 (pptpd)

I recently started renting a 128 MB RAM Xen VPS from nqhost.com for $15/quarter under a promotional offer, as seen on http://www.lowendbox.com/blog/nqhost-15quarter-128mb-xen-vps-in-dallas/
Since nqhost.com offers unmetered bandwidth through a SoftLayer data center in Texas, I decided to set up a VPN server for my own use.

In this tutorial, I will be showing you how to set up pptpd (poptop) on Ubuntu 12.04 to provide PPTP VPN services.

The following instructions are inspired by http://eran.sandler.co.il/2010/08/30/pptp-vpn-on-ubuntu-10-04-for-your-iphone-ipad/


Install Software
sudo apt-get install pptpd ufw

Allow Ports 22 and 1723 on UFW and Enable UFW
Warning: if you are connected over SSH on a port other than 22, adjust the first command accordingly so you don't lock yourself out.

sudo ufw allow 22
sudo ufw allow 1723
sudo ufw enable


Edit /etc/ppp/pptpd-options
Comment out (by placing a "#" at the beginning of the line) the following lines in "/etc/ppp/pptpd-options":
  • refuse-pap
  • refuse-chap
  • refuse-mschap
If you don't want to require encryption, also comment out "require-mppe-128". It can be useful to disable it just for testing and re-enable it once the connection works.
Add the following:
ms-dns 208.67.222.222
ms-dns 208.67.220.220

Note: you can use any DNS servers you like; the two above are OpenDNS's public DNS servers.

Edit /etc/pptpd.conf
At the end of the file "/etc/pptpd.conf", add:
localip 10.99.99.99
remoteip 10.99.99.100-199


These values do not have to correspond to your existing network. If you only want to use the VPN for Internet access, it is best to pick a range that is neither reachable from nor used on your network.

Edit /etc/ppp/chap-secrets
The format for "/etc/ppp/chap-secrets" is [Username] [Service] [Password] [Allowed IP Address]
Add something like this to the end (replacing sampleusername and samplepassword with whatever you want):
sampleusername pptpd samplepassword *

Restart pptpd
Restart the pptpd service so it picks up the new configuration:
sudo /etc/init.d/pptpd restart

Edit /etc/sysctl.conf
Un-comment the following line in "/etc/sysctl.conf":
net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):
sudo sysctl -p

Edit /etc/default/ufw
Edit "/etc/default/ufw" and change the option "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT"

Edit /etc/ufw/before.rules
Add the following either at the beginning of "/etc/ufw/before.rules" or just before the *filter rules (recommended):
# NAT table rules
*nat

:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the VPN subnet going out through eth0 (change eth0 if your public interface has a different name)
-A POSTROUTING -s 10.99.99.0/24 -o eth0 -j MASQUERADE

# Process the NAT table rules
COMMIT


At this point, you can run "sudo ufw disable && sudo ufw enable" or just reboot to be safe. You should be able to connect now. It took me several tries before I could get it to work, and it looks like the "require-mppe-128" line was what gave me so much trouble. I ultimately enabled encryption, but not before I tested it without.
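As an added example (this is not code from the original post), here is a small POSIX shell script that rehearses the pptpd-options and chap-secrets edits above on copies of the files and checks what this guide depends on: that the refuse-* lines are commented out, that the ms-dns entries are present, and that each chap-secrets line has the four fields with the service set to pptpd as in the example above. It also adds one check the guide does not mention, that the chap-secrets file (which stores passwords in cleartext) is not readable by other users; every function takes a file path as an argument, so nothing under /etc is touched unless you point it there.

```sh
#!/bin/sh
# Added example, not from the original post. Each function takes a file path
# so it can be rehearsed on a copy before touching the real files under /etc.
# Apply the pptpd-options edits from the guide: comment out the three
# refuse-* lines and append the OpenDNS ms-dns entries. Safe to run twice.
configure_pptpd_options() {
    f="$1"
    sed -e 's/^refuse-pap$/#refuse-pap/' \
        -e 's/^refuse-chap$/#refuse-chap/' \
        -e 's/^refuse-mschap$/#refuse-mschap/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    for dns in 208.67.222.222 208.67.220.220; do
        grep -qxF "ms-dns $dns" "$f" || printf 'ms-dns %s\n' "$dns" >> "$f"
    done
}

# Number of refuse-* lines still active; the guide needs this to be 0.
active_refuse_lines() {
    grep -cE '^refuse-(pap|chap|mschap)$' "$1" || true
}

# Check chap-secrets: every non-comment line needs exactly four fields
# (user, service, password, allowed IP) with the service set to pptpd.
# Prints offending line numbers, returns 1 if any; assumes unquoted values.
check_chap_secrets() {
    awk '/^[[:space:]]*(#|$)/ { next }
         NF != 4 || $2 != "pptpd" { print NR; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# chap-secrets stores passwords in cleartext, so group and others must have
# no access. Returns 0 when the mode is 600 or stricter (e.g. 400).
chap_secrets_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stand-alone demo on constructed copies in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mppe-128\n' > "$d/pptpd-options"
    printf 'sampleusername pptpd samplepassword *\n' > "$d/chap-secrets"
    chmod 600 "$d/chap-secrets"
    configure_pptpd_options "$d/pptpd-options"
    echo "active refuse lines: $(active_refuse_lines "$d/pptpd-options")"
    check_chap_secrets "$d/chap-secrets" && chap_secrets_private "$d/chap-secrets" && echo "chap-secrets OK"
    rm -rf "$d"
fi
```

Run it with `--demo` to see it work on throwaway copies, or source it and call the functions on copies of your own files.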