How to install a VPN Server (PPTP) on Debian/Ubuntu Linux VPS

How to install a VPN Server (PPTP) on Debian/Ubuntu Linux VPS 

**WARNING** PPTP is insecure. It’s better and arguably easier to setup OpenVPN instead:     OpenVPN setup tutorial

Low-end (cheap) VPS accounts are very popular nowadays and one of the reason is that people use them for personal VPN purposes.
There are some advantages on using a personal VPN server:
- server resources such as CPU, bandwidth are not shared among others
- you will know for certain what VPN or Internet activity logs are kept on the server (even though many public VPN providers say that they do not keep any logs on servers, you can’t really verify that)

PPTP is probably the most popular VPN protocol. Here is a short installation guide for Debian Linux (or Ubuntu).

Step 1: install pptpd

apt-get update

apt-get install pptpd

this will install bcrelay, ppp, pptpd

Step 2: configure pptpd and ppp

pico -w /etc/pptpd.conf

(or use your favorite text editor, like vim)

Add the local and remote IP pool and the end of file:

localip 10.10.0.1

remoteip 10.10.0.2-10

in the above example, the VPN server IP will be 10.10.0.1 and the clients connecting to the VPN will be assigned private IP addresses from 10.10.0.2 to 10.10.0.10. You can obviously use other IP range or different private IP addresses (ex.: 192.168.x.y)

Save the file and exit the editor. Now edit the ppp configuration file:

pico -w /etc/ppp/pptpd-options

add the following at the end of file:

name pptpd

refuse-pap

refuse-chap

refuse-mschap

require-mschap-v2

require-mppe-128

ms-dns 8.8.8.8

#ms-dns 8.8.4.4

proxyarp

nodefaultroute

lock

nobsdcomp

mtu 1490

mru 1490

this is what you should have in the file. Notice that the ppp daemon will refuse unsecure CHAP and MSCHAP V1 authentications. MS-CHAP V2 PPTP VPN is not too safe, either, but is definitely a better option that older CHAP and MS-CHAP V1.

Now you should add the VPN account username/password to the ppp secrets file. Edit /etc/ppp/chap-secrets and add something like this:

myusername pptpd mys3cr3tpass 10.10.0.2

myfriendsuser pptpd hisp@ssword 10.10.0.3

Step 3: enable packets forwarding 

Edit /etc/sysctl.conf and enable ipv4 forwarding by un-commenting the line (removing the # sign) and changing 0 to 1 so it looks like this:

net.ipv4.ip_forward=1

Save & exit the editor, then run:

sysctl -p

for the changes to take effect.

Add the iptables rule to create the NAT between eth0 and ppp interfaces:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

Note that iptables MASQUERADE doesn’t work on OpenVZ VPS containers. Works on KVM and XEN.

If you use OpenVZ, you need to use iptables SOURCE like this:

iptables -t nat -A POSTROUTING -j SNAT --to-source <Public Server IP>

now restart pptpd by running:

service pptpd restart

that’s all. Now you should test the connection.