- Category: Linux Server
- Published: 20 August 2010
- Hits: 28616
Hello all i was recently trying to figure out how to create a good VPN(Virtual Private Network) on a Linux server. I have done many on Windows Server and ISA as well.
Here it is... I didn't do a fresh install for it so i had to search apt for the right package.
So first i ran
apt-get install pptpd
this will install the pptp server package that is needed for this install.
7. Open the pptpd.conf file: ‘
sudo nano /etc/pptpd.confAdjust the IP settings at the bottom to your needs. Under local IP you enter the IP in the local network of your VPN server (if you don’t know it type
sudo ifconfigand it will show you your network interfaces and the assigned IPs). For that matter I recommend to set up a static IP in /etc/network/interfaces or in your router configuration.
8. If you want to, you can change the hostname in /etc/ppp/pptpd-options
9. Specify the user names and passwords you want to give access to your vpn:
sudo nano /etc/ppp/chap-secrets. If you changed the hostname in the step before make sure you type in the same hostname now under ‘server’
# client server secret IP addresses username pptpd myübersecretpassword *
As in pptp there is no keyfile security depends solely on the password. Which is why you should choose a long (eg. 32 characters), random password. You can generate such a password here.
10. Now we need to set up ip-masquerading:
sudo nano /etc/rc.local
Add the following lines above the line that says ‘exit 0‘
# PPTP IP forwarding iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Optionally I recommend securing your SSH server against brute force attacks:
# SSH Brute Force Protection iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –set –name SSH iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP
(also to be inserted above ‘exit 0?)
You may have to change ‘eth 0? to another interface, depending on which interface is configured to connect to the internet on your machine.
11. Lastly, uncomment this line in /etc/sysctl.conf:
13. In case your vpn-server doesn’t directly connect to the internet you may need to forward port 1723 TCP and GRE to the LAN IP of your vpn-server. Refer to your router’s manual or to portforward.com for vendor specific instructions.
UPDATE(2010-07-18): If connecting to the vpn-server goes well but you can’t connect to the internet you might want to try uncommenting the ms-dns entries in /etc/ppp/pptpd-options so it looks like this:
And that's it. I was able to connect fine through my local network as well as the external. Thanks for reading.