Setting up a VPN on Linux with PopTop pptpd

Warning: This is an old howto that I wrote a few years ago, so some things may be out of date

What is a VPN and why would I want one

If you don’t know what it is, a Virtual Private Network (VPN) is a way to establish a connection between two network devices which are not on the same local network, so that they effectively act as though they were. This is accomplished by encrypting and tunneling the traffic between the two end points so that data in transit cannot be viewed by prying eyes. By using a VPN, it is possible either to connect to, or to allow remote users to connect to, your local computing environment just as securely as if they were plugged into a port on your router.

How does it work?

Every VPN needs to have the ability to both encrypt and decrypt data. The typical installation involves a VPN server on the host network, which can be either a dedicated appliance or software on a server, and a client piece on a traveling computer. In the case of the PPTP protocol used for Windows VPN, most modern versions of Windows come with a VPN client pre-installed. Alternatively, you may have two devices, one on each end of the link, such as the Linksys BEFSX41, which will create a dedicated VPN link between two networks. In this case, both physical networks act as if they are separate nodes on the same virtual network. There is no need for additional clients or servers.

Why would I want a VPN?

There are many reasons that you might want a VPN. The most common, however, is to let telecommuters have access to your private network from their home or another remote site. This might be used to access internal e-mail, company documents, or other applications not visible to the outside world. While they are on the VPN, the users will be assigned a local IP address and will behave as if they are actually at your office. The data transmitted between the remote client and the server will be encrypted end to end to avoid data falling into the wrong hands.

How do I set up a VPN on Linux using PopTop?

In this example, I will show how to set up a simple PPTP (Windows VPN) server using an existing Linux server and the PopTop package. All of this, other than hardware, is available free online. This tutorial assumes that you already have a version of Fedora up and running, a working installation of yum, and that you have general knowledge about setting up networking on your computer.

Note: Many of the following commands will either need to be run as root or run using sudo privileges.

Set up the repository for yum

rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm

Install pptpd

yum install pptpd --enablerepo=pptp-stable

Edit pptpd.conf

nano /etc/pptpd.conf

Add the lines:

localip [ip address of server]
remoteip [ip addresses to assign]

The remoteip addresses will be assigned to the clients attaching to this server. These addresses must not fall inside the range handed out by any DHCP server on your network, and they can be given as a range. Keep in mind that many hotels and other private networks use the 192.168.x subnets, so you may benefit from assigning addresses in the 172.16.x.x or 10.x.x.x range instead. If you are on the 172.16.1.x range, you could include something like:

remoteip 172.16.1.241-246

to assign addresses between 172.16.1.241 and 172.16.1.246.
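Because a remoteip range that collides with the DHCP pool causes duplicate-address problems, the following added check (not part of the original howto or of pptpd) expands a pptpd remoteip specification in any of its three forms (single address, short range like 172.16.1.241-246, or full range) and reports whether any of it overlaps a DHCP pool given as start-end. All addresses used in the test are constructed sample values.

```shell
#!/bin/sh
# Added example: verify that a pptpd "remoteip" spec stays out of the DHCP pool.

# Convert a dotted-quad IPv4 address to a single integer.
ip4_to_int() {
  _oldifs=$IFS; IFS=.
  set -- $1
  IFS=$_oldifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Expand one remoteip item into "start end" as integers. Accepts
# 172.16.1.241, 172.16.1.241-246 (pptpd short form) and 172.16.1.241-172.16.1.246.
expand_item() {
  case $1 in
    *-*)
      _start=${1%%-*}; _tail=${1#*-}
      case $_tail in
        *.*) _end=$_tail ;;                 # full address after the dash
        *)   _end=${_start%.*}.$_tail ;;    # only the last octet was given
      esac ;;
    *) _start=$1; _end=$1 ;;
  esac
  echo "$(ip4_to_int "$_start") $(ip4_to_int "$_end")"
}

# remoteip_overlaps_pool REMOTEIP_SPEC DHCP_POOL
# REMOTEIP_SPEC may be a comma-separated list, as pptpd.conf allows.
# Returns 0 (true) if any remoteip address lies inside the DHCP pool.
remoteip_overlaps_pool() {
  _spec=$1
  set -- $(expand_item "$2")
  _pool_lo=$1; _pool_hi=$2
  _oldifs=$IFS; IFS=,
  for _item in $_spec; do
    IFS=$_oldifs
    set -- $(expand_item "$_item")
    # Two closed intervals overlap when each starts before the other ends.
    if [ "$1" -le "$_pool_hi" ] && [ "$2" -ge "$_pool_lo" ]; then
      return 0
    fi
  done
  IFS=$_oldifs
  return 1
}
```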

Modify options.pptpd

You must set up domain name resolution (DNS) for your new clients. You may add multiple DNS servers in this file:

nano /etc/ppp/options.pptpd

Uncomment the ms-dns line and modify it to read:

ms-dns 172.16.1.1

Modify the above line to reflect your appropriate DNS server address.

Modify chap-secrets

You must add a user and password to the chap-secrets file.

nano /etc/ppp/chap-secrets

Add the line:

[username] pptpd [password] *

Substitute your own values for [username] and [password]. It is highly advisable to use strong passwords for VPN access. The * indicates which addresses the client may connect from. If your client will always be connecting from a fixed IP address, you may substitute that address for the ‘*’. If the client will be roaming, you should leave the ‘*’.
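As an added example (not from the original howto, and add_pptp_user is a hypothetical helper rather than anything pptpd ships), this shell function appends a chap-secrets entry with a freshly generated random password, refuses duplicate usernames (pppd uses the first matching line, so a second entry would silently never be used), restricts the allowed source address when one is given, and locks the file down to root-only since it stores passwords in clear text.

```shell
#!/bin/sh
# Added example: safely add a PPTP user to /etc/ppp/chap-secrets.

# Generate a 24-character random password from /dev/urandom.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# has_pptp_user USERNAME SECRETS_FILE
# Returns 0 if the user already has an entry (first field match).
has_pptp_user() {
  [ -f "$2" ] && awk -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2"
}

# add_pptp_user SECRETS_FILE USERNAME [ALLOWED_IP]
# Appends "user pptpd password allowed-ip"; ALLOWED_IP defaults to "*"
# (roaming client). Prints the generated password once on stdout.
add_pptp_user() {
  _file=$1; _user=$2; _from=${3:-*}
  # Reject usernames that would break the whitespace-separated format.
  case $_user in
    ""|*[!A-Za-z0-9._-]*) echo "invalid username" >&2; return 2 ;;
  esac
  if has_pptp_user "$_user" "$_file"; then
    echo "user $_user already exists in $_file" >&2; return 1
  fi
  _pw=$(gen_password)
  printf '%s\tpptpd\t%s\t%s\n' "$_user" "$_pw" "$_from" >> "$_file"
  # The file holds clear-text secrets: readable by root only.
  chmod 600 "$_file"
  echo "$_pw"
}
```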

Static IP

Make sure that your computer is assigned a static IP address on your network. If you have a DHCP server running, verify that the static IP address you are assigning is on the same subnet as those assigned by your DHCP server, but is not within the range being assigned. Failure to verify this could result in two computers being assigned the same IP address which could lead to major problems on the network.

Forward Packets

If the server is not directly connected to the internet, configure any router or firewall in front of it to pass port 1723 through to the server’s static IP address.

You must also make sure that the server has IP forwarding enabled so that clients can reach other computers on the network. To check whether forwarding is enabled, type:

cat /proc/sys/net/ipv4/ip_forward

If the response is a ‘0’, forwarding is not enabled. To fix this on a permanent basis, edit /etc/sysctl.conf adding the line:

net.ipv4.ip_forward=1

Then run

sysctl -p /etc/sysctl.conf

Finally, restart the network service.

Set the firewall rules on the server

If you have iptables or another firewall running on the Linux server, configure it to allow the passage of data on port 1723. When using iptables, this can be done by executing:

/sbin/system-config-securitylevel

and adding an exception for port 1723. When you later view the exception, it will show up as pptp.

Restart the necessary services

Depending on the changes you have had to make (to the IP address and the services), you may need to run any or all of the following:

service network restart
service iptables restart
service pptpd start

Once the VPN is up and running, you can connect to your local network from any Windows machine using the username and password you designated in the chap-secrets file. You can then browse your network, accessing files and e-mail as if you were in the office.
