If you need to access your network (be it a home network or a work network) from a remote location, a good option is to set up some sort of VPN connection. There are a few different types of VPN connection, such as PPTP, L2TP, and IPsec, and each has advantages and disadvantages. One advantage of PPTP VPN connections is that almost all devices that can create VPN connections already have a PPTP VPN client.
Linux can be set up as a PPTP Server easily, and the following guide will outline how to do this.
Install the PPTP server package:
$ sudo apt-get install pptpd
Edit the chap-secrets file, which contains the usernames and passwords for the users that will connect to the VPN.
$ sudo nano /etc/ppp/chap-secrets
Example blank chap-secrets file:
# Secrets for authentication using CHAP
# client    server  secret  IP addresses
The following example shows two users (‘vpnuser’ and ‘vpnuser2’), and their plain text password of ‘pass123’. The ‘vpnuser2’ user has been set to use the same IP address (192.168.0.90) on each connection. This is how you can assign a static VPN IP to a specific user.
# Secrets for authentication using CHAP
# client    server  secret  IP addresses
vpnuser     *       pass123 *
vpnuser2    *       pass123 192.168.0.103
Once you have added any users that you want to add, save the file and exit the editor.
Edit the main PPTP configuration file:
$ sudo nano /etc/pptpd.conf
The configuration file is well documented, so have a read through it and see if there are any options you need to change.
The main options that you will need to modify are the ‘localip’ and ‘remoteip’ settings. I set the ‘localip’ option to the IP address of the server on the LAN side (192.168.0.1 in this case), and the ‘remoteip’ option to a range of IPs on the same subnet as your LAN (192.168.0.100 through to 192.168.0.120 in this case).
Sample configuration settings:
localip 192.168.0.1
remoteip 192.168.0.100-120
Save the file and exit the editor.
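Before restarting the service it is worth checking the two files just edited. The following script is added here and is not part of the original guide: it checks that chap-secrets (which holds plaintext passwords) is not readable by group or others, and that any static IP assigned in chap-secrets falls inside the remoteip range set in pptpd.conf. The sample files it writes are constructed copies of the examples above, and the PPTPD_CONF and CHAP_SECRETS variable names are my own.

```shell
#!/usr/bin/env bash
set -u

# chap-secrets holds plaintext passwords, so it should be mode 600 and owned
# by root. Prints "ok" when group/other have no bits set, else "too-permissive".
secrets_perm_status() {
    local mode
    mode=$(ls -ld "$1" | cut -c5-10)      # group+other part of the mode string
    case "$mode" in
        ------) echo ok ;;
        *)      echo too-permissive ;;
    esac
}

# List chap-secrets users whose fixed IP (4th column) falls outside the
# pptpd.conf remoteip range, e.g. "remoteip 192.168.0.100-120".
# Prints "user ip" per offender and nothing when every static address fits.
static_ips_outside_range() {
    local conf="$1" secrets="$2" spec prefix range
    spec=$(awk '$1=="remoteip"{print $2; exit}' "$conf")
    prefix=${spec%.*}                     # 192.168.0
    range=${spec##*.}                     # 100-120
    awk -v p="$prefix" -v f="${range%-*}" -v l="${range#*-}" '
        /^[[:space:]]*#/ || NF < 4 { next }   # comments and incomplete lines
        $4 == "*"                  { next }   # dynamic address, nothing to check
        {
            n = split($4, o, ".")
            pfx = o[1] "." o[2] "." o[3]
            if (n != 4 || pfx != p || o[4]+0 < f+0 || o[4]+0 > l+0)
                print $1, $4
        }' "$secrets"
}

# Constructed sample files mirroring the guide's examples (not real config).
demo_dir=$(mktemp -d)
PPTPD_CONF="$demo_dir/pptpd.conf"
CHAP_SECRETS="$demo_dir/chap-secrets"
printf 'localip 192.168.0.1\nremoteip 192.168.0.100-120\n' > "$PPTPD_CONF"
cat > "$CHAP_SECRETS" <<'EOF'
# client   server  secret   IP addresses
vpnuser    *       pass123  *
vpnuser2   *       pass123  192.168.0.103
vpnuser3   *       pass123  192.168.0.90
EOF
chmod 644 "$CHAP_SECRETS"                 # deliberately wrong, to trip the check

echo "chap-secrets permissions: $(secrets_perm_status "$CHAP_SECRETS")"
static_ips_outside_range "$PPTPD_CONF" "$CHAP_SECRETS"
```

On a real server point PPTPD_CONF at /etc/pptpd.conf and CHAP_SECRETS at /etc/ppp/chap-secrets instead of the constructed files.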
Restart the PPTP/VPN server service for the changes to take effect.
$ sudo /etc/init.d/pptpd restart
You can now try and connect to the server from a PPTP VPN client.
Use the ifconfig command to see the status of the VPN interfaces when users are connected.
The VPN connections will appear as ppp# connections.
Example ifconfig output with a VPN user connected:
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.1  P-t-P:192.168.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:86 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:7659 (7.6 KB)  TX bytes:98 (98.0 B)
Keep in mind that if your server has firewall rules on it, you will need to allow inbound TCP port 1723, and also allow the GRE protocol (IP protocol number 47). You may also need to allow traffic arriving on the ppp interfaces if the VPN users need to access services on the VPN server itself.
If the Linux server is behind a firewall/router, port forward TCP port 1723 to the VPN server (and also GRE, if your firewall/router supports forwarding it). Some routers have a pre-defined rule named ‘PPTP’; use this if it exists. Some NAT routers don’t forward the GRE protocol correctly, so make sure your router has PPTP passthrough support.
If you need to access computers on the LAN behind the VPN server machine, you will have to look at enabling IP forwarding and setting up iptables forwarding rules.
The following should allow all traffic from the VPN to the LAN and vice versa, however don’t use this on a server directly connected to the Internet:
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -o ppp+ -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
(This assumes your LAN subnet is 192.168.0.0/24 on the eth0 network interface.)