PPTP VPN server on Ubuntu 12 OpenVZ

These are the instructions to create a simple VPN server on Open VZ Ubuntu:

I'd run sudo -i so you won't have to keep entering sudo at the beginning of each command.

Install Software
apt-get install pptpd

Allow Ports 22 and 1723 on UFW and Enable UFW
Warning: if you are connected to SSH on a port other than 22, please adjust the first command accordingly so you don't get kicked off.

sudo ufw allow 22
sudo ufw allow 1723
sudo ufw enable

Edit /etc/ppp/pptpd-options
Comment out (by placing a "#" at the beginning of the line) the following lines in "/etc/ppp/pptpd-options":
  • refuse-pap
  • refuse-chap
  • refuse-mschap
If you don't want to require encryption, comment out "require-mppe-128" (it might be good to disable it just for testing and re-enable it later).
Add the following:
ms-dns 208.67.222.222
ms-dns 208.67.220.220

*note, you can use any DNS servers you like, the two above are OpenDNS's public DNS servers.
Google's public IPs are 8.8.8.8 and 8.8.4.4.

Edit /etc/pptpd.conf
At the end of the file "/etc/pptpd.conf", add:
localip <enter your venet0:0 private IP>
remoteip 10.99.99.100-199

The remoteip doesn't have to correspond to your network. It is best to pick inaccessible/unused addresses here if you only want to use the VPN for Internet access.

Edit /etc/ppp/chap-secrets
The format for "/etc/ppp/chap-secrets" is [Username] [Service] [Password] [Allowed IP Address]
Add something like this to the end (replacing sampleusername and samplepassword with whatever you want):
sampleusername pptpd samplepassword *

Reboot pptpd
Finally, you can reboot the pptpd server with:
sudo /etc/init.d/pptpd restart

Edit /etc/sysctl.conf
Un-comment the following line in "/etc/sysctl.conf":
net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):
sudo sysctl -p

Edit /etc/default/ufw
Edit "/etc/default/ufw" and change the option "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT"

Edit /etc/ufw/before.rules
Add the following either at the beginning of "/etc/ufw/before.rules" or just before the *filter rules (recommended):
# NAT table rules
*nat

:POSTROUTING ACCEPT [0:0]
# Allow forward traffic to venet0:0
-A POSTROUTING -s 199.x.x.0/32 -o venet0:0 -j MASQUERADE

# Process the NAT table rules

COMMIT

*note, the 199.x.x.0/32 will be your venet IP address and subnet CIDR.
For example, if your IP is 199.24.24.54 on subnet 255.255.255.255, then you would input 199.24.24.0/32.

Enter iptables -t nat -A POSTROUTING -j SNAT --to-source <venet0:0 IP address>

After that, type in:
iptables-save

Restart the pptpd:
/etc/init.d/pptpd restart


~~~~~~~~~~~~~~~~~~~~~~

It's fairly straightforward, but sometimes you'll need some tweaking.
Whatever errors you encounter, check the logs and Google to find your solution.

~~~~~~~~~~~~~~~~~~~~~~

Some things that caught me off guard:

- Ask InterServer (open a problem ticket) to install the ppp modules on the host server you're on, otherwise you'll get dropped connections when you attempt to connect your VPN.

- After the ppp module is installed, you may still have problems... the admin had seen the following errors, which resulted in the need to manually create /dev/ppp.
Create /dev/ppp:
mknod /dev/ppp c 108 0 (The 0 is zero)
chmod 600 /dev/ppp

Error:
CTRL: Starting call (launching pppd, opening GRE)
Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Couldn't open the /dev/ppp device: No such file or directory
CTRL: EOF or bad error reading ctrl packet length.
CTRL: couldn't read packet header (exit)
CTRL: CTRL read failed
CTRL: Reaping child PPP[1099]
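As an added example (not part of the original post), here is a POSIX shell script that stages the same edits under a directory of your choosing and then checks them, so the result can be reviewed before anything is copied into /etc. The address 203.0.113.10, the interface name venet0 (the post writes venet0:0), the sample user and the MASQUERADE source are assumptions made here: this example's NAT rule matches the client range given to remoteip as its source, which differs from the rule in the post. The starting pptpd-options file is a constructed stand-in for the one the Ubuntu package ships.

```shell
#!/bin/sh
# Added example, not the original poster's script. Stages the pptpd files the
# post edits by hand under a prefix directory and checks them before they are
# copied into /etc. All addresses, names and the seed file are placeholders.
set -eu

EXT_IP="${EXT_IP:-203.0.113.10}"          # placeholder for the venet0:0 address
REMOTE_NET="${REMOTE_NET:-10.99.99.0/24}" # covers remoteip 10.99.99.100-199
DNS1=208.67.222.222
DNS2=208.67.220.220

# Constructed stand-in for the stock /etc/ppp/pptpd-options.
seed_pptpd_options() {
    cat > "$1" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

# Comment out the three refuse-* lines and add the DNS servers handed to clients.
# require-mppe-128 is deliberately left in place so client traffic stays encrypted.
configure_pptpd_options() {
    sed -i -e 's/^refuse-pap$/# refuse-pap/' \
           -e 's/^refuse-chap$/# refuse-chap/' \
           -e 's/^refuse-mschap$/# refuse-mschap/' "$1"
    printf 'ms-dns %s\nms-dns %s\n' "$DNS1" "$DNS2" >> "$1"
}

# Append localip/remoteip to pptpd.conf.
configure_pptpd_conf() {
    printf 'localip %s\nremoteip 10.99.99.100-199\n' "$EXT_IP" >> "$1"
}

# chap-secrets line: username, service, password, allowed client address.
add_vpn_user() {
    printf '%s pptpd %s *\n' "$2" "$3" >> "$1"
}

# NAT block for /etc/ufw/before.rules. Assumed source: the VPN client range,
# so only pptpd clients are masqueraded out of venet0 (assumed interface name).
nat_rules() {
    cat <<EOF
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $REMOTE_NET -o venet0 -j MASQUERADE
COMMIT
EOF
}

# Sanity checks to run on the staged files; returns non-zero with a message
# on the first problem found.
check_staged() {
    root="$1"
    grep -q '^require-mppe-128$' "$root/pptpd-options" || { echo "MPPE-128 not required"; return 1; }
    grep -q '^refuse-pap$' "$root/pptpd-options" && { echo "refuse-pap still active"; return 1; }
    grep -qE '^localip [0-9.]+$' "$root/pptpd.conf" || { echo "localip missing"; return 1; }
    grep -q '^:POSTROUTING ACCEPT' "$root/before.rules" || { echo "NAT chain header wrong"; return 1; }
    grep -q '^net.ipv4.ip_forward=1$' "$root/sysctl.conf" || { echo "ip_forward not enabled"; return 1; }
    return 0
}

# Build every staged file under the given directory.
stage_all() {
    root="$1"
    mkdir -p "$root"
    seed_pptpd_options "$root/pptpd-options"
    configure_pptpd_options "$root/pptpd-options"
    : > "$root/pptpd.conf"
    configure_pptpd_conf "$root/pptpd.conf"
    : > "$root/chap-secrets"
    add_vpn_user "$root/chap-secrets" sampleusername samplepassword
    nat_rules > "$root/before.rules"
    echo "net.ipv4.ip_forward=1" > "$root/sysctl.conf"
}

# Usage: sh stage-pptpd.sh /tmp/pptpd-stage
if [ "${1:-}" != "" ]; then
    stage_all "$1"
    check_staged "$1" && echo "staged under $1; review, then copy into /etc"
fi
```

Run it with a scratch directory as the only argument, diff the staged files against the live ones in /etc/ppp, /etc/pptpd.conf and /etc/ufw/before.rules, and only then copy them over and restart pptpd as the post describes. Keeping the MASQUERADE source limited to the remoteip range means nothing but pptpd clients is NATed through the host.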
 

Quags

Administrator
Staff member
Thanks for posting. PPP does come up occasionally from clients and this will be very helpful. It takes a little more effort to get PPP working on OpenVZ over KVM or a dedicated server but is possible to do. As mentioned above just contact support to enable PPP in your VPS account if you have openVZ.

For KVM or a dedicated server ppp just needs to be loaded with modprobe (generally it is in the kernel already) and the device entry in /dev gets created automatically.
 

arewethereyeti

New Member
I've followed the instructions exactly as above, however skipping the UFW part because my VPS has no firewall configured. I can log in to the VPN, but the internet connectivity is spotty. For example, visiting Yahoo.com for the first time loads, however the second time it fails to load. The same goes for some other sites such as youtube.com, etc. However, sites like hulu.com or netflix.com do not have this problem.

Can someone verify that the iptables statements are valid? Since I do not understand iptables at all. Or can someone point me to an automated setup for PPTP VPN?

Thanks.
 

Quags

Administrator
Staff member
If the connection is spotty to YouTube but works for Hulu / Netflix, your VPN sounds connected properly, but may have a poor connection to Google. Is this an InterServer VPS or a server you installed the VPN on? InterServer peers directly with Google now (includes YouTube) as of 7/30, so speeds to any Google services should be insanely fast:

Example:
traceroute youtube.com
traceroute: Warning: youtube.com has multiple addresses; using 173.194.43.37
traceroute to youtube.com (173.194.43.37), 64 hops max, 40 byte packets
1 vl1001.cr1.teb1.us.as19318.net (66.45.228.1) 0.693 ms 0.353 ms 0.323 ms
2 64.20.32.213 (64.20.32.213) 0.601 ms 0.400 ms 0.360 ms
3 vl568.cr1.lga2.us.as19318.net (64.20.32.66) 0.630 ms 17.971 ms 0.649 ms
4 core1-0-0-8.lga.net.google.com (198.32.118.39) 0.581 ms 0.612 ms 0.612 ms
5 209.85.248.180 (209.85.248.180) 8.630 ms 0.775 ms 0.779 ms
6 72.14.237.254 (72.14.237.254) 1.230 ms 1.406 ms 1.194 ms
7 lga15s35-in-f5.1e100.net (173.194.43.37) 0.795 ms 0.967 ms 0.867 ms


Under 1 ms
 

arewethereyeti

New Member
I understand that the pings are low. But for some reason, there is still intermittent connectivity to some sites when you try to visit them, which I suspect is due to errors in the iptables statement.

Perhaps you could try connecting to the VPN to see what I mean?
IP: 199.231.188.54 (Interserver VPS, PPTP)
Username: *
Password: *

There is nothing running on the VPS, apart from the necessary software for VPN.

And also there seems to be a hard limit on upload speeds to around 2mb/s to Asian countries, which is where I currently reside.

http://www.speedtest.net/result/2879758557.png
http://www.speedtest.net/result/2879761790.png
http://www.speedtest.net/result/2879762930.png
http://www.speedtest.net/result/2879765819.png
http://www.speedtest.net/result/2879774126.png
 
Last edited by a moderator:

Quags

Administrator
Staff member
Removed passwords for security

Checking the system if you are just using this for vpn

apache2
xinetd
vsftpd
saslauthd
sendmail

Can be stopped

The speeds may be improved now. What country are you in, LA may be a better fit than NJ for speeds.
 

michael lundbøl

New Member
Hm, I am having trouble setting my VPN server up. Could someone help me? I have PPTP enabled but I do also have some other tasks running on it :)
 

txo

New Member
Brilliant, tut worked just fine and support were very quick to get the ppp module loaded.
The only problem now is tun support seems to have gone, I'm getting a "/dev/net/tun: Operation not permitted" on a "cat /dev/net/tun", it was working before setting up the vpn. Is it perhaps the ppp and the tun module conflicting?
 

Quags

Administrator
Staff member
Brilliant, tut worked just fine and support were very quick to get the ppp module loaded.
The only problem now is tun support seems to have gone, I'm getting a "/dev/net/tun: Operation not permitted" on a "cat /dev/net/tun", it was working before setting up the vpn. Is it perhaps the ppp and the tun module conflicting?
Ask support to enable TUN as well.
 

M4erSam

New Member
This is very interesting, it actually crossed my mind the other day that it would come in useful to set up one of these.
 