Terry : PPTP VPN on VPS

PPTP

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP port 1723 and a GRE tunnel (IP protocol 47) that encapsulates the PPP frames carrying the actual traffic. Security caveat: the MS-CHAPv2 handshake PPTP relies on can be cracked offline from a captured handshake (it reduces to a single DES key), and MPPE derives its RC4 keys from that same exchange, so a PPTP tunnel should be treated as obfuscation rather than strong encryption.

Set up PPTP VPN on Arch Linux (OpenVZ VPS)

First make sure the container exposes a PPP device. Recent OpenVZ kernels support ppp inside containers, but the host has to enable it for the container:

http://wiki.openvz.org/PPP_in_container

Check that the ppp and tun device nodes exist in /dev:
/dev/ppp
/dev/net/tun
Install pptpd and ppp
pacman -S pptpd ppp
Check that the ppp device actually works by running pppd with no arguments:
pppd

pppd then uses the terminal as its serial line and prints raw PPP frames (LCP Configure-Requests) to it. If you see a line like the one below, the device works; that garbage is the success signal. Stop pppd with Ctrl-C.

~}#!}!}!} }4}"}&} } } } }%}&)Q}4}'}"}(}"p})
Config PPTP VPN

Edit /etc/pptpd.conf

listen 0.0.0.0
debug
localip 192.168.100.1
remoteip 192.168.100.2-254

localip is the server's end of every tunnel; remoteip is the pool handed out to clients. The range syntax is prefix.first-last, so 192.168.100.2-254 yields 253 client addresses (the original 192.168.100-254 is not a valid range).

Edit /etc/ppp/options (pptpd hands this file to pppd unless an option line in pptpd.conf names another one). Note that this minimal set only demands CHAP (in pppd, +chap is an alias for require-chap, i.e. CHAP with MD5) and never requires MPPE, so clients can end up on an unencrypted tunnel; the Debian file below is the stricter set and works on Arch as well.

name pptpd
lock
debug
+chap
ms-dns 8.8.4.4 # primary DNS server IP address
ms-dns 8.8.8.8 # secondary DNS server IP address

On Debian the pppd options for pptpd live in /etc/ppp/pptpd-options, which the option line in /etc/pptpd.conf points at. This is the configuration to prefer:

name pptpd
# Never authenticate this side to the peer with the weak schemes
refuse-pap
refuse-chap
refuse-mschap
# The peer must authenticate with MS-CHAPv2
require-mschap-v2
# Insist on 128-bit MPPE; a session that cannot negotiate it is torn down
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
# +chap is the old spelling of require-chap (CHAP with MD5); redundant next to require-mschap-v2 and safe to drop
+chap
nobsdcomp
novj
novjccomp
logfile /var/log/pptpd.log
nologfd

Edit /etc/ppp/chap-secrets and add users, one per line. The server column must match the name line in the options file; the fourth column lists the tunnel address(es) the client may be given, and * means any address from the remoteip pool (it does not restrict where the client connects from). The secret is stored in plaintext because MS-CHAPv2 needs it, so keep the file mode 600 and use long random secrets.

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
terry	pptpd	password	*
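As an added example (not code from the original page), a small POSIX shell helper that adds a user to a chap-secrets file with a generated secret and strict file permissions. The function names, the use of /dev/urandom and the file argument are my assumptions; the server name pptpd is the one from the name line above.

```shell
#!/bin/sh
# Added example, not from the original page: add a PPTP user to a
# chap-secrets file with a generated secret and strict file permissions.
# Assumptions (mine, not the page's): the server name is "pptpd" (it must
# equal the "name" line in the ppp options file) and /dev/urandom exists.

# pptp_gen_secret: 32 random alphanumeric characters. chap-secrets holds
# the plaintext (MS-CHAPv2 needs it), so entropy and the file mode are the
# only protections the secret gets.
pptp_gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# pptp_user_exists FILE USER: true if USER already has a line for server pptpd
pptp_user_exists() {
    awk -v u="$2" '
        $1 !~ /^#/ && $1 == u && $2 == "pptpd" { found = 1 }
        END { exit !found }' "$1"
}

# pptp_add_user FILE USER [SECRET] [IP]
#   Appends "USER pptpd SECRET IP" and prints the secret. IP is the tunnel
#   address the client may be given; "*" (default) means any from remoteip.
pptp_add_user() {
    file="$1"; user="$2"; secret="${3:-}"; ip="${4:-*}"
    case "$user" in
        ""|*[!A-Za-z0-9._-]*) echo "invalid user name: '$user'" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file"
    if pptp_user_exists "$file" "$user"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    [ -n "$secret" ] || secret="$(pptp_gen_secret)"
    # Double quotes keep a secret containing spaces or '#' intact for pppd.
    printf '%s\tpptpd\t"%s"\t%s\n' "$user" "$secret" "$ip" >> "$file"
    chmod 600 "$file"
    printf '%s\n' "$secret"
}
```

Usage: pptp_add_user /etc/ppp/chap-secrets terry prints the generated secret once, which is the moment to hand it to the user; pass a third argument to set the secret yourself and a fourth to pin the client to one tunnel address. pppd re-reads the file on every connection, so no restart of pptpd is needed.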
Start pptpd
/etc/rc.d/pptpd start
Install iptables
pacman -S iptables
Start iptables
/etc/rc.d/iptables start
iptables rules

INPUT chain: accept the control connection on TCP port 1723. GRE has no port (it is IP protocol 47), so if the INPUT policy is DROP you also need a separate rule for it, as in the Debian dump below (-A INPUT -p gre -j ACCEPT); without it the control channel comes up but PPP negotiation never starts because the client's GRE packets are dropped.

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

FORWARD chain: let packets arriving on any ppp interface (ppp+ matches ppp0, ppp1, ...) leave through the container's real interface, venet0.

iptables -A FORWARD -i ppp+ -o venet0 -j ACCEPT

NOTE: on BuyVM OpenVZ containers the public IP sits on the alias venet0:0-00. An alias is only a label on venet0, not a separate device, and netfilter compares -i/-o against the kernel device name, so a rule written as

iptables -A FORWARD -i ppp+ -o venet0:0-00 -j ACCEPT

matches nothing; it appears to work in the Debian dump below only because that dump's FORWARD policy is ACCEPT. Keep -o venet0, and if you set the FORWARD policy to DROP, add a second rule for the return direction (venet0 to ppp+, RELATED,ESTABLISHED).

Add forwarding rules

The following command rewrites the source address of everything coming from 192.168.100.0/24 to the VPS's public address, so the clients can reach the outside world through it.

OpenVZ

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source EXTERNAL_IP

NOTE: EXTERNAL_IP is the IPv4 address of the VPS server, get it from ifconfig / ip addr or curl ifconfig.me ;-D

Sample iptables rules from Debian stable. Note the -A INPUT -p gre -j ACCEPT rule, which is what lets the tunnel data through an INPUT chain whose policy is DROP, and that FORWARD is ACCEPT by policy (which is why the venet0:0-00 rule does no harm here). The duplicated sshguard jump is how the dump really looked; one is enough.

iptables-save
# Generated by iptables-save v1.4.8 on Wed Dec  5 19:57:39 2012
*mangle
:PREROUTING ACCEPT [25450:13366851]
:INPUT ACCEPT [24423:13088484]
:FORWARD ACCEPT [1027:278367]
:OUTPUT ACCEPT [14976:4993062]
:POSTROUTING ACCEPT [15997:5270727]
COMMIT
# Completed on Wed Dec  5 19:57:39 2012
# Generated by iptables-save v1.4.8 on Wed Dec  5 19:57:39 2012
*filter
:INPUT DROP [8:1022]
:FORWARD ACCEPT [421:228894]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -i ppp+ -o venet0:0-00 -j ACCEPT
-A OUTPUT -j ACCEPT
-A sshguard -s 124.126.19.75/32 -j DROP
-A sshguard -s 219.143.87.251/32 -j DROP
COMMIT
# Completed on Wed Dec  5 19:57:39 2012
# Generated by iptables-save v1.4.8 on Wed Dec  5 19:57:39 2012
*nat
:PREROUTING ACCEPT [600:35100]
:POSTROUTING ACCEPT [38:2791]
:OUTPUT ACCEPT [38:2791]
-A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 209.141.56.191
COMMIT
# Completed on Wed Dec  5 19:57:39 2012

XEN and KVM

# All source networks leaving eth0 (broader than needed: it NATs anything the box forwards)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Specify a source network (preferred: only the VPN pool gets translated)
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE

NOTE: make sure to use the correct interface; verify with ifconfig -a or ip addr. Xen and KVM guests see a normal eth0, OpenVZ containers see venet0.
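As an added example (not from the original page or any of the dumps on it), here is the complete rule set the page assembles piecemeal, generated in iptables-restore format so it loads atomically and can be re-run at boot. It covers both the OpenVZ case (fixed address, SNAT) and the Xen/KVM case (MASQUERADE), and includes the two pieces the step-by-step rules leave out: an explicit GRE accept and a FORWARD rule for the return traffic. The 192.168.100.0/24 pool is the page's; the function names, the example address 203.0.113.10 and keeping SSH on port 22 open are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate the full PPTP
# firewall/NAT rule set in iptables-restore format. Assumptions (mine):
# the VPN pool is 192.168.100.0/24, SSH on port 22 must stay reachable,
# and the function names are hypothetical.

VPN_NET="${VPN_NET:-192.168.100.0/24}"

# pptp_rules EXT_IF [EXT_IP]
#   EXT_IF: the real device name (venet0, eth0). iptables matches on the
#           kernel device name, so an alias label like venet0:0 never matches.
#   EXT_IP: if given, SNAT to this fixed address (OpenVZ / static IP);
#           otherwise MASQUERADE (Xen/KVM, or any box with a changing IP).
pptp_rules() {
    ext_if="$1"; ext_ip="${2:-}"
    if [ -n "$ext_ip" ]; then
        nat_target="SNAT --to-source $ext_ip"
    else
        nat_target="MASQUERADE"
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# PPTP control channel, then the GRE data channel (IP protocol 47, no port).
# The explicit gre rule means the tunnel does not depend on the
# nf_conntrack_pptp helper classifying GRE as RELATED.
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# Clients out to the world, and only replies back into the tunnel.
-A FORWARD -i ppp+ -o $ext_if -s $VPN_NET -j ACCEPT
-A FORWARD -i $ext_if -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $ext_if -j $nat_target
COMMIT
EOF
}

# pptp_apply EXT_IF [EXT_IP]: enable forwarding and load the rules (run as root).
pptp_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    pptp_rules "$@" | iptables-restore
}
```

Preview with pptp_rules venet0 203.0.113.10, apply as root with pptp_apply venet0 203.0.113.10 (OpenVZ) or pptp_apply eth0 (Xen/KVM). Because the output is a complete iptables-restore file, the same text can be saved to /etc/iptables/rules.v4 for iptables-persistent on Debian/Ubuntu, or the apply step can be called from the boot script described below.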

iptables rules on Ubuntu 12.04 LTS. This dump has no -p gre rule in INPUT even though the policy is DROP; it works because the nf_conntrack_pptp helper marks the client's GRE stream as RELATED to its TCP 1723 connection, which the conntrack rule then accepts. Newer kernels no longer attach conntrack helpers automatically, so add an explicit GRE rule rather than relying on this.

iptables-save
# Generated by iptables-save v1.4.12 on Wed Jul 31 15:13:01 2013
*nat
:PREROUTING ACCEPT [518:32537]
:INPUT ACCEPT [118:6780]
:OUTPUT ACCEPT [19:1207]
:POSTROUTING ACCEPT [19:1207]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 31 15:13:01 2013
# Generated by iptables-save v1.4.12 on Wed Jul 31 15:13:01 2013
*filter
:INPUT DROP [53:3207]
:FORWARD ACCEPT [2793:1186308]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Jul 31 15:13:01 2013

iptables rules are not persistent: after a reboot they have to be loaded again. Either put the commands in a script and run it from /etc/rc.local (which /etc/init.d/rc.local executes at boot), or on Debian/Ubuntu install iptables-persistent and store the iptables-save output in /etc/iptables/rules.v4.

Debian ships with empty chains and ACCEPT policies, so on a fresh install only the forwarding and NAT rules are strictly required; a DROP policy on INPUT, as in the dumps above, is still the better starting point.

On Arch with initscripts, optionally save the running rules so the iptables daemon restores them at boot:

/etc/rc.d/iptables save
Enable IP forwarding permanently by editing /etc/sysctl.conf (apply it without rebooting with sysctl -p):
net.ipv4.ip_forward=1

The same can be done On-The-Fly by doing the below

echo 1 > /proc/sys/net/ipv4/ip_forward

NOTE: This does NOT survive reboot.

Edit /etc/rc.conf, add iptables and pptpd in DAEMONS section
DAEMONS=( iptables  pptpd  bftpd mysqld php-fpm nginx vnstat syslog-ng network crond sshd "vzquota" )

With systemd

systemctl enable pptpd.service

Start pptpd and enjoy!

Reference

PPTP server on Arch Linux (OpenVZ)

http://wiki.archlinux.org/index.php/PPTP_Server

http://blog.fangjian.me/posts/2011/01/12/pptp-and-l2tp-vpn-on-linode-gentoo/