Last month the SEA-ME-WE 4 undersea cable was cut near Egypt, causing a massive degradation of internet speed in India. For me several websites, including Wikipedia (the world's 6th most popular website), didn't load at all, and to make matters worse I wasn't able to access my own blog, which is hosted in Dallas, so its traffic had to pass through the damaged cable. So I quickly set up a VPN server on an AWS micro instance running Ubuntu and accessed everything I wanted, and here I am writing this article for the benefit of all netizens. To create a similar VPN server on Windows read this tutorial. You'll find a lot of articles on the internet on the same topic, but in this article I'll keep the configuration as short as possible, setting up only the bare minimum to get a PPTP VPN server running in the time it takes to make noodles! One caveat before you start: PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak, so treat this as a quick way to route your traffic through another location, not as a tunnel that keeps its contents confidential from a determined attacker; use OpenVPN or IPsec where confidentiality matters.
Quick setup: Copy and Paste
This section is for the impatient. Log in to your Debian/Ubuntu server, paste the following commands, and you'll have a working VPN server in less than 2 minutes.
In this section I assume you're logged in as the root user, do NOT have any instance of pptpd installed now or earlier, and that the "net.ipv4.ip_forward" line is commented out in the /etc/sysctl.conf file (the commands below append a fresh copy of it). Replace "eth0" in the MASQUERADE rule with the interface that connects your server to the internet.
apt-get install pptpd -y
update-rc.d pptpd defaults
echo "localip 172.20.1.1" >> /etc/pptpd.conf
echo "remoteip 172.20.1.2-254" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/pptpd-options
echo "ms-dns 8.8.4.4" >> /etc/ppp/pptpd-options
echo "username * Pa55w0rd *" >> /etc/ppp/chap-secrets
service pptpd restart
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS --clamp-mss-to-pmtu
Change the username and password in the chap-secrets line ("username" and "Pa55w0rd" above) to your preferred combination; chap-secrets stores passwords in clear text, so keep the file readable by root only. To save the iptables rules so they survive a reboot read this tutorial. Proceed to creating a VPN connection.
Install the PPTPD package
On Debian/Ubuntu operating systems
apt-get install pptpd -y
update-rc.d pptpd defaults
Setup VPN and DNS IP addresses
Edit the following file
nano /etc/pptpd.conf
And add the following lines to the end
localip 172.20.1.1
remoteip 172.20.1.2-254
You can use any private IP address range; just make sure it is not already in use on your local network (or on the networks your clients connect from) and that the local IP and the remote IP range are in the same subnet.
Edit the following file to mention DNS servers
nano /etc/ppp/pptpd-options
Add the following lines to the end
ms-dns 8.8.8.8
ms-dns 8.8.4.4
You can use any DNS server here; I'm using Google Public DNS just as an example.
Add usernames and passwords
Edit the following file
nano /etc/ppp/chap-secrets
and add username/password combinations, one per line, in the following format
username * password *
Example
jesin * s3cRet *
user2 * vPnpass *
If only you are going to use this VPN server, a single username/password combination is enough.
Restart the pptpd service
service pptpd restart
Enable forwarding and create iptables rules
Our main purpose in setting up this VPN server is to access websites, right? So our traffic has to be forwarded out of the VPN server's public network interface.
Enable IP forwarding on Linux by editing the sysctl.conf file
nano /etc/sysctl.conf
Find the following line and uncomment it (remove the leading #), or add it if it is missing
net.ipv4.ip_forward=1
Save, close the file and run the following command to make the change take effect.
sysctl -p
The following iptables firewall rules allow port 1723 (the PPTP control connection), allow GRE (the protocol that carries the tunnelled traffic) and perform NAT
iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
In the last rule replace "eth0" with the interface connecting your VPN server to the internet. Finally, the following rule is required to ensure websites load properly
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS --clamp-mss-to-pmtu
Replace 172.20.1.0/24 with the network containing the "remoteip" range from /etc/pptpd.conf, written in CIDR notation (for example 192.168.8.0/24, not 192.168.8.200/254). This rule clamps the TCP MSS of connections from VPN clients to the path MTU so that packets don't have to be fragmented inside the tunnel, which is what makes some sites hang or load partially. To save the iptables rules read this article.
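The steps above as one script (an added example, not the tutorial's own): a POSIX sh version that can be run repeatedly without duplicating config lines, derives the /24 for the NAT and MSS-clamp rules from localip, refuses a remoteip range outside that /24, finds the internet-facing interface from the default route instead of assuming eth0, generates a random chap-secrets password, and optionally restricts port 1723 and GRE to a single source address. It assumes a Debian/Ubuntu host, root, and a /24 VPN network; the variable names, the file /etc/sysctl.d/60-pptpd.conf and the ALLOWED_SRC option are my own choices, not settings from this page.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the server-side steps above as an
# idempotent POSIX sh script. Assumptions (mine, not from the page): run as root on
# Debian/Ubuntu; a /24 VPN network; variable and function names are hypothetical.
set -eu

LOCALIP="${LOCALIP:-172.20.1.1}"          # server end of the tunnel
REMOTEIP="${REMOTEIP:-172.20.1.2-254}"    # pool handed to clients (pptpd range syntax)
VPNUSER="${VPNUSER:-username}"
DNS1="${DNS1:-8.8.8.8}"
DNS2="${DNS2:-8.8.4.4}"
ALLOWED_SRC="${ALLOWED_SRC:-}"            # optional: only this CIDR may reach the VPN

# Append a line only if an identical line is not already present, so re-running
# the script never leaves duplicate localip/remoteip/ms-dns entries behind.
append_once() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# 172.20.1.1 -> 172.20.1.0/24: the network the NAT and MSS-clamp rules match on.
subnet_of() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# remoteip must lie in localip's /24, otherwise clients get addresses the
# server's tunnel interface cannot route (a frequent confusion in the comments).
check_same_subnet() {
    start=$(printf '%s\n' "$2" | cut -d- -f1)
    [ "$(subnet_of "$start")" = "$(subnet_of "$1")" ]
}

# Interface carrying the default route, instead of hard-coding eth0.
detect_wan_if() {
    ip -o route show default | awk '{ print $5; exit }'
}

# 32 hex characters from the kernel RNG for chap-secrets.
random_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

configure_pptpd() {
    check_same_subnet "$LOCALIP" "$REMOTEIP" || {
        echo "remoteip $REMOTEIP is not inside $(subnet_of "$LOCALIP")" >&2; return 1; }
    apt-get install -y pptpd
    update-rc.d pptpd defaults
    append_once /etc/pptpd.conf "localip $LOCALIP"
    append_once /etc/pptpd.conf "remoteip $REMOTEIP"
    append_once /etc/ppp/pptpd-options "ms-dns $DNS1"
    append_once /etc/ppp/pptpd-options "ms-dns $DNS2"
    pw=$(random_password)
    append_once /etc/ppp/chap-secrets "$VPNUSER * $pw *"
    chmod 600 /etc/ppp/chap-secrets    # CHAP needs clear-text passwords; keep them root-only
    echo "VPN user $VPNUSER, password $pw (shown once)"
    service pptpd restart
}

configure_forwarding() {
    wan=$(detect_wan_if)
    net=$(subnet_of "$LOCALIP")
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/60-pptpd.conf   # persistent
    sysctl -w net.ipv4.ip_forward=1                                   # immediate
    if [ -n "$ALLOWED_SRC" ]; then      # "only one external IP may connect"
        iptables -I INPUT -p tcp --dport 1723 -s "$ALLOWED_SRC" -m state --state NEW -j ACCEPT
        iptables -I INPUT -p gre -s "$ALLOWED_SRC" -j ACCEPT
    else
        iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
        iptables -I INPUT -p gre -j ACCEPT
    fi
    # NAT only the VPN pool, not everything leaving $wan; clamp MSS so sites load.
    iptables -t nat -I POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s "$net" -j TCPMSS --clamp-mss-to-pmtu
}

# Change the system only when asked (sh pptp-setup.sh install); the helper
# functions above can otherwise be sourced and tested without root.
if [ "${1:-}" = "install" ]; then
    configure_pptpd
    configure_forwarding
fi
```

Run it as root with the install argument; without the argument it only defines the functions, so you can source the file and call subnet_of or check_same_subnet to sanity-check your addresses before touching the system. Because the MASQUERADE rule carries -s with the VPN network, it no longer rewrites every packet that happens to leave the public interface, only the VPN clients' traffic.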
Create a VPN connection on your computer
If you are using Linux at home refer to this article.
Windows users follow the instructions below.
1. Navigate to Control Panel\Network and Internet\Network and Sharing Center and click "Set up a new connection or network".
2. Choose “Connect to a workplace” option and click next.
3. Under “How do you want to connect?” click “Use my internet connection (VPN)”.
4. Enter the public IP address or the FQDN of the VPN server configured previously, enter a name for the VPN connection, check "Don't connect now; just set it up so I can connect later" and click Next.
5. In the final screen enter a username/password combination from the chap-secrets file, click Create and then Close.
6. Back in the “Network and sharing center” from the top left click “Change Adapter Settings”.
7. Right-click the VPN connection you just created, go to Properties, choose the "Security" tab, under "Type of VPN" select "Point to Point Tunneling Protocol (PPTP)" and click OK.
8. Now click Connect, fire up your favourite browser and go to this page to check whether you are using a different IP address.
Any problems/suggestions? Just comment below. Happy browsing!
Hire me to set up this PPTP VPN on your server.
Ainslie says
Thank you very much. This has helped me a lot!
As says
Thank you very much. I successfully set up a PPTP VPN server on Debian Wheezy according to your post.
Rakesh says
I am getting error 868. I have done the exact steps you mentioned here. I have a 64MB VPS with Debian minimal.
Jesin A says
Hi Rakesh,
What Client OS are you using? Windows XP, 7 or 8?
It could be a DNS issue, try using the IP of the VPN server instead of the domain name in the VPN connection.
Rakesh says
Yes, I did use the IP. I think the problem is in the server configuration.
Can you tell me what I should type exactly for the following step?
Local IP – the server IP?
Remote IP – what should I type here?
Jesin A says
The localip is the IP the VPN server will use on its end for the tunnel interface.
It should preferably be a private IP address which is not assigned to any other interface.
The remoteip takes in a range of IP addresses which will be assigned to VPN clients after a connection has been established.
It must be in the same network as the localip.
Rakesh says
By the way, I use Windows 7.
kyle says
Tried all the steps, but the last one doesn't work. It just tells me iptables invalid mask "254" specified. The IP I am putting in is 192.168.8.200/254. Any help?
Jesin A says
Hi Kyle,
The correct format is 192.168.8.0/24.
kirthan shetty says
Hi Jesin,
I have configured the VPN and I'm able to connect to it on the LAN, but not from outside, from another network. Please help me with this.
Jesin A says
Hi Kirthan,
Are you planning to connect to your VPN server from the Internet?
If this is the case you’ll have to configure port forwarding on your modem to forward port 1723 to the VPN server.
Also set the DMZ host as the IP of your VPN server so that it receives GRE traffic.
Then use Open port checker to see if your modem allows port 1723.
kirthan shetty says
Hi Jesin,
Thanks a lot. As you said, after setting the DMZ it worked.
Raphael says
Hi, thanks for this very useful article.
I have a VMware VM with Kali Linux and I followed (I suppose) all the steps.
I log into the VPN and I have one point-to-point connection when I run "ifconfig", so it works, but even with this I can't get it to connect to the Internet... (I haven't opened any port on my modem, but it's local?) and I tried with/without the Windows/Avast firewall enabled.
Thanks in advance.
PS: My VM local IP is 192.168.223.129, I put “192.168.5.10” as localip, “192.168.5.11-20” as remoteip, and I put “192.168.5.0/24” at the last iptables command.
Jesin A says
Hi Raphael,
Yes it’ll work locally.
If you want to use this VPN server from anywhere you have to forward port 1723 and GRE traffic from your modem.
Most modems don't have an option for forwarding GRE, so you can set your VPN server as a DMZ.
Raphael says
Hi, thanks for your answer.
Well, I probably found what's wrong; the fact is that I use a virtual machine as the server. I mean, since my VM uses my host machine's connection, if I put the VPN server in my VM and pass my host machine's connection through the VPN, it'll be some kind of vicious circle, right?
Sorry, my network knowledge is close to 0; how am I supposed to set up my VPN server as a DMZ please?
Thanks in advance.
Jesin A says
Using a VM as a VPN server won't cause any problems. The only problem you'll face is a lack of performance if lots of users connect and use your VPN.
What mode of VMWare networking are you using for the VPN – Bridged or NAT?
I need to know the model number of your modem to tell you how to set a DMZ server.
Raphael says
Hi, thanks for your answer.
I use NAT mode with VMWare.
My modem model is NETGEAR ProSafe VPN Firewall FVS336GV2.
Jesin A says
Change the VM’s network mode to bridged and assign the following IP settings to the VM
IP Address: 192.168.1.10
Netmask: 255.255.255.0
Gateway IP: 192.168.1.1
DNS1: 8.8.8.8
DNS2: 8.8.4.4
Check if your VM is able to access the internet at this point and then proceed.
Open your browser, go to http://192.168.1.1/
Login with the credentials admin/password
Navigate to Security > Firewall and under inbound services click add and fill the form as follows.
Service: PPTP
Action: ALLOW always
Send to LAN server: 192.168.1.10
Leave everything else to their defaults and click apply. Now you’ll be able to connect to the VPN server from the Internet.
Raphael says
I'll test this, thanks for the detailed explanation! Sorry for my lack of knowledge..
– Raphael
Saqlain says
Hello, I found your article very helpful. I set up the VPN server on Ubuntu Server and am able to access it via my internal LAN using the local IP address (i.e. 10.0.0.21). When I try to access it from outside the network, it doesn't connect, whether I use my public IP or the local IP address.
I set up this server on VMware and bridged the network to my physical connection. I have also forwarded the port on my router and also enabled DMZ.
What would be the issue?
I am looking forward to hearing from you soon.
Best Regards,
Saqlain
Jesin A says
Hi Saqlain,
What is the error message you’re getting?
Check if the ports are properly forwarded by going to the Open Port Checker and entering port 1723.
What IP addresses have you entered for localip and remoteip?
Majid says
Hello. I did all the steps and now I can connect to PPTP. But I don't have internet access with PPTP connected. I can only access the websites hosted on my server. Is it possible to fix this?
Lukas says
Hello there,
I am having a problem setting up a VPN server using pptpd. I have set it up according to your tutorial, but even so I can't connect to the server, even on the internal network. I am getting error 809 on Windows when trying to connect (it says the server doesn't answer). I have forwarded port 1723 on my router for remote connections, but I can't even connect locally :(. Could I get any help with that?
Jesin A says
Hi Lukas,
Is the pptpd service running on your Linux machine? Try this
Also check if your firewall (iptables) allows incoming GRE traffic and port 1723. From Windows try the following command.
You should get a blank screen for this.
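For anyone working through the checks in this reply, here is an added example (mine, not Jesin's or a commenter's) that turns them into a script for the server side. It reads ss/netstat output, iptables-save output and the ip_forward flag as text, so the same functions can be run offline against output pasted from another machine or live on the server with the live argument. The function names and report format are my own.

```shell
#!/bin/sh
# Added example, not from the post or its comments: server-side checks for the
# questions asked above (is pptpd listening on tcp/1723, does the firewall pass
# GRE and 1723, is NAT in place, is forwarding on). Each check takes command
# output as text so it can be tested offline or run against output copied from
# another machine. Function names are my own; only "live" touches the running system.
set -eu

# `ss -tln` / `netstat -tln` output: is anything listening on TCP port 1723?
# The pattern anchors ":1723" to the end of the local-address field so 17230
# or a peer column of "0.0.0.0:*" does not count.
pptpd_listening() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])[^[:space:]]*:1723([[:space:]]|$)'
}

# iptables-save output: will INPUT accept both the TCP control connection and
# GRE? A telnet to 1723 succeeding proves nothing about GRE, and blocked GRE is
# exactly the "connects, then drops" symptom. Passes if explicit ACCEPT rules
# exist for both, or if INPUT's policy is ACCEPT with no DROP/REJECT rule at all.
firewall_allows_pptp() {
    save="$1"
    policy=$(printf '%s\n' "$save" | awk '/^:INPUT /{ print $2 }')
    if [ "$policy" = "ACCEPT" ] && ! printf '%s\n' "$save" | grep -Eq '^-A INPUT .*-j (DROP|REJECT)'; then
        return 0
    fi
    printf '%s\n' "$save" | grep -Eq '^-A INPUT .*-p gre .*-j ACCEPT' &&
        printf '%s\n' "$save" | grep -Eq '^-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT'
}

# iptables-save output: is there a POSTROUTING NAT rule (MASQUERADE, or SNAT on
# containers where MASQUERADE is unavailable) so client traffic can leave?
nat_configured() {
    printf '%s\n' "$1" | grep -Eq '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'
}

# Contents of /proc/sys/net/ipv4/ip_forward: "1" means the kernel will route
# client packets; "0" gives "connected but no internet".
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# report NAME CMD ARGS...: print ok/FAIL without aborting under set -e.
report() {
    name="$1"; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fi
}

live_checks() {
    ss_out=$(ss -tln 2>/dev/null || netstat -tln 2>/dev/null || true)
    ipt=$(iptables-save 2>/dev/null || true)
    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    report "pptpd listening on tcp/1723"       pptpd_listening "$ss_out"
    report "INPUT accepts tcp/1723 and GRE"    firewall_allows_pptp "$ipt"
    report "POSTROUTING NAT rule present"      nat_configured "$ipt"
    report "net.ipv4.ip_forward = 1"           forwarding_enabled "$fwd"
}

# Run as root on the VPN server: sh pptp-check.sh live
if [ "${1:-}" = "live" ]; then
    live_checks
fi
```

A FAIL on the firewall check with a passing listener check is the case to look at first: the client's TCP connection to 1723 succeeds, the GRE session that follows is dropped, and the connection is torn down a few seconds later. A FAIL on the forwarding or NAT check corresponds to "connected but no internet".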
Lukas says
When I enter service pptpd status I get no output. When I connect using telnet I get connected, but after a while I get Connection closed by foreign host.
Jesin A says
How is the Windows machine connected to the VPN server? Using a switch, or is there a router in between them?
Lukas says
A router with port 1723 enabled.
Jesin A says
You need to allow GRE traffic too. What is the model no. of the router?
I believe this is an internal network right?
Lukas says
Yes, this is a regular LAN network. I am using a NETGEAR DGN2200v4.
Toonage says
I can connect when trying on the LAN side, but when using it outside of home I receive error 619. The port is forwarded correctly and even setting the IP of the server as DMZ fails to connect. Any ideas please?
Jesin A says
Check if port 1723 is open from the Internet. Don’t use both port forwarding and DMZ for the VPN server’s IP, stick to one preferably DMZ.
Toonage says
Hi, I got it connected (connecting using BT Wi-Fi does not work); however I get no web access. It states connected but no internet pages will display, even when trying the DNS IP instead of the URL. Any further help, Jesin?
piojovado says
How can I route to a different subnet? I have the VPN functional but I can't access my other location. For example, my VPN is set up in the network 192.168.1.0 but I can't access my other subnet 192.168.2.0 when I connect with my VPN. The only way I'm able to connect to the other subnet is when I add a route on my VPN client, but I want to do it on the server side so that when I connect to my VPN I can access both subnets without having to add a route on my client.
Jesin A says
What OS is installed on the VPN client? I can’t think of any methods to do this on the server.
You can configure the client system to automatically insert the route when a VPN connection is established.
Piojovado says
The PPTP server is an Ubuntu machine, and all my clients are Windows PCs.
waqas says
Dear sir
Very good tutorial about PPTP VPN. Please sir also guide me on how to allow only one specific external static IP to connect to the VPN server. Other
Ken says
Hi, excellent tutorial, works great 🙂
I have a question about the maximum speed I can get.
I'm getting download speeds of 23Mbps and upload speeds of 5Mbps when connected; I was wondering if there is a way I can max out these numbers?
My ARM Linux machine's CPUs aren't maxed out (about 20% only) 🙁, it would be great if you could help me.
I'm using a MacBook Pro Retina (late 2013) and wireless 802.11n; the speed I normally get without a VPN is about 40Mbps/40Mbps, and the Debian PC is connected with a wired 100Mbps network, I suppose.
Thanks,
Ken
treki says
Dear Ken,
I think with Gigabit network hardware it's faster.
Add the upload and download rate and ~20% handshake.
If possible, try with a 2nd network card.
Do you use a Raspberry PI?
Ken says
nope I’m using a Cubieboard 2
It seems that the best I can get out of this machine is 30Mbps/30Mbps after slightly overclocking.
I checked the CPU usage using another program; it was 50% rather than 20%, with one core maxed out and the other left at 5%.
It seems that PPTP doesn't support using multiple CPUs at the same time 🙁
Thanks for your help though 🙂
treki says
Note that iptables MASQUERADE doesn't work on OpenVZ VPS containers (e.g. my VPS on VMware). It works on KVM and Xen.
If you use OpenVZ, you need to use iptables SOURCE like this:
iptables -t nat -A POSTROUTING -j SNAT --to-source "Public Server IP"
Now it works fine. Thx.
Patdenice says
Thank you for the “last” iptables rule… it is really necessary for some sites.
Mahmoud says
Hi Jesin,
I have configured the VPN and I'm able to connect to it from the internet, but I get a problem. I checked if port 1723 is open from the Internet and it's open, but I got this message
XaZe101 says
When I connect I get this error:
” Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed. ”
I'm using a Debian Linux dedicated server, so it's not a VPS, but it should work the same with just a few tweaks.
Jesin A says
Maybe a firewall or antivirus is blocking ports on your desktop PC. Try connecting from another PC/Laptop.
Also check if the dedicated server allows incoming connections on port 1723 by using this tool.
XaZe101 says
Tried on another PC: nope. Checked if the port was open: yes. Any other ideas?
XaZe101 says
I tried what you said, it didn't work, the port was etc. D: It worked on my VPS but it won't work on my dedi, hmm.
Jeff says
Very nice tutorial, was able to set it up easily!
Just wondering if you have a tutorial on setting up a VPN using certificates for authentication? Or whether we can change this so that certificates are used to authenticate the user?
Jesin A says
Thanks Jeff!
PPTP doesn't have any certificate-based auth feature. OpenVPN is the right application for that. Try this DigitalOcean tutorial.
Black says
Hi,
I followed your guide and have a working VPN on my iPhone, but not on my laptop running Windows 7.
I did the same as you said, but it doesn't have access to the Internet. Then if I uncheck "Use default gateway on remote network", the browser surfs websites fine but with my original IP, not the VPN IP. I don't know why. Any suggestions? I appreciate your guide.
Thanks. Black Shadow.
Jesin A says
Did you enter all the IPTables rules in the VPN server? On the Windows 7 system check if you can ping an IP address like 8.8.8.8 via VPN, also verify if any firewall on Windows 7 is blocking your VPN connection.
saman sabuhi says
Hello, I got error 800.
What can I do?
I have a Debian server and a Windows 8.1 client.
christoffer says
Hello, I have followed your guide, but when trying to connect it comes up with an error:
“The connection was interrupted by the communication device. Try to reconnect. If the problem persists, check the settings.”
Can you help?
Steven says
Hi, I want to redirect a user's connection to another website when the user opens a browser (Chrome, Firefox, Safari) and opens any website (only the first connection), but I haven't found any solution... Can you help me?
Vishwanath says
Hi,
I have created a PPTPD server on Linux, and I want to access it remotely. I am trying to connect to the VPN from another network and it is rejecting the connection. I am using a Beetel router. I have also done the configuration for IP forwarding in the router. Can you help me please?
Chad Taylor says
Excellent article! I had the whole thing working in just a few minutes on my Debian web server. But I have a question now…
Say I want to run a specific service on the client side and have it accessible to the internet while it is connected to the VPN. How would I open the ports for said service and have them sent to the remote client through the VPN server? So if I wanted to run an FTP server on the "client machine" and have my friends connect to it by using the "VPN server" IP address.
Jesin A says
Ensure the FTP ports (or whatever service's ports) are open on the client system (in Windows Firewall or the firewall used by your OS). Then use the following iptables rules on your VPN server:
Here 172.20.1.2 is the IP assigned to your client when it connects to the VPN server. I haven’t tried these rules, so let me know how it goes.
toothpix says
Hi,
Thanks for the article. I’m getting caught up on the second step, after I install the PPTPD package.
When I try to add the new IP addresses (using either nano or gedit after opening the file /etc/pptpd.conf through the GUI), I'm getting a message saying that I do not have permission to edit the pptpd.conf file.
None of the blog posts I've seen about setting up a VPN seem to run into this problem, which leads me to believe that I must be doing something wrong. (New Linux user, learning as I go.)
Any help would be greatly appreciated. Thank you.
Jesin A says
Hi,
Either login as the “root” user or use the “sudo” command before the commands like:
wahyu says
How do I connect from a Linux Ubuntu client (not the desktop version but the server version) via the CLI?
Anders H says
Hi,
I have found a bug (?) in bcrelay (related to a low MTU size) and I have cloned the GitHub project, made some modifications to the bcrelay.c file and run configure --enable-bcrelay and make (compile), but if I replace the bcrelay file on one of my pptpd CentOS machines, pptpd does not start the bcrelay child process. Am I doing it wrong or am I missing something?