How to set up a PPTP VPN server in Debian and Ubuntu

Update 2016-04-06: It’s been tested on Ubuntu 14.04 and it works just fine.

Update 2016-10-03: It works even on Ubuntu 16.04, but the service for some reason fails to start on boot; if that’s your case, run: sudo systemctl enable pptpd

I’ve tried several dozen how-tos before I tried this one and I can confirm it’s working. First of all, make sure that the virtualization you’re using will work with VPN – it doesn’t work with Linux vServer virtualization but it does work with KVM virtualization.

To verify that you have the right virtualization platform, just type in a terminal:

cat /dev/ppp

You should see this:

cat: /dev/ppp: No such device or address

OK, so now you know that your virtualization qualifies for the setup, and here is the how-to:

Install the PPTP package:

apt-get install pptpd

Edit pptpd.conf:

nano /etc/pptpd.conf

In pptpd.conf find the lines containing:

localip 11.22.33.44
remoteip 10.1.0.1-100

and replace 11.22.33.44 with your public IP address.

Also replace the range 10.1.0.1-100 with your desired range, e.g. 192.168.123.1-254.

PPTP will then hand out IP addresses within the range 192.168.123.1 to 192.168.123.254.

Edit pptpd-options:

nano /etc/ppp/pptpd-options

In pptpd-options find the lines beginning with:

ms-dns

And replace the values with the following:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

If you’re wondering what 8.8.8.8 and 8.8.4.4 mean – those are Google’s public DNS servers, and anyone can use them. Obviously you can (should) use your provider’s DNS servers unless there is a reason you want Google’s DNS servers. One such reason might be that your provider’s DNS servers are less reliable than Google’s, which is likely, though it’s Google and “Don’t be evil” is long gone…

Edit chap-secrets:

nano /etc/ppp/chap-secrets

The chap-secrets file contains the usernames and passwords of your clients. It is also possible to set a static IP address that is always assigned to a specific username. An example of what chap-secrets can contain:

ClientsUserName1  *       ClientsPassword1    192.168.123.77
ClientsUserName2  *       ClientsPassword2    192.168.123.78

Or you can add just this:

ClientsUserName1  *       ClientsPassword1    *
ClientsUserName2  *       ClientsPassword2    *

The IPs within the range (192.168.123.1-254) will then be assigned automatically to ClientsUserName1 and ClientsUserName2. I personally prefer static settings – ClientsUserName1 gets 192.168.123.77 and so on…
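The following check is an added example, not part of the original how-to: it audits a chap-secrets file for the static-address setup described above (file readable by others, static IPs outside the remoteip range, the same static IP given to two users). The function name audit_chap_secrets and its finding labels are made up for this example, and it assumes passwords contain no whitespace.

```shell
#!/bin/sh
# Added example: audit a chap-secrets file (hypothetical helper, not part of pptpd).
# Usage: audit_chap_secrets FILE PREFIX FIRST LAST
#   e.g. audit_chap_secrets /etc/ppp/chap-secrets 192.168.123 1 254
# Prints one finding per line; prints nothing when no problem is found.
audit_chap_secrets() {
    file=$1 prefix=$2 first=$3 last=$4
    [ -r "$file" ] || return 2
    # Passwords are stored in clear text, so only the owner should have access.
    perms=$(ls -ld "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || echo "PERMS $file is $perms, expected -rw-------"
    awk -v prefix="$prefix" -v first="$first" -v last="$last" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        NF < 4 { print "FORMAT line " NR " has fewer than 4 fields"; next }
        {
            user = $1; ip = $4
            if (user in seen) print "DUPUSER " user " is defined more than once"
            seen[user] = 1
            if (ip == "*") next          # dynamic address from the remoteip range
            n = split(ip, o, ".")
            host = o[4] + 0
            if (n != 4 || o[1] "." o[2] "." o[3] != prefix ||
                o[4] !~ /^[0-9]+$/ || host < first || host > last)
                print "RANGE " user " has " ip " outside " prefix "." first "-" last
            if (ip in owner) print "DUPIP " ip " given to " owner[ip] " and " user
            else owner[ip] = user
        }' "$file"
}

# Constructed sample input (not real credentials): two users share .77 and
# one static address lies outside 192.168.123.1-254.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# client          server  secret              IP address
ClientsUserName1  *       ClientsPassword1    192.168.123.77
ClientsUserName2  *       ClientsPassword2    192.168.123.77
ClientsUserName3  *       ClientsPassword3    10.1.0.5
ClientsUserName4  *       ClientsPassword4    *
EOF
chmod 644 "$sample"
audit_chap_secrets "$sample" 192.168.123 1 254
rm -f "$sample"
```

On the server itself, run it as root against /etc/ppp/chap-secrets with the prefix and range you put in the remoteip line of pptpd.conf.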

Edit ip-up:

nano /etc/ppp/ip-up

Now add this line to the very end:

ifconfig $1 mtu 1400

You might experiment with higher values like mtu 1500 which might improve throughput a bit.

Now allow PPTP through the firewall:

iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44

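Obviously, replace the value 11.22.33.44 with your public IP address.

Save the firewall configuration (iptables-save on its own only prints the rules, so redirect the output to a file):

iptables-save > /etc/iptables.conf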

Restart the PPTP server for the settings to take effect:

/etc/init.d/pptpd restart

You are done. But if you would like to enable forwarding (remote gateway), as most people probably want, then edit sysctl.conf:

nano /etc/sysctl.conf

Find in sysctl.conf:

#net.ipv4.ip_forward=1

and remove the # (i.e. uncomment it).

To apply the change, run:

sysctl -p

So now when a client connects to the VPN, he is not only able to connect directly to the other VPN clients but also to use the VPN server’s public IP address, so the client is not revealing his actual public IP address. Also, there are services which are accessible only from a specific IP address, and this is a way to guarantee that the client will always have the same public IP address.

On top of that, here is a script that restores the firewall rules on every boot, so PPTP keeps going through even after a reboot:

iptables-save > /etc/iptables.conf
cat > /etc/network/if-pre-up.d/iptables <<END
#!/bin/sh
iptables-restore < /etc/iptables.conf
END
chmod +x /etc/network/if-pre-up.d/iptables

So now you’re done. Enjoy your VPN and congratulations 😉