Setting up and debugging a PPTP server on Debian

If you want a personal VPN solution that you can host at home or on a VPS, PPTP is the easiest way to do it. Or if you want a VPN test subject, PPTP is also the easiest way to do it. The following will detail how to set up a PPTP server on a Debian (version 7.8) machine. To be understood that choosing PPTP as a VPN doesn’t guarantee a really secure solution , but it can save time and setup issues associated with other alternatives. For a more secure alternative over PPTP, I’d recommend OpenVPN.

I’ve also prepared a qcow2 image that you can add to your qemu-kvm setup, that you can download from here. Still, you have to go through the post to understand how it works and what to do in order to add a user and connect.

VM details

  • Image type – qcow2 (ready to be added in qemu-kvm)
  • Root credentials – root:test
  • User credetials – test:test
  • VPN client credentials – testvpncl:testpass
  • VPN localip / remoteip settings (see below) – 192.168.122.58 / 192.168.122.200-220
  • PPTP server download link

Server configuration

Installing the base package

apt-get install pptpd

Configuring the server

Defining the machine IP as well as the IP ranges for the clients that connect to the PPTP server. Replace “10.0.0.1” with your server local IP and “10.0.0.100-200” with the IP range that should be available for connecting clients.

nano /etc/pptpd.conf
localip 10.0.0.1
remoteip 10.0.0.100-200

Defining DNS servers that the clients should use. In the example below I’m using Googles DNS, but you can as well specify the internal DNS server of your network, which would usually be the router (e.g. 192.168.0.1)

nano /etc/ppp/pptpd-options
ms-dns 8.8.8.8
ms-dns 8.8.4.4

Encryption and authentication. Make sure you have the following lines in the file mentioned above. These handle the encryption and authentication protocols used by the server. They’re set to use the newest protocols supported and the highest encryption grade supported. These being MSCHAPv2 (a protocol created by Microsoft), that even though its the best supported it does has its flaws, and RSA 128bit session keys (mppe).

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

User management

Users and passwords are being kept in plain text in the /etc/ppp/chap-secrets file. Add the following line below to the file, where you replace the marked variables with the ones you choose.

<yourusername> pptpd <yourpassword> *

To apply all the changes above, restart the server.

service pptpd restart

Traffic handling

Traffic must pass through the server in order for clients to have internet connectivity. To enable this edit the /etc/sysctl.conf file, by adding the following :

net.ipv4.ip_forward = 1

Then run the below command, which will reload the settings and apply them.

sysctl -p

Since the VPN server now acts like a gateway for the connected clients, it must proper forward the packages, like it is done by routers using NATing :

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save

Client configuration

Command-line

It easier to set up on the graphical interface, but one might want to have some configurations ready on the command line for scripting (e.g. automatically connecting to VPN when being on a certain network).

Install the debian client :

apt-get install pptp-linux

Create a connection file (nano /etc/ppp/peers/connectionname) and replace the variables with the values according to your environment.

pty “pptp $SERVER –nolaunchpppd”
name $DOMAIN\\$USERNAME
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam connectionname

Now connect to it via the cli.

pon connectionname

Network manager in Debian

Make sure you have the “network-manager-pptp-gnome” package installed, as Debian does not ship it with network manager by default. In case you’re using a different desktop flavor, change -gnome with the one appropriate. Open up network manager and create a new VPN connection.


vpn-pptp-normal-options

Then click on “Advanced” to get the window below:

vpn-pptp-advanced-options

Untick all boxes in the “Authentication” section, except MSCHAPv2. Leave the rest as in the screenshot above.


 

Debugging

It didn’t work at first for me so I had to do some debugging. Some fast ways to do it from a different machine is by using the commands below. First things to check would be network connectivity and if the service is working on the expected port.

telnet SERVER 1723

nmap SERVER_IP -p 1723

Trying to connect to the host, while following what’s happening by inspecting packages and logs :

tcpdump port 1723
tail -f /var/log/syslog

Errors and ideas.

root@debian7clean:~# pppd call pptpserver
pppd: The remote system (PPTP) is required to authenticate itself
pppd: but I couldn’t find any suitable secret (password) for it to use to do so.

The VPN user is not properly added into the file that stores credentials. Check it – cat /etc/ppp/chap-secrets

root@debian7clean:~# pon
/usr/sbin/pppd: In file /etc/ppp/peers/provider: unrecognized option ‘/dev/modem’

Pon tries to connect to the default “provider” file. Specify the “connectionname” that you’ve used to create the connection file above. Or try creating a new connection file and inspect the output using the following arguments

pon connectionname debug dump logfd 2 nodetach

Resources and more info

  • https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp
  • http://pptpclient.sourceforge.net/howto-debian.phtml