VPN Server

January 30th, 2011 by Kieran in Articles

So you’ve got a well secured LAN but want to work on “local things” while out on the road. What do you do? Get a home VPN! This is surprisingly easy to get configured, especially given that your average Windows machine will have all the software you need to connect to a VPN by default.

Getting Started

So, first things first, to get started you need:

  • A Linux box that is always on
  • A static IP, or a domain name that tracks your dynamic IP

We’re going to assume you’re running Debian Linux at home, so these instructions also cover Debian-like distributions such as Ubuntu. Please note that all commands and actions are to be carried out as root.

Install and configure PPTPD

Firstly, install the PPTP VPN server

apt-get install pptpd

Once installed, we need to modify the configuration files

nano /etc/pptpd.conf

Then ensure that the following is present in the file. Some entries may be present already, some may be missing, or some may be present but not the same as below. Be sure to change the file carefully.

# Options path
option /etc/ppp/pptpd-options
# Relay
bcrelay eth0
# IP addresses
localip 10.0.0.3
remoteip 10.0.0.254

This configuration makes use of the following assumptions

  • Your router has IP 10.0.0.2 and your LAN uses IPs in the range 10.0.0.xxx
  • Your always-on home Linux server has IP 10.0.0.3
  • IP address 10.0.0.254 has not been allocated to a machine on your LAN

Given these assumptions, this configuration will provide the connecting VPN user with an IP of 10.0.0.254, thus giving them a LAN-like presence on your network.

Configure PPP

Now edit the following config file

nano /etc/ppp/pptpd-options

Then ensure that the following is present in the file. Some entries may be present already, some may be missing, or some may be present but not the same as below. Be sure to change the file carefully.

# Authentication name
name pptpd
# Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
mppe-stateful
# DNS servers
ms-dns 208.67.222.222
ms-dns 208.67.220.220
# Routing
nodefaultroute
# Compression
nobsdcomp
nodeflate
# MTU and MRU settings
mtu 1500
mru 1500
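The article has you edit both files by hand and warns that some entries may already be present, missing, or present with a different value. As an added example (not from the original article), here is a small POSIX shell helper that enforces such "directive value" lines idempotently: a correct line is left alone, a wrong value is rewritten in place, a missing line is appended, and commented-out lines are never touched. It assumes a directive is the first whitespace-separated word on a line (pppd's quoted values are not handled), and the demo at the bottom runs only against a constructed temporary copy, never the live file.

```shell
#!/bin/sh
# Added example, not part of the original article: enforce the directives the
# article lists in /etc/pptpd.conf and /etc/ppp/pptpd-options without editing
# by hand. Safe to re-run. Assumption: a directive is the first whitespace-
# separated word of a line; pppd's quoted values are not handled.

# has_directive FILE KEY: succeed if an active (uncommented) KEY line exists.
has_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { found = 1; exit }
        END        { exit !found }
    ' "$1"
}

# directive_value FILE KEY: print the value of the first active KEY line.
directive_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# ensure_directive FILE KEY [VALUE]: make "KEY VALUE" the one active KEY line.
# An empty VALUE handles flag directives such as refuse-pap.
ensure_directive() {
    file=$1; key=$2; value=$3
    want=$key${value:+ $value}
    if ! has_directive "$file" "$key"; then
        printf '%s\n' "$want" >> "$file"
    elif [ "$(directive_value "$file" "$key")" != "$value" ]; then
        tmp=$(mktemp)
        awk -v key="$key" -v want="$want" '
            /^[ \t]*#/ { print; next }
            $1 == key  { if (!done) { print want; done = 1 }; next }
                       { print }
        ' "$file" > "$tmp"
        cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
        rm -f "$tmp"
    fi
}

# ensure_line FILE LINE: append LINE unless it is already present verbatim.
# Use this for repeated directives such as the two ms-dns entries, which
# ensure_directive would merge into one.
ensure_line() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Demo on a constructed copy of a pptpd.conf containing one correct entry,
# one wrong value and one commented-out line.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'option /etc/ppp/pptpd-options' \
    'localip 192.168.0.1' '#remoteip 10.0.0.100' > "$demo"
ensure_directive "$demo" option /etc/ppp/pptpd-options
ensure_directive "$demo" bcrelay eth0
ensure_directive "$demo" localip 10.0.0.3
ensure_directive "$demo" remoteip 10.0.0.254
ensure_line "$demo" 'ms-dns 208.67.222.222'
ensure_line "$demo" 'ms-dns 208.67.220.220'
cat "$demo"
rm -f "$demo"
```

Overwriting with `cat "$tmp" > "$file"` rather than `mv` keeps the original file's owner and mode, which matters for files under /etc/ppp that should stay root-only.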

Ensure correct MTU

If you plan on connecting to your VPN from Windows XP, or you think you might ever want to do this, you’ll want to tweak the MTU that is doled out to VPN clients.

When a PPP link is set up, pppd allows the client to request its own MTU. This is all well and good except where the MTU your client chooses is completely unsuitable and causes some websites, particularly those using SSL, to not load at all.

With this in mind, we force a fixed MTU, irrespective of client choice. This will ensure all normal client connections will have full connectivity.

nano /etc/ppp/ip-up

Then ensure the following lines are added, after export PATH, near the top of the file

# $1 is the ppp interface pppd just brought up; force its MTU regardless of what the client asked for.
ifconfig $1 mtu 1500
# Note: ifconfig has no "mru" option; the MRU is already fixed by the "mru 1500" line in pptpd-options.

Configure Login Details

In order to login to your VPN remotely, you’ll want to configure a permitted user. Do this by editing the following file

nano /etc/ppp/chap-secrets

Into this file, add an entry for each user permitted to connect, and obviously don’t use “password” as the password!

# Secrets for authentication using CHAP
# client server secret IP addresses
user pptpd password *
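Because chap-secrets holds passwords in the clear, it is worth checking it before going live. The following is an added example (not from the original article): a POSIX shell check that parses each entry (client, server, secret, IP, with pppd's double-quoted secrets honoured), flags a secret that is literally "password" or equal to the username, flags an entry whose server field can never match the `name pptpd` set in pptpd-options above, and flags a file readable by group or other. The 12-character minimum length is my own choice, not something the article specifies; the demo runs on a constructed temporary file.

```shell
#!/bin/sh
# Added example, not part of the original article. Sanity-check a chap-secrets
# file: permissions, server field, and obviously weak secrets. The 12-character
# minimum is an assumption of this example, not a pppd rule.

# check_chap_secrets FILE SERVER_NAME: print one finding per line; print nothing
# when everything looks fine. SERVER_NAME is the "name" from pptpd-options.
check_chap_secrets() {
    file=$1
    # 1. Cleartext secrets must not be readable by group or other (expect 0600).
    if [ -n "$(find "$file" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$file: readable by group or other; expected mode 0600"
    fi
    # 2. Per-entry checks. Fields are client, server, secret, IP; a secret may
    #    be written in double quotes, so tokens are pulled off one at a time.
    awk -v server_name="$2" '
        function next_token(    t) {
            sub(/^[ \t]+/, "", line)
            if (line == "") return ""
            if (substr(line, 1, 1) == "\"" && match(line, /^"[^"]*"/)) {
                t = substr(line, 2, RLENGTH - 2)
                line = substr(line, RLENGTH + 1)
                return t
            }
            match(line, /^[^ \t]+/)
            t = substr(line, 1, RLENGTH)
            line = substr(line, RLENGTH + 1)
            return t
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0
            client = next_token(); server = next_token(); secret = next_token()
            if (secret == "") { printf "line %d: fewer than three fields\n", NR; next }
            if (server != server_name && server != "*")
                printf "line %d: server \"%s\" will never match the name \"%s\" in pptpd-options\n", NR, server, server_name
            if (secret == "password")
                printf "line %d: secret is the word \"password\"\n", NR
            else if (secret == client)
                printf "line %d: secret equals the username\n", NR
            else if (length(secret) < 12)
                printf "line %d: secret shorter than 12 characters\n", NR
        }
    ' "$file"
}

# Demo on a constructed file that deliberately contains the bad entry from the
# article plus a few others; the temporary file is made group-readable to show
# the permission finding.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'user pptpd password *' \
    'alice pptpd "correct horse battery" *' 'carol vpnsrv Xk9mQ2vL8pZq1w *' > "$demo"
chmod 640 "$demo"
check_chap_secrets "$demo" pptpd
rm -f "$demo"
```

Run it against the real file as root (`check_chap_secrets /etc/ppp/chap-secrets pptpd`) after editing; an empty result means every entry can match the server and none of the obvious weak-secret patterns were found.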

Permit Forwarding

Packet forwarding must be enabled in order to pass VPN traffic between the connected client, the VPN server and the outside world. We enable this by modifying the following file

nano /etc/sysctl.conf

Into this file, ensure the following variable is set

net/ipv4/ip_forward=1

Restart PPTPD

We need to pick up our settings so we restart the PPTPD service

/etc/init.d/pptpd restart

Restart the Server

Because we modified sysctl.conf, which is only read at boot, we need to restart the whole server too. Issue the following command as root.

reboot

Firewall Settings

That’s about it for server configuration but if you want to connect to your VPN server from outside the LAN you’ll need to make sure that the appropriate ports are open to the outside world.

Incoming, TCP, 1723, forward to 10.0.0.3
Incoming, GRE, Protocol 47, forward to 10.0.0.3

Consult your router manual for specifics on how to do this or ask in our forums stating your router model.

Testing

You can test your server by attempting a connection from a Windows machine. Set up a VPN connection from the network wizard, use the IP address of your server, 10.0.0.3, and the username and password you set in chap-secrets. You should be able to access the internet as normal once connected and also machines on your LAN.

In Use

In reality you won’t want to connect using 10.0.0.3 as this is an internal IP accessible only on your LAN. You’ll want to port forward to this IP from your WAN IP as per the firewall rules mentioned above and use your WAN side IP in the networking wizard to connect.

If you don’t have a static WAN IP then you can use a service like DynDNS to provide a fixed domain name that always points to your dynamic IP.

Happy VPN’ing!

We’re sure these settings will work for you but if you encounter any issues, please head over to the networking area of our forum and ask one of the experts.
