PPTP VPN Setup Guide for a Debian OpenVZ VPS

This guide is intended for those who want to set up a PPTP VPN on OpenVZ with Debian or Ubuntu on a capable provider such as BuyVM.net. Lots of time has been spent through trial and error trying to figure it out. Insight and portions of this guide have been taken from howtogeek.com.

A new automated script is now available! Check it out!

To verify PPP is working, run:

cat /dev/ppp

It should return this:

cat: /dev/ppp: No such device or address

Server Setup:

1. Install the pptp server package:

apt-get install pptpd

2. Edit the “pptpd.conf” configuration file:

vim /etc/pptpd.conf

Uncomment the localip and remoteip lines and change them to something like this:

localip 11.22.33.44
remoteip 10.1.0.1-100

Here “localip” is the address of your VPS, and “remoteip” is the range of addresses that will be handed out to the clients. Adjust these for your network’s requirements.

3. Edit the “pptpd-options” configuration file:

vim /etc/ppp/pptpd-options

Uncomment the ms-dns lines and change them to:

ms-dns 208.67.222.222
ms-dns 208.67.220.220

The IP on each ms-dns line is a DNS server for the local network your client will be connecting to. In my example, I used OpenDNS’s DNS servers.

4. Edit the “chap-secrets” file:

vim /etc/ppp/chap-secrets

Add the authentication credentials for a user’s connection, in the following syntax:

username<tab>*<tab>userpassword<tab>*

Make sure that you separate each entry with a single tab. It could be like this:

john    *    jsmith88    *

5. Edit the MTU settings:

vim /etc/ppp/ip-up

Add this line to the end of the file:

ifconfig $1 mtu 1400

6. Allow PPTP through the firewall (iptables):

iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44

Change 11.22.33.44 to your VPS’s public IP address.

After that, type in:

iptables-save

7. Restart pptpd for the settings to take effect:

/etc/init.d/pptpd restart

If you don’t want to grant yourself access to anything beyond the server, then you’re done on the server side.

8. Enable Forwarding:

By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network. If you don’t enable forwarding, you will not be able to browse the web through your proxy.

Edit the sysctl file:

vim /etc/sysctl.conf

Find the “net.ipv4.ip_forward” line and uncomment it by removing the “#”:

net.ipv4.ip_forward=1

You can either restart the system or issue this command for the setting to take effect:

sysctl -p

With forwarding enabled, all the server side settings are prepared.

Here is a script to reapply the iptables settings at boot (in case your server restarts, crashes, etc.). Make sure you change the IP address to your VPS address.

iptables-save > /etc/iptables.conf
cat > /etc/network/if-pre-up.d/iptables <<END
#!/bin/sh
iptables-restore < /etc/iptables.conf
END
chmod +x /etc/network/if-pre-up.d/iptables
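
The rule in step 6 has no source match, so it applies to every packet leaving the server, not only VPN client traffic. The script below is an added example, not part of the original guide: it validates its inputs and prints (without applying) a SNAT rule scoped to the client range, plus rules admitting PPTP's control channel (TCP 1723) and GRE. The function names, and 10.1.0.0/24 as the CIDR covering the sample remoteip range, are assumptions.

```shell
#!/bin/sh
# Added example: print, but do not apply, iptables commands for this guide's server.
# Assumed names: is_ipv4, is_cidr, pptp_rules (not from the original guide).

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds for ADDRESS/PREFIX with prefix 1-32. /0 is rejected because it
# would match everything, which is exactly what scoping is meant to avoid.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] &&
        is_ipv4 "${1%/*}"
}

# Usage: pptp_rules PUBLIC_IP CLIENT_CIDR
pptp_rules() {
    public_ip=$1
    client_net=$2
    is_ipv4 "$public_ip" || { echo "bad public IP: $public_ip" >&2; return 1; }
    is_cidr "$client_net" || { echo "bad client range: $client_net" >&2; return 1; }
    # The INPUT rules only matter when the INPUT policy is not already ACCEPT.
    cat <<EOF
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -s $client_net -j SNAT --to-source $public_ip
EOF
}

# Sample values from the guide; 10.1.0.0/24 is the assumed CIDR for remoteip 10.1.0.1-100.
pptp_rules 11.22.33.44 10.1.0.0/24
```

Review the printed commands, then run them as root; the boot script above will persist them once iptables-save has written /etc/iptables.conf.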

Hope this works well for you, if not, let me know in the comments!

  • hc

    Very cool! Thanks for this guide!

  • Wonderful post and a pleasant guidebook straightforward to examine for sure. please share much more of these top quality.

  • Narbeh Arakil Jahang

    Hello thanks for the guide, i need help. i can’t run this command:

    iptables -t nat -A POSTROUTING -j SNAT --to-source MYIP

    it says

    FATAL: Could not load /lib/modules/2.6.18-028stab085.3/modules.dep: No such file or directory
    iptables v1.4.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    any idea?

    • admin

      Who is your VPS provider? The problem is that the iptables table isn’t enabled. You have to contact your provider and give them the command and error and they will enable it. I had an issue similar to that before.

  • Narbeh Arakil Jahang

    @Admin: hey, i contacted them and show them the problem, Thanks, problem solved.

    by the way, i’m using virtuozzo.

  • iWhiteTiger

    Thanks dear for the great guide.

    Everything works just fine with the VPN, but once I connect, I can’t browse the net at all. What shall I do?

    Thanks

    • admin

      Are you using Debian? Did you add the iptables rule and edit the MTU?

      • iWhiteTiger

        Thanks for your response.
        I’m using CentOS. Fresh installation on my BuyVM VPS. Followed your instructions and it was my first successful time connecting to the VPN.

        And yes, I’ve added the iptables rules as you mentioned (nothing else), and edited the MTU.

        Also, I have Squid installed in the VPS with its default configurations.

        • iWhiteTiger

          CORRECTION;
          Sorry, I have Ubuntu 10.10 32bit NOT CentOS

          Note: I can do Re-Install again for the following as long as it’s necessary to make it right:
          1-CentOS 5 32bit
          2-Debian 5 32bit
          3-Fedora 12 32bit
          4-Ubuntu 10.10 32bit

          Thanks

          • admin

            I have this working with the Debian 5 template, but it should work with Ubuntu 10.10. Were there any steps that weren’t clear? Can you ping your VPS IP after connecting through the tunnel?

          • iWhiteTiger

            After I do every step, I reboot my VPS, then I connect to it normally but no browsing.
            Yes I can ping my VPS IP, but I can’t ping any of the DNSs.
            The only thing that I couldn’t apply is the script, because I don’t know how to do it. (Sorry for my lack of knowledge)

  • admin

    Are you sure that you changed the ms-dns lines properly? Try pinging 8.8.8.8 to see if you get any response or connect to a website with the ip address only.

    • iWhiteTiger

      Yes I’m sure.
      I found the problem. It’s the iptables, I lose them after rebooting the VPS. And to fix this, I had to copy them and paste them in the “/etc/rc.local” so they got executed on boot (got it from one of the topics on the net). Also, adding the internal IP scheme of the VPN in the iptables as follows:
      iptables -t nat -A POSTROUTING -s 192.168.X.X/24 -j SNAT --to-source

      This completely solved my problem, and now I can browse with the DNS that you mentioned without any problems.

      But, it’s very slow and so bad in the Youtube. Is there any tuning that I could add to make it faster?

      Many thanks,

      • admin

        Regarding IPtables being lost at reboot, you should look at the last paragraph of this post. It mentions there (just change the ip address afterwards).

        Run this command: wget http://cachefly.cachefly.net/100mb.test

        And see how fast your network speed is (from the VPS)

        • iWhiteTiger

          Thanks for your help. Maybe because I couldn’t figure out how to do the script of the last paragraph, I lose the iptables.

          I ran the command, here is the result:

          100%[======================================>] 104,857,600 18.3M/s in 5.2s

          2011-04-19 06:47:08 (19.3 MB/s) - `100mb.test' saved [104857600/104857600]

          • admin

            Strange… no network problems. I don’t know what to say if everything was clear and you did it correctly. I guess you can ask Francisco if he’s on the IRC channel.

          • iWhiteTiger

            That’s why I’m wondering.
            Let me add one more thing, I’m actually accessing my VPS from Saudi Arabia with DSL speed of 10Mb/s, so logically I shouldn’t face any slowness when I connect, where the VPS speed is 19MB/s, but once I connect into it, I can’t even get more than 512Kb.

            On the other hand, when I use the Squid as my external proxy, I get more than 600KB download speed, and it is very good in YouTube as well.

          • admin

            What is your download speed by connecting Firefox/Chrome through SSH tunnel?

          • iWhiteTiger

            Used Firefox to download a 20MB file, gave me 15KB. It’s even slower than the VPN.

          • iWhiteTiger

            Downloaded the same file through Squid as my manual proxy with speed 850KB.

  • admin

    I believe the problem is that your ISP is throttling encrypted connections. Try using a dedicated VPN provider and use the free trial to see if you have the same problem.

    • iWhiteTiger

      Thanks, good idea.
      I got a trial VPN from WorldVPN
      http://worldvpn.net/index.php
      and I downloaded 77MB file with average speed of 500KB/s. It’s really good and the browsing is so fast.
      BTW: my VPS is the lowest specs from BuyVM. It has one CPU core with 128MB RAM.
      Do you think this might be the problem and I need a better VPS? Because I’ve asked so many people about the VPS, that I need it for two purposes only (Squid Proxy & VPN).

      • iWhiteTiger

        Just asking, is it possible to setup L2TP or OpenVPN on the same machine? and which one is better and faster?

        Thanks,

        • admin

          I have the same plan used for tunneling myself. PPTP performance is good (about 5mbits/s). OpenVPN is faster because of compression (you can get higher upload speeds than your ISP provides), but it is harder to set up. I haven’t used L2TP yet. My CPU usage with PPTP never exceeds 5%.

  • Jack

    Would this guide work with CentOS from UP2VPS.com

    I know that I would change apt-get install to yum install.

    Thanks.

    • admin

      It should work, but I cannot guarantee anything. Perhaps iptables-save may not work in CentOS, but you may find a solution. The most important thing is that your VPS provider supports PPTP. If the node doesn’t, then this will never work (unless you use OpenVPN).

  • christian

    Hi, I’ve just set up a PPTP server on a BuyVM node on Debian5 32bit. However, it is not really working. I can connect to the server via Windows7, but I have no network access, so I can’t browse with it. I also tried it with Ubuntu before and had the same problems. Could someone help me why it is not working?

    • Anonymous

      Did you set the MTU to 1400 and the iptables script up?

  • jack

    I enjoyed reading this topic. Thank you

  • Thanks for the post.  Got it working first go on a BuyVM Debian 5.  It is very slow though.  The network speed on the VPS is fine and using another VPN service (also PPTP) is fine from my computer.  Not sure why it is so slow.  Did you come up with any ideas to optimise your VPN solution?

    • Anonymous

      Can you test the VPS through a SSH tunneling first? Run a speed test and post the results of SSH and PPTP side by side. Thanks

  • Jean

    Thanks for the tutorial, works fine on the server side. I can telnet to server on 1723.
    however, I can’t get client to connect to it.
    Tried with a Win7 client,  OS X10.7.2, none would connect.

    I assume this is a client side config problem.

    Is there a way to test the server to check that everything is fine on this side?

    • Anonymous

      Make sure openvpn daemon is running, that first. Run “top” and see if it’s on the list. Also make sure that the tun port is running. Run “ifconfig” to see if it is there.

  • Rasmusj78

    Hi

    Works great and speed is average. However when I try to connect with Netflix on iOS devices all I get is “a white screen”. Netflix works fine with several other VPN providers though.

    Br
    RasmusJ

    • Anonymous

      What kind of VPN are you using from other providers?

      • FlixVPN, StrongVPN, WorldVPN etc.

        • Anonymous

          Is the PPTP vpn working in windows? Can you check your ip address?

  • Mr Yiso

    Would love to know how to install it on CentOS5

    • Anonymous

      Sorry I don’t have any Centos guides.

  • Bentech4you

     i installed and configured pptpd on my VPS . when i tried to connect from my windows 7 PC by using native pptp dialer i am getting Error 806:

    on ubuntu i checked log(/var/log/messages). there i got ” Mar  3 15:36:02 cloud pppd[1025]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.”

    on windows 7 i got this error message

    “Error 806 The VPN connection between your computer and the VPN server could not be completed.The Most common cause for this failure is that at least one internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or internet Service Provider.”

    please help me to solve this

    Thanks
    Ben


  • Alessandro Zamai

    Setup on buyVM, but getting slow speeds… 

    wget test from cachefly
    Saving to: `100mb.test.1'
    100%[=========================================================>] 104,857,600 23.9M/s   in 4.6s
    2012-04-01 09:15:17 (21.6 MB/s) - `100mb.test.1' saved [104857600/104857600]

    Server seems quick enough, have tested different OS versions but same issue… tested a trial account with a VPN provider and had no speed issues

    Ideas?

    • CommanderWaffles

      I’ll have to retest the script and update soon. I’ll see then.

  • Salman Khaliq

    Hi there, all is working perfectly. I don’t know how to set up these iptables automatically upon restart? Thanks

  • Boy Barnes

    Cool – thanks for this. The script didn’t figure out my server IP, but once I had that sorted everything’s been working swimmingly.

    Thanks for putting in the hard work and sharing!

  • Dhomas

    I don’t know what I’m doing wrong, but I just can’t get it to work. I used the script to set everything up, but when it didn’t work I checked all the settings manually. When I try to connect to the vpn, my clients hang at the credential verification. Anyone know what I might be doing wrong?

  • tacos

    Thanks for this, but you’ve forgotten to include OpenVZ configuration part. Without it, this is just like a normal pptpd guide. :/

  • Thanks for the quick guide…. very helpful for me!!

  • Amit Chakradeo

    Thanks for the guide. It works great, except for 2 small problems that I needed to fix:

    1. Firewall rule should be added to allow traffic from TCP port 1723 (incoming pptp traffic)
    2. On debian squeeze server, I get the following error in daemon.log after connecting (and the connection terminates immediately):
    pptpd[19206]: GRE: read(fd=6,buffer=610d20,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

    To fix this, you need to create the /dev/ppp device like this:

    sudo /bin/mknod /dev/ppp c 108 0

    –Amit

    • topwubcom

      Don’t work ^^

  • David

    Hi, I don’t understand. How does the remote IP work?

  • inversechi

    Worked perfectly for me. I had a little bit of trouble understanding the remoteip section and left that automatically filled in with the ones specified. Could you provide me with more information as to what that part means?

    Is it the range that the machine allocates internally to identify each connecting client?

    Note: I had to check /var/log/daemon.log to see that I had misconfigured this.

  • Jules D

    I have the error 619 ;(

  • john

    Doesn’t work for iPad, any idea?

  • Each conntrack connection is about 350 bytes worth of RAM, so ensure that you have enough RAM to cope with these settings as it is non-swappable kernel memory. Additionally, to make this setting permanent you need to edit the /etc/sysctl.conf and add or modify this value: net.ipv4.netfilter.ip_conntrack_max = Thanks,