PPTP VPN Setup Guide for a Debian OpenVZ VPS

This guide is intended for those who want to set up a PPTP VPN on OpenVZ with Debian or Ubuntu on a capable provider such as BuyVM.net. Lots of time has been spent through trial and error trying to figure it out. Insight and portions of this guide have been taken from howtogeek.com.

An new automated script is now available! Check it out!

To verify PPP is working, run:

cat /dev/ppp

It should return this:

cat: /dev/ppp: No such device or address

Server Setup:

1. Install the pptp server package:

apt-get install pptpd

2. Edit the “pptpd.conf” configuration file:

vim /etc/pptpd.conf

Uncomment the localip and remoteip lines and change them to something like this:

localip 11.22.33.44
remoteip 10.1.0.1-100

Where the “localip” is the address of your VPS, and the remoteip are the addresses that will be handed out to the clients, it is up to you to adjust these for your network’s requirements.

3. Edit the “pptpd-options” configuration file:

vim /etc/ppp/pptpd-options

Uncomment the ms-dns lines and change them to:

ms-dns 208.67.222.222
ms-dns 208.67.220.220

Where the IP used for the ms-dns line is the DNS server for the local network your client will be connecting to. In my example, I used OpenDNS’s DNS servers.

4. Edit the “chap-secrets” file:

vim /etc/ppp/chap-secrets

Add the authentication credentials for a user’s connection, in the following syntax:

username<tab>*<tab> userpassword<tab>*

Make sure that you separate each entry with a single tab. It could be like this:

john    *    jsmith88    *

5. Edit the MTU settings:

vim /etc/ppp/ip-up

Add this line to the end of the file:

ifconfig $1 mtu 1400

6. Allow PPTP through the firewall (iptables):

iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44

Change 11.22.33.44 to your VPS’s public IP address.

After that, type in:

iptables-save

7. Restart the pptpd for the settings to take affect:

/etc/init.d/pptpd restart

If you don’t want to grant yourself access to anything beyond the server, then you’re done on the server side.

8. Enable Forwarding:

By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network. If you don’t enable forwarding, you will not be able to browse the web through your proxy.

Edit the sysctl file:

vim /etc/sysctl.conf

Find the “net.ipv4.ip_forward” and uncomment it by removing the “#”:

net.ipv4.ip_forward=1

You can either restart the system or issue this command for the setting to take affect:

sysctl -p

With forwarding enabled, all the server side settings are prepared.

Here is a script to reapply iptables settings at boot (in case your server restarts/crashes/etc.) Make sure you change the IP address to your VPS address.

iptables-save > /etc/iptables.conf
cat > /etc/network/if-pre-up.d/iptables <<END
#!/bin/sh
iptables-restore < /etc/iptables.conf
END
chmod +x /etc/network/if-pre-up.d/iptables

Hope this works well for you, if not, let me know in the comments!

Bookmark the permalink.