Feb 11 2014
 

SoftEther works (see my previous post), but it needs an extra install of software, while PPTP is pretty much standard for many operating systems. So we’ll set this up.

It’s actually very easy, too.

Server side

Debian server: install some packages:

aptitude install pptpd

/etc/pptpd.conf (I removed all comments here):

option /etc/ppp/pptpd-options
logwtmp
localip 192.168.31.1
remoteip 192.168.31.10-249

/etc/ppp/pptpd-options (again, no comments):

name SERVERNAME
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490
ipcp-accept-remote
netmask 255.255.255.0

Add this to /etc/rc.local:

/sbin/iptables-restore </etc/iptables.save

Setting up routing and firewall (VPN clients may reach each other; any other traffic forwarded from the VPN subnet is rejected):

iptables -A FORWARD -s 192.168.31.0/24 -d 192.168.31.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.31.0/24 -j REJECT

Edit /etc/sysctl.conf to enable IP forwarding:

net.ipv4.ip_forward=1

Enable sysctl.conf changes:

sysctl -p

Edit /etc/ppp/chap-secrets to list all accounts, e.g.:

username1<TAB>*<TAB>password<TAB>*
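A quick audit of the two server files above, as an added example that is not part of the original post: it checks that the authentication and encryption options from this page's pptpd-options are active, lists accounts whose allowed-IP field is `*`, and checks that chap-secrets is not readable by group or others. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the server files this page edits.
# Option list copied from the post's /etc/ppp/pptpd-options.
REQUIRED_OPTS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# Print each required option that is absent or commented out in options file $1.
missing_pptpd_opts() {
    for opt in $REQUIRED_OPTS; do
        # The option must be the first word on a line, followed by space or end of line.
        grep -Eq "^[[:space:]]*${opt}([[:space:]]|\$)" "$1" || printf '%s\n' "$opt"
    done
}

# Print accounts in chap-secrets file $1 whose 4th field is "*".
# That field lists the IP addresses the account may use; "*" allows any.
wildcard_ip_accounts() {
    awk '!/^[[:space:]]*#/ && NF >= 4 && $4 == "*" { print $1 }' "$1"
}

# Succeed only if group and others have no access to file $1;
# chap-secrets stores the passwords in clear text.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed sample files (not real credentials).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/pptpd-options" <<'EOF'
name SERVERNAME
refuse-pap
#refuse-chap
require-mschap-v2
require-mppe-128
EOF
printf 'username1\t*\tpassword\t*\nusername2\t*\tpassword2\t192.168.31.12\n' \
    > "$demo/chap-secrets"
chmod 644 "$demo/chap-secrets"

echo "missing options: $(missing_pptpd_opts "$demo/pptpd-options" | tr '\n' ' ')"
echo "wildcard-IP accounts: $(wildcard_ip_accounts "$demo/chap-secrets")"
is_private "$demo/chap-secrets" || echo "chap-secrets is readable by group/others"
```

On the real server, pass /etc/ppp/pptpd-options and /etc/ppp/chap-secrets to the functions instead of the demo files.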

 

Client side

Debian: install some packages

aptitude install pptp-linux

Create /etc/ppp/peers/BoxPPTP (BoxPPTP is the name of the connection):

pty "pptp PPTPSERVERNAME --nolaunchpppd"
name harald
remotename BoxPPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam BoxPPTP
192.168.31.10:

192.168.31.10 is the IP the client wants to have.

/etc/ppp/options.pptp:

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Add your account in /etc/ppp/chap-secrets:

username1<TAB>BoxPPTP<TAB>password<TAB>*

Add this to /etc/network/interfaces:

auto ppp0
iface ppp0 inet ppp
  provider BoxPPTP
  post-up sleep 2 ; route add -net 192.168.31.0 netmask 255.255.255.0 gw 192.168.31.1

To enable the PPTP connection, do:

ifup ppp0

Check via:

# ip addr list ppp0
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1486 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.31.11 peer 192.168.31.1/32 scope global ppp0
# ip route list
default via 192.168.11.1 dev eth0 
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.36 
192.168.31.0/24 via 192.168.31.1 dev ppp0 
192.168.31.1 dev ppp0  proto kernel  scope link  src 192.168.31.11

At this point you can ping the PPTP server (192.168.31.1 in this case) as well as all other clients as long as they are not firewalled.