Overview

This article will walk you through enabling PPTP VPN on your server to serve as a web proxy.

Connecting to the Server with SSH

First, let’s use SSH to connect to your remote server. See how to lease a server from a hosting server provider here if you do not yet have one.

The default username for Ubuntu on Amazon Web Services is ubuntu.

ssh -i PATH-TO-CERTIFICATE USERNAME@IP-ADDRESS

ssh -i /User/Kurt/Desktop/rsa-cert.pem ubuntu@kurtcms.org

Change the permissions of the certificate file to 600 if you are shown the warning “Permissions 0644 for ‘/User/Kurt/Desktop/rsa-cert.pem’ are too open.”

chmod 600 PATH-TO-CERTIFICATE

chmod 600 /User/Kurt/Desktop/rsa-cert.pem

Or, if you have enabled password authentication:

ssh USERNAME@IP-ADDRESS

ssh ubuntu@kurtcms.org

Then enter the password at the prompt.

Install PPTP

Install PPTP. Enter y for yes if prompted.

sudo apt-get install pptpd

Configuring PPTP

The PPTP server needs to be configured before it can function.

Private IP Address and DNS Server for PPTP Client

Edit the config file with the nano editor. When done, press Control + X to exit, then press “y” and “Enter” to save.

sudo nano /etc/pptpd.conf

Reserve a localip address for the PPTP server and a range of remoteip to assign to PPTP clients.

localip 10.0.0.1
remoteip 10.0.0.100-200

PPTP clients need a valid DNS server to send DNS queries to. Google DNS servers are a good choice.

sudo nano /etc/ppp/pptpd-options

Add or modify these in the file.

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Adding PPTP Account

User name and password are stored in the chap-secrets file in the following format.

USERNAME SERVER PASSWORD IP

SERVER is pptpd. IP is the IP address reserved for this user, or you can use the wildcard (*) to tell the PPTP server to pick one from the remoteip range.

sudo nano /etc/ppp/chap-secrets

Enter your username and password.

kurt pptpd password *

Restart the PPTP server.

sudo service pptpd restart

You should now be able to connect to the PPTP server with the user name and password.

IP Forwarding and Network Address Translation (NAT)

To allow PPTP clients to access the Internet, e.g. to go to a website, IP forwarding needs to be enabled.

sudo nano /etc/sysctl.conf

Change net.ipv4.ip_forward to 1.

net.ipv4.ip_forward = 1

Load the new setting with the sysctl command.

sudo sysctl -p

A rule also needs to be added to translate the source IP address of any outgoing packet originating from a PPTP client to the IP address of the Internet-facing network interface, often the Ethernet interface (eth0), so that returning packets can find their way back.

Add the rule with the iptables command.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now your PPTP client should be able to access the Internet through the PPTP VPN.

The sad thing about iptables is that it forgets this rule if the server reboots. To make this rule persistent, we need iptables-persistent.

sudo apt-get install iptables-persistent

iptables-persistent is a neat tool that reads the /etc/iptables/rules.v4 file and applies the rules on boot. To save the rules to the /etc/iptables/rules.v4 file, we can use the iptables-save command.

The iptables-save command simply outputs all the rules currently loaded in iptables. We can redirect its output to save the rules to the /etc/iptables/rules.v4 file. The redirect has to run as root, so the whole command is wrapped in sudo sh -c.

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Restart iptables-persistent.
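
A way to check the three files edited above before relying on the setup, as an added example that is not part of the original article. The function names and the constructed sample files are assumptions made for illustration; the checks confirm that chap-secrets (which stores passwords in plaintext) is readable by its owner only, that IP forwarding is set in sysctl.conf, and that the MASQUERADE rule made it into the saved ruleset.

```shell
#!/bin/sh
# Added example, not from the article. Paths are arguments so the checks can
# also be run against copies of the files.

# List pptpd accounts as "user ip"; fail if group or others have any access
# to the file, since it stores passwords in plaintext.
# Assumption: no quoted fields containing whitespace.
check_chap_secrets() {
    awk 'NF && $1 !~ /^#/ && $2 == "pptpd" { print $1, $4 }' "$1"
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the last uncommented net.ipv4.ip_forward line sets it to 1.
check_forwarding() {
    awk -F= '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
             $1 == "net.ipv4.ip_forward" { v = $2 }
             END { exit(v == "1" ? 0 : 1) }' "$1"
}

# Succeed if an iptables-save file holds a nat POSTROUTING MASQUERADE rule
# for outbound interface $2.
check_nat_rule() {
    awk -v ifc="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ {
            for (i = 1; i < NF; i++)
                if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# Constructed sample files mirroring the article's settings; prints the dir.
make_sample() {
    s=$(mktemp -d) || return 1
    printf '# client server secret IP\nkurt pptpd password *\n' > "$s/chap-secrets"
    chmod 600 "$s/chap-secrets"
    printf '#net.ipv4.ip_forward=1\nnet.ipv4.ip_forward = 1\n' > "$s/sysctl.conf"
    printf '*nat\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' > "$s/rules.v4"
    echo "$s"
}

d=$(make_sample)
check_chap_secrets "$d/chap-secrets" && echo "chap-secrets: owner-only"
check_forwarding "$d/sysctl.conf" && echo "ip_forward: enabled"
check_nat_rule "$d/rules.v4" eth0 && echo "NAT rule: saved for eth0"
rm -rf "$d"
```

On the server itself, call the functions as root with /etc/ppp/chap-secrets, /etc/sysctl.conf and /etc/iptables/rules.v4 in place of the sample paths.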

Conclusion

It is rather easy to set up a PPTP VPN server. PPTP has known security vulnerabilities, but as a web proxy to tunnel your network traffic it is still a good choice, considering how easy it is to set up and that all the major operating systems come with a PPTP client installed.