pptp vpn server for your own small (home) network

since i finally figured out how to connect to my department's VPN server, i just wondered whether it is also easy to create my own vpn server at home. The idea is - with a vpn connection i can easily browse the files i need from the file server, or synchronize repositories/backup files. I won't need to stream stuff from home, or sneak naughty packets through my home network :)

Therefore i made a quick check on pptp and openvpn server setup. I realised both are relatively easy, but pptp looks more straightforward. True that pptp is not as secure as many claim, but i think for home network remote access we are not talking corporate level of security. I am pretty comfortable with ssh tunnels, but for each service i use i have to build a new tunnel - that is tedious. So a quick vpn server setup fits me perfectly. So off i went with the pptp server setup on Ubuntu.

For an ubuntu 8.04 system it is surprisingly simple (i assume for other distributions it would be equally simple and direct too). First of all use either apt-get (console method) or synaptic (gui method) to install pptpd. So for a console guy like me, it is just a quick

mybox: ~$ sudo apt-get install pptpd

and install whatever it asks you to install - in simple words, just key in "yes" to go on :)

the next step is a brief edit of your pptpd.conf file. These will be the few lines that describe your network configuration. For simplicity's sake, just scroll all the way down to the end of the file, where you might see some example ip addresses. This is where you define the network addresses for your vpn server (local ip endpoint) and for the road warriors. This is the part where i got confused a little in the beginning, so i think i will explain a little in case it helps some of you out there.

the parameter localip means the ip address of your vpn server endpoint. Do not put the actual ip address of your server. I did that initially and i could not access the other services on the server at all! After playing around i understood it as an additional ip address you assign to the vpn server, used as the endpoint that outside clients connect to. To simplify this, refer to the picture below of how i imagine the network:

[ road warriors ]   -------   [vpn server]   ---   internal network / other workstations/servers in network

192.168.1.200-205             192.168.1.199        192.168.1.2-198

until i get time to draw a real network diagram, this simple text illustration should explain it well. Take an example network 192.168.1.0/255.255.255.0 as your home network. Say normally at home you get automatic dhcp addresses from .2 until .198. Therefore you wish to assign the road warriors (those who connect from outside using vpn, if this term is new for you) say .200 until .205 (so at most you can have 6 road warriors). The server serving VPN can be using any address from .2 until .198. This is what i mean by "actual ip address" above. So now you should already understand what to give to the parameter localip. In this case i propose an address that is free, so in the example we will use 192.168.1.199 as the vpn server address.

you might realise now - oh, does it mean when the VPN server is up and running, it will have 2 addresses? my answer will be Yes! As soon as a road warrior comes in, the new interface will be up. In other words, your road warriors will receive the allocated addresses, and enter the internal network via 192.168.1.199 (localip). At this point you should have roughly figured out what to give to the parameter remoteip. got it? yes, in our example it would be 192.168.1.200-205! you can even use this syntax exactly. The - sign means "to". So if you coincidentally have the same network and you want to use the same settings as in the example, the end of the file pptpd.conf should look like this:

localip 192.168.1.199
remoteip 192.168.1.200-205

save this file and you are done.
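To double-check the address plan before restarting pptpd, here is a small checker i add as an illustration (it is not part of pptpd and not from the post). It expands the remoteip syntax used above (last-octet ranges and comma-separated lists), then verifies that localip and every pool address sit inside the home network, stay clear of the router's DHCP range, and that localip is not itself in the pool. The sample config, the LAN 192.168.1.0/24 and the DHCP range .2-.198 are the values from the example; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample: the tail of a pptpd.conf laid out as in the post.
SAMPLE_PPTPD_CONF = """\
localip 192.168.1.199
remoteip 192.168.1.200-205
"""

def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax ("192.168.1.200-205,192.168.1.210") into addresses;
    the range shorthand only varies the last octet, as in the post's example."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            addrs += [ipaddress.ip_address(f"{prefix}{i}") for i in range(lo, hi + 1)]
        else:
            addrs.append(ipaddress.ip_address(item))
    return addrs

def parse_pptpd_conf(text):
    """Collect 'key value' lines, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def check_address_plan(conf_text, lan, dhcp_range):
    """Return a list of problems with the localip/remoteip plan (empty means OK).
    lan is the home network ("192.168.1.0/24"); dhcp_range is the (first, last)
    address the router hands out, which the VPN addresses must stay clear of."""
    cfg = parse_pptpd_conf(conf_text)
    net = ipaddress.ip_network(lan)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_range)
    local = ipaddress.ip_address(cfg["localip"])
    remotes = expand_remoteip(cfg["remoteip"])
    problems = []
    for a in [local] + remotes:
        if a not in net:
            problems.append(f"{a} is outside {lan}")
        elif dhcp_lo <= a <= dhcp_hi:
            problems.append(f"{a} collides with the router's DHCP pool")
    if local in remotes:
        problems.append("localip must not be inside the remoteip pool")
    return problems
```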

next step is to set a password for every possible road warrior. the file to edit is /etc/ppp/chap-secrets. Just key in the following information, separated by tabs - username, pptpd, password and the ip address it is allowed to connect from. If your road warriors only connect from a specific network, say from a range of ip addresses (this would be common if you wish to connect from a company with fixed ip addresses), then you can put this ip range at the end of the line. I would say for us, who might connect from anywhere, just put the wild card "*" including the quotes. So as an example, you have a user called Rudolph (yes, it is near christmas now), and his password is reind33r. then your entry for him in /etc/ppp/chap-secrets will be:

rudolph  pptpd   reind33r   "*"

i am not sure whether names should be case sensitive, but i assume yes. repeat this step for all potential road warriors, and you are done. Don't worry about people being able to read the password - the file can and should only be read by root (which is the administrator). It should be safe until someone cracks into your system and obtains root permissions. When that happens, even if you encrypt everything it is also easy for him to undo most of it. This gives another idea - don't use your usual username and password combination then. Use another set so that if a fake root ever reads this file, he can't really use the username and password somewhere else. It's your decision. :)
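Since the safety of this file rests on its permissions and on the quality of each entry, here is an added checker i wrote for illustration (not part of pppd or pptpd, and not from the post). It refuses a chap-secrets file that is readable by non-root users, parses each line into the four fields shown above, confirms the server field is pptpd, and flags duplicate users and obviously weak secrets (a heuristic of mine, not a pppd rule). The sample entry is Rudolph's line from the post; write_sample only exists to build a temporary file to run the check against.

```python
import os
import stat
import tempfile

# Constructed sample line in the post's format: client, server, secret, addresses.
SAMPLE_CHAP_SECRETS = 'rudolph\tpptpd\treind33r\t"*"\n'

def parse_chap_secrets(text):
    """Parse chap-secrets into (client, server, secret, addresses) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("expected 4 fields: " + line)
        # The fourth field may be written quoted ("*") or bare (*); normalise it.
        entries.append((fields[0], fields[1], fields[2], fields[3].strip('"')))
    return entries

def check_chap_secrets(path, server="pptpd"):
    """Return findings for a chap-secrets file: file mode plus per-entry sanity."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to non-root users; use chmod 600")
    with open(path) as f:
        entries = parse_chap_secrets(f.read())
    seen = set()
    for client, srv, secret, _addrs in entries:
        if srv != server:
            findings.append(f"{client}: server field is {srv!r}, expected {server!r}")
        if client in seen:
            findings.append(f"{client}: duplicate entry")
        seen.add(client)
        # Heuristic added here, not a pppd rule: short or username-based secrets.
        if len(secret) < 8 or secret.lower() == client.lower():
            findings.append(f"{client}: weak secret")
    return findings

def write_sample(text, mode):
    """Write constructed sample text to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path
```

Run it against the real file with check_chap_secrets("/etc/ppp/chap-secrets") as root; an empty list means nothing was flagged.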

if you have followed the instructions so far, you are actually almost done. two more things to do. 1) restart pptpd. 2) check the settings of your router. to do the first, do the following:

mybox: ~$ sudo /etc/init.d/pptpd restart

and for the router settings, you must know how to enable port forwarding on your firewall/router. The simple explanation is to allow your router to divert a request/connection from outside to your vpn server that is placed in the internal network. I cannot give a settings example for you here, since each router might have a different way to do this. For example, my router already has an automatic setting for pptp vpn. Once i chose this, it automatically created port forwarding for tcp port 1723 and the GRE protocol (IP protocol 47). So it was really easy for me. Hope it will also not be too difficult for you.

once this is done, you can then try to connect from outside and see how it works out for you. I use the NetworkManager pptp plug-in and it was just a few clicks away. The settings are the same as the ones i set in my previous blog post.

Hope this simple short how-to will also help you get a pptp vpn server up in 10 minutes. Enjoy.

Comments


Best explanation for pptpd I've seen yet!

After hours of searching for a coherent explanation of the pptpd setup process, I finally found this! Thank you for taking the time to write this, and for writing it in an understandable way!

Now that I'm able to log in and browse my home network, I'm interested in browsing the web through the remote gateway (I do not want to bypass the VPN gateway). I cannot do it at this point, cannot ping anything outside the local network.

Any idea how to make it work?

vpn is one of the best ways

vpn is one of the best ways to secure your data from hacks

Can't connect to other servers on network

Great explanation by the way! Very easy to set up and it took only a few minutes to connect to my VPN server. Unfortunately I cannot access anything outside of the VPN server (so following your example):

[ road warriors ]   -------   [vpn server]   ---   internal network / other workstations/servers in network

192.168.1.200-205             192.168.1.199        192.168.1.2-198

My client can only access services on 192.168.1.199 but I really want to access 192.168.1.2 (for example). I'm a little confused about what needs to happen here. Do I need to set up a route to my DNS server (i.e. my home router that also serves as my internet gateway)? If so how is this done?
