Tuesday, September 02, 2008

VPN Server + NAT on Ubuntu

(should also work with Microsoft Windows XP/Vista and Apple Mac OS X Panther/Tiger/Leopard clients, among others)

Tested on Ubuntu Hardy (8.04). Security note: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, and the session keys have since been shown to be recoverable offline from a captured handshake, so treat this as a legacy or lab setup rather than as a confidentiality boundary.

1) Install pptpd

sudo apt-get install pptpd


2) Edit /etc/pptpd.conf and add the following two lines:

localip 10.2.2.1
remoteip 10.2.2.2-5

localip is the server-side address of the VPN (ppp0, ppp1, ...) interfaces; pppd creates one per client automatically.
remoteip is the pool of addresses handed out to VPN clients. 10.2.2.2-5 expands to 10.2.2.2 through 10.2.2.5, i.e. at most four simultaneous clients, so widen the range if you need more.

Make sure /etc/pptpd.conf ends with a trailing newline, or the daemon will hang.

3) Edit /etc/ppp/chap-secrets and add one line for each VPN user:

USERNAME pptpd PASSWORD *


where USERNAME is the username and PASSWORD is the password. The second field, pptpd, must match the name directive in /etc/ppp/pptpd-options (it does by default). Passwords are stored in clear text, so keep the file readable by root only (mode 600). The fourth field is not the client's public source address: it lists the IP addresses the peer is allowed to take on the PPP link. * allows any address; you can replace it with an address, a subnet, or a list:

"Any following words on the same line are taken to be a list of acceptable IP addresses for that client. If there are only 3 words on the line, or if the first word is "-", then all IP addresses are disallowed. To allow any address, use "*". A word starting with "!" indicates that the specified address is not acceptable. An address may be followed by "/" and a number n, to indicate a whole subnet, i.e. all addresses which have the same value in the most significant n bits. In this form, the address may be followed by a plus sign ("+") to indicate that one address from the subnet is authorized, based on the ppp network interface unit number in use. In this case, the host part of the address will be set to the unit number plus one." (pppd(8) manual page)

4) Add the following lines to /etc/rc.local, before its final "exit 0":

# pptp VPN NAT
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.2.2.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.2.2.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
# route add -net 10.2.2.0 netmask 255.255.255.0 dev ppp0

where eth0 is your "Internet" interface on the server, the one connected directly to the Internet.

Two things to check. First, none of this forwards anything unless the kernel has IP forwarding enabled (net.ipv4.ip_forward=1, which Ubuntu leaves at 0 by default); set it with sysctl or in /etc/sysctl.conf. Second, the route add line is commented out above: ppp0 does not exist until a client connects, so the command fails at boot, and it is not needed anyway, because pppd installs a host route to each client's address when that client's link comes up.

5) Start pptpd

/etc/init.d/pptpd stop
/etc/init.d/pptpd start


6) Run /etc/rc.local

7) If you run a firewall on the server, make sure to allow both the PPTP control connection on TCP port 1723 and the GRE data channel (IP protocol 47). If GRE is blocked the client authenticates and then hangs. I open 1723 with the following command:
# pptp VPN
/sbin/iptables -A extern -p tcp --dport 1723 -j RETURN
and add an equivalent rule for -p gre. Notice that I am using a custom chain named "extern"; yours will probably be called something else.

8) Connect from your VPN client
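The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that generates the pptpd.conf lines (step 2), chap-secrets entries (step 3) and the forwarding, NAT and firewall commands (steps 4 and 7) as text, so they can be reviewed before anything is applied. The interface name eth0, the 10.2.2.0/24 subnet and the user names are assumptions; the GRE and ip_forward lines are the pieces the original steps leave out.

```shell
#!/bin/sh
# Added example, not from the original post: generates the pptpd.conf lines
# (step 2), chap-secrets entries (step 3) and the forwarding/NAT/firewall
# commands (steps 4 and 7) as text, so they can be reviewed before being
# applied.  Interface name, subnet and user names are assumptions.
set -eu

# Step 2: print the localip/remoteip lines.  printf always ends the output
# with a newline, which avoids the missing-trailing-newline hang.
pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$1" "$2"
}

# How many client addresses a remoteip range like 10.2.2.2-5 provides
# (the last octets of both ends are compared, so 10.2.2.2-5 gives 4;
# a single address gives 1).
remoteip_count() {
    range=$1
    case $range in
        *-*)
            first=${range%-*}; first=${first##*.}
            last=${range##*-};  last=${last##*.}
            echo $((last - first + 1))
            ;;
        *)  echo 1 ;;
    esac
}

# Step 3: one /etc/ppp/chap-secrets line.  The second field must equal the
# "name" directive in /etc/ppp/pptpd-options (pptpd by default).  The
# optional third argument restricts the tunnel IP the peer may take;
# "*" means any.  User and password are double-quoted so spaces survive.
chap_line() {
    printf '"%s"\tpptpd\t"%s"\t%s\n' "$1" "$2" "${3:-*}"
}

# Steps 4 and 7: enable forwarding, masquerade the VPN subnet out of the
# WAN interface, and let the PPTP control connection (TCP 1723) plus its
# GRE data channel (IP protocol 47) reach the server.  The rules are
# printed, not run; pipe the output to "sudo sh" once you have checked it.
nat_rules() {
    wan=$1; vpn_net=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE
iptables -A FORWARD -s $vpn_net -o $wan -j ACCEPT
iptables -A FORWARD -d $vpn_net -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $wan -p gre -j ACCEPT
EOF
}

# Usage: sh pptp-gen.sh eth0 10.2.2.0/24  (prints all fragments; applies nothing)
if [ $# -eq 2 ]; then
    echo "# /etc/pptpd.conf";                 pptpd_conf 10.2.2.1 10.2.2.2-5
    echo "# /etc/ppp/chap-secrets";           chap_line alice 'example pass' '*'
    echo "# firewall (review, then | sudo sh)"; nat_rules "$1" "$2"
fi
```

Printing instead of executing is deliberate: the iptables rules touch the server's live firewall, and with -A they land after any existing rule that may already drop the traffic, so look at the full chain before piping the output to sudo sh.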
