Simple Ubuntu Server: Part 9 – Setting Up VPN

In this part, we set up a VPN (Virtual Private Network), which allows access to a private network (such as a workplace LAN) over a public network (such as the internet or WAN). The VPN package I will be covering is called pptpd.

The first step as usual is to update your repository lists:

sudo apt-get update

Then download and install the package:

sudo apt-get install pptpd

The next step is to back up all the configuration files that we will edit:

sudo cp /etc/pptpd.conf{,.orig}
sudo cp /etc/ppp/pptpd-options{,.orig}
sudo cp /etc/ppp/chap-secrets{,.orig}

For the next part, you will need to know the IP address of your server. It is highly recommended that your server has a static IP address assigned. If it doesn’t, read and follow “Setting up a Static IP”, which details how to set one. You can find the server’s IP address with the command:


Before you edit the first configuration file below, open up your router/gateway’s settings page and forward TCP port 1723 and the GRE protocol to your server.

The first configuration file we’ll edit is /etc/pptpd.conf. Open the file with your favorite editor:

sudo vi /etc/pptpd.conf

The lines you’ll want to edit are near the very bottom of the file and are commented out by default. Remove the leading # characters, set the localip field to the IP address of the server itself, and set the remoteip field to the IP addresses/pool you want assigned to people that connect to your VPN.

Default IP settings

Modified IP settings

Next up, open the file /etc/ppp/pptpd-options for editing.

sudo vi /etc/ppp/pptpd-options

This is strictly optional, but I like having a more descriptive name than the default. If you want to, change the name on line 18.

name myubuntuserverpptpd
Default server name

Modified server name

That is the only change we will make in this file, but before you save and exit, take a look at lines 32-34, 37 and 40. These lines control which encryption schemes are allowed when negotiating connections. If you have older machines, platforms that only support certain encryption schemes, etc., then you will need to make changes here.

Default encryption

Finally, we open the file /etc/ppp/chap-secrets for editing. This is the file that contains the username/password combinations for anyone that will connect to the VPN.

sudo vi /etc/ppp/chap-secrets
  • client: the username for the person you want to grant access
  • server: the server name you set up above (default: pptpd)
  • secret: the password for the above username
  • IP address: the assigned IP address (use “*” for any available)
/etc/ppp/chap-secrets contents
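
A check to run after editing both files, as an added example that is not part of the original post: it reports auth/encryption directives missing from pptpd-options, and chap-secrets entries with short secrets, wildcard fields or loose file permissions. Assumptions: the five directive names are those of the stock Ubuntu pptpd-options, the 12-character minimum is an arbitrary threshold, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two files edited above.

# Print each auth/encryption directive that is absent or still commented out.
audit_options() {
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -Eq "^[[:space:]]*${opt}([[:space:]]|\$)" "$1" || echo "MISSING $opt"
    done
}

# Flag weak chap-secrets entries; columns are client, server, secret, IP address.
# Limitation: a quoted secret containing spaces is not parsed correctly.
audit_secrets() {
    awk -v min="${2:-12}" '
        /^[ \t]*(#|$)/ { next }                            # skip comments and blanks
        NF < 4 { print "line " NR ": incomplete entry"; next }
        { s = $3; gsub(/^"|"$/, "", s) }                   # drop surrounding quotes
        $2 == "*"       { print "line " NR ": " $1 " accepted under any server name" }
        length(s) < min { print "line " NR ": secret for " $1 " is under " min " chars" }
        $4 == "*"       { print "line " NR ": " $1 " may take any IP address" }
    ' "$1"
}

# chap-secrets holds cleartext passwords, so only its owner should be able to read it.
audit_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || echo "MODE $1 is $mode, expected -rw-------"
}

# Constructed sample files so the script runs anywhere; on a server pass the real paths.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'name pptpd' 'refuse-pap' 'refuse-chap' '#refuse-mschap' \
        'require-mschap-v2' '#require-mppe-128' > "$tmp/pptpd-options"
    printf '%s\n' '# client server secret IP' 'alice pptpd "Tr0ub4dor&3-horse" 192.168.0.234' \
        'bob * hunter2 *' > "$tmp/chap-secrets"
    chmod 644 "$tmp/chap-secrets"
    audit_options "$tmp/pptpd-options"
    audit_secrets "$tmp/chap-secrets"
    audit_mode "$tmp/chap-secrets"
    rm -rf "$tmp"
}
demo
```

On the server itself, call the three functions with /etc/ppp/pptpd-options and /etc/ppp/chap-secrets (as root) instead of running demo.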

As usual, in order for the changes you made to take effect, you’ll need to restart the server. The following command will do that for you.

sudo service pptpd restart

If you encounter any problems, you can troubleshoot them with help from the logfile:

sudo tail -f /var/log/syslog

If you want your clients to be able to reach anything other than the server itself, you will need to configure NAT for PPTP connections.

Open the file /etc/rc.local for editing:

sudo vi /etc/rc.local

And add the following line just above the last line, where it says “exit 0”:

# NAT IP Forwarding for PPTP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Next, open the file /etc/sysctl.conf for editing:

sudo vi /etc/sysctl.conf

And enable IPv4 forwarding by uncommenting line 28


Finally, reload the changes you just made and you’re good to go.

sudo sysctl -p