PPTP server

From LinuxMCE
Jump to: navigation, search
Version Status Date Updated Updated By
710 Unknown N/A N/A
810 Works 5 October 2010 pw44
1004 Works 1 November 2011 OnTarget
1204 Unknown N/A N/A
Usage Information

Setting up a PPTP Server.

The pptp server is the right tool to use for outside access to your internal network. While not the most secure VPN solution, PPTP is the most simple to install, configure and connect from windows, and mobile devices.

Reasons for doing it:

  1. Having your mobile as an extension of your asterisk server (Iphone, for example, can do it, Nokia can do it via an add on), even from public wifi spots.
  2. Being able to remotely access files or anything in your server from anywhere, even from wifi spots.
  3. Others, as you wish.

Lets make it simple:

Server Setup - install the pptp server package:

sudo apt-get install pptpd

edit the /etc/pptpd.conf file:

sudo vi /etc/pptpd.conf

and add:

localip 192.168.80.245,192.168.0.245
remoteip 192.168.80.246-250,192.168.0.246-250

where the localip is the address of the server, and the remoteip are the addresses that will be assigned to clients.

edit the /etc/ppp/pptpd-options file:

sudo vi /etc/ppp/pptpd-options

append the following directives:

ms-dns 192.168.80.1
nobsdcomp
noipx
mtu 1490
mru 1490

Mine looks like:

name dcerouter
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.80.1
proxyarp
nodefaultroute
debug
lock
nobsdcomp

Add the user credentials for authentication to you chap secrets file:

sudo vi /etc/ppp/chap-secrets

Add to it the user name + password in the following syntax:

usernmae <TAB> dcerouter <TAB> users-password <TAB> *

Restart the server for the settings to take affect:

sudo /etc/init.d/pptpd restart

Firewall rules:

Webadmin -> advanced -> Network -> Firewall Rules: core input for port 1723

You need to append the following lines to /usr/pluto/bin/Network_Firewall.sh, in order to permit GRE protocol flow (needed by PPTP):

iptables --append INPUT  --protocol 47 --jump ACCEPT
iptables --append OUTPUT --protocol 47 --jump ACCEPT

If you also have a router running Tomato or DD-WRT, the following iptables rules shall be applied (these are the ones in my Tomato router): My LinuxMCE has the eth0 setted to 192.168.0.160, defined by static address in my Tomato.

# init pptp + gre pass thru
iptables -t nat -I PREROUTING -p tcp --dport 1723 -j DNAT --to 192.168.0.160:1723
iptables -I FORWARD -p tcp -d 192.168.0.160 --dport 1723 -j ACCEPT
iptables -t nat -I PREROUTING -p 47 -j DNAT --to 192.168.0.160
iptables -I FORWARD -p 47 -d 192.168.0.160 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 0/0 --dport 1723 -j DNAT --to-destination 192.168.0.160
iptables -t nat -A PREROUTING -i ppp0 -p gre -d 0/0 -j DNAT --to-destination 192.168.0.160

iptables -A FORWARD -i ppp0 -o br0 -p tcp --dport 1723 -d 192.168.0.160 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.0.160 --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o br0 -p gre -d 192.168.0.160 -m state --state NEW,ESTABLISHED,RELATED-j ACCEPT
iptables -A FORWARD -i br0 -o ppp0 -p gre -s 192.168.0.160 -m state --state ESTABLISHED,RELATED -j ACCEPT
# end pptp + gre pass thru

Once done, reload DCERouter, in order that the /usr/pluto/bin/Network_Firewall.sh is reloaded,and if you have Tomato or DD-WRT, reboot it.

Configure your client to use PPTP and test (beyond this wiki).