This is short guide how to set-up VPN service on Ubuntu Linux server. VPN is intended to secure your internet traffic against local snooping by encrypting the traffic and tunneling it out from known good server. Possible use cases are
- Secure your organization internal traffic between home office, mobile devices an the office
- Hide internet traffic from the big brother
- Spoof your location for TV and video streams: you are renting a server in a different country, like US, allowing you to watch US only video streams
- Spoof your location for iPhone / iPad / iPod / Android apps
- Visit sites which are otherwise unreachable (though in this case an SSH tunnel + SOCKS proxy is easier to set-up, more lightweight, alternative)
- Test mobile applications against local servers during mobile app development
These instructions set-up VPN using PPTP protocol which is widely supported. After the server has been set-up you can use any modern OS or device to connect to the VPN: Windows, OSX, Linux, iOS, Android, etc.
- Basics of UNIX command line (the hacker typing thing)
- Basics of Linux server administration
2. Setting up PPTP daemon
We are using (old) Ubuntu 8.04 server though instructions should apply for later Ubuntu versions too. These installation instructions are restart free – however few commands must be placed into /etc/rc.local file to make the changed settings persist over Linux restarts.
First install some free software
sudo apt-get install pptpd telnet iptables
Pick up your server public fixed IP address. Usually this is what you see in ethernet 0 adapter.
Then edit /etc/pptpd.conf
sudo nano /etc/pptpd.conf
(Use sudo nano for editing other files too later in this tutorial)
Uncomment and change the localip line to your server public IP address
Then edit /etc/ppp/pptpd-options
Make PPTP service to give DNS name resolving servers for the VPN clients. In optimal case you use the DNS server from your server provider, but Google’s public DNS servers (below) work fine:
sudo nano /etc/ppp/pptpd-options
Uncomment and change ms-dns lines to
ms-dns 188.8.131.52 ms-dns 184.108.40.206
Edit /etc/ppp/chap-secrets as sudo and add your PPTP username and password (plaintext)
sudo nano /etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses opensource pptpd hacker *
Run the following commands to enable IP NAT routing on your server (allows piping traffic through the public IP of the server):
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sysctl net.ipv4.ip_forward=1
These settings above are effective only until the server restart. Put them into /etc/rc.local start-up script file to make sure Linux runs them on the start-up.
Restart PPTP daemon to make it read settings again
sudo /etc/init.d/pptpd restart
3. Setting VPN PPTP client
For the VPN client (iPad, Windows, OSX, Ubuntu Network Manager) the settings would be for the example above:
- Protocol: PPTP
- Server: your server public IP or DNS name
- Login: opensource
- Password: hacker
- Encryption level: auto (or it should pick secure MPPE 128 by default)
- Send all traffic: Yes (will forward all traffic through VPN, not just one inside your VPN devices)
If the VPN traffic is not going through, i.e. your internet stops working when VPN client is active, here are some instructions to pinpoint where the error happens.
Inspect the server syslog while connecting to the VPN service
sudo tail -f /var/log/syslog
These lines are “normal”:
Oct 22 18:34:05 ubuntu pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. Oct 22 18:34:05 ubuntu pppd: pppd 2.4.4 started by root, uid 0 Oct 22 18:34:05 ubuntu pppd: Using interface ppp0 Oct 22 18:34:05 ubuntu pppd: Connect: ppp0 <--> /dev/pts/1 Oct 22 18:34:05 ubuntu pptpd: GRE: Bad checksum from pppd. Oct 22 18:34:08 ubuntu pppd: MPPE 128-bit stateless compression enabled Oct 22 18:34:09 ubuntu pppd: Cannot determine ethernet address for proxy ARP Oct 22 18:34:09 ubuntu pppd: local IP address x.x.x.x Oct 22 18:34:09 ubuntu pppd: remote IP address 192.168.0.234
On the client side, try to use ping command to reach servers by IP address to determine if you have problems with DNS set-up
- Your server public IP
- 220.127.116.11 (Internet IP, Google’s public DNS server)
E.g. run the command
.. and see if the packets go through.
If you manage to ping numeric IPs, but not google.com the problem is with DNS settings.
After the traffic is flowing through check the public IP address your device using duckduckgo.com:
It should give your VPN server IP address instead of your lcoal public IP address.
5. Random notes
- iOS devices and Android devices also may use crowdsourced WLAN / 3G station data for determining yout location, so you might need to spoof your local WLAN connection somehow
- To determine if WLAN is being used just open Google Maps, show your location and if it doesn’t go to the location of VPN server then it is using your WLAN position
- Practical workaround: Just set a temporary tethering WLAN access point using your mobile phone (e.g. Android) and walk to somewhere where your device cannot hear WLAN to work around this – most of apps check the location only once during the launch