A how-to by niels.
Published: 2020-08-17 11:42:32. Updated: 2020-08-17 11:42:32.
In this how-to I'll explain how to configure accel-ppp as a PPTP VPN daemon.
Ubuntu 20.04 server (or compatible) with accel-ppp. Please see our building and installing accel-ppp on Ubuntu page for instructions if needed.
Create a folder to put our user database:
You could put it in /etc/accel-ppp if you prefer, but /etc/ppp is typically where it goes for backwards compatibility with pppd.
Use your preferred text editor to create /etc/ppp/chap-secrets. Mine looks like this:
# username server secret ip-address speed
niels * lamepassword *
The chap-secrets file is fairly self-explanatory. If you're wondering about the plain-text passwords: yes, you can hash the usernames and passwords, as well as encrypt the entire file. Please see the accel-ppp documentation for details. I'll keep it simple for now.
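Because the file as shown holds plain-text secrets, it is worth checking that only its owner can read it and that no entry is trivially guessable. The audit function below is an added example, not part of the original how-to or of accel-ppp; it assumes the field layout from the sample above, and the 16-character minimum (MIN_LEN) is an assumed policy value.

```shell
#!/bin/sh
# Added example: audit a chap-secrets file laid out as
#   username server secret ip-address
# MIN_LEN is an assumed local policy value, not an accel-ppp setting.
MIN_LEN=${MIN_LEN:-16}

# Print one finding per line; secrets themselves are never printed.
audit_chap_secrets() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $file is accessible to group/other (expected mode 600)"
    fi

    awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        NF < 3 {
            printf "MALFORMED: line %d has fewer than 3 fields\n", NR
            next
        }
        {
            user = $1
            secret = $3
            gsub(/^"|"$/, "", secret)   # secrets may be quoted
            if (seen[user]++)
                printf "DUPLICATE: %s appears more than once\n", user
            if (length(secret) < min)
                printf "WEAK: %s has a secret shorter than %d characters\n", user, min
            if (tolower(secret) == tolower(user))
                printf "WEAK: %s uses the username as the secret\n", user
        }
    ' "$file"
}
```

Source the script and run audit_chap_secrets /etc/ppp/chap-secrets as root; no output means no findings.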
Use your preferred text editor to create /etc/accel-ppp.conf and paste in the following content:
[modules]
log_syslog
pptp
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
chap-secrets
ippool
pppd_compat

[core]
thread-count=4

[common]

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1

[pptp]
verbose=1

[dns]
dns1=184.108.40.206
dns2=220.127.116.11

[ip-pool]
gw-ip-address=192.168.88.1
attr=Framed-Pool
192.168.88.2-255

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=3

[pppd-compat]
verbose=1

[chap-secrets]
chap-secrets=/etc/ppp/chap-secrets

[client-ip-range]
disable

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[connlimit]
limit=10/min
burst=3
timeout=60

[ipv6-pool]
fc00:0:1::/48,64
delegate=fc00:1::/36,48

[ipv6-dns]

[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1
You'll notice I'm using the 192.168.88.x IP range. This is a private IP range for use by the VPN clients only. It should be different from the IP range on your local network (if your VPN server is on the local network).
sudo systemctl start accel-ppp
It's probably a good idea to have accel-ppp start automatically when you boot your server:
sudo systemctl enable accel-ppp
Use your preferred text editor to add the following line to /etc/sysctl.conf:
Tell your system to reload the sysctl.conf file (it is normally read during boot):
sudo sysctl -p /etc/sysctl.conf
The 192.168.88.x IPs that our VPN clients will use are not recognized by your provider, so you'll need to NAT (translate) those to the IP of your server. (Just like your Wi-Fi router does for your devices at home.)
sudo iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp1s0 -j MASQUERADE
Important detail here: enp1s0 is the primary network interface on my server. It may be something else on your server.
Finally, you'll want to run this iptables command automatically when the server boots. Check my how-to on automatically starting the firewall on how to do that.