PPTP VPN server using accel-ppp on Ubuntu

A how-to by niels.
Published: 2020-08-17 11:42:32. Updated: 2020-08-17 11:42:32.

In this how-to I'll explain how to configure accel-ppp as a PPTP VPN daemon.

Requirements

Ubuntu 20.04 server (or compatible) with accel-ppp. Please see our building and installing accel-ppp on Ubuntu page for instructions if needed.

Configure users

Create a folder to put our user database:

mkdir /etc/ppp

You could put it in /etc/accel-ppp if you prefer, but /etc/ppp is typically where it goes for backwards compatibility with pppd.

Use your preferred text editor to create /etc/ppp/chap-secrets. Mine looks like this:

# username server secret        ip-address speed
niels      *      lamepassword  *

The chap-secrets file is fairly self-explanatory. If you're wondering about the plain-text passwords: yes, you can hash the usernames and passwords, as well as encrypt the entire file. Please see the accel-ppp documentation for details. I'll keep it simple for now.
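Because the secrets sit in the file in plain text, the two things worth getting right are the file mode and the column layout. The script below is an added example (not from the original how-to or from the accel-ppp project): it writes the file with owner-only permissions from the start and checks that every entry has the client, server, secret, optional ip-address and optional speed columns shown in the header comment above. It assumes unquoted, whitespace-separated fields; the sample content it is fed in the usage note is constructed to match the entry above.

```shell
#!/bin/sh
# Added example, not from the original how-to: create the chap-secrets file
# with owner-only permissions and validate its layout before accel-ppp reads it.
# Field layout assumed (from the page's header comment):
#   client server secret [ip-address] [speed]
# Quoted fields containing spaces are not handled here.

# Write stdin to $1 so the file is created with mode 0600 from the start:
# the umask lives in a subshell, so nothing else in the script is affected.
write_chap_secrets() {
    ( umask 077; cat > "$1" )
}

# Print one line per problem found in $1 and return 1 if there were any:
#  - every non-comment, non-blank line needs 3 to 5 fields,
#  - the same client/server pair must not appear twice (only the first
#    match would ever be used),
#  - the mode must be 0600 because the secrets are stored in plain text.
check_chap_secrets() {
    status=0
    problems=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF < 3 || NF > 5 { print FILENAME ":" NR ": expected 3-5 fields, found " NF; next }
        { key = $1 " " $2
          if (key in seen) print FILENAME ":" NR ": duplicate entry for " key
          seen[key] = 1 }' "$1")
    if [ -n "$problems" ]; then
        echo "$problems"
        status=1
    fi
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$1: mode is $mode, expected -rw------- (0600)"
        status=1
    fi
    return $status
}

# List the usernames defined in $1 (first column of every data line).
chap_usernames() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print $1 }' "$1"
}
```

Usage: pipe the entries in, then run the check before starting the daemon, e.g. `printf '# username server secret ip-address speed\nniels * lamepassword *\n' | write_chap_secrets /etc/ppp/chap-secrets && check_chap_secrets /etc/ppp/chap-secrets`. A non-zero exit means something was printed that needs fixing.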

Configure accel-ppp for PPTP

Use your preferred text editor to create /etc/accel-ppp.conf and paste in the following content:

[modules]
log_syslog
pptp
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
chap-secrets
ippool
pppd_compat

[core]
thread-count=4

[common]

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1

[pptp]
verbose=1

[dns]
dns1=9.9.9.9
dns2=1.1.1.1

[ip-pool]
gw-ip-address=192.168.88.1
attr=Framed-Pool
192.168.88.2-255

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=3

[pppd-compat]
verbose=1

[chap-secrets]
chap-secrets=/etc/ppp/chap-secrets

[client-ip-range]
disable

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[connlimit]
limit=10/min
burst=3
timeout=60

[ipv6-pool]
fc00:0:1::/48,64
delegate=fc00:1::/36,48

[ipv6-dns]

[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1

You'll notice I'm using the 192.168.88.x IP range. This is a private range reserved for the VPN clients only; if your VPN server sits on a local network, it must be different from the range that network uses.
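Three things in this config are easy to get wrong without the daemon complaining: the list of auth modules (auth_pap puts the password on the wire in cleartext and is only there for old clients), the [cli] listeners (that is the management interface to the daemon, so it belongs on 127.0.0.1 as above), and the client pool overlapping the server's own LAN. The script below is an added example, not from the original how-to or from the accel-ppp project: it parses a config in this layout and reports those three problems. It assumes the last-octet pool syntax used above (192.168.88.2-255) and works on a constructed sample config written by write_sample_conf, so it runs offline; point lint_conf at /etc/accel-ppp.conf to check the real one.

```shell
#!/bin/sh
# Added example, not from the original how-to: pre-flight checks for an
# accel-ppp.conf in the INI-style layout the page shows.  The only input it
# needs is the constructed sample written by write_sample_conf.

# Write a constructed sample config (the relevant sections from the page) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[modules]
log_syslog
pptp
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
chap-secrets
ippool

[ip-pool]
gw-ip-address=192.168.88.1
attr=Framed-Pool
192.168.88.2-255

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
EOF
}

# Print the auth_* modules listed in the [modules] section of $1, in order.
enabled_auth_modules() {
    awk '/^\[/ { in_mod = ($0 == "[modules]"); next }
         in_mod && /^auth_/ { print $1 }' "$1"
}

# Flag auth modules that put the password on the wire in cleartext (PAP);
# MS-CHAP v1 and CHAP-MD5 are reported as legacy methods to review.
weak_auth_modules() {
    for m in $(enabled_auth_modules "$1"); do
        case $m in
            auth_pap) echo "WARN: $m: password is sent in cleartext" ;;
            auth_mschap_v1|auth_chap_md5) echo "NOTE: $m: legacy method, keep only if a client needs it" ;;
        esac
    done
}

# Print any [cli] telnet=/tcp= listener that is not bound to loopback.
exposed_cli_listeners() {
    awk '/^\[/ { in_cli = ($0 == "[cli]"); next }
         in_cli && /^(telnet|tcp)=/ && $0 !~ /=127\.0\.0\.1:/ { print }' "$1"
}

# Derive the /24 behind a last-octet range line such as "192.168.88.2-255"
# in [ip-pool] (the only pool syntax used on the page).
pool_networks() {
    awk '/^\[/ { in_pool = ($0 == "[ip-pool]"); next }
         in_pool && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+$/ {
             sub(/\.[0-9]+-[0-9]+$/, ".0/24"); print }' "$1"
}

# Dotted quad -> integer (POSIX shell arithmetic is at least 32 bits wide).
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if CIDR $1 and CIDR $2 share any address: compare both network
# addresses under the shorter of the two prefix lengths.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}; b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$a_ip") & mask )) -eq $(( $(ip4_to_int "$b_ip") & mask )) ]
}

# Warn when the client pool in $1 overlaps the LAN the server sits on ($2, CIDR).
pool_conflicts_with_lan() {
    for net in $(pool_networks "$1"); do
        if cidr_overlap "$net" "$2"; then echo "WARN: pool $net overlaps LAN $2"; fi
    done
    return 0
}

# Run every check against config $1 with the server's LAN given as $2.
lint_conf() {
    echo "auth modules: $(enabled_auth_modules "$1" | tr '\n' ' ')"
    weak_auth_modules "$1"
    exposed_cli_listeners "$1" | sed 's/^/WARN: cli listener reachable from the network: /'
    pool_conflicts_with_lan "$1" "$2"
}
```

Run `lint_conf /etc/accel-ppp.conf 192.168.1.0/24` with your own LAN prefix; on the config above it reports the cleartext PAP module and the two legacy methods, finds no exposed CLI listener, and only warns about the pool if your LAN is also 192.168.88.0/24 (or a prefix containing it). The overlap test compares network addresses under the shorter prefix, so it also catches a pool that sits inside a larger LAN prefix such as 192.168.0.0/16.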

Start accel-ppp

sudo systemctl start accel-ppp

It's probably a good idea to have accel-ppp start automatically when you boot your server:

sudo systemctl enable accel-ppp

Enable IP forwarding

Use your preferred text editor to add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward=1

Tell your system to reload the sysctl.conf file, which is normally only read during boot:

sudo sysctl -p /etc/sysctl.conf

Enable NAT

The 192.168.88.x IPs that our VPN clients will use are not recognized by your provider, so you'll need to NAT (translate) them to the IP of your server. (Just like your Wi-Fi router does for your devices at home.)

sudo iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp1s0 -j MASQUERADE

Important detail here: enp1s0 is the primary network interface on my server. It may be something else on your server.

Finally, you'll want to run this iptables command automatically when the server boots. Check my how-to on automatically starting the firewall for how to do that.
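Whatever mechanism you use to run this at boot, the script it runs should be safe to execute more than once: appending the MASQUERADE rule unconditionally stacks a duplicate every time, and appending net.ipv4.ip_forward=1 to sysctl.conf repeatedly does the same. The script below is an added example (not from the original how-to) that makes the forwarding and NAT steps idempotent and reads the outbound interface from the default route instead of hard-coding enp1s0. It assumes the iproute2 output format of `ip route show default` and the 192.168.88.0/24 client subnet used above; the root-only part only runs when the script is invoked as root with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original how-to: an idempotent version of the
# forwarding and NAT steps, safe to re-run at every boot.  The interface is
# taken from the default route instead of being hard-coded (enp1s0 on the
# page); VPN_SUBNET is the page's client range.
VPN_SUBNET=192.168.88.0/24

# Return the interface name from a "default via GW dev IFACE ..." line as
# printed by `ip route show default` (iproute2 output format assumed).
# Prints nothing if the line is not a default route.
default_iface_from_route() {
    echo "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Set KEY=VALUE in sysctl file $1, replacing an existing line for the same key
# rather than appending a second, possibly conflicting, one.
persist_sysctl() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regexes
    if [ -f "$file" ] && grep -q "^[[:space:]]*$key_re[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key_re[[:space:]]*=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        echo "$key=$value" >> "$file"
    fi
}

# Add the MASQUERADE rule only when an identical one is not already loaded
# (`iptables -C` checks for it), so repeated runs never stack duplicates.
ensure_masquerade() {
    subnet=$1; iface=$2
    if iptables -t nat -C POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE 2>/dev/null; then
        echo "NAT rule for $subnet via $iface already present"
    else
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    fi
}

# Root-only: enable forwarding now, persist it, and install the NAT rule.
apply_vpn_nat() {
    iface=$(default_iface_from_route "$(ip route show default)")
    [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    persist_sysctl /etc/sysctl.conf net.ipv4.ip_forward 1
    ensure_masquerade "$VPN_SUBNET" "$iface"
}

# Only act when run as root with "apply"; sourcing the file for its functions
# or running it without arguments changes nothing on the system.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    apply_vpn_nat
fi
```

Run it as `sudo sh vpn-nat.sh apply` (file name assumed) from whatever boot hook you use; a second run reports the rule as already present instead of adding another copy.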

Tags: pptp ubuntu