Setting up your own PPTP VPN

When it comes to VPNs, there is the choice between PPTP and OpenVPN. PPTP is pretty quick to set up and works out of the box with most (all?) OSes and devices.

OpenVPN offers a little better security, but is a little more hassle to set up and use. Strong VPN has a good comparison.

There are many reasons for getting your own VPN. My major concerns were security matters:

  1. I’m accessing several services that are IP-restricted. This is cool when it comes to security, but not so cool when it comes to accessibility when I’m not at the office.
  2. I’m frequently using open, untrusted WiFis. I wanted an encrypted connection to a more trusted peer.

Get a VPS

I got myself a cheap US$5/month VPS (1 core, 512MB RAM) and followed my own guide for getting your VPS up and running.

Install PPTP

$ apt-get install pptpd

Add the IP config for the VPN to /etc/pptpd.conf. This is the IP address the server will be using and the IP address range it will assign to the clients. These values will most likely work fine for you:

$ echo -e "localip 10.0.0.1\nremoteip 10.0.0.100-200" >> /etc/pptpd.conf

If, for some reason, you already use the 10.0.0.0 net on your local network, use another private IP net, like 192.168.123.0 (replace “10.0.0.” with “192.168.123.” in the command above).

Now edit /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

vpnuser1   pptpd   SecretPassword   *
vpnuser2   pptpd   ReallySecret     *

This file has four columns: «client», which is the username for the VPN login (it does not have to be a system account); «server», which should be «pptpd»; «secret», which is the plaintext password (eek! I know); and «IP addresses», which is the remote IP addresses that are allowed to connect.
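The file is plaintext and whitespace-separated, so it is easy to get a column wrong or to leave it readable by other users. The shell script below is an added example, not part of the original post: it appends a user in the four-column format shown above with a generated password, restricts the file to root, and checks an existing file for layout mistakes. The file path being a parameter, the 12-character minimum and the function names are this example's own choices; on the server the path would be /etc/ppp/chap-secrets.

```shell
#!/bin/sh
# Added example (not from the original post): a small tool for the chap-secrets file.
# The file path is a parameter so the functions can be tried on a scratch copy first;
# on the server it would be /etc/ppp/chap-secrets. The server column is "pptpd" as in the post.

# add_vpn_user FILE USER [SECRET]
# Appends one line in the four-column format. Without SECRET, a random 20-character
# password is generated from /dev/urandom and printed so it can be handed to the user.
add_vpn_user() {
    file=$1
    user=$2
    # Usernames are limited to characters that cannot break the whitespace-separated layout.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "add_vpn_user: invalid username '$user'" >&2; return 1 ;;
    esac
    if awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file" 2>/dev/null; then
        echo "add_vpn_user: user '$user' already exists in $file" >&2; return 1
    fi
    secret=${3:-$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)}
    printf '%s\tpptpd\t%s\t*\n' "$user" "$secret" >> "$file"
    # The secrets are plaintext, so nobody but root should be able to read the file.
    chmod 600 "$file"
    echo "$secret"
}

# check_chap_secrets FILE
# Reports lines that do not have exactly four columns, a server column other than pptpd,
# or a secret shorter than 12 characters (a threshold chosen for this example), and a
# file that is readable by group or others. Returns 1 if anything was reported.
check_chap_secrets() {
    file=$1
    rc=0
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: readable by group or others, run: chmod 600 $file"
        rc=1
    fi
    awk '
        /^[[:space:]]*(#|$)/ { next }                # comments and blank lines
        NF != 4         { printf "line %d: expected 4 columns, found %d\n", NR, NF; bad = 1; next }
        $2 != "pptpd"   { printf "line %d: server column is \"%s\", expected pptpd\n", NR, $2; bad = 1 }
        length($3) < 12 { printf "line %d: secret for %s is shorter than 12 characters\n", NR, $1; bad = 1 }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return $rc
}

# Usage on the server: sh chap-tool.sh add /etc/ppp/chap-secrets vpnuser3
#                      sh chap-tool.sh check /etc/ppp/chap-secrets
case ${1:-} in
    add)   shift; add_vpn_user "$@" ;;
    check) shift; check_chap_secrets "$@" ;;
esac
```

The check deliberately does not try to validate the «IP addresses» column, since «*» is what almost everyone uses there; the layout and permission problems are the ones that actually lock users out or expose the passwords.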

Next you need to edit /etc/ppp/pptpd-options, specifically the ms-dns option(s), which set the DNS server(s) the clients should use. Add one per line, like this:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

I have used Google’s public DNS servers. You may of course use the ones provided by your VPS host instead. Another good option might be the public DNS servers 208.67.222.222 and 208.67.220.220 from OpenDNS.

Start the PPTP server:

$ service pptpd restart

Enable the «forwarding» system parameter so you actually can connect to anything but the VPN server itself. Edit the file /etc/sysctl.conf and make sure these lines are in it:

net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1

Make the setting take effect:

$ sysctl -p

Enable masquerading with iptables:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Install iptables-persistent to load the iptables rule on reboot:

$ apt-get install iptables-persistent

(It’s important that you install this package after applying the iptables rule. It saves the current rules on installation only.)
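Because the masquerade rule is added with -A, running the steps above a second time leaves two copies of it, and nothing in the steps confirms that forwarding actually took effect. The script below is an added example, not the post's own commands: it applies the rules only when they are missing, narrows the masquerade to the VPN subnet, and checks the live sysctl and iptables-save output. The interface name eth0 and the subnet 10.0.0.0/24 come from the post; the FORWARD rules, the function names and the sample iptables-save dump are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the forwarding/NAT rules idempotently
# and verify them. Assumptions: the public interface is eth0 and the VPN clients get
# addresses in 10.0.0.0/24, as in the post; both can be overridden via the environment.

WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-10.0.0.0/24}

# ensure_rule TABLE CHAIN RULE...
# "iptables -A" adds a duplicate every time it is run; checking with -C first makes the
# script safe to re-run.
ensure_rule() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# apply_vpn_nat
# Masquerades only traffic from the VPN subnet (narrower than the post's rule, which
# masquerades everything leaving eth0) and accepts forwarding only between the ppp
# interfaces and eth0. The FORWARD rules matter if that chain's policy is DROP; with the
# usual default of ACCEPT they change nothing.
apply_vpn_nat() {
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i ppp+ -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$WAN_IF" -o ppp+ -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # iptables-persistent only snapshots the rules when it is installed; after changes
    # re-save them into the file it loads on boot:  iptables-save > /etc/iptables/rules.v4
}

# Constructed sample of "iptables-save -t nat" output, used to exercise the check offline.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# forwarding_enabled SYSCTL_LINE
# Takes the output of "sysctl net.ipv4.ip_forward" and succeeds only if the value is 1.
forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$'
}

# masquerade_present DUMP
# Takes an iptables-save dump and succeeds if its nat table has a POSTROUTING rule that
# masquerades traffic leaving WAN_IF.
masquerade_present() {
    printf '%s\n' "$1" | awk -v ifc="$WAN_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && $0 ~ ("-o " ifc "( |$)") && /-j MASQUERADE/ { found = 1 }
        END { exit !found }'
}

# verify_vpn_nat: run on the server after the setup steps.
verify_vpn_nat() {
    forwarding_enabled "$(sysctl net.ipv4.ip_forward)" || { echo "net.ipv4.ip_forward is not 1"; return 1; }
    masquerade_present "$(iptables-save -t nat)" || { echo "no MASQUERADE rule out of $WAN_IF"; return 1; }
    echo "forwarding and NAT for $VPN_NET via $WAN_IF look correct"
}

# Usage: sh vpn-nat.sh apply   |   sh vpn-nat.sh verify
case ${1:-} in
    apply)  apply_vpn_nat ;;
    verify) verify_vpn_nat ;;
esac
```

Run verify after a reboot as well: if it fails then, the rules were not saved by iptables-persistent and need to be written to /etc/iptables/rules.v4 as noted in the script.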

Set up the client (Mac OS X)

Sorry, I can only cover Mac OS X here.

  1. Go to System Preferences → Network
  2. Add a new interface (bottom left “+”)
  3. Set «Interface» to VPN, select «PPTP» as VPN Type and put a cool name in «Service Name»
  4. Add your server hostname and your VPN username
  5. Click «Authentication Settings» and add your VPN password
  6. Click «Advanced» and check «Send all traffic over VPN connection»
  7. Click «Connect» and you should be connected

P.S. It’s a good idea to check «Show VPN status in menu bar». It gives you easy access to connect/disconnect and, of course, your connection status.

2 Comments

  1. Last command to save iptables is incorrect.

    It should be like this:
    apt-get install iptables-persistent

  2. However,
    Mac OSX used to support PPTP setup from its GUI but not in the newest versions of the OS.
    They removed PPTP from the choices available. You must use the command line to use PPTP, or buy a PPTP client.
