Setting up PPTP and OpenVPN Service on Ubuntu Linux

Use a VPN to avoid network censorship and logging, and to stay secure on open Wi-Fi networks.

What follows is the configuration and troubleshooting process on an AWS EC2 instance.

I. Initial configuration

Install pptpd

apt-get install pptpd

Configure address pool

Add the following to /etc/pptpd.conf:

localip 192.168.0.1
remoteip 192.168.0.2-10

Set DNS servers for clients

Add the following to /etc/ppp/pptpd-options:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Add user accounts

Add the following to /etc/ppp/chap-secrets:

user1  pptpd   passwd1  *
user2  pptpd   passwd2  *

Enable packet forwarding

Uncomment the following line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Reload settings

service pptpd restart
sysctl -p

Enable NAT

Add the following lines above exit 0 in /etc/rc.local:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/24 -j TCPMSS --set-mss 1200

Configure firewall rules

Permit inbound TCP 1723 and GRE (protocol 47) traffic.

View VPN connection log (logwtmp must be enabled in /etc/pptpd.conf)

last | grep ppp
last -f /var/log/wtmp | grep ppp
last -f /var/log/wtmp.1 | grep ppp
...

II. Setting up OpenVPN Service

Reference: How To Set Up an OpenVPN Server on Ubuntu 14.04 - Digital Ocean

Install OpenVPN

apt-get install openvpn

Copy example configuration

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

In /etc/openvpn/server.conf, change:

dh dh1024.pem

to

dh dh2048.pem

Uncomment

;push "redirect-gateway def1 bypass-dhcp"

and

;push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 8.8.4.4"

and

;user nobody
;group nogroup

and

# For multiple connections from clients using the same certificate / key.
duplicate-cn

Configure Packet Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Add the following lines above exit 0 in /etc/rc.local (if OpenVPN uses a different subnet from the PPTP service):

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/24 -j TCPMSS --set-mss 1200

Generate and copy CA & server certificates and key to /etc/openvpn/

Then, start and check the status of OpenVPN service:

service openvpn start
service openvpn status

View the log in /var/log/syslog for troubleshooting.

III. Troubleshooting VPN Services

Problem 1

After setting up my VPN service, I found it was inaccessible from my home network but accessible from a mobile network.

I started pppd in debug mode (uncomment #debug in /etc/ppp/pptpd-options), plus Wireshark sniffing on the client side, and got a result like this:

pppd[3273]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x64b52959> <pcomp> <accomp>]
pppd[3273]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x378a50ac> <pcomp> <accomp>]
pppd[3273]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x378a50ac> <pcomp> <accomp>]
pppd[3273]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x64b52959> <pcomp> <accomp>]
pppd[3273]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x378a50ac> <pcomp> <accomp>]
pppd[3273]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x378a50ac> <pcomp> <accomp>]

Apparently the server received ConfReq messages from the client and responded with ConfAck messages, but the client didn't receive them, so the problem may lie in the inbound firewall rules on the client side.

After adding an inbound rule on the client-side router, the problem was solved.

Problem 2

Another problem was that Windows 7 running on my VM was not able to connect to the VPN.

Using the same technique, I got the following:

sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x23cf9cf3> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x63d1323> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x63d1323> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x1 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x23cf9cf3> <pcomp> <accomp>]

It seems the client requested the Callback Control Protocol (CBCP), which is not allowed on the server side, hence the server replied with ConfRej messages.

After searching around the Internet for hours, I found a post saying this is also a client-side firewall problem; after changing the VM networking mode from NAT to bridged, the problem was solved.
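As an added example (not part of the original post), here is a small Python analyzer that applies the two diagnoses from Problem 1 and Problem 2 to pppd debug output: it flags a server ConfReq that is retransmitted without ever being acknowledged (packets not reaching the client) and an option the server keeps rejecting (such as <callback CBCP>). The traces are constructed to mirror the ones above; the magic values are invented.

```python
import re
from collections import Counter

# Constructed pppd debug excerpts modelled on the two traces in this post (magic values invented).
TRACE_CLIENT_FIREWALLED = """
pppd[1]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa> <pcomp> <accomp>]
pppd[1]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb> <pcomp> <accomp>]
pppd[1]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xb> <pcomp> <accomp>]
pppd[1]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa> <pcomp> <accomp>]
pppd[1]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb> <pcomp> <accomp>]
pppd[1]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xb> <pcomp> <accomp>]
"""
TRACE_CBCP = """
pppd[2]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc> <pcomp> <accomp>]
pppd[2]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xd> <pcomp> <accomp> <callback CBCP>]
pppd[2]: sent [LCP ConfRej id=0x0 <callback CBCP>]
pppd[2]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xd> <pcomp> <accomp> <callback CBCP>]
pppd[2]: sent [LCP ConfRej id=0x1 <callback CBCP>]
"""
# Constructed healthy negotiation for contrast: each side's ConfReq is acknowledged once.
TRACE_OK = """
pppd[3]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe> <pcomp> <accomp>]
pppd[3]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xf> <pcomp> <accomp>]
pppd[3]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xf> <pcomp> <accomp>]
pppd[3]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe> <pcomp> <accomp>]
"""

LCP_RE = re.compile(r"(sent|rcvd) \[LCP (\w+) id=(0x[0-9a-f]+)((?: <[^>]*>)*)\]")

def parse_lcp(text):
    """Yield (direction, code, id, [options]) for every LCP line in a pppd debug log."""
    for direction, code, ident, opts in LCP_RE.findall(text):
        yield direction, code, ident, re.findall(r"<([^>]*)>", opts)

def diagnose(text):
    """Return human-readable findings explaining why an LCP negotiation never completes."""
    events = list(parse_lcp(text))
    findings = []
    # Server re-sends the same ConfReq id and never sees a ConfAck for it: its packets are
    # not reaching the client (Problem 1 pattern, fixed by a client-side inbound rule).
    sent_req = Counter(i for d, c, i, _ in events if (d, c) == ("sent", "ConfReq"))
    acked = {i for d, c, i, _ in events if (d, c) == ("rcvd", "ConfAck")}
    for ident, n in sorted(sent_req.items()):
        if n > 1 and ident not in acked:
            findings.append(f"ConfReq {ident} sent {n}x without ConfAck: server->client path blocked")
    # Server keeps rejecting an option the client insists on (Problem 2 pattern, <callback CBCP>).
    rejected = Counter(o for d, c, _, opts in events if (d, c) == ("sent", "ConfRej") for o in opts)
    for opt, n in sorted(rejected.items()):
        findings.append(f"rejected client option <{opt}> {n}x: unsupported feature requested")
    return findings
```

Feed it the output of `journalctl -u pptpd` or the pppd lines from /var/log/syslog; an empty result means both sides' ConfReqs were acknowledged and the fault lies later in the handshake (CHAP or IPCP), not at the LCP stage.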

Problem 3

On some networks, the connection will stop working after heavy bandwidth utilization has occurred, and your host will receive a large number of Protocol Reject packets. This is mainly an ISP problem.