PPTP VPN Server On Raspberry PI

Maciej
4 min read · Sep 15, 2020

About Raspberry PI

It is a tiny, highly recommended PC that you can buy for $25.

When using it as a VPN server there is no particular problem with a wired LAN connection, but with a USB Wi-Fi adapter the old model reportedly could not supply enough power to the adapter stably. Searching on Google, I found that the suggested fix for this problem was to solder on additional capacitors.

If it is the newer Raspberry Pi Model B+, I think it can be operated stably without soldering work such as adding capacitors.

PPTPD installation and configuration

I think it can be done in five minutes 😊

Update your system to the latest version if necessary

$ sudo apt-get update
$ sudo apt-get upgrade

pptpd installation

$ sudo apt-get install pptpd

pptpd settings (the server's own IP and the IPs assigned to connected clients)

$ sudo vi /etc/pptpd.conf

Uncomment the lines that are commented out at the end of the file. For localip, set the IP of this machine, the one being configured as the VPN server. For the time being, assign a fixed IP address to this machine via DHCP from the router's settings screen. As you probably know, you can look up the MAC address with $ ifconfig.

localip 192.168.123.2
remoteip 192.168.123.234-238, 192.168.123.245

DNS settings

Let's set the DNS server used by the connected clients. Normally the router's IP is a good choice, or a public resolver such as 1.1.1.1 is also fine.

$ sudo vi /etc/ppp/pptpd-options

ms-dns 192.168.0.1

Account settings for connected clients

Add a user account that can be accessed with pptp. Note that the password is saved in clear text.

$ sudo vi /etc/ppp/chap-secrets

# Username Servername Password Assigned IP
dummy pptpd dummy *

IP forward settings

If IP forwarding is not enabled in Linux itself (it is disabled by default), the kernel will not forward packets whose destination address is not its own, so all packets from terminals connected via VPN will be discarded.

$ sudo vi /etc/sysctl.conf

net.ipv4.ip_forward = 1 # Uncomment
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

MTU/MRU settings

Even without this setting it will connect on some machines, but iOS and Mac clients can be cut off completely, which makes it unusable. I think both values default to 1500. The reason for the cut-off is that VPN tunneling adds header information, so the packet size exceeds 1500.

$ sudo vi /etc/ppp/options

mtu 1280
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. Pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP / IP header + 256
# bytes of data).
mru 1280

As an aside, as mentioned above, the comment for mru says that 296 bytes is recommended for slow links.

Let’s set up the router

If you have a separate router (which I think is usually the case), set up port forwarding on your router. 😊

Testing

Try connecting with the PPTP protocol from your iPhone/Android/Mac.
For the server address, enter the global IP of the router / VPN server that you set up, or its DNS name. RSA SecurID is not used, so leave it off. Enter the account and password you set earlier. Since I haven't set up any proxy this time, it usually does not need to be set.

Firewall

If you need it, you can set up a firewall on your VPN server. Install ufw, or iptables, which is fine too.

$ sudo apt-get install ufw
$ sudo ufw status

Allowed port settings

This time our VPN server is running on the default port 1723, so allow 1723. Anything else, please set it yourself. Or rather, I think many people have already set up iptables, so please configure that yourself.
When doing this, don't forget to allow ssh; it's commonplace, but take care.

$ sudo ufw allow ssh
$ sudo ufw allow 1723/tcp

For the time being, leave the default setting as deny

$ sudo ufw default deny

Packet forwarding permission settings

$ sudo vi /etc/default/ufw

Change forward policy to ACCEPT

DEFAULT_FORWARD_POLICY="ACCEPT"

Add NAT settings

$ sudo vi /etc/ufw/before.rules

Add the following lines to the beginning of the file. They masquerade (NAT) packets from 192.168.123.0/24 out through eth0. Of course, if your interface is not eth0, change it accordingly. You probably know which interface you are using, but you can check it with the ifconfig command.

# NAT Table Rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the VPN client subnet 192.168.123.0/24 out via eth0
-A POSTROUTING -s 192.168.123.0/24 -o eth0 -j MASQUERADE

COMMIT

Finally restart ufw to reflect the settings

$ sudo ufw disable && sudo ufw enable
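The steps above spread one VPN subnet across three files (localip/remoteip in pptpd.conf, ip_forward in sysctl.conf, the MASQUERADE rule in before.rules), and a mismatch between them fails silently. As an added example that is not part of the original post, this Python audit parses constructed copies of those files with the post's values and reports inconsistencies; it is a hypothetical helper, not a pptpd tool, and assumes pptpd's remoteip syntax of last-octet ranges and comma-separated addresses ('a.b.c.d-e, a.b.c.f').

```python
import ipaddress
import re

# Constructed sample files that mirror the post's values (not read from a real Pi).
PPTPD_CONF = "option /etc/ppp/pptpd-options\nlocalip 192.168.123.2\nremoteip 192.168.123.234-238, 192.168.123.245\n"
SYSCTL_CONF = "net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_redirects = 0\n"
BEFORE_RULES = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 192.168.123.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n"


def parse_remoteip(spec):
    """Expand pptpd's remoteip syntax ('a.b.c.d-e, a.b.c.f') into IPv4 addresses."""
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:  # last-octet range, e.g. 192.168.123.234-238
            start, end = item.split("-")
            base, first = start.rsplit(".", 1)
            for last in range(int(first), int(end) + 1):
                hosts.append(ipaddress.ip_address(f"{base}.{last}"))
        else:
            hosts.append(ipaddress.ip_address(item))
    return hosts


def audit(pptpd_conf, sysctl_conf, before_rules):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    conf = dict(re.findall(r"^(localip|remoteip)\s+(.+)$", pptpd_conf, re.M))
    local = ipaddress.ip_address(conf["localip"].strip())
    pool = parse_remoteip(conf["remoteip"])
    if local in pool:
        findings.append("localip is inside the remoteip pool")
    # A still-commented '#net.ipv4.ip_forward=1' does not match: the post's 'Uncomment' step.
    m = re.search(r"^net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_conf, re.M)
    if not m or m.group(1) != "1":
        findings.append("ip_forward not enabled: VPN clients' packets will be dropped")
    nat = re.search(r"^-A POSTROUTING -s (\S+) -o (\S+) -j MASQUERADE", before_rules, re.M)
    if not nat:
        findings.append("no MASQUERADE rule in before.rules")
    else:
        subnet = ipaddress.ip_network(nat.group(1), strict=False)
        outside = [str(h) for h in pool if h not in subnet]
        if outside:
            findings.append(f"remoteip addresses not covered by NAT: {outside}")
    return findings


if __name__ == "__main__":
    print(audit(PPTPD_CONF, SYSCTL_CONF, BEFORE_RULES) or "OK: files are consistent")
```

Running it against the post's values prints that the files are consistent; change the NAT subnet or leave ip_forward commented out and the corresponding finding is reported.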

The raspberry pi is now a VPN server. Congrats!

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.