I managed to get the poptop aka pptpd server running to my satisfaction today.
I have an Ubuntu server at home, which I would like to access from the internet side. I mostly use Windows machines, which natively support pptp connections so the choice of poptop was obvious. A good alternative would be OpenVPN, of course.
First I installed pptpd:
$ sudo apt-get install pptpd
This will install the pptp daemon and cause it to start on boot. Next I added users:
$ sudo pico /etc/ppp/chap-secrets
Each line of chap-secrets has the format (client, server, secret, allowed IP addresses):
my_username pptpd my_password *
It is possible to authenticate against other sources, but for my small network (a couple of users) it seemed a bit overkill.
Next I opened:
$ sudo pico /etc/pptpd.conf
Where I defined the ip addresses to be used by inserting the lines:
localip 192.168.1.200
remoteip 192.168.1.201-250
Note here that localip becomes the address of the VPN server and should be different from the IP address of the server's physical network interface (which is 192.168.1.100 in my case). The remoteip line defines an address range from which VPN clients receive their addresses.
I believe it is important that these addresses are in the same range as the rest of your LAN, otherwise you will only be able to access resources on the VPN server.
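A check of the address plan described above, written in Python as an added example (it is not part of the original post or of pptpd). It assumes the LAN is 192.168.1.0/24, which the post does not state, and handles comma-separated addresses and last-octet ranges such as 192.168.1.201-250; the function names are hypothetical.

```python
import ipaddress

def expand_spec(spec):
    """Expand 'a.b.c.d' and 'a.b.c.d-e' items (comma-separated) into addresses."""
    addrs = []
    for part in spec.split(","):
        start, _, end = part.strip().partition("-")
        first = ipaddress.IPv4Address(start)
        lo = int(first) & 0xFF              # last octet of the start address
        hi = int(end) if end else lo        # single address: range of one
        if not lo <= hi <= 255:
            raise ValueError(f"bad range: {part!r}")
        base = int(first) - lo
        addrs.extend(ipaddress.IPv4Address(base + o) for o in range(lo, hi + 1))
    return addrs

def parse_pptpd_conf(text):
    """Return {'localip': [...], 'remoteip': [...]} from pptpd.conf text."""
    opts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) == 2 and fields[0] in ("localip", "remoteip"):
            opts[fields[0]] = expand_spec(fields[1])
    return opts

def check_address_plan(conf_text, server_ip, lan_cidr):
    """List problems with the plan; server_ip and lan_cidr are supplied by the caller."""
    opts = parse_pptpd_conf(conf_text)
    server = ipaddress.IPv4Address(server_ip)
    lan = ipaddress.IPv4Network(lan_cidr)
    local, pool = opts.get("localip", []), opts.get("remoteip", [])
    problems = []
    if not local or not pool:
        problems.append("localip and remoteip must both be set")
    if server in local:
        problems.append(f"localip reuses the physical interface address {server}")
    if server in pool:
        problems.append(f"remoteip pool contains the server address {server}")
    clash = sorted(set(local) & set(pool))
    if clash:
        problems.append(f"localip overlaps remoteip pool: {clash[0]}")
    outside = [a for a in local + pool if a not in lan]
    if outside:
        problems.append(f"{len(outside)} address(es) outside LAN {lan}")
    return problems

# Constructed sample: the values used in this post (LAN prefix /24 is assumed).
SAMPLE = "localip 192.168.1.200\nremoteip 192.168.1.201-250\n"
print(check_address_plan(SAMPLE, "192.168.1.100", "192.168.1.0/24") or "OK")
```

Any LAN host that already holds a static address inside the remoteip range will collide with a VPN client, so the pool should also be excluded from the router's DHCP range.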
I want to access not only the VPN server but also resources on the LAN and for this I enabled ip forwarding:
$ sudo pico /etc/sysctl.conf
In this file I inserted the lines:
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
This takes effect on every subsequent boot. To enable IP forwarding right away, run:
$ sudo sysctl -p
You should now be able to access other hosts on the LAN as the VPN server can now forward your requests.
Lastly, we define a DNS server to be assigned to VPN clients, so that they may use the gateway of the VPN as their default gateway and thus obtain a full tunneling experience. This is useful if you are on an insecure network (e.g. unsecured wireless) and want to, for instance, browse plain http websites without the risk of leaking information.
$ sudo pico /etc/ppp/pptpd-options
Insert this line:
ms-dns 192.168.1.1
Replace 192.168.1.1 with the address of your DNS server. In my case 192.168.1.1 is the ISP-supplied NAT router, which serves as both gateway and DNS relay.
Finally, restart pptpd by issuing the command:
$ sudo /etc/init.d/pptpd restart
Using these instructions you should now be able to create a new VPN connection in Windows using the credentials you inserted into chap-secrets. A trick here is to select a username and password which are the same as your Windows username and password. In the properties of the VPN connection you can then go to the Security tab and check "Automatically use my Windows logon name and password", and in the future you don't need to enter your credentials.
If you don't want to route all traffic over the tunnel, open the properties of the connection, go to the Networking tab, choose Properties and then Advanced for TCP/IP, and un-check the "Use default gateway on remote network" checkbox.