Jul 13, 2011

OpenVPN and PPTP Server Setup

I wrote this a while ago while trying to figure out how to set up a VPN server to connect to when on unsecured networks (e.g., hotels, coffee shops, etc.). Essentially, OpenVPN connects you to the server and routes all of your traffic through an encrypted tunnel to it.

Most of the server setup came from here and the config file and routing setup came from here.

This setup has been tested on Ubuntu 8.04, but should work for most Debian-based Linux distros. For Red Hat or other Linux distros, substitute yum for apt-get. This tutorial uses the network for OpenVPN and the network for PPTP. Any private network should work as long as the same subnet is not already in use on the server's or the client's existing networks.


OpenVPN server setup:

1. Install OpenVPN on the server:
$ apt-get install openvpn openssl
2. Set up OpenVPN:
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
$ cd /etc/openvpn/
$ mkdir keys
3. Create keys:
$ nano vars (edit the last section)
$ source ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client
$ ./build-dh
4. Repeat the $ ./build-key [client name] line to create additional client keys

5. Create Server Config File:
$ nano server.conf
Insert the following text in server.conf:
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt # Path of ca.crt file you generated
cert /etc/openvpn/keys/server.crt # Path of certificate you generated
key /etc/openvpn/keys/server.key # Path of key file you generated
dh /etc/openvpn/keys/dh1024.pem # Path of dh file you generated
user nobody
group nogroup
server # Any private subnet not currently in use
#status openvpn-status.log
verb 3
push "dhcp-option DOMAIN ###.###.###.###" # Server public IP or domain name
push "dhcp-option DNS" # Primary dns server (opendns shown)
push "dhcp-option DNS" # Secondary dns server (opendns shown)
push "redirect-gateway" # Directs all traffic through your VPN
#log-append /var/log/openvpn
6. Make OpenVPN start automatically (debian-based instructions only):
$ nano /etc/default/openvpn
Uncomment or add the following line:
7. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
8. Allow IP Forwarding:
Edit the file /etc/sysctl.conf:
$ nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward = 1
9. Restart OpenVPN and Networking:
$ /etc/init.d/networking restart
$ /etc/init.d/openvpn restart
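As an added example (not code from the original post), the following Python ties steps 5, 7 and 8 together: it parses a server.conf modelled on the one above, derives the -s argument of the MASQUERADE rule from the server directive, checks the VPN subnet against the networks already in use as the introduction requires, and flags a few settings worth fixing before exposing the server. The subnet, DNS address and local networks are constructed sample values, not the post's.

```python
import ipaddress
import shlex

# Constructed sample modelled on the server.conf in this post, with a
# subnet and DNS server filled in for the demo (not the post's values).
SAMPLE_SERVER_CONF = """
dev tun
proto tcp
port 1194
user nobody
group nogroup
server 10.8.0.0 255.255.255.0   # any private subnet not in use
push "dhcp-option DNS 192.0.2.53"
push "redirect-gateway"
"""

def parse_server_conf(text):
    """Return (directive, args) pairs; comments and blank lines dropped."""
    entries = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # honours quotes, strips '#'
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries

def vpn_subnet(entries):
    """The network handed out by the 'server <net> <mask>' directive."""
    for directive, args in entries:
        if directive == "server" and len(args) == 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}")
    raise ValueError("no 'server <network> <netmask>' directive")

def overlapping_networks(subnet, local_networks):
    """Local networks (CIDR strings) that collide with the VPN subnet."""
    return [n for n in map(ipaddress.ip_network, local_networks) if n.overlaps(subnet)]

def nat_rule(subnet, out_if="eth0"):
    """The POSTROUTING MASQUERADE rule from step 7 with -s filled in."""
    return f"iptables -t nat -A POSTROUTING -s {subnet} -o {out_if} -j MASQUERADE"

def config_warnings(entries):
    """Findings worth fixing before exposing this server to the internet."""
    findings = []
    pushes = [args[0] for d, args in entries if d == "push" and args]
    if any(p.startswith("redirect-gateway") for p in pushes) and \
            not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("redirect-gateway without a pushed DNS server: clients keep their local resolver")
    if ("proto", ["tcp"]) in entries:
        findings.append("proto tcp: UDP is OpenVPN's default and usually performs better")
    if not any(d == "user" for d, _ in entries) or not any(d == "group" for d, _ in entries):
        findings.append("no user/group drop: the daemon keeps the privileges it started with")
    return findings
```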

OpenVPN client setup:

1. Copy the ca.crt and the client key and cert files to the client computer.
2. Create a client config file with the extension '.conf':
3. Insert the following text (note: for Windows clients, the paths will look like "C:\Program Files\OpenVPN\Config\ca.crt"):
dev tun
proto tcp
remote ###.###.###.### 1194 # Server IP address or domain name
remote-cert-tls server
resolv-retry infinite
user nobody
group nogroup
ca /etc/openvpn/keys/ca.crt # Path of ca.crt you generated
cert /etc/openvpn/keys/client.crt # Path of client certificate you generated
key /etc/openvpn/keys/client.key # Path of client key you generated
verb 3

4. Start OpenVPN using the client software of your choice:
If you're using an Ubuntu client:
Place your *.conf file and keys in "/etc/openvpn/" and run
$ /etc/init.d/openvpn start
If you're using a Windows client:
Place your *.conf file and keys in "C:\Program Files\OpenVPN\Config".
Start the OpenVPN service from Windows Services.

PPTP server setup:

1. Install pptpd:
$ apt-get install pptpd

2. Edit /etc/pptpd.conf and change the following lines as shown:
3. Edit /etc/ppp/chap-secrets and add new users as follows:
# Secrets for authentication using CHAP
# client server secret IP addresses
username1 pptpd password1
username2 pptpd password2
4. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
5. To allow dns routing, edit /etc/ppp/pptpd-options and uncomment/edit the following lines (the DNS addresses can be whatever you want - opendns shown):

To check your VPN connection, open a web browser and navigate to http://whatismyip.com or http://getip.com. The IP address shown should be the VPN server's public address, not your local one.