PPTP VPN Server for Site-to-Site VPN Tunneling (Connect Branch Offices to Central Office-HQ)
What is this howto...
This howto will help you configure Ubuntu/Debian as a PPTP VPN server for site-to-site VPN.
Here the main vpn-server is kept in a central location (Head Office - HQ), and other remote locations (Branch Offices - BR) are connected to the HQ through the vpn-tunnel. In each remote location there is a vpn-box running Ubuntu/Debian, connected to the HQ as a vpn client. Behind the remote vpn-box is its local network; through the tunnel that network reaches the internal application servers in HQ and gets internet access (using the proxy in HQ). The same vpn-server can also serve road-warrior vpn clients.
Keep in mind what PPTP gives you: authentication is MS-CHAPv2 and encryption is MPPE, both of which are known to be weak, so restrict who can reach the server (firewall rules below) and treat the tunnel as a way of connecting the sites rather than as strong protection against an attacker who captures the traffic.
In remote locations you may also use D-Link, LinkSys, Micronet etc. VPN routers or Windows XP as the vpn-client; this howto does not cover those, it is only for Ubuntu/Debian as VPN client.
(Script Last Tested on Ubuntu-9.04)
Suppose...
In HQ you have a linux-box whose hostname is vpn-server; it has two network interface cards:
network interface 1: eth0 : IP: 123.49.42.180, connected to the internet (WAN)
network interface 2: eth1 : IP: 192.168.100.254, connected to the local network (LAN) in HQ
Now this vpn server will have two types of client:
(a) A remote location (Branch Office - BR) that accesses the local network behind this vpn server.
(b) Any PC (a road warrior) on travel that accesses the local network behind this vpn server.
In the remote location BR you have a linux-box whose hostname is vpn-client; it has two network interface cards:
network interface 1: eth0 : IP: 123.49.42.181, connected to the internet (WAN)
network interface 2: eth1 : IP: 192.168.111.254, connected to the local network (LAN) in BR
Requirements...
> vpn-server linux-box
> internet connection; for package installation
> pptpd, pptp-linux
> windows client pc
> linux client pc
Special Note ...
While configuring Ubuntu/Debian servers/PCs I always use the root shell; if you use the Desktop/GUI edition of Linux, open a terminal and run "sudo su"; otherwise you have to put sudo before every shell command.
So, let's start; I hope you have already installed Ubuntu/Debian.
STEP-01: Linux as pptp vpn server (Ubuntu/Debian) in HQ
Login as root to your vpn-server and install the package for the PPTP vpn-server (pptpd):

# apt-get update
# apt-get -q -y install pptpd
# cp /etc/pptpd.conf /etc/pptpd.conf.original
# echo "" > /etc/pptpd.conf

Add (copy/paste) the following lines to /etc/pptpd.conf

# vim /etc/pptpd.conf

option /etc/ppp/pptpd-options
logwtmp
localip 192.168.100.254
remoteip 192.168.100.130-199

Save + Exit

'localip' is the address the server uses on its end of every tunnel and 'remoteip' is the pool handed out to clients; both are inside the HQ LAN so that, together with 'proxyarp' below, clients appear as hosts on that LAN. 'option' points pppd at /etc/ppp/pptpd-options (shipped by the pptpd package), so that is the file to configure for the vpn-server; leave the global /etc/ppp/options alone, as it applies to every pppd connection on the box.

Configure the option file /etc/ppp/pptpd-options

# cp /etc/ppp/pptpd-options /etc/ppp/pptpd-options.original
# echo "" > /etc/ppp/pptpd-options
# vim /etc/ppp/pptpd-options

Add (copy/paste) the following lines (please use your own dns server address in 'ms-dns') ...

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.100.254
ms-dns 192.168.100.253
asyncmap 0
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx

Save + Exit

'name pptpd' is the server name that the second column of chap-secrets is matched against. 'require-mschap-v2' and 'require-mppe-128' make the server demand MS-CHAPv2 authentication and 128-bit MPPE encryption from every client (the client configuration in STEP-02 requires the same, and MPPE keys are only derived from an MS-CHAP exchange); do not put 'noauth' in this file, as that tells pppd not to ask the client for any credentials at all.

Add the user/ip for each vpn-client/user in the chap-secret file /etc/ppp/chap-secrets

# vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client    server  secret    IP addresses
user1       pptpd   pwuser1   192.168.100.130
user2       pptpd   pwuser2   192.168.100.131

Save + Exit

The secrets are stored in clear text, so the file must stay readable by root only (the package installs it as mode 600; check with 'ls -l /etc/ppp/chap-secrets'). Giving each branch a fixed address from the remoteip pool, as above, is what lets you refer to that branch in firewall and proxy rules later.

Finally start/restart the pptpd service/daemon

# /etc/init.d/pptpd restart

For the vpn-server to pass traffic between the ppp links and the HQ LAN the kernel must forward packets, so enable IP forwarding (and make it persistent with net.ipv4.ip_forward=1 in /etc/sysctl.conf):

# echo 1 > /proc/sys/net/ipv4/ip_forward

In your firewall you have to allow the PPTP control connection (TCP port 1723, incoming to the vpn-server) and GRE (IP protocol 47), which carries the tunnelled packets themselves, plus forwarding between the ppp links and the LAN interface:

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp+ -j ACCEPT

For a site-to-site only setup add '-s 123.49.42.181' (the BR WAN address) to the two INPUT rules so that only the branch can open a tunnel; leave it out if road warriors connect from arbitrary addresses.

So, your PPTP VPN server is now ready for action.
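As an added example (not part of the original howto), the following shell script audits the server-side files just created for the settings that matter: the options file must require MS-CHAPv2 and 128-bit MPPE and must not contain noauth, and every chap-secrets entry must use the server name pptpd, carry a secret, and pin an address inside the remoteip pool (or '*'); it also warns when chap-secrets is readable by other users. The function names and the sample files written by make_samples are my own construction; on the real server point the audit functions at /etc/ppp/pptpd-options, /etc/ppp/chap-secrets and the remoteip value from /etc/pptpd.conf.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit the server-side
# files configured above. Each check takes the file path as an argument, so
# it can be pointed at /etc/ppp/pptpd-options, /etc/ppp/chap-secrets and the
# remoteip value from /etc/pptpd.conf; make_samples writes constructed copies
# for trying it out without touching /etc.

# List the options in effect in a pppd options file, one keyword per line
# (comments and blank lines dropped, values after the keyword ignored).
effective_options() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Return 0 when the server options demand MS-CHAPv2 and 128-bit MPPE and do
# not contain noauth; print one line per failing check.
audit_options() {
    rc=0
    opts=$(effective_options "$1")
    for need in require-mschap-v2 require-mppe-128; do
        if ! printf '%s\n' "$opts" | grep -qx "$need"; then
            echo "options: missing $need"; rc=1
        fi
    done
    if printf '%s\n' "$opts" | grep -qx noauth; then
        echo "options: noauth present, clients are not asked for credentials"; rc=1
    fi
    return $rc
}

# Split a pptpd remoteip value such as 192.168.100.130-199 into the three
# words "192.168.100 130 199". Handles the single-range form used in this
# howto, not comma-separated lists.
parse_remoteip() {
    prefix=${1%.*}; range=${1##*.}
    echo "$prefix ${range%-*} ${range#*-}"
}

# Return 0 if IP (dotted quad, $1) lies in PREFIX.LOW-HIGH ($2 $3 $4).
ip_in_range() {
    [ "${1%.*}" = "$2" ] || return 1
    last=${1##*.}
    [ "$last" -ge "$3" ] && [ "$last" -le "$4" ]
}

# Return 0 when chap-secrets is not readable by "other" and every entry
# names the expected server, has a secret, and pins an address inside the
# remoteip pool (or *); print one line per problem. Secrets are clear text,
# hence the mode check.
audit_secrets() {
    file=$1; server=$2; pool=$(parse_remoteip "$3"); rc=0
    case $(ls -ld "$file" | cut -c8-10) in
        ---) ;;
        *) echo "secrets: $file is readable by other users"; rc=1 ;;
    esac
    # the loop runs in a subshell, so collect its findings through stdout
    found=$(sed 's/#.*//' "$file" | awk 'NF' |
        while read -r client srv secret ip rest; do
            [ "$srv" = "$server" ] || echo "secrets: $client: server '$srv' is not '$server'"
            [ -n "$secret" ] || echo "secrets: $client: empty secret"
            # $pool is unquoted on purpose: it splits into prefix, low, high
            if [ "$ip" != "*" ] && ! ip_in_range "$ip" $pool; then
                echo "secrets: $client: $ip is outside the remoteip pool $3"
            fi
        done)
    if [ -n "$found" ]; then echo "$found"; rc=1; fi
    return $rc
}

# Write constructed sample files into DIR: a good options file, one with the
# weak settings (noauth, no MPPE), and a chap-secrets with one bad entry.
make_samples() {
    printf '%s\n' 'name pptpd' refuse-pap refuse-chap refuse-mschap \
        require-mschap-v2 require-mppe-128 'ms-dns 192.168.100.254' \
        proxyarp lock > "$1/pptpd-options.good"
    printf '%s\n' 'ms-dns 192.168.100.254' 'asyncmap 0' noauth proxyarp \
        'lcp-echo-interval 30' > "$1/pptpd-options.bad"
    printf '%s\n' '# client server secret IP addresses' \
        'user1 pptpd pwuser1 192.168.100.130' \
        'user2 pptpd pwuser2 192.168.100.131' \
        'user3 PPTP pwuser3 192.168.100.250' > "$1/chap-secrets"
    chmod 600 "$1/chap-secrets"
}

# Usage on the real server:
#   audit_options /etc/ppp/pptpd-options
#   audit_secrets /etc/ppp/chap-secrets pptpd "$(awk '/^remoteip/ {print $2}' /etc/pptpd.conf)"
# Run with a directory argument to exercise the checks on the sample files.
if [ -n "$1" ]; then
    make_samples "$1"
    audit_options "$1/pptpd-options.good" && echo "good options: ok"
    audit_options "$1/pptpd-options.bad" || echo "bad options: rejected"
    audit_secrets "$1/chap-secrets" pptpd 192.168.100.130-199 || echo "secrets: problems found"
fi
```

The mode check uses the "other" column of 'ls -l' rather than a GNU-only stat format so it works on any Debian-derived box; the pool check only understands the single range form used in this howto.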
STEP-02: Linux as pptp vpn client (Ubuntu/Debian) for Site-to-Site VPN Tunneling
Login as root to your VPN client in BR and install the pptp client package (network-manager-pptp is only needed if you dial from the GNOME network manager; it is not needed on a headless vpn-box):

# apt-get -q -y install pptp-linux

Set the username/password in /etc/ppp/chap-secrets

# vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client    server  secret    IP addresses
user1       PPTP    pwuser1   *

Save + Exit

Make the vpn-dialer (add config lines in /etc/ppp/peers/conntovpns.sh) ...

# vim /etc/ppp/peers/conntovpns.sh

pty "pptp 123.49.42.180 --nolaunchpppd"
name user1
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam conntovpns.sh

Save + Exit

'name user1' and 'remotename PPTP' must match the first and second column of chap-secrets; 'require-mppe-128' makes the client drop the link unless the server negotiates 128-bit MPPE; 'ipparam' is passed to the scripts in /etc/ppp/ip-up.d (as their sixth argument and as $PPP_IPPARAM), which the route script below uses to act only on this connection.

Configure the vpn connection options (this file is shipped by pptp-linux; back it up before editing)

# cp /etc/ppp/options.pptp /etc/ppp/options.pptp.original
# echo "" > /etc/ppp/options.pptp
# vim /etc/ppp/options.pptp

Add (copy/paste) the following lines

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Save + Exit

Here 'noauth' only means the client does not require the server to authenticate itself; with pap, eap, chap and plain mschap refused, MS-CHAPv2 is the only method the client will use to prove its own identity, which is what the server requires.

Routing the vpn traffic; make the route script as /etc/ppp/ip-up.d/route-traffic (no dot in the name: Debian's /etc/ppp/ip-up runs this directory with run-parts, which silently skips file names containing a dot)

# vim /etc/ppp/ip-up.d/route-traffic

Add the following lines

#!/bin/bash
# Debian's /etc/ppp/ip-up exports PPP_IFACE, PPP_LOCAL and PPP_IPPARAM;
# pppd itself passes the same values as $1, $4 and $6.
[ "${PPP_IPPARAM:-$6}" = "conntovpns.sh" ] || exit 0   # not our connection
NET="192.168.100.0/24"          # LAN behind the HQ vpn-server
IFACE="${PPP_IFACE:-$1}"        # the ppp interface that just came up
route add -net ${NET} dev ${IFACE}

Save + Exit

Change the file permission and now establish the connection to the vpn server

# chmod +x /etc/ppp/ip-up.d/route-traffic
# pppd call conntovpns.sh

Now the vpn connection should be established and you will be able to reach the local network behind the vpn server. Check with 'ifconfig ppp0' that ppp0 got an address from the server's remoteip pool (192.168.100.130 for user1) and with 'route -n' that 192.168.100.0/24 points at ppp0.

To disconnect from the vpn, apply the following command (pppd is the client process; pptpd only exists on the server).

# killall pppd

There is an alternate method to dial the vpn, as follows ...

# pon conntovpns.sh      ; to dial the vpn
# poff conntovpns.sh     ; to disconnect from the vpn
STEP-03: Route (NAT) the local network in BR
In this section we set up the route/NAT of the local network in the remote office so it can reach the application servers in HQ. The BR LAN (192.168.111.0/24) is not known to HQ; source-NATing it to the address pppd got on ppp0 (192.168.100.130 for user1, pinned in the server's chap-secrets) makes the traffic look to HQ like it comes from one host on its own LAN, which proxyarp on the vpn-server already answers for.
Login as root to your vpn-client in BR; make the vpn_nat.sh script using iptables ...

# vim /usr/bin/vpn_nat.sh

Add (copy/paste) the following lines ...

#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
IPT="/sbin/iptables"

# Start from a clean rule set in every table. This also removes any
# firewall rules already loaded, so keep your firewall rules in this
# script or run it before the firewall script.
for table in filter nat mangle; do
    $IPT -t $table -F
    $IPT -t $table -X
    $IPT -t $table -Z
done

LAN_IP="192.168.111.0/24"   # local network of the branch office
WAN_IP="192.168.100.130"    # IP of the ppp0 interface, assigned by HQ when the vpn comes up

# Only rewrite traffic that actually leaves through the tunnel; without
# -o ppp0, packets going out eth0 would also get the 192.168.100.130
# source address and be dropped by the upstream.
$IPT -t nat -A POSTROUTING -s $LAN_IP -o ppp0 -j SNAT --to-source $WAN_IP

Save + Exit

Change the file permission and run the file...

# chmod 755 /usr/bin/vpn_nat.sh
# /usr/bin/vpn_nat.sh

Now set /etc/rc.local to run the NAT script and dial the vpn automatically, so that everything is in place after a boot/reboot...

# vim /etc/rc.local

Add the following lines, before the line 'exit 0'

pon conntovpns.sh       # dial the vpn
/usr/bin/vpn_nat.sh     # apply NAT

Save + Exit

So, your vpn-client in BR with its local network is ready. Now reboot the system, and try to ping/reach from a local network ip behind the vpn-client in BR to any ip behind the vpn-server in HQ; all should work properly. At this stage, if you also want to provide internet to BR controlled from HQ, you can simply put the proxy ip and port configured in HQ into the browser's network options on any PC/workstation in BR (you have to allow the vpn-client ip gained by ppp0 in BR into the proxy in HQ). I will add a section with user authentication and ACLs (access control lists), including more options/extras for the proxy in HQ, very soon.
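The route script in STEP-02 and vpn_nat.sh in STEP-03 each carry a copy of the interface name and the branch's tunnel address. As an added example that is not part of the original howto, the following single /etc/ppp/ip-up.d hook for the BR vpn-client takes both from what pppd hands to ip-up scripts (interface in $1, local address in $4, ipparam in $6, or the PPP_* variables Debian's /etc/ppp/ip-up exports), acts only for the conntovpns.sh peer, refuses malformed values before putting them into commands, and installs the route and the SNAT rule without duplicating the rule when the link reconnects. The function names, the IP and IPT variables (overridable so the planned commands can be printed without root) and the validation are my own; the addresses are the ones used in this howto.

```shell
#!/bin/sh
# Added example, not part of the original howto: one /etc/ppp/ip-up.d hook
# for the BR vpn-client that installs the HQ route and the branch SNAT rule
# from the values pppd passes to ip-up scripts, instead of hard-coding ppp0
# and 192.168.100.130. pppd invokes ip-up scripts as:
#   script IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Debian's /etc/ppp/ip-up also exports them as PPP_IFACE, PPP_LOCAL, PPP_IPPARAM.

PEER="conntovpns.sh"          # ipparam set in /etc/ppp/peers/conntovpns.sh
HQ_NET="192.168.100.0/24"     # LAN behind the HQ vpn-server
BR_LAN="192.168.111.0/24"     # LAN behind this BR vpn-client
IP="${IP:-/sbin/ip}"          # overridable so the plan can be dry-run
IPT="${IPT:-/sbin/iptables}"

# Return 0 only for the peer this hook is meant for; pppd runs every
# ip-up.d script for every ppp link, and an unrelated link must not get
# the branch NAT rule.
want_peer() {
    [ "$1" = "$PEER" ]
}

# Accept only names pppd itself generates (pppN); the value is later put
# into a command line, so anything else is refused.
valid_iface() {
    case $1 in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept a dotted-quad IPv4 address with exactly four numeric octets 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands to run for IFACE ($1) with local address LOCALIP ($2),
# one per line. The -D before -A keeps the SNAT rule from piling up when
# the link flaps; the route goes out the ppp link because HQ's LAN side is
# reached through proxyarp on the vpn-server.
nat_plan() {
    printf '%s\n' \
        "$IP route replace $HQ_NET dev $1" \
        "$IPT -t nat -D POSTROUTING -s $BR_LAN -o $1 -j SNAT --to-source $2" \
        "$IPT -t nat -A POSTROUTING -s $BR_LAN -o $1 -j SNAT --to-source $2"
}

# Entry point with pppd's ip-up arguments. Returns 0 when this link is not
# ours (nothing to do); non-zero only on bad input or a failed command.
hook_main() {
    iface=${PPP_IFACE:-$1}; localip=${PPP_LOCAL:-$4}; ipparam=${PPP_IPPARAM:-$6}
    want_peer "$ipparam" || return 0
    valid_iface "$iface" || { echo "ip-up: unexpected interface '$iface'" >&2; return 1; }
    valid_ipv4 "$localip" || { echo "ip-up: bad local address '$localip'" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_plan "$iface" "$localip" | while read -r cmd; do
        case $cmd in
            *" -D "*) $cmd 2>/dev/null || true ;;   # rule may not exist yet
            *) $cmd || exit 1 ;;                    # exits the subshell, fails the hook
        esac
    done
}

hook_main "$@"
```

Install it as /etc/ppp/ip-up.d/vpn-nat (mode 755, no dot in the name because run-parts skips those) in place of the route script and the SNAT line of vpn_nat.sh; the flush loop of vpn_nat.sh can stay in rc.local. No ip-down counterpart is needed: the route disappears with the interface, and a POSTROUTING rule bound to an interface that no longer exists matches nothing.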
STEP-04: Windows as pptp vpn client (XP) as Road-Warrior
As it is much easier to make a pptp vpn dialer in Windows, I am only providing a reference link; you can try it yourself. The Windows connection must be set to require encryption and to use MS-CHAPv2, otherwise the server configured above (require-mschap-v2, require-mppe-128) will reject it.
Reference link: http://doc.m0n0.ch/handbook/pptp-windows.html