How to setup a PPTP VPN server in your home or corporate office

How to setup a dedicated PPTP VPN Server at your home office or main office.

(Purpose is to enable road warriors, telecommuters, iPhones or iPads to access servers and network resources behind a company firewall.
If this setup gets too complicated, use commercial grade dedicated server hosting )

Pros and Cons of setting up (and using) PPTP VPN:
Pros:
(1) PPTP VPN client comes native with all Windows XP and Vista, and iPhone.
(2) PPTP VPN uses TCP port 1723 (plus some nasty called GRE 47 protocol). Port 1723 is a standard well-know port used by Microsoft PPTP VPN clients/servers, hence it is unlikely that this port is blocked by wire-line ISPs. (However, wireless operators block VPN traffic unless you pay them an extra monthly ransom fee to have the VPN traffic unblocked).
(3) Software cost for a PPTP VPN server using

Linux is much lower than Windows Servers.
(4) Hardware cost is low - Linux can run happily on low end hardware platforms.
Cons:
(1) In developing countries and small towns where log cabins and garden sheds are plentiful, hotels may use old routers that allows zero or one PPTP VPN session per hotel. If your road warriors are in these locations, only zero or one user can use PPTP VPN at any given time.
Reason: PPTP VPN uses the nasty GRE 47 routing protocol which does not work with old NAT routers. See this diagram.
(2) User authentication depends completely on password, hence the security of the network depends on users having good passwords.

(3) A fact of life: remote users will experience a performance hit, depends on the network conditions.

Hint: For large files that are on a "shared" network drive, grab the file from remote to local desktop, then do editing, then drag the edited file back to remote server.

Caveats emptor:
-Assuming you have an externally accessible IP address, some ISPs do not give out externally accessible IP address.
-Assuming that your ISP allows you to set up a server in your network.
-Depends on the type of firewall/router, the road warrior may or may not be able to access the Internet while VPN. See this combination.
-If you use an internal Linksys WRT54GL with DD-WRT-VPN firmware upgrade, behind a D-LINK main firewall, don't forget to port forward TCP 1723 (and Protocol 47 GRE which is done automatically by the D-LINK firmware) to the IP address of the internal Linksys box.
-If you VPN into your home/office network and still want "Internet access", consider OpenVPN (OpenVPN is NAT and router friendly), OpenVPN is slightly harder to setup. In addition, OpenVPN can be configured to operate as: (default, partial stealth) only the internal traffic goes home; or (full stealth) all traffic goes through home.

How to setup a Debian PPTP VPN Server:
(user reported that this also works for Ubuntu Linux)

Server hardware:

Intel Pentium 3 or Intel Pentium 4 or AMD CPU (500 MHz CPU), 64 Meg RAM, 20 G Hard disk.

Software for Debian:

Create a "Debian install CD" from a CD image file.
Download the iso file "debian-xxx-i386-CD-1.iso" or
download the iso file "debian-xxxx-i386-netinst.iso" from Debian.org
Create a CD from the iso image file using any suitable CD burning software.

Insert the Debian install CD in the server, power up the server.
Follow the prompts to install a standard system (not a desktop, not a workstation, not a server)

After the Debian operating system is installed, login as root, install the Microsoft-compatible PPTP VPN server as follows:
(pptpd is the PPTP VPN server, mc is Midnight Commander, an editor similar to "notepad")
aptitude install pptpd mc

Type ifconfig and inspect the "eth0" section to find out the IP address of your server [inet addr]

mc -e /etc/pptpd.conf
add two lines:
(Assuming that your internal network IP address is 10.5.1.xxx, geeks call this the 10.5.1.0/24 subnet).
(It is important to avoid using the 192.168.1.xxx subnet for your home because most hotels, Linksys boxes, Cisco boxes, TP-LINK and Trendnet default to 192.168.1.xxx You cannot VPN from one 192.168.1.0/24 network into another 192.168.1.0/24 network)
localip 10.5.1.3 (this address should be your server's IP address, [inet addr] when you type ifconfig, see above )
remoteip 10.5.1.241-246

Above configuration assigns six (6) IP addresses for 6 roaming users to VPN into your home/corporate network simultaneously, super geeks (geeks that have network knowledge over and above normal geeks) call this the 10.5.1.240/29 subnet (to intimidate other ordinary geeks), see this subnet chart for different subnets you can choose from, without having to ask a super geek. The first address in a block is called the "network address", the last number in a block is called the "broadcast address", to be an Internet purist, avoid assigning the network address or the broadcast address to any roaming users (the first and last address of any block in the subnet chart).

mc -e /etc/ppp/options
find the line that says ms-dns, modify the IP addresses to suit your local environment.
These two IP addresses should be the IP addresses of the DNS servers provided to you by your ISP.
The following examples are the OpenDNS servers which anyone can use.
ms-dns 208.67.222.222
ms-dns 208.67.220.220

If you like to use Google's public DNS servers, do this
ms-dns 8.8.8.8
ms-dns 8.8.4.4

Create user accounts and passwords for roaming/telecommuting users to access your VPN server (use strong passwords for security)
mc -e /etc/ppp/chap-secrets
e.g.
alice pptpd a-strong-password *
bob pptpd another-strong-password *

The trailing * means these users are allowed to come in from any IP address, if the telecommuter or branch office
has a static or fixed IP address and never roams, then you can replace the * with his/her fixed IP address (or IP address block) for added security.

Change the Debian box from DHCP to static IP address:
mc -e /etc/network/interfaces
find the line that says iface eth0 inet dhcp
change the above line to iface eth0 inet static
add 4 lines below the iface eth0 inet static line, the actual addresses you use should be your own internal network environment.
    address 10.5.1.3
    netmask 255.255.255.0
    broadcast 10.5.1.255
    gateway 10.5.1.1
F2 to save the file, F10 to quit editing

One final tweak before you can go live.
Add 2 lines to instruct the Linux kernel (at boot time) to "forward" packets and to "nat postrouting masquerade" (real gooblygook).
Thanks to Axel Sylvester of Germany for the masquerade command.

mc -e /etc/rc.local
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
save the file.
reboot

With older kernels, do these (depreciated) steps instead of above:
touch /etc/init.d/pptp
chmod 755 /etc/init.d/pptp
mc -e /etc/init.d/pptp edit the file, add one line, save the file.
echo 1 > /proc/sys/net/ipv4/ip_forward

cd /etc/rcS.d
ln -s /etc/init.d/pptp S85-pptp-packet-forward
reboot

If the PPTP VPN server is behind a D-LINK router/firewall, configure your D-LINK router/firewall to forward (or allow) TCP port 1723 to the PPTP VPN server. You can find out what IP address the VPN server is using, simply type ifconfig and inspect the "eth0" section.
You also need to forward protocol GRE 47 to the PPTP server, D-Link routers will do this automatically for you when you forward TCP port 1723 to an internal IP address.

Linksys WRT54G V4 with factory firmware (or DD-WRT firmware) cannot forward GRE 47 protocol from WAN-to-LAN, hence you cannot use a PPTP VPN server behind such router/firewall. But if you upgrade the firmware to DD-WRT-VPN , you can use the same box to do firewall and PPTP VPN at the main entry point. Other combinations that might work are shown in this combination chart.

Disclaimer

On the roaming or telecommuter

XP or

Windows 7 laptop (or iPhone iPad), create a VPN network connection icon.
Start ... Connect To ... Show All ....Create New Connection ... connect to the network at my workplace...
Virtual Private Network connection ... Company is myHQ ... Do not dial the initial connection ...
Hostname or IP address is your externally accessible IP address ... add a shortcut to desktop

To establish a VPN connection from hotels or telecommuting offices:

Double click the desktop VPN icon, enter username and password.

You are now VPN'ed to your home office or corporate office! This has the effect of moving the roaming user into the home/office. Click here

You can access your home/corporate email servers and other TCP-based services (such as print servers, VNC servers, etc) almost exactly as if you were sitting at home/office, except perhaps much slower. The PPTP VPN is a tunnel which encrypts the data traffic while traveling over a public network.

Caveats:

You might not be able to do full Windows Network Browsing. There is a work around. Click here.

Your home/corporate network IP address range (geeks call subnet) should be different than that of hotel/telecommuter, e.g., in above example, it might not work if the hotel or telecommuter also uses IP addresses 192.168.1.xxx. Note that 192.168.1.xxx is the default IP subnet used by the popular Linksys WRT54G routers. In other words, if your home/corporate network is 192.168.1.xxx, then the road warriors will complain for sure because most hotels are also using 192.168.1.xxx, in that case, you need to change your home/office network to 10.x.x.x, which is a rather painful exercise.

Maintenance.
Periodically issue two commands to keep the system patched up to the latest security fixes. Click here.

Once you have a VPN server, you may want to increase your security by using email security software