Disclaimer

How to setup a dedicated PPTP VPN Server at your home office or main office

(Main purpose: for road warriors or telecommuters to access servers and network resources behind a firewall)

Pros and Cons of setting up (and using) PPTP VPN:
Pros:
(1) PPTP VPN client comes with all Windows XP.
(2) PPTP VPN uses TCP port 1723. Port 1723 is a standard well-know port used by Microsoft PPTP VPN clients/servers, hence it is unlikely that this port will be blocked by wire-line ISPs. (Most wireless and cellular network operators very cleverly mess up VPN traffic unless you pay them an extra monthly ransom fee to have the VPN traffic un-messed).
(3) Implementing a PPTP VPN server using Linux is more cost effective than using Windows Server 2003. In this example, the Linux PPTP VPN server software is free. Windows Server 2003 with 5 client-access has a price tag of US $999, ISA Server 2004 has a street price of US $1975. (but of course these products comes with many, many other features).
(4) Hardware cost is low - Linux can run happily on modest hardware platforms.
Cons:
(1) In developing countries, hotels may use older routers that allows zero or one PPTP VPN session per hotel. If your road warriors are in these hotels, only zero or one user can use PPTP VPN at any given time. Reason: PPTP VPN uses GRE 47 routing protocol which does not coexist well with older NAT routers. See this diagram.
(2) User authentication depends completely on password, hence the security of the network depends on good user passwords.
 

Caveats:
-Assuming you have an externally accessible IP address, some ISPs do not give out externally accessible IP address.
-Assuming that your ISP allows you to set up a server in your network.
-Depends on the type of firewall/router (Dlink, Linksys, Linux, etc) you use at the home/office perimeter, the road warrior may or may not be able to access web sites that are outside the firewall while he is VPN into the internal network. For Debian PPTP VPN, it seems to be a hit and miss situation, depends on the type of router and firewall you have at the main entry point. Of course after the road warrior disconnects from the VPN, he can have full access the outside web sites again.
-If you VPN into your home/office network and still want "outside access", you can use OpenVPN as OpenVPN is NAT and router friendly, but OpenVPN is slightly harder to setup. In addition, OpenVPN connects you to your network inside, and it can also route all your traffic from your network to the "outside world", so that you have full access to all search engines and VoIP traffic as if you were at home.
-If you VPN into your home/office network and still want "outside access", you can also consider using a Linksys WRT54GL box as an appliance PPTP VPN server, replace the factory firmware with DD-WRT firmware (use the DD-WRT vpn version). You can put the WRT54GL appliance as the main entry router, or behind a D-LINK 604 main entry router and port forward TCP 1723 to the WRT54GL appliance.

How to setup a Debian PPTP VPN Server:
(user reported that this "how to" also works for Ubuntu Linux)

Server hardware:

An Intel P3 or Intel P4 or AMD CPU (>500 MHz CPU), >64 Meg RAM, >20 G Hard disk.


Instead of building a Linux server, you can also use a Linksys WRT54GL, replace the Linksys firmware with DD-WRT's VPN version.
The DD-WRT VPN version has an excellent PPTP server which is exteremely easy to set up and works nicely behind consumer grade router/firewalls.
The PPTP server is in the Administration Tab, Services Tab. Check the PPTP check box. Server IP is the IP address of the WRT54GL box itself.
CHAP secret field is in the form of  username * password *
e.g. alice * strong-password  *

Software for Debian:

Create a "Debian install CD" using a CD image file.
Download the file "debian-40r0-i386-netinst.iso"  (about 160 meg bytes) from
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/
Create a CD using the iso image file and a suitable CD burner software.

Insert the Debian (netinst) install CD in the server, power up the server.
Follow the prompts to install a standard system (not a desktop, not a workstation, not a server)

After the Debian operating system is installed, install the Microsoft-compatible PPTP VPN server as follows:
(pptpd is the PPTP VPN server, mc is Midnight Commander, an editor similar to "notepad")
aptitude install pptpd mc

Type ifconfig and inspect the "eth0" section to find out the IP address of your server [inet addr]

mc -e /etc/pptpd.conf  
  add two lines: 
Assuming that your internal network IP address is 10.5.1.xxx, geeks call this the 10.5.1.0/24 subnet.
If you are not using this subnet, change the IP addresses below to suit your local environment.
localip 10.5.1.3  (this address should be the IP address of your server [inet addr] when you type ifconfig, see above )
remoteip   10.5.1.241-246 

Above allocation assigns 6 IP addresses for 6 roaming users/telecommuters to VPN into your corporate network simultaneously,
super geeks call this the 10.5.1.240/29 subnet (to intimidate others), see this subnet chart on the different subnets you can choose without having to ask a super geek. The first address in a block is called the "network address", the last number in a block is called the "broadcast address",
to be an Internet purist, you should avoid assigning the network address or broadcast address to any roaming users.

Specify two DNS servers which are provided by your ISP.
mc  -e   /etc/ppp/options
find the line that says ms-dns, modify the IP addresses to suit your local environment.
These two IP addresses should be the IP addresses of the DNS servers provided to you by your ISP/cable/ADSL company.
Don't use other DNS servers as they may block queries that come from outside their network environment.
ms-dns  216.21.128.22 
ms-dns  216.21.129.22

Create user accounts and passwords for roaming/telecommuting users to access your VPN server (use strong passwords for security)
mc  -e  /etc/ppp/chap-secrets
    e.g.
alice pptpd a-strong-password  *
bob pptpd another-strong-password  *

The trailing * means these users are allowed to come in from any IP address, if the telecommuter or branch office
has a static or fixed IP address and never roams, then you can replace the * with his/her fixed IP address (or IP address block) for increased security.

One more tweak is to instruct the Linux kernel to "forward" VPN packets.

mc -e   /etc/sysctrl.conf
fine the line that says:
#net.ipv4.conf.default.forwarding=1
delete the #
save the file.
reboot
With older kernels, you may need to add this (depreciated) steps:
touch   /etc/init.d/pptp
chmod 755  /etc/init.d/pptp
mc  -e  /etc/init.d/pptp   edit the file, add one line, save the file.
echo 1 > /proc/sys/net/ipv4/ip_forward

cd   /etc/rcS.d
ln  -s   /etc/init.d/pptp   S85-pptp-packet-forward
reboot


If the PPTP VPN server is behind a DLINK router/firewall, configure your router/firewall to forward (or allow) TCP port 1723 to the PPTP VPN server. You can find out what IP address the VPN server is using, simply type ifconfig and inspect the "eth0" section.
You also need to forward protocol GRE 47 to the PPTP server, modern D-Link routers will do this automatically for you when you forward TCP port 1723 to an internal IP address.


Linksys WRT54G V4 with factory firmware does not seem to forward GRE 47 protocol from WAN-to-LAN, hence you cannot use a PPTP VPN server behind such router/firewall.
Consider changing the factory firmware to DD-WRT www.dd-wrt.com   Disclaimer 

g
On the roaming or telecommuter XP laptop, create a VPN network connection icon.
Start ... Connect To ... Show All ....Create New Connection ... connect to the network at my workplace...
Virtual Private Network connection ... Company is myHQ ... Do not dial the initial connection ...
Hostname or IP address is your externally accessible IP address ... add a shortcut to desktop

To establish a VPN connection from hotels or telecommuting offices:

Double click the desktop VPN icon, enter username and password.
You are now VPN'ed to your home office or corporate office! This has the effect of moving the roaming user into the home/office. Click here

You can access your home/corporate email servers and other TCP-based services (such as print servers, VNC servers, etc) almost exactly as if you were sitting at home/office, except perhaps slower. The PPTP VPN is a tunnel which encrypts the data traffic while traveling over a public network.

Caveats:
 You might not be able to do full Windows Network Browsing. There is a work around. Click here.
 Your home/corporate network IP address range (geeks call subnet) should be different than that of hotel/telecommuter, e.g., in above example, it might not work if the hotel or telecommuter also uses IP addresses 192.168.1.xxx.  Note that 192.168.1.xxx is the default IP subnet used by the popular Linksys WRT54G routers. In other words, if your home/corporate network is 192.168.1.xxx, then the road warriors will complain for sure because many hotels are also using 192.168.1.xxx, in that case, you need to change your home/office network to 10.x.x.x, which is a rather painful exercise.

Maintenance.
Periodically issue two commands to keep the system patched up to the latest security fixes. Click here.

Disclaimer

© 2007-2008 Nicholas Fong

Revised February 21, 2008