Configure a PPTP VPN Server on Ubuntu Linux
Submitted by admin, on February 10th, 2012
If you need to access your network (be it a home network, or a work network) from a remote location, a great option is to set up some sort of VPN connection.
Introduction
Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks privately and securely as if you were on a private network. The traffic emerges from the VPN server and continues its journey to the destination.
When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from the untrusted network.
OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we'll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and Android. This tutorial will keep the installation and configuration steps as simple as possible for these setups.
Note: If you plan to set up an OpenVPN server on a DigitalOcean Droplet, be aware that we, like many hosting providers, charge for bandwidth overages. For this reason, please be mindful of how much traffic your server is handling.
See this page for more info.
Prerequisites
To complete this tutorial, you will need access to an Ubuntu 16.04 server.
You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our Ubuntu 16.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which we will assume is in place during this guide.
When you are ready to begin, log into your Ubuntu server as your sudo user and continue below.
Step 1: Install OpenVPN
To start off, we will install OpenVPN onto our server. OpenVPN is available in Ubuntu's default repositories, so we can use apt for the installation. We will also be installing the easy-rsa package, which will help us set up an internal CA (certificate authority) for use with our VPN.
To update your server's package index and install the necessary packages, type:
The needed software is now on the server, ready to be configured.
Step 2: Set Up the CA Directory
OpenVPN is a TLS/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. In order to issue trusted certificates, we will need to set up our own simple certificate authority (CA).
To begin, we can copy the easy-rsa template directory into our home directory with the make-cadir command:
Move into the newly created directory to begin configuring the CA:
Step 3: Configure the CA Variables
To configure the values our CA will use, we need to edit the vars file within the directory. Open that file now in your text editor:
Inside, you will find some variables that can be adjusted to determine how your certificates will be created. We only need to worry about a few of these.
Towards the bottom of the file, find the settings that set field defaults for new certificates. It should look something like this:
Edit the values to whatever you'd prefer, but do not leave them blank:
~/openvpn-ca/vars
While we are here, we will also edit the KEY_NAME value just below this section, which populates the subject field. To keep this simple, we'll call it server in this guide:
When you are finished, save and close the file.
Step 4: Build the Certificate Authority
Now, we can use the variables we set and the easy-rsa utilities to build our certificate authority.
Ensure you are in your CA directory, and then source the vars file you just edited:
You should see the following if it was sourced correctly:
Make sure we're operating in a clean environment by typing:
Now, we can build our root CA by typing:
This will initiate the process of creating the root certificate authority key and certificate. Since we filled out the vars file, all of the values should be populated automatically. Just press ENTER through the prompts to confirm the selections:
We now have a CA that can be used to create the rest of the files we need.
Step 5: Create the Server Certificate, Key, and Encryption Files
Next, we will generate our server certificate and key pair, as well as some additional files used during the encryption process.
Start by generating the OpenVPN server certificate and key pair. We can do this by typing:
Note: If you choose a name other than server here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.
Once again, the prompts will have default values based on the argument we just passed in (server) and the contents of the vars file we sourced.
Feel free to accept the default values by pressing ENTER. Do not enter a challenge password for this setup. Towards the end, you will have to enter y to two questions to sign and commit the certificate:
Next, we'll generate a few other items. We can generate strong Diffie-Hellman keys to use during key exchange by typing:
This might take a few minutes to complete.
Afterwards, we can generate an HMAC signature to strengthen the server's TLS integrity verification capabilities:
Step 6: Generate a Client Certificate and Key Pair
Next, we can generate a client certificate and key pair. Although this can be done on the client machine and then signed by the server/CA for security purposes, for this guide we will generate the signed key on the server for the sake of simplicity.
We will generate a single client key/certificate for this guide, but if you have more than one client, you can repeat this process as many times as you'd like. Pass in a unique value to the script for each client.
Because you may come back to this step at a later time, we'll re-source the vars file. We will use client1 as the value for our first certificate/key pair for this guide.
To produce credentials without a password, to aid in automated connections, use the build-key command like this:
If instead, you wish to create a password-protected set of credentials, use the build-key-pass command:
Again, the defaults should be populated, so you can just hit ENTER to continue. Leave the challenge password blank and make sure to enter y for the prompts that ask whether to sign and commit the certificate.
Step 7: Configure the OpenVPN Service
Next, we can begin configuring the OpenVPN service using the credentials and files we've generated.
Copy the Files to the OpenVPN Directory
To begin, we need to copy the files we need to the /etc/openvpn configuration directory.
We can start with all of the files that we just generated. These were placed within the ~/openvpn-ca/keys directory as they were created. We need to move our CA cert, our server cert and key, the HMAC signature, and the Diffie-Hellman file:
Next, we need to copy and unzip a sample OpenVPN configuration file into the configuration directory so that we can use it as a basis for our setup:
Adjust the OpenVPN Configuration
Now that our files are in place, we can modify the server configuration file:
Basic Configuration
First, find the HMAC section by looking for the tls-auth directive. Remove the ';' to uncomment the tls-auth line. Below this, add the key-direction parameter set to '0':
/etc/openvpn/server.conf
Next, find the section on cryptographic ciphers by looking for the commented out cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the ';' to uncomment the cipher AES-128-CBC line:
Below this, add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
/etc/openvpn/server.conf
Finally, find the user and group settings and remove the ';' at the beginning of each to uncomment those lines:
(Optional) Push DNS Changes to Redirect All Traffic Through the VPN
The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers.
To do this, uncomment a few directives that will configure client machines to redirect all web traffic through the VPN. Find the redirect-gateway section and remove the semicolon ';' from the beginning of the redirect-gateway line to uncomment it:
/etc/openvpn/server.conf
Just below this, find the dhcp-option section. Again, remove the ';' from in front of both of the lines to uncomment them:
This should assist clients in reconfiguring their DNS settings to use the VPN tunnel as the default gateway.
(Optional) Adjust the Port and Protocol
By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content on your OpenVPN server, port 443 is a popular choice since this is usually allowed through firewall rules.
/etc/openvpn/server.conf
Often the protocol will be restricted to that port as well. If so, change proto from UDP to TCP:
If you have no need to use a different port, it is best to leave these two settings at their defaults.
(Optional) Point to Non-Default Credentials
If you selected a different name during the ./build-key-server command earlier, modify the cert and key lines that you see to point to the appropriate .crt and .key files. If you used the default server, this should already be set correctly:
/etc/openvpn/server.conf
When you are finished, save and close the file.
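The edits in Step 7 are easy to get subtly wrong by hand (a ';' left in place, key-direction added without tls-auth, auth missing). The following is an added example, not the tutorial's own code: a small shell script that applies the Step 7 edits with sed and then verifies that every expected directive is active. It runs against a constructed miniature of the shipped sample server.conf so it works offline; on a real server you would point harden_server_conf and check_server_conf at /etc/openvpn/server.conf. GNU sed (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the tutorial: apply the Step 7 server.conf
# edits with sed and verify them on a scratch copy (GNU sed assumed).

# write_sample_conf FILE: constructed stand-in for the shipped sample,
# with the directives still commented out by ';' as in the stock file.
write_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC   # AES
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
}

# harden_server_conf FILE: uncomment tls-auth, cipher, the push lines,
# user and group, then insert key-direction 0 after tls-auth and
# auth SHA256 after cipher (the two lines the tutorial has you add).
# Safe to run twice: the inserts are skipped when already present.
harden_server_conf() {
  sed -i \
    -e 's/^;tls-auth ta.key 0/tls-auth ta.key 0/' \
    -e 's/^;cipher AES-128-CBC/cipher AES-128-CBC/' \
    -e 's/^;push "redirect-gateway/push "redirect-gateway/' \
    -e 's/^;push "dhcp-option/push "dhcp-option/' \
    -e 's/^;user nobody/user nobody/' \
    -e 's/^;group nogroup/group nogroup/' \
    "$1"
  grep -q '^key-direction 0' "$1" || \
    sed -i '/^tls-auth ta.key 0/a key-direction 0' "$1"
  grep -q '^auth SHA256' "$1" || \
    sed -i '/^cipher AES-128-CBC/a auth SHA256' "$1"
}

# active_directive FILE PREFIX...: succeed only if every PREFIX begins an
# uncommented line (a leading ';' or '#' means it is still disabled).
active_directive() {
  f="$1"; shift
  for d in "$@"; do
    grep -q "^$d" "$f" || return 1
  done
}

# check_server_conf FILE: 0 when every Step 7 setting is active.
check_server_conf() {
  active_directive "$1" \
    'tls-auth ta.key 0' 'key-direction 0' \
    'cipher AES-128-CBC' 'auth SHA256' \
    'user nobody' 'group nogroup' \
    'push "redirect-gateway def1 bypass-dhcp"' \
    'push "dhcp-option DNS'
}

# Demonstration on a scratch copy, never the live file.
demo=$(mktemp -d)
write_sample_conf "$demo/server.conf"
if check_server_conf "$demo/server.conf"; then
  echo "unexpected: sample already hardened"
else
  harden_server_conf "$demo/server.conf"
  if check_server_conf "$demo/server.conf"; then
    echo "all Step 7 settings active in $demo/server.conf"
  fi
fi
```

check_server_conf only tests that the lines are present and uncommented; it is a sanity check before restarting the service, not a substitute for reading the file. The redirect-gateway and dhcp-option lines are included because the optional DNS-push section enables them; drop them from the list if you keep that section commented out.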
Step 8: Adjust the Server Networking Configuration
Next, we need to adjust some aspects of the server's networking so that OpenVPN can correctly route traffic.
Allow IP Forwarding
First, we need to allow the server to forward traffic. This is fairly essential to the functionality we want our VPN server to provide.
We can adjust this setting by modifying the /etc/sysctl.conf file:
Inside, look for the line that sets net.ipv4.ip_forward. Remove the '#' character from the beginning of the line to uncomment that setting:
Save and close the file when you are finished.
To read the file and adjust the values for the current session, type:
Adjust the UFW Rules to Masquerade Client Connections
If you followed the Ubuntu 16.04 initial server setup guide in the prerequisites, you should have the UFW firewall in place. Regardless of whether you use the firewall to block unwanted traffic (which you almost always should do), we need the firewall in this guide to manipulate some of the traffic coming into the server. We need to modify the rules file to set up masquerading, an iptables concept that provides on-the-fly dynamic NAT to correctly route client connections.
Before we open the firewall configuration file to add masquerading, we need to find the public network interface of our machine. To do this, type:
Your public interface should follow the word 'dev'. For example, this result shows the interface named wlp11s0, which is highlighted below:
When you have the interface associated with your default route, open the /etc/ufw/before.rules file to add the relevant configuration:
This file handles configuration that should be put into place before the conventional UFW rules are loaded. Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming from the VPN:
Note: Remember to replace wlp11s0 in the -A POSTROUTING line below with the interface you found in the above command.
/etc/ufw/before.rules
Save and close the file when you are finished.
We need to tell UFW to allow forwarded packets by default as well. To do this, we will open the /etc/default/ufw file:
Inside, find the DEFAULT_FORWARD_POLICY directive. We will change the value from DROP to ACCEPT:
Save and close the file when you are finished.
Open the OpenVPN Port and Enable the Changes
Next, we'll adjust the firewall itself to allow traffic to OpenVPN.
If you did not change the port and protocol in the /etc/openvpn/server.conf file, you will need to open up UDP traffic to port 1194. If you modified the port and/or protocol, substitute the values you selected here.
We'll also add the SSH port in case you forgot to add it when following the prerequisite tutorial:
Now, we can disable and re-enable UFW to load the changes from all of the files we've modified:
Our server is now configured to correctly handle OpenVPN traffic.
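Step 8 touches three files and one firewall reload, and a typo in any of them leaves clients connected but unable to reach anything. As an added example (not the tutorial's code), the script below breaks the step into small functions: default_iface extracts the interface after 'dev' on the default route from ip route output, nat_rules prints the before.rules block for that interface, enable_ip_forward and set_forward_policy make the two file edits, and ufw_commands prints the ufw commands to run afterwards. The ip route output is a constructed sample; the 10.8.0.0/24 source range is an assumption matching the subnet OpenVPN's sample server.conf hands out ("server 10.8.0.0 255.255.255.0"), and GNU sed is assumed. The demonstration only edits scratch copies.

```shell
#!/bin/sh
# Added example, not from the tutorial: the pieces of Step 8 as shell
# functions so they can be checked on scratch files before touching the
# live ones. Assumptions: GNU sed, and a 10.8.0.0/24 VPN subnet (the
# range OpenVPN's sample server.conf assigns to clients).
VPN_SUBNET=10.8.0.0/24

# Constructed sample of what `ip route` might print on the server.
SAMPLE_IP_ROUTE='default via 203.0.113.1 dev wlp11s0 proto static metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
203.0.113.0/24 dev wlp11s0 proto kernel scope link src 203.0.113.10'

# default_iface ROUTE_TEXT: print the interface that follows "dev" on the
# default route, i.e. the public interface to masquerade through.
default_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "default" {
      for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# nat_rules IFACE: the block to add near the top of /etc/ufw/before.rules.
# It sets the POSTROUTING policy in the nat table and masquerades VPN
# client traffic leaving via IFACE.
nat_rules() {
  cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through $1
-A POSTROUTING -s $VPN_SUBNET -o $1 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# enable_ip_forward SYSCTL_FILE: uncomment net.ipv4.ip_forward=1.
enable_ip_forward() {
  sed -i 's/^#[[:space:]]*\(net\.ipv4\.ip_forward=1\)/\1/' "$1"
}

# set_forward_policy UFW_DEFAULT_FILE: DEFAULT_FORWARD_POLICY DROP -> ACCEPT.
set_forward_policy() {
  sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1"
}

# ufw_commands PORT PROTO: print (do not run) the ufw commands that open
# the OpenVPN port, keep SSH reachable, and reload the edited rule files.
ufw_commands() {
  printf 'sudo ufw allow %s/%s\nsudo ufw allow OpenSSH\nsudo ufw disable\nsudo ufw enable\n' "$1" "$2"
}

# Demonstration on scratch copies, never the live files.
iface=$(default_iface "$SAMPLE_IP_ROUTE")
echo "public interface: $iface"
nat_rules "$iface"
demo=$(mktemp -d)
printf '#net.ipv4.ip_forward=1\n' > "$demo/sysctl.conf"
enable_ip_forward "$demo/sysctl.conf"
printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$demo/ufw"
set_forward_policy "$demo/ufw"
cat "$demo/sysctl.conf" "$demo/ufw"
ufw_commands 1194 udp
```

On the real server you would call default_iface "$(ip route)" and paste the nat_rules output above the existing *filter section of /etc/ufw/before.rules; the masquerade rule must name the public interface, not tun0, or client packets leave with an unroutable 10.8.0.x source address.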
Step 9: Start and Enable the OpenVPN Service
We're finally ready to start the OpenVPN service on our server. We can do this using systemd.
We need to start the OpenVPN server by specifying our configuration file name as an instance variable after the systemd unit file name. Our configuration file for our server is called /etc/openvpn/server.conf, so we will add @server to the end of our unit file when calling it:
Double-check that the service has started successfully by typing:
If everything went well, your output should look something like this:
You can also check that the OpenVPN tun0 interface is available by typing:
You should see a configured interface:
If everything went well, enable the service so that it starts automatically at boot:
Step 10: Create Client Configuration Infrastructure
Next, we need to set up a system that will allow us to create client configuration files easily.
Creating the Client Config Directory Structure
Create a directory structure within your home directory to store the files:
Since our client configuration files will have the client keys embedded, we should lock down permissions on our inner directory:
Creating a Base Configuration
Next, let's copy an example client configuration into our directory to use as our base configuration:
Open this new file in your text editor:
Inside, we need to make a few adjustments.
First, locate the remote directive. This points the client to our OpenVPN server address. This should be the public IP address of your OpenVPN server. If you changed the port that the OpenVPN server is listening on, change 1194 to the port you selected:
~/client-configs/base.conf
Be sure that the protocol matches the value you are using in the server configuration:
Next, uncomment the user and group directives by removing the ';':
~/client-configs/base.conf
Find the directives that set the ca, cert, and key. Comment out these directives since we will be adding the certs and keys within the file itself:
Mirror the cipher and auth settings that we set in the /etc/openvpn/server.conf file:
~/client-configs/base.conf
Next, add the key-direction directive somewhere in the file. This must be set to '1' to work with the server:
Finally, add a few commented out lines. We want to include these with every config, but should only enable them for Linux clients that ship with a /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
~/client-configs/base.conf
If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, you should uncomment these lines from the generated OpenVPN client configuration file.
Save the file when you are finished.
Creating a Configuration Generation Script
Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/files directory.
Create and open a file called make_config.sh within the ~/client-configs directory:
Inside, paste the following script:
Save and close the file when you are finished.
Mark the file as executable by typing:
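The generator in Step 10 and its use in Step 11 boil down to one idea: concatenate base.conf with the CA certificate, the client's certificate and key, and the tls-auth key, each wrapped in an inline block, so that a single .ovpn file carries everything the client needs. Below is an added example of such a generator; it is not the tutorial's make_config.sh. make_client_config takes the client name, the key directory (~/openvpn-ca/keys on the server), the output directory and the base config, refuses to run if any input is missing, and creates the .ovpn with owner-only permissions because it embeds a private key. check_ovpn verifies the result. The demonstration uses a constructed base.conf and placeholder files in place of real key material.

```shell
#!/bin/sh
# Added example, not the tutorial's make_config.sh: a client-config
# generator of the same shape, plus a checker for its output. The demo
# uses constructed placeholder files, not real certificates or keys.

# make_client_config NAME KEY_DIR OUT_DIR BASE_CONF: prints the output path
make_client_config() {
  name="$1" key_dir="$2" out_dir="$3" base="$4"
  out="$out_dir/$name.ovpn"
  for f in "$base" "$key_dir/ca.crt" "$key_dir/$name.crt" \
           "$key_dir/$name.key" "$key_dir/ta.key"; do
    [ -r "$f" ] || { echo "make_client_config: missing $f" >&2; return 1; }
  done
  # The output embeds a private key, so create it owner-readable only.
  (
    umask 077
    {
      cat "$base"
      echo '<ca>';       cat "$key_dir/ca.crt";    echo '</ca>'
      echo '<cert>';     cat "$key_dir/$name.crt"; echo '</cert>'
      echo '<key>';      cat "$key_dir/$name.key"; echo '</key>'
      echo '<tls-auth>'; cat "$key_dir/ta.key";    echo '</tls-auth>'
    } > "$out"
  ) || return 1
  echo "$out"
}

# check_ovpn FILE: every inline block opened and closed exactly once, and
# key-direction 1 present (the client side of the server's key-direction 0).
check_ovpn() {
  for tag in ca cert key tls-auth; do
    [ "$(grep -c "^<$tag>\$" "$1")" = 1 ] || return 1
    [ "$(grep -c "^</$tag>\$" "$1")" = 1 ] || return 1
  done
  grep -q '^key-direction 1$' "$1"
}

# make_fixture DIR: constructed base.conf (as edited in Step 10) and
# placeholder key files standing in for ~/openvpn-ca/keys.
make_fixture() {
  mkdir -p "$1/keys" "$1/files"
  cat > "$1/base.conf" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf
EOF
  for f in ca.crt client1.crt client1.key ta.key; do
    printf -- '-----BEGIN PLACEHOLDER-----\nconstructed stand-in for %s, not real key material\n-----END PLACEHOLDER-----\n' \
      "$f" > "$1/keys/$f"
  done
}

# Demonstration: build client1.ovpn from the fixture and verify it.
demo=$(mktemp -d)
make_fixture "$demo"
if out=$(make_client_config client1 "$demo/keys" "$demo/files" "$demo/base.conf") \
   && check_ovpn "$out"; then
  echo "generated $out ($(wc -l < "$out") lines)"
fi
```

On the server the equivalent of Step 11 is make_client_config client1 ~/openvpn-ca/keys ~/client-configs/files ~/client-configs/base.conf; a second client only needs its own NAME.crt and NAME.key in the key directory, which is why the function fails loudly when they are absent rather than emitting a half-built profile.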
Step 11: Generate Client Configurations
Now, we can easily generate client configuration files.
If you followed along with the guide, you created a client certificate and key called client1.crt and client1.key respectively by running the ./build-key client1 command in step 6. We can generate a config for these credentials by moving into our ~/client-configs directory and using the script we made:
If everything went well, we should have a client1.ovpn file in our ~/client-configs/files directory:
Transferring Configuration to Client Devices
We need to transfer the client configuration file to the relevant device. For instance, this could be your local computer or a mobile device.
While the exact applications used to accomplish this transfer will depend on your choice and device's operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client's VPN authentication files over an encrypted connection.
Here is an example SFTP command using our client1.ovpn example. This command can be run from your local computer (OS X or Linux). It places the .ovpn file in your home directory:
Here are several tools and tutorials for securely transferring files from the server to a local computer:
Step 12: Install the Client Configuration
Now, we'll discuss how to install a client VPN profile on Windows, OS X, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to you.
The OpenVPN connection will be called whatever you named the .ovpn file. In our example, this means that the connection will be called client1.ovpn for the first client file we generated.
Windows
Installing
The OpenVPN client application for Windows can be found on OpenVPN's Downloads page. Choose the appropriate installer version for your version of Windows.
Note: OpenVPN needs administrative privileges to install.
After installing OpenVPN, copy the .ovpn file to:
When you launch OpenVPN, it will automatically see the profile and make it available.
OpenVPN must be run as an administrator each time it's used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you can preset this, but this must be done from an administrative account. This also means that standard users will need to enter the administrator's password to use OpenVPN. On the other hand, standard users can't properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.
To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.
Connecting
Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so that the VPN can be connected and disconnected as needed; it does not actually make the VPN connection.
Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that's our client1.ovpn profile) and choose Connect.
A status window will open showing the log output while the connection is established, and a message will show once the client is connected.
Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.
OS X
Installing
Tunnelblick is a free, open source OpenVPN client for Mac OS X. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.
Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. It can be easier to answer No and let Tunnelblick finish. Open a Finder window and double-click client1.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.
Connecting
Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect menu item to initiate the VPN connection. Select the client1 connection.
Linux
Installing
If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.
The most universal way of connecting, however, is to just use the OpenVPN software.
On Ubuntu or Debian, you can install it just as you did on the server by typing:
On CentOS you can enable the EPEL repositories and then install it by typing:
Configuring
Check to see if your distribution includes a /etc/openvpn/update-resolv-conf script:
Next, edit the OpenVPN client configuration file you transferred:
Uncomment the three lines we placed in to adjust the DNS settings if you were able to find an update-resolv-conf file:
If you are using CentOS, change the group from nogroup to nobody to match the distribution's available groups:
client1.ovpn
Save and close the file.
Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:
This should connect you to your server.
iOS
Installing
From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client configuration onto the device, connect it directly to a computer.
Completing the transfer with iTunes will be outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the .ovpn file to the OpenVPN Documents window.
Now launch the OpenVPN app on the iPhone. There will be a notification that a new profile is ready to import. Tap the green plus sign to import it.
Connecting
OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.
The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.
Android
Installing
Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.
The .ovpn profile can be transferred by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device's SD card, copy the profile onto it and then insert the card back into the Android device. Start the OpenVPN app and tap the menu to import the profile.
Then navigate to the location of the saved profile (the screenshot uses /sdcard/Download/) and select the file. The app will make a note that the profile was imported.
Connecting
To connect, simply tap the Connect button. You'll be asked if you trust the OpenVPN application. Choose OK to initiate the connection. To disconnect from the VPN, go back to the OpenVPN app and choose Disconnect.
Step 13: Test Your VPN Connection
Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.
The site will return the IP address assigned by your internet service provider and as you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.
Now connect the OpenVPN client to your Droplet's VPN and refresh the browser. The completely different IP address of your VPN server should now appear. That is now how you appear to the world. Again, DNSLeakTest's Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.
Step 14: Revoking Client Certificates
Occasionally, you may need to revoke a client certificate to prevent further access to the OpenVPN server.
To do so, enter your CA directory and re-source the vars file:
Next, call the revoke-full command using the client name that you wish to revoke:
This will show some output, ending in error 23. This is normal and the process should have successfully generated the necessary revocation information, which is stored in a file called crl.pem within the keys subdirectory.
Transfer this file to the /etc/openvpn configuration directory:
Next, open the OpenVPN server configuration file:
At the bottom of the file, add the crl-verify option, so that the OpenVPN server checks the certificate revocation list that we've created each time a connection attempt is made:
/etc/openvpn/server.conf
Save and close the file.
Finally, restart OpenVPN to implement the certificate revocation:
The client should no longer be able to successfully connect to the server using the old credential.
To revoke additional clients, follow this process:
- Generate a new certificate revocation list by sourcing the vars file in the ~/openvpn-ca directory and then calling the revoke-full script on the client name.
- Copy the new certificate revocation list to the /etc/openvpn directory to overwrite the old list.
- Restart the OpenVPN service.
This process can be used to revoke any certificates that you've previously issued for your server.
Conclusion
Congratulations! You are now securely traversing the internet protecting your identity, location, and traffic from snoopers and censors.
To configure more clients, you only need to follow steps 6, and 11-13 for each additional device. To revoke access to clients, follow step 14.