VPN is a useful technique that can help you to access some forbidden website or service in some countries. Furthermore, we can use it to change the physical location, for example, if I want to buy something in US, I can use a US VPN to access the site.
Of course, there are a couple of VPN service that you can buy online, however, making use of a VPN Server provides you all kind of flexibility, especially if you have an existing VPS.
OK, no bullshit, let’s start.
The basic idea is, the VPN Client routes all traffic to the VPN Server, the Server acts as a jumping board and access the other services you want.
0. Config your VPS to enable PPP and TUN, usually you can find the settings in SolusVM Admin Console, it is a settings in Kernel. Another point to watch out is, on OpenVZ VPS, the network card is venet0 instead of eth0, it traps me for more than 4 hours. Jesus!
1. Add the dependencies
yum install -y ppp libpcap iptables
2. Get the PPTPD install RPM, select with either 32bit (i686) / 64bit (x86_64)
wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.4.0-1.el6.i686.rpm
OR
http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
Update (-uvh) or Install (-ivh)
rpm -ivh pptpd-1.4.0-1.el6.i686.rpm
3. Edit /etc/pptpd.conf, the is the private network section of the PPTPD. We will set the server with IP 192.168.5.1 while sequentially set the client as 192.168.5.171-175.
PS. In my case, I only need a few access, so I cut down the IP Range and number of max connections
connections 5
localip 192.168.5.1
remoteip 192.168.5.171-175
4. Edit /etc/sysctl.conf to change this line from 0 to 1
net.ipv4.ip_forward = 1
5. Set the DNS Server when the client connected, we will be using Google DNS 8.8.8.8 and 8.8.4.4. (Google, my Lord), edit /etc/ppp/options.pptpd
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
6. edit /etc/ppp/chap-secrets for the client credentials, remember to change the password, “password” is on the top list of hacker’s dictionary
# Secrets for authentication using CHAP
# client server secret IP addresses
vpnuser pptpd password *
7. It is time to set the IPTables. We have several to be done here.
a. Open port 47(GRE) and 1723
b. Enable NAT, so that the client can send traffic
c. Allow Input and Output traffic for ppp+ (It is wildcard for ppp0, ppp1, ppp2 and etc)
edit /etc/sysconfig/iptables
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -o ppp+ -j MASQUERADE
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
8. We are almost done, it is time to restart all service.
service network reload
/etc/rc.d/init.d/iptables restart
/etc/rc.d/init.d/pptpd restart-kill
TROUBLE-SHOOTING
There are plenty of tutorials of VPN Setup on the web. but there are a few for helping you to trouble shoot. There are two main loophole for you, one is on setup, and the other is on routing rule.
Troubleshooting setup params
You can enable the logging of setup params in /etc/ppp/options.pptpd, uncomment “dump” in the files. You can find the log in /var/log/messages. It shows most information when the client is connecting to server.
Troubleshooting the Route
if your client can connect to the VPN Server, but unable to connect to the internet, probably the issue goes to the IPTables rules. Here is a 4 steps process.
1. VPN Client to VPN Server
2. VPN Client to VPN Server to External Machine
3. External Machine replies to VPN Server and then translate to Internal IP
4. External Machine replies to VPN Server and then send to VPN Client
Here, TCPDump and Ping is your friends, tcpdump help you to capture all packets going through the server by specifying the parameters.
tcpdump -n -i ppp0 icmp and src host 10.1.1.2 and dst host 72.14.207.99
ppp0 can be replaced by eth0 or venet0
src host can be your client IP address or external party (Case 1 and Case 3)
For details, you may refer to this link
http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml