1. Mainpage
  2. Knowledge Base
  3. VPN server setup on Linux: PPTP or OpenVPN?

VPN server setup on Linux: PPTP or OpenVPN?


Nowadays, VPN technology becomes more popular. Ordinary users use VPN to safely access the Internet. It also helps get around locally blocked websites and services and protect against possible external malicious behavior. When you’re connecting to a VPN server, there’s a safe tunnel between your computer and the server that cannot be accessed from outside, so the VPN server becomes your Internet access point. There are lots of VPN services out there, both free and paid, but if they don’t work for you for some reason, you can always configure your own VPN server.

To run your oun VPN, you should rent VPS server. There’s different software that lets you create a VPN connection. It differs from each other by operating systems supported and algorithms used. We will take a look at two independent approaches to set up a VPN server. The first one is based on PPTP protocol that is already considered obsolete and not secure but is really easy to configure. The other one employs modern and secure software OpenVPN but requires installing a third-party client application and a more thorough setup process.

In our test environment, we are going to use a virtual server powered by Ubuntu Server 18.04. A firewall is going to be switched off on the server because its configuration deserves a separate article. We will describe the setup process on Windows 10.

Preparation

No matter which VPN server you choose, the Internet access will be set up by integrated means of the operating system. In order to open Internet access through an external service interface you have to allow packet forwarding between the interfaces and configure network address translation.

To switch on packet forwarding open the file “/etc/sysctl.conf” and change “net.ipv4.ip_forward” parameter value into 1.

turn on packets forwarding for VPN setup

In order to apply changes without rebooting the computer, run the command

sudo sysctl -p /etc/sysctl.conf

Network address translation is configured by the means of iptables. First, check the name of your external network interface running the command “ip link show” – you will need it at the next step. Our name is “ens3”.

ip link show

Enable network address translation at your external interface for all local network nodes.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

Note that you need to specify the real name of your server’s interface, it can be different from ours.

By default, all rules created by iptables are reset after the server restart. In order to prevent that, use “iptables-persistent” utility. Install the following packet:

sudo apt install iptables-persistent

At some point during the installation process, you will see a configuration window that will suggest you saving current iptables rules. Since the rules are already defined, just confirm and click “Yes” twice. Since now the rules will be applied automatically after the server restart.

Turn on address translation

PPTP server

Server configuration

Install the packet:

sudo apt install pptpd

After the installation ends, open the file “/etc/pptpd.conf” in any text editor and edit it like this:

option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses

After that, edit the file “/etc/ppp/pptpd-options”. Most of the parameters are set up by default.

#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd

At the next stage, you will need to create a record for client connections. Let’s say you want to add a user “vpnuser” with password “1” and allow dynamic addressing for him. Open the file “/etc/ppp/chap-secrets” and add the following line with the user’s parameters at the end of the file:

vpnuser pptpd 1 *

“pptpd” value is the name of the service that we specified in the file “pptpd-options”. Instead of “*” you can specify a fixed IP address. In the result, the file “chap-secrets” should look like this:

VPN server setup

To apply the settings reset the pptpd service and add it to autoloading.

sudo systemctl restart pptpd
sudo systemctl enable pptpd

Server configuration is finished.

Client configuration

Open “Start”“Settings”“Network & Internet”“VPN” and click “Add a VPN connection”

Setup client for VPN connection

Enter the connection parameters in the window opened and click “Save”

  • VPN provider: “Windows (built-in)”
  • Connection name: “vpn_connect” (you can choose any name)
  • Server name or address: (specify the external IP address of the server)
  • VPN type: “Auto”
  • Type of sign-in info: “User name and password”
  • User name: vpnuser (name specified in the “chap-secrets” file on the server)
  • Password: 1 (as in the “chap-secrets” file)

After saving parameters, you will see the new VPN connection in the window. Left-click the connection and select “Connect”. In the case of a successful connection, you will see “Connected” status.

Adding VPN connection

In the Options, you will find internal addresses of the client and the server. Field “Destination address” displays the external server address.

How to setup VPN server by yourself

When connected, the internal IP address of the server, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.

Check external IP-address

Using any online service you can make sure that the external IP address of the computer is now the same as your VPN server’s IP address.

OpenVPN server

Server configuration

Let’s promote the permissions level of the current user because for our further configuration we will need root access.

sudo -s

Install all the necessary packets. We will need “Easy-RSA” packet to manage encryption keys.

apt install openvpn easy-rsa

Create a symbolic link to the configuration file OpenSSL. Otherwise. the system will throw an error when trying to load variable.

ln -s /usr/share/easy-rsa/openssl-1.0.0.cnf /usr/share/easy-rsa/openssl.cnf

Go to the work directory of the easy-rsa utility, load the variables and clear old configurations.

cd /usr/share/easy-rsa/
source ./vars
./clean-all

Then proceed to create the keys. Generate a Diffie–Hellman key. It may take some time.

./build-dh
Генерируем ключи
./build-ca

During that process, you will have to answer some questions and enter the key owner’s information. You can leave default values in the brackets. Click “Enter” to finish.

Generate keys for the server. Set any value as a parameter. In our case, it’s “vpn-server”

./build-key-server vpn-server

Answer the questions, just like at the previous step or leave default values. Press “y” at the final stage twice.

Генерация ключей

The keys generation is finished. You can find all the files in the “/usr/share/easy-rsa/keys” folder now.

все файлы находятся в папке “/usr/share/easy-rsa/keys”

Now let’s create the “keys” folder in the OpenVPN work directory to store the keys and copy all the necessary files in there.

mkdir /etc/openvpn/keys
cp ca.crt dh2048.pem vpn-server.key vpn-server.crt /etc/openvpn/keys/

Copy the config file template and unpack it into “/etc/openvpn/” directory.

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz

Open the file “/etc/openvpn/server.conf” for editing, make sure it contains the following lines, and edit them if needed:

#Port, protocol, and interface
port 1194
proto udp
dev tun
#Path to the encryption keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh2048.pem
#Network parameters
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
#Switching off additional encryption
#tls-auth ta.key 0
#Switching on compression
compress lz4-v2
push "compress lz4-v2"
#Demoting the service OpenVPN after launch
user nobody
group nogroup
#Switching on parameters saving after reboot
persist-key
persist-tun
#Redirecting logs
log /var/log/openvpn/openvpn.log

Leave the rest unchanged.

Restart OpenVPN to apply the configuration.

systemctl restart openvpn

The server configuration is finished!

Client configuration

Go to the official website of OpenVPN “https://openvpn.net”, go to the “COMUNITY”“DOWNLOADS” section

Скачиваем клиент OpenVPN с официального сайта проекта

and download the installation file for your operating system. In our case, it’s Windows 10.

скачиваем инсталлятор для своей версии операционной системы

Install the application leaving all parameters by default.

At the next stage you will need to prepare the following file on the server and transfer them to the client computer:

  • public and private keys;
  • copy of the certification center key;
  • config file template.

Connect to the server, promote the permissions level, and go to the work directory of the “easy-rsa” utility and load the variables

sudo -s
cd /usr/share/easy-rsa/
source ./vars

Generate the key pair for the client. Set any name as the parameter (in our case it’s “client1”).

./build-key client1

Answer the questions entering your info or just press “ENTER” to leave default values. After that, press “y” twice.

Установка и настройка OpenVPN

You can find the generated keys in the “/usr/share/easy-rsa/keys/” folder. To make it more convenient, create “client1” folder in the home directory and copy all the files in it that you need to distribute to the client.

cd /usr/share/easy-rsa/keys/
mkdir ~/client1
cp client1.crt client1.key ca.crt ~/client1/

Copy the client config file template to the same directory. Change the file extension to “.ovpn” while copying.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn

Change the owner of the directory and all the files “~/client1/” to be able to distribute them to the client. Let’s make “mihail” the owner in our case.

chown -R mihail:mihail ~/client1

Go to the client computer and copy the content of the “~/client1/” folder. You can do that with the help of “PSCP” utility, that goes with Putty.

PSCP -r mihail@[IP_сервера]:/home/mihail/client1 c:\client1

You can store key files “ca.crt”, “client1.crt”, “client1.key” wherever you want. In our case, they are in this folder “c:\Program Files\OpenVPN\keys”, and we mode the config file “client.ovpn” into the “c:\Program Files\OpenVPN\config” directory.

Now let’s get to configuring the client. Open the file “c:\Program Files\OpenVPN\config\client.ovpn” in a text editor and edit the following lines:

#announce that this is the client
client
#interface and protocol just like on the server
dev tun
proto udp
#IP address of the server and port
remote ip_address 1194
#saving parameters after reload
persist-key
persist-tun
#key paths
ca “c:\\Program Files\\OpenVPN\\keys\\ca.cert”
cert “c:\\Program Files\\OpenVPN\\keys\\client1.crt”
key “c:\\Program Files\\OpenVPN\\keys\\client1.key”
#enable server verification
remote-cert-tls server
#disable extra encryption
#tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
auth-nocache
verb 3

Leave the rest untouched.

Save the file and launch the client application “OpenVPN GUI”.

VPN setup finished

Right-click on the app icon in the taskbar and choose “Connect”. If the connection is successful the icon will turn green.

Use any online service to make sure your public IP address has changed and is now the same as the server’s IP address.

Previous article How to set up Wireguard VPN on your server

Ask a question

We are always ready to answer your questions at any time of day or night.
Please, check our Knowledge base, most likely the answer to your question is already there!
svg--close svg--yes
Your message has been sent
We will definitely consider your message as soon as possible