Quick and Dirty VPN Server with pptpd

I’ve recently found myself wanting to be able to quickly create a VPN server, with minimal client-side setup. Normally, my VPN server of choice is OpenVPN, but it doesn’t really meet those criteria: server side, you’ve got to generate keyfiles, certificates and config files. This wouldn’t be so bad, but it’s a similar story client-side. If your grandma wants a VPN connection, having to send over OpenVPN installers, certificate files and configs isn’t ideal.

Most operating systems have built-in support for a VPN protocol called PPTP, or Point-to-Point Tunneling Protocol, so I decided to investigate. It turns out that minimal effort is required to set up a PPTP server, and virtually no effort is required on the client side. PPTP is supported natively by Windows, Android and (at the time of writing) OS X and iOS, and clients are easily obtainable for Linux and the various BSDs. (Apple has since removed the built-in PPTP client in macOS Sierra and iOS 10, so newer Apple devices need a third-party client.)

Before I go any further, I’d like to clarify that PPTP is NOT terribly secure. I wouldn’t use it for transferring any particularly sensitive information; I’m using it purely for convenience. I’d recommend it for watching Netflix or Hulu from outside the US, but not for transferring mega secret nuclear launch-codes. The weakness is in the authentication: PPTP authenticates with MS-CHAPv2, and the MPPE key that encrypts the tunnel is derived from the user’s NT password hash. Given one captured handshake, that hash can be recovered with a brute force of a single 56-bit DES key (the attack published by Moxie Marlinspike and David Hulton in 2012, which is offered as a cracking service), after which the attacker can both decrypt the captured traffic and log in as that user. A strong password doesn’t help, because the search is over the DES key space rather than the password.

OK, now that you know not to rely on PPTP/MS-CHAPv2 as a security measure, let’s move on.

These instructions were tested on Debian 7.0 – but installation aside, should be valid for any distro.

Install PPTPD. This can be done via a simple apt-get install pptpd.

Open up /etc/pptpd.conf in your editor of choice. At the end of the file, add these lines:

localip x.x.x.x
remoteip y.y.y.y-z

where x.x.x.x is the address the server’s end of each tunnel will use (I use the external IP of the server; any address works, and a private address from the same subnet as the client pool is the more common choice), and remoteip y.y.y.y-z is the pool handed out to clients: y.y.y.y is the first address in the range, and z is the last octet of the last address you wish to assign. For instance, if I wanted client IPs to lie in the range, I’d enter remoteip You don’t need to do anything special to be able to assign these IPs; pptpd hands one to pppd for each connection. Just make sure you use private address space, it’d be rude not to.

You should also append:


in order to specify the DNS servers you want your clients to use. Note that this is a pppd option (the directive is ms-dns, one line per server), so it belongs in /etc/ppp/pptpd-options, the options file named by the option line in /etc/pptpd.conf, rather than in pptpd.conf itself. You can, of course, substitute DNS servers of your choice.

Now that pptpd is configured, we need to allow the server to forward IPv4 traffic. Edit /etc/sysctl.conf and uncomment the line that reads #net.ipv4.ip_forward=1 (so it reads net.ipv4.ip_forward=1), then reload the settings by running sudo sysctl -p. Without this, clients can reach the server itself but nothing beyond it.

We also need iptables to NAT the clients’ traffic out through the server’s public address. The rule is iptables -t nat -A POSTROUTING -s y.y.y.0/24 -o eth0 -j SNAT --to-source z.z.z.z, where z.z.z.z is the external IP of your VPS, y.y.y.0/24 is the subnet your remoteip pool lives in, and eth0 is the interface carrying the public IP. (Without the -s and -o restrictions the rule rewrites every packet the box forwards, which is broader than you want.) If your INPUT chain defaults to DROP, also allow TCP port 1723 (the PPTP control connection) and the GRE protocol (the tunnel itself, IP protocol 47), or clients will fail to connect. It’s worth noting that iptables rules aren’t persisted to disk; on Debian the iptables-persistent package restores them at boot, or check out this article to see how to make them survive a reboot.

We’re almost set; all that’s left to do is to create a pptpd user. This is done by editing the file /etc/ppp/chap-secrets. Entries are stored in the form username service password ip, where the fourth column lists the addresses the user may be given: a specific address pins the user to it, and * allows any address from the remoteip pool (pppd treats a line with only three fields as allowing no address at all, so don’t leave it off). So if I wanted to add a user called bob, with the password bananna and the IP, I’d add the line:

bob pptpd bananna

(Bear in mind that passwords in /etc/ppp/chap-secrets are stored in plaintext, so keep the file readable by root only.)

Your pptpd VPN server is now configured; all that’s left to do is to run /etc/init.d/pptpd restart (or service pptpd restart) to make the changes take effect.
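The whole procedure above, collected into one script. This is an added example, not code from the original post: every address, interface name and credential in it is an assumption (203.0.113.10 is a documentation address standing in for the VPS’s public IP, 10.8.0.0/24 is an arbitrary private pool, and the resolvers and the bob/change-me login are placeholders), so replace them before use. Run with no arguments it only prints what it would write; sh pptp-setup.sh apply performs the install as root.

```shell
#!/bin/sh
# Added example, not from the original post. All values below are assumptions
# to be replaced with your own before running "apply".
set -eu

EXT_IF=eth0                 # interface that carries the public IP
EXT_IP=203.0.113.10         # the VPS's external address (SNAT source); assumed
VPN_LOCAL=10.8.0.1          # server end of each tunnel (localip); assumed
VPN_POOL=10.8.0.100-199     # pptpd remoteip syntax: first address, dash, last octet
VPN_NET=10.8.0.0/24         # subnet covering VPN_LOCAL and VPN_POOL, for the NAT rule
DNS1=1.1.1.1                # assumed resolvers; pick your own
DNS2=9.9.9.9
VPN_USER=bob                # assumed credentials (chap-secrets stores them in clear)
VPN_PASS='change-me'

# Lines to append to /etc/pptpd.conf.
pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$VPN_LOCAL" "$VPN_POOL"
}

# Lines to append to /etc/ppp/pptpd-options (the pppd options file named by the
# "option" line in pptpd.conf). ms-dns is a pppd option, so it lives here, not
# in pptpd.conf. require-mppe-128 refuses unencrypted sessions; Debian's stock
# file already sets it, so repeating it is harmless.
pptpd_options() {
    printf 'ms-dns %s\nms-dns %s\nrequire-mppe-128\n' "$DNS1" "$DNS2"
}

# One /etc/ppp/chap-secrets entry: client, server, secret, allowed IPs.
# "*" lets pppd hand out any address from the remoteip pool; a fixed address
# in the fourth column pins the user to that one address.
chap_secret_line() {
    printf '%s pptpd %s *\n' "$1" "$2"
}

# Firewall commands. The SNAT rule is restricted to traffic from the VPN subnet
# leaving on the public interface, rather than rewriting every forwarded packet.
# PPTP needs TCP/1723 for the control connection and GRE (IP protocol 47) for
# the tunnel itself, so both are opened in case INPUT defaults to DROP.
firewall_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$VPN_NET" "$EXT_IF" "$EXT_IP"
    printf 'iptables -A INPUT -p tcp --dport 1723 -j ACCEPT\n'
    printf 'iptables -A INPUT -p gre -j ACCEPT\n'
}

# Apply everything on a Debian host (needs root). The iptables rules are not
# persisted here; install iptables-persistent or save them yourself afterwards.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply must run as root' >&2; return 1; }
    apt-get install -y pptpd
    pptpd_conf >> /etc/pptpd.conf
    pptpd_options >> /etc/ppp/pptpd-options
    chap_secret_line "$VPN_USER" "$VPN_PASS" >> /etc/ppp/chap-secrets
    chmod 600 /etc/ppp/chap-secrets
    sed -i -E 's/^#?net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    sysctl -p
    firewall_rules | sh -e
    service pptpd restart
}

case "${1:-}" in
    apply) apply ;;
    *)  # dry run: show what apply would write and execute
        echo '# /etc/pptpd.conf'; pptpd_conf
        echo '# /etc/ppp/pptpd-options'; pptpd_options
        echo '# /etc/ppp/chap-secrets'; chap_secret_line "$VPN_USER" "$VPN_PASS"
        echo '# firewall'; firewall_rules ;;
esac
```

The generation functions are kept separate from apply so the output can be inspected (or diffed against an existing server) before anything is written, and so the firewall rules can be dropped into whatever persistence mechanism you use.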

5 thoughts on “Quick and Dirty VPN Server with pptpd”

  1. “We also need to configure iptables to perform NAT – this can be done by running iptables -A POSTROUTING -t nat -j SNAT --to-source z.z.z.z, where z.z.z.z is the external IP of your VPS.”

    Why even bother writing this article if you’re going to use acronyms when you should know not everyone is going to automatically know what “VPS” stands for, or explaining how to find the VPS external IP? Without that info this article is…well, useless, no?

    1. This article is targeted at people that already have a VPS (which stands for Virtual Private Server, like those available through Digital Ocean or Amazon AWS). Most people already know what their server’s external IP is, as it’s provided to them when they sign up.

      I can’t possibly provide a definition for every acronym under the sun, or tell you how to undertake every task, otherwise this post would have become ridiculously long. If people have any specific questions then I encourage them to ask.

  2. OK so… I take it you’re required to have a Virtual Private Server in order to use these directions? Would sure be nice to have been told in this article so I don’t have to Google everything you spoke about
