How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

As things currently stand, there are many reasons to have a VPN these days. Justifications range from the mundane (not wanting your language to change in foreign countries) all the way up to legitimately protecting free speech. With so many sub-par or insecure sites offering this service, and the insane charges these companies ask, here is a simple solution: get yourself a Digital Ocean VPS. The lowest-cost droplet (their name for a virtual server) is US$5 per month, and it is charged only for the hours it is provisioned. So if you only need a server one week a month, that's all you pay for (US$1.25). Just remember to make a backup and remove the droplet so you are not continually charged.

First, I have verified that this works with the default clients on iPhone 4, iPhone 5, Windows 7, Mac OS, Android (ICS), and I am sure many others. So let's get on with the configuration. I make no promises that this will work with other VPS solutions, but it may.

Update: I have also verified that this works on Amazon EC2 (the only modification is that Amazon does not start you off logged in as root, so you will need to type “sudo su” before completing these instructions).

Let's start from the very first terminal/console session you open with your new droplet. When you log in, you will notice that you are root (tsk, tsk…), but that makes everything simpler for us, so let's just roll with it, shall we?

First, let's apply those updates:

apt-get update
apt-get upgrade
reboot now

My prerogative is to make you use vim because that's what I prefer. You can use whatever you want; just replace vim with nano or vi or whatever.

apt-get install vim

For security's sake you will want to create a new user (replace cynic with whatever you want):

 adduser cynic

Follow the prompts (you don't need to fill in useless fields like phone numbers).

Now let's give this user admin rights by making it a sudoer (able to use sudo):

usermod -aG sudo cynic

Now let's make your SSH more secure. The most frequent attack is a brute force over SSH on port 22; simply changing the port makes you much safer.

vim /etc/ssh/sshd_config

In /etc/ssh/sshd_config find this:

Port 22

Replace with this (or whatever you want)

Port 102

Also in /etc/ssh/sshd_config find this:

PermitRootLogin yes

Replace with this

PermitRootLogin no

Prevent IP Spoofing

vim /etc/host.conf

In /etc/host.conf add this to the bottom of the file:

nospoof on

Install VPN Tunnel

apt-get install pptpd

In /etc/ppp/chap-secrets add one line for each user you want to authenticate

vim /etc/ppp/chap-secrets

When you are adding entries to this file, use tabs to separate the fields. Although it may not appear that way in this post, there are tabs between the username, the asterisk, the password and the final asterisk.

# Secrets for authentication using CHAP
# client server secret IP addresses
user11 * s83udh2h *
user * 8sku2hd *
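
Because the secrets in this file are stored in clear text and pppd is picky about the field layout, here is an added helper for appending entries and checking the file (example code, not from the original post). It assumes unquoted secrets and a GNU or BSD stat; chap_add_user and chap_check are hypothetical names.

```sh
#!/bin/sh
# Helpers for /etc/ppp/chap-secrets. Added example, not code from the post.
# chap_add_user FILE USER [SECRET]: append "USER<tab>*<tab>SECRET<tab>*",
#   generating a 16-character random secret when none is given, and refuse
#   a client name that is already present (pppd would silently use the
#   first matching line).
# chap_check FILE: fail unless every non-comment line has exactly four
#   whitespace-separated fields and the file is readable by root only.
#   Assumption: secrets are unquoted (pppd also allows "quoted secrets
#   with spaces", which this simple field count would reject).
chap_add_user() {
    file=$1; user=$2; secret=$3
    if [ -z "$secret" ]; then
        secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
    fi
    if awk -v u="$user" '$1 !~ /^#/ && $1 == u { found = 1 } END { exit !found }' "$file"; then
        echo "chap_add_user: $user is already present in $file" >&2
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$user" "$secret" >>"$file"
    chmod 600 "$file"          # the secrets are stored in clear text
    printf '%s\n' "$secret"    # echo the secret so it can be handed to the user
}

chap_check() {
    file=$1
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        600|400) ;;
        *) echo "chap_check: $file is mode $mode, expected 600" >&2; return 1 ;;
    esac
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        NF != 4 { printf "line %d: %d fields, expected 4\n", NR, NF; bad = 1 }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed demo on a temporary file with the two entries from the post.
demo=$(mktemp)
printf '# Secrets for authentication using CHAP\n# client\tserver\tsecret\tIP addresses\n' >"$demo"
chap_add_user "$demo" user11 s83udh2h >/dev/null
chap_add_user "$demo" user 8sku2hd >/dev/null
chap_check "$demo" && echo "$demo: chap-secrets layout OK"
```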

Open /etc/pptpd.conf:

vim /etc/pptpd.conf

In /etc/pptpd.conf replace the entire file with this, but make sure to change the local IP. localip is the IP of your server (the IP sent to you when you created the droplet). If you want, you can modify remoteip; this is the range of IPs that will be handed out to connecting clients. I have allowed for 21 connections below.

option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 198.142.70.106
remoteip 192.168.10.100-120
netmask 255.255.255.0

Now let's edit the options:

vim /etc/ppp/pptpd-options

In /etc/ppp/pptpd-options

Replace the entire file with this:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
nodefaultroute
#debug
#dump
netmask 255.255.255.0
lock
nobsdcomp

Purge all iptables rules:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Verify the tables are clean

iptables -nvL

It should return something like this

Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 2144 bytes)
 pkts bytes target prot opt in out source destination

Now let's enable forwarding:

vim /etc/sysctl.conf

In /etc/sysctl.conf uncomment the following line (remove the #)

net.ipv4.ip_forward=1

Apply the change

sysctl -p

Set up the forwarding rules:

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables --table nat --append POSTROUTING   --out-interface ppp0 --jump MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It should be noted that the “iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE” command adds peer communication (meaning two clients connected to the VPN will be able to ping and communicate with each other), so you can use ICMP, Samba, or whatever else.

It should also be noted that “iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu” solves a problem with MTU size variations (make sure to check this rule if you are unable to load some websites while others work fine).

Now we must save the rules and set them to be restored on reboot:

sh -c "iptables-save > /etc/iptables.rules"

Create a new file, /etc/network/if-pre-up.d/iptablesload:

vim /etc/network/if-pre-up.d/iptablesload

Update /etc/network/if-pre-up.d/iptablesload with the following:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Make the script executable:

chmod +x /etc/network/if-pre-up.d/iptablesload

Automatically ban hosts that brute-force:

apt-get install denyhosts fail2ban

Update the SSH port to monitor:

vim /etc/fail2ban/jail.conf

In /etc/fail2ban/jail.conf find this:

port = ssh

Replace with this

port = 102

Let's get it all over with:

reboot

Next time you log in to your server, make sure to use port 102 instead of 22 (or whatever you changed it to). You should be able to use pptpd now. If you used exactly the configuration settings above, your new login information is:

VPN Type: PPTP
Server: 198.14.7.31
User: user11
Password: s83udh2h

With these settings I have confirmed that the following can connect with the OS default PPTP adapter: Windows 7, Windows 8, Mac OS X, iPhone 4S (iOS 6.1.1), iPhone 5 (iOS 6.1), Ubuntu 13.04 x64. I am sure many others work. I am successfully using Ubuntu Samba and Windows broadcasts, and am able to play games on Windows over this VPN.

Common problems:

Problem 1 – You're unable to connect to the VPN, and reviewing /var/log/syslog you find the following:
GRE: Bad checksum from pppd.
MPPE required but peer negotiation failed
GRE: read(fd=6,buffer=80504c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

Solution 1:
In many cases this is because the client trying to connect is not sending its authorization using MPPE. If it's a Linux machine, you likely need to turn on encryption in your VPN settings. If it is a router, and you have ensured that encryption is set, it is likely a router limitation and you will need to remove the require-mppe-128 and require-mschap-v2 options from /etc/ppp/pptpd-options.

Problem 2 – You connect to the VPN and have internet, but cannot ping other machines on your VPN

Solution 2:
This is likely a routing or configuration issue. Make sure bcrelay is enabled for eth0 in /etc/pptpd.conf and that proxyarp is enabled in /etc/ppp/pptpd-options. Then follow the best guide I have ever seen on the subject, http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml (my hat's off to the creator), to troubleshoot.

Problem 3 – You can connect to the VPN but you are not getting internet.

Solution 3:
This is likely due to your DNS server. Make sure you are using the correct DNS in /etc/ppp/pptpd-options. Try using Google's DNS servers: ms-dns 8.8.8.8 and ms-dns 8.8.4.4.
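
The syslog messages in Problem 1 and in the extracts quoted in the comments below follow a small number of patterns, so here is an added triage script (example code, not from the original post) that prints one verdict per PPTP control session. It assumes sessions are logged sequentially, as in those extracts; pptp_triage and sample_log are hypothetical names.

```sh
#!/bin/sh
# Triage pptpd/pppd syslog lines and print one verdict per PPTP control
# session. Added example, not code from the post. Assumes sessions are
# sequential, i.e. each "control connection started" line is followed by
# that session's pppd lines before the next one starts, as in the extracts
# quoted in the comments. Reads syslog text on stdin.
pptp_triage() {
    awk '
    BEGIN {
        hint["mppe-mismatch"] = "peer authenticated but MPPE was not negotiated; turn on 128-bit encryption and MSCHAPv2 on the client (Solution 1)"
        hint["lcp-timeout"]   = "no LCP reply once GRE was opened; the PPP data path (GRE, IP protocol 47) is not reaching the server on this network"
        hint["ok"]            = "authenticated, no failure pattern seen"
        hint["unknown"]       = "no known pattern; check pppd option syntax and the full pppd log"
    }
    /pptpd\[[0-9]+\]: CTRL: Client .* control connection started/ {
        n++; ip[n] = $0
        sub(/.*CTRL: Client /, "", ip[n]); sub(/ control.*/, "", ip[n])
        reason[n] = ""; auth[n] = 0
    }
    n == 0 { next }                 # skip anything before the first session
    /MPPE required but (not available|peer negotiation failed)/ { reason[n] = "mppe-mismatch" }
    /LCP: timeout sending Config-Requests/                      { reason[n] = "lcp-timeout" }
    /peer from calling number .* authorized/                    { auth[n] = 1 }
    # "GRE: Bad checksum from pppd." is deliberately not matched: it appears
    # in every session quoted on this page, including ones that go on to
    # authenticate, so by itself it does not explain a failure.
    END {
        for (i = 1; i <= n; i++) {
            if (reason[i] != "") { tok = reason[i] } else if (auth[i]) { tok = "ok" } else { tok = "unknown" }
            printf "session %d client %s: %s - %s\n", i, ip[i], tok, hint[tok]
        }
    }'
}

# Constructed sample: lines copied from the two syslog extracts in the comments.
sample_log() {
    cat <<'EOF'
May 20 08:33:53 localhost pptpd[995]: CTRL: Client xx.xxx.xxx.xxx control connection started
May 20 08:33:53 localhost pptpd[995]: GRE: Bad checksum from pppd.
May 20 08:33:54 localhost pppd[996]: peer from calling number xx.xxx.xxx.xxx authorized
May 20 08:33:54 localhost pppd[996]: LCP terminated by peer (MPPE required but not available)
May 20 08:33:54 localhost pptpd[995]: CTRL: Client xx.xxx.xxx.xxx control connection finished
Jun 11 13:36:01 localhost pptpd[7718]: CTRL: Client 101.119.15.234 control connection started
Jun 11 13:36:02 localhost pptpd[7718]: GRE: Bad checksum from pppd.
Jun 11 13:36:32 localhost pppd[7719]: LCP: timeout sending Config-Requests
Jun 11 13:36:32 localhost pptpd[7718]: CTRL: Client 101.119.15.234 control connection finished
EOF
}

sample_log | pptp_triage
```

Run it as `pptp_triage < /var/log/syslog` (or on a `grep -E 'pptpd|pppd'` extract) to get the verdicts for a real log.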


19 thoughts on “How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user”

    • I did configure an OpenVPN using port 80 previously, but honestly I was just following other people's how-tos on the subject. http://www.slsmk.com/installing-openvpn-on-ubuntu-server-12-04/ I followed that guide. However, if I remember correctly I was receiving errors generating the client certificate. Before you begin the section to generate the server certificates, link the expected openssl to the existing version one before you start: “cd /etc/openvpn/easy-rsa/” then “ln -s openssl-1.0.0.cnf openssl.cnf”

  1. Thanks for the tutorial. Got everything set up but found a major problem.

    I’m using a Mac and I can’t connect to my VPN unless I turn my Encryption to None in System Preferences -> Network.

    Can you help?

    • Well I avoid MAC like the plague, however my co-workers are able to connect using their Mac. What do you see in /var/log/syslog when you try to connect? What authentication is being sent by the mac client by default? You can try to comment refuse-pap refuse-chap and refuse-mschap in the /etc/ppp/pptpd-options by placing a # in front of those lines. I suspect your client is not sending ms-chap-v2 (please note if ms-chap is not being sent then you cannot achieve mppe-128).

      • I’ve spun down the VPS instance and no longer have it at hand. When I press connect, it immediately bounces back with an immediate error: “The PPTP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.” I’ve tried deleting the lines require-mppe-128 and require-mschap-v2 but it did not work.

        However, if I set Encryption from 128 bit to None, it works. But that’s a problem because I would prefer to have Encryption enabled.

        • GC, thanks for the earlier reply. I’ve managed to restore it from an earlier backup:

          sudo cat /var/log/syslog yields these interesting results ->

          May 20 08:33:53 localhost pptpd[995]: CTRL: Client xx.xxx.xxx.xxx control connection started
          May 20 08:33:53 localhost pptpd[995]: CTRL: Starting call (launching pppd, opening GRE)
          May 20 08:33:53 localhost pppd[996]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
          May 20 08:33:53 localhost pppd[996]: pppd 2.4.5 started by root, uid 0
          May 20 08:33:53 localhost pppd[996]: Using interface ppp0
          May 20 08:33:53 localhost pppd[996]: Connect: ppp0 /dev/pts/0
          May 20 08:33:53 localhost pptpd[995]: GRE: Bad checksum from pppd.
          May 20 08:33:54 localhost pppd[996]: peer from calling number xx.xxx.xxx.xxx authorized
          May 20 08:33:54 localhost kernel: [ 53.704341] PPP Deflate Compression module registered
          May 20 08:33:54 localhost pppd[996]: LCP terminated by peer (MPPE required but not available)
          May 20 08:33:54 localhost pptpd[995]: CTRL: EOF or bad error reading ctrl packet length.
          May 20 08:33:54 localhost pptpd[995]: CTRL: couldn’t read packet header (exit)
          May 20 08:33:54 localhost pptpd[995]: CTRL: CTRL read failed
          May 20 08:33:54 localhost pptpd[995]: CTRL: Reaping child PPP[996]
          May 20 08:33:54 localhost pppd[996]: Hangup (SIGHUP)
          May 20 08:33:54 localhost pppd[996]: Modem hangup
          May 20 08:33:54 localhost pppd[996]: Connection terminated.
          May 20 08:33:54 localhost pppd[996]: Exit.
          May 20 08:33:54 localhost pptpd[995]: CTRL: Client xx.xxx.xxx.xxx control connection finished
          May 20 08:33:57 localhost pptpd[1005]: CTRL: Client xx.xxx.xxx.xxx control connection started
          May 20 08:33:57 localhost pptpd[1005]: CTRL: Starting call (launching pppd, opening GRE)
          May 20 08:33:57 localhost pppd[1006]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
          May 20 08:33:57 localhost pppd[1006]: pppd 2.4.5 started by root, uid 0
          May 20 08:33:57 localhost pppd[1006]: Using interface ppp0
          May 20 08:33:57 localhost pppd[1006]: Connect: ppp0 /dev/pts/0
          May 20 08:33:57 localhost pptpd[1005]: GRE: Bad checksum from pppd.
          May 20 08:33:57 localhost pppd[1006]: peer from calling number xx.xxx.xxx.xxx authorized
          May 20 08:33:58 localhost pppd[1006]: LCP terminated by peer (MPPE required but not available)
          May 20 08:33:58 localhost pptpd[1005]: CTRL: EOF or bad error reading ctrl packet length.
          May 20 08:33:58 localhost pptpd[1005]: CTRL: couldn’t read packet header (exit)
          May 20 08:33:58 localhost pptpd[1005]: CTRL: CTRL read failed
          May 20 08:33:58 localhost pppd[1006]: Modem hangup
          May 20 08:33:58 localhost pppd[1006]: Connection terminated.
          May 20 08:33:58 localhost pptpd[1005]: CTRL: Reaping child PPP[1006]
          May 20 08:33:58 localhost pppd[1006]: Exit.
          May 20 08:33:58 localhost pptpd[1005]: CTRL: Client xx.xxx.xxx.xxx control connection finished

          • I’ve tried uncommenting, but nevertheless I could not connect. The error appeared immediately.

            May 20 08:44:38 localhost pppd[810]: peer from calling number xx.xxx.xxx.xxx authorized
            May 20 08:44:38 localhost pppd[810]: LCP terminated by peer (MPPE required but not available)
            May 20 08:44:38 localhost pptpd[809]: CTRL: EOF or bad error reading ctrl packet length.
            May 20 08:44:38 localhost pptpd[809]: CTRL: couldn’t read packet header (exit)
            May 20 08:44:38 localhost pptpd[809]: CTRL: CTRL read failed
            May 20 08:44:38 localhost pppd[810]: Modem hangup
            May 20 08:44:38 localhost pppd[810]: Connection terminated.
            May 20 08:44:38 localhost pptpd[809]: CTRL: Reaping child PPP[810]
            May 20 08:44:38 localhost pppd[810]: Exit.
            May 20 08:44:38 localhost pptpd[809]: CTRL: Client xx.xxx.xxx.xxx control connection finished
            May 20 08:44:50 localhost dbus[355]: [system] Activating service name=’org.freedesktop.ConsoleKit’ (using servicehelper)
            May 20 08:44:50 localhost dbus[355]: [system] Successfully activated service ‘org.freedesktop.ConsoleKit’

          • Okay, this is a pretty common issue and there are several possible causes. Since most of them deal with VPN config, let's get the non-config issues out of the way. 1) Can you connect (with encryption enabled on the server) on any non-Mac device? 2) Are you possibly behind a corporate firewall that would use advanced VPN filtering to prevent you from doing just this? 3) Are you on an extremely outdated version of Mac OS (2007 era)? 4) Are you using MSCHAPv2?

            What it looks like to me is that the client is sending a malformed header. This would happen if you're using an authentication protocol that it could not understand or if the server could not understand the encryption itself.

            Another possibility, it is possible that the chap-secrets file is not being parsed properly, although that usually gives another error it could also cause this.

            Beyond that, you can either do a copy paste of your 3 config files and dump them here, or if there is nothing sensitive (i.e. chap-secrets, personal/company details) we can take this offline and I can take a look.

          • Thanks for the reply.

            1. Don’t have any non-Mac devices at hand, I’m afraid.
            2. Tried using another Internet connection to no avail.
            3. Mac OSX 10.8. Pretty modern OS.
            4. Unsure but I am able to connect to another VPN with encryption enabled.

            I’ve tried using another Internet connection and the problem persists. I’m only able to connect if Encryption is set to None. Which three config files do you want to look at?

            sudo nano /etc/pptpd.conf

            option /etc/ppp/pptpd-options
            logwtmp
            bcrelay eth0
            localip 198.199.112.83
            remoteip 192.168.10.100-120
            netmask 255.255.255.0

            sudo nano /etc/ppp/pptpd-options

            name pptpd
            refuse-pap
            refuse-chap
            refuse-mschap
            ms-dns 8.8.8.8
            ms-dns 8.8.4.4
            #ms-wins 10.0.0.3
            #ms-wins 10.0.0.4
            proxyarp
            nodefaultroute
            #debug
            #dump
            netmask 255.255.255.0
            lock
            nobsdcomp

            /etc/ppp/chap-secrets

            # Secrets for authentication using CHAP
            # client server secret IP addresses

            pptp * asdjflkasdjkfkladfs *
            pptp2 * asdjflkasdjkfkladfs *

          • Well, let's try this way. I have a machine that I have configured and have verified that it is able to connect using MSChap2 and MPPE. Can you please check if you can connect? If this works for you, great; if not I will borrow a Mac tomorrow and write the steps that I follow to connect. Please let me know once you have connected (or failed) so I can edit this comment and destroy the server.

          • Wow, that is disappointing. I had three people test on this instance with Mountain Lion and they were all able to connect. We have over 25 Macs in an office that connect to a similar but larger VPN instance. However, to me a Mac is a big brick with a single-button mouse, so I am happy to stand corrected or to know of other configuration options that may affect this. I asked someone to make a set of instructions for how they are connecting, but since this is your primary OS, I will have to give you the benefit of the doubt that you are doing it correctly. I will update those instructions to connect next week (we are a bit busy). I will tentatively write some Mac OS in the title. I am sorry Johnington. I did however just see something cool that may interest you: https://www.boxpn.com/ . It seems that boxpn is offering low cost VPN instances. And with someone who can afford to do the networking for you it will probably work better! The downside is they don't support gaming :| or peer to peer.

        • This is intensely strange because I am able to connect to another VPN (non-Digital Ocean). It’s probably something to do with the network that I am on at the moment. I will try to test it on another network sometime later.

          Are the three config files that I’ve posted up fine? For the remote IP, should it have the same IP as the localip? I’m not really sure what it is for.

          Thanks in advance.

  2. All of a sudden it’s stopped working over iPhone 3G, works on multiple devices on home wifi though.

    Any ideas?

      • Hi, Yes the VPN on phone works on Wifi. When I use iPhone personal hotspot to share the internet to my mac the VPN fails as well so the provider dropping packets sounds right. However I can connect using Tunnel Bear on 3G and it did work before for about a month.

        • sudo cat /var/log/syslog

          Jun 11 13:36:01 localhost pptpd[7718]: CTRL: Client 101.119.15.234 control connection started
          Jun 11 13:36:02 localhost pptpd[7718]: CTRL: Starting call (launching pppd, opening GRE)
          Jun 11 13:36:02 localhost pppd[7719]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
          Jun 11 13:36:02 localhost pppd[7719]: pppd 2.4.5 started by root, uid 0
          Jun 11 13:36:02 localhost pppd[7719]: Using interface ppp0
          Jun 11 13:36:02 localhost pppd[7719]: Connect: ppp0 /dev/pts/1
          Jun 11 13:36:02 localhost pptpd[7718]: GRE: Bad checksum from pppd.
          Jun 11 13:36:32 localhost pppd[7719]: LCP: timeout sending Config-Requests
          Jun 11 13:36:32 localhost pppd[7719]: Connection terminated.
          Jun 11 13:36:32 localhost pppd[7719]: Modem hangup
          Jun 11 13:36:32 localhost pppd[7719]: Exit.
          Jun 11 13:36:32 localhost pptpd[7718]: GRE: read(fd=6,buffer=6075c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
          Jun 11 13:36:32 localhost pptpd[7718]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
          Jun 11 13:36:32 localhost pptpd[7718]: CTRL: Reaping child PPP[7719]
          Jun 11 13:36:32 localhost pptpd[7718]: CTRL: Client 101.119.15.234 control connection finished
