How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user
As the current reality stands, there are many reasons to have a VPN these days. Justifications range from the mundane (not wanting your language to change in foreign countries) all the way up to legitimately protecting free speech. With so many sub-par or insecure sites offering this service, and the insane charges these companies ask, here is a simple solution: get yourself a Digital Ocean VPS. The lowest cost per droplet (their name for a virtual server) is US$5 per month, and it is charged only for the hours it is provisioned. So if you only need a server one week a month, that's all you pay for (US$1.25). Just remember to make a backup and remove the droplet so you are not continually charged.
First, I have verified that this works with the default clients for iPhone 4, iPhone 5, Windows 7, Mac OS, Android (ICS), and I am sure many others. So let's get on with the configuration. I make no promises that this will work with other VPS solutions, but it may.
Update: I have also verified that this works on Amazon EC2. (The only modification is that Amazon does not start you off logged in as root, so you will need to type "sudo su" before completing these instructions.)
Let's start from the very first terminal/console session you make with your new droplet after you log in. When you log in, you will notice that you are root (tsk.. tsk…), but that makes everything simpler for us, so let's just roll with it, shall we?
First, let's apply those updates:
apt-get update
apt-get upgrade
reboot now
My prerogative is to make you use vim because that’s what I prefer. You can use whatever you want, just replace vim with nano or vi or whatever.
apt-get install vim
For security's sake you will want to create a new user (replace cynic with whatever you want).
Follow the prompts (you don't need to set useless fields like phone numbers).
Now let's give this user admin rights by adding it to the sudo group (the ability to use sudo):
usermod -aG sudo cynic
Now let's make your SSH more secure. The most frequent attack is a brute force over SSH on port 22; simply changing the port makes you much safer.
In /etc/ssh/sshd_config find this:
Replace it with this (or whatever port you want):
Also in /etc/ssh/sshd_config find this:
Replace it with this:
Prevent IP Spoofing
In /etc/host.conf add this to the bottom of the file:
Install VPN Tunnel
apt-get install pptpd
In /etc/ppp/chap-secrets add one line for each user you want to authenticate.
When you are adding data to this file, use tab to create the spacing. Although it may not appear that way in this post, there are tabs between the username, the asterisk, the password and the last asterisk.
# Secrets for authentication using CHAP
# client    server    secret      IP addresses
user11      *         s83udh2h    *
user        *         8sku2hd     *
Open /etc/pptpd.conf and replace the entire file with this, but make sure to change the local IP. The local IP is the IP of your server (the one sent to you when you created the new droplet). If you want, you can modify the remote IP range; this is the range of IPs that you will hand out to clients over DHCP. I have allowed for 21 connections below.
option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 184.108.40.206
remoteip 192.168.10.100-120
netmask 255.255.255.0
Now let's edit the options file, /etc/ppp/pptpd-options.
Replace the entire file with this:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 220.127.116.11
ms-dns 18.104.22.168
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
nodefaultroute
#debug
#dump
netmask 255.255.255.0
lock
nobsdcomp
Purge all iptables rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Verify the tables are clean.
It should return something like this:
Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 2144 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now let's enable forwarding.
In /etc/sysctl.conf uncomment the following line (remove the #):
Apply the change:
Set up the forwarding rules:
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
It should be noted that the "iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" command adds peer communication (meaning two clients connected to the VPN will be able to ping and communicate with each other), so you can use ICMP, Samba, or whatever else.
It should also be noted that "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" solves a problem with MTU size variations (make sure to check this rule if you are unable to load some websites while others work fine).
Now we must save the rules and set them to be restored on reboot:
sh -c "iptables-save > /etc/iptables.rules"
Create a new file /etc/network/if-pre-up.d/iptablesload with the following contents:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
Make your script executable:
chmod +x /etc/network/if-pre-up.d/iptablesload
Automatically ban hosts that brute-force:
apt-get install denyhosts fail2ban
Update the SSH port that fail2ban monitors.
In /etc/fail2ban/jail.conf find this:
port = ssh
Replace it with this:
port = 102
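As an added example (not from the original post), a small POSIX sh script that checks the files edited above before you reboot: that fail2ban's [ssh] jail bans the same port sshd is configured to listen on, that every chap-secrets entry has the four fields pppd expects, and that chap-secrets is readable by root only. The script name check-config.sh and the paths it takes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the files the
# walkthrough edits, taking explicit paths so they can be run against copies.

# First "Port" directive in an sshd_config (sshd defaults to 22 when unset).
sshd_port() {
    awk 'tolower($1) == "port" && p == "" { p = $2 }
         END { print (p == "" ? 22 : p) }' "$1"
}

# "port = ..." value inside the named [section] of a fail2ban jail file.
fail2ban_port() {
    awk -v sect="$2" '
        /^\[/ { in_sect = ($0 == ("[" sect "]")) }
        in_sect && $1 == "port" { print $3; exit }' "$1"
}

# fail2ban only protects sshd when the [ssh] jail bans the port sshd really
# listens on; changing the port in one file but not the other leaves a gap.
ports_match() {
    [ "$(sshd_port "$1")" = "$(fail2ban_port "$2" ssh)" ]
}

# Each non-comment chap-secrets entry needs the four whitespace-separated
# fields pppd expects (client, server, secret, IP); a lost tab breaks login.
chap_secrets_ok() {
    awk '!/^[ \t]*#/ && NF > 0 && NF != 4 {
             print "line " NR ": expected 4 fields, got " NF > "/dev/stderr"
             bad = 1 }
         END { if (bad) exit 1 }' "$1"
}

# chap-secrets holds the VPN passwords in clear text, so it should be
# readable by root only (mode 0600).
chap_secrets_private() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Usage: sh check-config.sh /etc/ssh/sshd_config /etc/fail2ban/jail.conf /etc/ppp/chap-secrets
if [ "$#" -eq 3 ]; then
    ports_match "$1" "$2" && echo "sshd and fail2ban ports match" || echo "PORT MISMATCH"
    chap_secrets_ok "$3" && echo "chap-secrets format ok"
    chap_secrets_private "$3" && echo "chap-secrets permissions ok" || echo "chap-secrets readable by others"
fi
```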
Let's get it all over with:
The next time you log in to your server, make sure to use port 102 instead of 22 (or whatever you happened to change it to). You should be able to use pptpd now. If you used exactly the configuration settings above, your new login information is:
VPN Type: PPTP
Server: 22.214.171.124
User: user11
Password: s83udh2h
With these settings I have confirmed that the following can connect with the OS default PPTP adapter: Windows 7, Windows 8, Mac OS X, iPhone 4S (iOS 6.1.1), iPhone 5 (iOS 6.1), Ubuntu 13.04 x64. I am sure many others work. I am successfully using Ubuntu Samba and Windows broadcasts, and am able to play games on Windows over this VPN.
Problem 1 – You're unable to connect to the VPN, and reviewing /var/log/syslog you find the following:
GRE: Bad checksum from pppd.
MPPE required but peer negotiation failed
GRE: read(fd=6,buffer=80504c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
In many cases this is because the client trying to connect is not sending its authentication using MPPE. If it's a Linux machine, you likely need to turn on encryption in your VPN settings. If it is a router, and you have ensured that you have set encryption, it is likely a router limitation and you will need to remove the require-mppe-128 and require-mschap-v2 options from /etc/ppp/pptpd-options (note that without require-mppe-128 the tunnel can be negotiated with no encryption at all, so the traffic it carries crosses the internet in the clear).
Problem 2 – You connect to the VPN and have internet, but cannot ping other machines on your VPN.
Likely this is due to a routing or configuration issue. Make sure bcrelay is enabled for eth0 in /etc/pptpd.conf. Make sure proxyarp is enabled in /etc/ppp/pptpd-options. Then follow the best guide I have ever seen on the subject at http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml (my hat's off to the creator) to troubleshoot.
Problem 3 – You can connect to the VPN but you are not getting internet.
Likely this is due to your DNS server. Make sure you are using the correct DNS in /etc/ppp/pptpd-options. Try using Google's DNS servers: ms-dns 126.96.36.199 and ms-dns 188.8.131.52.