How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

As the current reality stands, there are so many reasons to have a VPN these days. Justifications range from the mundane not wanting your language to change in foreign countries, all the way up to legitimately protecting free speech. With so many sub-par or insecure sites offering this service, and the insane charges that these company ask here is a simple solution. Get yourself a Digital Ocean VPS. The lowest cost per droplet (their name for a virtual server) is US$5 per month, and it is charged only by the hours that it is provisioned. So if you only need a server one week a month… thats all you pay for (US$1.25). Just remember to make a backup, and remove the ‘droplet’ so you are not continually charged.

First, I have verified that this works with default clients for iphone4, iphone5, windows 7, Mac OS, android (ics), and I am sure many others. So lets get on with the configuration. I make no promises that this will work with other VPS solutions but it may.

Update: I have also verified that this works on Amazon EC2. (the only modification is Amazon does not start you off logged in as a root user so you will need to type “sudo su” before completing these instructions)

Lets start from the very first terminal/console session you make with your new droplet after you log in. When you log in, you will notice that you are root (tsk.. tsk…), but that makes everything simpler for us lets just roll with it shall we?

First, lets apply those updates:

apt-get update
apt-get upgrade
reboot now

My prerogative is to make you use vim because that’s what I prefer. You can use whatever you want, just replace vim with nano or vi or whatever.

apt-get install vim

You will for security sake want to create a new user (replace cynic with whatever you want)

 adduser cynic

Follow prompts (you don’t need to set useless fields like phone numbers)

Now lets make this user have admin rights and the sudoer right (ability to use sudo)

usermod -aG sudo cynic

Now lets make your ssh more secure (the most frequent attack is a brute force over ssh on port 22) simply changing the port makes you much safer.

vim /etc/ssh/sshd_config

In /etc/ssh/sshd_config Find this

Port 22

Replace with this (or whatever you want)

Port 102

Also in /etc/ssh/sshd_config Find this

PermitRootLogin yes

Replace with this

PermitRootLogin no

Prevent IP Spoofing

vim /etc/host.conf

In /etc/host.conf Add this to the bottom of the file

nospoof on

Install VPN Tunnel

apt-get install pptpd

In /etc/ppp/chap-secrets add one line for each user you want to authenticate

vim /etc/ppp/chap-secrets

When you are adding data to this file, use tab to create spacing, although it may not appear that way in this post, those are tabs between the username, asterisk and password and the last asterisk.

# Secrets for authentication using CHAP
# client server secret IP addresses
user11 * s83udh2h *
user * 8sku2hd *

Open the /etc/pptpd.conf

vim /etc/pptpd.conf

In /etc/pptpd.conf replace the entire file with this, but make sure to change the local ip. The local is the ip of your server (this is the ip sent to you when your created a new droplet). If you want, you can modify the remote ip. This is the range of ips that you will provide dhcp for. I have allowed for 21 connections below.

option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 198.142.70.106
remoteip 192.168.10.100-120
netmask 255.255.255.0

Now lets edit the options

vim /etc/ppp/pptpd-options

In /etc/ppp/pptpd-options

Replace the entire file with this:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
nodefaultroute
#debug
#dump
netmask 255.255.255.0
lock
nobsdcomp

Purge all iptable rules

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Verify the tables are clean

iptables -nvL

It should return something like this

Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 2144 bytes)
 pkts bytes target prot opt in out source destination

Now lets enable forwarding

vim /etc/sysctl.conf

In /etc/sysctl.conf uncomment the following line (remove the #)

net.ipv4.ip_forward=1

Apply the change

sysctl -p

Setup forwarding rules

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables --table nat --append POSTROUTING   --out-interface ppp0 --jump MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It should be noted that the “iptables –table nat –append POSTROUTING   –out-interface ppp0 –jump MASQUERADE” command will be adding peer communication (meaning two connected clients to the vpn will be able to ping and communicate with each other) so you can use icmp, samba, or whatever else.

It should also be noted that “iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu” will solve a problem with MTU size variations (make sure to check this rule if you are unable to load some wbsites, but others work fine).

Now we must save the rules and set them to restore on reboot

sh -c "iptables-save > /etc/iptables.rules"

Create new file /etc/network/if-pre-up.d/iptablesload

vim /etc/network/if-pre-up.d/iptablesload

Update /etc/network/if-pre-up.d/iptablesload with the following:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Make your script executable

chmod +x /etc/network/if-pre-up.d/iptablesload

Automatically ban hosts that bruteforce

apt-get install denyhosts fail2ban

Update the ssh port to monitor

vim /etc/fail2ban/jail.conf

In /etc/fail2ban/jail.conf Find this

port = ssh

Replace with this

port = 102

Lets get it all over with

reboot

Now next time you login to your server make sure to use port 102 instead of 22 (or whatever you happened to change it to). You should be able to use pptpd now. if you were to have literally used all the configuration settings above your new login information is:

VPN Type: PPTP
Server: 198.14.7.31
User: user11
Password: s83udh2h

With these settings I have confirmed the following can connect with the OS default PPTP adapter: Windows 7, Windows 8, Mac OSX, Iphone 4s (IOS6.1.1), Iphone 5 (IOS 6.1), Ubuntu 13.04 x64. I am sure many others work. I sucessfully am using ubuntu samba, windows broadcasts and am able to play games on windows using this VPN.

Common problems:

Problem 1 – Your unable to connect to the VPN and reviewing the /var/log/syslog you find the following:
GRE: Bad checksum from pppd.
MPPE required but peer negotiation failed
GRE: read(fd=6,buffer=80504c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

Solution 1:
In many cases this is due to the fact that the client trying to connect is not sending its authorizaton using mppe. If its a linux machine, likely you need to turn on encyrption in your vpn settings. If this is a router, and you have ensured that you have set enyrption, likely it is a router limitation and you will need to remove the require-mppe-128 and require-mschap-v2 options from /etc/ppp/pptpd-options.

Problem 2 – You connect to the VPN and have internet, but cannot ping other machines on your VPN

Solution 2:
Likely this is due to a routing or configuration issue. Make sure bcrelay is enabled for eth0 in /etc/pptpd.conf. Make sure sure proxyarp is enabled in /etc/ppp/pptpd-options. Then follow the best guide I have ever seen on the subject at http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml (my hats off to the creator) to troubleshoot.

Problem 3 – You can connect to the VPN but you are not getting internet.

Solution 3:
Likely this is due to your dns server. Make sure you are using the correct dns in /etc/ppp/pptpd-options. Try using googles dns servers ms-dns 8.8.8.8 ms-dns 8.8.4.4.

A Traditionalists Guide to Configure – Ubuntu 11.10 Oneiric Ocelot

If your a traditionalist, you obviously want to get rid of the cumbersome left bar now configured by default in Ubuntu. Most likely you dont want it, dont need it, dont want to adjust to it, and had you wanted it you would have purchased an {insert shiver here} Apple (even then you would expect it to be customizable and not be bound to the left). Since Ubuntu 9.10 I, like many others, have spent their time systematically breaking, circumventing and cursing to the gods names like Shuttleworth. Well, since it has been made clear that no matter how many people do not like this new shit uhmm… functionality, it will proceed anyway, I have decided its time to move on.

Documented here is the simplest path (that I have found) to configuring Ubuntu the way that it should be out of the box. I have left the packages separate to make it easier to decide what a person wants or does not:

1) Ignoring Unity

From a terminal run the following commands
sudo apt-get install gnome-shell
sudo apt-get install gnome-session-fallback
If you want to move the buttons to the right run this command from terminal
gconftool-2 –set “/apps/metacity/general/button_layout” –type string “:minimize,maximize,close”
Now, you have spent enough time with Unity, go ahead and logout.
Now login again, click the settings icon, and choose Gnome Classic

2)Fix Dependencies (NEEDED FOR X64 VERSIONS ONLY)

sudo apt-get -f install

3) Install Chrome

I personally prefer to use Chrome instead of Chromium
Go HERE (or browse to Google yourself to download Chrome)
Download the deb Package (either 32 or 64 bit)
Only 32 bit just open the package to install
On 64 bit run the following from terminal (assuming you downloaded to the default firefox path)
sudo dpkg -i ‘./Downloads/google-chrome-stable_current_amd64.deb’
If you have some trouble with the install try the following command from terminal
sudo apt-get install libnspr4-0d libnss3-1d libxss1 libcurl3
then run dpkg again.
Install support for ffmpeg in Chrome (if your not using Chrome or Chromium skip this)
sudo apt-get install chromium-codecs-ffmpeg-extra

4) Install support for DVD playback and ‘proprietary’ codecs

sudo apt-get install ubuntu-restricted-extras
sudo apt-get install libdvdread4
sudo /usr/share/doc/libdvdread4/install-css.sh

5) Install support for you webcam

sudo apt-get install cheese

6) Install VLC Media Player

sudo apt-get install vlc

7) Install Dropbox

sudo apt-get install nautilus-dropbox

8) Install Pysdm (a lazy mans tool for automatically mounting windows or other partitions)

sudo apt-get install pysdm

9) Install audacious

sudo apt-get install audacious