How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

As the current reality stands, there are so many reasons to have a VPN these days. Justifications range from the mundane not wanting your language to change in foreign countries, all the way up to legitimately protecting free speech. With so many sub-par or insecure sites offering this service, and the insane charges that these company ask here is a simple solution. Get yourself a Digital Ocean VPS. The lowest cost per droplet (their name for a virtual server) is US$5 per month, and it is charged only by the hours that it is provisioned. So if you only need a server one week a month… thats all you pay for (US$1.25). Just remember to make a backup, and remove the ‘droplet’ so you are not continually charged.

First, I have verified that this works with default clients for iphone4, iphone5, windows 7, Mac OS, android (ics), and I am sure many others. So lets get on with the configuration. I make no promises that this will work with other VPS solutions but it may.

Update: I have also verified that this works on Amazon EC2. (the only modification is Amazon does not start you off logged in as a root user so you will need to type “sudo su” before completing these instructions)

Lets start from the very first terminal/console session you make with your new droplet after you log in. When you log in, you will notice that you are root (tsk.. tsk…), but that makes everything simpler for us lets just roll with it shall we?

First, lets apply those updates:

apt-get update
apt-get upgrade
reboot now

My prerogative is to make you use vim because that’s what I prefer. You can use whatever you want, just replace vim with nano or vi or whatever.

apt-get install vim

You will for security sake want to create a new user (replace cynic with whatever you want)

 adduser cynic

Follow prompts (you don’t need to set useless fields like phone numbers)

Now lets make this user have admin rights and the sudoer right (ability to use sudo)

usermod -aG sudo cynic

Now lets make your ssh more secure (the most frequent attack is a brute force over ssh on port 22) simply changing the port makes you much safer.

vim /etc/ssh/sshd_config

In /etc/ssh/sshd_config Find this

Port 22

Replace with this (or whatever you want)

Port 102

Also in /etc/ssh/sshd_config Find this

PermitRootLogin yes

Replace with this

PermitRootLogin no

Prevent IP Spoofing

vim /etc/host.conf

In /etc/host.conf Add this to the bottom of the file

nospoof on

Install VPN Tunnel

apt-get install pptpd

In /etc/ppp/chap-secrets add one line for each user you want to authenticate

vim /etc/ppp/chap-secrets

When you are adding data to this file, use tab to create spacing, although it may not appear that way in this post, those are tabs between the username, asterisk and password and the last asterisk.

# Secrets for authentication using CHAP
# client server secret IP addresses
user11 * s83udh2h *
user * 8sku2hd *

Open the /etc/pptpd.conf

vim /etc/pptpd.conf

In /etc/pptpd.conf replace the entire file with this, but make sure to change the local ip. The local is the ip of your server (this is the ip sent to you when your created a new droplet). If you want, you can modify the remote ip. This is the range of ips that you will provide dhcp for. I have allowed for 21 connections below.

option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 198.142.70.106
remoteip 192.168.10.100-120
netmask 255.255.255.0

Now lets edit the options

vim /etc/ppp/pptpd-options

In /etc/ppp/pptpd-options

Replace the entire file with this:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
nodefaultroute
#debug
#dump
netmask 255.255.255.0
lock
nobsdcomp

Purge all iptable rules

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Verify the tables are clean

iptables -nvL

It should return something like this

Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 2144 bytes)
 pkts bytes target prot opt in out source destination

Now lets enable forwarding

vim /etc/sysctl.conf

In /etc/sysctl.conf uncomment the following line (remove the #)

net.ipv4.ip_forward=1

Apply the change

sysctl -p

Setup forwarding rules

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables --table nat --append POSTROUTING   --out-interface ppp0 --jump MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It should be noted that the “iptables –table nat –append POSTROUTING   –out-interface ppp0 –jump MASQUERADE” command will be adding peer communication (meaning two connected clients to the vpn will be able to ping and communicate with each other) so you can use icmp, samba, or whatever else.

It should also be noted that “iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu” will solve a problem with MTU size variations (make sure to check this rule if you are unable to load some wbsites, but others work fine).

Now we must save the rules and set them to restore on reboot

sh -c "iptables-save > /etc/iptables.rules"

Create new file /etc/network/if-pre-up.d/iptablesload

vim /etc/network/if-pre-up.d/iptablesload

Update /etc/network/if-pre-up.d/iptablesload with the following:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Make your script executable

chmod +x /etc/network/if-pre-up.d/iptablesload

Automatically ban hosts that bruteforce

apt-get install denyhosts fail2ban

Update the ssh port to monitor

vim /etc/fail2ban/jail.conf

In /etc/fail2ban/jail.conf Find this

port = ssh

Replace with this

port = 102

Lets get it all over with

reboot

Now next time you login to your server make sure to use port 102 instead of 22 (or whatever you happened to change it to). You should be able to use pptpd now. if you were to have literally used all the configuration settings above your new login information is:

VPN Type: PPTP
Server: 198.14.7.31
User: user11
Password: s83udh2h

With these settings I have confirmed the following can connect with the OS default PPTP adapter: Windows 7, Windows 8, Mac OSX, Iphone 4s (IOS6.1.1), Iphone 5 (IOS 6.1), Ubuntu 13.04 x64. I am sure many others work. I sucessfully am using ubuntu samba, windows broadcasts and am able to play games on windows using this VPN.

Common problems:

Problem 1 – Your unable to connect to the VPN and reviewing the /var/log/syslog you find the following:
GRE: Bad checksum from pppd.
MPPE required but peer negotiation failed
GRE: read(fd=6,buffer=80504c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

Solution 1:
In many cases this is due to the fact that the client trying to connect is not sending its authorizaton using mppe. If its a linux machine, likely you need to turn on encyrption in your vpn settings. If this is a router, and you have ensured that you have set enyrption, likely it is a router limitation and you will need to remove the require-mppe-128 and require-mschap-v2 options from /etc/ppp/pptpd-options.

Problem 2 – You connect to the VPN and have internet, but cannot ping other machines on your VPN

Solution 2:
Likely this is due to a routing or configuration issue. Make sure bcrelay is enabled for eth0 in /etc/pptpd.conf. Make sure sure proxyarp is enabled in /etc/ppp/pptpd-options. Then follow the best guide I have ever seen on the subject at http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml (my hats off to the creator) to troubleshoot.

Problem 3 – You can connect to the VPN but you are not getting internet.

Solution 3:
Likely this is due to your dns server. Make sure you are using the correct dns in /etc/ppp/pptpd-options. Try using googles dns servers ms-dns 8.8.8.8 ms-dns 8.8.4.4.