Ubuntu: Easiest way to setup Ubuntu as a VPN server


I know there are many tutorials on the net for setting up VPN client and server.

I you find one that is simple/short, I am interested only in the server part.

For client, I will use OS X so I prefer a solution that uses L2TP over IPsec or PPTP because I suppose Cisco IPsec would cost something.

I don't want to spent too many hours setting it up. You know, maybe someone already made a setup script :)

Note: I am using an EC2 micro instance running Ubuntu 12.04 on it.


UPDATE: As of Sierra, macOS no longer supports PPTP vpn. This answer is not valid for macOS clients Sierra and beyond.

PPTP via PoPToP is easy

  1. apt-get install pptpd
  2. edit /etc/pptpd.conf and set the remoteip option to a range on your network that is NOT served by your DHCP server.
  3. edit /etc/ppp/chap-secrets and add a username and password


vpnuser pptpd vpnpassword *  

This is all it takes to setup pptp. Now test it with your OS X client.


WARNING: PPTP IS AN INSECURE PROTOCOL! Not only has the encryption been breached, but it sends your authentication in clear text and is easily intercepted. It has been estimated that the amount of time required to brute-force the password is roughly equivalent to the time required to brute-force a single DES key. Consider using OpenVPN or another VPN architecture instead of PPTP!

I used this guide to set up a PPTP VPN server on my Ubuntu 12.04 server.

To summarize the main points in the link, though:

1: Install pptpd and ufw. iptables can be used in place of ufw, but for the sake of easiness, ufw is better if you don't know iptables.

sudo apt-get install pptpd ufw

2: Open the ports needed. The guide suggests 22 (SSH) and 1723 for the pptp vpn.

sudo ufw allow 22  sudo ufw allow 1723  sudo ufw enable

3: Edit /etc/ppp/pptpd-options. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/pptpd-options), and comment out these lines by putting a # before them, if you want this to work universally on all OSes:

refuse-pap  refuse-chap  refuse-mschap

You can comment this line if you want to disable encryption: require-mppe-128

4: While editing /etc/ppp/pptpd-options, add DNS servers for the VPN. This example uses OpenDNS servers:

ms-dns  ms-dns

5: Edit /etc/pptpd.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/pptpd.conf). You need to add the local VPN IPs for the system, so add:

localip  remoteip

If your system is a VPS, use the public IP for "localip". If it is not and is on a local network, use your computer's network IP. Use different IPs and ranges if these IPs exist on your subnet! If you don't know your public IP of your VPS, find it by running dig +short myip.opendns.com @resolver1.opendns.com

6: Edit /etc/ppp/chap-secrets. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/ppp/chap-secrets), and add the auth data.
The format for /etc/ppp/chap-secrets is:

[Username] [Service] [Password] [Allowed IP Address]

An example would be: sampleuser pptpd samplepassword *

7: Restart pptpd. Run this command in terminal: sudo /etc/init.d/pptpd restart

8: Edit /etc/sysctl.conf. Open the file with your favorite editor (mine's nano, so the command for me is sudo nano /etc/sysctl.conf). Un-comment the following line (by removing the # at the beginning of it) in /etc/sysctl.conf: net.ipv4.ip_forward=1
Reload the configuration: sudo sysctl -p

9: This step assumes you have ufw.
Edit /etc/default/ufw and change the option DEFAULT_FORWARD_POLICY from DROP to ACCEPT

10: This step assumes you have ufw.
Edit /etc/ufw/before.rules, and add the following either at the beginning of /etc/ufw/before.rules or just before the *filter rules (recommended):

# NAT table rules  *nat    :POSTROUTING ACCEPT [0:0]  # Allow forward traffic to eth0  -A POSTROUTING -s -o eth0 -j MASQUERADE    # Process the NAT table rules  COMMIT

If you have kernel version 3.18 and newer (you can check this by running uname -r), also add the following lines before the # drop INVALID packets ... line:

-A ufw-before-input -p 47 -j ACCEPT  

11: Restart the firewall, to refresh the rule sets and to apply the rules we added to the /etc/ufw/*.rules files: sudo ufw disable && sudo ufw enable

Warning: If you have other ports you need open, such as for HTTPS if your server hosts a website, you need to individually add those ports to the allowed list with sudo ufw allow <PORT>


PPTP VPN on Ubuntu 12.04 Example

Here is a quick tutorial to set up a basic PPTP VPN server on Ubuntu 12.04.

Install Necessary Packages

                          sudo apt-get install ppp pptpd  

Configure PPTP IP Ranges on the Server

                          sudo nano /etc/pptpd.conf  

Add the following lines in end

                          localip                            remoteip  

This sets up the PPTP server to use IP while distributing the IP range to to PPTP clients. Change these as you wish as long as they are private IP addresses and do not conflict with IP addresses already used by your server.

Configure DNS Servers to Use When Clients Connect to this PPTP Server

                          sudo nano /etc/ppp/pptpd-options  

Modify OR Add the following lines in end

                          ms-dns                            ms-dns  

Create a PPTP User

                          sudo nano /etc/ppp/chap-secrets  

Append a line at the bottom so your file looks something like:

                          # client    server  secret          IP addresses                            test        pptpd   abcd1234        *  

Configure NAT for PPTP Connections

Without this step you will be able to connect but your connection will not be able to load any web connection from this server.

                          sudo nano /etc/rc.local  

Add the following to the bottom right before “exit 0” line:

                          iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  

Assuming eth0, you can use ifconfig to check network name.

Enable IPv4 forwading:

                          sudo nano /etc/sysctl.conf  

Uncomment the following line:


Then reload the configuration:

                          sudo sysctl -p  

Reboot your VPS and everything should work swimmingly from any PPTP client.

Client side configuration

For Mac, make sure you added PPTP VPN connection. Besides that you only need to setup server address, account name, and password in authentication settings. No pain here.

For Linux, NetworkManager to add VPN connections. Make sure you added PPTP VPN connection. And the configuration I use is here:

How To Debug and Fix PPTP/VPN Client Connection

enter image description here

And for Windows

enter image description here


The other answers on this thread were only partial answers in my case. Here's what worked for me on Ubuntu 12.04.3

sudo apt-get install pptpd  

Append the following to /etc/pptpd.conf (IP Address does not matter, this is only IP Addresses for your ppp0 interface.)

localip  remoteip  

Add DNS Servers to /etc/ppp/pptpd-options

ms-dns  ms-dns  

Enable IP Forwarding

sudo vim /etc/sysctl.conf  

Uncomment this line


Save changes

sudo sysctl -p /etc/sysctl.conf  

Edit /etc/ppp/chap-secrets, add a VPN user in this format:

# Secrets for authentication using CHAP  # client    server  secret          IP addresses  username pptpd supersecretpassword *  

Restart PPTP

service pptpd restart  

Run ifconfigand find your default interface, in my case it was br0 (I changed it to allow virtual machines on my physical machine to share the interface. Yours will probably be en0)

enter image description here

Back up iptables

iptables-save > ~/iptables.save  

Now make your iptables changes use your default interface as revealed by ifconfig.

iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE  iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE  iptables -I INPUT -s -i ppp0 -j ACCEPT  iptables --append FORWARD --in-interface br0 -j ACCEPT  

To keep it persistent when your system reboots;

sudo apt-get install iptables-persistent  

Add VPN on client computer (Mac)

System Preferences > Network > [+] > VPN

enter image description here

enter image description here

Then choose Authentication settings > Password, then fill in your password here

enter image description here


Here's a pretty sweet project that scripts away the OpenVPN pain:


Just run it and it will install open vpn and configure it. At the end it will pop out a client.ovpn file that you can use to setup you client. Seems to work pretty well.

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »