Raspberry Pi PPTP VPN

From ivc wiki
Revision as of 15:00, 13 November 2012 by Ivc (talk | contribs)

The RPI unit is a perfect candidate to function as a VPN gateway, either at home or in a remote datacenter (tip: free hosting at EDIS in Austria, as of November 2012).

This will work on any Debian based Raspberry Pi distribution.

Install PPTP

The protocol used here is PPTP (Point-to-Point Tunneling Protocol). Install the PPTP daemon and the PPP packages it depends on using the following command.

sudo apt-get install pptpd

Configure PPTP

Now configure PPTP with the local and remote private IP addresses it should use. Edit the configuration file.

sudo nano /etc/pptpd.conf

At the end of the file, append the following lines. You can use any IP range you want; these addresses are allocated internally to the VPN system (localip is the server's end of the tunnel, remoteip the pool handed out to connecting clients).

localip 10.1.3.37
remoteip 10.1.3.70-79

Now edit the PPTP options file.

sudo nano /etc/ppp/pptpd-options

Append the following lines to specify the DNS server pushed to clients (using Google's public one), disable the BSD-Compress and IPX protocols, and set the packet sizes (MTU/MRU).

ms-dns 8.8.8.8
nobsdcomp
noipx
mtu 1490
mru 1490
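The remoteip value is easy to get wrong when typed by hand (an extra octet, a reversed range, or a pool that swallows the server's own localip), and pptpd will not start cleanly on a bad value. The following shell script is an added example, not part of this wiki page: it validates a localip/remoteip pair in the form used above (a dotted-quad localip and a last-octet range such as 10.1.3.70-79) and only then appends the two directives to a pptpd.conf whose path you pass in, so it can be tried on a scratch file first. The function names and the script name in the usage line are my own.

```shell
#!/bin/sh
# Added check for the two address directives written to /etc/pptpd.conf.
# Not part of the wiki page; it validates values of the form the page uses
# (a single dotted-quad localip and a last-octet remoteip range) before
# they are appended to the file.

# Return 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
valid_ipv4() {
    old_ifs=$IFS
    set -f                      # no pathname expansion while splitting
    IFS=.
    set -- $1
    IFS=$old_ifs
    set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a remoteip value in the page's form: A.B.C.D-E, meaning
# A.B.C.D through A.B.C.E with D < E <= 255. A plain address is also accepted.
# (pptpd also takes full-address ranges and comma lists; not checked here.)
valid_remoteip() {
    case $1 in
        *-*)
            base=${1%-*}        # everything before the last '-'
            hi=${1##*-}         # everything after it
            valid_ipv4 "$base" || return 1
            lo=${base##*.}
            case $hi in ''|*[!0-9]*) return 1 ;; esac
            [ "$lo" -lt "$hi" ] && [ "$hi" -le 255 ]
            ;;
        *)
            valid_ipv4 "$1"
            ;;
    esac
}

# Check a localip/remoteip pair: both must parse, and the server's own
# address must not fall inside the pool handed out to clients.
check_pool_config() {
    local_ip=$1
    pool=$2
    if ! valid_ipv4 "$local_ip"; then
        echo "bad localip: $local_ip" >&2
        return 1
    fi
    if ! valid_remoteip "$pool"; then
        echo "bad remoteip: $pool" >&2
        return 1
    fi
    case $pool in
        *-*)
            base=${pool%-*}
            hi=${pool##*-}
            lo=${base##*.}
            last=${local_ip##*.}
            if [ "${base%.*}" = "${local_ip%.*}" ] &&
               [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
                echo "localip $local_ip lies inside remoteip pool $pool" >&2
                return 1
            fi
            ;;
        *)
            if [ "$pool" = "$local_ip" ]; then
                echo "localip and remoteip are the same address" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# Append the validated directives to the pptpd.conf given as $1.
write_pool_config() {
    conf=$1
    check_pool_config "$2" "$3" || return 1
    printf 'localip %s\nremoteip %s\n' "$2" "$3" >> "$conf"
}

# Usage: sudo sh pptpd-pool.sh /etc/pptpd.conf 10.1.3.37 10.1.3.70-79
if [ $# -eq 3 ]; then
    write_pool_config "$1" "$2" "$3"
fi
```

Run it with the values from this page and it appends both lines; run it with the mistyped pool 10.1.3.3.70-79 and it refuses with "bad remoteip" instead of leaving pptpd with a configuration it cannot parse.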

Add users

Now add users to the VPN system by editing the CHAP secrets file.

sudo nano /etc/ppp/chap-secrets

For each user you want to add, insert a line in the following format (fields separated by tabs).

username[TAB]*[TAB]password[TAB]*

For instance, to add the user ivc with the password n0thingt0hide, I would use:

ivc * n0thingt0hide *

The PPTP section of the setup is now finished. Restart the PPTP daemon by executing this command.

sudo service pptpd restart
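The chap-secrets file stores every password in clear text, and pppd expects it to be readable by root only. As an added example (not from this wiki page), the script below writes the same username[TAB]*[TAB]password[TAB]* line shown above, but refuses duplicate usernames and fields that would break the layout, and enforces mode 0600 on the file. The path is a parameter so it can be exercised on a scratch copy instead of /etc/ppp/chap-secrets; the function names and script name are my own.

```shell
#!/bin/sh
# Added helper for the chap-secrets step; not part of the wiki page.
# Writes "username<TAB>*<TAB>password<TAB>*" lines, refuses duplicates and
# malformed fields, and keeps the file root-only because the passwords in
# it are stored in clear.

# Return 0 if user $2 already has an entry in file $1 (comments skipped).
chap_user_exists() {
    secrets=$1
    wanted=$2
    [ -f "$secrets" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading blanks, then take the first whitespace-delimited field.
        # Parameter expansion is used instead of word splitting because these
        # lines contain '*', which an unquoted expansion would glob-expand.
        line=${line#"${line%%[![:space:]]*}"}
        case $line in
            ''|'#'*) continue ;;
        esac
        name=${line%%[[:space:]]*}
        if [ "$name" = "$wanted" ]; then
            return 0
        fi
    done < "$secrets"
    return 1
}

# Append one user to file $1. Returns 1 on an empty field, a field containing
# blanks, '#' or '*' (which would corrupt the tab layout), or a duplicate name.
add_chap_user() {
    secrets=$1
    user=$2
    pass=$3
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "username and password must not be empty" >&2
        return 1
    fi
    case "$user$pass" in
        *[[:space:]]*|*'#'*|*'*'*)
            echo "blanks, '#' and '*' are not allowed in username or password" >&2
            return 1 ;;
    esac
    if chap_user_exists "$secrets" "$user"; then
        echo "user $user is already present in $secrets" >&2
        return 1
    fi
    # Create the file with a restrictive umask, then enforce 0600 on it.
    if [ ! -e "$secrets" ]; then
        ( umask 077 && : > "$secrets" )
    fi
    chmod 600 "$secrets"
    printf '%s\t*\t%s\t*\n' "$user" "$pass" >> "$secrets"
}

# Usage: sudo sh chap-add.sh /etc/ppp/chap-secrets ivc n0thingt0hide
if [ $# -eq 3 ]; then
    add_chap_user "$1" "$2" "$3"
fi
```

After adding users this way, restart pptpd as shown above so the new entries are picked up.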

Packet forwarding

To forward packets from the VPN clients on to the regular network, and thus the Internet, the kernel has to be configured to allow IP forwarding between interfaces.

sudo nano /etc/sysctl.conf

Find the line below and remove the leading "#" to enable the option.

net.ipv4.ip_forward=1

Apply the settings in the file to the running kernel using the following command.

sudo sysctl -p

The VPN server is now mostly ready; the only thing left is to configure how clients connect to it from outside. If your network is behind a NAT router, i.e. the Raspberry Pi is not directly connected to the Internet with a public IP address, you need to configure port forwarding on the NAT router.

Remote access

NAT router

Configure the local NAT router to forward TCP port 1723 to the internal IP address of the Raspberry Pi. This procedure differs between routers and is easily done by following the instructions on the excellent Port Forward website.

Public IP address

If your Raspberry Pi is connected directly to the Internet and has a public IP address, the packets from the VPN clients still cannot go straight out to the Internet, because they carry source addresses from a private range (10.x.x.x or 192.168.x.x).

To correct this, the Raspberry Pi needs to perform NAT, masquerading the private addresses as it passes packets between the VPN and the public network.

Fortunately, this is easily done by adding a single line to the start-up script. Edit the following file.

sudo nano /etc/rc.local

And add the following line at the end of the file (before the closing exit 0 line, if your rc.local has one, since nothing after it is executed).

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now reboot the machine, or run the command above as root, to enable the NAT function.
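Two small hardening points on the forwarding and NAT steps above, as an added example that is not part of this wiki page: the sysctl edit can be done idempotently (uncomment, correct or append the line, never duplicate it), and the MASQUERADE rule can be loaded only once and restricted with -s to the VPN address pool, so that only tunnel traffic is translated rather than anything leaving eth0. The script assumes the pool lives in 10.1.3.0/24 (which covers the localip and remoteip range used on this page); the function and script names are my own. The iptables part needs root and a live netfilter, so only the sysctl functions are exercised by the checks below.

```shell
#!/bin/sh
# Added helpers for the forwarding and NAT steps; not part of the wiki page.
# enable_ip_forward edits a sysctl.conf-style file idempotently, and
# ensure_vpn_masquerade loads the page's MASQUERADE rule once, scoped to
# the VPN pool. Paths and the pool/interface are parameters.

# Print the value of the last uncommented net.ipv4.ip_forward assignment in
# file $1 (the last one wins when sysctl -p applies the file), or nothing.
ip_forward_setting() {
    sed -nE 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*([0-9]+).*$/\1/p' "$1" | tail -n 1
}

# Make file $1 contain exactly one active net.ipv4.ip_forward=1 line: the
# first commented or uncommented assignment is rewritten in place, any later
# ones are dropped, and the line is appended if the file has none.
enable_ip_forward() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    tmp=$conf.tmp.$$
    awk '
        /^[ \t]*#?[ \t]*net\.ipv4\.ip_forward[ \t]*=/ {
            if (!done) { print "net.ipv4.ip_forward=1"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "net.ipv4.ip_forward=1" }
    ' "$conf" > "$tmp"
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Load the masquerade rule once, limited to the VPN pool ($1, assumed
# 10.1.3.0/24 here) on the outbound interface ($2, eth0 as on the page).
# Must run as root; iptables -C reports whether the rule is already loaded.
ensure_vpn_masquerade() {
    vpn_net=${1:-10.1.3.0/24}
    out_if=${2:-eth0}
    if ! iptables -t nat -C POSTROUTING -s "$vpn_net" -o "$out_if" -j MASQUERADE 2>/dev/null; then
        iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$out_if" -j MASQUERADE
    fi
}

# Usage: sudo sh vpn-forwarding.sh /etc/sysctl.conf [vpn-net] [interface]
if [ $# -ge 1 ]; then
    enable_ip_forward "$1"
    sysctl -p "$1"
    ensure_vpn_masquerade "$2" "$3"
fi
```

Calling ensure_vpn_masquerade from rc.local in place of the bare iptables line gives the same result at boot, and running it again by hand later does not stack a second copy of the rule.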

Client setup

The last step in setting up the VPN is to configure the end-point clients. The details differ between Windows, Mac and Linux, but it essentially comes down to adding a VPN profile with the following settings to the operating system.

  • VPN type: PPTP
  • Server address: hostname or IP address of the router/Raspberry Pi
  • Account: the one added in /etc/ppp/chap-secrets above
  • Encryption: select 128-bit
  • Authentication: password, using the one configured above
  • Advanced: Send all traffic over VPN connection
