Gregory Colpart's blog

PPTP VPN gateway can avoid various constraints : single connection, delay for switching VPN between two hosts, etc.

Here is an easy solution :

– Install Debian with ppp and pptp-linux packages
– RTFM and create /etc/ppp/options.pptp file :

lock noauth nobsdcomp nodeflate

And /etc/ppp/peers/my-tunnel file :

pty "pptp SERVER-IP --nolaunchpppd"
name LOGIN
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam my-tunnel

where LOGIN is your PPTP login.

Put Microsoft CHAP parameters in /etc/ppp/chap-secrets file :

LOGIN PPTP PASSWORD *

where PASSWORD is your PPTP password.

Then, PPTP connection is ready.
Add it in interfaces file :

auto mobile
iface mobile inet ppp
provider my-tunnel
up sleep 10 && route add -net 192.168.x.0/24 dev ppp0
up route add -net 192.168.y.0/24 dev ppp0
up /etc/init.d/firewall start

In this example, 192.168.x.0/24 and 192.168.y.0/24 are in VPN network.

And /etc/init.d/firewall file is easy IPTables script :

#!/bin/sh

# just route it !
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_ecn
iptables -t nat -D POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# MTU in tunnel (only for Windows machines... strange)
iptables -D FORWARD -p tcp  --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp  --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

(update : I use now "--set-mss 294" option after some problems with "--clamp-mss-to-pmtu")

iptables -L --line-numbers
iptables -L -t nat --line-numbers

Then, to enable or disable your PPTP VPN Gateway :

# ifup mobile
# ifdown mobile

This entry was posted on Monday, December 18th, 2006 at 10:37 pm and is filed under Debian, English, Network. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.