VPN-ing into your server lets you reach every service running on it as if you were sitting next to it on the same network, without forwarding a separate port for every service you want to use remotely.
A VPN connection also has the upshot of, if desired, granting access to the other computers on the network as if you were on it locally, from anywhere across the internet.
While not the most secure of the VPN solutions out there, PPTP is by far the simplest to install, configure and connect to from any modern system, and from Windows specifically, since the client has been part of the OS since the XP days and you don't need to deal with certificates on both sides of the connection (as you do with L2TP+IPsec or SSL VPNs). Be clear about what "not the most secure" means: PPTP authenticates with MS-CHAPv2, whose handshake can be cracked offline from a packet capture, and the MPPE session keys are derived from the same password hash, so a captured session exposes both the password and the tunnel contents. Treat it as a convenience tunnel for a home network, not as protection against an attacker who can sniff your traffic.
You will need to forward TCP port 1723 from the internet to the server to enable the connection, and your router must also pass GRE (IP protocol 47), which carries the tunnelled traffic itself; neither is covered here.
Server Setup
Install the pptp server package:
sudo aptitude install pptpd
Edit the "/etc/pptpd.conf" configuration file:
sudo vim /etc/pptpd.conf
Add to it:
localip 192.168.1.5
remoteip 192.168.1.234-238,192.168.1.245
Here "localip" is the address of the server and "remoteip" lists the addresses that will be handed out to clients (a range plus a single address in this example). Pick addresses from your LAN's subnet that nothing else uses, including the DHCP pool; it is up to you to adjust these for your network's requirements.
Edit the "/etc/ppp/pptpd-options" configuration file:
sudo vim /etc/ppp/pptpd-options
Append the following directives to the end of the file:
ms-dns 192.168.1.1
nobsdcomp
noipx
mtu 1490
mru 1490
The IP used for the ms-dns directive is the DNS server for the local network your client will be connecting to and, again, it is your responsibility to adjust this to your network's configuration.
Edit the chap secrets file:
sudo vim /etc/ppp/chap-secrets
Add to it the authentication credentials for a user's connection, one per line, in the following syntax:
username <TAB> * <TAB> users-password <TAB> *
The four fields are client name, server name, secret and allowed client IP; "*" in the second and fourth fields accepts any server name and lets the user connect from any address. The password is stored in plaintext, so keep the file readable by root only (mode 600, which is how the package installs it), and remember that anyone holding one of these lines gets everything the VPN reaches.
Restart the connection's daemon for the settings to take effect:
sudo /etc/init.d/pptpd restart
If you don't want to grant yourself access to anything beyond the server, then you're done on the server side.
Enable Forwarding (optional)
While this step is optional and could be viewed as a security risk for the extremely paranoid, it is my opinion that not doing it defeats the purpose of even having a VPN connection into your network.
By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to "jump" through the VPN server to all other devices on the network. The flip side is that every VPN credential in chap-secrets now grants LAN-wide access, so this is the point at which the PPTP weaknesses above matter most.
To achieve this we will be flipping the "forwarding" switch of the kernel.
Edit the "sysctl" file:
sudo vim /etc/sysctl.conf
Find the "net.ipv4.ip_forward" line and change the parameter from 0 (disabled) to 1 (enabled), removing the leading "#" if the line is commented out:
net.ipv4.ip_forward=1
You can either restart the system or issue this command for the setting to take effect:
sudo sysctl -p
With forwarding enabled, all the server side settings are prepared.
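The whole server-side procedure above (pptpd.conf, pptpd-options, chap-secrets and the sysctl change) as one script. This is an added example, not part of the original post or of the pptpd package: it writes the same directives the post describes, but does so idempotently (rerunning it does not duplicate lines), refuses chap-secrets entries that would break the file's whitespace-separated format, and keeps chap-secrets root-only. The ROOT argument is an assumption of this example: pass "" to edit the live /etc as root, or a scratch directory for a dry run you can inspect first.

```shell
#!/bin/sh
# Added example (not the post's or pptpd's own code): writes the pptpd
# configuration described above under "$ROOT/etc". ROOT="" means the real /etc.
set -eu

# Replace any existing localip/remoteip lines in pptpd.conf with ours.
set_pptpd_addresses() {   # $1=root $2=localip $3=remoteip (range and/or list)
    conf="$1/etc/pptpd.conf"
    mkdir -p "$1/etc"
    touch "$conf"
    # drop old values so the function can be rerun safely
    grep -Ev '^(localip|remoteip)[[:space:]]' "$conf" > "$conf.tmp" || true
    printf 'localip %s\nremoteip %s\n' "$2" "$3" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Append the PPP directives from the post, skipping any already present.
set_pptpd_options() {     # $1=root $2=dns-server $3=mtu/mru
    opts="$1/etc/ppp/pptpd-options"
    mkdir -p "$1/etc/ppp"
    touch "$opts"
    for line in "ms-dns $2" nobsdcomp noipx "mtu $3" "mru $3"; do
        grep -qxF -- "$line" "$opts" || printf '%s\n' "$line" >> "$opts"
    done
}

# Add one user to chap-secrets as "client<TAB>server<TAB>secret<TAB>ip".
# Whitespace in either value would split the record into extra fields, and a
# duplicate username would silently shadow the old entry, so both are refused.
# The file holds plaintext passwords and is therefore kept at mode 0600.
add_chap_secret() {       # $1=root $2=username $3=password
    case "$2$3" in
        *[[:space:]]*) echo "refusing whitespace in credentials" >&2; return 1 ;;
    esac
    secrets="$1/etc/ppp/chap-secrets"
    mkdir -p "$1/etc/ppp"
    touch "$secrets"
    chmod 600 "$secrets"
    if awk -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$secrets"; then
        echo "user $2 already present in chap-secrets" >&2; return 1
    fi
    printf '%s\t*\t%s\t*\n' "$2" "$3" >> "$secrets"
}

# Set net.ipv4.ip_forward=1 in sysctl.conf: rewrite an existing (possibly
# commented-out) line in place, or append one if none exists.
enable_ip_forward() {     # $1=root
    f="$1/etc/sysctl.conf"
    mkdir -p "$1/etc"
    touch "$f"
    if grep -qE '^#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed -E 's/^#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$f"
    fi
}

# Return 0 only if every directive the post relies on is present and at least
# one user is defined; otherwise report the first gap and return 1.
check_config() {          # $1=root
    need() { grep -q -- "^$1" "$2" 2>/dev/null || { echo "missing $1 in $2" >&2; return 1; }; }
    need localip  "$1/etc/pptpd.conf" &&
    need remoteip "$1/etc/pptpd.conf" &&
    need ms-dns   "$1/etc/ppp/pptpd-options" &&
    need net.ipv4.ip_forward=1 "$1/etc/sysctl.conf" &&
    grep -qE '^[^#[:space:]]' "$1/etc/ppp/chap-secrets" 2>/dev/null
}

# Dry run with the post's sample addresses and a constructed user, written to
# a scratch directory: PPTP_DEMO=1 sh this-script.sh
if [ "${PPTP_DEMO:-}" = 1 ]; then
    ROOT=$(mktemp -d)
    set_pptpd_addresses "$ROOT" 192.168.1.5 192.168.1.234-238,192.168.1.245
    set_pptpd_options   "$ROOT" 192.168.1.1 1490
    add_chap_secret     "$ROOT" alice 'example-password'   # constructed sample user
    enable_ip_forward   "$ROOT"
    check_config "$ROOT" && echo "configuration written under $ROOT"
fi
```

After a dry run, diff the generated files against the live ones before applying with ROOT="" and then running sudo /etc/init.d/pptpd restart and sudo sysctl -p as the post describes; the script deliberately does not restart anything itself.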