Saturday, 25 August 2012

Raspberry Pi - Use as a VPN Server

Anyway, I find myself needing access to my internal network when I'm out and about and decided to look at using my Raspberry Pi as a VPN server.

For the VPN virgins out there, a VPN allows you to connect to your internal network securely over the internet and gain access to the resources you have at home. Perhaps you want to read documents off your NAS drive, open an SSH connection to your Pi, or, if you're away in a different country, use your home internet connection to access services which are restricted to your country (e.g. BBC iPlayer in the UK or Hulu in the US).

I chose to use PPTP on the Raspberry Pi; it's not as secure as other services such as OpenVPN, but it's much easier to set up and maintain, and as a typical home user the additional risk was outweighed by the simple maintenance.

I used the instructions on this blog as the basis for installing PPTP on the Raspbian distribution.

Install PPTP

sudo apt-get install pptpd

Configure PPTP
I needed to specify the IP addresses I wanted my VPN to use in the pptpd configuration file.

sudo nano /etc/pptpd.conf

Add the following configuration lines to the bottom of the file (you will see some examples commented out):

localip 192.168.1.99
remoteip 192.168.1.100-110

localip is the IP address of your Raspberry Pi. My Raspberry Pi has a static IP address, which makes this step easier; if your network assigns IP addresses dynamically (pretty typical), see this post for details on how to set a static IP address.

remoteip is a range of IP addresses which your Raspberry Pi will give out to clients who join the VPN. You need to give a sufficient range to cope with the number of clients that may need to connect.

I modified the pptpd options file:

sudo nano /etc/ppp/pptpd-options

Adding the following to the bottom of the file:

ms-dns 192.168.1.1
nobsdcomp
noipx
mtu 1490
mru 1490

ms-dns is the IP address of your local DNS service; more often than not this will be the IP address of your router.

I created a user and password in the chap-secrets config file. This will be the user and password you log in as, so it's definitely a good idea to make this a strong password.

sudo nano /etc/ppp/chap-secrets

The username and password are put into the chap-secrets file in the format:

username[TAB]*[TAB]password[TAB]*

So it looks like this (obviously with your username and password!):

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username  *       password        *

Restart PPTPD:

sudo service pptpd restart
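
An added example (not from the original post or the pptpd project): a small shell audit of a chap-secrets file in the format shown above, checking the file mode and flagging short or username-equal secrets without printing them. The function names, the 16-character minimum and the sample entries are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a pppd chap-secrets file without ever printing a secret.
# Assumptions: GNU stat; secrets contain no whitespace (quoted secrets are not
# parsed); the 16-character minimum is an illustrative policy, not a standard.

audit_chap_secrets() {
    local file=$1 min_len=${2:-16} bad=0 n=0 mode client server secret addrs
    # The file stores cleartext passwords, so only its owner (root) should read it.
    mode=$(stat -c '%a' "$file") || return 2
    case $mode in
        600|400) ;;
        *) echo "PERMS mode=$mode expected=600"; bad=1 ;;
    esac
    # Columns follow the post's format: client, server, secret, IP addresses.
    while read -r client server secret addrs || [ -n "$client" ]; do
        n=$((n + 1))
        case $client in ''|'#'*) continue ;; esac
        if [ -z "$secret" ]; then
            echo "MALFORMED line=$n"; bad=1; continue
        fi
        if [ "${#secret}" -lt "$min_len" ]; then
            echo "WEAK line=$n user=$client reason=shorter-than-$min_len"; bad=1
        elif [ "$secret" = "$client" ]; then
            echo "WEAK line=$n user=$client reason=same-as-username"; bad=1
        fi
        # '*' in column 4 places no restriction on the address the client gets.
        if [ "$addrs" = "*" ]; then
            echo "NOTE line=$n user=$client addresses=any"
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample entries (not real credentials), tab-separated as in the post.
write_sample() {
    {
        printf '# client\tserver\tsecret\tIP addresses\n'
        printf 'alice\t*\tcorrect-horse-battery-staple\t192.168.1.100\n'
        printf 'bob\t*\thunter2\t*\n'
        printf 'carol\t*\n'
    } > "$1"
    chmod 644 "$1"   # deliberately too open, to trigger the PERMS finding
}

sample=$(mktemp)
write_sample "$sample"
audit_chap_secrets "$sample" 16 || echo "chap-secrets needs attention"
rm -f "$sample"
```

To check the live file, call `audit_chap_secrets /etc/ppp/chap-secrets` as root.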

Configure Pi to forward traffic
In order to access network resources other than the Pi itself over the VPN, the Pi needed configuring to forward traffic. Modify /etc/sysctl.conf and apply the change:

sudo nano /etc/sysctl.conf

Find the option "net.ipv4.ip_forward", which should be commented out and look like:

#net.ipv4.ip_forward=1

Un-comment it and save the changes:

net.ipv4.ip_forward=1

Apply the change:

sudo sysctl -p

Configure router
In order to access the VPN from outside your network you need to configure your router to forward TCP port 1723 to the IP address of your Raspberry Pi; see portforward.com for port forwarding guides and info. You may find setting up port forwarding simpler if your Raspberry Pi has a static IP address; see this post on how to set a static IP address.

I had a problem with my router, in that it didn't support "GRE Protocol 47", which meant that when I tried to connect to the VPN from the internet it would fail. Router support for protocol 47 seems pretty random, not necessarily related to a specific brand or price point. So if you have problems connecting to your VPN, do a Google search for your router and GRE.

Connect to the VPN
Setting up the connection to the VPN will be different depending on the client (e.g. PC, iPad, phone), but for most setups you are going to need this information:
  • Host = this is your external internet address; you might find it useful to use a dynamic IP service such as no-ip so you can use a DNS name (e.g. myhost.no-ip.com). See this post for more information about no-ip and how to set it up.
  • Type of VPN = PPTP
  • Domain = leave blank
  • Username = the username you set up in the chap-secrets file
  • Password = the password you set up in the chap-secrets file

27 comments:

  1. Were you ever able to get it working as an L2TP endpoint? I'm thinking about having mine work as a universal end point for both PPTP/L2TP and OpenVPN.

    1. I never bothered, I've seen a few tutorials online about how to do it though.

  2. I've opened port 1723 and it's even called GRE so I'm assuming that it's working but I still can't connect to the VPN from outside the network. Is there any way to check for sure that my ISP isn't blocking the VPN traffic?

  3. There was nothing in the sysctl.conf file for me, it was all blank. I just added "net.ipv4.ip_forward=1" and saved the file and continued on with the tutorial but it does not work. Any ideas?

    1. I would double check the path, what happens when you apply the change to sysctl? Do you get an error? Are you running raspbian?

  4. yes! works on first try. this is the simplest solution. thanks

  5. Hi, I'm sorry if I am asking any stupid questions. I have been trying to get something like this working but with one difference. I am not using a router but a 3g dongle (eth1) plugged into a powered usb hub that is connected to my RPi. eth0 is then connected to the one device that I want to be able to access from anywhere via a pptp VPN connection, but just can't get it to connect. Is there any way to get this working with just the 3g dongle (I'm trying to keep down the amount of hardware)? I'm using noip.com for my ddns and have ddclient which all works perfectly, I think there may be a solution with the iptable settings but have drawn a blank so far. Please help if you can.

  6. Great tutorial; I've got the VPN up and running. The one problem I'm facing started out just on my Android device but it has since "spread" to my Windows machine. While I can connect to the VPN, I cannot access the Internet through my RPi. I followed all the instructions but I am unsure as to where I should be looking for the fix.

    1. First thing to check is that you have successfully completed the step to uncomment ipforward in sysctl1.

    2. I know this thread is pretty old, but I've recently been trying to set up a VPN server myself. I'm having almost the exact same issue; I can connect to the VPN through its internal IP address, however, I get "limited" access, and am not actually capable of accessing the internet. If I try to connect to the external IP address, I get "Network Error 619: Could not extablish a connection to the port" or something along those lines... I have set up a Port Forward on my router to port 1723, I have enabled ipforward in sysctl1, and I have even experimented with port forwarding 47 to my Raspberry Pi, to give it direct access to the GRE port, but that didn't work as well. I am using a Netgear WNR834B router, and have not yet had success in establishing a connection. I have tried to connect with a Windows 8, a Windows Vista, and an Android phone, all of them experiencing the same problem, that connecting internally works, but doesn't provide internet connection, and connecting externally supplies some form of an error stating that a connection was not made...

    3. I would put money on that you can't connect to your VPN via the internet because your router doesn't support GRE Protocol 47, unfortunately this requires more than just forwarding the port.

      As regards getting an internet connection through your VPN, check you have "configured the pi to forward IP traffic" correctly.

      snippet from above:

      sudo nano /etc/sysctl.conf

      Find the option "net.ipv4.ip_forward", which should be commented out and look like:

      #net.ipv4.ip_forward=1

      Un-comment it and save the changes:

      net.ipv4.ip_forward=1

    4. I had the same problem. Apparently the Pi's iptables is blocking all the traffic that's not from its local subnet. I changed remoteip 192.168.1.100-110 to the same IP range I'm using on my local network. Works like a charm!

  7. This comment has been removed by the author.

  8. This comment has been removed by the author.

  9. no gateway address in ipconfig

  10. I have the VPN working and can see that the IP address of my phone is changing to my home network. Now I want to be able to connect to my home Virgin Media TiVo box when away and I'm not sure that's working... are there any other steps needed to make the Pi access the TiVo box?

    1. Not as far as I'm aware. Sorry I can't be more help!

  11. This comment has been removed by the author.

  12. Awesome tutorial Martin, am able to access internet through the VPN but not the local devices like printer or NAS, what did I miss?

  13. I have a problem with my vpn-server.
    It is possible to connect to the VPN tunnel but only sometimes it is possible to connect to internet via the tunnel.

    Anyone knows what to do?

  14. I have everything configured right. I'm able to connect to the VPN and I pull an IP address
    link/ppp0
    inet 192.168.0.50 peer 192.168.0.14/32 scope global ppp0
    but I can't ping anything on the network or I can access the internet. Any suggestions.


    Kevin


  15. Nice tutorial, I wonder what is your configuration,
    Device -- wired or wifi ? -- Rpi -- wifi or wired ? -- Router/Modem

  16. Hi Martin and others

    Thanks for the tutorial. With this and another one I was able to get PPTP VPN running, but it was slow going. Like others I could access my Pi and some network resources but not many web pages (Google, YouTube worked but not most others). I think this is an issue with PPTP and Windows.

    I believe OpenVpn is more robust, more secure and does not have these limitations.
    I am running on a new v2 Pi running Jessie. I found a great auto-install of OpenVPN on Github, which works flawlessly. It performs the full install, builds server and client certificates and drops the .ovpn file in your Pi folder, ready to export to your windows or other client pc. It works flawlessly. I thought this might be useful so I am linking to it here:

    https://github.com/StarshipEngineer/OpenVPN-Setup

    Thanks

  17. um, sorry to revive this ancient thread, but I'm going to test something like this, and just want to ask how many clients the Raspberry Pi 3 Model B could handle... thanks and sorry.

    1. No idea... I suspect quite a few tho.
