We'll see here how to set up PPTP for real use, covering issues like WAN access, port forwarding, and PPTP passthrough. We'll use a Cisco Small Business RV110W as the VPN server, Debian 7.5 LXDE as the VPN client, and a D-Link DIR-626L to test PPTP passthrough.
[ Last Edited June 21 2014 ]
1. Debian PPTP Client Setup
We first install the required packages :
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install pptp-linux
sudo apt-get install network-manager-pptp
sudo apt-get install network-manager-pptp-gnome
( If you're not using LXDE or GNOME, the network-manager packages might be different )
2. Simple LAN PPTP Setup
We'll first see the simplest topology, local LAN access :
We set up the RV110W for PPTP :
Menu Tab : VPN Client TAB
. Allow the PPTP Server
. Choose VPN Server IP and leased IP range if needed
. Allow MPPE encryption
. Create client with password
[ reminder : use a real 128-bit entropy password, i.e. 20 characters long using numbers, lower-case letters, upper-case letters and special characters ]
We then set up the VPN tunnel in Debian by left-clicking on the network-manager :
We fill in the gateway, user/password, and enable MPPE in advanced options.
IPv4 settings can be left on automatic ( VPN ) :
Here we have our VPN tunnel set :
3. Simple LAN PPTP Setup with exit router
Here we have a slightly more complex situation, where PC1 ( Client ) has to exit through a first router ( DIR-626L ) before reaching the VPN Server :
There is nothing new to set up here, as the DIR-626L handles the situation quite brilliantly. No firewall opening is needed, nor is there any need to tick the DIR-626L PPTP Pass-through option.
The DIR-626L PPTP Pass-through option will only be needed if multiple concurrent PPTP sessions are initiated from the DIR-626L LAN.
4. LAN PPTP Setup with entry Router
Here we have to pass through a first router ( DIR-626L ) before reaching the PPTP server :
Things get a little more complicated here, but are still quite easy : we just need the DIR-626L to forward TCP port 1723 to the VPN Server :
5. PPTP Server reachable from WAN
The last topology will allow access from the WAN :
We need our Internet Gateway to pass the PPTP protocol through ( i.e. TCP port 1723 and the GRE protocol ). We have three options here :
1. The Internet Gateway is PPTP friendly
We just have to forward port 1723 ( and, if needed, the GRE protocol = IP protocol 47 ).
2. The Internet gateway can be bridged
If the Internet Gateway can be bridged ( i.e. its router can be deactivated, so that it performs like a bridge ), any protocol / port will flow through freely.
3. We put the PPTP Server in a DMZ
We set up our Internet gateway so that the PPTP server IP is in the DMZ.
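To confirm that the TCP port 1723 forward from sections 4 and 5 really reaches the PPTP server, one can send the first PPTP control message and decode the reply. This is an added example, not part of the original tutorial: the message layout follows RFC 2637, the script name pptp_check.py and the sample reply are constructed, and it checks only the TCP control channel, not GRE ( IP protocol 47 ).

```python
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value defined by RFC 2637
CTRL_LEN = 156              # size of both Start-Control-Connection messages

def build_sccrq(hostname=b"fwd-check"):
    """Start-Control-Connection-Request (control message type 1)."""
    return struct.pack(
        "!HHIHHHHIIHH64s64s",
        CTRL_LEN, 1, MAGIC_COOKIE,  # length, PPTP message type, magic cookie
        1, 0,                       # control message type, reserved0
        0x0100, 0,                  # protocol version 1.0, reserved1
        3, 3,                       # framing and bearer capabilities: any
        0, 0,                       # maximum channels, firmware revision
        hostname, b"")              # host name, vendor string (NUL padded)

def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; ValueError if it is not one."""
    if len(data) < CTRL_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_len, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _chans, _fw, host, vendor) = struct.unpack(
        "!HHIHHHBBIIHH64s64s", data[:CTRL_LEN])
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    text = lambda b: b.rstrip(b"\0").decode("ascii", "replace")
    return {"ok": result == 1, "result": result, "error": error,
            "version": version, "hostname": text(host), "vendor": text(vendor)}

def probe(host, timeout=5.0):
    """Send the request to host:1723 and return the decoded reply."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < CTRL_LEN:
            chunk = s.recv(CTRL_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)

# Constructed sample reply (not captured from a real RV110W), for offline use.
SAMPLE_REPLY = struct.pack("!HHIHHHBBIIHH64s64s", CTRL_LEN, 1, MAGIC_COOKIE,
                           2, 0, 0x0100, 1, 0, 1, 1, 1, 0,
                           b"pptp-server", b"constructed")

if __name__ == "__main__":
    # Usage: python3 pptp_check.py <address the router forwards>
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_sccrp(SAMPLE_REPLY))
```

A reply with "ok": True shows the control connection gets through; if the tunnel still fails after that, GRE handling on the gateway is the next thing to check.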