
Setting up a Debian PPTP VPN Server

I wanted to set up an external VPN server so I could close some ports on my router and, when required, access more of our internal network while I'm outside.

I am pretty familiar with Debian and run a bunch of Xen virtual machines, so I figured that was a good place to start. I found a bunch of good examples of how to set this up, but they all missed a couple of not-so-obvious points.

This is a command-line setup on a fairly fresh Debian VM.

Connect to your box as root, or prepend each command with sudo. The internal IP of this box in this example is 10.10.20.2 and my router/firewall is 10.10.20.1.

apt-get install pptpd

Next we need to set, in the pptpd config, this server's own IP and the pool of addresses to hand out to connected clients (pppd assigns these over IPCP; it is not DHCP).

nano /etc/pptpd.conf

At the bottom add the following two lines, adjusted to suit your network:

localip 10.10.20.2
remoteip 10.10.20.20-10.10.20.40

The range I have set allows up to 21 simultaneous connections (10.10.20.20 through 10.10.20.40 inclusive); adjust it if you expect more, or only ever expect one. Make sure your router's DHCP server is not handing out addresses in this range, otherwise a VPN client and a LAN host can end up with the same IP and traffic for both goes astray.


Next we need to set PPTP network options:

nano /etc/ppp/pptpd-options

My file looks like this (pppd treats lines starting with # as comments; only two ms-dns lines are active because pppd pushes at most two DNS servers to a client, so the alternatives are commented out rather than stacked):

name pptpd
# domain mydomain.net
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
debug
dump
lock
nobsdcomp
noipx
# DNS servers pushed to clients (pppd uses at most two ms-dns values)
# Router
ms-dns 10.10.20.1
# Internal DNS server 1
ms-dns 10.10.20.3
# Internal DNS server 2
# ms-dns 10.10.20.4
# or use an external DNS service, e.g. Google
# ms-dns 8.8.8.8
# ms-dns 8.8.4.4
netmask 255.255.255.0
mtu 1490
mru 1490

Note here that I have left the debug and dump lines in; they are useful while getting everything working and noisy once it is, so comment them out afterwards. The refuse-*/require-* lines mean the only authentication a client can negotiate is MS-CHAPv2 with 128-bit MPPE, and proxyarp together with a pool inside the LAN subnet is what lets VPN clients appear as ordinary hosts on the LAN. One caveat worth knowing: MS-CHAPv2 is the strongest authentication PPTP offers, but it is cryptographically weak (a captured handshake lets the password hash be recovered by brute force, and the MPPE session key is derived from that same hash), so treat this as convenient remote access rather than strong encryption for sensitive traffic.


Next we add the users that are allowed to connect.
There are two ways to do this: define the users in the PPP secrets file, or authenticate against Samba users.
Below is the simple method using the chap-secrets file:

nano /etc/ppp/chap-secrets

One user per line, with four whitespace-separated fields: client (the username), server (the name set in pptpd-options, or * for any), secret (the password), and the IP address the client may use (* for any address from the pool):

username * users-password *
sheldon * myVPNPassword *

Make sure you set strong, unique passwords and non-obvious usernames: this file is the only thing between the internet and your LAN once the ports are open. chap-secrets stores the passwords in clear text, so keep it readable by root only (mode 0600).


Now restart the pptpd service to apply all of the changes we have made. NOTE: chap-secrets is read afresh for each connection, so you can add or edit users without restarting the service.

# /etc/init.d/pptpd restart
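The settings above are easy to get subtly wrong (a refuse-* line commented out, a stray third ms-dns, a world-readable chap-secrets). As an added example, not part of the original post and not a pptpd tool, here is a small bash audit of the two files just edited. It takes the directory holding pptpd-options and chap-secrets (normally /etc/ppp) and exits with the number of findings; the 12-character minimum and the "secret must not equal username" rule are my own policy choices, and it assumes secrets are written without quotes or spaces.

```bash
#!/bin/bash
# Added example: audit pptpd-options and chap-secrets for the hardening settings above.
# Usage: audit_pptpd_config /etc/ppp
# Exit status is the number of findings, so it can gate a config-management run.

# active_opt FILE OPTION : how many uncommented lines in FILE start with OPTION
active_opt() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|$)" "$1" 2>/dev/null || true
}

audit_pptpd_config() {
    local opts="$1/pptpd-options" secrets="$1/chap-secrets" findings=0
    local opt ndns perm client server secret ip rest

    [ -f "$opts" ]    || { echo "FAIL: $opts missing"; return 1; }
    [ -f "$secrets" ] || { echo "FAIL: $secrets missing"; return 1; }

    # 1. Only MS-CHAPv2 with 128-bit MPPE may be negotiated. Anything weaker that is
    #    still allowed can be selected by a client (or by an attacker on the path).
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if [ "$(active_opt "$opts" "$opt")" -eq 0 ]; then
            echo "FAIL: '$opt' is not active in $opts"
            findings=$((findings + 1))
        fi
    done

    # 2. pppd pushes at most two DNS servers to the client; more than two active
    #    ms-dns lines means the client gets a different pair than the file suggests.
    ndns=$(active_opt "$opts" ms-dns)
    if [ "$ndns" -gt 2 ]; then
        echo "WARN: $ndns active ms-dns lines in $opts, only two are used"
        findings=$((findings + 1))
    fi

    # 3. chap-secrets holds clear-text passwords: owner-only permissions required.
    perm=$(ls -l "$secrets" | cut -c2-10)
    case "$perm" in
        rw-------|r--------) ;;
        *) echo "FAIL: $secrets is mode $perm, expected rw------- (0600)"
           findings=$((findings + 1)) ;;
    esac

    # 4. Each entry is: client server secret ip. Secrets are assumed unquoted (no spaces).
    while read -r client server secret ip rest; do
        case "$client" in ''|\#*) continue ;; esac
        if [ -z "$ip" ]; then
            echo "FAIL: entry '$client' has fewer than four fields"
            findings=$((findings + 1)); continue
        fi
        if [ "${#secret}" -lt 12 ]; then
            echo "FAIL: secret for '$client' is ${#secret} characters, want 12+"
            findings=$((findings + 1))
        fi
        if [ "$secret" = "$client" ]; then
            echo "FAIL: secret for '$client' equals the username"
            findings=$((findings + 1))
        fi
    done < "$secrets"

    echo "$findings finding(s) in $1"
    return "$findings"
}

# Run directly: bash audit.sh /etc/ppp   (no argument: only define the functions)
if [ $# -ge 1 ]; then audit_pptpd_config "$1"; fi
```

Run it after every edit of the two files and before restarting pptpd; a non-zero exit tells you what to fix.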

IP forwarding:
If you want VPN users to reach more than just the VPN server itself, the server must forward packets between the ppp interfaces and the LAN. Because the remoteip pool is part of the LAN subnet and proxyarp is set, no NAT is needed: the server answers ARP for the clients' addresses and they appear as ordinary hosts on 10.10.20.0/24.

The first thing to check is if this is enabled already:

cat /proc/sys/net/ipv4/ip_forward

If that returns 0, the kernel is not forwarding anything.
Run this command to enable it immediately:

echo 1 > /proc/sys/net/ipv4/ip_forward

That setting does not survive a reboot; to make it permanent, uncomment or add net.ipv4.ip_forward=1 in /etc/sysctl.conf.

Restarting pptpd is not strictly required for forwarding to take effect, but it does no harm:

# /etc/init.d/pptpd restart

Some people consider this a security risk, and with a flat in-subnet pool it is exactly that: every authenticated VPN user becomes a host on your LAN with nothing filtering what they can reach. Without forwarding, though, the VPN only reaches the server itself, which defeats the purpose of accepting incoming connections. The better answer is to keep forwarding on and restrict with firewall rules what the ppp interfaces are allowed to forward to, which also makes strong usernames and passwords less of a single point of failure.
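The restrictive forwarding policy described above, as an added example that is not from the original post: a bash generator that prints (or, with --apply, runs) the sysctl and iptables commands to let VPN clients reach only named host/port pairs on the LAN and to log and drop everything else. It assumes legacy iptables with the conntrack match, a LAN interface called eth0, ppp interfaces matching ppp+, and a chain name of my choosing (PPTP-FWD); the allow specs in the usage note are hypothetical.

```bash
#!/bin/bash
# Added example: forwarding policy for PPTP clients (not part of the original post).
# Usage: pptp_forward_rules HOST/PROTO/PORT...          print the commands
#        pptp_forward_apply HOST/PROTO/PORT...          run them (as root)
#        bash fwd.sh --apply 10.10.20.5/tcp/22          same, from the command line
# Assumptions: LAN interface eth0 (override with LAN_IF=...), ppp interfaces ppp+,
# iptables with the conntrack match available.
LAN_IF=${LAN_IF:-eth0}

# pptp_forward_rules ALLOW... : print the commands, one per line; ALLOW is host/proto/port
pptp_forward_rules() {
    local spec host proto port
    # Validate every spec first so a typo does not leave a half-applied policy.
    for spec in "$@"; do
        IFS=/ read -r host proto port <<< "$spec"
        [ -n "$host" ] || { echo "bad spec: $spec" >&2; return 1; }
        case "$proto" in tcp|udp) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad spec: $spec" >&2; return 1 ;; esac
    done
    cat <<EOF
# enable forwarding now and across reboots (instead of echo 1 > /proc/sys/...)
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/60-pptp-forward.conf
sysctl -p /etc/sysctl.d/60-pptp-forward.conf
# dedicated chain: create it, or flush it if it already exists (idempotent)
iptables -N PPTP-FWD 2>/dev/null || iptables -F PPTP-FWD
# replies to connections the VPN client already opened
iptables -A PPTP-FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for spec in "$@"; do
        IFS=/ read -r host proto port <<< "$spec"
        echo "iptables -A PPTP-FWD -o $LAN_IF -d $host -p $proto --dport $port -j ACCEPT"
    done
    cat <<EOF
# everything else from a VPN client is logged (rate-limited) and dropped
iptables -A PPTP-FWD -m limit --limit 5/min -j LOG --log-prefix "pptp-fwd-drop: "
iptables -A PPTP-FWD -j DROP
# hook the chain in for traffic arriving from any ppp interface (remove old hook first)
iptables -D FORWARD -i ppp+ -j PPTP-FWD 2>/dev/null || true
iptables -I FORWARD 1 -i ppp+ -j PPTP-FWD
# and let replies flow back out to the client
iptables -D FORWARD -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -I FORWARD 2 -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# pptp_forward_apply ALLOW... : run the generated commands, stopping at the first failure
pptp_forward_apply() {
    pptp_forward_rules "$@" | bash -e
}

case "${1:-}" in
    --apply) shift; pptp_forward_apply "$@" ;;
    '') ;;                          # no arguments: only define the functions
    *) pptp_forward_rules "$@" ;;
esac
```

Print the rules first and read them, then apply; the LOG rule means a client probing something it is not allowed to reach shows up in syslog with the pptp-fwd-drop prefix, which is the detection you want from a box that is now a router into your LAN.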


Opening ports:
How you do this varies with EVERY router, but the thing to know is that PPTP needs two things forwarded to your VPN server's IP address (10.10.20.2 in my case):

TCP port 1723 for the control channel, and GRE, which is IP protocol 47, not a port. Many consumer routers cannot forward GRE by number and instead offer a "PPTP passthrough" or "VPN passthrough" option; if the TCP side connects but the client then hangs or times out, GRE is what is missing.

All should be good to test now. Find your external IP address (searching Google for 'IP address' shows it), then test from outside your network. Hint: if you're on the same network, get a friend to test via TeamViewer or another remote-management app.
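If you cannot borrow a friend's connection, the TCP half of the port forward can be checked from any outside host with a real PPTP exchange rather than a plain port scan. As an added example, not part of the original post, the bash script below opens TCP/1723, sends a Start-Control-Connection-Request (SCCRQ, RFC 2637) and decodes the Start-Control-Connection-Reply, so a result code of 1 proves pptpd itself answered. It uses bash's /dev/tcp, od and timeout from coreutils; the host name and vendor strings in the request are my own placeholders. It says nothing about GRE, which still has to be verified with a real client and the syslog.

```bash
#!/bin/bash
# Added example: PPTP control-channel probe (not part of the original post).
# Usage: pptp_probe HOST [PORT]      e.g. bash probe.sh my.external.ip

# pad64 STRING : STRING truncated to 64 bytes and NUL-padded to exactly 64 bytes
pad64() {
    local s=${1:0:64}
    printf '%s' "$s"
    head -c $((64 - ${#s})) /dev/zero
}

# build_sccrq : write the 156-byte SCCRQ to stdout
build_sccrq() {
    # length 156, message type 1 (control), magic cookie 0x1A2B3C4D,
    # control message type 1 (SCCRQ), reserved0
    printf '\x00\x9c\x00\x01\x1a\x2b\x3c\x4d\x00\x01\x00\x00'
    # protocol version 1.0, reserved1, framing caps 3 (async+sync),
    # bearer caps 3 (analog+digital), max channels 0, firmware revision 0
    printf '\x01\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x00'
    pad64 "pptp-probe"      # host name (placeholder)
    pad64 "added-example"   # vendor string (placeholder)
}

# parse_sccrp BYTE... : BYTEs are the reply as decimal values (od -tu1 output).
# Returns 0 only when the server accepted the control connection.
parse_sccrp() {
    if [ $# -lt 16 ]; then
        echo "no or short reply ($# bytes): port closed, filtered, or not PPTP"; return 1
    fi
    if [ "$5.$6.$7.$8" != "26.43.60.77" ]; then
        echo "magic cookie mismatch: something other than PPTP is on this port"; return 1
    fi
    if [ "$9.${10}" != "0.2" ]; then
        echo "unexpected control message type $9.${10} (wanted 2 = SCCRP)"; return 1
    fi
    case "${15}" in
        1) echo "SCCRP result 1: control connection accepted, pptpd is reachable"; return 0 ;;
        2) echo "SCCRP result 2: general error (error code ${16})" ;;
        3) echo "SCCRP result 3: command channel already exists" ;;
        4) echo "SCCRP result 4: requester not authorized" ;;
        5) echo "SCCRP result 5: protocol version not supported" ;;
        *) echo "SCCRP result ${15}: unknown" ;;
    esac
    return 1
}

# pptp_probe HOST [PORT] : run the exchange against a live server
pptp_probe() {
    local host=$1 port=${2:-1723} reply
    # fd 3 is the socket: send the request, then read at most one reply with a timeout
    reply=$( { build_sccrq >&3; timeout 5 head -c 156 <&3; } 2>/dev/null 3<>"/dev/tcp/$host/$port" \
             | od -An -v -tu1 | tr -s ' \n' ' ' )
    # word splitting is intended: one argument per byte
    parse_sccrp $reply
}

if [ $# -ge 1 ]; then pptp_probe "$@"; fi
```

A reply with result 1 from outside means the router forwards TCP/1723 correctly and pptpd is listening; if it never arrives while pptpd works from the LAN, the port forward is the problem, and if it arrives but a real client still fails, look at GRE.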

While you are testing, or if you are having issues, tail the syslog to see what is happening; with the debug and dump options left in, pppd logs the full option set and the authentication and IPCP negotiation for each connection:

tail -f /var/log/syslog