Sometimes you need to reach equipment on a local network that has Internet access but no external IP address. There may be several such local networks and devices. Several services can solve this; in this example, we will look at installing a PPTP service on a VDS server running Debian 12.
Our goal is to configure the server side of the service. Devices on the local network connect to it, and because the VDS server has a dedicated IP, we can then reach those devices remotely.
For example: you have placed a server in your office or country house that connects via mobile Internet. Mobile operators often do not provide individuals with a permanent, dedicated IP. To be able to reach that server over the Internet, we will configure the server side of the PPTP service on the Debian 12 VDS, and your home server as the client that connects to it.
#1. Installing services
apt install ppp pptpd
1.1 Configuring the PPTP service in /etc/pptpd.conf
Decide on the local network addressing and set the configuration as follows:
localip 10.10.10.1
remoteip 10.10.10.2-254
If you ordered a server with several external IP addresses, you can add a line that explicitly states which IP the service will listen on.
listen external_internet_ip
1.2 Add options to the end of the /etc/ppp/pptpd-options file
mtu 1400
mru 1400
auth
require-mppe
Adjust the DNS servers if necessary:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
1.3 Uncomment the following option in /etc/sysctl.conf
net.ipv4.ip_forward=1
Apply the settings:
sysctl -p
1.4 Let's set up a firewall, in our case iptables
apt install iptables
1.4.1 Add rules, where eth0 is the name of the external interface
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
1.4.2 Enabling local networking between connected clients, where eth0 is the name of the external interface and ppp+ matches every client interface (ppp0, ppp1, ...), not only the first one
iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
iptables -I INPUT -s 10.10.10.0/24 -i ppp+ -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
1.4.3 Disabling Internet access via VDS server
If the goal is only to join local networks and reach local equipment, while the devices keep using their own Internet connection, add this rule, where eth0 is the interface with the external IP.
iptables -I FORWARD -s 10.10.10.0/24 -o eth0 -j DROP
On the client side, you will need to uncheck the "Use the default gateway on the remote network" option. The local networks are joined, but Internet access goes through the local provider and not through the VDS server.
1.4.4 Let's save the rules
iptables-save > /etc/iptables.conf
1.4.5 Add rules to startup, add a line to the end of the /etc/network/interfaces file
pre-up /sbin/iptables-restore < /etc/iptables.conf
1.5 Add users to the /etc/ppp/chap-secrets file
In this example, user1 is assigned any free IP address, while user2 will always receive a static IP.
user1 pptpd password1 "*"
user2 pptpd password2 "10.10.10.10"
1.6 Add to startup and apply settings
systemctl enable pptpd
service pptpd restart
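The script below is an added example, not part of the original guide: a POSIX shell lint for the /etc/ppp/chap-secrets file from step 1.5, which stores every password in plaintext and pins the static tunnel addresses. The finding names, the 12-character minimum and the sample entries backup and cam1 are assumptions; the pool comes from localip and remoteip in step 1.1.

```sh
#!/bin/sh
# Added example, not part of the guide: lint a pptpd chap-secrets file.
# Pool values mirror the guide's pptpd.conf; MIN_LEN=12 is an assumed policy.
LOCALIP=10.10.10.1 PREFIX=10.10.10. LO=2 HI=254 MIN_LEN=12

audit_chap_secrets() {   # $1 = path; prints one finding per line
    [ -r "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || echo "PERMS $perms (want -rw-------)"
    awk -v localip="$LOCALIP" -v pre="$PREFIX" -v lo="$LO" -v hi="$HI" \
        -v minlen="$MIN_LEN" '
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
        gsub(/"/, "")                          # strip quoting; $0 is re-split
        user = $1; secret = $3; ip = $4
        if (seen[user]++)            print "DUP-USER " user
        if ($2 == "*")               print "ANY-SERVER " user
        if (length(secret) < minlen) print "SHORT-SECRET " user
        if (ip == "*" || ip == "")   next      # dynamic address from remoteip
        host = substr(ip, length(pre) + 1)
        if (ip == localip)
            print "IP-IS-SERVER " user " " ip
        else if (index(ip, pre) != 1 || host !~ /^[0-9]+$/ ||
                 host + 0 < lo || host + 0 > hi)
            print "IP-OUTSIDE-POOL " user " " ip
        if (ip in owner) print "DUP-IP " ip " " owner[ip] " " user
        else             owner[ip] = user
    }' "$1"
}

# Constructed sample: user1 and user2 are the guide's entries, the rest are made up.
write_sample() {
    cat > "$1" <<'EOF'
# client  server  secret  IP addresses
user1 pptpd password1 "*"
user2 pptpd password2 "10.10.10.10"
backup pptpd Xk7-plain-long-secret "10.10.10.10"
cam1 * correct-horse-battery "10.10.20.5"
EOF
    chmod 644 "$1"                             # deliberately too open
}

# With a path argument, audit that file; otherwise audit the sample.
if [ -n "${1:-}" ]; then
    audit_chap_secrets "$1"
else
    tmp=$(mktemp) && write_sample "$tmp" && audit_chap_secrets "$tmp"
    rm -f "$tmp"
fi
```

Run it as root with the real path as the argument to check the live file. Secrets that contain spaces or quote characters are not handled by this simple field split.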
#2. View active connections
You can see all active connections and their IP addresses using the following commands.
2.1 Using ifconfig
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1396
inet 10.10.10.1 netmask 255.255.255.255 destination 10.10.10.2
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 323 bytes 49503 (48.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 626 (626.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1396
inet 10.10.10.1 netmask 255.255.255.255 destination 10.10.10.10
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 24 bytes 896 (896.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 890 (890.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2.2 Using route
10.10.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.10.10.10 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
2.3 Using service pptpd status
pptpd.service - PoPToP Point to Point Tunneling Server
Loaded: loaded (/lib/systemd/system/pptpd.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-03-07 13:42:51 MSK; 4h 5min ago
Docs: man:pptpd(8)
man:pptpctrl(8)
man:pptpd.conf(5)
Main PID: 480 (pptpd)
Tasks: 5 (limit: 1099)
Memory: 4.3M
CPU: 9.462s
CGroup: /system.slice/pptpd.service
├─480 /usr/sbin/pptpd --fg
├─605 "pptpd [123.123.123.123:97EE - 0400]"
├─606 /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 10.10.10.1:10.10.10.3 ipparam 123.123.123.123 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 123.123.123.123>
├─986 "pptpd [123.123.123.123:D114 - 0580]"
└─987 /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 10.10.10.1:10.10.10.2 ipparam 123.123.123.123 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 123.123.123.123>
The server is configured and ready for connections.
See also:
- Setting up a PPTP client to gain remote access to a Debian 12 workstation
- Setting up a PPTP client to gain remote access to a Windows 10 workstation