Installing a PPTP-VPN server on a Raspberry Pi

From Domoticz
Jump to: navigation, search

WARNING, PPTP is not safe, consider using L2TP or OpenVPN as an alternative if possible!
This tutorial may help you setup OpenVPN: https://wiki.debian.org/OpenVPN

Introduction to VPN

A lot of Domoticz users have remote access using a "dyndns" service and port forwarding for every local IP device like a Domoticz server. Using a VPN tunnel gives much more security.

This wiki describes the installation of a VPN server on a Raspberry Pi as a termination point. This can be done on the same Raspberry Pi where Domoticz is running on or any other Raspberry Pi in the private network. There is only one VPN server neccessary in the local network!

A VPN server offers a secure tunnel from a remote client to the local network and there to all devices. Once a VPN channel is established between a client (e.g. a Smartphone) and a server (Raspberry Pi, NAS, PC,…) all local devices are accessible by their local IP-address:port from remote without individual port forwarding for each IP-address in the router.

Limitations and hints:

  • An iPhone 4S with iOS7 (editors smartphone) will disable a VPN tunnel after some minutes if switched off/sleep mode.
  • Therefore a VPN connection has to be established always before getting access to the local network.
  • An open VPN tunnel needs additional power from the iPhone which results in less standby time.
  • Therefore it is advised to use the "VPN tunnel security feature" only for those users who needs secure access to the local nework only from time to time.


Installation on a Raspberry Pi

The original instruction can be found here: http://jankarres.de/2013/12/raspberry-pi-pptp-vpn-server-installieren/

The blogger (Jan) approved the usage of the commands used in this wiki guide.

It is written in German but more or less only the way and the commands are interesting. The blogger informs that using PPTP VPN server is not 100% save and proposes to install OpenVPN instead. Because OpenVPN is not supported by an iOS device (iPhone) and PPTP VPN is much more save than “nothing” here is the installation guide. Before starting it is strongly recommended to save an image using Win32DiskImager [1] should be taken from the Raspberry Pi, especially if it is the same one were Domoticz is running on. In case of something is going wrong this is an easy way to fall back.

At first install the latest updates (optional):

sudo apt-get update && sudo apt-get upgrade

or if your Debian installation is very old use:

sudo apt-get update && sudo apt-get dist-upgrade

This will take some minutes.

sudo apt-get install pptpd
sudo nano /etc/pptpd.conf

Remove the “#” and place there the IP-address of the Raspberry Pi. It could be that this is still done.

#localip 192.168.0.1  change to  localip 192.168.178.28

(use your PI’s IP address!)

sudo nano /etc/ppp/pptpd-options

Add following at the end of the file (DNS-servers):

ms-dns 8.8.8.8
noipx
mtu 1490
mru 1490

Instead of 8.8.8.8 also 208.67.222.222 or 213.73.91.35 should work.

Now configure internet traffic forwarding in your Pi to get access to your local network:

sudo nano /etc/sysctl.conf

Remove the “#”:

#net.ipv4.ip_forward=1     change to      net.ipv4.ip_forward=1

Change the firewall entry:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Make it permanent in case of a reboot:

sudo crontab –e

Add following line at the lower end:

@reboot sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now add a user and password in "chap-secrets". Both have to be the same as later on used in the smartphone client configuration. It is recommended to use a passwor longer than 13 characters:

sudo nano /etc/ppp/chap-secrets
Username[TAB]*[TAB]password[TAB]*

Example:

willie     *       fire45storm   *

Now restart the VPN server:

sudo service pptpd restart

Client installation on an iPhone4S (R7)

* Settings -> General-> VPN -> Add VPN Configuration
* Select PPTP
* Description: Give the VPN channel configuration a name
* Server: is the dyndns-address of the router
* Account: is the user name used in the VPN server configuration
* Password is the password used in the VPN server configuration
* RSA-SecureID is OFF
* Encryption  Level: Auto
* Send all Traffic ON
* Proxy OFF

Save the configuration

One port-forwarding in the router is still necessary. Enter your router menu and configure port-forwarding for your VPN-server IP address:

Raspberry.Pi.IP.address port 1723  to port 1723

Now disable all other port-forwarding configurations in the router where remote access will be done by using VPN in the future.

Disable WLAN (only for testing) on your smartphone and start the VPN client. (Select the stored VPN configuration and switch VPN to ON) If a VPN-symbol appears the tunnel is established. Now from Safari browser type your local Domoticz IP-adress:port e.g. 192.168.1.25:8080

Also all other IP-devices in your local network should now be accessible using the VPN tunnel and the local IP-address:port

Client installation on an Android phone

(Place here an installation guide for a VPN configuration)