Debian Linux VPN Server



1. Log in as root.



2. Configure server for unstable packages.


# vi /etc/apt/sources.list

deb http://ftp.ie.debian.org/debian stable main contrib non-free
deb http://ftp.ie.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

deb http://ftp.ie.debian.org/debian unstable main contrib non-free
deb http://ftp.ie.debian.org/debian-non-US unstable/non-US main contrib non-free

# apt-get update


3. Install required packages.


# apt-get -t unstable install \
	kernel-source-2.4.26 \
	pptpd \
	pptp-linux \
	ppp \
	kernel-package \
	gcc \
	libc6-dev \
	libncurses-dev \
	iptables \
	iproute \
	kernel-patch-freeswan \
	wget


4. Change directory.


# cd /usr/src


5. Get the kernel patches for MPPE encryption modules.


# wget http://heanet.dl.sourceforge.net/sourceforge/poptop/kernelmod-0.7.1.tar.gz


6. Extract the source code.


# tar zxf kernelmod-0.7.1.tar.gz
# tar jxf kernel-source-2.4.26.tar.bz2


7. Change directory.


# cd kernel-source-2.4.26


8. Copy old/current kernel configuration.


# uname --all !! Don't use a 2.2 config with 2.4 !!
# cp /boot/config-$(uname --kernel-release) .config
# make oldconfig


9. Configure the kernel source for VPN/IPSec/Firewall/Wireless.


# make menuconfig

Code maturity level options  --->
  [*] Prompt for development and/or incomplete code/drivers

Loadable module support  --->
  [*] Enable loadable module support
  [*]   Set version information on all module symbols
  [*]   Kernel module loader

Networking options  --->
  [*] Network packet filtering (replaces ipchains)
  [*] TCP/IP networking
     IP: AH transformation
     IP: ESP transformation
     IP: IPComp transformation
    IP: Netfilter Configuration  --->  !! Select all options as modules !!
    The IPv6 protocol (EXPERIMENTAL)
    IPv6: Netfilter Configuration  --->  !! Select all options as modules !!
   IPv6: AH transformation
   IPv6: ESP transformation
   IPv6: IPComp transformation
   IPv6: IPv6-in-IPv6 tunnel
     IP: IPsec user configuration interface
  QoS and/or fair queueing  --->  !! Select all options as modules !!

Network device support  --->
  [*] Network device support
     PPP (point-to-point protocol) support
    [*]   PPP multilink support (EXPERIMENTAL)
    [*]   PPP filtering
       PPP support for async serial ports
       PPP support for sync tty ports
       PPP Deflate compression
       PPP BSD-Compress compression
       PPP over Ethernet (EXPERIMENTAL)
    Wireless LAN (non-hamradio)  --->
      [*] Wireless LAN (non-hamradio)

Cryptographic options  --->  !! Select all options as modules !!


10. Compile the kernel.


# make-kpkg clean
# PATCH_THE_KERNEL=YES make-kpkg --append-to-version -vpn.1 --revision 1 kernel_image kernel_headers modules_image

You may be prompted for extra kernel options; answer yes.

11. Install newly created packages.


# dpkg --install kernel-image-2.4.26-vpn.1_1_i386.deb kernel-headers-2.4.26-vpn.1_1_i386.deb


12. Reboot the server.


# reboot


13. Log in as root.



14. Compile and install kernelmod modules.


# cd /usr/src/kernelmod
# ./kernelmod.sh


15. Configure pptpd server.


Add or replace the following in each file.
# vi /etc/pptpd.conf
localip 10.1.1.1
remoteip 10.1.1.128-254


# vi /etc/ppp/pptp-options


name TESTVPN
auth
lock
proxyarp

default-mru
require-mppe-128
require-mschap-v2

ms-dns 10.1.1.1
netmask 255.255.255.0
nodefaultroute

debug
dump


# vi /etc/ppp/chap-secrets
"test"          TESTVPN     "test"       10.1.1.128


16. Restart pptpd daemon.


# /etc/init.d/pptpd restart


17. Change your firewall settings.


Example entries include:

iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -s 10.1.1.0/24 -j ACCEPT
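
A check for the step 15 files, as an added example that is not part of the original page: it confirms that require-mppe-128 and require-mschap-v2 are active, that chap-secrets is not readable by group or other, and flags entries such as the "test"/"test" sample. The function names, the MIN_LEN threshold and the scratch files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the step 15 files.
MIN_LEN=12   # assumed policy threshold for secret length

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_pptp() {
    options=$1 secrets=$2 findings=0
    # Without these two options pppd may accept weaker authentication
    # or an unencrypted link.
    for opt in require-mschap-v2 require-mppe-128; do
        if ! grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$options"; then
            echo "OPTIONS: missing $opt"; findings=$((findings + 1))
        fi
    done
    # chap-secrets holds cleartext passwords: no group/other permission bits.
    perms=$(ls -ld "$secrets" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: group/other bits set on $secrets ($perms)"
        findings=$((findings + 1))
    fi
    # Fields: client server secret [addresses]. Quoted tokens that contain
    # whitespace are not handled by this simple split.
    weak=$(awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i <= 3; i++) gsub(/"/, "", $i)
          if ($3 == $1) print "SECRET: " $1 " uses its own name as the secret"
          else if (length($3) < min) print "SECRET: " $1 " secret shorter than " min
        }' "$secrets")
    if [ -n "$weak" ]; then
        echo "$weak"
        findings=$((findings + $(printf '%s\n' "$weak" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the step 15 values written to a scratch directory.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'name TESTVPN' auth require-mppe-128 require-mschap-v2 > "$d/pptp-options"
    printf '%s\n' '"test"  TESTVPN  "test"  10.1.1.128' > "$d/chap-secrets"
    chmod 644 "$d/chap-secrets"
    rc=0; audit_pptp "$d/pptp-options" "$d/chap-secrets" || rc=$?
    rm -rf "$d"; return "$rc"
}

demo || true   # the constructed sample yields two findings: PERMS and SECRET
```

On the server itself, run `audit_pptp /etc/ppp/pptp-options /etc/ppp/chap-secrets` as root.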


Last updated 2006-04-22. Copyright © 2004, 2006 Robert Fitzsimons. robfitz at 273k dot net