/r/shanghai - laowaikipedia Wiki

First, go to www.ramnode.com and sign up for an OpenVZ SSD VPS in Seattle. They will email you login details as soon as you've paid. Pick Ubuntu 12.04 as the OS. Enter whatever you want as the hostname (it'll be the name of the server, not its address).

Lines starting with "#" below are commands to be entered as root (the admin user), unless otherwise stated.

Where you see "123.456.78.90" in the instructions below, replace it with the IP address of your own server.

Log in to the SolusVM CP and shut down the VPS. At the bottom of the page there are a few tabs of options:

  • enable TUN/TAP
  • enable PPP
  • change the root password

Restart the VPS.

Connect to the VPS with your SSH client (Terminal on Mac, PuTTY on Windows).

ssh root@123.456.78.90


Run the following commands; they remove the rubbish installed by default, install the VPN software needed (pptpd), and upgrade everything to the latest version:

# apt-get autoremove sendmail-bin sendmail-cf sendmail-doc apache2.2-bin apache2-doc samba-common-bin samba-common


# apt-get update


# apt-get install pptpd


# apt-get upgrade -y


Edit the VPN connection settings:

# cd /etc/


# vi sysctl.conf


Enable IPv4 forwarding by uncommenting this line:

net.ipv4.ip_forward=1


# vi pptpd.conf


At the bottom of the file, enter these 2 lines:

localip 192.168.10.1
remoteip 192.168.10.10-100


# cd /etc/ppp/


# vi pptpd-options


At the bottom of the file, enter these 4 lines:

ms-dns 8.8.8.8
noipx
mru 1440
mtu 1440


# vi ip-up.local

(Note: this is the entire contents of the file. The lines starting with "#" here, including the #!/bin/bash first line, are part of the file, not commands to type.)

#!/bin/bash

/sbin/ifconfig $1 mtu 1440

# uncomment the next 4 lines to restrict each user to 1 login session:
#REALDEVICE=$1
#USER=`cat /dev/shm/pptpd-users/$REALDEVICE.new`
#cp "/var/run/$REALDEVICE.pid" /dev/shm/pptpd-users/$USER
#rm "/dev/shm/pptpd-users/$REALDEVICE.new"


# chmod +x ip-up.local


Create a user:

# vi chap-secrets


username * password *

(Replace username and password with your own, and separate the fields with a Tab.)

Reboot the VPS:

# reboot


Create a VPN connection on your device, use the server IP address from the SolusVM CP, and the username and password you just created.

Try to connect. Every time I've done the above, the first connection attempt has failed and the second one has worked, so don't panic if it doesn't work the first time. If it keeps failing, you've done something wrong.

Finally, set up the routing. SSH into your server again.

# cd /usr/local/bin/


# vi vmfw

(NOTE: this is the entire contents of the file; the "#" lines here are comments inside the script, not root commands.)

#!/bin/bash

# reset
iptables -F
iptables -F -t nat
iptables -X

# default policy
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# openvz policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# open ports
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

# vpn routing
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o venet0 -j SNAT --to-source 123.456.78.90
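
Before running a script like vmfw, it is worth checking it for the two mistakes that bite people here: an INPUT DROP policy with no hole for SSH (you lock yourself out) and the "123.456.78.90" placeholder left in the SNAT rule (VPN clients get no internet). The linter below is an added example, not part of the wiki; the function names, the trimmed sample script it writes and the 203.0.113.10 test address are all constructed for the demonstration.

```shell
# Added sanity check (not from the wiki): lint a vmfw-style iptables script
# before running it, to catch an INPUT DROP policy with no SSH hole and an
# invalid (placeholder) address left in the SNAT rule.

# valid_ipv4 ADDR: true only for a dotted quad whose four octets are 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# lint_vmfw FILE [SSHPORT]: print each problem found; exit status 0 when clean.
lint_vmfw() {
    file=$1 port=${2:-22} rc=0
    if grep -q -- '-P INPUT DROP' "$file" &&
       ! grep -Eq -- "-A INPUT -p tcp --dport $port( |\$).*-j ACCEPT" "$file"; then
        echo "lockout risk: INPUT policy DROP but no ACCEPT for tcp/$port"; rc=1
    fi
    snat=$(sed -n 's/.*--to-source \([^ ]*\).*/\1/p' "$file" | head -n 1)
    if [ -z "$snat" ]; then
        echo "no SNAT rule: VPN clients will not reach the internet"; rc=1
    elif ! valid_ipv4 "$snat"; then
        echo "SNAT target '$snat' is not a valid IPv4 address (placeholder left in?)"; rc=1
    fi
    return $rc
}

# make_sample SNAT_ADDR: write a constructed, trimmed copy of the guide's vmfw
# script using the given SNAT address and print its path.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<EOF
#!/bin/bash
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o venet0 -j SNAT --to-source $1
EOF
    echo "$f"
}

lint_vmfw "$(make_sample 123.456.78.90)" || echo "fix vmfw before running it"
lint_vmfw "$(make_sample 203.0.113.10)" && echo "vmfw looks safe to run"
```

If you moved SSH to another port (see the notes at the end), pass that port as the second argument so the SSH check looks for the right rule.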


Make the script executable:

# chmod +x vmfw


Enable it at boot:

# cd /etc/


# vi rc.local


Enter this line above "exit 0":

/usr/local/bin/vmfw


Reboot:

# reboot


You're good to go. Hopefully you haven't locked yourself out of the server with the iptables rules above.

Notes:

  • You don't have to use RamNode; any provider that allows TUN/TAP + PPP on OpenVZ should work without drama. Google "low end box" for cheap providers (you'll get what you pay for).
  • The same instructions don't work on Debian, so stick to Ubuntu; 12.10 or 12.04, it doesn't matter.
  • To add users, just add entries to the "/etc/ppp/chap-secrets" file. The passwords are stored in plain text, so be sensible. You can use www.pctools.com to generate random passwords.
  • It would be a good idea to install fail2ban, to move SSH to a different port, and to add a non-root user so you can disable remote root login. Google for that stuff, or ask someone for help.
  • You can point a domain at your server's IP address; an A record is enough, and anywhere that sells or hosts domains will get you sorted out, or you can use DynDNS.
  • If it all goes wrong, just reinstall Ubuntu 12.04 from the SolusVM CP.
  • Poor performance could be due to the mru/mtu settings. 1440 for both gave me the best results; adjust the values in +/-20 increments in all 3 places (mru and mtu in pptpd-options, and the mtu in ip-up.local) to suit. Once again, Google is your friend for this.