Batista R. Harahap

Cubieboard - Part 2 - VPN

So after setting my Cubieboard for my liking, another thing I want is to be able to access it anywhere and anytime. The trouble is, the ISP I am with right now is blocking all incoming ports, needs a work around.

After some browsing and also from past experiences, I feel PPTP is my best bet. Incredibly easy to implement from a client/server perspective. The challenge is to keep the tunnel open at all times.

I'm using Digital Ocean to host the PPTP server and it so happens they already have a tutorial in their blog right here. I'm just customizing based on that blog post.

The VM is using Ubuntu 13.04 Server image.

PPTP Server Side

This is what I did on the server end.

$ apt-get update && apt-get upgrade -y # Optional
$ apt-get install -y pptpd

Server & Client IP Allocations

Now let's setup the IP Range we're gonna allocate to connecting clients. Add the lines below to /etc/pptpd.conf.

localip 10.0.0.1
remoteip 10.0.0.100-200

The localip part is for the server and the remoteip part is for connecting clients.

Defining Valid Users

Next up we're gonna setup valid clients and allocate IP Addresses based on the user they are connecting as. Edit /etc/ppp/chap-secrets to reflect the followings.

cubie pptpd cubie_secret 10.0.0.23

We can add as many users we want. If you don't want to assign static IPs, you can use the template below.

john pptpd john_secret *

DNS for Clients

The lines below is using Google's DNS servers, if you have local DNS Servers, it will shorten round trips.

Go ahead and edit /etc/ppp/pptpd-options.

ms-dns 8.8.8.8
ms-dns 8.8.4.4

PPTPD Configuration Done

Restart the daemon.

service pptpd restart

Setting Up Forwarding & NAT

First of all, we need to enable IP Forwarding. Go ahead and edit /etc/sysctl.conf.

net.ipv4.ip_forward = 1

Let's setup forwarding with iptables and let clients communicate with each other.

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
$ iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Setting Up Cubieboard As a Client

My Cubieboard has a GUI set using LXDE but I want to do this from the CLI. I've also setup a small Python script to keep monitoring the VPN Tunnel.

Installing The PPTP Client

$ apt-get install network-manager-pptp
$ modprobe ppp_mppe

Configuring The PPTP Client

This is the easy part. Fire up an editor and create a new file: /etc/ppp/peers/pptpserver.

pty "pptp x.x.x.x --nolaunchpppd"
name cubie
password cubie_password
remotename pptpserver
require-mppe-128

Replace the x.x.x.x line with the IP Address of your PPTPD Server. You can rename that particular pptpserver name to something more descriptive.

Connecting To The Server

Let's connect now!

$ pppd call pptpserver

Now it won't show any logging, you can tail the log at /var/log/syslog.

$ tail -f /var/log/syslog

Or you can just check if ppp0 is already available by doing a ifconfig -s ppp0. A successful connection will output something like below.

Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ppp0       1496 0         7      0      0 0             7      0      0      0 MOPRU

IP Routes

Let's add some more routes like so.

$ ip route add 10.0.0.0/8 dev ppp0

Making The VPN Tunnel Persistent

We need the tunnel to always be available at all times so we're gonna need a monitoring solution to reconnect when the tunnel is broken. I made a small Python script available below.

Save the file as `/root/bin/checkapp.py`, adjust permission and let's add this to our crontab.
$ curl https://gist.github.com/tistaharahap/8059219/raw/e3e8ac07308cc06e24694c182b09428901f36f9b/checkppp.py > /root/bin/checkapp.py
$ chmod +x /root/bin/checkapp.py
$ crontab -e
Add the following line below for a 5 minute check interval.
*/5 * * * * /root/bin/checkapp.py
## Done Now I have a persistent tunnel and available anytime I need it.
21 December 2013 by Batista Harahap on hack | cubieboard | pptp | vpn | remote | python | ubuntu | tunnel
comments powered by Disqus