How to install a VPN Server (PPTP) on Debian/Ubuntu Linux VPS

**WARNING** PPTP is insecure. It’s better and arguably easier to setup OpenVPN instead: OpenVPN setup tutorial

Low-end (cheap) VPS accounts are very popular nowadays and one of the reason is that people use them for personal VPN purposes.
There are some advantages on using a personal VPN server:
– server resources such as CPU, bandwidth are not shared among others
– you will know for certain what VPN or Internet activity logs are kept on the server (even though many public VPN providers say that they do not keep any logs on servers, you can’t really verify that)

PPTP is probably the most popular VPN protocol. Here is a short installation guide for Debian Linux (or Ubuntu).

Step 1: install pptpd

apt-get update
apt-get install pptpd

this will install bcrelay, ppp, pptpd

Step 2: configure pptpd and ppp

pico -w /etc/pptpd.conf

(or use your favorite text editor, like vim)

Add the local and remote IP pool and the end of file:


in the above example, the VPN server IP will be and the clients connecting to the VPN will be assigned private IP addresses from to You can obviously use other IP range or different private IP addresses (ex.: 192.168.x.y)

Save the file and exit the editor. Now edit the ppp configuration file:

pico -w /etc/ppp/pptpd-options

add the following at the end of file:

name pptpd
 mtu 1490
 mru 1490

this is what you should have in the file. Notice that the ppp daemon will refuse unsecure CHAP and MSCHAP V1 authentications. MS-CHAP V2 PPTP VPN is not too safe, either, but is definitely a better option that older CHAP and MS-CHAP V1.

Now you should add the VPN account username/password to the ppp secrets file. Edit /etc/ppp/chap-secrets and add something like this:

myusername pptpd mys3cr3tpass
myfriendsuser pptpd hisp@ssword

Step 3: enable packets forwarding 

Edit /etc/sysctl.conf and enable ipv4 forwarding by un-commenting the line (removing the # sign) and changing 0 to 1 so it looks like this:


Save & exit the editor, then run:

sysctl -p

for the changes to take effect.

Add the iptables rule to create the NAT between eth0 and ppp interfaces:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

Note that iptables MASQUERADE doesn’t work on OpenVZ VPS containers. Works on KVM and XEN.

If you use OpenVZ, you need to use iptables SOURCE like this:

iptables -t nat -A POSTROUTING -j SNAT --to-source <Public Server IP>

now restart pptpd by running:

service pptpd restart

that’s all. Now you should test the connection.


  1. Emily Taylor June 5, 2013
  2. smewp July 19, 2013
  3. smewp July 19, 2013
  4. smewp July 19, 2013
  5. AcuBcn September 3, 2013
  6. jose January 30, 2014
    • vpnreviewer January 30, 2014
      • jose January 31, 2014
        • vpnreviewer February 1, 2014
          • jose February 3, 2014
  7. vpnreviewer February 4, 2014
  8. Rick April 6, 2014
  9. Flesz April 9, 2014
  10. martin October 23, 2014
    • Anonymous February 8, 2015
  11. usm May 8, 2015
  12. Adrian September 20, 2017

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.