Here's how it went. On a whim, even though I'd just given my Raspi a full software update just two days ago when I made that earlier post, I repeated the process again today:
sudo apt-get update
sudo apt-get upgrade
...and lo, there were some important packages that updated. Sniffing further, I attempted the first step of the installation process for installing a "real" PPTP VPN onto Debian Linux:
sudo modprobe ppp-compress-18 && echo success
No error was reported! The formerly-missing MPPE module has been added to the kernel.
Well now. This poses the tantalizing possibility of setting up a real Point-to-Point Tunneling Protocol (PPTP) Virtual Private Network using the Raspberry Pi as a gateway.
A VPN strategy for every situation
The highly non-trivial benefits of the PPTP VPN versus the ssh proxy tunnel I documented previously include compatibility with iPhones, iPads and other mobile devices which might not offer ssh port forwarding capabilities in their operating systems. That was the basic trick of the ssh proxy tunnel.
On the other hand, PPTP VPNs use the GRE protocol (IP protocol 47), which some routers find indigestible, while others can accommodate only one GRE connection at a time and will block all others-- a recipe for trouble in hotels and public hotspots. By comparison, the ssh proxy trick I documented--which leveraged the https or other common port for the ssh proxy tunnel--is more likely to always work as you travel, at least for your laptops. Frankly, at this point I have both the ssh proxy tunnel and the PPTP VPN set up on my Raspberry Pi, and I might as well leave it that way so I'm covered for just about any circumstances.
There are many tutorials available for setting up the PPTP server daemon (pptpd) on a generic Debian Linux machine. However, I've found that the Raspberry Pi presents a few quirks and needs its own instructions. The following steps worked for me and resulted in a robust VPN that has held up to my usage so far-- this blog post was constructed entirely while connected via my Raspberry Pi's new PPTP VPN.
- Open port 1723 on your router, pointing it to your Raspberry Pi's IP address on your LAN.
- Your Raspberry Pi should have a static IP address on your LAN. Good instructions for that are here.
- Next, if your home ISP does not give you a static IP address on the Internet, you'll need to set up an account with a dynamic DNS (DDNS) service. This will give you a URL which will always point to your router.
My D-Link DIR-655 router (a truly excellent router, by the way) earns me a free DDNS account on D-Link's service; there are plenty of alternatives. In D-Link's case, the URL will look like [username].dlinkddns.com.
UPDATE: My trusty DIR-655 died, and the units currently being sold now are totally different. I switched to an Apple Time Capsule, which necessitated a new dynamic DNS provider. I chose DynDNS.org... you get one free host name for trying their 14-day "pro" account (which you can cancel, keeping the host name, though their services are powerful and quite cost-effective for what you get).
- Log into your Raspberry Pi either via its local console or via ssh.
- Issue sudo apt-get install pptpd
- Issue sudo nano /etc/pptpd.conf --this will start a simple text editor on your Raspi. Note that most lines are comments and are commented-out with a "#" at the beginning. Scroll down until you find the lines which set localip and remoteip.
- Set localip to your Raspberry Pi's IP address. For me, that line becomes localip 192.168.202.
- Set remoteip to encompass a small block of IP addresses on your LAN that will be made available to your remote client(s). For me, that line became remoteip 192.168.240-255 ...there are various rules for how that block can be constructed; use the format shown here or it might not work.
- Hit ctrl-X and save the file.
- Now issue nano /etc/resolv.conf and make a note of the nameserver identified in this file --for me, and I'd bet most other folks, it's the LAN address of my router, 192.168.0.1. Hit ctrl-X to close the editor.
- Issue sudo nano /etc/ppp/pptpd-options and scroll down until you find references that set ms-wins and ms-dns. You want to set these to the nameserver address you just noted. For me, these lines became ms-wins 192.168.0.1 and ms-dns 192.168.0.1 respectively. Hit ctrl-X and save the file. This completes the basic IP setup for your new VPN.
- Issue sudo nano /etc/ppp/chap-secrets and scroll down to an empty line. Here is where you will specify your users who can use your VPN. For a user named Ralph with a password of SuperSecret123, the line would simply be Ralph pptpd SuperSecret123 * --the asterisk at the end is important as it specifies that Ralph can tunnel in from any IP address. Repeat with additional lines to specify other users you want to allow to tunnel in via your Raspberry Pi. Then hit ctrl-X and save the file.
- Issue sudo nano /proc/sys/net/ipv4/ip_forward ...see the zero? Change it to a 1. This tells your PPTP daemon to forward remote clients to the Internet. Hit ctrl-X to save the file and exit the editor.
- Issue sudo nano /etc/sysctl.conf and scroll down until you see the commented-out line that states net.ipv4.ip_forward=1 ...uncomment this line (remove the "#"). This will tell your Raspberry Pi to always allow remote clients to access the Internet via their tunneled connection.
- You're done! Reboot your Raspberry Pi.
- While you're waiting for it to sort itself out, you can set up a VPN connection on your traveling (client) machine. On the Mac, go to System Preferences | Network, click on the padlock and authenticate as an administrator user, click the "+" sign and select "VPN" from the pull-down menu. Give this new VPN a name. Voilà, a new, unconfigured VPN connection will pop into your network-connections options. With this selected, type in your dynamic DNS address for your Raspberry Pi (e.g., YourUserName.DynDNS.org). In the Account Name field, put the username you specified in the chap-secrets step above ("Ralph"). Click the Authentication Settings and specify the password from that same step ("SuperSecret123"). Click the Advanced button, and be sure to checkmark the option to route all your Internet traffic through the VPN.
You're done! (Setting it up on an iPhone or iPad is even easier.)
You should be able to connect now, and all your Internet traffic will be encrypted and funneled through your Raspberry Pi from wherever you are... or at least from wherever VPN connections are tolerated. For other places, consider the ssh proxy tunnel I wrote about before.
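To check the server-side files edited in the steps above, here is a small audit script (an added example, not part of the original post). The function names audit_pptpd and active_value are hypothetical; require-mppe-128 is an option from the stock pptpd-options file rather than from this post, and the script assumes GNU stat as found on Debian.

```shell
#!/bin/sh
# Added example: audit the files touched by the pptpd setup steps.
# ROOT lets you point at a copy of the config tree; empty means the live system.

# active_value FILE KEY: print the value of the first uncommented "KEY value" line.
active_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '$1 == k && NF >= 2 { print $2; exit }' "$1"
}

# audit_pptpd [ROOT]: print findings, return the number of failed checks.
audit_pptpd() {
    root="${1:-}"; fails=0
    note() { echo "FAIL: $1"; fails=$((fails + 1)); }

    conf="$root/etc/pptpd.conf"
    opts="$root/etc/ppp/pptpd-options"
    secrets="$root/etc/ppp/chap-secrets"
    sysctl="$root/etc/sysctl.conf"

    [ -n "$(active_value "$conf" localip)" ]  || note "localip not set in $conf"
    [ -n "$(active_value "$conf" remoteip)" ] || note "remoteip not set in $conf"
    [ -n "$(active_value "$opts" ms-dns)" ]   || note "ms-dns not set in $opts"
    # Without this option a client may negotiate a session with no MPPE encryption.
    grep -Eq '^[[:space:]]*require-mppe-128' "$opts" 2>/dev/null \
        || note "require-mppe-128 not active in $opts"
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$sysctl" 2>/dev/null \
        || note "net.ipv4.ip_forward=1 is not uncommented in $sysctl"

    # chap-secrets stores passwords in clear text, so only its owner should read it.
    if [ -e "$secrets" ]; then
        mode=$(stat -c '%a' "$secrets")
        case "$mode" in *00) ;; *) note "$secrets is mode $mode, expected 600" ;; esac
        # List accounts whose 4th field is "*" (may log in from any address).
        awk '$1 !~ /^#/ && NF >= 4 && $4 == "*" { print "INFO: " $1 " may connect from any IP" }' "$secrets"
    else
        note "$secrets not found"
    fi
    return "$fails"
}

# Run as: sh audit_pptpd.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then audit_pptpd "${2:-}"; fi
```

On the Pi, run it with sudo so chap-secrets can be read; an exit status of 0 means every check passed.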