Introduction

Deploying a PPTP VPN on a Virtual Private Server (VPS) remains a quick way to provide remote access for legacy systems or simple tunneling needs. Although PPTP is not the most secure protocol available today, it is widely supported across platforms and easy to configure. This guide walks you through a practical, step-by-step process to deploy PPTP on common Linux VPS distributions, covers networking and firewall considerations, and highlights important security caveats and alternatives.

Prerequisites and considerations

Before you begin, ensure you have:

  • A VPS with a public IPv4 address and root (or sudo) access.
  • A Linux distribution: examples below use Ubuntu/Debian and CentOS/AlmaLinux.
  • Basic shell knowledge and ability to edit files with vi/nano.
  • Awareness that PPTP is weaker than modern VPNs — it uses MPPE with MS-CHAPv2 which is vulnerable to offline password cracking. Use strong passwords and consider OpenVPN or WireGuard for sensitive traffic.

Overview of steps

  • Install required packages (pptpd and ppp).
  • Configure pptpd.conf and options.pptpd.
  • Set VPN user credentials in /etc/ppp/chap-secrets.
  • Enable IP forwarding and configure NAT/forwarding rules.
  • Adjust firewall rules (iptables/nftables/ufw) and save them.
  • Start and test the PPTP service.
  • Harden basic configuration and monitor connections.

Step 1 — Install PPTP server software

Install the PPTP daemon and PPP package appropriate for your distribution.

On Ubuntu / Debian

Run:

sudo apt-get update && sudo apt-get install -y pptpd ppp

On CentOS / RHEL / AlmaLinux

Enable EPEL and install:

sudo yum install -y epel-release

sudo yum install -y pptpd ppp

Or, on dnf-based systems:

sudo dnf install -y epel-release && sudo dnf install -y pptpd ppp

Step 2 — Configure PPTP daemon

Primary configuration files are /etc/pptpd.conf and /etc/ppp/options.pptpd. Edit them as root.

/etc/pptpd.conf

Minimal configuration example — declare local and remote IP ranges:

localip 192.168.0.1

remoteip 192.168.0.100-199

You can also add pptpd.conf directives such as logwtmp if you want sessions recorded in wtmp.

/etc/ppp/options.pptpd

Core PPP options control authentication, DNS, and compression. Example:

name pptpd

login

ms-dns 8.8.8.8

ms-dns 8.8.4.4

mtu 1400

mru 1400

Important: Avoid enabling deprecated compression/auth options that may leak data. Keep the MTU/MRU conservative (e.g., 1400) to reduce fragmentation.
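A check for the authentication and encryption side of options.pptpd, added here as an example and not part of the original guide: it reports pppd directives that are missing from, or that weaken, an MS-CHAPv2 plus 128-bit MPPE policy. The function names, the two directive lists (an assumed policy built from standard pppd options) and the sample file are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit a pppd options file for
# the authentication/encryption directives a PPTP server should enforce.

# Assumed policy: accept only MS-CHAPv2 and require 128-bit MPPE.
REQUIRED="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"
# pppd options that disable authentication or weaken/disable MPPE.
FORBIDDEN="noauth require-pap require-chap require-mschap nomppe nomppe-128 require-mppe-40"

# Print the active directives: first word of each non-comment, non-blank line.
active_directives() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# audit_pptpd_options FILE: prints findings, returns 0 if clean, 1 otherwise.
audit_pptpd_options() {
    local file=$1 rc=0 d active
    active=$(active_directives "$file")
    for d in $REQUIRED; do
        if ! printf '%s\n' "$active" | grep -Fqx -- "$d"; then
            echo "MISSING  $d"; rc=1
        fi
    done
    for d in $FORBIDDEN; do
        if printf '%s\n' "$active" | grep -Fqx -- "$d"; then
            echo "WEAK     $d"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: naming, DNS and MTU only, with one directive commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
name pptpd
ms-dns 8.8.8.8
mtu 1400
mru 1400
#require-mppe-128   (commented out, so it does not count)
EOF
audit_pptpd_options "$sample" || echo "options file needs hardening"
rm -f "$sample"
```

Point it at the live file with `audit_pptpd_options /etc/ppp/options.pptpd`; a non-zero exit status makes it usable as a deployment gate.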

Step 3 — Add user credentials

PPTP uses MS-CHAPv2 via PPP. Add VPN users to /etc/ppp/chap-secrets with the format: "username" pptpd "password" IPs.

Example:

vpnuser pptpd strongP@ssw0rd 192.168.0.101

Or allow any assigned VPN IP by putting * in the fourth field (pppd rejects every address when that field is left out):

vpnuser pptpd strongP@ssw0rd *

Ensure passwords are strong; PPTP’s weaknesses allow offline attacks if the handshake is captured. Consider using long, random passphrases.
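An audit of the secrets file itself, added here as an example and not part of the original guide: it checks that only the owner can read the file and flags short secrets, wildcard or missing address fields, and entries valid for any PPP service, without ever printing a secret. The function name, the 16-character threshold and the sample entries are assumptions, and secrets are assumed to contain no whitespace.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit a chap-secrets file.
# Line format: client  server  secret  IP-addresses
MIN_LEN=${MIN_LEN:-16}   # assumed policy threshold for secret length

# audit_chap_secrets FILE: prints one finding per line, never the secret itself.
audit_chap_secrets() {
    local file=$1
    # Secrets are stored in clear text, so group/other must have no access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "PERMS    $file is accessible to group/other (want 0600)"
    fi
    awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            user = $1; secret = $3
            gsub(/^"|"$/, "", user); gsub(/^"|"$/, "", secret)
            if (length(secret) < min)
                printf "SHORT    %s: secret is %d chars (< %d)\n", user, length(secret), min
            if (NF < 4)
                printf "NOADDR   %s: no address field, pppd will refuse every IP\n", user
            else if ($4 == "*")
                printf "ANYADDR  %s: may take any pool address, consider a static IP\n", user
            if ($2 == "*")
                printf "ANYSRV   %s: valid for every PPP service, not only pptpd\n", user
        }' "$file"
}

# Constructed sample entries (not real accounts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# client  server  secret  IP addresses
alice pptpd "correct-horse-battery-staple-42" 192.168.0.101
bob   pptpd hunter2 *
carol *     "Tr0ub4dor&3-extended-phrase"
EOF
audit_chap_secrets "$sample"
rm -f "$sample"
```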

Step 4 — Enable IP forwarding

Allow traffic from VPN clients to be routed to the public internet via your VPS. Temporarily enable forwarding for the current session:

sudo sysctl -w net.ipv4.ip_forward=1

To make it persistent, edit /etc/sysctl.conf or a drop-in file and set:

net.ipv4.ip_forward = 1

Then reload with:

sudo sysctl -p

Step 5 — Configure NAT and firewall

Most VPS setups require NAT (masquerading) so VPN client traffic egresses through the server’s public IP. Apply iptables rules or equivalent firewall rules for nftables/ufw.

iptables example

Assume your public interface is eth0 and VPN clients use 192.168.0.0/24. Run:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

Allow forwarding:

sudo iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

sudo iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

Save rules persistently across reboots:

On Debian/Ubuntu:

sudo apt-get install -y iptables-persistent

sudo netfilter-persistent save

On CentOS, install iptables-services or add rules in a startup script.

ufw (Ubuntu) example

If you use ufw, add raw rules for NAT in /etc/ufw/before.rules above the filter rules and enable IP forwarding. Then allow PPTP ports and GRE:

sudo ufw allow 1723/tcp

GRE must also be permitted. ufw doesn’t expose GRE by name, so make sure the kernel allows it and that the iptables rules in the next section accept GRE (protocol 47).

Allow PPTP control and GRE

PPTP uses TCP port 1723 for control and GRE (protocol 47) for tunneled data. Ensure both are permitted in your VPS provider firewall and OS firewall. Example iptables rules include:

sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

sudo iptables -A INPUT -p 47 -j ACCEPT

Step 6 — Start and enable the PPTP service

Start the pptpd daemon and enable it on boot.

Systemd example:

sudo systemctl start pptpd

sudo systemctl enable pptpd

Check status and logs:

sudo systemctl status pptpd

PPP debug logs appear in /var/log/syslog (Debian/Ubuntu) or /var/log/messages (CentOS). Look for auth and pppd messages when a client connects.

Step 7 — Client configuration and testing

On client devices (Windows, macOS, Android), create a new VPN connection using PPTP:

  • Server / Hostname: your VPS public IP.
  • VPN type: PPTP.
  • Username and password: as set in /etc/ppp/chap-secrets.
  • For Windows, under Advanced settings, disable “use default gateway on remote network” if you only need remote resources and not all internet traffic.

Test connectivity: ping a public IP (8.8.8.8) and verify your public IP changes to the VPS IP when routing all traffic through VPN.

Troubleshooting tips

  • If authentication fails, check /var/log/syslog or /var/log/messages for pppd and pptpd errors.
  • GRE blocked: if control connects (1723) but tunnel fails, GRE (protocol 47) may be blocked by the provider or firewall. Confirm provider supports GRE on the VPS.
  • DNS not resolving: ensure ms-dns entries are set in /etc/ppp/options.pptpd or push DNS via client settings.
  • IP forwarding not functioning: verify sysctl net.ipv4.ip_forward equals 1 and check iptables FORWARD rules.
  • Connection drops or fragmentation: reduce MTU/MRU (e.g., 1400) as PPP over GRE can suffer MTU issues.

Security hardening and best practices

Because PPTP is inherently less secure, apply mitigations and monitor usage:

  • Use strong, unique passwords for all PPTP accounts and rotate credentials periodically.
  • Limit allowed IP ranges or per-user static IPs in chap-secrets where feasible.
  • Restrict access to known client IPs using firewall rules if the client endpoints are predictable.
  • Enable logging and monitor for repeated failed authentication attempts — implement fail2ban rules for PPTP log patterns.
  • Consider running PPTP in a network namespace or container to isolate and limit potential exposure.
  • Prefer modern alternatives where possible — WireGuard and OpenVPN provide stronger security and better performance.

Alternative protocols and migration guidance

If you are provisioning VPNs for business, developers, or employees, you should evaluate replacing PPTP with:

  • WireGuard: simpler codebase, high performance, modern cryptography, supported on Linux kernels and many platforms.
  • OpenVPN: mature, flexible, widely supported, good for complex authentication (TLS certificates, MFA) and network topologies.

Migration steps typically involve preparing a new server or co-locating services, generating keys/certificates (OpenVPN) or keypairs (WireGuard), configuring client profiles, and performing phased rollouts to minimize disruption.

Monitoring and maintenance

Operational best practices:

  • Monitor resource usage on the VPS (CPU, memory, network) — VPN traffic can be bandwidth-intensive.
  • Keep the OS and pptpd/ppp packages patched. Note that upstream maintenance for pptpd may be limited.
  • Regularly audit /etc/ppp/chap-secrets and remove unused accounts.
  • Automate backups of configuration files and firewall rules.

Conclusion

Setting up a PPTP VPN on a VPS is straightforward and fast: install pptpd and ppp, configure /etc/pptpd.conf and /etc/ppp/options.pptpd, create users in /etc/ppp/chap-secrets, enable IP forwarding, and add NAT/iptables rules. However, be mindful of inherent security limitations and use PPTP only for low-risk scenarios or legacy compatibility. For production environments handling sensitive data, plan migration to WireGuard or OpenVPN.

For more resources and VPN deployment tips, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.