In this article we show how to install and configure a PPTP VPN server on RHEL/CentOS Linux. Each client that connects gets a ppp interface on the server, its traffic is carried inside an MPPE-encrypted tunnel, and it reaches the internet through the server's public IP address. PPTP's main attraction is that a client is built into most desktop operating systems, mobile phones and tablets; its cryptography, however, is weak, as the note at the end of the article explains.
First, enable the tun module (the tunnelling kernel module) at boot:

# echo 'modprobe tun' >> /etc/rc.modules
# chmod +x /etc/rc.modules

It will be loaded into the kernel on the next boot. Note that pptpd does not actually use tun: each connected client gets a pppN interface, and the modules that matter are ppp_generic and ppp_mppe, which the packages installed below load on demand. Do not expect a tun interface to show up in ifconfig.
Start from a clean slate by removing any previously installed packages and configuration (this deletes /etc/ppp, including any existing chap-secrets and options files, and flushes the nat POSTROUTING and FORWARD chains):

yum remove -y pptpd ppp
iptables --flush POSTROUTING --table nat
iptables --flush FORWARD
rm -rf /etc/pptpd.conf
rm -rf /etc/ppp
Installation procedure
First, install the poptop repository package from SourceForge (the URL below is the RHEL/CentOS 6 one), then pptpd, the MPPE kernel module and their dependencies:

rpm -Uhv http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers dkms kernel_ppp_mppe ppp pptpd
Now enable IP forwarding, create the /dev/ppp device node if udev has not already done so, set the tunnel's local address and the client address pool, and tell pptpd which DNS servers to hand out to clients:

mknod /dev/ppp c 108 0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "mknod /dev/ppp c 108 0" >> /etc/rc.local
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
echo "localip 172.16.36.1" >> /etc/pptpd.conf
echo "remoteip 172.16.36.2-254" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd

The two rc.local lines only re-apply the settings after a reboot; the usual place for forwarding is net.ipv4.ip_forward = 1 in /etc/sysctl.conf, which does the same job. On a system where udev already provides /dev/ppp the mknod reports "File exists", which is harmless.
Then create the user credentials for the PPTP server. These credentials are what every client/device you connect from will log in with:

nano /etc/ppp/chap-secrets

Your chap-secrets file should look like this (one line per user; the server column must match the name option in options.pptpd, which is pptpd, and * lets the user take any address from the remoteip pool):

# Secrets for authentication using CHAP
# client          server   secret          IP addresses
yourusername      pptpd    yourpassword    *

Save and close the file. The secrets are stored in clear text, so keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets).
Next, add the following iptables rules to accept the PPTP control connection (TCP port 1723) and the GRE tunnel traffic on eth0, NAT the VPN clients out through eth0, and clamp the MSS of tunnelled TCP sessions so they do not stall on the smaller PPP MTU:

# VPN rules (pptpd)
iptables -I INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp -s 172.16.36.0/24 -j TCPMSS --syn --set-mss 1356

The filter rules use -I (insert at the top of the chain) rather than -A because the stock CentOS 6 firewall ends its INPUT and FORWARD chains with a REJECT rule: anything appended after it is never reached, clients then fail with "destination not reachable" errors and tcpdump on the server shows ICMP "admin prohibited" replies. If your FORWARD chain ends in that REJECT, it also needs an ACCEPT for traffic from 172.16.36.0/24 ahead of it, or clients will authenticate but pass no traffic.
Save the rules and restart iptables:

service iptables save
service iptables restart

Make sure iptables and pptpd start after every reboot:

chkconfig iptables on
chkconfig pptpd on

And finally make sure both services are running:

service iptables start
service pptpd start
That is it.
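Putting the procedure together, the script below is an added example and not the article's own code. It renders the same pptpd.conf, options.pptpd and chap-secrets the steps above create, but with a random CHAP secret instead of the placeholder, root-only permissions on chap-secrets, forwarding persisted through a /etc/sysctl.d drop-in instead of rc.local, and the firewall rules inserted with -I so they land ahead of the stock CentOS REJECT rule (plus FORWARD accepts for the client subnet). Assumptions: eth0 is the public interface and 172.16.36.0/24 the client pool as in the article; the options beyond ms-dns are the packaged options.pptpd defaults restated here; and the init scripts read /etc/sysctl.d at boot (on a system that only reads /etc/sysctl.conf, append the line there instead).

```shell
#!/bin/sh
# Added example, not the article's own script. Renders the PPTP server files
# under a prefix ("" for the real server, a temp dir for a dry run), generates
# a random CHAP secret, keeps chap-secrets root-only, persists forwarding via
# /etc/sysctl.d and prints iptables rules that use -I instead of -A.
# Assumed: eth0 is the public interface, 172.16.36.0/24 the client pool.

PPTP_LOCALIP="172.16.36.1"
PPTP_REMOTEIP="172.16.36.2-254"
PPTP_NET="172.16.36.0/24"
WAN_IF="eth0"

# 24 hex characters from /dev/urandom instead of "yourpassword".
gen_secret() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_configs PREFIX USER SECRET
render_configs() {
    prefix=${1%/}; user=$2; secret=$3
    mkdir -p "$prefix/etc/ppp" "$prefix/etc/sysctl.d"

    cat > "$prefix/etc/pptpd.conf" <<EOF
option /etc/ppp/options.pptpd
localip $PPTP_LOCALIP
remoteip $PPTP_REMOTEIP
EOF

    # Packaged option set (assumed defaults restated): refuse PAP, CHAP and
    # MS-CHAPv1, require MS-CHAPv2 with 128-bit MPPE; ms-dns is the article's.
    cat > "$prefix/etc/ppp/options.pptpd" <<EOF
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
EOF

    # chap-secrets holds the password in clear text: create it root-only.
    ( umask 077; cat > "$prefix/etc/ppp/chap-secrets" <<EOF
# client     server  secret                    IP addresses
$user        pptpd   $secret  *
EOF
    )

    # Persistent forwarding without touching rc.local.
    echo "net.ipv4.ip_forward = 1" > "$prefix/etc/sysctl.d/99-pptp-forward.conf"
}

# Print the firewall rules. On the server: iptables_rules | sh && service iptables save
# -I puts them ahead of the stock CentOS 6 REJECT at the end of INPUT/FORWARD.
iptables_rules() {
    cat <<EOF
iptables -I INPUT -i $WAN_IF -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT -i $WAN_IF -p gre -j ACCEPT
iptables -I FORWARD -s $PPTP_NET -j ACCEPT
iptables -I FORWARD -d $PPTP_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -p tcp --syn -s $PPTP_NET -j TCPMSS --set-mss 1356
iptables -t nat -A POSTROUTING -s $PPTP_NET -o $WAN_IF -j MASQUERADE
EOF
}

# check_chap_secrets FILE: reject a group/world-readable file, the article's
# placeholder password, or entries without the four CHAP fields.
check_chap_secrets() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    perms=$(ls -l "$f" | cut -c2-10)
    case "$perms" in
        rw-------) ;;
        *) echo "$f is mode $perms, want rw------- (chmod 600)" >&2; return 1 ;;
    esac
    if grep -q 'yourpassword' "$f"; then
        echo "$f still contains the placeholder password" >&2; return 1
    fi
    awk 'BEGIN { bad = 0 } !/^#/ && NF > 0 && NF < 4 { bad = 1 } END { exit bad }' "$f" \
        || { echo "$f has a malformed entry" >&2; return 1; }
}

# Dry run:  render_configs /tmp/pptp-stage alice "$(gen_secret)"
# Real box: render_configs "" alice "$(gen_secret)" && sysctl -p /etc/sysctl.d/99-pptp-forward.conf
```

Run it against a staging prefix first and diff the result against the live files; check_chap_secrets is worth running on the real /etc/ppp/chap-secrets after any hand edit, since a group-readable secrets file or a leftover placeholder password is the usual mistake with this setup.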
Note: PPTP is insecure. Its MS-CHAPv2 handshake can be broken offline by brute-forcing a single 56-bit DES key, which yields the user's NT password hash, and the MPPE session keys are derived from that same hash, so anyone who captures a session can decrypt it and log in as the user. Do not use it on production machines; this article is written for educational purposes only.
Also check out How to install and configure the OpenVPN server on CentOS 6.4 Linux
I have everything running on the server and port 1723 listening. I'm trying to connect from a WinXP client but I can't; I don't really know what the problem is. When I try, it gives me error 769: the specified destination is not reachable.
Please, if you can help me with that....
netstat -anp | grep 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 3502/pptpd
tcpdump
02:30:11.484231 IP 10.0.0.30 > 10.0.0.50: ICMP host 10.0.0.50 unreachable - admin prohibited
where 10.0.0.30 is the server and 10.0.0.50 the remote client, and error 769 continues....
I have gone over this setup at least 8 times today and never even came close to getting it to work. I'm 100% lost. Can anyone assist me in what I'm missing?
Enable tun module (tunelling kernel module)
# echo 'modprobe tun' >> /etc/rc.modules
# chmod +x /etc/rc.modules
and reboot system.
I did that previously; when I run ifconfig I still see no tun. So I'm still stuck in the same position.
Not bad, but how do you configure if you want the authentication directed to AD instead of the flat file?
You’ll want to add these two config parameters to your options.pptp file:
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Those two lines should be the only thing you're missing once you have AD fully working already. Most of the docs that Google showed me (in 2 seconds; hope you weren't waiting long!) deal with setting up AD auth, which you won't need.
http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml
That’s right on the poptop site. Wow!
“The PPTP protocol does not allow two VPN connections from the same remote IP address”
I like the simple instructions. I’d be surprised if the mknod step is still required, though.
Apparently, “pptp is unsecure[sic]” . Care to elaborate? I see many people repeating the same thing over and over, but any supporting docs seem to be old and deal with win2k servers. I think pptp is the only thing more maligned than vtun (itself the target of kneejerk sharing of some ulterior piece).
If you know pptp isn’t secure, I’m interested in finding a good, fresh, unbiased reference.
Oh. And this step is also very bad:
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
in a modern OS, newer than 2010, you'll want to just
mkdir -p /etc/sysctl.d # in case your OS has broken packaging
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/pptp-forward.conf # 1 enables forwarding, replacing the echo 1 > /proc/... line
And that’s it. Dumping things into rc.local is a lazy thing, and I wouldn’t recommend using it when so many better ideas are out there!
when getting to
alialameh@s45-40-138-160 [~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
I’m getting 807 error and I couldn’t fix it at all. Could you please help me with the problem?
See this link https://www.centos.org/forums/viewtopic.php?f=14&t=45192