We will install Poptop, the open source PPTP server, and set it up so that it authenticates against FreeRADIUS on CentOS and Ubuntu. This is useful if you are using it in conjunction with our WHMCS module; it should also work on other distros.
For CentOS we need the PPTP server software RPM:
Centos 6
wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
Install it:
rpm -ivh pptpd-1.3.4-2.el6.i686.rpm
Ubuntu
Run the following command:
sudo apt-get install ppp pptpd
After installing Poptop, open the file /etc/pptpd.conf and add this at the very bottom:
localip 10.0.0.1
remoteip 10.0.0.10-100
In the above, 10.0.0.1 will be used for the ppp interface and 10.0.0.10 – 10.0.0.100 will be assigned to the clients. You can also use different private IPs in ‘localip’ and ‘remoteip’, like 10.20.26.1 and 10.20.26.10-100.
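Before writing those two lines it is worth expanding the remoteip shorthand and making sure the server's own address is not inside the client pool. The following is an added example, not part of the original guide or of the pptpd project: it implements pptpd's remoteip syntax (a comma-separated list in which each entry is either a single address or "a.b.c.d-e", meaning a.b.c.d through a.b.c.e, last octet only) and checks the guide's own values.

```shell
#!/bin/sh
# Added example (not part of the original guide): expand pptpd's remoteip shorthand
# and check it against localip before writing /etc/pptpd.conf.
# pptpd accepts a comma-separated list in which each entry is either a single
# address or "a.b.c.d-e", meaning a.b.c.d through a.b.c.e (last octet only).

# expand_remoteip LIST: print one client address per line.
expand_remoteip() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        case $entry in
            *-*)
                prefix=${entry%.*}        # "10.0.0.10-100" -> "10.0.0"
                octets=${entry##*.}       #                -> "10-100"
                first=${octets%-*}
                last=${octets#*-}
                i=$first
                while [ "$i" -le "$last" ]; do
                    printf '%s.%s\n' "$prefix" "$i"
                    i=$((i + 1))
                done
                ;;
            *)  printf '%s\n' "$entry" ;;
        esac
    done
}

# pool_size LIST: number of client addresses the list provides.
pool_size() {
    expand_remoteip "$1" | wc -l | tr -d ' '
}

# localip_in_pool LOCALIP LIST: exit 0 if the server's own ppp address falls inside
# the client pool, which would hand a client the same address as the server end.
localip_in_pool() {
    expand_remoteip "$2" | grep -qx -- "$1"
}

# The guide's own values: 10.0.0.1 for the server, 10.0.0.10-100 for clients.
printf 'pool size: %s\n' "$(pool_size 10.0.0.10-100)"        # 91 addresses
if localip_in_pool 10.0.0.1 10.0.0.10-100; then
    echo "conflict: localip is inside remoteip"
else
    echo "ok: localip is outside the client pool"
fi
```

Run it on the values you intend to use; a pool size that is smaller than the number of simultaneous clients you expect, or a localip that lands inside the pool, is worth catching before the first client connects.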
Next, open /etc/ppp/options.pptpd on CentOS (on Ubuntu: /etc/ppp/pptpd-options), uncomment the ms-dns lines (by removing the ‘#’ in front of them) and change them to the DNS servers provided by your ISP or to public DNS servers such as those provided by Google DNS or OpenDNS.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
Now we need to enable IP forwarding. Open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1. On CentOS:
net.ipv4.ip_forward = 1
On Ubuntu change:
#net.ipv4.ip_forward=1
To:
net.ipv4.ip_forward=1
To make the changes to sysctl.conf take effect, use the following command.
sysctl -p
Next, configure iptables to do NAT.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Next, we need to allow TCP port 1723 and the GRE protocol through iptables.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Save the iptables rules so they survive a reboot.
service iptables save
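After saving, it is useful to confirm that every rule the steps above install is actually present and still bound to the external interface. The script below is an added example, not from the original guide: it audits the text that `iptables-save` prints for the NAT, 1723/tcp, GRE, stateful-return and ppp+ forwarding rules. The embedded dump is a constructed sample of what `iptables-save` emits after the rules above; on a real server pass it `"$(iptables-save)"` instead.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an `iptables-save` dump for the
# rules the guide installs (NAT, 1723/tcp, GRE, stateful return, ppp+ forwarding).
# Run it against a live ruleset with: audit_pptp_rules "$(iptables-save)"

# Constructed sample resembling what `iptables-save` prints after the guide's rules.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT'

# has_rule DUMP PATTERN: exit 0 if some line of DUMP matches the extended regex.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# audit_pptp_rules DUMP: print one line per check; return the number of missing rules.
# Each table row is "description;pattern". iptables-save normalises the state list
# to RELATED,ESTABLISHED, so both orders are accepted. The 1723 and GRE patterns
# insist on "-i eth0" so an accept that was widened to every interface is reported.
audit_pptp_rules() {
    failed=0
    while IFS=';' read -r name pattern; do
        [ -n "$name" ] || continue
        if has_rule "$1" "$pattern"; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            failed=$((failed + 1))
        fi
    done <<'EOF'
NAT masquerade out of eth0;^-A POSTROUTING .*-o eth0 .*-j MASQUERADE
PPTP control channel 1723/tcp on eth0;^-A INPUT -i eth0 .*-p tcp .*--dport 1723 .*-j ACCEPT
GRE tunnel protocol on eth0;^-A INPUT -i eth0 .*-p gre .*-j ACCEPT
stateful return traffic;^-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT
forward ppp+ to eth0;^-A FORWARD -i ppp\+ -o eth0 -j ACCEPT
forward eth0 to ppp+;^-A FORWARD -i eth0 -o ppp\+ -j ACCEPT
EOF
    return $failed
}

audit_pptp_rules "$SAMPLE_RULES"
```

The return value is the number of missing rules, so the function can be dropped into a post-install check or a cron job that alerts when the ruleset has drifted from what the guide set up.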
Now start the PPTP server if you haven’t already.
service pptpd restart
That should be it for PPTP. If you have problems browsing sites when connected to the PPTP VPN, you may need to change the MTU of the ppp interface. To do this, open the /etc/ppp/ip-up file and add the following line just before the last line.
/sbin/ifconfig $1 mtu 1400
Save the file after that and then restart the PPTP server.
service pptpd restart
Now we need to set up the radiusclient so that PPTP authenticates against RADIUS. Let's grab the radius client package.
For CentOS
wget http://pkgs.repoforge.org/radiusclient/radiusclient-0.3.2-0.2.el6.rf.i686.rpm
Install it:
rpm -i radiusclient-0.3.2-0.2.el6.rf.i686.rpm
On Ubuntu:
apt-get install radiusclient1
Now open up /etc/radiusclient/servers. It should look like below; change the values to your RADIUS server's hostname or IP and its secret, which is specified in /etc/raddb/clients.conf on your FreeRADIUS server:
#Server Name or Client/Server pair	Key
#----------------			---------------
#portmaster.elemental.net		hardlyasecret
#portmaster2.elemental.net		donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP	YOUR_RADIUS_SERVER_SECRET
Now open up the main configuration file for the radiusclient, /etc/radiusclient/radiusclient.conf, and make sure it looks something like below (I stripped all the remarks out):
auth_order	radius,local
login_tries	4
login_timeout	60
nologin	/etc/nologin
issue	/etc/radiusclient/issue
authserver	RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver	RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers	/etc/radiusclient/servers
dictionary	/etc/radiusclient/dictionary
login_radius	/usr/sbin/login.radius
seqfile	/var/run/radius.seq
mapfile	/etc/radiusclient/port-id-map
default_realm
radius_timeout	10
radius_retries	3
login_local	/bin/login
Save it. In the /etc/radiusclient directory there is a file called dictionary; add this line at the very bottom of it:
INCLUDE /etc/radiusclient/dictionary.microsoft
Next modify /etc/ppp/options.pptpd on CentOS (on Ubuntu: /etc/ppp/pptpd-options) to include these two lines at the very bottom of the file:
plugin radius.so
plugin radattr.so
Now restart PPTPD and you should have PPTP authenticating against your FreeRADIUS server:
service pptpd restart
And make sure PPTPD starts at boot:
chkconfig pptpd on
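The RADIUS shared secret now lives in /etc/radiusclient/servers, and in the no-FreeRADIUS variant below the user passwords live in /etc/ppp/chap-secrets, both in clear text. Two things are worth checking on either file: that it is readable by root only, and that the example or placeholder values from the documentation were actually replaced. The script below is an added example, not from the original guide or the radiusclient package; the servers file it writes is a constructed sample, and the column argument selects where the secret sits (2 for the servers file, 3 for chap-secrets).

```shell
#!/bin/sh
# Added example, not from the original guide: check the files that hold shared
# secrets in this setup. /etc/radiusclient/servers keeps the RADIUS secret in
# column 2; /etc/ppp/chap-secrets (the no-FreeRADIUS variant) keeps the user
# password in column 3. Both should be readable by root only and must not still
# carry the example values that ship in the documentation.

# write_sample_servers PATH: constructed servers file in which the placeholder
# from the guide was never replaced.
write_sample_servers() {
    cat >"$1" <<'EOF'
#Server Name or Client/Server pair      Key
#----------------                       ---------------
#portmaster.elemental.net               hardlyasecret
radius.example.invalid                  YOUR_RADIUS_SERVER_SECRET
EOF
}

# secrets_file_private PATH: exit 0 when group and others have no permission bits.
# Reads `ls -ld` rather than `stat`, whose flags differ between GNU and BSD.
secrets_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# placeholder_secrets PATH COLUMN: print the first column of every non-comment
# entry whose secret (in COLUMN) is a documentation example value; exit 0 if any.
placeholder_secrets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | awk -v col="$2" '$col == "hardlyasecret" || $col == "donttellanyone" ||
                          $col == "user-password" || $col ~ /^YOUR_/ { print $1 }' \
      | grep .
}

# audit_secrets_file PATH COLUMN: report both checks; return the number of problems.
audit_secrets_file() {
    problems=0
    if secrets_file_private "$1"; then
        echo "ok       $1 is readable by its owner only"
    else
        echo "PROBLEM  $1 is readable by group or others (fix: chmod 600 $1)"
        problems=$((problems + 1))
    fi
    if bad=$(placeholder_secrets "$1" "$2"); then
        echo "PROBLEM  placeholder secret still set for: $bad"
        problems=$((problems + 1))
    else
        echo "ok       no placeholder secrets in $1"
    fi
    return $problems
}

# Demonstrate on the constructed sample (world-readable, placeholder intact).
tmp=$(mktemp)
write_sample_servers "$tmp"
chmod 644 "$tmp"
audit_secrets_file "$tmp" 2 || echo "$? problem(s) found in the constructed sample"
rm -f "$tmp"
```

On a live server run `audit_secrets_file /etc/radiusclient/servers 2` and, if you use the chap-secrets variant, `audit_secrets_file /etc/ppp/chap-secrets 3`; both files should come back with zero problems.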
ONLY FOLLOW BELOW TO USE WITHOUT FREERADIUS
If you want to configure PPTP NOT to use FreeRADIUS and instead use the usernames and passwords stored in /etc/ppp/chap-secrets, all you have to do is remove the radius plugin lines from /etc/ppp/options.pptpd on CentOS (Ubuntu: /etc/ppp/pptpd-options) and add a username and password to the chap-secrets file like below:
# Secrets for authentication using CHAP
# client	server	secret		IP addresses
username	*	user-password	*
Now restart PPTPD and you should have PPTP authenticating against your chap-secrets file:
service pptpd restart
What's the new radius client URL?