How to install PPTP VPN server in RHEL/CentOS 6.4 Linux

In this article we show you how to install and properly configure a PPTP VPN server on RHEL/CentOS Linux. With this VPN, your data is transferred encrypted over an Ethernet interface that uses your server's IP address. This tunneling technology is compatible with several devices like desktop operating systems, mobile phones and tablets.
First, enable the tun module (the tunneling kernel module):

# echo 'modprobe tun' >> /etc/rc.modules
# chmod +x /etc/rc.modules

The tun module will be loaded into the kernel at the next boot.
Make sure you begin with a clean install by removing any previously installed packages:

yum remove -y pptpd ppp
iptables --flush POSTROUTING --table nat
iptables --flush FORWARD
rm -rf /etc/pptpd.conf
rm -rf /etc/ppp

Installation procedure

First, install the poptop package from sourceforge:

rpm -Uhv
yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers dkms kernel_ppp_mppe ppp pptpd

Now we need to enable IP forwarding, set the internal IP addresses and specify the DNS servers that the PPTP server will use:

mknod /dev/ppp c 108 0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "mknod /dev/ppp c 108 0" >> /etc/rc.local
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
echo "localip" >> /etc/pptpd.conf
echo "remoteip" >> /etc/pptpd.conf
echo "ms-dns" >> /etc/ppp/options.pptpd
echo "ms-dns" >> /etc/ppp/options.pptpd

Then create your user credentials for the PPTP server. These credentials will be used to log in to the PPTP server from every client/device you connect from:

nano /etc/ppp/chap-secrets

Your chap-secrets file should look like this:

# Secrets for authentication using CHAP
# client server secret IP addresses
yourusername pptpd yourpassword *

Save and close the file.
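
An added example, not part of the original article: a shell check for the chap-secrets format shown above that flags a file readable by other users, short secrets, secrets equal to the user name, and `*` in the IP addresses column. The function names, the 12-character minimum and the sample entries are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a pppd chap-secrets file.
# audit_chap_secrets and the 12-character minimum are illustrative assumptions.

audit_chap_secrets() {
    local file="$1" min_len="${2:-12}" mode
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }

    # The file holds plaintext secrets, so only its owner should read it.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS $file is mode $mode, expected 600" ;;
    esac

    # Fields: 1=client 2=server 3=secret 4=allowed IP addresses.
    # Secrets are never printed, only their length.
    awk -v min="$min_len" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF < 3 { printf "MALFORMED line=%d\n", NR; next }
        {
            secret = $3
            gsub(/^"|"$/, "", secret)        # pppd accepts quoted secrets
            if (length(secret) < min)
                printf "SHORT_SECRET user=%s length=%d\n", $1, length(secret)
            if (secret == $1)
                printf "SECRET_EQUALS_USER user=%s\n", $1
            if ($4 == "*")                   # "*" lets the client use any IP address
                printf "ANY_IP user=%s\n", $1
        }' "$file"
}

# Constructed sample file (not from a real server), audited as a demo.
demo_audit() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# client server secret IP addresses
yourusername pptpd yourpassword *
alice pptpd "Tr0ub4dor&3-horse-staple" 10.0.0.10
bob pptpd bob 10.0.0.11
EOF
    chmod 644 "$tmp"
    audit_chap_secrets "$tmp"
    rm -f "$tmp"
}

demo_audit
```

On a real server, run `audit_chap_secrets /etc/ppp/chap-secrets` as root after editing the file.
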
Next, you need to add the following iptables rules in order to open the correct ports and properly forward the data packets:

# VPN rules (pptpd)
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -s -j TCPMSS --syn --set-mss 1356

Save and restart your iptables firewall:

service iptables save
service iptables restart

Make sure you load your iptables after every reboot:

chkconfig iptables on
chkconfig pptpd on

And finally, restart iptables and pptpd services:

service iptables start
service pptpd start

That is it.
Note: PPTP is unsecure. Do not use it on a production machine. This article is written for educational purposes only.
Also check out How to install and configure the OpenVPN server on CentOS 6.4 Linux


Linux System Administrator with over 7 years experience in administering production level servers (CentOS/Ubuntu/Debian with apache2/nginx, mysql server, etc)


12 Responses

  1. Jack says:

    First you need to enable the tun module (tunneling kernel module):

    # echo 'modprobe tun' >> /etc/rc.modules
    # chmod +x /etc/rc.modules

    At next boot the tun module will be loaded in the kernel

  2. mario vargas careaga says:

    I have everything on the server running and port 1723 listening. I'm trying to connect from a WinXP client but I can't, and I don't really know what the problem is. When I try, it gives me error 769: the specified destination is not reachable.
    Please, if you can help me with that….

  3. mario vargas careaga says:

    netstat -anp | grep 1723

    tcp 0 0* LISTEN 3502/pptpd


    02:30:11.484231 IP > ICMP host unreachable – admin prohibited

    where server and remote , and the error error769 continues ….

    • Jeff Scharfenberg says:

      I have gone over this setup at least 8 times today and never even came close to getting it to work. I'm 100% lost. Can anyone assist me in what I'm missing?

      • Charles Wells says:

        Enable tun module (tunneling kernel module)

        # echo 'modprobe tun' >> /etc/rc.modules
        # chmod +x /etc/rc.modules

        and reboot system.

        • Jeff Scharfenberg says:

          I did that previously; when I run ifconfig I still see no tun. So I'm still stuck in the same position.

  4. WPeckham says:

    Not bad, but how do you configure if you want the authentication directed to AD instead of the flat file?

    • Bishop Clark says:

      You’ll want to add these two config parameters to your options.pptp file:
      ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

      Those two lines should be the only thing you’re missing once you have AD fully working already. Most of the doc that google showed me (in 2 seconds; hope you weren’t waiting long!) deals with setting up AD auth, which you won’t need.

      That’s right on the poptop site. Wow!

  5. fehmi says:

    “The PPTP protocol does not allow two VPN connections from the same remote IP address”

  6. Bishop Clark says:

    I like the simple instructions. I’d be surprised if the mknod step is still required, though.

    Apparently, “pptp is unsecure[sic]” . Care to elaborate? I see many people repeating the same thing over and over, but any supporting docs seem to be old and deal with win2k servers. I think pptp is the only thing more maligned than vtun (itself the target of kneejerk sharing of some ulterior piece).

    If you know pptp isn’t secure, I’m interested in finding a good, fresh, unbiased reference.

  7. Bishop Clark says:

    Oh. And this step is also very bad:

    echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local

    In a modern OS, newer than 2010, you'll want to just

    mkdir -p /etc/sysctl.d # in case your OS has broken packaging
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/pptp-forward.conf

    And that’s it. Dumping things into rc.local is a lazy thing, and I wouldn’t recommend using it when so many better ideas are out there!

  8. ali alameh says:

    when getting to
    alialameh@s45-40-138-160 [~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    FATAL: Module ip_tables not found.
    iptables v1.4.7: can’t initialize iptables table `nat’: Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
