
How to install PPTP VPN server in RHEL/Centos 6.4 Linux

In this article we show you how to install and properly configure a PPTP VPN server on RHEL/CentOS Linux. With this VPN your data is transferred encrypted through a tunnel interface, and your traffic leaves with the server's IP address. This tunnelling technology is supported by many clients, including desktop operating systems, mobile phones and tablets.
First, enable the tun module (the tunnelling kernel module):

# echo 'modprobe tun' >> /etc/rc.modules
# chmod +x /etc/rc.modules

The tun module will then be loaded into the kernel at the next boot.
Make sure you begin with a clean install by removing any previously installed packages:

yum remove -y pptpd ppp
iptables --flush POSTROUTING --table nat
iptables --flush FORWARD
rm -rf /etc/pptpd.conf
rm -rf /etc/ppp

Installation procedure

First, install the poptop package from sourceforge:

rpm -Uhv http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers dkms kernel_ppp_mppe ppp pptpd

Now we need to enable IP forwarding, set the internal IP addresses and point to the DNS servers that the PPTP server will hand out to its clients:

mknod /dev/ppp c 108 0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "mknod /dev/ppp c 108 0" >> /etc/rc.local
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
echo "localip 172.16.36.1" >> /etc/pptpd.conf
echo "remoteip 172.16.36.2-254" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd

Then, create your user credentials for the PPTP server. These credentials will be used to log in to the PPTP server from every client/device you connect from:

nano /etc/ppp/chap-secrets

Your chap-secrets file should look like this:

# Secrets for authentication using CHAP
# client server secret IP addresses
yourusername pptpd yourpassword *

Save and close the file.
Next, you need to add the following iptables rules in order to open the correct ports and properly forward the data packets:

# VPN rules (pptpd)
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -s 172.16.36.0/24 -j TCPMSS --syn --set-mss 1356

Save and restart your iptables firewall:

service iptables save
service iptables restart

Make sure iptables and pptpd are started after every reboot:

chkconfig iptables on
chkconfig pptpd on

And finally, restart iptables and pptpd services:

service iptables start
service pptpd start

That is it.
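As an added example (not code from the original article), here is a small Python audit of the two files this procedure writes, chap-secrets and pptpd.conf: it parses the chap-secrets format shown above (quoted secrets, # comments), expands pptpd's remoteip range syntax, and flags placeholder or short secrets and a localip that collides with the client pool. The sample file contents, the function names and the 12-character minimum are assumptions of this example.

```python
import ipaddress
import shlex

# Constructed sample files (not real credentials): the article's placeholder user plus two more.
CHAP_SECRETS = """\
# client server secret IP addresses
yourusername pptpd yourpassword *
alice        pptpd "Tr0ub4dor&3 horse" 172.16.36.10
bob          pptpd bob *
"""
PPTPD_CONF = "localip 172.16.36.1\nremoteip 172.16.36.2-254\n"

def parse_chap_secrets(text):
    """Return [(client, server, secret, ip)]; secrets may be quoted, '#' starts a comment."""
    rows = []
    for raw in text.splitlines():
        f = shlex.split(raw, comments=True)
        if len(f) >= 3:
            rows.append((f[0], f[1], f[2], f[3] if len(f) > 3 else "*"))
    return rows

def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax ('a.b.c.d-e', 'a.b.c.d-a.b.c.e', comma separated)."""
    pool = []
    for part in spec.split(","):
        start, _, end = part.strip().partition("-")
        if not end:                        # a single address
            end = start
        elif "." not in end:               # '2-254' style: end is a last octet only
            end = start.rsplit(".", 1)[0] + "." + end
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        pool += [ipaddress.ip_address(int(first) + i) for i in range(int(last) - int(first) + 1)]
    return pool

def audit(chap_text, conf_text, min_len=12):
    """Flag weak secrets and address-pool mistakes; returns a list of finding strings."""
    conf = dict(line.split() for line in conf_text.splitlines()
                if len(line.split()) == 2 and not line.startswith("#"))
    localip, pool = ipaddress.ip_address(conf["localip"]), expand_remoteip(conf["remoteip"])
    findings = []
    if localip in pool:                    # the server would hand out its own address
        findings.append("localip is inside the remoteip pool")
    users = parse_chap_secrets(chap_text)
    for client, _server, secret, _ip in users:
        if secret in (client, "yourpassword"):
            findings.append(f"{client}: secret is the username or the article's placeholder")
        elif len(secret) < min_len:
            findings.append(f"{client}: secret shorter than {min_len} characters")
    findings.append(f"{len(users)} users, pool allows {len(pool)} concurrent sessions")
    return findings
```

Because chap-secrets holds the passwords in cleartext, keep it owned by root with mode 0600 (chmod 600 /etc/ppp/chap-secrets) as well as choosing strong secrets.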
Note: PPTP is insecure. Do not use it on a production machine; this article is written for educational purposes only.
Also check out: How to install and configure the OpenVPN server on CentOS 6.4 Linux

14 Comments

  1. First, enable the tun module (tunnelling kernel module):

    # echo 'modprobe tun' >> /etc/rc.modules
    # chmod +x /etc/rc.modules
    

    The tun module will be loaded into the kernel at the next boot.

  2. I have everything running on the server and port 1723 listening. I'm trying to connect from a WinXP client but I can't; I don't really know what the problem is. When I try, it gives me error 769: the specified destination is not reachable.
    Please, if you can help me with that….

  3. netstat -anp | grep 1723

    tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 3502/pptpd

    tcpdump

    02:30:11.484231 IP 10.0.0.30 > 10.0.0.50: ICMP host 10.0.0.50 unreachable - admin prohibited

    where 10.0.0.30 is the server and 10.0.0.50 the remote, and error 769 continues ….

    1. I have gone over this setup at least 8 times today and never even came close to getting it to work. I'm 100% lost. Can anyone assist me with what I'm missing?

      1. Enable tun module (tunelling kernel module)

        # echo 'modprobe tun' >> /etc/rc.modules
        # chmod +x /etc/rc.modules

        and reboot system.

        1. I did that previously; when I run ifconfig I still see no tun. So I'm still stuck in the same position.

  4. Not bad, but how do you configure if you want the authentication directed to AD instead of the flat file?

    1. You’ll want to add these two config parameters to your options.pptp file:
      plugin winbind.so
      ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

      Those two lines should be the only thing you’re missing once you have AD fully working already. Most of the doc that google showed me (in 2 seconds; hope you weren’t waiting long!) deals with setting up AD auth, which you won’t need.

      http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml

      That’s right on the poptop site. Wow!

  5. I like the simple instructions. I’d be surprised if the mknod step is still required, though.

    Apparently, “pptp is unsecure[sic]” . Care to elaborate? I see many people repeating the same thing over and over, but any supporting docs seem to be old and deal with win2k servers. I think pptp is the only thing more maligned than vtun (itself the target of kneejerk sharing of some ulterior piece).

    If you know pptp isn’t secure, I’m interested in finding a good, fresh, unbiased reference.

  6. Oh. And this step is also very bad:

    echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local

    in a modern OS, newer than 2010, you’ll want to just

    mkdir -p /etc/sysctl.d # in case your OS has broken packaging
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/pptp-forward.conf # 1 enables forwarding, 0 would leave it off

    And that’s it. Dumping things into rc.local is a lazy thing, and I wouldn’t recommend using it when so many better ideas are out there!

  7. when getting to
    alialameh@s45-40-138-160 [~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    FATAL: Module ip_tables not found.
    iptables v1.4.7: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
