Setup PPTP to Authenticate off FreeRADIUS on CentOS 6 and Ubuntu 11.10

We will install Poptop, the open source PPTP server, and set it up so that it authenticates against FreeRADIUS on CentOS and Ubuntu. This is useful if you're using it in conjunction with our WHMCS module, and it should also work on other distros.
For CentOS we need the PPTP server software RPM:

CentOS 6

wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm

Install it:

rpm -ivh pptpd-1.3.4-2.el6.i686.rpm

Ubuntu

Run the following command:

sudo apt-get install ppp pptpd

After installing Poptop, open the file /etc/pptpd.conf and add this at the very bottom:

localip 10.0.0.1
remoteip 10.0.0.10-100

In the above, 10.0.0.1 will be used for the ppp interface and 10.0.0.10 – 10.0.0.100 will be assigned to the clients. You can also use different private IPs in ‘localip’ and ‘remoteip’, like 10.20.26.1 and 10.20.26.10-100.

Next, open the PPP options file (on CentOS: /etc/ppp/options.pptpd, on Ubuntu: /etc/ppp/pptpd-options), uncomment the ms-dns lines (by removing the ‘#’ in front of them) and change them to the DNS servers provided by your ISP or to public DNS servers such as Google DNS or OpenDNS.

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1 on CentOS:

net.ipv4.ip_forward = 1

On Ubuntu change:

#net.ipv4.ip_forward=1

To:

net.ipv4.ip_forward=1

To make the changes to sysctl.conf take effect, use the following command.

sysctl -p

Next, configure iptables to do NAT.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Next, we need to allow TCP port 1723 and the GRE protocol through iptables.

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.

iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

Save iptables.

service iptables save
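
A review of the rules above, as an added example that is not part of the original page: the function reads iptables rules as text and flags a MASQUERADE rule with no source match and an ACCEPT toward ppp+ with no state match, both of which occur in the rules above. The 10.0.0.0/24 range in the tighter variant is an assumption chosen to cover the localip and remoteip values used earlier; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): reads iptables rules as text on
# stdin and prints one finding per line; prints nothing when the set is clean.
review_pptp_rules() {
    awk '
    # MASQUERADE without -s rewrites anything routed out, not only VPN clients.
    /-j MASQUERADE/ && !/ -s / { print "nat-unscoped: " $0 }
    # Packets forwarded toward ppp interfaces should only be replies.
    /-A FORWARD/ && /-o ppp\+/ && /-j ACCEPT/ && !/--(ct)?state/ {
        print "forward-stateless: " $0
    }
    /-A INPUT/ && /--dport 1723/ { ctl = 1 }   # PPTP control channel
    /-A INPUT/ && /-p (gre|47) / { gre = 1 }   # PPTP data channel
    END {
        if (!ctl) print "missing: tcp/1723 accept rule"
        if (!gre) print "missing: GRE accept rule"
    }'
}

# The rules exactly as given in the text above.
PAGE_RULES='iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT'

# Constructed tighter variant: NAT and forwarding limited to the assumed
# client range, and only reply traffic allowed back toward the clients.
TIGHT_RULES='iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -s 10.0.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT'

echo "== rules from the text =="
printf '%s\n' "$PAGE_RULES" | review_pptp_rules
echo "== tighter variant =="
printf '%s\n' "$TIGHT_RULES" | review_pptp_rules
```

On a live server the same function can be fed the output of `iptables -S` and `iptables -t nat -S`.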

Now start the PPTP server if you haven’t already.

service pptpd restart

That should be it for PPTP. If you have problems browsing sites when connected over PPTP, you may need to change the MTU of the ppp interface. To do this, open the /etc/ppp/ip-up file and, just before the last line, add the following line.

/sbin/ifconfig $1 mtu 1400

Save the file after that and then restart the PPTP server.

service pptpd restart

Now we need to set up the radiusclient so that PPTP authenticates against RADIUS. Let's grab the radius client package.

For CentOS

wget http://pkgs.repoforge.org/radiusclient/radiusclient-0.3.2-0.2.el6.rf.i686.rpm

Install it:

rpm -i radiusclient-0.3.2-0.2.el6.rf.i686.rpm

On Ubuntu:

apt-get install radiusclient1

Now open /etc/radiusclient/servers. It should look like the example below, with the values changed to your RADIUS server's hostname or IP and its secret, which is specified in /etc/raddb/clients.conf on your FreeRADIUS server:

#Server Name or Client/Server pair Key
#---------------- ---------------
#portmaster.elemental.net hardlyasecret
#portmaster2.elemental.net donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP YOUR_RADIUS_SERVER_SECRET

Now open up the main configuration file for the radiusclient /etc/radiusclient/radiusclient.conf and make sure it looks something like below (I stripped all the remarks out):

auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login

Now save it. In the /etc/radiusclient directory there is a file called dictionary; add this line at the very bottom of it:

INCLUDE /etc/radiusclient/dictionary.microsoft

Next, modify the PPP options file (CentOS: /etc/ppp/options.pptpd, Ubuntu: /etc/ppp/pptpd-options) to include these two lines at the very bottom of the file:

plugin radius.so
plugin radattr.so

Now restart PPTPD and you should have PPTP authenticating off your FreeRADIUS server:

service pptpd restart

And make sure PPTPD starts at boot:

chkconfig pptpd on
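
A check of the files edited in the RADIUS steps above, as an added example that is not part of the original page: it verifies both plugin lines, the dictionary include and a filled-in servers entry, and flags group or other permissions on the files that hold clear-text secrets (the servers file, and /etc/ppp/chap-secrets if it exists). The function names, the root-prefix argument and the sample host and secret are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. ROOT is a hypothetical prefix so the
# checks can run on a staging copy; pass "" to audit the live system.
audit_pptp_radius() {
    root=$1; opts=$2; rc=0
    rcdir=$root/etc/radiusclient
    for p in radius.so radattr.so; do
        grep -Eq "^[[:space:]]*plugin[[:space:]]+$p" "$root$opts" ||
            { echo "missing: plugin $p in $opts"; rc=1; }
    done
    grep -Eq '^INCLUDE[[:space:]]+/etc/radiusclient/dictionary\.microsoft' \
        "$rcdir/dictionary" || { echo "missing: dictionary.microsoft include"; rc=1; }
    # First non-comment line with at least a server name and a secret.
    entry=$(awk '!/^[[:space:]]*#/ && NF >= 2 { print $1; exit }' "$rcdir/servers")
    case $entry in
        "") echo "missing: server entry in servers"; rc=1 ;;
        YOUR_RADIUS_SERVER_*) echo "placeholder: servers not filled in"; rc=1 ;;
    esac
    # Both files hold clear-text secrets: flag any group/other permission bit.
    for f in "$rcdir/servers" "$root/etc/ppp/chap-secrets"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "perms: $f is accessible beyond its owner"; rc=1; }
    done
    return $rc
}

# Constructed sample tree (CentOS layout) with two deliberate mistakes:
# radattr.so is missing and the servers file is world-readable.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ppp" "$d/etc/radiusclient"
    printf 'ms-dns 8.8.8.8\nplugin radius.so\n' > "$d/etc/ppp/options.pptpd"
    echo 'INCLUDE /etc/radiusclient/dictionary.microsoft' > "$d/etc/radiusclient/dictionary"
    echo 'radius.example.test constructed-secret' > "$d/etc/radiusclient/servers"
    chmod 644 "$d/etc/radiusclient/servers"
    echo "$d"
}

sample=$(make_sample)
audit_pptp_radius "$sample" /etc/ppp/options.pptpd || echo "audit failed"
```

On the server itself, call it as `audit_pptp_radius "" /etc/ppp/options.pptpd` on CentOS, or with the Ubuntu options file as the second argument.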

ONLY FOLLOW BELOW TO USE WITHOUT FREERADIUS

If you want to configure PPTP not to use FreeRADIUS and instead to use usernames and passwords stored in /etc/ppp/chap-secrets, all you have to do is remove the radius plugin lines from the PPP options file (CentOS: /etc/ppp/options.pptpd, Ubuntu: /etc/ppp/pptpd-options) and add a user and password to the chap-secrets file like below:

# Secrets for authentication using CHAP
# client server secret IP addresses
username * user-password *

Now restart PPTPD and you should have PPTP authenticating off your chap-secrets file:

service pptpd restart
