admin | Category: Linux Administration
PPTP (Point to Point Tunneling Protocol) is a method for implementing VPN (Virtual Private Networks). The basic requirement to configure PPTP VPN is to allow port 1723 (TCP) in the server firewall and to load ip_gre module in the kernel. The module is by default compiled with the kernel but sometimes it is not loaded which can be done using the modprobe command.
# modprobe ip_gre
If you have a VPS, you have to ask your hosting provider to enable the PPP module on your VPS and to load the ip_gre module on the host server. Refer:
Now lets get started with the installation:
1) Install the PPP and PPTPD package on your server. You can either use YUM to install them OR install them manually by downloading their RPMs.
# yum install ppp
# yum install pptpd
download the PPP and PPTPD RPMs from http://poptop.sourceforge.net/yum/stable/rhel5 according to your server architecture. Once downloaded, install them using the ‘rpm’ command:
# rpm -ivh ppp-2.4.4-14.1.rhel5.x86_64.rpm
# rpm -ivh pptpd-1.3.4-2.rhel5.x86_64.rpm
2) Now, open the /etc/pptpd.conf file. The only change you have to make in this file is to specify the localip and remoteip. The parameters are defined at the end of the file.
The IP 10.0.0.2 (localip) will be assigned to the PPP interface created on your server. IPs from the IP range 10.0.0.10-50 (remoteip) will be assigned to the clients who will connect to the PPP interface. You can use any Private IP range instead of the above IPs.
3) You now have to define the DNS that PPTP is going to use. The DNS can either be the one provided by your ISP/hosting provider OR you can use Google DNS too.
Edit the file /etc/ppp/options.pptpd and scroll down to the line which states “ms-dns” and uncomment the lines. They should look like follows:
Save the file.
4) The next step is to add username/passwords of your clients in the /etc/ppp/chap-secrets file (one user per line). The server by default is pptpd and you can restrict a user to a specific IP as well. The file should look like the following:
# client server secret IP addresses
client1 pptpd pass1 10.0.0.10
client2 pptpd pass2 10.0.0.11
So the above lines state that their are 2 users, client1 and client2 to whom IPs 10.0.0.10 and 10.0.0.11 will be assigned when their connection to the PPTP server will be established.
You can also state * instead of the IP in the above file and any IP from the ‘remoteip’ range will be assigned randomly to the user.
5) Now activate IP forwarding in the sysctl.conf file by enabling “net.ipv4.ip_forward”. Open /etc/sysctl.conf file and add the following:
net.ipv4.ip_forward = 1
to make the changes active immediately, execute:
# sysctl -p
6) Now add the firewall rules to do NAT, accept connections on GRE protocol and on port 1723. You should also add FORWARD rules if you want to route all your internet traffic through the VPN server.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
7) Now start the pptpd service
# service pptpd start
Your are done with the server side configuration.
Now the second part is to configure the Client side VPN network:
1) Goto Start -> Settings -> Control Panel -> ‘Network Connections’
2) Click on “Create a New Connection” and click Next
3) Select ‘connect to the network at my workplace’
4) Select ‘Virtual Private Network connection’
5) Type a name for your connection and click Next
6) Select ‘Do not dial the initial connection’
7) Type IP or Hostname of the server on which server side PPTP is configured
8 ) Click Finish and it will prompt for username/password
9) Enter one of the username/password that you have specified in the /etc/ppp/chap-secrets file
10) Click Connect.
That’s it. You will now be connected to the PPTP VPN server.
To verify whether your requests are going through the VPN server, browse the website http://whatismyip.com which will display the VPN server IP address instead of your local internet IP.