Ubuntu / CentOS pptpd howto
In this tutorial I will explain how to set up an Ubuntu / CentOS pptpd server.
Each client that connects to this server will get a dedicated IP address; this is done with iptables NAT.
I'll also share a few tricks for configuring this server for Windows clients and for allowing Yahoo/MSN connections.
Before we start you need at least a basic understanding of how Linux works, in case something goes wrong.
Let's begin by installing pptpd. Don't forget that you need to be logged in as root.
# For Ubuntu run:
apt-get install pptpd
# For CentOS run:
rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel5/pptp-release-current.noarch.rpm
yum --enablerepo=poptop-stable install pptpd
Now that pptpd is installed you need to configure it; let's start with the main configuration.
Edit /etc/pptpd.conf, using nano for example:
nano /etc/pptpd.conf
At the bottom of the configuration file there is a section dedicated to IP allocation for new incoming VPN connections; edit this section so it reads:
localip 10.10.1.1
remoteip 10.10.1.2-254
This means that pptpd will use 10.10.1.1 as its own address and will allocate 10.10.1.2 through 10.10.1.254 to the clients that connect to this server.
Now let's configure the options for pptp connections, DNS and encryption. Edit /etc/ppp/options.pptpd on CentOS or /etc/ppp/pptpd-options on Ubuntu.
Find the ms-dns entries, uncomment them and replace the addresses with your own DNS servers, like this:
ms-dns 192.168.1.1
ms-dns 192.168.3.1
Remember to replace 192.168.1.1 and 192.168.3.1 with your own DNS servers; they will be handed out to the connecting clients.
Now the encryption section; make sure it looks like this:
# reject MS-CHAP v1, require MS-CHAP v2
refuse-mschap
require-mschap-v2
# require 128-bit MPPE encryption on the link
require-mppe-128
require-mppe
Let's create a user and give it a static IP address by editing /etc/ppp/chap-secrets; this file holds the usernames, passwords and the IP that will be allocated to each client.
# client server secret IP addresses
username pptpd password 10.10.1.3
Replace username with the desired username, pptpd with the server's hostname and password with your own password.
This user will receive the IP 10.10.1.3; if you want to give them a dynamic IP instead, replace 10.10.1.3 with *.
To make live chats (Yahoo, MSN, Google, etc.) work as they should, we need to lower the default MTU; this is done by adding the following line to /etc/ppp/ip-up:
ifconfig $1 mtu 1400
Add it before "exit 0", not after it; if you put it after, the command is never run, because exit 0 means "the script ends here". You can check that this works by running ifconfig after you make a pptp connection to your server from a remote computer.
Look at the pptp interface; it will show the MTU, and if it is 1400 then this is working:
ppp0 Link encap:Point-to-Point Protocol
...
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
...
Now we need to allow IP forwarding; without it the connected clients won't have internet access.
This is done by enabling ip_forward in the kernel and setting the iptables FORWARD policy to ACCEPT, like this:
# Enabling ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Or using sysctl
sysctl net.ipv4.ip_forward=1
# Both take effect immediately; to keep the setting across a reboot, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf
As for iptables:
iptables -P FORWARD ACCEPT
If you don't have a public IP address for each local IP defined in /etc/pptpd.conf, you will need to use iptables masquerade:
iptables -t nat -A POSTROUTING -j MASQUERADE
Or you can use SNAT to map several local addresses onto one public address:
iptables -t nat -A POSTROUTING -s 10.10.1.2 -j SNAT --to 22.22.22.2
iptables -t nat -A POSTROUTING -s 10.10.1.3 -j SNAT --to 22.22.22.2
iptables -t nat -A POSTROUTING -s 10.10.1.4 -j SNAT --to 22.22.22.2
...
But if you do have a public IP address for each local IP, you can use this bash script:
#!/bin/bash
for ((i=2;i<=254;i+=1)); do
    # alias eth0:$i with the public address
    ifconfig eth0:$i 22.22.22.$i netmask 255.255.255.0
    # inbound: public address -> the client's local address
    iptables -t nat -A PREROUTING -d 22.22.22.$i -j DNAT --to-destination 10.10.1.$i
    # outbound: the client's local address -> its public address
    iptables -t nat -A POSTROUTING -s 10.10.1.$i -j SNAT --to 22.22.22.$i
done
This script adds a virtual interface for each public IP address and uses iptables to redirect its traffic to the local IP address allocated to the pptp client.
Replace 22.22.22 with your own public address range. Keep in mind that this is full NAT (DNAT and SNAT), so you need one public IP address for every local IP address; in this example the allocation is as follows:
22.22.22.2 -> 10.10.1.2
22.22.22.3 -> 10.10.1.3
22.22.22.4 -> 10.10.1.4
...
22.22.22.254 -> 10.10.1.254
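As an added example (not part of the original tutorial), the script below derives the DNAT/SNAT pairs from the static addresses in chap-secrets instead of creating all 253 mappings up front: dynamic (*) users are skipped, a static address reused by two users is reported and skipped, and forwarding is limited to ppp<->WAN traffic rather than a blanket FORWARD ACCEPT policy. The function name render_nat_rules, the sample chap-secrets contents and eth0 as the WAN interface are assumptions.

```sh
#!/bin/sh
# Emit the per-user 1:1 NAT rules for every pptp user that has a static
# IP in chap-secrets. Only users with an address in LOCAL_PREFIX get a
# public address (same last octet on PUBLIC_PREFIX); "*" users and a
# reused address are skipped. Assumption: one unquoted word per field,
# so secrets containing spaces are not handled.
# Usage: render_nat_rules PUBLIC_PREFIX LOCAL_PREFIX [WAN_IF] < /etc/ppp/chap-secrets
# Nothing is applied until the printed commands are piped to sh.
render_nat_rules() {
    pub="$1"; loc="$2"; wan="${3:-eth0}"; seen=" "
    # forward only between the ppp links and the WAN interface
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i ppp+ -o %s -j ACCEPT\n' "$wan"
    printf 'iptables -A FORWARD -i %s -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$wan"
    while read -r client server secret ip rest; do
        case "$client" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$ip" in "$loc".*) ;; *) continue ;; esac   # "*" or a foreign subnet
        octet="${ip##*.}"
        case "$seen" in *" $octet "*)
            printf 'warning: %s reuses %s, skipped\n' "$client" "$ip" >&2; continue ;;
        esac
        seen="$seen$octet "
        printf 'ip addr add %s.%s/24 dev %s label %s:%s\n' "$pub" "$octet" "$wan" "$wan" "$octet"
        printf 'iptables -t nat -A PREROUTING -d %s.%s -j DNAT --to-destination %s\n' "$pub" "$octet" "$ip"
        printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to %s.%s\n' "$ip" "$pub" "$octet"
    done
}

# Constructed sample chap-secrets (not a real file): two static users, one
# dynamic user and one user that wrongly reuses alice's address.
SAMPLE_SECRETS='# client server secret IP addresses
alice pptpd s3cret 10.10.1.3
bob pptpd p4ss *
carol pptpd pw 10.10.1.4
dave pptpd pw2 10.10.1.3'

printf '%s\n' "$SAMPLE_SECRETS" | render_nat_rules 22.22.22 10.10.1 eth0
```

Review the printed commands, then apply them with `render_nat_rules 22.22.22 10.10.1 eth0 < /etc/ppp/chap-secrets | sh`.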
That's it, you now have a working VPN server.