Ubuntu / CentOS pptpd howto
In this tutorial I will explain how to set up a pptpd server on Ubuntu or CentOS.
Each client that connects to this server will get a dedicated IP address; this is done with iptables NAT.
I'll also share a few tricks for configuring the server for Windows clients and for allowing Yahoo/MSN connections.
Before we start you need at least a minimal knowledge of how Linux ticks, just in case something goes wrong.
Let's begin by installing pptpd. Don't forget that you need to be logged in as root.
# For Ubuntu run:
apt-get install pptpd
# For CentOS run:
rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel5/pptp-release-current.noarch.rpm
yum --enablerepo=poptop-stable install pptpd
Now that pptpd is installed you need to configure it; let's start with the main configuration file.
Edit /etc/pptpd.conf, here with nano:
nano /etc/pptpd.conf
At the bottom of the configuration file there is a section dedicated to IP allocation for new incoming VPN connections; edit it like this:
localip 10.10.1.1
remoteip 10.10.1.2-254
This means that pptpd uses 10.10.1.1 as its own address and allocates 10.10.1.2 through 10.10.1.254 to the clients that connect to this server.
Now let's configure the options for pptp connections, DNS and encryption. Edit /etc/ppp/options.pptpd on CentOS or /etc/ppp/pptpd-options on Ubuntu.
Find the ms-dns entries, uncomment them and replace the addresses with your own DNS servers, like this:
ms-dns 192.168.1.1
ms-dns 192.168.3.1
Remember to replace 192.168.1.1 and 192.168.3.1 with your own DNS servers; these are handed to the connecting clients.
Let's configure the encryption section; make sure it looks like this, so that plain MS-CHAP is refused and MS-CHAPv2 with 128-bit MPPE is required:
refuse-mschap
require-mschap-v2
require-mppe-128
require-mppe
Let's create a user and give it a static IP address by editing /etc/ppp/chap-secrets. This file holds the user names, passwords and the IP address allocated to each client; the passwords are stored in plain text, so keep the file readable only by root.
# client server secret IP addresses
username pptpd password 10.10.1.3
Replace username with the desired user name, pptpd with the server's hostname and password with your own password.
This user will receive the IP 10.10.1.3; if you want to give the user a dynamic IP instead, replace 10.10.1.3 with *.
In order to make live chats (Yahoo, MSN, Google, etc.) work as they should we need to lower the default MTU. This is done by adding the following line to /etc/ppp/ip-up ($1 is the name of the ppp interface that just came up):
ifconfig $1 mtu 1400
Add it before "exit 0", not after: "exit 0" means "the script ends here", so anything after it is ignored. You can check that this works by running ifconfig after making a pptp connection to your server from a remote computer.
Look at the ppp interface; it shows the MTU, and if it is 1400 this is working:
ppp0 Link encap:Point-to-Point Protocol
...
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
...
Now we need to allow IP forwarding; without it the connected clients won't have internet access.
This is done by enabling ip_forward in the kernel and setting the iptables forwarding policy to accept. Neither command below survives a reboot, so also make the setting permanent in /etc/sysctl.conf:
# Enabling ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Or using sysctl
sysctl net.ipv4.ip_forward=1
As for iptables:
iptables -P FORWARD ACCEPT
If you don't have a public IP address for each local IP defined in /etc/pptpd.conf, then you will need to use iptables masquerade:
iptables -t nat -A POSTROUTING -j MASQUERADE
Or you could use SNAT for multiple local IP addresses:
iptables -t nat -A POSTROUTING -s 10.10.1.2 -j SNAT --to 22.22.22.2
iptables -t nat -A POSTROUTING -s 10.10.1.3 -j SNAT --to 22.22.22.2
iptables -t nat -A POSTROUTING -s 10.10.1.4 -j SNAT --to 22.22.22.2
....
But if you do have a public IP address for each local IP, then you could use this bash script:
#!/bin/bash
for ((i=2;i<=254;i+=1)); do
    ifconfig eth0:$i 22.22.22.$i netmask 255.255.255.0
    iptables -t nat -A PREROUTING -d 22.22.22.$i -j DNAT --to-destination 10.10.1.$i
    iptables -t nat -A POSTROUTING -s 10.10.1.$i -j SNAT --to 22.22.22.$i
done
This script adds a virtual interface for each public IP address and uses iptables to redirect its traffic to the local IP address allocated to the pptp client (DNAT for incoming, SNAT for outgoing).
Replace 22.22.22 with your own public IP prefix. Keep in mind that this is full 1:1 NAT, DNAT and SNAT, so you need one public IP address for every local IP address; in this example the allocation is as follows:
22.22.22.2 -> 10.10.1.2
22.22.22.3 -> 10.10.1.3
22.22.22.4 -> 10.10.1.4
...
22.22.22.254 -> 10.10.1.254
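The static addresses in /etc/ppp/chap-secrets and the 1:1 NAT pool above must agree: the script only maps 10.10.1.2-254, so a static address outside the remoteip pool has no public mapping. The POSIX shell check below is an added example, not part of the original tutorial; it expands pptpd's last-octet range syntax (full-IP ranges are not handled) and reads a constructed sample chap-secrets file, reporting any static address that lies outside the pool.

```shell
#!/bin/sh
# Added check: every static address in chap-secrets must fall inside the
# pptpd remoteip pool, because the 1:1 DNAT/SNAT script only maps pool addresses.
# Expand a remoteip spec such as "10.10.1.2-254,10.10.1.3" into one address per line.
expand_pool() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            *-*) prefix=${item%.*}            # 10.10.1
                 last=${item##*.}             # 2-254 (last-octet range, as in pptpd.conf)
                 i=${last%-*}; hi=${last#*-}
                 while [ "$i" -le "$hi" ]; do
                     echo "$prefix.$i"
                     i=$((i + 1))
                 done ;;
            *)   echo "$item" ;;
        esac
    done
}

# Print the static addresses from a chap-secrets file ("client server secret IP..."); "*" is dynamic and skipped.
static_ips() {
    sed 's/#.*//' "$1" | awk 'NF >= 4 { for (i = 4; i <= NF; i++) if ($i != "*") print $i }'
}

# Return 0 when every static address is in the pool, 1 otherwise. $1 = chap-secrets path, $2 = remoteip spec
check_static_ips() {
    pool=$(expand_pool "$2")
    rc=0
    for ip in $(static_ips "$1"); do
        if ! printf '%s\n' "$pool" | grep -qxF "$ip"; then
            echo "chap-secrets address $ip is outside the remoteip pool $2" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample chap-secrets (not a real file), in the tutorial's layout.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# client  server  secret    IP addresses
alice     pptpd   s3cret    10.10.1.3
bob       pptpd   pa55word  *
carol     pptpd   hunter2   10.10.2.9
EOF

check_static_ips "$SAMPLE" '10.10.1.2-254' || echo "fix chap-secrets or the remoteip pool" >&2
```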
That's it, you now have a working VPN server.
September 10, 2010
Hi, I am Prabhu from Chennai, joined today in this forum…
April 14, 2011
Dear Sir.
I hope you teach me, the problem as follows,
I made the vpn server by CentOS5.5.
The remoteip’s range of ” /etc/pptpd.conf ” is 2 different things.
1.1.1.1 1-125,2.2.2.2-125
And, ” /etc/ppp/chap-secrets ” ‘s range is as follows,
1.1.1.1-125 range: aaa pptpd 111 * (<<-- In here, *'s mean is receive the ip of the 1.1.1.1-125 automatically)
2.2.2.2-125 range: bbb pptpd 222 2.2.2.2 (<<-- Here is a problem. why I can't use * in here?) (I hope to can be to receive here the 2.2.2.2-125's ip automatically)
Please teach me the answer.
Thank you very much. Best regards.
High school student in Korea, Byung Hyun, Kim
April 14, 2011
* – will allocate your users an IP from your entire IP pool, if you run out of 1.1.1.1 the server will allocate IP addresses from the 2.2.2.x pool
Try and add this:
aaa pptpd 111 1.1.1.*
bbb pptpd 222 2.2.2.*
Not sure if it will work since I never needed this and I don’t have a live pptpd server available at this time for testing.
May 19, 2011
Thanks a lot mate! You helped me overcome headaches with DNAT… there are too many wrong ways to use it if you think it's the same direction names as SNAT :/
July 3, 2011
This is a great tutorial and a great site.
My best regards to the author(s).
We implemented this with automated scripts on Ubuntu 10.10; it works perfectly.
Just add the iptables rules to the /etc/rc.local file so they remain after reboot.