Thursday, January 10, 2013


Installing and Configuring PPTP VPN on RHEL/CentOS 5



In the following tutorial, I will explain how to set up a PPTP VPN server on RHEL/CentOS 5, so that you can use it to browse the internet. So, if you have a RHEL/CentOS 5 dedicated server in the US, you will be able to access US-only sites. A set-up like this also has other benefits. Since your traffic travels inside the tunnel, your ISP sees only an encrypted connection to your server rather than the sites you visit. Keep the limits of that in mind, though: PPTP's MPPE encryption takes its keys from the MS-CHAPv2 handshake, and MS-CHAPv2 is known to be breakable by anyone who captures that handshake (the 2012 attack reduces it to a single DES key search), so treat PPTP as a convenience tunnel rather than as protection against a capable adversary. If that matters to you, use OpenVPN instead (see the Notes at the end).

Installation and Configuration

OK, so let's get started. First, make sure that you have ppp installed.
yum install ppp
In my case it was already installed, so I got the message ‘Package ppp-2.4.4-1.el5.x86_64 is already installed’.
After you make sure that you have ppp installed, download and install Poptop (the pptpd package). You can get the RHEL/CentOS 5 RPMs from http://poptop.sourceforge.net/yum/stable/rhel5/. The download is plain HTTP and the package is installed as root, so check its signature or checksum before installing if the project publishes one. I was using the 64-bit version of CentOS 5, so I downloaded and installed the 64-bit (x86_64) version of the RPM.
wget http://poptop.sourceforge.net/yum/stable/rhel5/x86_64/pptpd-1.3.4-1.rhel5.1.x86_64.rpm
rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm
After installing Poptop, open the file /etc/pptpd.conf.
nano /etc/pptpd.conf
Go to the end of the file, where you can see commented-out examples of localip and remoteip. Below them, add your own values for localip and remoteip.
localip 10.0.0.1
remoteip 10.0.0.10-100
In the above, 10.0.0.1 will be the server's end of every ppp interface and 10.0.0.10 – 10.0.0.100 will be handed out to clients, so at most 91 clients can be connected at once. You can also use a different private range for ‘localip’ and ‘remoteip’, like 10.20.26.1 and 10.20.26.10-100. Whatever you pick, it must not overlap the LAN your clients connect from, or their traffic will not be routed through the tunnel. The OpenVPN HOWTO has a good section on numbering private subnets.
Next, open the file /etc/ppp/options.pptpd.
nano /etc/ppp/options.pptpd
Uncomment the ms-dns lines (by removing the ‘#’ in front of them) and change them to the DNS servers provided by your ISP, or to public DNS servers like the ones provided by OpenDNS. Connected clients will send their DNS queries to these servers through the tunnel, so pick resolvers you trust.
ms-dns 208.67.222.222
ms-dns 208.67.220.220
That's all you need to change in the options.pptpd file. Next you will need to edit the file /etc/ppp/chap-secrets to add usernames and passwords for your clients. The passwords are stored in clear text, so make sure the file is readable only by root (mode 600). You need to enter the usernames and passwords in the following format.
# Secrets for authentication using CHAP
# client server secret IP addresses
username pptpd password *
username2 pptpd password2 *
The second column must match the ‘name’ directive in options.pptpd, which is ‘pptpd’ by default; you can also put a * there, just like the * below ‘IP addresses’, to accept the secret for any server name. The fourth column is not the address the client connects from. It restricts the VPN address (from the remoteip pool) the client is allowed to receive, so put a single address there if you want a particular user always pinned to the same 10.0.0.x address, and leave the * otherwise.
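Because chap-secrets holds every client's password in clear text, the two things worth automating are keeping its permissions tight and never typing weak passwords into it by hand. The following script is an added example, not code from the original post. It assumes the default /etc/ppp/chap-secrets path (override with SECRETS=...) and that options.pptpd keeps the default ‘name pptpd’, which is what the second column must match.

```sh
#!/bin/sh
# Added example (not from the original post): manage /etc/ppp/chap-secrets safely.
# The file holds PPTP passwords in clear text, so it must stay root-only (mode 600).
SECRETS=${SECRETS:-/etc/ppp/chap-secrets}   # assumed default path

# Random 20-character alphanumeric password; no quoting is needed in chap-secrets
# because the value contains no whitespace.
gen_secret() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# add_pptp_user NAME [PASSWORD] [VPN_IP]
# Appends "NAME pptpd PASSWORD VPN_IP" (VPN_IP defaults to *, i.e. any pool address),
# refusing empty values, values containing whitespace, and names already present,
# then enforces root-only permissions. Prints the password so it can be handed to the client.
add_pptp_user() {
    name=$1; pass=${2:-$(gen_secret)}; ip=${3:-*}
    case "$name" in
        ''|*[[:space:]]*) echo "invalid username: '$name'" >&2; return 1 ;;
    esac
    case "$pass" in
        ''|*[[:space:]]*) echo "invalid password for '$name'" >&2; return 1 ;;
    esac
    if [ -f "$SECRETS" ] && awk -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$SECRETS"; then
        echo "user '$name' already exists in $SECRETS" >&2
        return 1
    fi
    printf '%s pptpd %s %s\n' "$name" "$pass" "$ip" >> "$SECRETS"
    chmod 600 "$SECRETS"
    printf '%s\n' "$pass"
}

# lookup_secret NAME: print the stored password for NAME; exit 1 if there is none.
lookup_secret() {
    awk -v u="$1" '$1 == u && $2 == "pptpd" { print $3; found = 1 } END { exit !found }' "$SECRETS"
}
```

Run it as root, for example by sourcing the script and calling add_pptp_user alice; the printed password is the only copy you get besides the file itself, so deliver it to the client out of band rather than over the PPTP link you are about to set up.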

IP Forwarding and Firewall Rules

Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1.
net.ipv4.ip_forward = 1
To make the changes to sysctl.conf take effect, use the following command.
sysctl -p
Or you can also use the following command to enable IP forwarding temporarily.
echo 1 > /proc/sys/net/ipv4/ip_forward
Next, configure iptables to do NAT so that client traffic leaves through the server's public interface (eth0 here; substitute your own). Note that this rule masquerades everything the box forwards out of eth0, not just VPN traffic; add ‘-s 10.0.0.0/24’ (your remoteip range) if you want to limit it to the tunnel.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Next, we need to allow TCP port 1723 (the PPTP control connection) and the GRE protocol (the tunnel itself) through iptables. If the stock CentOS 5 firewall is active, the INPUT chain starts with a jump to RH-Firewall-1-INPUT, which ends in a REJECT, so rules appended with -A are never reached; in that case use -I instead of -A, or add the rules inside RH-Firewall-1-INPUT.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server. The second rule lets anything from the internet into the tunnel; if you want clients to be reachable only as responders, restrict it with ‘-m state --state ESTABLISHED,RELATED’.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Now start the PPTP server if you haven’t already.
service pptpd start
If you followed the above steps correctly, the PPTP server should now be ready for use. Remember that rules added with iptables on the command line are lost at reboot; run ‘service iptables save’ to write them to /etc/sysconfig/iptables.
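The forwarding, NAT and firewall steps above are the part of this set-up that most often ends up half-applied (one rule missing, nothing saved, forwarding off after a reboot). The script below is an added example, not code from the original post: it applies the same rules in one go and then checks them against iptables-save output. It assumes the public interface is eth0 and the client pool is 10.0.0.0/24 (override with WAN_IF=... and VPN_NET=...), and it tightens the rules in three places relative to the text: MASQUERADE is limited to the VPN pool, the return path into ppp+ only admits replies, and the INPUT rules are inserted at the top of the chain so the stock CentOS 5 REJECT rule cannot shadow them.

```sh
#!/bin/sh
# Added example, not part of the original post: apply the forwarding, NAT and firewall
# settings for pptpd in one idempotent step and verify them afterwards.
# Assumed (not from the page): public interface eth0, client pool 10.0.0.0/24.
WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-10.0.0.0/24}

# apply_rules: must run as root. Compared with the bare rules in the text:
#  - MASQUERADE carries -s so only the VPN pool is NATed;
#  - traffic from the internet into ppp+ is limited to replies (ESTABLISHED,RELATED);
#  - the INPUT rules use -I, ahead of CentOS 5's jump to RH-Firewall-1-INPUT;
#  - 'service iptables save' persists the result to /etc/sysconfig/iptables.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    iptables -I INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -i "$WAN_IF" -p gre -j ACCEPT
    iptables -A FORWARD -i ppp+ -o "$WAN_IF" -j ACCEPT
    iptables -A FORWARD -i "$WAN_IF" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    service iptables save
}

# One extended regular expression per required rule, matched against iptables-save
# output. iptables-save rewrites rules slightly (adds '-m tcp', reorders states),
# hence the '.*' gaps.
required_patterns() {
    cat <<EOF
^-A POSTROUTING .*-o $WAN_IF -j MASQUERADE
^-A INPUT -i $WAN_IF -p tcp .*--dport 1723 -j ACCEPT
^-A INPUT -i $WAN_IF -p (gre|47) -j ACCEPT
^-A FORWARD -i ppp\+ -o $WAN_IF -j ACCEPT
^-A FORWARD -i $WAN_IF -o ppp\+ .*-j ACCEPT
EOF
}

# check_rules: read iptables-save output on stdin, report each missing rule on stderr,
# and succeed only when every required rule is present.
check_rules() {
    saved=$(cat)
    missing=0
    while IFS= read -r pat; do
        if ! printf '%s\n' "$saved" | grep -Eq -- "$pat"; then
            echo "missing rule: $pat" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(required_patterns)
EOF
    [ "$missing" -eq 0 ]
}

# check_forwarding [FILE]: true when IPv4 forwarding is on. FILE defaults to the
# sysctl node; a path argument lets the check run against a saved copy.
check_forwarding() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

case "${1:-}" in
    apply) apply_rules ;;
    check) iptables-save | check_rules && check_forwarding && echo "pptp firewall: ok" ;;
esac
```

Use ‘sh pptp-fw.sh apply’ once as root, then ‘sh pptp-fw.sh check’ after every reboot or firewall change; the check reads the live ruleset, so it will also catch a rule that a later ‘service iptables restart’ silently dropped because it was never saved.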

Troubleshooting

In case you are unable to connect to the VPN, consult Microsoft's knowledge base article on troubleshooting PPTP connections. It has some good tips. On the server side, /var/log/messages shows pptpd and pppd output, which usually names the failing step (GRE not arriving, CHAP failure, no free remoteip address).
If you are unable to browse certain sites through the VPN, you may need to change the MTU of the ppp interface. To do this, open the /etc/ppp/ip-up file and, just before the last line, add the following line ($1 is the interface name pppd passes to ip-up, so the setting applies to each new connection).
/sbin/ifconfig $1 mtu 1400
Save the file after that and then restart the PPTP server.
service pptpd restart
In my case the ppp interface was being assigned 1396 as the MTU, due to which I was unable to browse some sites. After changing the MTU to 1400, the problem went away.

Notes

I initially used PPTP since the site Relakks.com uses the same. But due to poor performance I have now switched to OpenVPN instead. If you are not satisfied with PPTP you should try OpenVPN. You will find excellent documentation on their website.
