PPTP using Poptop on CentOS 5

Just recently I needed to set up a quick and dirty VPN solution. I've used Poptop before, on Mandrake 9 many years ago, and it proved pretty easy to set up. It's even easier with CentOS 5, as the kernel is already patched with the MPPE and MPPC encryption and authentication support that is really required to create a secure VPN solution.

INSTALL AND CONFIGURE POPTOP

Firstly, make sure that ppp is installed using yum.

yum install ppp

I compiled the latest pptpd version, so grab the RPM from here and install it, or add my custom yum repository. I would recommend the latter, as yum will then update pptpd whenever I put an updated package on my repo.

If you would prefer to use my yum repository, which also has a few other updated packages such as the patched iptables for L7 filtering (which I will talk about in a later post), you can add it by creating a new file "/etc/yum.repos.d/Doylenet.repo" and adding the following lines:

[doylenet]
name=Doylenet custom repository for CentOS
baseurl=http://files.doylenet.net/linux/yum/centos/5/i386/doylenet/
gpgcheck=1
gpgkey=http://files.doylenet.net/linux/yum/centos/RPM-GPG-KEY-rdoyle
enabled=1

Once you have created this file, install pptpd through yum.

yum install pptpd

Now we want to edit the /etc/pptpd.conf file. Disable the "logwtmp" line by commenting it out, otherwise PPTP will fail to start and you will get this error in the syslog: "Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.3, this is 2.4.4". As the error says, the library file is for PPP 2.4.3, but CentOS 5 uses 2.4.4. EDIT: This has now been corrected in the RPM package, as pointed out by Peter. It is no longer required to disable this line.

Scroll down to the localip and remoteip lines. To keep routing issues to a minimum, set these to a range in your local LAN. For example, I use 10.0.0.0/24 for my private LAN; 10.0.0.1 is the IP address of my router and VPN server. I set the localip value to 10.0.0.2 and the remoteip range to 10.0.0.200-220, outside the DHCP-assigned range.

localip 10.0.0.2
remoteip 10.0.0.200-220

Now edit the /etc/ppp/options.pptpd file. The defaults in here are fine, as they are secure by default: the VPN will not form unless MS-CHAPv2 is used for authentication together with 128-bit MPPE encryption. Scroll down to "ms-dns", which is commented out by default, and edit it to your internal DNS server address. Do the same for WINS ("ms-wins"). If you don't have an internal DNS server, that is fine, but name resolution is a lot less painful if you are using DNS rather than relying on NetBIOS, which requires broadcasts and doesn't work too well over a VPN.

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 10.0.0.240
#ms-dns 10.0.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
ms-wins 10.0.0.240

Finally, we want to edit the file /etc/ppp/chap-secrets. This is where we specify user names and passwords, one user per line, in the four-column format client / server / secret / allowed IP addresses (an asterisk matches anything):

username * password *

That is all the configuration needed for the PPTP server. Start it with the following command:

/etc/init.d/pptpd start
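Before starting the daemon it is worth checking that the three files above still say what this section intends, because a single commented-out require line silently weakens the tunnel. The script below is an added example, not code from the original post or from the Poptop project: it assumes the post's single-range remoteip shorthand ("a.b.c.start-end") and takes the DHCP pool as two last-octet numbers on the same /24, and it builds constructed sample copies of the files so it can be run without touching /etc.

```shell
#!/bin/sh
# Added example (not code from the original post): a pre-flight check for the
# three poptop files edited above. It assumes the post's single-range remoteip
# shorthand ("a.b.c.start-end") and takes the DHCP pool as two last-octet
# numbers on the same /24; file paths are arguments so it can run against
# constructed copies as well as the real /etc files.

# Print the value of the first uncommented "key value" line in a config file.
conf_value() {                    # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Succeed if "$2" appears as an uncommented option in file "$1".
has_option() {                    # $1 = file, $2 = option
    awk -v k="$2" '$1 == k { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# pptpd.conf: localip/remoteip must be set and the remoteip range must stay
# clear of the DHCP pool, as the post recommends.
check_pptpd_conf() {              # $1 = file, $2 = first DHCP octet, $3 = last DHCP octet
    local_ip=$(conf_value "$1" localip)
    remote=$(conf_value "$1" remoteip)
    [ -n "$local_ip" ] || { echo "pptpd.conf: localip missing"; return 1; }
    [ -n "$remote" ]   || { echo "pptpd.conf: remoteip missing"; return 1; }
    r_start=$(echo "$remote" | awk -F'[.-]' '{ print $4 }')
    r_end=$(echo "$remote"   | awk -F'[.-]' '{ print $5 }')
    if [ "$r_start" -le "$3" ] && [ "$r_end" -ge "$2" ]; then
        echo "pptpd.conf: remoteip $remote overlaps DHCP pool $2-$3"
        return 1
    fi
    echo "pptpd.conf: ok (localip $local_ip, remoteip $remote)"
}

# options.pptpd: the "secure by default" lines must still be there, i.e. weaker
# authentication refused and MS-CHAPv2 with 128-bit MPPE required.
check_options_pptpd() {           # $1 = file
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        has_option "$1" "$opt" || { echo "options.pptpd: $opt missing"; return 1; }
    done
    if has_option "$1" ms-dns; then
        echo "options.pptpd: ok (ms-dns $(conf_value "$1" ms-dns))"
    else
        echo "options.pptpd: ok (no ms-dns, clients will fall back to NetBIOS)"
    fi
}

# chap-secrets: passwords are stored in clear text, so the file must be
# readable by root only, and every entry needs the four columns
# "client server secret ip" (the post's "username * password *").
check_chap_secrets() {            # $1 = file
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || { echo "chap-secrets: mode $mode, should be 600 (passwords are plaintext)"; return 1; }
    bad=$(awk '!/^[[:space:]]*(#|$)/ && NF != 4 { n++ } END { print n+0 }' "$1")
    [ "$bad" -eq 0 ] || { echo "chap-secrets: $bad line(s) without 4 fields (client server secret ip)"; return 1; }
    users=$(awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n+0 }' "$1")
    echo "chap-secrets: ok ($users user(s))"
}

# Constructed sample files mirroring the values used in the post (not copies
# of any real system's configuration).
write_sample_configs() {          # $1 = directory
    cat > "$1/pptpd.conf" <<'EOF'
option /etc/ppp/options.pptpd
localip 10.0.0.2
remoteip 10.0.0.200-220
EOF
    cat > "$1/options.pptpd" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.0.0.240
ms-wins 10.0.0.240
proxyarp
lock
EOF
    printf 'alice\t*\tCHANGE-ME\t*\n' > "$1/chap-secrets"
    chmod 600 "$1/chap-secrets"
}

# Usage: sh pptpd-check.sh --demo   (runs against the constructed sample)
#        sh pptpd-check.sh /etc/pptpd.conf /etc/ppp/options.pptpd /etc/ppp/chap-secrets 100 199
case "${1:-}" in
    --demo)
        d=$(mktemp -d) && write_sample_configs "$d"
        check_pptpd_conf "$d/pptpd.conf" 100 199
        check_options_pptpd "$d/options.pptpd"
        check_chap_secrets "$d/chap-secrets"
        rm -rf "$d" ;;
    "") ;;
    *)  check_pptpd_conf "$1" "$4" "$5"; check_options_pptpd "$2"; check_chap_secrets "$3" ;;
esac
```

Each check prints one line and returns non-zero on a problem, so the script can be dropped into a cron job or run by hand before `/etc/init.d/pptpd start`. The overlap test only looks at the last octet, which matches the post's layout where clients, DHCP pool and server all share one /24.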

FIREWALL AND ROUTING

The only issues that now need to be resolved are routing and firewall issues. This is only relevant if the VPN server is on the same machine as your firewall/router. Having the VPN clients on the same subnet as the rest of the trusted LAN makes things easier for the client but slightly harder to configure, as we aren't dealing with Layer 3 routing. We need to allow the ppp0 interface access to the trusted interface; we will assume eth0 is the trusted interface.

iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

This could also be done using the 10.0.0.0/24 range, but that will only work for unicast addresses. To make these statements safe, traffic with a 10.0.0.0/24 source address should also be dropped at the external interface, if that is not already done. It's good practice to drop all packets with RFC 1918 private source addresses arriving on the external interface, as a lot of malformed and spoofed IP packets carry source addresses from the private ranges.

iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -s 10.0.0.0/24 -j ACCEPT

Now we need to allow the VPN protocols used to connect and communicate with the VPN server through our firewall. The PPTP control connection, which carries the authentication, uses TCP port 1723. The actual data is then transferred using IP protocol GRE (Generic Routing Encapsulation). Configure the following iptables commands, replacing $external_interface with the name of your Internet-facing interface (e.g. eth1).

iptables -A INPUT -i $external_interface -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $external_interface -p gre -j ACCEPT
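Put together, the rules of this section (plus the RFC 1918 drops the text recommends but does not spell out) are easier to review as one iptables-restore file than as a series of individual iptables calls. The script below is an added example, not code from the original post: it takes the interface names and LAN subnet as parameters instead of the $external_interface placeholder, uses the ppp+ wildcard so a second VPN client is covered too, and only prints the ruleset, so nothing is applied until you pipe it to iptables-restore yourself. The masquerade rule is an assumption about the "route everything through the VPN" variant discussed later; it is not needed for the split-tunnel setup the post describes.

```shell
#!/bin/sh
# Added example (not code from the original post): the firewall rules of this
# section emitted as an iptables-restore file, with the interface names and
# LAN subnet as parameters instead of the post's $external_interface placeholder.
# Nothing is applied unless you feed the output to iptables-restore yourself.
#   $1 = Internet-facing interface (the post's $external_interface), e.g. eth1
#   $2 = trusted LAN interface, e.g. eth0
#   $3 = trusted LAN subnet in CIDR notation, e.g. 10.0.0.0/24
#   $4 = "nat" to also masquerade VPN clients behind $1 (only needed when
#        clients keep "Use default gateway on remote network" ticked)
pptp_rules() {
    ext=$1; lan=$2; net=$3; mode=${4:-}
    [ "$ext" != "$lan" ] || { echo "error: external and LAN interface must differ" >&2; return 1; }
    case $net in
        */[0-9]*) ;;
        *) echo "error: LAN subnet must be in CIDR form, got '$net'" >&2; return 1 ;;
    esac
    echo '*filter'
    # Anti-spoofing first: RFC 1918 source addresses have no business arriving
    # on the Internet side. Skip these if the "external" side is itself a
    # private network behind another router.
    for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "-A INPUT -i $ext -s $bogon -j DROP"
        echo "-A FORWARD -i $ext -s $bogon -j DROP"
    done
    # PPTP control connection (TCP 1723) and GRE data channel from the Internet.
    echo "-A INPUT -i $ext -p tcp --dport 1723 -j ACCEPT"
    echo "-A INPUT -i $ext -p gre -j ACCEPT"
    # Each VPN session gets its own pppN interface; ppp+ matches all of them,
    # so the rules keep working once a second client connects.
    echo "-A INPUT -i ppp+ -j ACCEPT"
    echo "-A FORWARD -i ppp+ -o $lan -j ACCEPT"
    # Trusted LAN side, as in the post.
    echo "-A INPUT -i $lan -s $net -j ACCEPT"
    echo "-A FORWARD -i $lan -s $net -j ACCEPT"
    echo 'COMMIT'
    if [ "$mode" = nat ]; then
        echo '*nat'
        echo "-A POSTROUTING -o $ext -j MASQUERADE"
        echo 'COMMIT'
    fi
}

# Position (1-based line number) of the first rule matching $2 in ruleset $1,
# used to confirm that the DROP rules sit before the ACCEPT rules.
rule_line() {                     # $1 = ruleset text, $2 = grep pattern
    printf '%s\n' "$1" | grep -n -e "$2" | head -n 1 | cut -d: -f1
}

# Usage:
#   sh pptp-rules.sh eth1 eth0 10.0.0.0/24        # print the ruleset
#   sh pptp-rules.sh eth1 eth0 10.0.0.0/24 nat | iptables-restore --noflush
if [ $# -ge 3 ]; then
    pptp_rules "$@"
fi
```

Use `iptables-restore --noflush` so the rules are appended to what is already loaded, which is what the post's `-A` commands do; without `--noflush` the filter table is replaced wholesale. Because the anti-spoofing drops are emitted before the accepts, a packet from the Internet claiming a 10.0.0.0/24 source never reaches the trusted-LAN accept rules.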

CONNECTING A WINDOWS CLIENT

Lastly, we want to set up the client. Windows 2000 and XP (and, I assume, Vista) come with a PPTP VPN client installed by default. You can get to it from the "Network Connections" dialog by clicking "Create a new connection". Follow the wizard through: Connect to the network at my workplace > Virtual Private Network connection > enter a name for the connection > enter the IP address or, preferably, the DNS name of the VPN server. If the VPN server is the router/gateway, you can use your external IP address even from inside your LAN; for testing purposes I used the internal address 10.0.0.1. If you run an internal DNS, use that name, so that when you are away from home and VPN in it resolves to the external address, as long as you have set everything up properly in terms of external DNS. For this, I recommend the services provided by DynDNS or a similar free dynamic DNS provider.

[Screenshot: vpn1.JPG]

Click “Properties”.

[Screenshot: vpn2.JPG]

Navigate to the screen above and click “Properties” again.

[Screenshot: vpn3.JPG]

Then click "Advanced".

[Screenshot: vpn4.JPG]

Then untick "Use default gateway on remote network". This setting is important and needs to be unticked most of the time for simple VPN setups. With it unticked, your existing default gateway (whatever you are connecting to the Internet through) is used for all traffic that isn't related to the VPN. Remember how we used the same subnet for the VPN clients as for the LAN clients? This is because if we used another subnet, the VPN clients would not know how to get to the LAN; that would require "Use default gateway on remote network" to be ticked, but would also mean all unrelated traffic went through the VPN. Sending only LAN traffic through the tunnel and everything else through the local gateway is known as "Split Tunneling", and it can be a security concern in larger enterprises, as the remote user's machine is attached to both networks at once and could become a gateway into the corporate network. Our setup is rather simple and we trust the users that are connecting, so this is not a concern.

Once you have this option set, use the username and password from the chap-secrets file to connect and test your VPN.

October 01 2007 12:15 am | Linux

81 Responses to “PPTP using Poptop on CentOS 5”

  1. Peter on 28 Nov 2007 at 6:37 am #

    Nice instructions!

    If you look at the spec.file you will see a line that says:
    echo '#define VERSION "2.4.3"' >> plugins/patchlevel.h

    (all one line). If you change that to 2.4.4. you can use the logwtmp option, as well. I find it useful!

  2. Dean Smith on 03 Dec 2007 at 8:47 pm #

    I've been searching everywhere for a pptpd rpm, so thank you for taking the trouble to create one.

    Is there a source repository for these packages, or could you please post the SRPM or spec file for the pptpd package?

    Thanks

  3. ryan on 03 Dec 2007 at 9:34 pm #

    Hi Guys

    To Peter,
    Thanks for the tip. This has now been fixed up.

    To Dean,
    I have provided the SRPM package as well. It's available at http://files.doylenet.net/linux/yum/centos/5/SRPMS/doylenet/pptpd-1.3.4-1.src.rpm

  4. Hans’ Blog » Blog Archive » PPTPD on 21 Jan 2008 at 5:52 pm #

    [...] PPTP using POPTOP on CentOS 5 [...]

  5. deRegen on 01 Feb 2008 at 2:39 pm #

    Thanks, it works.

  6. keilo on 02 Mar 2008 at 4:56 am #

    I'm missing something, I believe, as this is my first attempt at a VPN. I followed your tutorial and installed pptpd and ppp on the CentOS box at the office.

    Home IP:
    192.168.1.20

    Office:
    Router: 192.168.2.1
    Centos(vpn + DNS + DHCP): 192.168.2.2
    DHCP range 192.168.2.150-254

    I configured pptpd.conf and options.pp… with ms-dns pointing to 192.168.2.2 (which is the same server as the VPN) as well as WINS. pptpd.conf's server section points to an empty IP 192.168.2.9 and the client IPs are set to 192.168.2.20-40 (which again is not within the DHCP range).

    From home on WinXP, I created the connection and logged in all right. BUT, I can only ping 192.168.2.2 and no other computer in the office network. The only reachable computer is the VPN server itself and NO other computers in the office.

    My gut feeling tells me I'm missing something here but I couldn't nail it, as I believe the setup is meant to be straightforward. I would appreciate it if you could shed some light on this.

  7. ryan on 02 Mar 2008 at 11:08 am #

    Hi Keilo

    If you want to access other resources on the same network, you will want to have proxy arp enabled in your /etc/ppp/options.pptpd file.

    Just add the word “proxyarp” to the bottom of the file and restart pptpd.

  8. khaemi on 02 Mar 2008 at 11:11 am #

    your tutorial sucks
    it never worked. iptables gives me an invalid result.
    cannot use -o with INPUT

    packet routing never worked

  9. ryan on 02 Mar 2008 at 12:07 pm #

    This implementation works best if you are doing everything at layer 2 using proxyarp. And yes, I did stuff up the iptables rule. This has now been fixed.

    Thanks for being so kind…

  10. keilo on 02 Mar 2008 at 1:43 pm #

    Hi Ryan,

    I actually found a solution. As the VPN server is on a separate box from the router/firewall, I didn't mess with iptables at all.

    Khaemi, I don't think this tutorial sucks at all. It's very well written by a responsible person. You may want to give a shot to what I have tried, if you don't run the firewall/router on the same box as the VPN.

    In CentOS 5 (but I believe it'll work on others too):
    ——
    nano /etc/sysctl.conf

    change the line net.ipv4.ip_forward = 0
    to 1
    Ctrl+X save and exit

    and to execute this config on the current context;

    sysctl -p /etc/sysctl.conf

    This will re-parse the .conf file and you'll have IP routing enabled. And voila, I can ping other computers on the network!

    Again, I didn't play with iptables at all, as I have SipX running on the same box and it doesn't like iptables to be running, so I had to stop the iptables service.

    Hopefully what I'm doing is right, as it works for me currently. Do I really need to add "proxy arp enabled in my /etc/ppp/options.pptpd file", or is enabling IP routing sufficient?

    And THANK YOU Ryan for the pptpd yum repo; I wouldn't have been able to install it without your repo file and this article.

    cheers!

  11. ryan on 02 Mar 2008 at 1:56 pm #

    Hi Keilo

    That is a good point. I installed pptp on my router, which already had IP forwarding enabled, which is probably why I forgot to mention this.

    Thanks for your appreciation.

    Cheers
    Ryan

  12. Rahmat on 02 Mar 2008 at 8:25 pm #

    Hi, help me please. I can't install ppp on a CentOS 5 box. Is my yum repo invalid, or what?

    yum install ppp
    Setting up Install Process
    Setting up repositories
    Reading repository metadata in from local files
    Excluding Packages in global exclude list
    Finished
    Parsing package install arguments
    Nothing to do

  13. ryan on 03 Mar 2008 at 12:23 am #

    Hi Rahmat

    PPP is required for poptop to work. The output that you are getting means that PPP is already installed on your system. PPTPD is the actual pptp server. After you make sure that PPP is installed (which it should be, according to your output), do "yum install pptpd".

  14. Ashok on 13 Mar 2008 at 5:52 am #

    I got it right once but then the kernel froze. After upgrading the kernel, I tried to connect, but it disconnects automatically after verifying user & pass. Any suggestions?

  15. ryan on 13 Mar 2008 at 12:01 pm #

    Hi Ashok

    You need to make sure that MPPE and MPPC support is enabled in the kernel you are using. I am using the kernel from the centos plus repo which has this support. I haven’t used the stock centos kernel, but I do think I remember that it didn’t have this enabled. I am using the following kernel as a reference: 2.6.18-8.1.14.el5.centos.plus

  16. M on 13 Mar 2008 at 7:12 pm #

    Hello there, I'm still confused with the gateway thing. All I want is for all traffic to go through the tunnel. That means I must tick that gateway option, right? But if I do that, it seems all traffic from the client doesn't get a reply (ICMP or other). I can't ping the LAN, can't browse..

    But if I untick it, it works normally... I can ping and browse; when it pings the LAN it uses the tunnel, when it browses it uses the client's Internet connection.

    All I want is to be able to connect to the LAN and also browse the Internet through the tunnel. How can I do that? Can you help me with this?

  17. khaemi on 14 Mar 2008 at 10:18 am #

    Wow,
    I never thought that I would get a reply here.

    First of all, sorry for my “sucks” word.

    I'd successfully installed poptop; I was running xen at that time. I got stuck when trying to route/masquerade all VPN clients to get Internet access. ip4_forward is set to 1, and the network is restarted. iptables is running. Your tutorial looks like you want to create a client VPN to the server, maybe to be used to create Samba access. You uncheck "use default gateway on remote network", which will make not all IP packets on the client be routed to the server, i.e. not giving your client access to the Internet.

    I gave up on poptop and found a solution with openvpn instead. openvpn is working well, and I got a 2nd openvz (tun enabled) VPS to test on.

    So would you mind sharing with us how to use pptpd for providing client Internet access?

  18. khaemi on 14 Mar 2008 at 10:30 am #

    Oh, forgot:
    I’m running 2.6.18-53.1.6.el5.028stab053.6ent #1 SMP i686 CentOs 5 on openvz.

  19. M on 14 Mar 2008 at 11:55 am #

    Khaemi, would you mind sharing with us about your OpenVPN? Because I'm also interested in it.

  20. varanda from Brazil on 16 Mar 2008 at 6:02 am #

    Thank you Ryan !

    I installed on CentOS 5.1 with kernel 2.6.18-53.1.14.el5

    Sometimes it works, logging this:
    CTRL: Starting call (launching pppd, opening GRE)
    Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    pppd 2.4.4 started by root, uid 0
    Using interface ppp0
    Connect: ppp0 /dev/pts/1
    CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    MPPE 128-bit stateless compression enabled
    found interface eth1 for proxy arp
    local IP address 192.168.0.253
    remote IP address 192.168.0.211

    But, some minutes later, it doesn't work:
    CTRL: Client 201.20.201.206 control connection started
    CTRL: Starting call (launching pppd, opening GRE)
    Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    pppd 2.4.4 started by root, uid 0
    Using interface ppp0
    Connect: ppp0 /dev/pts/1

    GRE: read(fd=7,buffer=80515e0,len=8260) from network failed: status = -1 error = Protocol not available

    CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
    Modem hangup
    Connection terminated.
    Exit.
    CTRL: Client 201.20.201.206 control connection finished

    Nothing was changed between the first and second connection.

    So, suddenly, it works again!????

    Have you seen this before ?

  21. khaemi on 20 Mar 2008 at 8:56 pm #

    Never saw any reply.

  22. ryan on 21 Mar 2008 at 12:26 am #

    Hi khaemi

    You could try adding a static route to your LAN network on your VPN client machine. If your internal VPN network is 192.168.1.0/24, try the following once the VPN session has been established on a Windows box

    route add 192.168.1.0 mask 255.255.255.0 192.168.1.3

    Where .3 is the IP address of the VPN server specified in the /etc/pptpd.conf file

    Let me know how this goes

    Ryan

  23. ryan on 21 Mar 2008 at 12:30 am #

    Hi varanda

    Are you getting any connectivity? Can you ping the VPN server at all?

    It almost looks like the GRE tunnel is not being established. Have you forwarded GRE into the VPN server? Also, some routers don't pass through GRE on the client side. From the connection you are using on the client, you will need to make sure that the router supports "vpn passthrough" or something similarly named.

    Ryan

  24. D1L4 on 29 Mar 2008 at 3:50 pm #

    I have a problem connecting my poptop server with XP. I cannot log in from XP.
    Here is my configuration:
    options.pptpd
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd

    My pptpd.conf is the same as your sample.

    Here is my poptop message:
    Mar 29 12:22:09 server pptpd[7844]: CTRL: Starting call (launching pppd, opening GRE)
    Mar 29 12:22:09 server pppd[7845]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
    Mar 29 12:22:09 server pppd[7845]: pppd 2.4.4 started by root, uid 0
    Mar 29 12:22:09 server pppd[7845]: Using interface ppp0
    Mar 29 12:22:09 server pppd[7845]: Connect: ppp0 /dev/pts/1
    Mar 29 12:22:39 server pppd[7845]: LCP: timeout sending Config-Requests
    Mar 29 12:22:39 server pppd[7845]: Connection terminated.
    Mar 29 12:22:39 server pppd[7845]: Modem hangup
    Mar 29 12:22:39 server pppd[7845]: Exit.
    Mar 29 12:22:39 server pptpd[7844]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Mar 29 12:22:39 server pptpd[7844]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

    Please help me.
    The error number in my XP is 619.
    I am using CentOS 5 64-bit.

    Thank you

  25. Jazzmaster on 06 Apr 2008 at 2:40 am #

    Hi Ryan!

    Thanks for this page and your efforts – greatly appreciated thus far.

    I have a problem with connection to my work LAN.

    My home system is CentOS 5.1 with an ADSL router into the ISP (Talktalk in the UK) and then to the Internet; therefore ppp, pptp and pptpd are all installed. The output of "uname -a" is:
    Linux localhost.localdomain 2.6.18-53.1.14.el5xen #1 SMP Wed Mar 5 12:39:19 EST 2008 i686 athlon i386 GNU/Linux

    I noticed that my newly installed CentOS system does not have the /etc/pptp.config and /etc/ppp/options.pptpd files. Can you please list the files that need to be modified, together with the other needed configurations?

    I need to get this to work at all costs, please help!

    Jazzmaster

  26. ryan on 06 Apr 2008 at 2:54 pm #

    Hi Jazzmaster

    The pptp.config and options.pptpd files are installed once you have installed the pptpd RPM package. Ensure that you have installed this package, either through my yum repo as outlined at the beginning of the tutorial or by getting it off the poptop sourceforge site.

    Cheers

    Ryan

  27. ryan on 06 Apr 2008 at 3:00 pm #

    Hi D1L4

    This looks like an error with the GRE tunnel being set up. Can you verify that GRE is correctly forwarded to your VPN server from the Internet?

    Cheers

    Ryan

  28. Joe on 17 Apr 2008 at 8:20 am #

    Hi

    Can someone please explain to me how to configure a POPTOP VPN server on a Linux VPS?

    This is my first time having to use Linux

    I don't understand that IP address bit. What IP address do I need to use?

    On my VPS I have only 2 IP addresses.

    Please advise.

    Thank you

  29. ryan on 20 Apr 2008 at 1:52 am #

    Hi Joe

    The IP address to use should be in a private address range. When a client connects to the VPN server, it will make a new interface ppp0 on the server with an address specified in the “local-ip” line.

    I'm not exactly sure what you are trying to achieve with your setup, to be honest. Having a VPN server outside of your network will only give you a secure connection to that server. You would normally use a VPN server as a gateway into the private network. If you are after setting up an encrypted tunnel between the VPS and yourself, there are other solutions around, such as using SSH tunnels. Unless you are using the VPS as a server to connect several clients from remote sites together, but keep in mind that PPTP is really only meant for a road-warrior to connect back to HQ. There are better solutions around to create tunnels between branch offices etc… Maybe have a look at freeSWAN.

  30. rahul on 10 May 2008 at 9:34 pm #

    Hello Everyone,

    I would like to tell you that this is the first time I am using POPTOP
    in CentOS 5.1, but my ppp0 interface can't be enabled; when I use the 'route -n' command it doesn't show my ppp0 interface. Please solve my problem, I'd be really thankful to you.

    Rahul sagar

  31. ryan on 11 May 2008 at 8:23 pm #

    Hey Rahul

    The ppp0 interface will come up when a client connects. If this isn’t happening when a client is connecting, post the logs relating to poptop in /var/log/messages.

    Cheers

    Ryan

  32. Shawon on 11 Jun 2008 at 9:18 am #

    Is it possible to use Poptop to route all the traffic to the outside world? That means, can I use the PPTP server as my Internet gateway? Or is it just for accessing the private network securely?

    Thanks.

  33. ryan on 11 Jun 2008 at 9:34 pm #

    Hi Shawon

    You can route everything through the PPTP server and through your personal Internet connection if you wish. You first need to set up the PPTP server on your gateway device to NAT the addresses you are using for your VPN clients. If it is in the same subnet, then this shouldn't be an issue. Secondly, instead of unticking "Use default gateway on remote network", leave that ticked.

  34. Chris on 22 Jun 2008 at 10:08 am #

    Hmmm. I ran into this with a Core2 Duo system running CentOS 5.1 x86_64, kernel 2.6.18-53.1.21.el5

    The Windows client immediately terminates the connection with a 619 error.

    Is there a 64 bit specific version?

    Jun 21 11:10:55 www pptpd[1205]: CTRL: Client 1.2.3.4 control connection started
    Jun 21 11:10:55 www pptpd[1205]: CTRL: Starting call (launching pppd, opening GRE)
    Jun 21 11:10:55 www pppd[1206]: /usr/lib/pptpd/pptpd-logwtmp.so: wrong ELF class: ELFCLASS32
    Jun 21 11:10:55 www pppd[1206]: Couldn’t load plugin /usr/lib/pptpd/pptpd-logwtmp.so
    Jun 21 11:10:55 www pptpd[1205]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Jun 21 11:10:55 www pptpd[1205]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Jun 21 11:10:55 www pptpd[1205]: CTRL: Client 1.2.3.4 control connection finished

  35. Chris on 22 Jun 2008 at 10:32 am #

    Dang,

    Hate following up on my own post, but turning off the wtmp logging in /etc/pptp.conf fixed it.

  36. Jeff on 19 Jul 2008 at 4:17 pm #

    Hi Ryan,

    Thanks for great info.

    I have installed pptpd on a VPS server through a host. Do you know how I find and configure my local IP address? I am stumped.

    Cheers

  37. Jeff on 23 Jul 2008 at 1:57 am #

    # ifconfig

    returns 127.0.0.1 only

    Can I use this as the local server address?

  38. Steven on 14 Aug 2008 at 10:08 am #

    Hi,
    Sure I have missed something obvious. I ran yum install ppp and got what Rahmat got above, so I have assumed I already have ppp installed; a "yum list installed | grep 'ppp'" confirmed it is in the installed list. So I continued with your instructions but the changes to iptables wouldn't work: interface ppp0 not found, or something to that effect. Sure enough, when I check ifconfig I only have two interfaces, eth0 and lo. Is there something I need to do to get the ppp service running?

    Steven

  39. agit on 28 Aug 2008 at 1:53 pm #

    Nice article, and all works fine for me :)

    And just add some iptables rules like this:

    iptables -A INPUT -i ppp0 -j ACCEPT
    iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
    iptables -A INPUT -i eth0 -s 192.168.10.0/24 -j ACCEPT
    iptables -A FORWARD -i eth0 -s 192.168.10.0/24 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -i eth0 -p gre -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    /etc/init.d/iptables save

    And then change /etc/sysctl.conf like this:

    net.ipv4.ip_forward=1
    kernel.msgmnb=65536
    kernel.msgmax=65536
    kernel.shmmax=68719476736
    net.ipv4.conf.default.rp_filter=1
    kernel.sysrq=0
    net.ipv4.conf.default.accept_source_route=0
    kernel.shmall=4294967296
    net.ipv4.tcp_syncookies=1
    kernel.core_uses_pid=1

    one more, thanks Ryan for good article ^_^

  40. DennyHalim.com: Linux Basics on 29 Aug 2008 at 6:20 pm #

    [...] poptop/pptpd on centos http://blog.doylenet.net/?p=17 [...]

  41. ryan on 01 Sep 2008 at 12:25 am #

    Sorry for some of the late replies guys.

    First, Jeff, depending on how your hosting provider provides their VPS, you might not be able to run a VPN. I know a lot of hosts run Virtuozzo virtualisation and I don't think this will work for you, unfortunately. Also from your ifconfig output, it looks like you can't modify your ethernet interface.

    Steven, the ppp0 interface will only be up once you connect to the VPN. As long as the address range that you are using on your VPN is already trusted or you don’t actually use iptables on the server anyway, you can omit that section.

    Agit, cheers. Glad you found it helpful and thanks for the additions.

    Ryan

  42. Ash on 01 Oct 2008 at 6:06 am #

    Hi ryan, I can't access the Internet through the VPN server. I have set up localip to be that of eth0, which is a public IP (X.20.4.26), and remoteip is that of eth0:1, which is also a public IP (X.20.26.209). I have allowed TCP port 1723 and protocol 47 through iptables. And yet I can't access the Internet through the VPN. After I connect to it, all I can ping is the eth0 IP. I can't ping other (public) IPs like x.20.26.210 which are assigned to eth0:2 etc. Is there anything else I need to do to be able to access the Internet through the VPN? Please let me know. Thanks.

  43. walterwn on 25 Oct 2008 at 11:24 am #

    iptables -A INPUT -i ppp0 -j ACCEPT
    iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

    To accept multiple connections:

    iptables -A INPUT -i ppp+ -j ACCEPT
    iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT

  44. Shahab on 22 Jan 2009 at 6:32 am #

    Thanks Ryan, this is a really good guide!
    I’ve used this to give internet access to my clients:
    http://www.aminehaddad.com/2008/11/how-to-setup-poptop-pptpd-vpn-server-on-linux

    I’m now happy with my very own vpn server :)

  45. Admin on 22 Jan 2009 at 7:42 pm #

    The same problem as Ash.

  46. Lord Analyst on 28 Feb 2009 at 12:49 am #

    Hello, I've searched over the Internet for a solution and posted on many websites but no one answers my question, so I was wondering if you could shed any light. I'm running CentOS on a VPS; I followed your tutorial, yet when I start pptp and attempt to connect I get these errors in /var/log/messages

    Feb 19 15:24:56 SERV pptpd[32764]: CTRL: Client 87.132.61.71 control connection started
    Feb 19 15:24:56 SERV pptpd[32764]: CTRL: Starting call (launching pppd, opening GRE)
    Feb 19 15:24:56 SERV pppd[32765]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Feb 19 15:24:56 SERV pppd[32765]: This system lacks kernel support for PPP. This could be because the PPP kernel module could not be loaded, or because PPP was not included in the kernel configuration. I$
    Feb 19 15:24:56 SERV pptpd[32764]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and$
    Feb 19 15:24:56 SERV pptpd[32764]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Feb 19 15:24:56 SERV pptpd[32764]: CTRL: Client 87.132.61.71 control connection finished

    Can you shed any light?

  47. ryan on 28 Feb 2009 at 1:39 am #

    Hi Lord Analyst

    This is because PPP has (probably intentionally) not been compiled into the kernel and is not available as a kernel module. As far as I am aware, Virtuozzo has a single kernel that is shared by all virtual machines, so you won't be able to touch that, unfortunately. Virtuozzo seems to be one of the main VPS solutions that I see around, so check if your provider is using that. If you have complete control over your VPS and its kernel, then you would be able to install or build the required PPP module for it.

  48. Fahim on 02 May 2009 at 1:23 pm #

    Hi Ryan,

    I get this error, do I need to recompile my kernel, is there any way to avoid this?


    pptpd[9807]: CTRL: Starting call (launching pppd, opening GRE)
    pppd[9818]: This system lacks kernel support for PPP. This could be because#012the PPP kernel module could not be loaded, or because PPP was not#012included in the kernel configuration. If PPP was included as a#012module, try `/sbin/modprobe -v ppp'. If that fails, check that#012ppp.o exists in /lib/modules/`uname -r`/net.#012See README.linux file in the ppp distribution for more details.
    pptpd[9807]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    pptpd[9807]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

    Can you help?

    Thanks!
    Fahim

  49. ryan on 02 May 2009 at 2:33 pm #

    Hi Fahim

    You shouldn't need to completely recompile your kernel. Firstly, try what pppd says: do a modprobe ppp and then lsmod | grep ppp to see if it's loaded. If it is not loaded, depending on your distribution, you might be able to download the ppp kernel module for your running kernel. Finally, if your distribution does not have a precompiled kernel module, you can download the kernel-devel for your running kernel (this should be available using your package manager) and manually compile the kernel module. Hope this info helps.

    Cheers
    Ryan

  50. Fahim on 03 May 2009 at 3:40 pm #

    Hi Ryan,

    Thanks for the help; modprobe says it's not found. It's a CentOS 5.2 VPS.

    # modprobe ppp
    FATAL: Module ppp not found.

    # uname -r
    2.6.18-028stab060.8

    It's a VPS; will that affect anything in my compilation of the module for the kernel?

    Thanks!
    Fahim

  51. ryan on 04 May 2009 at 1:24 pm #

    Hi Fahim

    There have been others who have had problems using a VPS for their VPN. Virtualisation software such as Virtuozzo uses a single kernel for all the virtual machines on that physical server. If this is the case, then I doubt that you will be able to install kernel modules, let alone recompile the running kernel. If the virtualisation technology used does not have a shared kernel and you have root access to every aspect of the VPS, then you should be able to recompile the kernel with ppp support. Seeing as the default CentOS 5 kernel does normally include PPP, I'm guessing that you might be running Virtuozzo.

  52. Fahim on 05 May 2009 at 6:06 am #

    Hi Ryan,

    Yes, my VPS doesn't support loading modules into the kernel and gives a permission denied message. What are my other options in such a case? Will openvpn work? I just want all my traffic to go through that VPS, irrespective of the type of traffic: web/ssh/ftp, everything.

    Thanks!
    Fahim

  53. kenby on 04 Jun 2009 at 10:55 pm #

    Hi,
    everything is fine, I can also connect to my VPN using the Windows client, but the problem is that if I uncheck “use default gateway on remote computer” then my internet is without the tunnel, and if I check it then I have no internet connection. By the way, I cannot run the following commands:
    iptables -A INPUT -i $external_interface -p tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -i $external_interface -p gre -j ACCEPT

    Should I replace “$external_interface” with something else?

    Thanks

  54. kenby on 04 Jun 2009 at 11:11 pm #

    by the way the error is :
    iptables -A INPUT -i $external_interface -p tcp --dport 1723 -j ACCEPT
    Warning: weird character in interface `-p' (No aliases, :, ! or *).
    Bad argument `tcp'
    Try `iptables -h' or 'iptables --help' for more information.

  55. ryan on 05 Jun 2009 at 12:14 am #

    Hi Kenby

    The $external_interface refers to the interface that will be accepting connections to your server (e.g. eth0 / eth1). This guide was originally written with the intention of using the VPN to tunnel only into the remote network and not to tunnel your entire internet connection through it. It can be done though if you enable IP forwarding and NAT to your VPN server’s external IP address. To enable IP forwarding, type the following into the terminal: echo 1 > /proc/sys/net/ipv4/ip_forward. To NAT the IP of the PPTP client (the computer which you are VPNing from) you can do this via iptables, e.g.: iptables -t nat -A POSTROUTING -o $external_interface -j MASQUERADE. You may also have to allow some forwarding rules depending on whether your iptables policies are set up to drop.

  56. kenby on 16 Jun 2009 at 11:41 pm #

    @ryan thanks for your help, but I still have no internet tunnel on the VPN. The VPN is connecting but there is no tunnel for the internet; actually I still have internet, but the internet is not private and my IP is not changing to the server’s IP! What do you think about this issue?

  57. Michal on 29 Jun 2009 at 4:00 am #

    Hi,
    I followed this article and got it working but can’t access the internet from this connection.

    1 - my primary goal out of this is to connect via VPN to my VPS server in a different country
    Linux SERVER 2.6.18-92.1.18.el5 #1 SMP Wed Nov 12 09:30:27 EST 2008 i686 i686 i386 GNU/Linux
    this part is working and i’m able to connect to it.

    2 - I need this specifically to route all traffic from the remote computer via this and make this REMOTE SERVER act as a GATEWAY. I have root access and can’t make any changes. Currently this is a VPS server running with one public static IP.

    I’m sure my issue is somewhere in iptables not forwarding packets from the internal virtual ppp adapter out to the world. When I do ipconfig on the remote Windows machine while connected, I get an IP and subnet, but as the default gateway I’m getting 0.0.0.0.

    Can anyone please help me figure out how to route traffic out via this VPN connection? I need all traffic routed out. (On the Windows remote PC connecting via VPN I have “use this connection’s gateway” checked!)

    Thanks

  58. ryan on 29 Jun 2009 at 9:21 pm #

    Hi, this guide was not initially intended to route the Internet on the PPTP server, but as long as you have IP forwarding enabled and NAT set up, you should be able to route through the server. To enable IP forwarding, at the terminal type: echo 1 > /proc/sys/net/ipv4/ip_forward. To NAT your internal IP address to the server’s external IP address, use the following iptables command: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. This assumes that eth0 is the interface with the external IP address.

    Also, in the options of the Windows PPTP client, you need to make sure that Use default gateway on remote network is ticked.

    Ryan
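    As an added example that is not part of the original post or of Ryan’s replies, the shell function below pulls together the forwarding and NAT setup described in the two answers above (comments 55 and 58) and emits the complete rule set for one external interface. It also refuses to run when the interface argument is missing or empty, which is exactly what produced kenby’s “Bad argument `tcp'” error earlier in the thread: an unset $external_interface made iptables parse “-p” as the interface name. Assumptions that are mine rather than the post’s: the external interface is passed as the first argument, pppd interfaces match ppp+, clients come from the 10.0.0.0/24 LAN range used in the post, and the ESTABLISHED,RELATED restriction on the return path plus the source-restricted MASQUERADE are hardening choices the post does not make.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the sysctl and
# iptables commands that let a Poptop server route its PPTP clients' Internet
# traffic. Assumptions (not from the post): external interface given as $1,
# pppd interfaces match "ppp+", clients sit in the post's 10.0.0.0/24 range.
set -eu

# Emit the rule set for the given external interface. ${1:?} aborts with a
# message when the argument is missing or empty; an empty interface silently
# turned "iptables -A INPUT -i $external_interface -p tcp ..." into
# "-i -p tcp", which iptables reported as "Bad argument `tcp'".
pptp_gateway_rules() {
    ext="${1:?usage: pptp_gateway_rules <external_interface>}"
    cat <<EOF
# echo 1 > /proc/sys/net/ipv4/ip_forward is lost on reboot; set it with
# sysctl now and persist it in /etc/sysctl.conf as well.
sysctl -w net.ipv4.ip_forward=1
grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# PPTP control channel (TCP/1723) and GRE data channel, external interface only.
iptables -A INPUT -i $ext -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $ext -p gre -j ACCEPT
# Forward client traffic out, but only let replies back in over the tunnel.
iptables -A FORWARD -i ppp+ -o $ext -j ACCEPT
iptables -A FORWARD -i $ext -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT only the VPN/LAN range to the server's external address, not everything.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o $ext -j MASQUERADE
EOF
}

# Print the commands for review; apply them as root with:
#   pptp_gateway_rules eth0 | sh
pptp_gateway_rules "${1:-eth0}"
```

    Run it once without piping to sh and read the output first; the sysctl line and the FORWARD rules are the two pieces that were missing for the commenters who could connect but had no Internet through the tunnel.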

  59. sipster on 04 Jul 2009 at 4:19 pm #

    Ryan,

    Is this still maintained? I notice most of the posts are old, and when I run yum I get a 404 error that it can’t find the repo.

    “Could not retrieve mirrorlist http://pptpclient.sourceforge.net/yum/stable/mirrorlist-pptp-stable-rhel$release ver error was
    [Errno 14] HTTP Error 404: Not Found
    Error: Cannot find a valid baseurl for repo: pptp-stable

    Maybe it’s not current any longer?

  60. ryan on 09 Jul 2009 at 1:26 am #

    Hi sipster

    I’m pretty sure it is still maintained. Although not needed for this tutorial unless you want to use a Linux PC to connect to the VPN, I use pptp-client with Network Manager in Ubuntu and it works fine. Maybe you could try just entering the base repo line instead of using the mirror list and see how you go.

  61. Bish on 06 Aug 2009 at 9:13 am #

    Ryan & Sipster,

    Looks like Sipster’s mirrorlist request isn’t dereferencing the variable $release . Should that not be $releasever ? From what I see in Sipster’s error message, I think there’s an added space there.

    Ryan,

    Kudos for even TRYING to debug everyone’s PPTP setup issues; it’s a big, ugly task, and all you did was provide a good walkthrough for us to duplicate what you did. You never signed on for this!

    Please do provide more walkthroughs of this nature, and don’t fear being the one-eyed man in the land of the blind (who never gets a moment’s rest). Extra kudos for maintaining your post/walkthrough in light of discovered omissions and errors — far too few ever revisit blog posts and correct them! Yay!

    I despise ‘bump’ posts like Khaemi’s in http://blog.doylenet.net/?p=17#comment-260 , and I’m surprised you answered; many find the “Solve my problem, slave” tone offensive and ignore them.

    Enough public gushing. Thanks++,
    – bish

  62. ryan on 06 Aug 2009 at 1:22 pm #

    Hi Bish

    Appreciate the comments, thanks.

  63. lin on 13 Sep 2009 at 12:41 am #

    Thanks for all your help!

    I’ve got an authentication problem: (Error Code:619).
    Could you please help me? thanks!

    my logs:

    Sep 12 23:52:19 localhost pptpd[8651]: CTRL: Client 60.240.134.99 control connection started
    Sep 12 23:52:19 localhost pptpd[8651]: CTRL: Starting call (launching pppd, opening GRE)
    Sep 12 23:52:19 localhost pppd[8652]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Sep 12 23:52:19 localhost pppd[8652]: pppd 2.4.4 started by root, uid 0
    Sep 12 23:52:19 localhost pppd[8652]: Using interface ppp0
    Sep 12 23:52:19 localhost pppd[8652]: Connect: ppp0 /dev/pts/1
    Sep 12 23:52:49 localhost pppd[8652]: LCP: timeout sending Config-Requests
    Sep 12 23:52:49 localhost pppd[8652]: Connection terminated.
    Sep 12 23:52:49 localhost pppd[8652]: Modem hangup
    Sep 12 23:52:49 localhost pppd[8652]: Exit.
    Sep 12 23:52:49 localhost pptpd[8651]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Sep 12 23:52:49 localhost pptpd[8651]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Sep 12 23:52:49 localhost pptpd[8651]: CTRL: Client 60.240.134.99 control connection finished

  64. ryan on 21 Sep 2009 at 11:01 am #

    Hi lin, you might have some issues with GRE packets not flowing between your client and the server. Make sure that the GRE protocol is allowed between the server and the client. It could be at either end, so maybe use tcpdump to check the traffic between the client and the server. If you use tcpdump -i eth0 -s 0 -w /tmp/tcpdump.pcap this will dump the contents to a file that you can view with Wireshark later.

  65. Michael on 22 Oct 2009 at 6:55 am #

    Hi, just wanted to say thanks for the helpful article and I wanted to see if anyone else has had this issue. The VPN works great except for when a client disconnects. These errors appear in the log right after the disconnect.

    My Log:
    Oct 21 13:04:36 DEV pptpd[19781]: CTRL: EOF or bad error reading ctrl packet length.
    Oct 21 13:04:36 DEV pptpd[19781]: CTRL: couldn’t read packet header (exit)
    Oct 21 13:04:36 DEV pptpd[19781]: CTRL: CTRL read failed
    Oct 21 13:04:36 DEV pppd[19784]: Modem hangup
    Oct 21 13:04:36 DEV pppd[19784]: Connection terminated.
    Oct 21 13:04:36 DEV pppd[19784]: Exit.

    Any thoughts ? Thanks in advance

  66. ryan on 24 Oct 2009 at 11:46 am #

    Hi Michael, does this cause pptpd to die or can it still accept VPN clients after the client closes the connection? Also, which VPN client are you using, the default Windows client? It looks like it is terminating the connection successfully but not gracefully. To be honest, I haven’t used poptop for a while (I use 2k8 RRAS now) so I can’t confirm if this is correct.

  67. Kay Dub on 28 Oct 2009 at 1:31 pm #

    Hey Ryan,

    I’ve got your setup but I’ve never been able to get past a stubborn timeout issue. I can’t nail down exactly how much time needs to elapse, but if you don’t send any network traffic through the VPN (on my configuration) for somewhere between 2-5 min, the next time you try to access something in the VPN it just times out. Is there any setting in the VPN I can try, or does it have to be something else in my configuration (i.e. maybe a router in the path of the VPN is misconfigured, etc.)?
    As a brutal hack, I just do:
    ping -t some_server_in_VPN
    to “keepalive” the connection…ugh.
    Any thoughts?
    Thanks…

  68. ryan on 21 Dec 2009 at 10:29 pm #

    Hi Kay

    Sorry its been a while since I’ve gone through my comments. My initial guess would be that a router doing any kind of stateful inspection may not properly support a PPTP VPN.

  69. Michael Auerswald » VPN on VPS on 04 Feb 2010 at 9:53 am #

    [...] Installing PPTPD on CentOS 5 http://blog.doylenet.net/?p=17 [...]

  70. Need help with PPTPD on centos 5 server - Hosting Blog on 13 Feb 2010 at 9:43 am #

    [...] The installation guide is located here: http://blog.doylenet.net/?p=17 [...]

  71. Will on 16 Mar 2010 at 4:50 am #

    Thanks so much! I finally got my VPN server working.

    Just wanted to add that the VPN client might have trouble connecting if they are running a local firewall like Symantec.

  72. Setting up PPTP/GRE Gateway behind NAT using IPTables | HeXagon's Hut on 27 Mar 2010 at 12:54 pm #

    [...] you need help getting ppp and pptpd installed, check out this blog post, however substitute the networking rules for the ones listed here. [...]

  73. Kristjan on 21 Oct 2010 at 11:58 pm #

    Thanks so much! This did help me a lot. :-)

  74. How to install PPTP VPN Server on CentOS on 28 Oct 2010 at 3:42 am #

    [...] If you Google a bit harder, you would have found an updated tutorial plus a post on apparently a less common issue in setting it up too. Not trying to be mean. Just [...]

  75. uunmenet on 13 Apr 2011 at 7:06 pm #

    HI all,

    Trying to get pptp working with PAM, but I’m stuck; can anyone help? Using the pap and chap authentication files it works fine, but it doesn’t work with PAM. Do the versions below support PAM authentication?

    pppd version: 2.4.5
    pptp Version: 1.7.2

    OS: Centos 5.5 i386

  76. Jaime Vidal on 12 May 2011 at 8:04 am #

    Ryan:

    Thanks for this great manual!!
    Works perfectly!!!

    I tried different “how to’s” with mixed results, but your manual explains it step by step, and I know how much work that means.

    Greetings from Santiago – Chile!!!

    JV

  77. Sam on 27 Jul 2011 at 5:24 am #

    Hello Ryan,

    I have installed pptpd
    I even confirmed with this command

    [root@host init.d]# rpm -qa | grep pptpd
    pptpd-1.3.4-1

    But I cannot find the pptp.conf file to edit.

    I even tried searching.
    [root@host pptpd]# find / -name "pptp.conf"
    [root@host pptpd]#

    What can cause this?
    Please help.

    I am novice.

    Sam

  78. Sam on 27 Jul 2011 at 5:31 am #

    Just to clarify. I even did the repo thing but still cannot find the config.
    :(

  79. Sam on 27 Jul 2011 at 5:33 am #

    Please forgive me.
    I found it.

  80. Sam on 27 Jul 2011 at 6:04 am #

    Hello Ryan,

    I want to use my VPN for tunneling so that all my internet traffic is passed through my server. This will help me bypass the restrictions by the local ISP in the UAE.

    My problem is that when I am connected to the VPN it does not change my IP address from my local IP address to the internet while browsing.

    I can open webpages if I UNCHECK “use default gateway on remote network”.
    But then my IP address remains the same as my computer’s.

    I cannot open webpages if I UNCHECK “use default gateway on remote network”.

    Please help in this point. Rest i figured out

    Thanks
    Sam

  81. Amjad Iqbal on 30 Jul 2011 at 4:10 am #

    Wow, that’s an awesome post.

    I am using RedHat 5 on VMware.
    pptpd is working fine, but the same account (ID amjad, password amjad123) connects if I try it from another XP on VMware, meaning one ID works on every one of my VMware XP machines. May I ask the reason why?

    Another issue is that if I try to connect to pptp from my HTC cell phone, it shows this error:

    GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

    CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

    my iptables:
    iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-port 3128

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A INPUT -i eth0 -p tcp –dport 1723 -j ACCEPT
    iptables -A INPUT -i eth0 -p gre -j ACCEPT
    iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

    options.pptpd
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd
    ms-dns Xx.XX.XxX.XX
    ms-dns XX.Xx.XX.XX

    Thanks in advance for the help.
    Waiting . . .
