How to install and configure a PPTP VPN server on CentOS 7 Linux
In our series of VPN technology tutorials, we now show you how to install and configure a PPTP VPN server on CentOS 7 Linux.
PPTP (Point-to-Point Tunneling Protocol) is a traditional protocol for implementing VPNs; because of its known security issues it is rarely used by network administrators today.
Still, this type of VPN is the most straightforward to set up on CentOS Linux, and if you want a VPN with the least configuration and time, you are in the right article.
Here is our environment:
OS: CentOS 7 linux on VMWare
Firewall: firewalld
SElinux: enforcing
IP address: 192.168.3.128
1- Install ppp
PPTP connections on Linux rely on the ppp and pptpd packages, so first we install these packages and then configure them to meet our needs. Run the following commands one by one:
# yum install ppp
# cd /usr/local/src
# wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.4.0-1.el6.x86_64.rpm
# rpm -Uhv pptpd-1.4.0-1.el6.x86_64.rpm
2- Configure pptpd
Now we configure pptpd. First, rename the original pptpd configuration file:
# mv /etc/pptpd.conf /etc/pptpd.conf.orig
Then open /etc/pptpd.conf with your preferred editor. Here we use Vim:
# vim /etc/pptpd.conf
and put these lines in it:
option /etc/ppp/options.pptpd
logwtmp
localip 10.10.10.1
remoteip 10.10.10.2-254
Also rename the original options.pptpd file:
# mv /etc/ppp/options.pptpd /etc/ppp/options.pptpd.orig
Then open /etc/ppp/options.pptpd and put the following lines in it:
# vim /etc/ppp/options.pptpd
name pptpd
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noauth
Now we create a username and password for our users. Open /etc/ppp/chap-secrets and add your desired username and password in this format:
USERNAME test PASSWORD test
3- Configure routing and firewall
For our server to route IP packets correctly, we must enable kernel IP forwarding. Run this command:
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
then load the setting so it takes effect now:
# sysctl -p
Now we add some firewall rules to allow GRE traffic, open the PPTP control port and enable NAT:
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-port=1723/tcp
# firewall-cmd --reload
If you use CSF, create a file named /etc/csf/csfpre.sh and put these lines in it, then open port 1723 and reload CSF:
Note: remember to replace "eth0" with your own interface name.
# iptables -A INPUT -p gre -j ACCEPT
# iptables -A OUTPUT -p gre -j ACCEPT
# iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
If you use iptables, just run the commands above and then open port 1723. Finally, make them permanent with iptables-save and restart iptables.
4- Configure SElinux
Because we prefer to keep SELinux in enforcing mode, we must set the proper SELinux boolean; otherwise it denies PPTP connections. Run this command:
# setsebool -P daemons_use_tty 1
5- Start services
Finally, start and enable the service:
# systemctl start pptpd
# systemctl enable pptpd
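Before starting pptpd it is worth checking that the address plan from steps 2 and 3 is self-consistent. The following script is an added example, not part of this tutorial: it parses localip and remoteip from a pptpd.conf (falling back to the values above as constructed input) and checks that the server address lies outside the client pool and that the pool sits inside the 10.10.10.0/24 subnet the FORWARD and MASQUERADE rules match on.

```shell
#!/bin/sh
# Added example, not from the tutorial: sanity-check the address plan in a
# pptpd.conf before starting pptpd. localip must lie outside the remoteip pool,
# and the pool must sit inside the /24 the FORWARD/MASQUERADE rules match on.

# ip_to_int 10.10.10.2 -> 168430082, so addresses can be compared as numbers
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# pool_bounds "10.10.10.2-254" -> "<first> <last>" as integers;
# pptpd reads A.B.C.D-E as the addresses A.B.C.D through A.B.C.E
pool_bounds() {
    first=${1%-*}; prefix=${first%.*}; last_octet=${1##*-}
    echo "$(ip_to_int "$first") $(ip_to_int "$prefix.$last_octet")"
}
# pool_size POOL -> number of addresses, i.e. the maximum concurrent clients
pool_size() {
    set -- $(pool_bounds "$1")
    echo $(( $2 - $1 + 1 ))
}
# in_pool POOL IP -> succeeds when IP falls inside POOL
in_pool() {
    set -- $(pool_bounds "$1") "$(ip_to_int "$2")"
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}
# same_slash24 IP1 IP2 -> succeeds when both share their first 24 bits
same_slash24() {
    [ $(( $(ip_to_int "$1") >> 8 )) -eq $(( $(ip_to_int "$2") >> 8 )) ]
}
# check_plan LOCALIP POOL NAT_NET -> 0 when consistent, 1 with a reason on stderr
check_plan() {
    in_pool "$2" "$1" && { echo "localip $1 is inside pool $2" >&2; return 1; }
    first=${2%-*}; last="${first%.*}.${2##*-}"
    same_slash24 "$first" "$3" && same_slash24 "$last" "$3" ||
        { echo "pool $2 is not covered by $3/24" >&2; return 1; }
    echo "ok: $(pool_size "$2") client addresses, server $1, NAT $3/24"
}

# Pass your /etc/pptpd.conf as $1; without one, fall back to the tutorial's
# constructed values so the script runs stand-alone.
CONF=${1:-/dev/null}
LOCALIP=$(awk '$1=="localip"{print $2}' "$CONF");   : "${LOCALIP:=10.10.10.1}"
REMOTEIP=$(awk '$1=="remoteip"{print $2}' "$CONF"); : "${REMOTEIP:=10.10.10.2-254}"
check_plan "$LOCALIP" "$REMOTEIP" 10.10.10.0
```

Run it as `sh check_plan.sh /etc/pptpd.conf` on the server; a non-zero exit with a reason on stderr means the pool, the server address or the NAT subnet in the firewall rules need to be adjusted before clients connect.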
How to make all clients communicate with each other, including the clients within the local network?