PPTP Server Installation in CentOS 5


I am writing this document on how to build a Linux Point-to-Point Tunneling Protocol (PPTP) server using Poptop. This allows roaming users to connect to their corporate network from anywhere on the Internet securely and inexpensively. It supports Windows 95/98/Me/NT/2000/XP PPTP clients and Linux PPTP clients. The requirements are: -

CentOS 5
kernel-2.6.18-8.el5
ppp-2.4.4-1.el5

Kernel version 2.6.15 or above has MPPE built in, which is required for MSCHAPv2. CentOS 5 ships kernel version 2.6.18, so you do not need to install a separate MPPE module. CentOS 5 also comes with ppp-2.4.4-1.el5, which is built with MPPE support enabled.

1. Run the command below to test whether your kernel supports MPPE; you should get “ok” back: -

modprobe ppp-compress-18 && echo ok

2. Download the RPM file pptpd-1.3.4-1.rhel5.1.i386.rpm from: -

http://poptop.sourceforge.net/yum/stable/packages/

3. Install the RPM by running this command: -

rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm

4. Change the following file /etc/ppp/options.pptpd as below: -

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd

5. Change the following file /etc/pptpd.conf as below: -

option /etc/ppp/options.pptpd
logwtmp
localip 192.168.2.1
remoteip 192.168.2.11-15

6. Add the following username (johndoe) and password (passwrd) to /etc/ppp/chap-secrets as below: -

# Secrets for authentication using CHAP
# client server secret IP addresses
johndoe pptpd passwrd *

7. Run the following command to enable pptpd to start automatically in runlevels 3 and 5: -

chkconfig --level 35 pptpd on

8. Now, you can start the pptpd service as below: -

service pptpd start

9. For pptpd to route traffic, IP packet forwarding must be enabled. Edit /etc/sysctl.conf and set the line as below: -

net.ipv4.ip_forward = 1

10. To apply the setting immediately, run the following command: -

sysctl -p
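
Before starting pptpd, it is worth confirming that the two files from steps 4 and 5 really enforce MS-CHAPv2 with 128-bit MPPE and seeing how many concurrent clients the remoteip range provides. The POSIX shell script below is an added example, not part of the original post; it runs against constructed copies of the files above, and check_options and pool_size are names chosen here.

```shell
#!/bin/sh
# Added example: sanity-check options.pptpd and pptpd.conf before "service pptpd start".

# Options that must all be present to refuse weak PPP authentication and
# require MS-CHAPv2 with 128-bit MPPE.
REQUIRED="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# check_options FILE -> exit 0 if every required option is set (commented
# lines such as "#refuse-pap" do not count); otherwise print what is missing.
check_options() {
    missing=""
    for opt in $REQUIRED; do
        awk -v o="$opt" '$1==o {f=1} END {exit !f}' "$1" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# pool_size FILE -> number of client addresses in the remoteip range.
# Handles the a.b.c.X-Y shorthand used in the post (e.g. 192.168.2.11-15 -> 5).
pool_size() {
    range=$(awk '$1=="remoteip" {print $2}' "$1")
    case "$range" in
        *-*) first=${range%-*}; first=${first##*.}; last=${range##*-}
             echo $(( last - first + 1 )) ;;
        "")  echo 0 ;;
        *)   echo 1 ;;
    esac
}

# Constructed sample files matching steps 4 and 5 (not read from /etc).
TMP=$(mktemp -d)
cat > "$TMP/options.pptpd" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
EOF
cat > "$TMP/pptpd.conf" <<'EOF'
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.2.1
remoteip 192.168.2.11-15
EOF
check_options "$TMP/options.pptpd" && echo "auth options ok"
echo "client slots: $(pool_size "$TMP/pptpd.conf")"
```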


51 Comments

  1. Planet Malaysia
    Nov 06, 2007 @ 23:11:58

    What is localip 192.168.2.1 & remoteip 192.168.2.11-15?

  2. wingloon
    Nov 06, 2007 @ 23:39:26

    Planet Malaysia, localip is the PPTP server IP address and remoteip is the PPTP client IP address.

  3. Planet Malaysia
    Nov 06, 2007 @ 23:57:14

    Clients connect while roaming or overseas. How do you know the range of IP addresses? So it is open to all ranges of IP? hehhe

  4. wingloon
    Nov 07, 2007 @ 00:13:55

    Yes, it is needed to allow any IP addresses to connect. It’s kind of a headache if you are going to enter the IP addresses of your roaming users.

  5. Bart
    Nov 26, 2007 @ 23:54:41

    In your article, you forgot the yum install pptpd part, didn’t you? You only installed the yum repository description.

  6. wingloon
    Nov 27, 2007 @ 23:21:14

    Bart, thanks for visiting my blog. This article is not based on yum for the installation. Please read carefully… thanks, :)

  7. Gatekeeper
    Apr 13, 2009 @ 12:59:32

    If you, for example, have a server at a colo, how could you make it so that the data uses the primary IP? Similar to a Windows VPN that routes all traffic through the VPN server.

  8. wingloon
    Apr 13, 2009 @ 21:38:52

    Gatekeeper, with the setup in this blog post, your traffic is all routed through this PPTP VPN server.

  9. newbie
    Apr 20, 2009 @ 05:56:14

    Hi wingloon.. I already did as you posted on your blog but.. it’s not working for me. It can connect from Windows to the CentOS server, but it seems there is no Internet connection.. how? Can you help me? hu hu

  10. wingloon
    Apr 20, 2009 @ 20:01:38

    Gatekeeper & newbie, if you need to route Internet traffic, you need to add an iptables rule as below: -

    iptables -t nat A POSTROUTING -o -j MASQUERADE

  11. newbie
    Apr 21, 2009 @ 01:40:25

    When I type that, it says this:

    [root@PTY12193 ~]# iptables -t nat -A POSTROUTING -o -j MASQUERADE
    Warning: wierd character in interface `-j’ (No aliases, :, ! or *).
    Bad argument `MASQUERADE’
    Try `iptables -h’ or ‘iptables –help’ for more information.
    [root@PTY12193 ~]#

    lol.. any suggestion? I’m really a noob in Linux.. sorry,

  12. wingloon
    Apr 21, 2009 @ 10:11:12

    newbie, my mistake. Below is the command, but replace ‘eth0’ with your output interface.

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  13. Behzad
    Apr 30, 2009 @ 07:05:39

    Hello,

    I have installed the service, but when I try to connect to it from my computer, I see error 619 on my VPN connection page. What is wrong with it?

    thank you

  14. Ali
    May 02, 2009 @ 01:26:10

    I did exactly this, but when I try to connect, XP disconnects during verifying username and password. PPTPD prints this in the log:

    This system lacks kernel support for PPP. This could be because the PPP kernel module could not be loaded, or because PPP was not included in the kernel configuration. If PPP was included as a module, try `/sbin/modprobe -v ppp’. If that fails, check that ppp.o exists in /lib/modules/`uname -r`/net. See README.linux file in the ppp distribution for more details.

    I googled so much but I couldn’t find anything helpful!

  15. erick
    Jun 09, 2009 @ 15:48:07

    HI,

    I can connect to the VPN Linux server from the Windows VPN client but can’t browse the Internet. Let me know what causes this?

    thanks,

  16. wingloon
    Jun 09, 2009 @ 21:54:41

    Behzad, did you start the PPTPd daemon?

    Ali, may I know which Linux distro you are using?

    erick, to browse the Internet you need to run the following command (replace ‘eth0’ with your output interface): -

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  17. Kashif Haroon
    Jun 13, 2009 @ 19:04:17

    Thanks, it works for me.

  18. Kashif Haroon
    Jun 13, 2009 @ 19:06:54

    I have a question: can a user be bound to acquire a static IP?

  19. Kashif Haroon
    Jun 13, 2009 @ 19:11:54

    I found the answer,

    by editing

  20. Jay
    Jun 27, 2009 @ 07:52:44

    I have done everything and I can connect… but it will not browse.

    I have even done the iptables. My distro is CentOS 5.3.

  21. Alexander
    Jul 07, 2009 @ 14:58:16

    Concerning error 619: the probable cause of this issue can be NAT on the client’s side. I have two Internet connections via different providers. With one of them, which uses non-routed IP addresses and NAT, the VPN connection attempt from WinXP gives exactly the same error (619), while with the other provider, which gives a routed IP address and does not use NAT, the VPN connection establishes successfully. Server settings are the same in both cases.

  22. kk
    Aug 25, 2009 @ 04:32:32

    re error 619:
    In my case, I saw in the system log “/usr/lib/pptpd/pptpd-logwtmp.so: wrong ELF class: ELFCLASS32”,
    which caused the connection to be closed. I commented out ‘logwtmp’ in /etc/pptpd.conf and my problem was solved.

  23. wingloon
    Aug 27, 2009 @ 14:11:05

    Kashif Haroon, that’s awesome.

    Alexander, you have to work on the DNAT or incoming port forwarding on the other Internet connection.

    kk, thanks for sharing the tip.

  24. Mehdi
    Oct 16, 2009 @ 03:32:03

    Hi,

    I did as you said but no connection is established!
    It seems there is an unopened door in my server :)
    I try to connect to my server by WinXP VPN connection but there is no response from my server!!!

  25. Sudatta
    Oct 20, 2009 @ 20:20:27

    Hello wingloon
    Does this support Vista clients… I tried to connect from a Vista machine… it connects fine but the connection drops in 3-4 mins.
    Thanks in advance

  26. Jay
    Nov 16, 2009 @ 12:03:45

    I am having an issue. I am using a CentOS 5.3 OpenVZ VPS.

    I cannot start the PPTPD server and when I type ‘sysctl -p’ I get this error:
    ===========================
    [root@jay ~]# sysctl -p
    net.ipv4.ip_forward = 1
    error: “Operation not permitted” setting key “net.ipv4.tcp_syncookies”
    ===========================

    Thanks in advance!

  27. jolan
    Dec 22, 2009 @ 14:54:22

    Pretty much got it to work :) thanks

    except for youtube.com, which is blocked by the Chinese government.
    However, I thought with a VPN this should be solved.

    any idea what the problem is?

    ( for the ones that need to know how to connect to it: http://doc.m0n0.ch/handbook/pptp-windows.html )

  28. kenby
    Jan 26, 2010 @ 00:46:42

    Hi, thanks for the nice article! I did everything and the VPN is fine except for one problem! After connecting, ping is fine, but the browser could not open any page! It tries to open the page but stays loading forever! I think there is some firewall inbound/outbound packet issue! Let me solve the problem!

  29. arif.zaman
    Apr 05, 2010 @ 17:41:36

    Hi,
    I have the same problem. The browser couldn’t open any page. Please help me out.

  30. wingloon
    Apr 06, 2010 @ 22:11:26

    To all, if you need to route Internet access, you need to run this command below (replace ‘eth0’ with your output interface): -

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  31. MM
    Apr 24, 2010 @ 00:17:19

    Sorry, but I don’t know:
    what is my output interface?

  32. Nasir
    May 11, 2010 @ 03:04:36

    @MM type ifconfig at the prompt to find out about the interfaces.

  33. wingloon
    May 11, 2010 @ 23:37:58

    MM, you may follow Nasir’s suggestion.

    Nasir, thank you.

  34. ejg06
    May 17, 2010 @ 03:26:00

    Thanks a lot, and unfortunately I do not have these settings in the VPS.

  35. arif.zaman
    May 20, 2010 @ 19:19:50

    Hello,
    I can initiate only one connection at a time. When I try to initiate another connection, it shows “Verifying username and password…”. I am not sure what I am doing wrong. Please help me out of this issue. Here are my configuration details:

    $ cat /etc/ppp/options.pptpd
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    #proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd

    $ cat /etc/pptpd.conf
    option /etc/ppp/options.pptpd
    #logwtmp
    localip 10.1.0.1
    remoteip 10.1.0.2-15

    $ cat /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    arif pptpd zaman *
    ####### redhat-config-network will overwrite this part!!! (begin) ##########
    ####### redhat-config-network will overwrite this part!!! (end) ############

    Thanks,
    ARIF

  36. arif.zaman
    May 24, 2010 @ 15:30:10

    Hi,
    I have built a PPTP server using Poptop as per the instructions provided by wingloon. But I can do only one connection at a time. The next connection shows the “Verifying username and password…” message. I am not sure what I am doing wrong.

    Here is my config details:

    $ cat /etc/ppp/options.pptpd
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    #proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd

    $ cat /etc/pptpd.conf
    option /etc/ppp/options.pptpd
    #logwtmp
    localip 10.1.0.1
    remoteip 10.1.0.2-12

    $ cat /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    arif pptpd zaman *
    ####### redhat-config-network will overwrite this part!!! (begin) ##########
    ####### redhat-config-network will overwrite this part!!! (end) ############

    $ sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 4294967295
    kernel.shmall = 268435456

    Please help me out of this issue.

    Thanks,
    ARIF

  37. Mike
    May 29, 2010 @ 09:58:35

    Hi wingloon,
    I have a VPS running CentOS 5.
    Trying to set up a VPN server,
    but when I type modprobe ppp-compress-18 && echo ok
    I get
    FATAL: Could not load /lib/modules/2.6.18-164.15.1.el5.028stab068.9/modules.dep: No such file or directory
    I think MPPE is not installed. May I know how do I install it?

  38. ali
    Jun 05, 2010 @ 03:58:10

    Hi wingloon
    I have a problem similar to Mike’s.
    I have a VPS with CentOS 5 and when I type modprobe ppp-compress-18 && echo ok, this error appeared: FATAL:
    Could not load /lib/modules/2.6.18-164.15.1.el5.028stab068.9/modules.dep: No such file or directory
    And this error is appended to /var/log/messages when I try to connect to the server using pptpd:
    Jun 4 15:42:00 vps pppd[22429]: This system lacks kernel support for PPP. This could be because the PPP kernel module could not be loaded, or beca$
    Jun 4 15:42:00 vps pptpd[22427]: GRE: read(fd=6,buffer=610d00,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by $
    Jun 4 15:42:00 vps pptpd[22427]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

    Please help me

  39. Muhammad Sergani
    Jul 05, 2010 @ 01:49:39

    Thanks for the writeup wingloon… I’m working on the installation on one of our CentOS 5 servers, and most definitely will say how it went.
    But I just wanted to point out that there’s an error with the link you supplied from which to download pptpd, and the correct one is as follows:

    http://sourceforge.net/projects/poptop/files/

    once again, thanks!

  40. Muhammad Sergani
    Jul 05, 2010 @ 02:54:01

    tried and failed to get it to work…
    server is CentOS 5
    client is Fedora 11

  41. Ken
    Jul 16, 2010 @ 10:57:32

    Hello,

    The page is really helpful. I tried to connect my iPhone to the PPTP server and similar errors were returned. Any idea?

    Jul 16 10:54:27 hostname pppd[9336]: /usr/lib/pptpd/pptpd-logwtmp.so: wrong ELF class: ELFCLASS32
    Jul 16 10:54:27 hostname pppd[9336]: Couldn’t load plugin /usr/lib/pptpd/pptpd-logwtmp.so
    Jul 16 10:54:27 hostname pptpd[9335]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Jul 16 10:54:27 hostname pptpd[9335]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

  42. wingloon
    Jul 19, 2010 @ 00:59:07

    Ken, you may try commenting out “logwtmp” in the /etc/pptpd.conf file.

  43. iDaemon
    Aug 02, 2010 @ 00:43:46

    wingloon

    thanks for nice article

    But I’ve a problem: no VPN is running on the server.
    My Windows 7 client can connect to the server,

    but websites or other Internet connections can’t be reached?
    It can only connect locally.

    Do you get my question? E.g. I live in Thailand, and I can only browse websites whose server is located in Thailand, but can’t browse Yahoo, CNET etc.

    Could you please advise me.

  44. bish
    Aug 11, 2010 @ 12:44:05

    @ken: the GRE “PTY read” message makes me think there’s a firewall issue there. Set up a tcpdump (maybe “tcpdump -i any proto gre”) and see if GREs are making it through. If not, it’s a simple firewall fix.

    If you fixed it, then ignore me! I just had that exact problem, and a firewall rule allowing GREs (and adding in the GRE NAT kernel mod) fixed it. All firewall, though, and not a PPTP config thing.
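
As an added example (not bish’s or the post’s own code), the shell function below prints the firewall rules a PPTP server needs, tying the MASQUERADE line from the earlier comments to the GRE point made here. It assumes eth0 is the Internet-facing interface and uses 192.168.2.8/29, the smallest block that covers the post’s 192.168.2.11-15 pool; review the output before running it as root.

```shell
#!/bin/sh
# Added example: print (do not apply) the iptables rules for a PPTP server.
# Arguments: WAN interface (the "eth0" of the MASQUERADE line) and the
# client pool in CIDR form. Output is plain iptables commands for review.
pptp_fw_rules() {
    wan="$1"; pool="$2"
    cat <<EOF
# Control channel: PPTP listens on TCP 1723.
iptables -A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT
# Data channel: GRE (IP protocol 47) carries the PPP frames. Without this,
# pptpd logs "GRE: read(...) from PTY failed" as in the comments above.
iptables -A INPUT -i $wan -p gre -j ACCEPT
# Forward only between the ppp interfaces and the WAN interface.
iptables -A FORWARD -i ppp+ -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT the VPN pool only, instead of masquerading everything that leaves $wan.
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
# If clients sit behind NAT, that NAT device also needs the PPTP conntrack/NAT
# helper (assumption: ip_conntrack_pptp / ip_nat_pptp on CentOS 5 kernels,
# nf_conntrack_pptp / nf_nat_pptp on newer ones).
EOF
}

# count_rules WAN POOL -> number of iptables commands produced (self-check).
count_rules() {
    pptp_fw_rules "$1" "$2" | grep -c '^iptables '
}

# Constructed example: eth0 is the WAN side, 192.168.2.8/29 covers .11-.15.
pptp_fw_rules eth0 192.168.2.8/29
```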

  45. Dragos
    Aug 13, 2010 @ 06:55:59

    kk @ Aug 25, 2009 @ 04:32:32
    re error 619:

    Thank you very much -

  46. Dragos
    Aug 13, 2010 @ 06:57:36

    I do have a question myself: when I connect to my VPN at home and I uncheck “use default gateway on remote network”, I cannot access the Internet any more on the other Windows interface.

    Has anyone faced this before?

  47. wingloon
    Aug 14, 2010 @ 13:23:58

    iDaemon, have you tried running iptables to masquerade your Internet sharing on the VPN server?

    bish, thank you for helping Ken.

    Dragos, you should be able to access the Internet. Please check your IP addresses.

  48. peyman
    Aug 26, 2010 @ 20:02:07

    Thanks Mr wingloon for the answers.

    I installed everything,
    I get error 691.
    Would you please help me?
    Thanks

  49. Ross
    Aug 27, 2010 @ 05:47:36

    Hi, I have configured everything and I still have an Internet problem. I can ping through the VPN to any IP, and even traceroute tells me I’m using the VPN. But when I try to browse the Internet it doesn’t let me, I don’t know why. Something is preventing me from resolving domains, don’t know why. Does someone know what’s going on? On an older machine it works. And the firewall is all cleaned up, with just the masq rule for VPN addresses.

    Any help will be great thanks
