Install pptp vpn under CentOS7

Source: Internet
Author: User
Tags ssh port


Installing PPTP VPN on CentOS 7

1. Check whether the system kernel supports MPPE.

modprobe ppp-compress-18 && echo OK

If "OK" is displayed, MPPE is supported.
2. Check whether TUN/TAP support is enabled.

cat /dev/net/tun

cat: /dev/net/tun: File descriptor in bad state

If the command prints the message above, TUN/TAP support is enabled (the device node exists but cannot be read as an ordinary file).

3. Check whether PPP supports MPPE.

strings /usr/sbin/pppd | grep -i mppe | wc -l
43

If the output of the preceding command is "0", MPPE is not supported. If the output is "30" or a larger number, MPPE is supported.

4. Install ppp and iptables # PPTP requires these two packages; generally CentOS comes with both.

yum install -y ppp iptables

5. Install PPTP

yum install epel-release
yum install pptpd

6. Configure PPTP

(1) vi /etc/ppp/options.pptpd # edit and save

name pptpd # name of the VPN server, can be any name you like
#refuse-pap # reject PAP authentication
#refuse-chap # reject CHAP authentication
#refuse-mschap # reject MS-CHAP authentication
require-mschap-v2 # for maximum security, require MS-CHAP v2 authentication
require-mppe-128 # encrypt with 128-bit MPPE
ms-dns 8.8.8.8 # DNS servers handed to clients
ms-dns 8.8.4.4
proxyarp # enable proxy ARP; needed when the addresses assigned to clients are in the same subnet as the server's network interface
#debug # disable debug output
lock
nobsdcomp
novj
novjccomp
#nologfd # do not write run-time information to stderr
logfile /var/log/pptpd.log # log file for the pptpd service

(2) vi /etc/ppp/chap-secrets # edit and save

kuaile pptpd 666666 * # columns: username, server name (the "name" from options.pptpd), password, allowed client IP; here user kuaile with password 666666

Or

vpnuser add kuaile 666666

(3) vi /etc/pptpd.conf # edit and save

option /etc/ppp/options.pptpd
logwtmp
localip 10.0.6.1 # virtual IP address of the VPN server
remoteip 10.0.6.101-200 # dynamically assign client addresses from 10.0.6.101 to 10.0.6.200

7. Enable IP forwarding (routing mode)

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

vi /etc/sysctl.conf # edit

net.ipv4.ip_forward = 1 # find this line, remove the leading # and change 0 to 1 to enable forwarding; add the line if it is missing

/sbin/sysctl -p # make the setting take effect immediately

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

8. Configure firewall NAT forwarding

CentOS 7 uses the firewalld dynamic firewall by default. I prefer iptables.

yum install iptables-services

systemctl stop firewalld.service
systemctl disable firewalld.service
yum erase firewalld

systemctl enable iptables.service
systemctl start iptables.service

Enable packet forwarding

iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j MASQUERADE

This rewrites outgoing packets: for packets leaving through eth0 with a source address in 10.0.6.0/24 (the VPN clients), the source address is replaced with the host's own address.

iptables -t nat -L # check that the NAT rule has taken effect

Note that the server's network interface is not necessarily eth0. Use netstat -i to list the interfaces.

service iptables save # save firewall settings

service iptables restart # restart the firewall

For hosts that have iptables filtering enabled, open the VPN service port 1723 and the GRE protocol.

Run the following commands to add the rules.

Open PPTP port 1723 and the GRE protocol:

iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j MASQUERADE

Or (these two should be equivalent; if one does not work, try the other):

iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j SNAT --to-source <your host IP address>

iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


If the rule set contains a REJECT (deny) rule, note that the ACCEPT rules must be placed before it, otherwise they never match.

The default iptables rules for CentOS 7 end with:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

The rules to be added must come before these rules, so insert them with -I at a position instead of appending them with -A. The position numbers below assume the stock rule set; check the current numbering with iptables -L --line-numbers before inserting.

iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT # GRE is IP protocol 47, not a TCP port, so this rule is redundant; the gre rule below is what matters
iptables -I INPUT 7 -p gre -m state --state NEW -j ACCEPT
iptables -I FORWARD 2 -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j MASQUERADE

Run iptables -L to check the configuration.

[root@Centos7 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination 
DROP all -- anywhere anywhere state INVALID 
ACCEPT icmp -- anywhere anywhere 
ACCEPT all -- anywhere anywhere 
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh 
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:pptp 
ACCEPT gre -- anywhere anywhere state NEW,RELATED,ESTABLISHED 
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited 
Chain FORWARD (policy ACCEPT)
target prot opt source destination 
DROP all -- anywhere anywhere state INVALID 
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED 
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
DROP all -- anywhere anywhere state INVALID 

[root@Centos7 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination 
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination 
MASQUERADE all -- 10.0.6.0/24 anywhere 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination 

If everything looks right, save the rules.

service iptables save

These are all the commands I used to set up iptables, for your reference.

888 is the SSH port number I changed to.

/sbin/iptables -F
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 888 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT
/sbin/iptables -A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -F -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o seth0 -j MASQUERADE

This is my iptables rules file:

[root@Centos7 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Nov 28 15:27:36 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [67:9660]
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 888 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT 
-A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A OUTPUT -m state --state INVALID -j DROP 
COMMIT
# Completed on Fri Nov 28 15:27:36 2014
# Generated by iptables-save v1.4.7 on Fri Nov 28 15:27:36 2014
*nat
:PREROUTING ACCEPT [7:1301]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.6.0/24 -o seth0 -j MASQUERADE 
COMMIT
# Completed on Fri Nov 28 15:27:36 2014
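As an added example (not from the original article), here is a small POSIX shell audit that reads an iptables-save style dump such as the rules file above and reports whether the pptpd rules are shadowed by the chain's REJECT rule, which is the ordering mistake the text warns about. The two rule sets embedded in it are constructed samples, and the function names rule_pos, accept_before_reject and audit_pptp_rules are introduced here.

```shell
#!/bin/sh
# Audit an iptables-save style rule dump for the ordering problem described
# above: pptpd's ACCEPT rules must precede the chain's REJECT rule or they
# never match. Both rule sets below are constructed samples.
BAD_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ppp+ -j ACCEPT'
GOOD_RULES='-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Position (1-based, within one chain) of the first rule matching a pattern.
rule_pos() {  # $1 = rules text, $2 = chain, $3 = grep -E pattern
    printf '%s\n' "$1" | grep -E -e "^-A $2 " | grep -nE -e "$3" \
        | head -n 1 | cut -d: -f1
}

# Succeeds when the matching ACCEPT rule precedes the chain's REJECT rule.
accept_before_reject() {  # $1 = rules text, $2 = chain, $3 = accept pattern
    acc=$(rule_pos "$1" "$2" "$3")
    rej=$(rule_pos "$1" "$2" '-j REJECT')
    [ -n "$acc" ] || return 1      # rule missing entirely
    [ -z "$rej" ] && return 0      # no REJECT rule: order does not matter
    [ "$acc" -lt "$rej" ]
}

# Check the three rules the PPTP setup depends on; exit status = problem count.
audit_pptp_rules() {  # $1 = rules text
    problems=0
    for spec in 'INPUT|--dport 1723 -j ACCEPT' 'INPUT|-p gre .*-j ACCEPT' \
                'FORWARD|-i ppp[+] .*-j ACCEPT'; do
        chain=${spec%%|*}; pat=${spec#*|}
        if accept_before_reject "$1" "$chain" "$pat"; then
            echo "ok:      $chain rule '$pat' precedes REJECT"
        else
            echo "PROBLEM: $chain rule '$pat' is missing or shadowed by REJECT"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

audit_pptp_rules "$BAD_RULES" || echo "-> $? problem(s) in BAD_RULES"
audit_pptp_rules "$GOOD_RULES" && echo "-> GOOD_RULES is fine"
```

To audit a live server, pass the output of iptables-save (or the contents of /etc/sysconfig/iptables) as the argument instead of the samples.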

9. Start PPTP and enable it at boot

service pptpd start # start pptpd

systemctl enable pptpd # start at boot

pptpd listens on TCP port 1723 (the port assigned to PPTP), so you can confirm that the service is running by checking that the port is in the LISTEN state.

Command: netstat -ntpl

[root@Centos7 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1423/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1693/master
tcp        0      0 0.0.0.0:44666           0.0.0.0:*               LISTEN      1358/rpc.statd
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      2020/pptpd
tcp        0      0 0.0.0.0:66              0.0.0.0:*               LISTEN      1579/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1310/rpcbind
tcp6       0      0 ::1:631                 :::*                    LISTEN      1423/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1693/master
tcp6       0      0 :::66                   :::*                    LISTEN      1579/sshd
tcp6       0      0 :::33794                :::*                    LISTEN      1358/rpc.statd
tcp6       0      0 :::111                  :::*                    LISTEN      1310/rpcbind


The VPN server is now set up.
