Centos6.5 configure pptpd to build a VPN Service

Source: Internet
Author: User


I. Checks:

1. Check whether the system kernel supports MPPE patches.

modprobe ppp-compress-18 && echo success

If "success" is printed, the system supports the MPPE patch. If not, install kernel-devel first:

yum install kernel-devel

2. Check whether TUN/TAP support is enabled.

cat /dev/net/tun

If the command prints the following text, TUN/TAP support is enabled:

cat: /dev/net/tun: File descriptor in bad state

3. Check whether ppp support is enabled.

cat /dev/ppp

If the command prints the following text, ppp support is enabled:

cat: /dev/ppp: No such device or address

All three conditions must be met at the same time; otherwise the PPTP VPN cannot be installed.

II. Installation:

System environment: CentOS 6.5 x64 with two NICs. Internet IP: 210.xxxxx; intranet IP: 172.16.7.10.

Install ppp and the required dependencies:

yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers dkms kernel_ppp_mppe ppp

Download pptpd. The package must match the system's ppp version, which here is ppp-2.4.5:

wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.4.0-1.el6.`uname -m`.rpm

rpm -Uvh pptpd-1.4.0-*

III. Configuration:

vim /etc/pptpd.conf

Find the "localip" and "remoteip" configuration items:

localip 172.16.7.10  # server IP address
remoteip 172.16.7.11-15  # IP address range for the VPN clients (up to four connections allowed)

Configure DNS:

vim /etc/ppp/options.pptpd

ms-dns 202.106.0.20
ms-dns 8.8.8.8

The debug option enables pptpd logging; by default the logs go to /var/log/messages.

Create an account:

Edit /etc/ppp/chap-secrets. Each line has the format: "username" servername "password" allowed-IP-addresses. Write one line per account, and multiple lines for multiple accounts:

"hitman" * "fuckyou" *

IV. Network Configuration:

Enable forwarding:

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

Firewall rules:

iptables -t filter -A INPUT -p tcp -m multiport --dport 22,1723 -j ACCEPT

iptables -A FORWARD -p tcp --syn -s 172.16.7.0/24 -j TCPMSS --set-mss 1356  # fixes slow Internet access by clamping the MSS to fit the tunnel MTU

iptables -t nat -A POSTROUTING -o eth1 -s 172.16.7.0/24 -j MASQUERADE  # address masquerading so that clients can reach the intranet

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.7.0/24 -j SNAT --to-source <Internet IP address>  # SNAT so that clients can reach the Internet

Start:

service pptpd start

./iptables.sh  # the script containing the iptables rules above

Enable both services at boot:

chkconfig pptpd on

chkconfig iptables on
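The configuration and firewall steps of sections III and IV collected into one script, as an added example that is not the article's own code. It renders pptpd.conf, options.pptpd, chap-secrets, the sysctl setting and the iptables.sh the article runs after starting pptpd under a prefix directory, so the output can be reviewed in a scratch directory before being written to /. The function name render_pptpd_configs, the /24 derived from the local address, the example account and the 203.0.113.10 address are assumptions; the SNAT rule stands in for the article's MASQUERADE/SNAT pair, and the GRE rule is added because PPTP carries the PPP session over GRE (IP protocol 47), which the article's INPUT rule for TCP 22 and 1723 alone does not admit. chap-secrets holds cleartext passwords, so the script restricts it to mode 600.

```shell
#!/bin/sh
# Added example, not the article's code: render the files from sections III
# and IV under a prefix directory. Use a scratch directory to review the
# output, then PREFIX=/ (as root) to write the real files.
set -eu

# ensure_line FILE LINE: append LINE to FILE unless it is already present,
# creating parent directories as needed (idempotent, so re-running the
# script does not duplicate the sysctl setting).
ensure_line() {
    mkdir -p "$(dirname "$1")"
    [ -f "$1" ] && grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# render_pptpd_configs PREFIX LOCALIP REMOTEIP_RANGE INET_IFACE INET_IP USER PASSWORD
render_pptpd_configs() {
    prefix=$1 localip=$2 remoteip=$3 inet_if=$4 inet_ip=$5 user=$6 pass=$7
    # Client subnet for the forwarding rules: assumes the /24 containing LOCALIP
    net=$(printf '%s' "$localip" | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }')

    # /etc/pptpd.conf: server address and the address pool handed out to clients
    f="$prefix/etc/pptpd.conf"; rm -f "$f"
    ensure_line "$f" "localip $localip"
    ensure_line "$f" "remoteip $remoteip"

    # /etc/ppp/options.pptpd: DNS pushed to clients; debug logs to /var/log/messages
    f="$prefix/etc/ppp/options.pptpd"; rm -f "$f"
    ensure_line "$f" "ms-dns 8.8.8.8"
    ensure_line "$f" "debug"

    # /etc/ppp/chap-secrets stores cleartext passwords, so make it owner-only
    f="$prefix/etc/ppp/chap-secrets"; rm -f "$f"
    ensure_line "$f" "\"$user\" * \"$pass\" *"
    chmod 600 "$f"

    # Kernel forwarding (apply with 'sysctl -p' after writing the real file)
    ensure_line "$prefix/etc/sysctl.conf" "net.ipv4.ip_forward = 1"

    # iptables.sh: the rule script the article runs after 'service pptpd start'
    f="$prefix/iptables.sh"; rm -f "$f"
    ensure_line "$f" "#!/bin/sh"
    ensure_line "$f" "iptables -t filter -A INPUT -p tcp -m multiport --dport 22,1723 -j ACCEPT"
    # PPTP tunnels the PPP session over GRE (IP protocol 47); added here because
    # the article's INPUT rule alone only admits the TCP control channel
    ensure_line "$f" "iptables -t filter -A INPUT -p gre -j ACCEPT"
    ensure_line "$f" "iptables -A FORWARD -p tcp --syn -s $net -j TCPMSS --set-mss 1356"
    ensure_line "$f" "iptables -t nat -A POSTROUTING -o $inet_if -s $net -j SNAT --to-source $inet_ip"
    chmod 700 "$f"
}

# Stand-alone use (constructed values):
#   sh render.sh /tmp/pptpd-review 172.16.7.10 172.16.7.11-15 eth0 203.0.113.10 alice secret
if [ "$#" -ge 7 ]; then
    render_pptpd_configs "$@"
fi
```

Run it first with a scratch prefix such as /tmp/pptpd-review and inspect the rendered files; the second run with / as the prefix writes the real configuration, after which service pptpd start and ./iptables.sh follow as above.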

Problem summary:

If error 619 is reported when the VPN client dials in, run the following command:

mknod /dev/ppp c 108 0
After the installation completed, error 619 was displayed. After running the above command, I don't know why it didn't take effect; only restarting the VPS helped. After the restart, dialing in and accessing the Internet succeeded!

If the message "Warning: a pptpd restart does not terminate existing connections, so new connections may be assigned the same IP address and cause unexpected results. Use restart-kill to destroy existing connections during a restart." is displayed, run the following commands:

service pptpd restart-kill
service pptpd start
Slow Internet access through a VPN built with PPTP:
PPTP is used to build a VPN server on Linux. After dialing in, the intranet FTP can be reached but downloads are extremely slow, and when the PPTP server is used as a gateway to the Internet most websites are very slow and almost unreachable, except Baidu. Solution: add the following rule to the filter table in iptables on the Linux server where pptpd runs:

iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356

Or:

/sbin/iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356

Cause analysis:
When the VPN connection is disconnected:
On Windows XP, test step by step with ping -f -l XXXX 192.168.0.1 (XXXX is the MTU size to try; start from 1500 and reduce it gradually until the ping succeeds). The maximum pingable MTU obtained this way is 1426.
When connected to the VPN:
The same test with ping -f -l XXXX 192.168.0.1 shows that the maximum pingable MTU is 1372; if this number is exceeded, the ping fails.
Dial in to the VPN and view the interfaces on the server with netstat -i:

Iface   MTU    Met  RX-OK      RX-ERR  RX-DRP  RX-OVR  TX-OK      TX-ERR  TX-DRP  TX-OVR  Flg
eth0    1500   0    102528561  0       0       0       194391413  0       0       0       BRU
eth1    1500   0    51982053595411553924208798037000 (counters ran together in the source)    BRU
lo      16436  0    1500002    0       0       0       1500002    0       0       0       LRU
ppp0    1396   0    19         0       0       0       8          0       0       0       OPRU

This shows that the MTU of ppp0 is 1396, so the corresponding MSS should be the MTU minus the 20-byte IP header and the 20-byte TCP header, i.e. 1396 - 40 = 1356.

[Knowledge 1] MSS in computer networks:
MSS: Maximum Segment Size.
MSS is the abbreviation of Maximum Segment Size, a concept in TCP.
The MSS is the largest data segment that a TCP packet can carry in one transmission. To achieve the best transmission performance, TCP normally negotiates the MSS of both sides when the connection is established; in TCP implementations this value is usually derived from the MTU (the MTU minus the 20-byte IP header and the 20-byte TCP header), so the MSS is typically 1460. Both sides then determine the maximum MSS for the connection from the MSS values each of them announced.
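To make the arithmetic of the cause analysis reproducible, here is an added example (not from the article) that extracts the ppp interface MTU from netstat -i output and derives the MSS clamp and the FORWARD rule from it. The netstat lines inside it are a constructed sample in the shape of the table above, and the function names are assumptions. mtu_from_ping_payload adds the 20-byte IP and 8-byte ICMP headers to the largest payload that passed the ping -f -l test; for the 1372 measured over the tunnel this gives 1400, the value the article later sets on the ppp interface in /etc/ppp/ip-up.

```shell
#!/bin/sh
# Added example (not the article's code): derive the TCPMSS clamp value from
# the ppp interface MTU, as the article does by hand from 'netstat -i'.
set -eu

# Constructed sample of 'netstat -i' output in the shape shown in the article.
# Only the ppp0 line matters here; the other counters are made-up values.
NETSTAT_SAMPLE='Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0   102528561      0      0      0 194391413      0      0      0 BRU
lo    16436 0     1500002      0      0      0   1500002      0      0      0 LRU
ppp0   1396 0          19      0      0      0         8      0      0      0 OPRU'

# ppp_mtu: print the MTU of the first ppp interface in netstat -i output read from stdin.
ppp_mtu() {
    awk '$1 ~ /^ppp[0-9]+$/ { print $2; exit }'
}

# mss_from_mtu MTU: MSS = MTU - 20-byte IP header - 20-byte TCP header.
mss_from_mtu() {
    echo $(( $1 - 40 ))
}

# mtu_from_ping_payload SIZE: the largest 'ping -f -l SIZE' that succeeds is the
# ICMP payload; the path MTU is that plus the 20-byte IP and 8-byte ICMP headers.
mtu_from_ping_payload() {
    echo $(( $1 + 28 ))
}

# clamp_rule MSS: the FORWARD rule the article inserts, for a given MSS.
clamp_rule() {
    printf 'iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss %s\n' "$1"
}

# Demonstration on the constructed sample.
demo() {
    mtu=$(printf '%s\n' "$NETSTAT_SAMPLE" | ppp_mtu)
    mss=$(mss_from_mtu "$mtu")
    echo "ppp MTU $mtu -> MSS $mss"
    clamp_rule "$mss"
    echo "path MTU over the tunnel from the ping test: $(mtu_from_ping_payload 1372)"
}
demo
```

On a live server, replace the sample with `netstat -i | ppp_mtu` once a client is dialed in; the clamp value printed is the one to use in the FORWARD rule, and it should be re-derived if the ppp MTU changes.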
Note:

Forwarding rules for a server with multiple IP addresses:

iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.8.1

Or:

iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source <server Internet IP>

If an iPhone or other device can connect but web pages or YouTube load very slowly, make the following change:

vim /etc/ppp/ip-up

Add a line:

/sbin/ifconfig $1 mtu 1400

Or modify the iptables rules:

iptables -A FORWARD -p tcp --syn -s 192.168.8.0/24 -j TCPMSS --set-mss 1356

The value 1356 may need to be adjusted to the largest value at which the network still works normally.
