Install and configure PPTP (pptpd) on a CentOS server
Note:
Server operating system: 64-bit CentOS
Server IP address: 192.168.1.100
Purpose: install and configure pptpd on the server and offer PPTP VPN dial-in to external clients.
Caveat: PPTP authenticates with MS-CHAPv2, whose handshake can be broken offline with a single 2^56 DES search (Marlinspike and Hulton, 2012), and MPPE derives its session keys from the same password material, so a captured session can be decrypted afterwards. Treat this setup as legacy remote access, not as a confidentiality boundary; prefer IPsec/IKEv2 or OpenVPN where the clients support them.
Specific operations:
(1) Download the installation packages
1. ppp  # required by pptpd
http://poptop.sourceforge.net/yum/stable/packages/ppp-2.4.5-33.0.rhel6.x86_64.rpm
2. pptpd  # the latest version
http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.4.0-1.rhel5.x86_64.rpm
Pick the rhel5 or rhel6 builds that match your CentOS major release and do not mix them (the ppp link above is a rhel6 build, the pptpd link a rhel5 build). Upload the downloaded files to /usr/local/src, or change to that directory on the server and fetch them with wget. The downloads are plain HTTP, so verify a checksum or signature published by the project before installing (rpm -K shows whether a package carries a GPG signature at all).
(2) Check whether the server can run a PPTP VPN
1. Check that the kernel supports MPPE.
modprobe ppp-compress-18 && echo success
"success" is printed only if the module loads, which means the kernel has MPPE. Stock CentOS 5 and 6 kernels ship ppp_mppe, so a failure usually means the module did not load (check dmesg and lsmod) rather than a kernel without MPPE; the original suggests installing kernel-devel first:
yum -y install kernel-devel
2. Check that TUN/TAP is enabled.
cat /dev/net/tun
If the command prints the following, TUN/TAP is available:
cat: /dev/net/tun: File descriptor in bad state
3. Check that PPP is enabled.
cat /dev/ppp
If the command prints the following, the PPP device is available:
cat: /dev/ppp: No such device or address
All three conditions must hold at the same time; otherwise the PPTP VPN cannot be installed.
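The three checks of step (2) as one script, added here as an example; it is not part of the original page. It tests the device nodes by type instead of matching cat's error text, which varies between kernels and locales, and it assumes only a POSIX sh and modprobe. The two device paths are parameters (defaults are the real ones) so the function can be pointed elsewhere.

```shell
#!/bin/sh
# Added example (not from the original page): the step-(2) checks as a script.
# Device paths are parameters so the checks can be run against other paths;
# the defaults are the nodes pptpd really uses.

# 0 if the kernel can load the MPPE compressor (the ppp-compress-18 alias).
mppe_supported() {
    modprobe ppp-compress-18 2>/dev/null
}

# 0 if $1 exists and is a character device, which is what a working /dev/ppp
# or /dev/net/tun looks like (cat on it fails, but the node must be there).
char_device_present() {
    [ -c "$1" ]
}

# Runs all three checks, prints one line per check and returns the number of
# failed checks, so "preflight_pptp && rpm -ivh ..." only installs on a fit host.
preflight_pptp() {
    tun_dev=${1:-/dev/net/tun}
    ppp_dev=${2:-/dev/ppp}
    failures=0

    if mppe_supported; then
        echo "MPPE: ok (ppp-compress-18 loaded)"
    else
        echo "MPPE: FAIL (modprobe ppp-compress-18 failed; check dmesg and lsmod)"
        failures=$((failures + 1))
    fi

    if char_device_present "$tun_dev"; then
        echo "TUN/TAP: ok ($tun_dev is a character device)"
    else
        echo "TUN/TAP: FAIL ($tun_dev missing; try modprobe tun)"
        failures=$((failures + 1))
    fi

    if char_device_present "$ppp_dev"; then
        echo "PPP: ok ($ppp_dev is a character device)"
    else
        echo "PPP: FAIL ($ppp_dev missing; mknod $ppp_dev c 108 0, see step 8)"
        failures=$((failures + 1))
    fi

    return "$failures"
}
```

Run it as root with `preflight_pptp && echo ready`; the return value is the number of failed checks, so it can gate the rpm -ivh step in a provisioning script.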
(3) Install ppp and pptpd
cd /usr/local/src
rpm -ivh ppp-2.4.4-14.1.rhel5.x86_64.rpm
# Install ppp (type the file name you actually downloaded in step (1); the name shown here is the rhel5 build, not the rhel6 one linked above)
rpm -ivh pptpd-1.4.0-1.rhel5.x86_64.rpm
# Install pptpd
(4) Configure pptpd
1. vi /etc/ppp/options.pptpd
# Edit the file so that it contains the following parameters
name pptpd
# Server name; must match the second column of /etc/ppp/chap-secrets
refuse-pap
refuse-chap
refuse-mschap
# Reject PAP, CHAP and MS-CHAPv1, the weaker authentication methods
require-mschap-v2
# Accept only MS-CHAPv2 authentication
require-mppe-128
# Require 128-bit MPPE encryption; clients that will not encrypt are refused
proxyarp
# Answer ARP on the LAN for the dial-in addresses so that clients look like LAN hosts
lock
nobsdcomp
novj
novjccomp
# Disable BSD and Van Jacobson compression
nologfd
ms-dns 8.8.8.8
# Primary DNS server pushed to clients
ms-dns 8.8.4.4
# Backup DNS server pushed to clients
:wq!
# Save and exit
2. vi /etc/ppp/chap-secrets
# Set the PPTP dial-in users and passwords (one user per line)
# client    server    secret    IP addresses
osgnu01    pptpd    123456    *
osgnu02    pptpd    1234    *
osgnu03    pptpd    12345678    *
Format: username pptpd password *
* means the client is assigned an IP address from the pool automatically.
The passwords above are placeholders only. MS-CHAPv2 is no stronger than the password behind it, so use long random secrets. The file stores them in plaintext, so keep it owned by root with mode 600 (chmod 600 /etc/ppp/chap-secrets).
:wq! # Save and exit
3. vi /etc/pptpd.conf
# Set the PPTP server address and the address pool handed to dial-in clients
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.1.1
# Server end of the PPP link (note: not the server's own LAN address, 192.168.1.100)
remoteip 192.168.1.2-15
# Hand out 192.168.1.2 through 192.168.1.15 to dial-in users; with proxyarp they appear on the LAN
# Make sure 192.168.1.1 and 192.168.1.2-15 are not used by any LAN host or DHCP scope, because proxyarp will answer for them
:wq!
# Save and exit
/sbin/service pptpd start
# Start pptpd
/etc/init.d/pptpd stop
# Stop pptpd
service pptpd restart
# Restart pptpd
chkconfig pptpd on
# Start pptpd at boot
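An audit of /etc/ppp/chap-secrets before pptpd is started, added as an example; it is not part of the original page or of pptpd. It checks what the configuration step leaves implicit: the file is plaintext, so it must be root-owned with mode 600; the server column must match "name pptpd" in options.pptpd; and short or digits-only secrets like the 123456 above are flagged. The file path is a parameter, the 12-character threshold is an assumption, and quoted fields with embedded spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): audit a pptpd chap-secrets file.
# The 12-character minimum is this example's assumption, not a pptpd rule.

# weak_secret SECRET -> 0 (true) if the secret is shorter than 12 characters
# or consists of digits only.
weak_secret() {
    s=$1
    [ "${#s}" -lt 12 ] && return 0
    case $s in
        *[!0-9]*) return 1 ;;   # contains at least one non-digit
        *)        return 0 ;;   # digits only
    esac
}

# audit_secrets FILE -> prints one line per finding and returns the finding
# count (0 means clean).
audit_secrets() {
    f=$1
    findings=0

    # Ownership and mode: anyone who can read the file has every VPN password.
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "$f: mode $mode, should be 600 (chmod 600 $f)"
        findings=$((findings + 1))
    fi
    if [ "$owner" != "root" ]; then
        echo "$f: owned by $owner, should be root"
        findings=$((findings + 1))
    fi

    # Entries: client server secret ip; '#' comments and blank lines are skipped.
    lineno=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        lineno=$((lineno + 1))
        case $raw in ''|'#'*) continue ;; esac
        set -f                  # keep the '*' in the IP column from globbing
        set -- $raw
        set +f
        if [ "$#" -lt 4 ]; then
            echo "line $lineno: expected 4 fields (client server secret ip), got $#"
            findings=$((findings + 1))
            continue
        fi
        client=$1
        server=$2
        secret=$3
        if [ "$server" != "pptpd" ] && [ "$server" != "*" ]; then
            echo "line $lineno: server '$server' will not match 'name pptpd' in options.pptpd"
            findings=$((findings + 1))
        fi
        if weak_secret "$secret"; then
            echo "line $lineno: weak secret for $client (use 12+ mixed characters)"
            findings=$((findings + 1))
        fi
    done < "$f"

    return "$findings"
}
```

Run `audit_secrets /etc/ppp/chap-secrets` as root; the three sample entries from the step above all trigger the weak-secret finding, and a file that is group- or world-readable triggers the mode finding.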
(5) Enable routing on the server so that it forwards packets
vi /etc/sysctl.conf
# Edit
net.ipv4.ip_forward = 1
# Set to 1
# net.ipv4.tcp_syncookies = 1
# The original comments this line out. That is not needed for pptpd (SYN cookies only change how the kernel handles TCP SYN floods), and it removes a DoS protection, so leaving tcp_syncookies = 1 is the safer choice.
:wq!
# Save and exit
/sbin/sysctl -p
# Apply the settings immediately
(6) Set the firewall forwarding rules
yum install iptables
# Install the firewall
service iptables start
# Start the firewall
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source 192.168.1.100
# Rewrite the source of forwarded client traffic to the server address
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/255.255.255.0 -j TCPMSS --set-mss 1356
# Clamp the TCP MSS on forwarded SYNs so that packets fit inside the PPTP/GRE tunnel
/etc/init.d/iptables save
# Save the firewall rules
(7) Open the PPTP service port TCP 1723 and allow the dial-in pool 192.168.1.0/255.255.255.0 through the firewall
vi /etc/sysconfig/iptables
# Edit and add the following rules, before the final REJECT line of the chain
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
:wq! # Save and exit
Note:
# 192.168.1.100 is the server IP address
# 192.168.1.0/255.255.255.0 is the address range of the PPTP dial-in pool set in step (4)
# TCP 1723 is only the PPTP control channel; the tunnel itself runs over GRE (IP protocol 47). The listing below never accepts GRE, so either add "-A RH-Firewall-1-INPUT -p gre -j ACCEPT" before the final REJECT or load the PPTP connection-tracking helper (ip_conntrack_pptp on CentOS 5, nf_conntrack_pptp on CentOS 6) so that GRE is matched by the RELATED,ESTABLISHED rule; otherwise clients fail after the TCP handshake.
# The "-s 192.168.1.0/255.255.255.0 -j ACCEPT" rule admits any traffic from the pool and, because FORWARD jumps to the same chain, forwards it anywhere. Narrow it to the ports dial-in users need if they are not fully trusted.
/etc/init.d/iptables restart
# Restart the firewall
chkconfig iptables on
# Start the firewall at boot
cat /etc/sysconfig/iptables
# View the firewall configuration file
# Generated by iptables-save v1.3.5 on Wed Dec 11 20:21:08 2013
*nat
:PREROUTING ACCEPT [4680:60]
:POSTROUTING ACCEPT [4:258]
:OUTPUT ACCEPT [4:25]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source 192.168.1.100
COMMIT
# Completed on Wed Dec 11 20:21:08 2013
# Generated by iptables-save v1.3.5 on Wed Dec 11 20:21:08 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:16159]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 07 20:21:08 2015
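A check of an iptables-save dump such as /etc/sysconfig/iptables for the rules a PPTP server needs, added as an example; it is not part of the original page. It looks for the TCP 1723 accept, a GRE accept, the SNAT/MASQUERADE rule and the MSS clamp, and reports what is missing. Run against the listing above it reports only GRE as missing, which is the gap a client hang after authentication usually comes down to. The dump path is a parameter; the patterns are this example's own and assume rules in iptables-save syntax.

```shell
#!/bin/sh
# Added example (not from the original page): check an iptables-save dump for
# the rules pptpd needs. PPTP uses TCP 1723 for control and GRE (protocol 47)
# for the tunnel itself; a ruleset that opens 1723 but not GRE lets clients
# authenticate and then hang.

# rule_present DUMP ERE -> 0 if any line of the dump matches the pattern.
rule_present() {
    grep -Eq "$2" "$1"
}

# check_pptp_rules DUMP -> prints present/MISSING per requirement and returns
# the number of missing rules (0 means the dump covers all four).
check_pptp_rules() {
    dump=$1
    missing=0
    # label;pattern pairs; the patterns assume iptables-save syntax.
    for spec in \
        'TCP 1723 accepted (PPTP control channel);^-A .*-p tcp .*--dport 1723 .*-j ACCEPT' \
        'GRE accepted (PPTP data channel, IP protocol 47);^-A .*-p (gre|47) .*-j ACCEPT' \
        'SNAT/MASQUERADE for the dial-in pool;^-A POSTROUTING .*-j (SNAT|MASQUERADE)' \
        'MSS clamp on forwarded SYNs;^-A FORWARD .*-j TCPMSS'
    do
        label=${spec%%;*}
        pattern=${spec#*;}
        if rule_present "$dump" "$pattern"; then
            echo "present: $label"
        else
            echo "MISSING: $label"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run `check_pptp_rules /etc/sysconfig/iptables` after step (7). If GRE is reported missing, add "-A RH-Firewall-1-INPUT -p gre -j ACCEPT" above the final REJECT (or load the pptp conntrack helper so GRE is matched as RELATED) and restart iptables; the check passes once the line is there.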
(8) Create the ppp device node automatically at boot (the node can be missing after a reboot, which makes PPTP clients fail with error 619)
vi /etc/rc.d/rc.local # Edit
mknod /dev/ppp c 108 0 # Add this line at the end of the file; if the node already exists, mknod reports "File exists" and changes nothing
:wq! # Save and exit