Background:
Building a PPTP VPN server should be simple, yet several friends have come to me for help after following other articles and taking many detours. So I think it is worth writing one up myself. My habit is to carry out each step and record it as I write, so you can follow along step by step.
Environment:
OS: CentOS 6.4 x86_64 Minimal
1. Install the EPEL repository
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
2. Install the Poptop (pptpd) repository
# yum install http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
3. Install the PPTP VPN server
# yum install pptpd
4. Edit /etc/pptpd.conf
# vim /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf,v 1.11 00:02:50 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#       Turns on (more) debugging to syslog
#
debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
stimeout 120

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
#logwtmp

# TAG: vrf <vrfname>
#       Switches PPTP & GRE sockets to the specified VRF, which must exist
#       Only available if VRF support was compiled into pptpd.
#
#vrf test

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#       Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option. The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing. But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses separated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 10.192.168.1
remoteip 10.192.168.100-200
Note: in the configuration file above,
option /etc/ppp/options.pptpd: path of the PPP options file (edited in the next step)
debug: enable debug logging to syslog
stimeout 120: wait at most 120 seconds for a control connection to be established
localip 10.192.168.1: local address of the PPTP server, i.e. the gateway address the client receives automatically
remoteip 10.192.168.100-200: address pool handed out to clients. It holds 101 addresses; with the default connections limit of 100 the last one is never used, and the pool size is the real cap on simultaneous clients.
5. Edit /etc/ppp/options.pptpd
# vim /etc/ppp/options.pptpd
###############################################################################
# $Id: options.pptpd,v 1.11 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################

# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name ec2-tokyo

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use.)

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}

# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 172.31.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump

# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2)
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd

# put plugins here
# (putting them higher up may cause them to send messages to the pty)
logfile /var/log/pptpd.log
multilink
Note: in the options file above,
name ec2-tokyo: the server name used for authentication; it must match the second field of the /etc/ppp/chap-secrets entries (or that field must be *)
The authentication and encryption rules are:
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
i.e. PAP, CHAP and MS-CHAPv1 are rejected, the client must authenticate with MS-CHAPv2, and the tunnel must use 128-bit MPPE. This is the strongest combination PPTP offers, but it is not strong by today's standards: an attacker who captures the MS-CHAPv2 handshake can recover the NT hash offline with work equivalent to a single DES key search, regardless of password strength, and because the MPPE keys are derived from that same hash the captured traffic can be decrypted too. Treat this as a compatibility setup for use over networks you trust, not as protection against someone who can see the traffic.
ms-dns 172.31.0.2: the DNS server pushed to clients (I usually pick the default DNS of the host the PPTP server runs on)
proxyarp: answer ARP for the clients' addresses on the server's LAN so that hosts on that LAN see them as local. It only matters when remoteip lies inside that LAN; with the routed and NATed 10.192.168.0/24 pool used here it is harmless but not needed, as the comment in the file says.
debug: enable connection debugging
General settings:
dump: print all option values to the log
lock: create a UUCP-style lock file for the pseudo-tty
nobsdcomp, novj, novjccomp: disable BSD-Compress and Van Jacobson compression
nologfd: do not log to stderr, which may be redirected back to pptpd
logfile /var/log/pptpd.log: where pppd writes its log
multilink: allow several physical channels to be bundled into one logical link
6. Edit the account file /etc/ppp/chap-secrets
# vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"username"      *       "password"              *
Each line is one account: the client (user) name, the server name (* for any, or ec2-tokyo to match the name option above), the secret, and the address(es) the client may use (* lets pptpd hand out an address from the remoteip pool). The secret is stored in cleartext because MS-CHAPv2 needs it to verify the response, so the file must be owned by root with mode 600 and nothing else should be able to read it.
7. Edit /etc/sysconfig/iptables-config
Change IPTABLES_MODULES="" to IPTABLES_MODULES="ip_nat_pptp" so that the PPTP NAT helper is loaded whenever the iptables service starts (on the CentOS 6 kernel ip_nat_pptp is an alias of nf_nat_pptp, and loading it pulls in the PPTP and GRE connection-tracking helpers it depends on).
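Step 6 left the account file to be edited by hand. As an added example (not code from the original article), the following POSIX sh helper adds an account in the format chap-secrets expects: it draws the secret from /dev/urandom instead of letting the user choose one, refuses malformed or duplicate names (pppd takes the first matching line, so a duplicate would silently keep the old secret), and makes sure the file is mode 600 before the secret is written. The function and variable names, the hex password format, the file-path parameter and the default server name taken from the name option are assumptions of this example.

```sh
#!/bin/sh
# Added example (not code from the original article): append one account to a
# chap-secrets file with a generated secret and restrictive permissions.
# Assumptions: the server name matches the "name ec2-tokyo" option above and
# can be overridden through PPTP_SERVER_NAME; the file path is a parameter so
# the function can be exercised on a scratch file before touching /etc/ppp.
PPTP_SERVER_NAME="${PPTP_SERVER_NAME:-ec2-tokyo}"

# 16 random bytes from the kernel, rendered as 32 hex characters. Hex avoids
# characters that pppd's chap-secrets parser or the shell would treat specially.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# add_pptp_user <secrets-file> <username> [client-ip]
# Prints the generated secret on success. Exit status: 0 ok, 1 I/O error,
# 2 bad username, 3 username already present.
add_pptp_user() {
    secrets=$1; user=$2; ip=${3:-'*'}
    # chap-secrets is whitespace separated; refuse names that would break
    # its parsing or smuggle in a second entry.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid username: $user" >&2; return 2 ;;
    esac
    # pppd uses the first matching line, so a second entry for the same user
    # would never be consulted; refuse instead of appending.
    if [ -f "$secrets" ] && grep -q "^\"$user\"[[:space:]]" "$secrets"; then
        echo "user $user already present in $secrets" >&2; return 3
    fi
    password=$(gen_password)
    # Create the file with mode 0600 before anything is written to it, so the
    # secret is never readable by other local users, even briefly.
    ( umask 077 && touch "$secrets" ) || return 1
    chmod 600 "$secrets" || return 1
    # Format: "client"  server  "secret"  allowed-ip (* = assigned by pptpd)
    printf '"%s"\t%s\t"%s"\t%s\n' "$user" "$PPTP_SERVER_NAME" "$password" "$ip" >> "$secrets" || return 1
    printf '%s\n' "$password"
}
```

On the server, run it as root with the real path, e.g. add_pptp_user /etc/ppp/chap-secrets alice 10.192.168.100 to pin that user to a fixed address, or omit the address to let pptpd assign one from the pool. The secret is printed once; hand it to the user out of band. pppd reads chap-secrets on every new connection, so no restart is needed.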
8. Edit /etc/sysconfig/iptables (eth0 is assumed to be the interface that carries the public IP address)
# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -s 10.192.168.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.192.168.0/255.255.255.0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.168.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
Note: in the iptables rules above,
accept all GRE packets (the PPTP data channel);
accept TCP port 1723 (the PPTP control channel);
accept new TCP connections from the VPN pool 10.192.168.0/24 to the server itself. As written this exposes every TCP service listening on the server to every VPN client; restrict it to the ports clients actually need, or drop it, since nothing in this setup requires clients to reach the server directly;
accept forwarded traffic from 10.192.168.0/24 out of eth0, plus the replies to it, ahead of the final REJECT. The stock CentOS 6 rule set ends the FORWARD chain with that REJECT, and without the two ACCEPT lines in front of it client traffic is rejected before it ever reaches the NAT rule, so clients connect but cannot get anywhere;
masquerade 10.192.168.0/24 behind eth0 so that clients share the server's public address for Internet access.
9. Enable IP forwarding: edit /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply it:
# sysctl -p
10. Start the PPTP VPN server and reload the firewall
# /etc/init.d/pptpd restart
# /etc/init.d/iptables restart
11. Start pptpd and iptables automatically at boot
# chkconfig pptpd on
# chkconfig iptables on
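Before restarting the services it is worth checking that the four files edited in steps 4 to 9 agree with one another, because the usual mistakes (a pool outside the NAT network, forwarding left off, the FORWARD chain still rejecting everything, a weaker authentication method left enabled) all show up the same way: a client that connects but cannot pass traffic. The following POSIX sh script is an added example, not part of the original article. It reads pptpd.conf, options.pptpd, iptables and sysctl.conf from a directory you point it at and reports every mismatch it finds. The directory layout, the function names, the messages and the simplification that only the first address of the remoteip pool is checked against the NAT network are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: a pre-flight check that
# reads the four files edited in steps 4 to 9 and reports settings that do not
# agree with each other. Assumptions: the files are given as one directory
# (pptpd.conf, options.pptpd, iptables, sysctl.conf) so the check can run on
# a scratch copy; function names and messages are this example's own.
# Usage: pptp_check <dir>   (exit status = number of problems found)

# Value of an active "<key> <value>" line (commented lines are ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n1
}

# True if <key> appears as an active pppd option, alone or with an argument.
has_option() {
    grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Dotted quad -> 32-bit integer, so pool addresses and masks can be compared.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# "a.b.c.d/24" or "a.b.c.d/255.255.255.0" -> "<network-int> <mask-int>"
net2ints() {
    addr=${1%/*}; mask=${1#*/}
    case "$mask" in
        *.*) m=$(ip2int "$mask") ;;
        *)   m=$(( (4294967295 << (32 - mask)) & 4294967295 )) ;;
    esac
    echo "$(( $(ip2int "$addr") & m )) $m"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

pptp_check() {
    dir=$1; problems=0

    # 1. Only MS-CHAPv2 with 128-bit MPPE may be negotiated.
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        has_option "$dir/options.pptpd" "$opt" || fail "options.pptpd lacks '$opt'"
    done

    # 2. The client pool must lie inside the network the MASQUERADE rule NATs
    #    (only the first pool address is checked; the pool is assumed to be a
    #    contiguous range inside one subnet, as in the article).
    remote=$(conf_value "$dir/pptpd.conf" remoteip)
    first=${remote%%-*}; first=${first%%,*}
    natsrc=$(sed -n 's/.*POSTROUTING.*-s \([^ ]*\).*MASQUERADE.*/\1/p' "$dir/iptables" | head -n1)
    if [ -z "$first" ] || [ -z "$natsrc" ]; then
        fail "remoteip or the MASQUERADE rule is missing"
    else
        set -- $(net2ints "$natsrc")
        [ $(( $(ip2int "$first") & $2 )) -eq "$1" ] || fail "remoteip $remote is outside NAT source $natsrc"
    fi

    # 3. Control channel (TCP 1723) and data channel (GRE) must reach pptpd,
    #    and forwarded client traffic must be accepted before the final REJECT.
    grep -q -- '-A INPUT .*-p gre .*-j ACCEPT' "$dir/iptables" || fail "INPUT does not accept GRE"
    grep -q -- '-A INPUT .*--dport 1723 .*-j ACCEPT' "$dir/iptables" || fail "INPUT does not accept TCP 1723"
    grep -q -- '-A FORWARD .*-j ACCEPT' "$dir/iptables" || fail "FORWARD has no ACCEPT rule for client traffic"

    # 4. Without ip_forward=1 the kernel drops everything clients send onward.
    fwd=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$dir/sysctl.conf" | head -n1)
    [ "$fwd" = 1 ] || fail "net.ipv4.ip_forward is not 1 in sysctl.conf"

    return "$problems"
}
```

To run it against the live files without copying them, collect symlinks in one directory, e.g. mkdir /tmp/chk && ln -s /etc/pptpd.conf /etc/ppp/options.pptpd /etc/sysconfig/iptables /etc/sysctl.conf /tmp/chk/ and then pptp_check /tmp/chk; a zero exit status means all four files agree.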
12. Configure the client on your local PC and connect to the PPTP VPN server
13. End