At the moment, my designer is having a problem accessing target.com, an online shopping website, to look at some of the material for their design work. Target.com currently only allows connections from the USA and Canada due to their website crash issue over the last couple of weeks. Since this is quite urgent, I need to set up a VPN server so they can use it as a jump point to access websites in the USA and Canada. I will use my MySQL server to serve as the VPN server as well.

In this tutorial, I will use PPTP as the protocol to connect to the VPN server using a username and password, with 128-bit MPPE encryption. The variables are as below:

OS: CentOS 6 64bit
VPN server:  209.85.227.26
VPN client IP: 209.85.227.27 – 209.85.227.30
VPN username: vpnuser
Password: myVPN$99

1. Install ppp via yum:

$ yum install ppp -y

2. Download and install pptpd (the daemon for point-to-point tunneling). You can find the correct package at this website http://poptop.sourceforge.net/yum/stable/packages/ :

$ cd /usr/local/src
$ wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
$ rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm

3. Once installed, open /etc/pptpd.conf using a text editor and add the following lines:

localip 209.85.227.26
remoteip 209.85.227.27-30

4. Open /etc/ppp/options.pptpd and add the authentication method, encryption and DNS resolver values:

require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8

5. Let's create a user to access the VPN server. Open /etc/ppp/chap-secrets and add the user as below:

vpnuser pptpd myVPN$99 *

The format is: [username] [space] [server] [space] [password] [space][IP addresses]

6. We need to allow IP packet forwarding for this server. Open /etc/sysctl.conf in a text editor and change the line below:

net.ipv4.ip_forward = 1

7. Run the following command to apply the changes:

$ sysctl -p

8. Allow IP masquerading in iptables by executing the following lines:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ service iptables save
$ service iptables restart

Update: Once you are done with step 8, check the rules in /etc/sysconfig/iptables. Make sure that the POSTROUTING rule is above any REJECT rules.

9. Turn on the pptpd service at startup and reboot the server:

$ chkconfig pptpd on
$ init 6

Once the server is online after the reboot, you should now be able to access the PPTP server from the VPN client. You can monitor /var/log/messages for ppp and pptpd related log entries. Cheers!
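
Added example (not part of the original post): a shell script that audits copies of the files edited in steps 3 to 5. It counts the client addresses a remoteip value provides, reports which step 4 options are missing, and flags chap-secrets entries that allow any client address or a file mode that exposes the plaintext passwords. The function names, the accepted remoteip range form (taken from step 3) and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the files from steps 3-5.
# Function names and all sample data are constructed for illustration.

# Print how many client addresses a remoteip value provides. Accepts
# comma-separated dotted quads and ranges written a.b.c.d-e (last octet
# only), the form used in step 3; returns 1 for anything else.
remoteip_count() {
    printf '%s\n' "$1" | awk -F, '
        function octet(s) { return (s ~ /^[0-9]+$/) && (s + 0 <= 255) }
        {
            if (NF == 0) exit 1
            total = 0
            for (i = 1; i <= NF; i++) {
                n = split($i, part, "-")
                if (n > 2 || split(part[1], o, ".") != 4) exit 1
                for (j = 1; j <= 4; j++) if (!octet(o[j])) exit 1
                if (n == 1) { total++; continue }
                if (!octet(part[2]) || part[2] + 0 < o[4] + 0) exit 1
                total += part[2] - o[4] + 1
            }
            print total
        }'
}

# Print each step 4 option that FILE does not set on an uncommented line.
missing_ppp_options() {
    for opt in require-mschap-v2 require-mppe-128; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$1" || echo "$opt"
    done
}

# Print findings for a chap-secrets file: loose permissions, malformed
# entries, and users whose address field is "*". Secrets are never printed.
# Assumes no quoted fields that contain spaces.
audit_chap_secrets() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) ;;
        *) echo "mode: $mode, expected -rw------- (secrets are stored in plaintext)" ;;
    esac
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF < 4 { print "line " NR ": expected 4 fields, got " NF; next }
        $4 == "*" { print "line " NR ": user " $1 " may take any client address" }
    ' "$1"
}

# Write constructed sample files (documentation addresses, placeholder
# secrets) into the directory given as $1.
make_samples() {
    printf 'localip 192.0.2.1\nremoteip 192.0.2.10-13,192.0.2.20\n' > "$1/pptpd.conf"
    printf '# auth\nrequire-mschap-v2\n#require-mppe-128\nms-dns 192.0.2.53\n' > "$1/options.pptpd"
    printf '# client server secret IP\nalice pptpd EXAMPLE-SECRET-1 *\nbob pptpd EXAMPLE-SECRET-2 192.0.2.11\ncarol pptpd\n' > "$1/chap-secrets"
    chmod 644 "$1/chap-secrets"
}

# Run every check against the three files in the directory given as $1.
audit_dir() {
    spec=$(awk '$1 == "remoteip" { print $2 }' "$1/pptpd.conf")
    if n=$(remoteip_count "$spec"); then
        echo "remoteip: $n address(es), so at most $n simultaneous clients"
    else
        echo "remoteip: '$spec' is not a valid address list"
    fi
    missing_ppp_options "$1/options.pptpd" | sed 's/^/options.pptpd: missing /'
    audit_chap_secrets "$1/chap-secrets" | sed 's/^/chap-secrets: /'
}

# Demo run against the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" && audit_dir "$tmp"
rm -rf "$tmp"
```

To check a real server, copy /etc/pptpd.conf, /etc/ppp/options.pptpd and /etc/ppp/chap-secrets (preserving the mode) into one directory and pass it to audit_dir.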

105 Responses to Install VPN PPTP Server on CentOS 6

  1. Tom says:

    Thank you! Just what I have been looking for. Working with Amazon EC2 instances (Basic 64-bit Amazon Linux AMI 2011.09 (AMI Id: ami-1b814f72.

  2. Robinho says:

    I think the correct is …
    $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    $ service iptables save
    $ service iptables restart

    []s

    • SecaGuy says:

      Thanks Robinho, I have made correction to the post!

    • imran says:

      Dear Robinho,
      I am facing the issue of IPTABLES in my vzvps, please guide. My network configuration is listed below:
      [root@server1 ~]# ifconfig
      lo Link encap:Local Loopback
      inet addr:127.0.0.1 Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING MTU:16436 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

      venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
      UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
      RX packets:40146 errors:0 dropped:0 overruns:0 frame:0
      TX packets:35877 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:37909505 (36.1 MiB) TX bytes:3287533 (3.1 MiB)

      venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:xxx.xxx.xxx.xx P-t-P:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.xxx Mask:255.255.255.255
      UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

      ……………
      while xxx.xxx.xxx.xxx is my server IP, when I am applying the iptables rules it prompts me with the following error.

      server# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables: No chain/target/match by that name.

      server## iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
      iptables: No chain/target/match by that name.

      server## iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
      iptables: No chain/target/match by that name.

      If you can help I will be thankful to you.

      Regards:
      Imran

      • SecaGuy says:

        For all VZ-related problems, it is usually caused by a kernel module not being enabled or started. Please double-check that all related kernel modules are loaded correctly before you use pptp.

  3. robinho says:

    How to configure the netmask and gateway of client ?

    • SecaGuy says:

      Once you have connected to the PPTP server, the client will automatically be assigned a netmask and gateway based on the remote server network configuration.

  4. Sage says:

    Can you tell me how to get the localip and remoteip?

    • SecaGuy says:

      This server has 5 IPs: 209.85.227.26 – 209.85.227.30.

      The server main IP is 209.85.227.26. So this server has 4 free IPs left from 209.85.227.27 to 209.85.227.30. I use these IPs and assign them to PPTP clients whenever they are tunnelling through this server.

      • VPN says:

        I tried this but I still get this error.

        localip xx.100.23.171
        remoteip xx.100.23.172-xx.100.23.173

        Dec 25 03:46:04 server1 pptpd[1231]: MGR: Bad IP address (xx.100.23.172-xx.100.23.173) in config file!

        What could be the problem on this?

  5. blacksucre says:

    I have a simple network with a Static IP from TimeWarner(ISP) in the form of 64.XX.XXX.XXY and a dns of 64.XX.XXY.XXY, I have a Centos 6 Machine Running in a VM, Would you say I meet the requirements to pull this off? I tried it but I get an Authentication error from windows 7 when I try to connect to it. During setup it passed the first steps but after entering my Username and password, it tries to connect via SSTP which it fails then it changes the prompt to PPTP and it still fails.
    Any help will be greatly appreciated.
    Thanks

    • SecaGuy says:

      You will need to use PPTP for the Type of VPN option in Windows 7. Try investigating the /var/log/message when you are connecting to it, and see what the rejection error is. I will try to help you as best I can.

  6. DrAlani says:

    Hi,
    My log file says:
    Couldn’t open the /dev/ppp device: Permission denied
    Sorry – this system lacks PPP kernel support

    and then shuts down the connection.
    What seems to be the problem?

    • SecaGuy says:

      Is the VPN server you are trying to configure a virtual server? What is the output of the following command:
      $ lsmod | grep ppp

  7. saeid says:

    iptables v1.3.5: can’t initialize iptables table `nat': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    • SecaGuy says:

      Usually this error happens on virtual servers like Virtuozzo or OpenVZ. You can ask the server provider to enable ip_conntrack, which includes the iptable_nat and ip_nat modules, for the host.

  8. Gitle says:

    I have some problems.. When I run “sysctl -p”, among other stuff I get these errors:

    error: “net.bridge.bridge-nf-call-ip6tables” is an unknown key
    error: “net.bridge.bridge-nf-call-iptables” is an unknown key
    error: “net.bridge.bridge-nf-call-arptables” is an unknown key

    When I run “iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE”, I get this:

    iptables: No chain/target/match by that name

    And I can’t find pptpd among running processes, I don’t know if it’s running.. Using “service pptpd start” Gives me “starting pptpd: ” without “failed” or “success”.

    And I only have one IP address. Can I use the same one for localip and remoteip?

    • SecaGuy says:

      That key can be disabled according to RHEL support. Just open /etc/sysctl.conf and comment out those lines. You can’t use 1 IP in remoteip. Please refer to the pptpd manual page:
      remoteip ip-specification
      a list of IP addresses to assign to remote PPTP clients. Each connected client must have a different address, so there must be at least as many addresses as you have simultaneous clients, and preferably some spare, since you cannot change this list without restarting pptpd. A warning will be sent to syslog(3) when the IP address pool is exhausted. remoteip will be ignored if pptpd(8) was compiled with --with-pppd-ip-alloc.

  9. Nathan says:

    This is very helpful, thank you! I haven’t been able to connect yet, though. I may be putting in the incorrect information for localip and remoteip. Is the localip the public ip address and the remoteip the client’s ip address i want to connect from?

    • SecaGuy says:

      localip = IP that the client needs to connect to
      remoteip = IP that the client will be assigned once authenticated

  10. Martin says:

    hi, just for correct something,

    You can monitor /var/log/messages <—-

    message with a "s" at the end

    I’m trying your tuto, I want to try to make a VPN at home

    have a nice day

  11. Jack Smith says:

    Our VPN services are secure services that allow you to surf anonymously online in complete privacy. For more advanced features our Dedicated VPN service adds increased security and anonymity on to your existing internet connection.

  12. Martin says:

    Hi, what is the logical module required before installing vpn server on centos 6.2
    because I have this error!

    Apr 7 09:20:10 centos-box acpid: waiting for events: event logging is off
    Apr 7 09:20:10 centos-box acpid: client connected from 1627[68:68]
    Apr 7 09:20:10 centos-box acpid: 1 client rule loaded
    Apr 7 09:20:11 centos-box automount[1644]: lookup_read_master: lookup(nisplus): couldn’t locate nis+ table auto.master
    Apr 7 09:20:12 centos-box abrtd: Init complete, entering main loop
    Apr 7 09:20:12 centos-box pptpd[1789]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
    Apr 7 09:20:12 centos-box pptpd[1790]: MGR: Manager process started
    Apr 7 09:20:12 centos-box pptpd[1790]: MGR: Maximum of 6 connections available
    Apr 7 09:20:12 centos-box qpidd[1801]: 2012-04-07 09:20:12 notice Listening on TCP port 5672
    Apr 7 09:20:12 centos-box qpidd[1801]: 2012-04-07 09:20:12 notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
    Apr 7 09:20:12 centos-box qpidd[1801]: 2012-04-07 09:20:12 notice Broker running

    Thanks

    • SecaGuy says:

      Your logs are not explaining much about pptpd:
      Apr 7 09:20:12 centos-box pptpd[1789]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
      Apr 7 09:20:12 centos-box pptpd[1790]: MGR: Manager process started
      Apr 7 09:20:12 centos-box pptpd[1790]: MGR: Maximum of 6 connections available

      Those are not errors.

  13. Albert says:

    Hi, I have a doubt. Localip and remoteip, and eth0
    my vpn has 2 ip addresses venet0:0 -> 184.xx.yy.76 and venet0:1 184.xx.yy.77
    I do not have eth0.
    How do I need to set up the local and remote ip and also for this command what should I use?

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Thank you

    • SecaGuy says:

      You may need to replace eth0 with venet0 in the iptables command. AFAIK, virtual servers like Virtuozzo and OpenVZ need to have the TUN/TAP kernel module enabled to support VPN. Double confirm this with your server provider if you want to proceed.

  14. Chris says:

    Small problem man (thanks for the great post)

    # rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm
    warning: pptpd-1.3.4-2.el6.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
    error: Failed dependencies:
    ppp = 2.4.5 is needed by pptpd-1.3.4-2.el6.x86_64
    rpmlib(FileDigests) <= 4.6.0-1 is needed by pptpd-1.3.4-2.el6.x86_64
    rpmlib(PayloadIsXz) <= 5.2-1 is needed by pptpd-1.3.4-2.el6.x86_64
    root@04001011820DF [/usr/local/src]#

  15. Patrick says:

    Thanks for the great guide! I have setup a VPN server using this, but am having troubles connecting to it. Below is the print out of my log file. It looks like the issue is the read is returning zero. What would this indicate?

    Apr 16 15:13:17 violet pppd[10619]: pppd 2.4.5 started by root, uid 0
    Apr 16 15:13:17 violet NetworkManager[882]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
    Apr 16 15:13:17 violet NetworkManager[882]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
    Apr 16 15:13:17 violet pppd[10619]: Using interface ppp0
    Apr 16 15:13:17 violet pppd[10619]: Connect: ppp0 /dev/pts/3
    Apr 16 15:13:17 violet pptp[10621]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated
    Apr 16 15:13:17 violet pptp[10658]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 ‘Start-Control-Connection-Request’
    Apr 16 15:13:17 violet pptp[10658]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
    Apr 16 15:13:17 violet pptp[10658]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
    Apr 16 15:13:18 violet pptp[10658]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 ‘Outgoing-Call-Request’
    Apr 16 15:13:18 violet pptp[10658]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
    Apr 16 15:13:18 violet pptp[10658]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer’s call ID 128).
    Apr 16 15:13:18 violet pptp[10658]: anon log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed
    Apr 16 15:13:18 violet pptp[10658]: anon log[callmgr_main:pptp_callmgr.c:258]: Closing connection (shutdown)
    Apr 16 15:13:18 violet pptp[10658]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 ‘Call-Clear-Request’
    Apr 16 15:13:18 violet pptp[10658]: anon log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed
    Apr 16 15:13:18 violet pptp[10658]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
    Apr 16 15:13:18 violet pppd[10619]: Modem hangup
    Apr 16 15:13:18 violet pppd[10619]: Connection terminated.
    Apr 16 15:13:18 violet avahi-daemon[881]: Withdrawing workstation service for ppp0.
    Apr 16 15:13:18 violet NetworkManager[882]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
    Apr 16 15:13:18 violet pppd[10619]: Exit.
    Apr 16 15:13:23 violet pptp[8552]: anon warn[open_inetsock:pptp_callmgr.c:329]: connect: Invalid argument
    Apr 16 15:13:23 violet pptp[8552]: anon fatal[callmgr_main:pptp_callmgr.c:127]: Could not open control connection to 9.37.40.22
    Apr 16 15:13:23 violet pptp[8549]: anon fatal[open_callmgr:pptp.c:487]: Call manager exited with error 256

    • SecaGuy says:

      Do you have ip_gre in your kernel module? You can check by using lsmod command

      • Patrick says:

        It does not appear to be installed. My vpn OS is CentOS. How would I go about setting this up?

        The public network (eth1) is 9.x.x.x as seen in the log.
        The private network (eth0) is 10.x.x.x.

  16. Anup says:

    I got the following error. Any idea how to install these dependencies?

    error: Failed dependencies:
    libc.so.6()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.2.5)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.3.4)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.4)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libutil.so.1()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libutil.so.1(GLIBC_2.2.5)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libwrap.so.0()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64

  17. Anup says:

    I have given :
    localip 172.18.171.201
    remoteip 172.18.171.202-204

    172.18.171.201 is ip of one of the interface and i created 172.18.171.202,172.18.171.203 and 172.18.171.204 as alias.

    While connecting from Windows7 i get 192.168.1.1 if i select “Obtain IP address automatically” and if i give “172.18.171.202” manually then it shows error 207 while connecting.

  18. John says:

    Hi,

    I have done everything to the rules, I can connect to the pptpd fine, the logs look fine too. But for some reason I cannot browse, MTU has been set to 1400 and the iptables has been configured too. The only thing I can view is the httpd client of the main ip of the server. It’s not DNS either because if I type in the IP of another server this doesn’t work either…

  19. John says:

    with regards to my previous comment, by changing the netmask of each ip it seems to work fine now

    • Eric says:

      I have the same problem you had… can you explain in more detail how you fixed it “by changing the netmask of each ip”

  20. artaxerxe says:

    I can’t understand how to set localip and remoteip. They are specified in the /etc/pptpd.conf file. Can you explain me what they represent? On my server, I have a static IP (the WAN) set to aaa.aaa.aaa.aaa -on eth0-, let’s say. The LAN is set to bbb.bbb.bbb.0. That means that the server LAN IP is bbb.bbb.bbb.1 -on eth1-, the gateway where all clients from my LAN points to. The remote machine that I need to create a VPN with has a static IP, let’s say ccc.ccc.ccc.ccc. So, in that scenario, can you explain me how to set localip and remoteip? Thanks!

  21. Rick says:

    Hi i need some help with this :(.

    I get this error and cannot proceed:
    [root@VZ-ID-200 etc]# sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.tcp_syncookies = 1
    error: permission denied on key ‘net.bridge.bridge-nf-call-ip6tables’
    error: permission denied on key ‘net.bridge.bridge-nf-call-iptables’
    error: permission denied on key ‘net.bridge.bridge-nf-call-arptables’

    Also I have this:
    [root@VZ-ID-200 etc]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    FATAL: Module ip_tables not found.
    iptables v1.4.7: can’t initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

  22. KK says:

    I have a centos 6 running in a cloudserver. Most probably not an openvz or virtuozzo.

    This is what I have tested:
    I have a windows PPTP username and vpn setup in my friend’s home. He gave me a dynamic domain name like test123xxxx.dyndns.org. From my home windows7 I can connect to his VPN server and browse his local IP 192.168.1.10

    This is what now I want to do:
    Now what I want to do is setup the Centos6 server as a client to his vpn server and stay always connected. So I need to set it up as a client and I am guessing I do not need the pptpd daemon installed or running. I have installed and verified the following:

    [root@pagol1 ~]# rpm -q ppp
    ppp-2.4.5-5.el6.i686
    [root@pagol1 ~]# rpm -q pptp
    pptp-1.7.2-8.1.el6.i686

    The centos server will only allow connection from my public IP so I will add a firewall rule. And allow all traffic between me and him. When I am offsite or traveling overseas, I will add my IP and continue to do the same.

    Let me know how I can configure this server.

    Thanks,

    KK

  23. Mihai says:

    If I have a server with only 1 IP and I’m running OpenVPN already on that server, will this work?
    I need to give pptp ability too.
    Openvpn uses pam for user/pass, can this work with that too?

  24. md shiful islam says:

    how to Install VPN PPTP Client on CentOS 6??

  25. masoud shaly says:

    connect me to plus google with no filtering

  26. askar says:

    Thanks for sharing, I was able to configure the VPN server on CentOS 6 64bit and connect using M$ 7. I wonder if my ISP sees the traffic (if they are using any sort of DPI) when I connect to the internet using PPTP VPN?

  27. Sam says:

    It was working for me on CentOS 5 but now on CentOS 6 (64bit) everything seems fine but i cannot browse websites.

    What should i check to fix it?

    ppp-2.4.5-5.el6.x86_64
    pptpd-1.3.4-2.el6.x86_64

    Please help.

  28. Vlad says:

    Would I be able to setup a VPN with only 1 public ip address and no local?

  29. x86 says:

    Can you please me? I am getting an error on Windows 7, the error is number 800.

    • x86 says:

      Specifically the error is: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

  30. Steve Jobs says:

    Do you know how to disable /log/messages? I don’t want to log client activity — I’ve searched Google but I’ve had no luck in finding the answers.

  31. Anup says:

    Can it forward UDP broadcast packet?

  32. Anup says:

    When I connect to CentOS pptpd server from Windows7 client, after some time it disconnects automatically. /var/log/messages shows following
    pptpd[12003]: GRE: read(fd=7,buffer=80515c0,len=8260) from network failed: status = -1 error = Protocol not available
    pptpd[12003]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
    pppd[12004]: Modem hangup
    pppd[12004]: Connect time 2.9 minutes.
    pppd[12004]: Sent 388874 bytes, received 527985 bytes.
    pppd[12004]: Connection terminated.
    pppd[12004]: Exit.
    pptpd[12003]: CTRL: Client x.x.x.x control connection finished

    where x.x.x.x is ip of windows 7 client.

    May i know what might be the problem?

  33. Wouter XXLspot says:

    I can make a connection to the server and I registered to the network.
    I can’t visit a website, no connection.
    Seems to be a DNS problem.
    I used the DNS server IP of the datacenter

  34. Liam says:

    THANK YOU!

    I followed this & now my VPN works!!!!!

  35. Boon says:

    I can’t get any internet access after connecting to the VPN, more detail here:

    http://serverfault.com/questions/440103/vpn-pptpd-centos-masquerade-issue

  36. طراحی سایت و سئو says:

    You Are Fantastic , Friend
    I have Installed Vpn Correctly

  37. jaFar says:

    Hello,
    I’m install this and everything is okay,
    But I have one problem with this I can’t access to visit websites by VPN there some problem with this DNS I’m add this in /etc/ppp/options.pptpd
    require-mschap-v2
    require-mppe-128
    ms-dns 8.8.8.8

    so this someone help to fix about this

    Thanks

  38. Deep Saha says:

    Is it possible to open a specific port ? If yes how ?

    Port like UDP 9501

  39. Matt says:

    I can run this command:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    Error:
    iptables: No chain/target/match by that name.

    what can i do to fix it

    • SecaGuy says:

      Have you really checked what your interface name is? You can run the following command to check:
      ip a | grep inet

      Some systems have different interface names like venet and em.

  40. Daniel says:

    worked flawlessly on my linode.. thanks… setting up connection using my arch took less than few minutes…

    I only get some ‘martian source’ packets in ‘dmesg’ but I guess that’s because I’m routing the private subnet though the public interface …

  41. fcukinyahoo says:

    Followed it and had no errors. However, when I connect to it the first time it works, but when I try to connect to it the second time it doesn’t. More details and logs are in following two links,

    http://serverfault.com/questions/454578/vpn-pptp-can-connect-once-wont-connect-to-server-twice

    http://www.linuxquestions.org/questions/showthread.php?p=4843261#post4843261

    any ideas why? the setup of the server seems correct because I can connect to it the first time without any problems I can browse the web, browse the server farm, but second attempt to connect fails from any client, rebooting the pptp server helps but again for 1 time only. Interesting isn’t it?

    • fcukinyahoo says:

      I confirmed that it has something to do with the Linksys WRT54GL router. I setup the same server behind a different router and it worked like a charm. Does anybody know here what to do with the WRT54GL router so I can make it work?

  42. Aaron says:

    I’ve been trying to set this up and it seems that every time I try it, I get this in my message log.

    Dec 6 13:48:41 backup pptpd[651]: CTRL: Starting call (launching pppd, opening GRE)
    Dec 6 13:48:41 backup pppd[653]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
    Dec 6 13:48:41 backup pppd[653]: Couldn’t open the /dev/ppp device: No such device or address
    Dec 6 13:48:41 backup pppd[653]: Please load the ppp_generic kernel module.
    Dec 6 13:48:41 backup pptpd[651]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termina$
    Dec 6 13:48:41 backup pptpd[651]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

    Any idea what is going on? Would appreciate the help a lot.

    BTW, yes I am running it on OpenVZ but I have quite a few extra IP’s available.

    • SecaGuy says:

      As you can see the error: Please load the ppp_generic kernel module. You may need to run the following command to add the ppp_generic kernel module as below:
      modprobe ppp_generic

      Once activated, please run lsmod | grep ppp_generic to check if it is activated. If you can’t see it, your kernel may not support this module.

  43. vix says:

    Hi, this looks like a great guide! Was wondering if you can help me, I’ve been spoiled with all my other servers being on windows server 2008 so it was always very simple. I’ve never used cent before so I have no clue of how to even begin to connect to my new dedicated server I just bought with CentOS 6 and CPANEL.
    I run a vpn company and on all my other servers I use windows but now I want to learn how to use cent so I can use cpanel and automate a lot of tasks.
    http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/
    Before I followed this guide above for all my servers, so I guess my main questions are:
    1) What is the best remote desktop alternative for CentOS because I can’t do these commands directly from cpanel right?
    2) My dedicated servers for example have around 60 unique ip addresses each, and normally when a user buys my service I simply go to remote desktop and give them a username and password and one unique ip address, how would I do this for centos?
    THANK YOU SO MUCH FOR YOUR HELP!!!

    • SecaGuy says:

      1) You may need to install CentOS with GUI enabled. Then you can use a VNC client to remote desktop into it (you must enable the VNC server inside the CentOS box)
      2) As for this, I strongly recommend you to use CLI instead of GUI because it’s fairly easy once you know how to do it. VNC is not as smooth as RDC. You need to learn some CentOS stuff before you want to sell something related to it, right?

      If you have a lot of IPs, and you want to assign one to each user, just replace “*” in step 5 with the IP address that you want to assign. It’s super easy, right?

      • vix says:

        Wow thank you so much for your help!!! I’m glad to see you reply to your readers, that’s awesome, I don’t have time to try it now but will try it this week and will ask you if I have any troubles.

        I’m not sure if you’re familiar with WHMCS but I use that for my website and I think after I follow the instructions above to initially install pptp on the centOS. I think I might actually be able to create and suspend user accounts through WHMCS & CPANEL that would be awesome. Cause centos doesn’t look as user friendly.

  44. Ehsan says:

    I have setup pptpd and xl2tpd on centos server and everything is fine but there is a problem with connection of some clients which their NATed devices are different from others.
    I think there should be a missing line in my options.pptpd and options.xl2tpd that solves my problem.
    As I have tried many times from these clients the followings happen:
    1.(PPTP Problem)a client behind router with public ip address works fine but for few adsl routers connects but disconnects after a webpage opening.(consider this is for very few adsl ISPs for the other it works).Maybe some routing misconfiguration in my iptables.
    2.(L2TP with IPSec and PSK)a client behind router with public ip address connects and no disconnecting here but no internet traffic routed.
    So i would be so thankful if anybody helps.

  45. vix says:

    Hi, I got this error

    error: Failed dependencies:
    libc.so.6()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.2.5)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.3.4)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libc.so.6(GLIBC_2.4)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libutil.so.1()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libutil.so.1(GLIBC_2.2.5)(64bit) is needed by pptpd-1.3.4-2.el6.x86_64
    libwrap.so.0()(64bit) is needed by pptpd-1.3.4-2.el6.x86_64

    I see someone else also had this problem and you said

    “have u install glibc with dependencies?”

    where do i get that from and what are the commands to install it thanks

  46. vix says:

    any suggestions?

    • SecaGuy says:

      Have you made sure that all required libs are there? libutil, libc, libwrap? You can search for the package provider by using the following command:
      yum provides *libwrap.so.0*

      • vix says:

        Yeah that’s probably the problem, can you tell me all the commands for lib that I need to do this is what I get when I type what you said:

        [~]# yum provides *libwrap.so.0*
        Loaded plugins: fastestmirror, security
        Loading mirror speeds from cached hostfile
        * base: mirror.team-cymru.org
        * extras: mirror.5ninesolutions.com
        * updates: mirror.steadfast.net
        base | 3.7 kB 00:00
        extras | 3.5 kB 00:00
        updates | 3.5 kB 00:00
        updates/primary_db | 3.9 MB 00:01
        base/filelists_db | 4.9 MB 00:02
        extras/filelists_db | 13 kB 00:00
        updates/filelists_db | 3.0 MB 00:00
        tcp_wrappers-libs-7.6-57.el6.i686 : Libraries for tcp_wrappers
        Repo : base
        Matched from:
        Filename : /lib/libwrap.so.0.7.6
        Filename : /lib/libwrap.so.0
        Other : libwrap.so.0

        tcp_wrappers-libs-7.6-57.el6.i686 : Libraries for tcp_wrappers
        Repo : installed
        Matched from:
        Filename : /lib/libwrap.so.0.7.6
        Filename : /lib/libwrap.so.0
        Other : libwrap.so.0

  47. Asim says:

    Hi
    I have set the localip 192.168.220.1 and remoteip 192.168.220.2-102
    When I am going to connect to the server several times it shows different errors like 619, 809, 31 etc.

    I have executed the following command cat /var/log/messages

    here are the results

    Dec 18 06:48:47 kernel: PPP generic driver version 2.4.2
    Dec 18 06:48:54 pptpd[5973]: CTRL: Client 180.149.0.251 control connection started
    Dec 18 06:48:54 pptpd[5973]: CTRL: Starting call (launching pppd, opening GRE)
    Dec 18 06:48:54 pppd[6055]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Dec 18 06:48:54 pppd[6055]: The remote system is required to authenticate itself
    Dec 18 06:48:54 pppd[6055]: but I couldn’t find any suitable secret (password) for it to use to do so.
    Dec 18 06:48:54 pppd[6055]: (None of the available passwords would let it use an IP address.)
    Dec 18 06:48:54 pptpd[5973]: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Dec 18 06:48:54 pptpd[5973]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Dec 18 06:48:54 pptpd[5973]: CTRL: Client 180.149.0.251 control connection finished

    IF SOMEONE COULD HELP ME TO SOLVE THE PROBLEM HOW TO?

    • SecaGuy says:

      Kindly focus on the following lines:
      Dec 18 06:48:54 pppd[6055]: but I couldn’t find any suitable secret (password) for it to use to do so.
      Dec 18 06:48:54 pppd[6055]: (None of the available passwords would let it use an IP address.)

      Make sure that /etc/ppp/chap-secrets has the correct IP assigned for every user. Try assigning an IP address instead of “*”.
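
pppd(8) documents the fourth chap-secrets field as follows: an entry with only three words, or whose address list starts with "-", permits no IP address at all; "*" permits any; a word starting with "!" excludes an address. The check below is an added example (not from the original post or any commenter) that models those rules so an entry can be tested against the address pptpd would hand out. The sample file, the function names and the result strings are constructed; hostname words are skipped and the first matching entry is used, both simplifications.

```python
import ipaddress
import shlex

# Constructed sample file; users, secrets and addresses are made up.
SAMPLE_CHAP_SECRETS = """\
# client  server  secret       IP addresses
alice     pptpd   "s3cret one" *
bob       pptpd   hunter2
carol     pptpd   pw3          !192.168.220.50 192.168.220.0/24
dave      *       pw4          -
"""


def parse_chap_secrets(text):
    """Return one dict per entry; the secret itself is deliberately not kept."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # shlex handles "quoted secrets" and strips '#' comments.
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if len(words) < 3:
            raise ValueError(f"line {lineno}: need client, server and secret")
        entries.append({"line": lineno, "client": words[0],
                        "server": words[1], "addrs": words[3:]})
    return entries


def address_allowed(addr_words, ip):
    """Apply the address-list rules to one candidate peer address."""
    ip = ipaddress.ip_address(ip)
    # Three-word entry, or a list starting with "-": nothing is permitted.
    if not addr_words or addr_words[0] == "-":
        return False
    # Words are evaluated in order; the first one that matches decides.
    for word in addr_words:
        negate = word.startswith("!")
        spec = word[1:] if negate else word
        if spec == "*":
            matched = True
        else:
            try:
                matched = ip in ipaddress.ip_network(spec, strict=False)
            except ValueError:
                continue  # hostname or other form this sketch does not resolve
        if matched:
            return not negate
    return False


def check_login(entries, client, server, ip):
    """Return 'ok', 'ip-not-allowed' or 'no-secret' for a client/server/IP."""
    for entry in entries:
        if entry["client"] in (client, "*") and entry["server"] in (server, "*"):
            if address_allowed(entry["addrs"], ip):
                return "ok"
            return "ip-not-allowed"
    return "no-secret"


if __name__ == "__main__":
    parsed = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, check_login(parsed, user, "pptpd", "192.168.220.2"))
```

The "ip-not-allowed" result corresponds to the log message "None of the available passwords would let it use an IP address" quoted in the comment above.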

  48. vix says:

    hi it seems that the package is not available? what should i do? thanks

    yum install tcp-wrappers-libs
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
    * base: mirror.steadfast.net
    * extras: mirrors.versaweb.com
    * updates: mirror.raystedman.net
    base | 3.7 kB 00:00
    extras | 3.5 kB 00:00
    updates | 3.5 kB 00:00
    updates/primary_db | 3.9 MB 00:09
    Setting up Install Process
    No package tcp-wrappers-libs available.
    Error: Nothing to do

    • SecaGuy says:

      Just make sure all required libraries are installed. Then try to proceed with the steps in this tutorial. If you are still having problems doing that, you can get assistance from the active communities in the Fedora or CentOS forums.

      • vix says:

        I think this is the last thing I need installed and then I shouldn’t have any more problems, could you please teach me how to download the needed libraries. I’d be willing to pay for your help in setting up a few other things to, not sure how to contact you though?

  49. Neolo says:

    After this tutorial I had no internet access, so after 1 day of researching I found a solution (CentOS 6). Add the following additional lines to your iptables:

    -A INPUT -i eth0 -p gre -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ppp0 -o eth0 -j ACCEPT

  50. سرور says:

    tnx very good

  51. Anup says:

    I have configured username, password, ip in /etc/ppp/chap-secrets

    But sometimes when windows client disconnects, server still shows windows clients ip when i do ifconfig.

    and when windows client reconnects it shows two ppp interface with same ip . how can I solve this problem? Is there any command to disconnect particular ppp client?

    Here is the screenshot
    http://tinypic.com/r/2uqirz4/6

  52. sam says:

    How can change default port of pptp?

  53. Cris Mooney says:

    Dying here…

    After a couple dozen hours, I’ve done my best to reduce to the most basic I can come up with, just to get a baseline to build from. But, I can’t get it to work. At the end, when I try and connect VPN to 172.16.0.216 from 172.16.0.228 using Win XP VPN, I see three incoming packets on the server side, and nothing more than the “Error 800: Unable to establish the VPN connection…” (traces at the end below). I get the impression PPTPd should log in /var/log/messages, and then reach out to ppp, but I see none of that and don’t know where to look deeper.

    Resources I used to get this far:

    http://blog.secaserver.com/2011/10/install-vpn-pptp-server-centos-6/
    http://docs.cslabs.clarkson.edu/wiki/Install_PPTP_on_CentOS_5
    http://freehostinganswers.com/blog/how-to-install-your-own-vpn-server-in-5-mins-pptp-on-centos-redhat-and-ubuntu/
    http://ripplesedge.com/wordpress/?p=217
    https://www.centos.org/modules/newbb/viewforum.php?forum=58

    Any ideas what I am doing wrong?

    ESXi 5.1, 5GB disk, 600MB RAM, CentOS 6.4 64 bit “Minimal: core” install. The “>>>” items below are text edited in vi.

    # vi /etc/sysconfig/network-scripts/ifcfg-eth0
    >>> ONBOOT=yes
    # reboot
    # yum update
    # reboot

    # uname -a
    Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    # ifconfig -a
    eth0 … inet addr:172.16.0.216 Bcast:172.16.0.255 Mask:255.255.255.0 …
    # yum install ppp -y
    Installed:
    ppp.x86_64 0:2.4.5-5.el6
    Dependency Installed:
    libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6
    # yum install wget -y
    Installed:
    wget.x86_64 0:1.12-1.8.el6
    # yum install perl -y
    Installed:
    perl.x86_64 4:5.10.1-129.el6
    Dependency Installed:
    perl-Module-Pluggable.x86_64 1:3.90-129.el6
    perl-Pod-Escapes.x86_64 1:1.04-129.el6
    perl-Pod-Simple.x86_64 1:3.13-129.el6
    perl-libs.x86_64 4:5.10.1-129.el6
    perl-version.x86_64 3:0.77-129.el6
    # yum install tcpdump -y
    Installed:
    tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.el6

    # cd /usr/local/src
    # wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
    # rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm
    # vi /etc/sysctl.conf
    >>> net.ipv4.ip_forward = 1
    # sysctl -p
    # vi /etc/pptpd.conf
    >>> localip 172.16.0.216
    >>> remoteip 172.16.0.80-85
    # vi /etc/ppp/options.pptpd
    >>> ms-dns 172.16.0.10
    >>> ms-dns 172.16.0.11
    # vi /etc/ppp/chap-secrets
    >>> foo * bar *
    # iptables -A INPUT -i eth0 -p gre -j ACCEPT
    # iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
    # iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
    # service iptables restart
    iptables: Flushing firewall rules: [ OK ]
    iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
    iptables: Unloading modules: [ OK ]
    iptables: Applying firewall rules: [ OK ]
    # vi /etc/selinux/config
    >>> SELINUX=disabled
    # reboot

    # service pptpd start
    # tcpdump -i eth0 port 1723
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:40:44.507180 IP 172.160.238.52466 > 172.16.0.211.pptp: Flags [S], seq 4185254005, win 64240, options [mss 1402,nop,nop,sackOK], length 0
    23:40:47.436369 IP 172.160.238.52466 > 172.16.0.211.pptp: Flags [S], seq 4185254005, win 64240, options [mss 1402,nop,nop,sackOK], length 0
    23:40:53.451835 IP 172.160.238.52466 > 172.16.0.211.pptp: Flags [S], seq 4185254005, win 64240, options [mss 1402,nop,nop,sackOK], length 0
    # tail -f /var/log/messages
    [root@CentOS-6-template ~]# tail -f /var/log/messages
    Mar 20 23:21:37 CentOS-6-template abrtd: Init complete, entering main loop
    Mar 20 23:23:50 CentOS-6-template pptpd[1928]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
    Mar 20 23:23:50 CentOS-6-template pptpd[1929]: MGR: Manager process started
    Mar 20 23:23:50 CentOS-6-template pptpd[1929]: MGR: Maximum of 6 connections available
    Mar 20 23:25:11 CentOS-6-template kernel: device eth0 entered promiscuous mode
    Mar 20 23:26:08 CentOS-6-template kernel: device eth0 left promiscuous mode

    # cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Mar 20 22:55:17 2013
    *nat
    :PREROUTING ACCEPT [20:1864]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Thu Mar 21 17:39:56 2013
    # Generated by iptables-save v1.4.7 on Thu Mar 21 17:39:56 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4:480]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -i eth0 -p gre -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -i ppp+ -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o ppp+ -j ACCEPT
    COMMIT

    Last resort: my 400MB OVF at http://forus.com/forus/tmp/VPNTestClean64.zip

    Any help will be very much appreciated.

    Thank you for considering,
    Cris Mooney

  54. Cris Mooney says:

    A base Cent OS 6 install (at least 6.4) has the following relevant “iptables” firewall rules in place:


    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    Without enabling traffic ABOVE these, likely using “iptables -I” (insert) instead of commonly cited “iptables -A” (append), you will see an “icmp destination unreachable (host administratively prohibited)” response from your server in a client side trace with WireShark (LAN testing encouraged).

    Recommendation:

    While testing/learning, disable the OS firewall with “service iptables save”, until you have confirmed things work. Unintuitively, or at least I find it to be, you can disable the “iptables” firewall and PPTP will work (I would have expected it be required for the “POSTROUTING -o eth0 -j MASQUERADE” directive).

    You can use a windows client within your LAN for testing the VPN connection (harder with Windows Remote Access as noted below, and thus not intuitive to some). But note that LAN access to that client station will go down if it does connect, so you will need to have access to the console (or kill the server connection side to get back).

    During testing, also try and remember that “service pptpd start” will not hold over reboot (until you do “chkconfig pptpd on”), and neither will “service iptables stop” (and I do not recommend “chkconfig iptables off” since you may forget to set up your “iptables” firewall once basic testing is done).

    With PPTP working open and internally, properly enabling the “iptables” firewall you will have to add rules. Be sure all your iptables rules, not just the “POSTROUTING”, show above the “REJECTS”. Using “-I” instead of “-A” may do this properly. You can then go after opening TCP port 1723, and GRE, in your public firewall.

    My iptable rule additions:


    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -I INPUT -i eth0 -p gre -j ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
    # iptables -I FORWARD -i ppp+ -o eth0 -j ACCEPT
    # iptables -I FORWARD -i eth0 -o ppp+ -j ACCEPT
    # service iptables save

    Also, “localip” clarification: this is your simple/normal Cent OS VPN server machine LAN address. Counterintuitively to the gurus, this is not obvious to those of us coming from Windows Remote Access setup, where as I understand it one is required to have a separate card and subnet for the “incoming VPN” service to listen on (for incoming port 1723 and GRE). With this Cent OS PPTP implementation all can happen in your normal single subnet, with “localip” unlikely to be the sometimes given example like “10.10.10.1” (since “1” is quite often the “special” gateway router address, confusing newbie interpretation of what “localip” is). Your simple PPTP VPN server LAN address like “10.10.10.2” is the “localip”, seen as “eth0″ in “ipconfig -a” (and perhaps assigned on boot by DHCP during testing…once you figure out to enable “ONBOOT=yes”, but I digress). The “remoteip” address(es) are LAN assigned DHCP style to connecting clients (like “10.10.10.20-29″).

    Finally, remember, your “test” client can be something in the same LAN like “10.10.10.30”. Connecting will make the client networking a bit wonky as noted above, so it is just for testing it “works”, and using Windows WireShark to diagnose.


    # cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [54:7776]
    -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A INPUT -i eth0 -p gre -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -i eth0 -o ppp+ -j ACCEPT
    -A FORWARD -i ppp+ -o eth0 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Fri Mar 22 14:27:25 2013
    # Generated by iptables-save v1.4.7 on Fri Mar 22 14:27:25 2013
    *nat
    :PREROUTING ACCEPT [161:16636]
    :POSTROUTING ACCEPT [1:96]
    :OUTPUT ACCEPT [2:153]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
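
The ordering problem described in the comment above can be checked mechanically: any rule appended after an unconditional REJECT, DROP or ACCEPT in the same chain is never evaluated. The following is an added example (not from the original post or any commenter) that reads `iptables-save` text and lists such shadowed rules; the two rulesets are the ones posted in comments 53 and 54, with chain-policy and timestamp lines omitted, and the function names are constructed for this sketch.

```python
import shlex

# Ruleset from comment 53 (rules appended with -A, after the default REJECTs).
BROKEN = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
"""

# Ruleset from comment 54 (rules inserted with -I, ahead of the REJECTs).
FIXED = """\
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def catch_all_target(tokens):
    """Return the target if the rule has no match conditions, else None."""
    rest = tokens[2:]  # skip "-A CHAIN"
    # iptables-save writes matches first, then "-j TARGET", then target options,
    # so "-j" directly after the chain name means the rule matches everything.
    if len(rest) >= 2 and rest[0] == "-j" and rest[1] in TERMINAL_TARGETS:
        return rest[1]
    return None


def find_shadowed(save_text):
    """List (table, chain, rule, blocker) for rules placed after a catch-all."""
    shadowed, blocker, table = [], {}, None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            key = (table, tokens[1])
            if key in blocker:
                shadowed.append((table, tokens[1], line, blocker[key]))
            elif catch_all_target(tokens):
                blocker[key] = line
    return shadowed


if __name__ == "__main__":
    for table, chain, rule, blocked_by in find_shadowed(BROKEN):
        print(f"{table}/{chain}: never reached: {rule}")
        print(f"    placed after: {blocked_by}")
```

Run against `/etc/sysconfig/iptables` after `service iptables save`, an empty result means no PPTP rule sits behind a catch-all REJECT.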

  55. Cris Mooney says:

    Typos in previous post:

    > while testing/learning, disable the OS firewall with “service iptables save”,

    Should be “service iptables stop”.

    My actual notes of what I did:

    ESXi 5.1, 5GB disk, 600MB RAM, CentOS 6.4 64 bit “Minimal: core” install. The “>>>” is text edited in vi.

    # vi /etc/sysconfig/network-scripts/ifcfg-eth0
    >>> ONBOOT=yes
    # reboot
    # yum update
    # reboot

    # uname -a
    Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    # ifconfig -a
    eth0 ... inet addr:172.16.0.216 Bcast:172.16.0.255 Mask:255.255.255.0 ...
    # yum install ppp -y
    Installed:
    ppp.x86_64 0:2.4.5-5.el6
    Dependency Installed:
    libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6
    # yum install wget -y
    Installed:
    wget.x86_64 0:1.12-1.8.el6
    # yum install perl -y
    Installed:
    perl.x86_64 4:5.10.1-129.el6
    Dependency Installed:
    perl-Module-Pluggable.x86_64 1:3.90-129.el6
    perl-Pod-Escapes.x86_64 1:1.04-129.el6
    perl-Pod-Simple.x86_64 1:3.13-129.el6
    perl-libs.x86_64 4:5.10.1-129.el6
    perl-version.x86_64 3:0.77-129.el6
    # yum install tcpdump -y
    Installed:
    tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.el6

    # cd /usr/local/src
    # wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
    # rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm
    # vi /etc/sysctl.conf
    >>> net.ipv4.ip_forward = 1
    # sysctl -p
    # vi /etc/pptpd.conf
    >>> localip 10.10.10.2
    >>> remoteip 10.10.10.3-9
    # vi /etc/ppp/options.pptpd
    >>> ms-dns 10.10.10.10
    >>> ms-dns 10.10.10.11
    # vi /etc/ppp/chap-secrets
    >>> foo * bar *
    # service pptpd start
    # service iptables stop

    -- should work here --

    # iptables -I INPUT -i eth0 -p gre -j ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -I FORWARD -i ppp+ -o eth0 -j ACCEPT
    # iptables -I FORWARD -i eth0 -o ppp+ -j ACCEPT
    # service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
    # service iptables start
    iptables: Flushing firewall rules: [ OK ]
    iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
    iptables: Unloading modules: [ OK ]
    iptables: Applying firewall rules: [ OK ]

    -- should work here --

    # chkconfig pptpd on
    # reboot

    # tcpdump -i eth0 port 1723
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:37:19.620105 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [S], seq 2505425961, win 64512, options [mss 1460,nop,nop,sackOK], length 0
    14:37:19.620199 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [S.], seq 3664049741, ack 2505425962, win 14600, options [mss 1460,nop,nop,sackOK], length 0
    14:37:19.620544 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [P.], seq 1:157, ack 1, win 64512, length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT)
    14:37:19.620587 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [.], ack 157, win 15544, length 0
    14:37:19.634287 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [P.], seq 1:157, ack 157, win 15544, length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
    14:37:19.634570 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [P.], seq 157:325, ack 157, win 64356, length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(9813) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
    14:37:19.644849 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [P.], seq 157:189, ack 325, win 16616, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
    14:37:19.648549 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [P.], seq 325:349, ack 189, win 64324, length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
    14:37:19.687998 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [.], ack 349, win 16616, length 0
    14:37:21.661412 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [P.], seq 349:373, ack 189, win 64324, length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff)
    14:37:21.661443 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [.], ack 373, win 16616, length 0
    14:37:29.875543 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [P.], seq 373:397, ack 189, win 64324, length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
    14:37:29.875595 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [.], ack 397, win 16616, length 0
    14:37:33.134480 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [F.], seq 189, ack 397, win 16616, length 0
    14:37:33.134626 IP 10.10.10.30.4632 > 10.10.10.2.pptp: Flags [F.], seq 397, ack 190, win 64324, length 0
    14:37:33.134643 IP 10.10.10.2.pptp > 10.10.10.30.4632: Flags [.], ack 398, win 16616, length 0

    # tail -f /var/log/messages
    Mar 22 14:36:26 CentOS-6-template pptpd[2072]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
    Mar 22 14:36:26 CentOS-6-template pptpd[2073]: MGR: Manager process started
    Mar 22 14:36:26 CentOS-6-template pptpd[2073]: MGR: Maximum of 6 connections available
    Mar 22 14:37:11 CentOS-6-template kernel: device eth0 entered promiscuous mode
    Mar 22 14:37:19 CentOS-6-template pptpd[2132]: CTRL: Client 10.10.10.30 control connection started
    Mar 22 14:37:19 CentOS-6-template pptpd[2132]: CTRL: Starting call (launching pppd, opening GRE)
    Mar 22 14:37:19 CentOS-6-template pppd[2133]: Warning: can't open options file /root/.ppprc: Permission denied
    Mar 22 14:37:19 CentOS-6-template pppd[2133]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
    Mar 22 14:37:19 CentOS-6-template pppd[2133]: pppd 2.4.5 started by root, uid 0
    Mar 22 14:37:19 CentOS-6-template pppd[2133]: Using interface ppp0
    Mar 22 14:37:19 CentOS-6-template pppd[2133]: Connect: ppp0 /dev/pts/2
    Mar 22 14:37:19 CentOS-6-template pptpd[2132]: GRE: Bad checksum from pppd.
    Mar 22 14:37:21 CentOS-6-template pptpd[2132]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    Mar 22 14:37:21 CentOS-6-template pppd[2133]: MPPE 128-bit stateless compression enabled
    Mar 22 14:37:24 CentOS-6-template pppd[2133]: found interface eth0 for proxy arp
    Mar 22 14:37:24 CentOS-6-template pppd[2133]: local IP address 10.10.10.2
    Mar 22 14:37:24 CentOS-6-template pppd[2133]: remote IP address 10.10.10.3
    Mar 22 14:37:29 CentOS-6-template pppd[2133]: LCP terminated by peer (BE8t^@<M-Mt^@^@^@^@)
    Mar 22 14:37:29 CentOS-6-template pppd[2133]: Connect time 0.1 minutes.
    Mar 22 14:37:29 CentOS-6-template pppd[2133]: Sent 96 bytes, received 2010 bytes.
    Mar 22 14:37:32 CentOS-6-template pppd[2133]: Connection terminated.
    Mar 22 14:37:33 CentOS-6-template pppd[2133]: Modem hangup
    Mar 22 14:37:33 CentOS-6-template pppd[2133]: Exit.
    Mar 22 14:37:33 CentOS-6-template pptpd[2132]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Mar 22 14:37:33 CentOS-6-template pptpd[2132]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Mar 22 14:37:33 CentOS-6-template pptpd[2132]: CTRL: Client 10.10.10.30 control connection finished

    Hope this helps someone else, or someone else corrects me here.
    Cris

  56. Cris Mooney says:

    Yet one more noticed typo:

    > eth0 … inet addr:172.16.0.216 Bcast:172.16.0.255 Mask:255.255.255.0 …

    Should be the following to be consistent with my example:

    eth0 … inet addr:10.10.10.2 Bcast:110.10.10.255 Mask:255.255.255.0 …

    This was a typo in my trying to make it generic, with “10.10.10.x” indicating the LAN side addresses. You put in your own LAN IP stuff in place of “10.10.10”. I point this typo out since I see many folks asking the same question I had about “localip”, which I’ve not found clearly discussed anywhere, and this is the info the “inet addr:” line is trying to confirm. On my Win 2003 server Remote PPTP setup, I have two “localip” LAN addresses. One like “10.10.20.2” for the public “incoming” side, and another like “10.10.10.2” for the local LAN address which made me arrive here with one more confused bias. It is possible I set up Windows “overkill”, having a local isolated LAN on the public side behind my firewall, and that there is a simpler setup there too – but questions indicate I may not be alone. Windows does also have the “remoteIP” range as well, there is just one extra interface possible (or required) on the “localip” front.

  57. Drew says:

    Hey Secaguy,

    Thanks for the post, just thought I’d share a script that automates the installation of PPTP VPN on CentOS if you’re interested in taking a look:

    http://drewsymo.com/networking/vpn/install-ptpp/

    Thanks!
    drewsymo.com

  58. zg says:

    Hi Secaguy;

    I need some help. There are the logs:
    Feb 24 23:05:10 VM_20_106_centos pptpd[9867]: CTRL: Starting call (launching pppd, opening GRE)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: pppd options in effect:
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: debug#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: nologfd#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: dump#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: require-mschap-v2#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: refuse-pap#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: refuse-chap#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: refuse-mschap#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: name pptpd#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: remotenumber 114.246.93.239#011#011# (from command line)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: 115200#011#011# (from command line)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: lock#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: record /tmp/pppoe-log#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: local#011#011# (from command line)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: novj#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: novjccomp#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: ipparam 114.246.93.239#011#011# (from command line)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: ms-dns xxx # [don't know how to print value]#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: proxyarp#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: 172.16.36.1:172.16.36.2#011#011# (from command line)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: nobsdcomp#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: require-mppe-128#011#011# (from /etc/ppp/options.pptpd)
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: pppd 2.4.5 started by baadmin, uid 0
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: Using interface ppp0
    Feb 24 23:05:10 VM_20_106_centos pppd[9868]: Connect: ppp0 /dev/pts/5
    Feb 24 23:05:40 VM_20_106_centos pppd[9868]: LCP: timeout sending Config-Requests
    Feb 24 23:05:40 VM_20_106_centos pppd[9868]: Connection terminated.
    Feb 24 23:05:40 VM_20_106_centos pppd[9868]: Modem hangup
    Feb 24 23:05:40 VM_20_106_centos pppd[9868]: Exit.
    Feb 24 23:05:40 VM_20_106_centos pptpd[9867]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Feb 24 23:05:40 VM_20_106_centos pptpd[9867]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Feb 24 23:05:40 VM_20_106_centos pptpd[9867]: CTRL: Client 114.246.93.239 control connection finished

    Error 619 when connecting from Win7. I don’t know how to solve it.
    Can you give me some advice? Thanks in advance!

    • imran says:

      Hi,

      Check your server MTU. It looks like an MTU error. Or check your options.pptpd again.

      Let us know if you have any other issue.

      Regards:
      Imran
