This topic describes how to configure a connection between a PPTP VPN server and a PPTP VPN client on a CentOS 7 instance.
Background information
Point-to-Point Tunneling Protocol (PPTP) is a network tunneling technology based on the Point-to-Point Protocol (PPP) and used in virtual private networks (VPNs). You can connect to a VPN over PPTP. To do so, dial up to the PPTP server to establish a PPP connection, perform PPTP negotiation to create a tunnel between your client and the server, and then perform PPP Network Control Protocol (NCP) negotiation to assign an IP address from the IP address range of the VPN to your client. You can use this assigned IP address to communicate within the VPN. This way, you can establish a tunnel or connection to a VPN over the Internet.
This topic provides examples and instructions on the preceding procedure. Operations may vary based on actual conditions. PPTP has many well-known security issues. We recommend that you evaluate these issues and their impacts on your business before you use it. For more information, see PPTP Client.
Prerequisites
An Elastic Compute Service (ECS) instance is created. For more information, see Create an instance by using the wizard.
The example in this topic uses an ECS instance that has the following configurations. To prevent command errors caused by operating system version issues, we recommend that you use the same operating system that is used in the example.
Instance type: ecs.c6.large
Operating system: CentOS 7.2 public image
Network type: Virtual Private Cloud (VPC)
IP address: a public IP address
A rule is configured in a security group of the instance to allow traffic on TCP port 1723. This port is required to configure PPTP VPNs. For more information, see Add a security group rule.
Configure a PPTP VPN server
Perform the following steps to configure a PPTP VPN server:
Connect to the instance.
For more information, see Connection methods.
Run the following command to install a PPTP VPN server:
yum install -y ppp pptpd
If a command output similar to the one in the following figure is returned, it indicates that the PPTP server is installed.
Edit the pptpd configuration file.
Run the following command to open the pptpd configuration file:
vi /etc/pptpd.conf
Delete the number sign (#) at the start of the following two lines so that they take effect, and then run the :wq command to save and close the file:
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
If a command output similar to the one in the following figure is returned, it indicates that the pptpd configuration file is edited.
Note: localip specifies the IP address of the VPN gateway, and remoteip specifies the IP address range from which clients obtain an address after they dial up to the VPN. You can set these parameters based on your needs.
Run the following command to open the pptpd options file:
vi /etc/ppp/options.pptpd
Set ms-dns to 223.5.5.5 and 223.6.6.6, and then run the :wq command to save the modification and exit. After the change, the relevant lines read as follows:
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 223.5.5.5
ms-dns 223.6.6.6
Note: 223.5.5.5 and 223.6.6.6 are the IP addresses of Alibaba Cloud public DNS servers. You can set ms-dns to the IP addresses of other DNS servers based on your needs.
If a command output similar to the one in the following figure is returned, it indicates that ms-dns is set.
Run the following command to configure usernames and passwords for the PPTP daemon (pptpd):
vi /etc/ppp/chap-secrets
Add accounts based on your needs, one account per line, in the following format, with the fields separated by spaces. Then, run the :wq command to save the modification and exit.
<Username> pptpd <Password> <IP address>
Note: Example: test pptpd 123456 *. The asterisk (*) indicates all IP addresses.
# Secrets for authentication using CHAP
# client server secret IP addresses
test pptpd 123456 *
If a command output similar to the one in the following figure is returned, it indicates that a username and password are configured for pptpd.
Run the following command to set the maximum transmission unit (MTU):
vi /etc/ppp/ip-up
Below the [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" line, add ifconfig ppp0 mtu 1472. The end of the /etc/ppp/ip-up file then reads as follows:
/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
ifconfig ppp0 mtu 1472
If a command output similar to the one in the following figure is returned, it indicates that the MTU is set.
Configure kernel parameters.
Run the following command to edit the sysctl configuration file:
vi /etc/sysctl.conf
Add the net.ipv4.ip_forward parameter, set it to 1, and then run the :wq command to save and close the file.
If a command output similar to the one in the following figure is returned, it indicates that the parameter is added and set.
Run the following command to make the parameter take effect:
sysctl -p
Add firewall rules.
Run the following command to add an iptables forwarding rule:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
Run the following command to add a NAT forwarding rule. Replace XXX.XXX.XXX.XXX with the public IP address of your instance.
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to-source XXX.XXX.XXX.XXX
Run the following command to save the rules:
service iptables save
If a command output similar to the following one is returned, it indicates that the rules are saved.
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
If a command output similar to the following one is returned, it indicates that the command failed to run.
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
Note: This issue occurs because the iptables service is not installed on the ECS instance. You must install the iptables service before you run the service iptables save command. Perform the following operations.
(Optional) Install and configure the iptables service.
Run the following commands in sequence to disable the firewall:
systemctl stop firewalld
systemctl mask firewalld
Run the following command to install the iptables service:
yum install iptables-services
Run the following command to configure the iptables service to start on instance startup:
systemctl enable iptables
Run the following command to restart the iptables service:
systemctl restart iptables
Run the following command to check whether the rules are saved:
service iptables save
Configure PPTP
Run the following command to restart PPTP:
systemctl restart pptpd
Note: Because PPTP is not running yet, the Shutting down pptpd [FAILED] message and an alert appear when you try to restart PPTP. You can ignore the message and the alert and run the command again to restart PPTP. No messages or alerts appear this time.
Run the following command to restart iptables:
systemctl start iptables
Run the following commands in sequence to configure pptpd and iptables to start on instance startup:
systemctl enable pptpd.service
systemctl enable iptables.service
After you complete the preceding steps, the PPTP VPN server is installed. You can configure new connections or networks in the Network and Sharing Center of your Windows client and then use the VPN to access the networks.
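The server-side steps above are interactive vi edits. The following script is an added example, not part of the original topic, that performs the same edits with sed and awk so that they can be scripted and re-run safely; each function is idempotent and takes the file to edit as its first argument, which is also how the tests exercise it on temporary copies. The paths, the 192.168.0.0/24 pool, the 223.5.5.5/223.6.6.6 DNS servers and the test/123456 account are the topic's own values. Two deliberate differences from the topic are assumptions of this example rather than the page's instructions: the MTU line uses the interface name that pppd passes to ip-up as its first argument (so it also covers ppp1, ppp2, ...), and it is inserted right after the ip-up.local line rather than appended, because a trailing "exit 0" in that script would otherwise prevent it from running. The firewall part inserts accept rules for the PPTP control connection (TCP 1723) and the GRE tunnel traffic ahead of the reject rules that iptables-services ships with, and applies only the MASQUERADE rule, which picks the outgoing address itself.

```shell
#!/bin/sh
# Added example, not part of the original topic: applies the server-side edits
# described above with sed/awk instead of vi. Every function takes the file to
# edit as its first argument and is idempotent. Run as root with the single
# argument "apply" to change the live system; without it nothing is touched.
set -eu

# Replace every active or commented "KEY ..." line with a single "KEY VALUE".
# Dropping the commented alternatives avoids duplicate localip/remoteip lines.
set_kv_option() {
    local file="$1" key="$2" value="$3"
    sed -i -E "/^#?[[:space:]]*${key}[[:space:]]/d" "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
}

# Replace the active ms-dns lines (the commented defaults stay) with the given servers.
set_ms_dns() {
    local file="$1"
    shift
    sed -i -E '/^[[:space:]]*ms-dns[[:space:]]/d' "$file"
    for dns in "$@"; do printf 'ms-dns %s\n' "$dns" >> "$file"; done
}

# Add or replace a CHAP account: <client> <server> <secret> <IP addresses>.
# The secret is quoted so that it may contain spaces; the file is kept 0600
# because it stores cleartext passwords.
add_chap_account() {
    local file="$1" user="$2" password="$3" server="${4:-pptpd}" ips="${5:-*}"
    touch "$file"
    awk -v u="$user" -v s="$server" '!($1 == u && $2 == s)' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    printf '%s %s "%s" %s\n' "$user" "$server" "$password" "$ips" >> "$file"
    chmod 600 "$file"
}

# Insert LINE directly after the first line that starts with ANCHOR, once.
insert_after_once() {
    local file="$1" anchor="$2" line="$3"
    if ! grep -qxF -- "$line" "$file"; then
        awk -v a="$anchor" -v l="$line" \
            '{ print } index($0, a) == 1 && !done { print l; done = 1 }' \
            "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    fi
}

# Set net.ipv4.ip_forward = 1 in a sysctl file, replacing any existing line.
enable_ip_forward() {
    local file="$1"
    sed -i -E '/^#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/d' "$file"
    printf 'net.ipv4.ip_forward = 1\n' >> "$file"
}

apply_all() {
    set_kv_option /etc/pptpd.conf localip 192.168.0.1
    set_kv_option /etc/pptpd.conf remoteip 192.168.0.234-238,192.168.0.245
    set_ms_dns /etc/ppp/options.pptpd 223.5.5.5 223.6.6.6
    add_chap_account /etc/ppp/chap-secrets test 123456 pptpd '*'
    # pppd passes the interface name to ip-up as $1 (assumption of this example,
    # instead of the topic's hardcoded "ifconfig ppp0 mtu 1472").
    insert_after_once /etc/ppp/ip-up '[ -x /etc/ppp/ip-up.local ]' 'ip link set "$1" mtu 1472'
    enable_ip_forward /etc/sysctl.conf
    sysctl -p
    # iptables-services ends INPUT/FORWARD with a REJECT, so insert (-I), not append.
    iptables -I INPUT -p tcp --dport 1723 -j ACCEPT   # PPTP control connection
    iptables -I INPUT -p gre -j ACCEPT                # PPTP tunnel data (GRE)
    iptables -I FORWARD -i ppp+ -j ACCEPT
    iptables -I FORWARD -o ppp+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
    service iptables save
    systemctl restart pptpd
    systemctl enable pptpd.service iptables.service
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Because every function edits the file it is given, the same functions can be pointed at a copy of each configuration file first to review the result before touching /etc.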
Configure a PPTP VPN client
Run the following command to install PPTP:
yum install -y ppp pptp pptp-setup
If a command output similar to the one in the following figure is returned, it indicates that PPTP is installed.
Run the following command to connect to the PPTP VPN server:
pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start
Note: Set [$IP], [$User], and [$Password] to the IP address, username, and password of the PPTP VPN server.
If a command output similar to the one in the following figure is returned, it indicates that you are connected to the PPTP VPN server.
When you are prompted that 192.168.0.234 is assigned to your client, run the following command. The ppp0 network interface controller (NIC) appears in the command output.
ifconfig | grep -A 10 ppp
If a command output similar to the one in the following figure is returned, it indicates that the command is run.
Run the following command to add a default route:
ip route replace default dev ppp0
If a command output similar to the one in the following figure is returned, it indicates that the command is run.
After the default route is added, you can access the PPTP VPN server.
FAQ
What do I do if I cannot open a website in a browser?
If you set up a PPTP VPN, establish a connection, and can ping the domain name of the website but still cannot open the website in your browser, your MTU settings may be invalid. You can use one of the following methods to resolve this issue.
Method 1
Connect to the CentOS server on which the VPN is configured.
Run the following command:
ifconfig ppp0 mtu 1472
Check whether the website can be opened in your browser.
Note: Method 1 resolves the issue only temporarily. To resolve the issue permanently, use Method 2.
Method 2
Connect to the CentOS server on which the VPN is configured.
Run the following command to open the /etc/ppp/ip-up file:
vi /etc/ppp/ip-up
Add the ifconfig ppp0 mtu 1472 command to the /etc/ppp/ip-up file. If a webpage similar to the one in the following figure is displayed, it indicates that the issue is resolved.
Check whether the website can be opened in your browser.
What do I do if an incorrect IP address is obtained?
After you connect to a VPN from a client, the client obtains the internal NIC IP address of your instance instead of an IP address assigned by the VPN server. Assume that your VPN client connection is named testvpn. Perform the following operations to resolve this issue.
Procedure
Connect to the CentOS server on which the VPN is configured.
Run the following command to open the /etc/ppp/peers/testvpn configuration file of the PPP client:
vi /etc/ppp/peers/testvpn
Add the noipdefault parameter, as shown in the following figure.
Run the following commands in sequence to restart the client. After you reconnect to the VPN, you can obtain the correct IP address.
poff testvpn
pon testvpn
Note: When you restart the client, the noipdefault parameter may be overwritten by a parameter that is passed in from the server. If the noipdefault parameter is overwritten, you must check the configurations of the server.
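The client steps in the "Configure a PPTP VPN client" section and the two FAQ entries describe three things to verify after dialing up: that ppp0 received an address from the server's remoteip pool rather than the instance's own NIC address, that the default route goes over ppp0, and that the MTU of ppp0 is 1472. The following script is an added example, not part of the original topic, that checks all three from iproute2 output and applies the FAQ's noipdefault fix to a peers file once. Each parser takes the command output as a string, so the checks can be exercised on constructed samples as well as on the live host; the pool 192.168.0.234-238,192.168.0.245, the MTU 1472 and the peers file name testvpn are the topic's values, and the sample outputs below are constructed for the test.

```shell
#!/bin/sh
# Added example, not part of the original topic: verifies the client side of
# the topic from iproute2 output and applies the FAQ "noipdefault" fix.
# Run with the single argument "check" to inspect this host.
set -eu

# Address configured on ppp0, from "ip -o -4 addr show ppp0" output (empty if none).
ppp0_address() {
    printf '%s\n' "$1" | awk '$2 == "ppp0" && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# True when the address is in the topic's remoteip pool 192.168.0.234-238,192.168.0.245.
# Seeing the instance's own NIC address here is the symptom described in the FAQ.
address_in_vpn_pool() {
    case "$1" in
        192.168.0.23[4-8]|192.168.0.245) return 0 ;;
        *) return 1 ;;
    esac
}

# Interface used by the default route, from "ip route show default" output.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# MTU of a link, from "ip -o link show <dev>" output.
link_mtu() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# FAQ fix: add noipdefault to the client's peers file (for example
# /etc/ppp/peers/testvpn) exactly once, so pppd uses the server-assigned address.
add_noipdefault() {
    grep -qx 'noipdefault' "$1" 2>/dev/null || printf 'noipdefault\n' >> "$1"
}

# Live check on this host; prints the finding and returns non-zero on a problem.
check_client() {
    addr=$(ppp0_address "$(ip -o -4 addr show ppp0 2>/dev/null || true)")
    dev=$(default_route_dev "$(ip route show default 2>/dev/null || true)")
    mtu=$(link_mtu "$(ip -o link show ppp0 2>/dev/null || true)")
    if [ -z "$addr" ] || ! address_in_vpn_pool "$addr"; then
        echo "ppp0 address '$addr' is not from the VPN pool (see FAQ: noipdefault)"
        return 1
    fi
    if [ "$dev" != "ppp0" ]; then
        echo "default route is via '$dev', not ppp0 (run: ip route replace default dev ppp0)"
        return 1
    fi
    if [ "$mtu" != "1472" ]; then
        echo "ppp0 MTU is '$mtu', expected 1472 (see FAQ: MTU)"
        return 1
    fi
    echo "ppp0 $addr, default route via ppp0, MTU $mtu: OK"
}

if [ "${1:-}" = "check" ]; then
    check_client
fi
```

The live check uses the ip commands rather than the topic's ifconfig | grep -A 10 ppp so that the fields can be parsed by position; the failure messages point back to the step or FAQ entry that fixes each condition.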