Elastic Compute Service: How do I configure a connection between a PPTP VPN server and a PPTP VPN client on a CentOS 7 instance?

Last Updated: Feb 28, 2026

This topic describes how to configure a Point-to-Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) server and connect VPN clients to it on an Elastic Compute Service (ECS) instance that runs CentOS 7.

Background information

PPTP is a network tunneling protocol developed based on the Point-to-Point Protocol (PPP). It is designed for use in VPNs. Connecting to a VPN over PPTP involves the following steps:

  1. Dial up to the PPTP server to establish a PPP connection.

  2. Perform PPTP negotiation to create a tunnel between the client and the server.

  3. Perform PPP Network Control Protocol (NCP) negotiation to assign the client an IP address from the VPN address range.

After the client receives an IP address, it can communicate with other devices within the VPN. This process establishes a secure tunnel over the Internet.

Warning

PPTP has known security vulnerabilities. The encryption and authentication mechanisms used by PPTP are considered weak by modern standards. Before you use PPTP, carefully evaluate the security impact on your business. For more information, see PPTP Client - Protocol Security. This topic provides examples and guidelines for the configuration procedure. Actual operations may vary depending on your environment.

Configure a PPTP VPN server

Connect to the CentOS ECS instance that you want to use as the PPTP VPN server and perform the following steps. For information about how to connect to an ECS instance, see Connect to an instance.

Prerequisites

In the following sections, an ECS instance with the following specifications is used. To avoid command errors caused by operating system version differences, we recommend that you use the same operating system version.

| Parameter | Value |
| --- | --- |
| Instance type | ecs.c6.large |
| Operating system | CentOS 7.2 public image |
| Network type | Virtual Private Cloud (VPC) |
| IP address | public IP address |

  • An inbound rule is added to a security group of the ECS instance to allow TCP traffic on port 1723 and Generic Routing Encapsulation (GRE) traffic (IP protocol 47). For more information, see Manage security group rules.

Step 1: Configure PPTP

The following table lists the configuration files you will modify in this step.

| File | Purpose |
| --- | --- |
| /etc/pptpd.conf | PPTP daemon configuration (IP address ranges) |
| /etc/ppp/options.pptpd | PPP options including DNS settings |
| /etc/ppp/chap-secrets | User credentials for client authentication |
| /etc/ppp/ip-up | Script that runs when a PPP connection is established |

  1. Install the PPTP VPN server. Run the following command to install the required packages:

       yum install -y ppp pptpd
  2. Modify the PPTP daemon (pptpd) configuration file. Specify the IP address range from which addresses are assigned to clients. This ensures that each connected device obtains a unique IP address. Run the vim /etc/pptpd.conf command to open the configuration file and add the following lines:

    Note
    • The localip parameter specifies the address of the PPTP VPN server. In most cases, we recommend that you use the private IP address of the server. Set this value based on your actual scenario.

    • The remoteip parameter specifies the IP address range from which addresses are assigned to PPTP VPN clients. To prevent IP address conflicts, make sure that the addresses in this range are not used by other devices. Set this value based on your actual scenario.

       localip 192.168.0.1
       remoteip 192.168.0.230-238

    Verify: After you save the file, confirm that the localip and remoteip entries appear at the end of the file.

  3. Configure Domain Name System (DNS) settings. Add DNS servers so that clients connected to the PPTP VPN can resolve domain names. Run the vim /etc/ppp/options.pptpd command to open the file and add the following lines:

    Note

    223.5.5.5 and 223.6.6.6 are Alibaba Cloud public DNS servers. You can replace them with other DNS server addresses based on your business requirements.

       ms-dns 223.5.5.5
       ms-dns 223.6.6.6

    Verify: After you save the file, confirm that the ms-dns entries appear in the file.

  4. Create a user. Create user credentials for client authentication. The PPTP VPN server authenticates each client to ensure that only authorized users can access the VPN. Run the vim /etc/ppp/chap-secrets command to open the file. Add accounts in the following format, one account per line, with items separated by spaces:

    Note

    Example: test pptpd 123456 *. The asterisk (*) wildcard indicates that the user can connect from any IP address.

       <Username> pptpd <Password> <IP address>
       test pptpd 123456 *

    Verify: After you save the file, confirm that the user entry appears in the file.

  5. Set the Maximum Transmission Unit (MTU). Adjusting the MTU optimizes network performance by reducing packet fragmentation and improving data transmission efficiency. Run the vim /etc/ppp/ip-up command to open the file and add the following line:

       ifconfig ppp0 mtu 1472

    Verify: After you save the file, confirm that the ifconfig ppp0 mtu 1472 entry appears in the file.

  6. Start PPTP. Run the following commands to start the PPTP service and enable it to start automatically on system startup:

       systemctl start pptpd
       systemctl enable pptpd.service
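
The chap-secrets file from step 4 holds every password in cleartext, and the sample entry combines a short numeric password with the * wildcard. The check below is an added example, not part of the original topic: it parses the four-field format shown above and flags such entries, along with file permissions looser than 600. The function name, the 12-character threshold, the second account and the sample address are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a chap-secrets file.
# Format, as shown in step 4: <Username> pptpd <Password> <IP address>
# Assumes unquoted passwords without spaces. Uses GNU stat (Linux).

MIN_PW_LEN=12   # assumed policy threshold; adjust to your own standard

audit_chap_secrets() {
    file=$1
    # Passwords are stored in cleartext, so only root should read the file.
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "600" ] || echo "MODE $file is $mode, expected 600"
    awk -v min="$MIN_PW_LEN" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        NF < 4 { print "FORMAT line " NR ": expected 4 fields"; next }
        $4 == "*"        { print "ANYIP " $1 ": may connect from any IP address" }
        length($3) < min { print "WEAKPW " $1 ": password shorter than " min " characters" }
        $3 ~ /^[0-9]+$/  { print "WEAKPW " $1 ": password is digits only" }
    ' "$file"
}

# Constructed sample input: the first entry is the page's example,
# the second account and its address are made up for this example.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# client server secret IP addresses
test pptpd 123456 *
alice pptpd Xk7-pQ2vLm9wRt4z 203.0.113.10
EOF
chmod 644 "$SAMPLE"   # deliberately too permissive for the demonstration

audit_chap_secrets "$SAMPLE"
```

On the server, run audit_chap_secrets /etc/ppp/chap-secrets as root after each change to the file.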

Step 2: Enable IP forwarding

To allow the system to forward IP packets between network interfaces, perform the following steps:

  1. Run the following command to enable IP forwarding:

       echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
  2. Verify: After you run the command, confirm that the /etc/sysctl.conf file contains the line net.ipv4.ip_forward = 1.

  3. Run the following command to apply the configuration:

       sysctl -p

Step 3: Configure the iptables firewall

Use the iptables firewall to control inbound and outbound network traffic. For example, you can configure multiple computers to share a single IP address for Internet access.

  1. Disable the default firewalld service.

       systemctl stop firewalld
       systemctl mask firewalld
  2. Install the iptables service.

       yum install -y iptables-services
  3. Start the iptables service and enable it to start on system startup.

       systemctl start iptables
       systemctl enable iptables
  4. Add rules to allow PPTP connections.

       # Accept incoming TCP connections on port 1723 (PPTP control channel).
       iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    
       # Allow the GRE protocol (IP protocol 47), which PPTP uses for data tunneling.
       iptables -I INPUT -p gre -j ACCEPT
  5. Add an iptables forwarding rule for source address masquerading. This rule uses masquerading to dynamically translate the source address of outgoing packets from the VPN client Classless Inter-Domain Routing (CIDR) block. Replace 192.168.0.0/24 with the CIDR block from which IP addresses are assigned to your PPTP VPN clients.

       iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
  6. Add a Network Address Translation (NAT) forwarding rule to translate the source IP address. This Source NAT (SNAT) rule translates the source address of packets from the VPN client CIDR block to a specific public IP address. Replace 192.168.0.0/24 with your client CIDR block. Replace XXX.XXX.XXX.XXX with the public IP address of the ECS instance on which the PPTP VPN server is running.

       iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX
  7. Save the iptables configuration.

       service iptables save
  8. Restart the iptables service.

       systemctl restart iptables
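
iptables evaluates the rules of a chain in order, and in the nat table the first matching rule with a MASQUERADE or SNAT target decides how the packet is translated. The following added example (not part of the original topic) reads the output of iptables -t nat -S POSTROUTING and reports which rule actually handles the VPN client CIDR block and which later rules with the same match are never reached. The function name and the sample public address 198.51.100.7 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): report which POSTROUTING
# NAT rule handles a source CIDR block. Reads `iptables -t nat -S POSTROUTING`
# output on stdin.
# Simplification: only rules whose match is exactly "-s <CIDR>" are compared.

nat_rule_report() {
    cidr=$1
    awk -v cidr="$cidr" '
        $1 == "-A" && $3 == "-s" && $4 == cidr && $5 == "-j" {
            # Rebuild the target and its options (for example "SNAT --to-source ...").
            target = $6
            for (i = 7; i <= NF; i++) target = target " " $i
            if (!seen) { print "ACTIVE " target; seen = 1 }
            else       { print "SHADOWED " target }
        }
    '
}

# Constructed sample: the rules from steps 5 and 6 appended in that order,
# with 198.51.100.7 standing in for XXX.XXX.XXX.XXX.
RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 198.51.100.7'

printf '%s\n' "$RULES" | nat_rule_report 192.168.0.0/24
```

On the server, pipe the live ruleset into the function: iptables -t nat -S POSTROUTING | nat_rule_report 192.168.0.0/24.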

Configure a PPTP VPN client

This section describes how to configure a PPTP VPN client on CentOS and Windows. Before you begin, make sure the following prerequisites are met:

To avoid command errors caused by operating system version differences, we recommend that you use the same operating system versions as shown in the following table.

| Client OS | Instance type | Operating system |
| --- | --- | --- |
| CentOS | ecs.c6.large | CentOS 7.2 public image |
| Windows | ecs.c6.large | Windows Server 2022 public image |

CentOS client

  1. Run the following command to install the PPTP client packages:

       yum install -y ppp pptp pptp-setup
  2. Run the following command to connect to the PPTP VPN server:

    Note
    • Replace [$IP] with the public IP address of the ECS instance on which the PPTP VPN server is running.

    • Replace [$User] with the username you created when configuring the PPTP VPN server. For details, see the "Create a user" step in the "Configure a PPTP VPN server" section.

    • Replace [$Password] with the password of that user. For details, see the "Create a user" step in the "Configure a PPTP VPN server" section.

       pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start

    When the connection is established, the output confirms that the PPTP VPN client is connected to the server.

  3. When you are prompted that 192.168.0.234 is assigned to your client, run the following command to verify the connection. You should see the ppp0 network interface controller (NIC) in the output. If the output shows the ppp0 interface with an assigned IP address, the VPN connection is working correctly.

       ifconfig | grep -A 10 ppp

Windows client

  1. Click the Start icon in the lower-left corner of the desktop and select Settings. In the Windows Settings window, click Network & Internet. In the left-side navigation pane, click VPN. On the VPN page, click Add a VPN connection.

  2. In the Add a VPN connection dialog box, configure the following parameters and then save the settings:

    | Parameter | Value |
    | --- | --- |
    | VPN provider | Select Windows (built-in). |
    | Connection name | Enter a VPN connection name. Example: pptp. |
    | Server name or address | Enter the public IP address or domain name of the PPTP VPN server. |
    | VPN type | Select Point to Point Tunneling Protocol (PPTP). |
    | Type of sign-in info | Select User name and password. |
    | User name (optional) | Enter the username you created on the PPTP VPN server. |
    | Password | Enter the password of the user you created on the PPTP VPN server. |

  3. Open the Control Panel and navigate to Network and Internet > Network and Sharing Center > Change adapter settings. In the window that appears, find the VPN connection you created.

  4. Right-click the VPN connection and select Properties. On the Networking tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

  5. In the dialog box that appears, click Advanced. On the IP Settings tab, clear the Use default gateway on remote network checkbox and click OK to save the settings.

    Important

    If you do not clear Use default gateway on remote network, the local default gateway settings are overridden after the dial-up connection is established. This prevents you from accessing the Internet over the connection.

  6. Click the Start icon and select Settings. In the Windows Settings window, click Network & Internet. In the left-side navigation pane, click VPN. On the VPN page, click Connect to establish the VPN connection. If the connection status changes to "Connected", the configuration is correct.

FAQ

What do I do if I cannot open a website in a browser?

If you cannot open a website in your browser after setting up the PPTP VPN and establishing a connection, but you can successfully ping the website's domain name, the issue is likely caused by invalid MTU settings. Use one of the following methods to resolve the issue:

  • Method 1 (temporary fix)

    1. Connect to the CentOS server where the VPN is configured.

    2. Run the following command:

      ifconfig ppp0 mtu 1472
    3. Check whether you can now open the website in your browser. If the website opens, the issue is resolved.

    Note

    Method 1 is a temporary solution. The setting is lost when the PPP connection is restarted. To make the fix permanent, use Method 2.

  • Method 2 (permanent fix)

    1. Connect to the CentOS server where the VPN is configured.

    2. Run the vim /etc/ppp/ip-up command to open the /etc/ppp/ip-up file.

    3. Add the following line to the file:

      ifconfig ppp0 mtu 1472

      After you save the file, the MTU is set automatically each time a PPP connection is established.

    4. Check whether you can now open the website in your browser. If the website opens, the issue is resolved.

What do I do if I obtained an incorrect IP address?

After you connect to a VPN from a client, you may obtain the internal NIC IP address of your instance instead of an IP address assigned by the VPN server. For example, if your VPN client is named testvpn, perform the following steps to resolve the issue.

  1. Connect to the CentOS server where the VPN is configured.

  2. Run the vim /etc/ppp/peers/testvpn command to open the /etc/ppp/peers/testvpn configuration file of the PPP client. Add the noipdefault parameter to the file.

  3. Run the following commands to restart the client.

    Note

    When you restart the client, the noipdefault parameter may be overwritten by a parameter passed from the server. If the noipdefault parameter is overwritten, check the server configuration.

       poff testvpn
       pon testvpn

    After you reconnect to the VPN, you should obtain the correct IP address.