
Elastic Compute Service: How do I configure a connection between a PPTP VPN server and a PPTP VPN client on a CentOS 7 instance?

Last Updated: Apr 16, 2025

This topic describes how to configure a connection between a PPTP VPN server and a PPTP VPN client on an Elastic Compute Service (ECS) instance that runs a CentOS 7 operating system.

Background information

Point-to-Point Tunneling Protocol (PPTP) is a network tunneling technology developed based on the Point-to-Point Protocol (PPP) for use in VPNs. You can connect to a VPN over PPTP by performing the following steps: dial up to the PPTP server to establish a PPP connection, perform PPTP negotiation to create a tunnel between your client and the server, and then perform PPP Network Control Protocol (NCP) negotiation to assign an IP address from the IP address range of the VPN to your client. You can use the assigned IP address to communicate within the VPN. This way, you can establish a secure tunnel or connection to a VPN over the Internet.

Warning

This topic provides examples and guidelines for the preceding procedure. Operations may vary based on the actual conditions. PPTP has security issues. We recommend that you evaluate the impacts of the issues on your business before you use PPTP. For more information, see PPTP Client.

Configure a PPTP VPN server

Connect to the CentOS ECS instance that you want to use as a PPTP VPN server and perform the following steps to configure the PPTP VPN server. For information about how to connect to an ECS instance, see Connect to an instance.

Prerequisites

  • An ECS instance is created. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

    In the following sections that describe how to configure a PPTP VPN server, an ECS instance that has the following configurations is used. To prevent command errors caused by operating system version differences, we recommend that you use the operating system version in the prerequisites.

    • Instance type: ecs.c6.large

    • Operating system: CentOS 7.2 public image

    • Network type: Virtual Private Cloud (VPC)

    • IP address: public IP address

  • An inbound rule is added to a security group of the ECS instance to allow TCP traffic on port 1723 and Generic Routing Encapsulation (GRE) traffic (IP protocol 47). For more information, see Manage security group rules.

Configure PPTP

  1. Install the PPTP VPN server.

    Run the following command on the ECS instance that you prepared in the prerequisites to install the PPTP VPN server:

    yum install -y ppp pptpd
  2. Modify the configuration file of the PPTP daemon (pptpd).

    Specify the IP address range from which IP addresses can be assigned to the clients of the PPTP VPN server. This ensures that each device connected to the server can obtain a unique IP address.

    1. Run the vim /etc/pptpd.conf command to open the configuration file and add the following configuration to the file:

      localip 192.168.0.1
      remoteip 192.168.0.230-238
      Note
      • For the localip parameter, specify the address of the PPTP VPN server. In most cases, we recommend that you specify the private IP address of the server. Configure the localip parameter based on your actual business scenario.

      • For the remoteip parameter, specify the IP address range from which you want to assign IP addresses to the clients of the PPTP VPN server. To prevent IP conflicts, make sure that the IP addresses in the range are not used by other devices. Configure the remoteip parameter based on your actual business scenario.

    2. Check the content of the configuration file. The following figure shows the content of the configuration file after you add the preceding configuration.

  3. Configure Domain Name System (DNS) settings.

    To ensure that the clients connected to the PPTP VPN server can resolve domain names, add a DNS server.

    1. Run the vim /etc/ppp/options.pptpd command to open the /etc/ppp/options.pptpd file and add the following configuration to the file:

      ms-dns 223.5.5.5
      ms-dns 223.6.6.6
      Note

      223.5.5.5 and 223.6.6.6 are the IP addresses of Alibaba Cloud public DNS servers. You can set ms-dns to the IP addresses of other DNS servers based on your business requirements.

    2. Check the content of the file. The following figure shows the content of the file after you add the preceding configuration.

  4. Create a user.

    Create a user for client identity authentication. When a client is connected to the PPTP VPN server, the server performs identity authentication for the client to ensure that only authorized users can access the system over dial-up or network connections.

    1. Run the vim /etc/ppp/chap-secrets command to configure usernames and passwords for the pptpd process. Add accounts in the <Username> pptpd <Password> <IP address> format to the /etc/ppp/chap-secrets file based on your business requirements. Separate the items with spaces and add only one account on each line.

      Note

      Example: test pptpd 123456 *. The asterisk wildcard character (*) indicates all IP addresses.

      test pptpd 123456 *
    2. Check the content of the file. The following figure shows the content of the file after you add the preceding configuration.

  5. Change the maximum transmission unit (MTU).

    MTU is used to optimize network performance, reduce segments, and improve data transmission efficiency.

    1. Run the vim /etc/ppp/ip-up command to open the /etc/ppp/ip-up file and add the following configuration to the file to change the MTU:

      ifconfig ppp0 mtu 1472
    2. Check the content of the file. The following figure shows the content of the file after you add the preceding configuration.

  6. Start PPTP.

    Run the following commands to start PPTP and configure PPTP to start on system startup:

    systemctl start pptpd
    systemctl enable pptpd.service
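
The /etc/ppp/chap-secrets file from the Create a user step keeps every password in cleartext, so its entries and permissions are worth checking before the service is exposed. The following audit script is an added example, not part of the original topic; the MIN_LEN threshold, the finding labels, and the alice and bob accounts are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: audit a chap-secrets file in the page's format
#   <Username> pptpd <Password> <IP address>
MIN_LEN=12   # assumed password-length policy, not a value from the page

# Constructed sample; the first account is the example from the Create a user step.
write_sample() {
    cat > "$1" <<'EOF'
# client server secret IP
test pptpd 123456 *
alice pptpd "c0rrect-horse-battery" 192.168.0.231
bob pptpd bob
EOF
}

audit_chap_secrets() {
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "PERM $1: accessible to group or other; secrets are stored in cleartext"
    fi
    awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        NF < 4 { printf "FORMAT line %d: expected 4 fields, found %d\n", NR, NF; next }
        {
            user = $1; pw = $3; ip = $4
            gsub(/^"|"$/, "", pw)    # pppd accepts quoted secrets
            if (length(pw) < min)
                printf "WEAK %s: password shorter than %d characters\n", user, min
            if (pw ~ /^[0-9]+$/)
                printf "WEAK %s: password is digits only\n", user
            if (tolower(pw) == tolower(user))
                printf "WEAK %s: password equals username\n", user
            if (ip == "*")
                printf "SCOPE %s: no IP address restriction (*)\n", user
            if (seen[user]++)
                printf "DUP %s: more than one entry\n", user
        }' "$1"
}

f=$(mktemp)          # mktemp creates the file with mode 600
write_sample "$f"
audit_chap_secrets "$f"
rm -f "$f"
```

On the server, run audit_chap_secrets /etc/ppp/chap-secrets as root.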

Enable IP forwarding

To allow the system to perform IP forwarding, perform the following steps:

  1. Run the following command to enable IP forwarding:

    echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
  2. Check the content of the sysctl.conf configuration file. The following figure shows the content of the configuration file after you add the preceding configuration.

  3. Run the sysctl -p command for the configuration to take effect.

Configure the iptables firewall

You can use the iptables firewall to configure rules that control the inbound and outbound network traffic. For example, you can configure multiple computers to share a single IP address for Internet access.

  1. Stop and mask the firewalld service.

    systemctl stop firewalld
    systemctl mask firewalld
  2. Install the iptables service.

    yum install -y iptables-services
    
  3. Start the iptables service and configure the service to start on system startup.

    systemctl start iptables
    systemctl enable iptables
  4. Add rules to allow PPTP connections.

    # Accept new TCP connection requests on port 1723.
    iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT 
    
    # Allow the GRE protocol. The IP protocol number of GRE is 47.
    iptables -I INPUT -p gre -j ACCEPT
    
  5. Add an iptables forwarding rule to implement source address masquerading. Replace 192.168.0.0/24 with the CIDR block from which IP addresses are assigned to PPTP VPN clients.

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
  6. Add a NAT forwarding rule to translate the source IP address of packets from the client CIDR block to a specific public IP address. Replace 192.168.0.0/24 with the CIDR block from which IP addresses are assigned to PPTP VPN clients. Replace XXX.XXX.XXX.XXX with the public IP address of the ECS instance on which the PPTP VPN server resides.

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX
  7. Save the configurations.

    service iptables save
  8. Restart the iptables service.

    systemctl restart iptables
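
Steps 5 and 6 append two rules with the same source match to the nat POSTROUTING chain, and iptables applies only the first NAT rule that matches a packet. The following script is an added example, not part of the original topic: it scans iptables-save output for rules that an earlier MASQUERADE or SNAT rule with an identical match makes unreachable. The sample ruleset is constructed, and 203.0.113.10 is a documentation address standing in for XXX.XXX.XXX.XXX.

```bash
#!/bin/bash
# Added example: report nat POSTROUTING rules that can never match because an
# earlier MASQUERADE/SNAT rule in the chain has exactly the same match.
# Reads `iptables-save` text on stdin.
shadowed_nat_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }          # table header, e.g. "*nat"
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            key = ""; target = ""
            for (i = 3; i <= NF; i++) {          # match = everything before -j
                if ($i == "-j") { target = $(i + 1); break }
                key = key " " $i
            }
            if (key in first)
                printf "SHADOWED: %s\n  earlier rule: %s\n", $0, first[key]
            else if (target == "MASQUERADE" || target == "SNAT")
                first[key] = $0
        }'
}

# Constructed iptables-save excerpt holding the rules from steps 4 to 6.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | shadowed_nat_rules
```

On the server, check the live ruleset with iptables-save | shadowed_nat_rules.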

Configure a PPTP VPN client

CentOS

Prerequisites

An ECS instance is created. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab. In the following section, an ECS instance that has the following configurations is used. To prevent command errors caused by operating system version differences, we recommend that you use the operating system version in the prerequisites.

  • Instance type: ecs.c6.large

  • Operating system: CentOS 7.2 public image

  • Network type: VPC

  • IP address: public IP address

Procedure

  1. Connect to the ECS instance. For more information, see Connect to an instance.

  2. Run the following command on the ECS instance to install the PPTP package:

    yum install -y ppp pptp pptp-setup
  3. Run the following command to connect to the PPTP VPN server:

    pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start
    Note
    • Replace [$IP] with the public IP address of the ECS instance on which the PPTP VPN server resides.

    • Replace [$User] with the username of the user that you created when you configured the PPTP VPN server. For information about how to obtain a username, see the Create a user step in the "Configure a PPTP VPN server" section of this topic.

    • Replace [$Password] with the password of the user that you created when you configured the PPTP VPN server. For information about how to obtain the password of the user, see the Create a user step in the "Configure a PPTP VPN server" section of this topic.

    The following figure shows that the PPTP VPN client is connected to the PPTP VPN server.

  4. When you are prompted that 192.168.0.234 is assigned to your client, run the following command. You can find the ppp0 network interface controller (NIC) in the command output.

    ifconfig | grep -A 10 ppp

    The following figure shows that the command is run as expected.

Windows

Prerequisites

An ECS instance is created. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab. In the following section, an ECS instance that has the following configurations is used. To prevent command errors caused by operating system version differences, we recommend that you use the operating system version in the prerequisites.

  • Instance type: ecs.c6.large

  • Operating system: Windows Server 2022 public image

  • Network type: VPC

  • IP address: public IP address

Procedure

  1. Connect to the ECS instance. For more information, see Connect to an instance.

  2. Click the Start icon in the lower-left corner of the desktop and select Settings. In the Windows Settings window, click Network & Internet. In the left-side navigation pane of the window that appears, click VPN. On the VPN page, click Add a VPN connection.

  3. In the Add a VPN connection dialog box, configure and save the following parameters:

    VPN provider: Select Windows (built-in).

    Connection name: Specify a VPN connection name. Example: pptp.

    Server name or address: Enter the public IP address or domain name of the PPTP VPN server.

    VPN type: Select Point to Point Tunneling Protocol (PPTP).

    Type of sign-in info: Select User name and password.

    User name (optional): Enter the username of the user that you created on the PPTP VPN server.

    Password: Enter the password of the user that you created on the PPTP VPN server.

  4. In the Control Panel, choose Network and Internet > Network and Sharing Center > Change adapter settings. In the window that appears, find the VPN connection that you created.

  5. Right-click the VPN connection and select Properties. On the Networking tab in the dialog box that appears, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

  6. In the dialog box that appears, click Advanced. On the IP Settings tab, clear Use default gateway on remote network and click OK to save the settings.

    Important

    If you do not clear Use default gateway on remote network, the local default gateway settings are changed after the dial-up connection is established. As a result, you cannot access the Internet over the connection.

  7. Click the Start icon and select Settings. In the Windows Settings window, click Network & Internet. In the left-side navigation pane of the window that appears, click VPN. On the VPN page, click Connect to establish the VPN connection. If the VPN connection is established, the configurations are correct.

FAQ

What do I do if I cannot open a website in a browser?

If you cannot open a website in your browser after you set up a PPTP VPN, establish a connection, and successfully ping the domain name of the website, your MTU settings may be invalid. You can use one of the following methods to resolve the issue:

  • Method 1

    1. Connect to the CentOS server on which the VPN is configured.

    2. Run the ifconfig ppp0 mtu 1472 command.

    3. Check whether the website can be opened in your browser. If the website is opened, the issue is resolved.

      Note

      Method 1 is a temporary solution to the issue. To permanently resolve the issue, use Method 2.

  • Method 2

    1. Connect to the CentOS server on which the VPN is configured.

    2. Run the vim /etc/ppp/ip-up command to open the /etc/ppp/ip-up file.

    3. Add the ifconfig ppp0 mtu 1472 command to the /etc/ppp/ip-up file.

      The following command output indicates that the command is added.

    4. Check whether the website can be opened in your browser.

      If the website is opened, the issue is resolved.

What do I do if I obtained an incorrect IP address?

If, after you connect to a VPN from a client, you obtain the internal NIC IP address of your instance instead of an IP address assigned by the VPN server, perform the following operations to resolve the issue. In this example, the VPN client is named testvpn.

Procedure

  1. Connect to the CentOS server on which the VPN is configured.

  2. Run the vim /etc/ppp/peers/testvpn command to open the /etc/ppp/peers/testvpn configuration file of the PPP client. Add the noipdefault parameter, as shown in the following figure.

  3. Run the following commands to restart the client. After you reconnect to the VPN, you can obtain the correct IP address.

    poff testvpn
    pon testvpn
    Note

    When you restart the client, the noipdefault parameter may be overwritten by a parameter that is passed in from the server. If the noipdefault parameter is overwritten, check the configurations of the server.