
How do I configure a connection between a PPTP VPN server and a PPTP VPN client on a CentOS 7 instance?

Last Updated: Apr 03, 2023

This topic describes how to configure a connection between a PPTP VPN server and a PPTP VPN client on a CentOS 7 instance.

Background information

Point-to-Point Tunneling Protocol (PPTP) is a network tunneling protocol built on the Point-to-Point Protocol (PPP) for use in virtual private networks (VPNs). To connect to a VPN over PPTP, the client dials up to the PPTP server to establish a PPP connection, performs PPTP negotiation to create a tunnel between the client and the server, and then performs PPP Network Control Protocol (NCP) negotiation, which assigns the client an IP address from the IP address range of the VPN. The client uses this assigned IP address to communicate within the VPN. This way, you can establish a secure tunnel or connection to a VPN over the Internet.

Warning

This topic provides an example of the preceding procedure. The exact operations may vary based on your environment. PPTP has many well-known security issues. We recommend that you evaluate these issues and their impact on your business before you use it. For more information, see PPTP Client.

Prerequisites

  • An Elastic Compute Service (ECS) instance is created. For more information, see Create an instance by using the wizard.

    The example in this topic uses an ECS instance that has the following configurations. To prevent command errors caused by operating system version issues, we recommend that you use the same operating system that is used in the example.

    • Instance type: ecs.c6.large

    • Operating system: CentOS 7.2 public image

    • Network type: Virtual Private Cloud (VPC)

    • IP address: a public IP address

  • A rule is configured in a security group of the instance to allow traffic on TCP port 1723. This port is required to configure PPTP VPNs. For more information, see Add a security group rule.

Configure a PPTP VPN server

Perform the following steps to configure a PPTP VPN server:

  1. Connect to the instance.

    For more information, see Connection methods.

  2. Run the following command to install a PPTP VPN server:

    yum install -y ppp pptpd

    If a command output similar to the one in the following figure is returned, it indicates that the PPTP server is installed.

  3. Edit the pptpd configuration file.

    1. Run the vi /etc/pptpd.conf command to edit the pptpd configuration file. Then, delete the number sign (#) at the start of the following lines to uncomment them. Run the :wq command to save and close the file.

      #localip 192.168.0.1
      #remoteip 192.168.0.234-238,192.168.0.245

      If a command output similar to the one in the following figure is returned, it indicates that the pptpd configuration file is edited.

      Note

      localip specifies the IP address of the VPN gateway, and remoteip specifies the IP address range that is obtained after a dial-up to a VPN. You can set these parameters based on your needs.

    2. Run the vi /etc/ppp/options.pptpd command and add two ms-dns lines that set the DNS servers to 223.5.5.5 and 223.6.6.6, leaving the original commented entries in place. Run the :wq command to save the modification and exit.

      #ms-dns 10.0.0.1
      #ms-dns 10.0.0.2
      ms-dns 223.5.5.5
      ms-dns 223.6.6.6

      Note

      223.5.5.5 and 223.6.6.6 are the IP addresses of Alibaba Cloud public DNS servers. You can set ms-dns to the IP addresses of other DNS servers based on your needs.

      If a command output similar to the one in the following figure is returned, it indicates that ms-dns is set.

    3. Run the vi /etc/ppp/chap-secrets command to configure the usernames and passwords that the PPTP daemon (pptpd) accepts. Add one account per line in the <Username> pptpd <Password> <IP address> format, with the fields separated by spaces. Run the :wq command to save the modification and exit.

      Note

      Example: test pptpd 123456 *. The asterisk (*) indicates all IP addresses.

      # Secrets for authentication using CHAP
      # client server secret IP addresses
      test pptpd 123456 *

      If a command output similar to the one in the following figure is returned, it indicates that a username and password are configured for pptpd.

    4. Run the vi /etc/ppp/ip-up command to set the maximum transmission unit (MTU). Below the [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" line, add the ifconfig ppp0 mtu 1472 command, as shown in the following excerpt:

      /etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
      [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
      ifconfig ppp0 mtu 1472

      If a command output similar to the one in the following figure is returned, it indicates that the MTU is set.

  4. Configure kernel parameters.

    1. Run the vi /etc/sysctl.conf command to edit the sysctl configuration file. Add the line net.ipv4.ip_forward = 1 to enable IP forwarding, and then run the :wq command to save and close the file.

      If a command output similar to the one in the following figure is returned, it indicates that the parameter is added and set.

    2. Run the sysctl -p command to make the parameter take effect.

  5. Add firewall rules.

    1. Run the following command to add an iptables masquerade rule for the VPN address range:

      iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    2. Run the following command to add a source NAT (SNAT) rule. Replace XXX.XXX.XXX.XXX with the public IP address of your instance.

      iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to-source XXX.XXX.XXX.XXX

    3. Run the following command to save the rules:

      service iptables save

      • If the following output is returned, the rules are saved.

        iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

      • If the following output is returned, the command failed to run.

        The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

        Note

        This issue occurs because the iptables service is not installed on the ECS instance. You must install the iptables service before you run the service iptables save command. Perform the operations in the following step.

  6. (Optional) Install and configure the iptables service.

    1. Run the following commands in sequence to stop and mask firewalld, which would otherwise conflict with the iptables service:

      systemctl stop firewalld
      systemctl mask firewalld

    2. Run the following command to install the iptables service:

      yum install iptables-services

    3. Run the following command to configure the iptables service to start on instance startup:

      systemctl enable iptables

    4. Run the following command to restart the iptables service:

      systemctl restart iptables

    5. Run the service iptables save command again to check whether the rules are saved.

Configure PPTP

  1. Run the following command to restart pptpd:

    systemctl restart pptpd

    Note

    Because pptpd is not yet running, the first restart reports Shutting down pptpd [FAILED] and an alert. You can ignore the message and alert and run the command again to restart pptpd. No messages or alerts appear the second time.

  2. Run the following command to start iptables:

    systemctl start iptables

  3. Run the following commands in sequence to configure pptpd and iptables to start on instance startup:

    systemctl enable pptpd.service
    systemctl enable iptables.service

After you complete the preceding steps, the PPTP VPN server is installed. You can configure new connections or networks in the Network and Sharing Center of your Windows client and then use the VPN to access the networks.
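The following script is an added example, not part of the original topic, that checks the server-side files edited in the preceding steps: whether localip and remoteip in /etc/pptpd.conf are uncommented, whether net.ipv4.ip_forward = 1 is present in /etc/sysctl.conf, whether /etc/ppp/chap-secrets (which stores passwords in plaintext) is readable only by root, and how many accounts in it accept any source IP address (the * wildcard). The function names and the three file-path arguments are hypothetical; pass the real paths when you run it on the instance.

```shell
#!/bin/bash
# Added example: sanity-check the pptpd server configuration described above.
# Hypothetical helper functions; file paths are passed as arguments so the
# checks can also be run against copies of the files.

# Print the effective (uncommented) value of a key in pptpd.conf, e.g. localip.
pptpd_value() {
    local key="$1" conf="$2"
    awk -v k="$key" '$1 == k { print $2; exit }' "$conf"
}

# Succeed only if the file mode is 600 or 400 (GNU stat; chap-secrets holds
# plaintext passwords, so no other user should be able to read it).
secrets_mode_ok() {
    local f="$1" mode
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Succeed if an uncommented "net.ipv4.ip_forward = 1" line is present.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Count chap-secrets accounts whose IP-address field is "*" (usable from anywhere).
wildcard_accounts() {
    awk '!/^#/ && NF >= 4 && $4 == "*" { n++ } END { print n+0 }' "$1"
}

# Run all checks, print a summary, and return non-zero if any check fails.
check_pptpd_config() {
    local conf="$1" secrets="$2" sysctl="$3" rc=0 lip rip
    lip=$(pptpd_value localip "$conf")
    rip=$(pptpd_value remoteip "$conf")
    [ -n "$lip" ] && echo "localip: $lip" || { echo "localip not set (still commented?)"; rc=1; }
    [ -n "$rip" ] && echo "remoteip: $rip" || { echo "remoteip not set (still commented?)"; rc=1; }
    ip_forward_enabled "$sysctl" && echo "ip_forward enabled" || { echo "net.ipv4.ip_forward = 1 missing"; rc=1; }
    secrets_mode_ok "$secrets" && echo "chap-secrets permissions OK" || { echo "chap-secrets is readable by other users"; rc=1; }
    echo "accounts accepting any source IP: $(wildcard_accounts "$secrets")"
    return "$rc"
}

# Usage: ./check.sh /etc/pptpd.conf /etc/ppp/chap-secrets /etc/sysctl.conf
[ "$#" -eq 3 ] && check_pptpd_config "$1" "$2" "$3"
```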

Configure a PPTP VPN client

  1. Run the following command to install PPTP:

    yum install -y ppp pptp pptp-setup

    If a command output similar to the one in the following figure is returned, it indicates that PPTP is installed.

  2. Run the following command to connect to the PPTP VPN server:

    pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start

    Note

    Set [$IP], [$User], and [$Password] to the IP address, username, and password of the PPTP VPN server.

    If a command output similar to the one in the following figure is returned, it indicates that you are connected to the PPTP VPN server.

  3. When the output shows that 192.168.0.234 is assigned to your client, run the following command. The ppp0 network interface appears in the command output.

    ifconfig | grep -A 10 ppp

    If a command output similar to the one in the following figure is returned, it indicates that the command is run.

  4. Run the following command to add a default route:

    ip route replace default dev ppp0

    If a command output similar to the one in the following figure is returned, it indicates that the command is run.

  5. After the default route is added, you can access the PPTP VPN server.

FAQ

What do I do if I cannot open a website in a browser?

If you set up a PPTP VPN, establish a connection, and can successfully ping the domain name of a website, but still cannot open the website in your browser, your MTU settings may be invalid. You can use one of the following methods to resolve this issue.

  • Method 1

    1. Connect to the CentOS server on which the VPN is configured.

    2. Run the ifconfig ppp0 mtu 1472 command.

    3. Check whether the website can be opened in your browser.

      Note

      Method 1 can only resolve the issue temporarily. To resolve the issue permanently, use method 2.

  • Method 2

    1. Connect to the CentOS server on which the VPN is configured.

    2. Run the vi /etc/ppp/ip-up command to open the /etc/ppp/ip-up file.

    3. Add the ifconfig ppp0 mtu 1472 command to the /etc/ppp/ip-up file.

      If a webpage like the one in the following figure is displayed, it indicates that the issue is resolved.

    4. Check whether the website can be opened in your browser.

What do I do if an incorrect IP address is obtained?

Symptom: after you connect to the VPN from a client, the client obtains the internal NIC IP address of your instance instead of an IP address assigned by the VPN server. Assume that your VPN client connection is named testvpn. Perform the following operations to resolve this issue.

Procedure

  1. Connect to the CentOS server on which the VPN is configured.

  2. Run the vi /etc/ppp/peers/testvpn command to open the /etc/ppp/peers/testvpn configuration file of the PPP client. Add the noipdefault parameter, as shown in the following figure.

  3. Run the following commands to restart the client. After you reconnect to the VPN, you can obtain the correct IP address.

    poff testvpn
    pon testvpn

    Note

    When you restart the client, the noipdefault parameter may be overwritten by a parameter that is passed in from the server. If the noipdefault parameter is overwritten, you must check the configurations of the server.