To set up a PPTP VPN server on CentOS, install the ppp and pptpd packages (not pptp or pptp-setup, which are the client-side packages):
yum -y install ppp
rpm -i http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
(On CentOS 7, install the EPEL release package instead: rpm -Uvh https://mirror.i3d.net/pub/fedora-epel/7/x86_64/e/epel-release-7-9.noarch.rpm)
yum -y install pptpd
After installing pptpd, edit /etc/pptpd.conf to add localip (the private IP of the VPN server) and remoteip (the private IP assigned to the VPN client):
localip 192.168.0.7
remoteip 192.168.0.231
Edit /etc/ppp/chap-secrets to add a vpn account.
# Secrets for authentication using CHAP
# client server secret IP addresses
clientname pptpd clientpassword *
Each entry has four fields: the VPN account name, the server (pptpd), the password for the account, and the IP address the account may connect from (* means the account can connect to the VPN server from any IP address). The VPN client uses this account information to connect to the VPN server.
Edit /etc/ppp/options.pptpd to add the ip addresses of dns servers for this vpn server.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
These are Google's public DNS servers; any other DNS servers can be used instead.
Set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so that the VPN server forwards IP packets between the public network and your private network. Run sysctl -p to apply the change; you can verify it with cat /proc/sys/net/ipv4/ip_forward, which should print 1.
Add a NAT entry to iptables:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
This command is a little complex and will be explained in detail in another post. For now, note that eth0 must be the name of your network adapter (find it with the ifconfig command, and do not use an alias such as eth0:0), and that -s 192.168.0.0/24 is the IP address range of your private network.
Restart the pptpd service:
/etc/init.d/pptpd restart
The VPN server is now set up; you can connect to it with a VPN client using the account information configured above.
VPN errors and debugging:
If the pptpd service is down, the client gets error 800.
If you forget to add "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE" to iptables, you can connect to the VPN server and pass the account verification, and everything appears fine, but you cannot reach any websites.
If iptables does not allow TCP port 1723 and the GRE protocol, the client gets error 619.
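The checks below tie the setup steps above to the failure modes just listed: they verify the chap-secrets field layout, the localip/remoteip lines, the ip_forward sysctl and the MASQUERADE rule before pptpd is restarted. This is an added example, not code from the original post; the function names and the constructed sample files are assumptions, and the checks take a file path or stdin so they can run offline.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a pptpd
# setup before restarting the service. Each check takes a file path or
# reads stdin so it can run against constructed samples offline.

# Every non-comment line of chap-secrets must have exactly four fields
# (client, server, secret, IP) and name "pptpd" as the server.
check_chap_secrets() {
    awk 'NF > 0 && $1 !~ /^#/ && (NF != 4 || $2 != "pptpd") {
             print FILENAME ": bad entry: " $0; bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# pptpd.conf must set both localip and remoteip to dotted-quad addresses.
check_pptpd_conf() {
    awk '$1 == "localip"  && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { l = 1 }
         $1 == "remoteip" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { r = 1 }
         END { exit ((l && r) ? 0 : 1) }' "$1"
}

# Forwarding must be on, or clients authenticate but reach nothing.
# Defaults to the live procfs value; a file path can be given for testing.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# The POSTROUTING MASQUERADE rule for SUBNET via IFACE must be present in
# the rule listing read from stdin (feed it `iptables -t nat -S`).
check_nat_rule() {
    grep -q -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Constructed sample files standing in for the real configuration.
make_samples() {
    d=$(mktemp -d)
    printf 'localip 192.168.0.7\nremoteip 192.168.0.231\n' > "$d/pptpd.conf"
    printf '# client server secret IP addresses\nclientname pptpd clientpassword *\n' > "$d/chap-secrets.ok"
    printf 'clientname pptpd clientpassword\n' > "$d/chap-secrets.bad"   # IP field missing
    printf '1\n' > "$d/ip_forward"
    echo "$d"
}

SAMPLES=$(make_samples)
check_pptpd_conf "$SAMPLES/pptpd.conf"        && echo "pptpd.conf: ok"
check_chap_secrets "$SAMPLES/chap-secrets.ok" && echo "chap-secrets: ok"
check_chap_secrets "$SAMPLES/chap-secrets.bad" || echo "chap-secrets.bad: rejected as expected"
check_ip_forward "$SAMPLES/ip_forward"        && echo "ip_forward: ok"
echo '-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE' \
    | check_nat_rule 192.168.0.0/24 eth0 && echo "nat rule: ok"
```

On a real server, point the file checks at /etc/pptpd.conf and /etc/ppp/chap-secrets, call check_ip_forward with no argument, and pipe the output of iptables -t nat -S into check_nat_rule.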