Wednesday, August 9, 2017

How to setup VPN server PPTP on CentOS

My setup in CloudStack is as below:

VM --------------------------VR (Virtual Router) -----------------------Public network (windows)
v1n1(pptp server)               public interface 10.147.46.102


  Configuring the PPTP server in the CentOS VM (v1n1)

 1. Install the PPTP server on CentOS
      # rpm -i http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
          warning: /var/tmp/rpm-tmp.zgYGDb: Header V3 DSA/SHA1 Signature, key ID 862acc42: NOKEY
      # yum -y install pptpd

2. Before updating the configuration, take a backup of the existing configuration files.
 Then copy the configuration files below into your PPTP server.

[root@v1n1 ~]# cat /etc/*-release
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)

[root@v1n1 ~]# cat /etc/pptpd.conf
#start of custom file
#logwtmp
option /etc/ppp/options.pptpd
localip 192.168.0.1   # local vpn IP
remoteip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.0.100-200  # ip range for connections
listen 10.1.1.242 # eth0 my example public IP and network interface
#end of custom file
debug
[root@v1n1 ~]#
[root@v1n1 ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret            IP addresses
test1 * test1 *
test2 * test2 *
[root@v1n1 ~]#
[root@v1n1 ~]# cat /etc/ppp/options.pptpd
#custom settings for a simple fast pptp server
ms-dns 8.8.8.8
ms-dns 4.2.2.2
lock
name pptpd
#require-mschap-v2
require-chap
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
# require-mppe-128
[root@v1n1 ~]# 

3. Add the line below to /etc/sysctl.conf and apply it with sysctl -p
net.ipv4.ip_forward = 1


4. Start your PPTP server using the command below
/etc/init.d/pptpd restart-kill && /etc/init.d/pptpd start

5. Make sure you have the iptables configuration below to allow PPTP (TCP 1723) and GRE

[root@v1n1 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 604 packets, 57798 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 496K   47M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    3   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   39  2028 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    2   109 ACCEPT     47   --  eth0   *       0.0.0.0/0            0.0.0.0/0 
         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  199 12913 ACCEPT     all  --  ppp+   eth0    0.0.0.0/0            0.0.0.0/0          
  217 24050 ACCEPT     all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 4117 packets, 527K bytes)
 pkts bytes target     prot opt in     out     source               destination        
[root@v1n1 ~]#
[root@v1n1 ~]# iptables-save
# Generated by iptables-save v1.4.7 on Wed Aug  9 09:19:50 2017
*nat
:PREROUTING ACCEPT [190:16147]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [13:1119]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Aug  9 09:19:50 2017
# Generated by iptables-save v1.4.7 on Wed Aug  9 09:19:50 2017
*filter
:INPUT ACCEPT [604:57798]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4130:529629]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
# Completed on Wed Aug  9 09:19:50 2017
[root@v1n1 ~]#
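An added check, not part of the original post, that audits an iptables-save dump and an options.pptpd file for the rules and settings steps 2 to 5 rely on. The embedded sample is the nat/filter portion of the dump above; the regex patterns and the finding texts are this example's own.

```python
import re

# Sample input: the nat/filter rules from the post's iptables-save dump (embedded so the audit runs offline).
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
"""

# Rules a PPTP server needs: TCP 1723 control channel, GRE data channel, ppp<->uplink forwarding, masquerading.
REQUIRED = [
    ("filter", r"-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT"),
    ("filter", r"-A INPUT .*-p gre .*-j ACCEPT"),
    ("filter", r"-A FORWARD -i ppp\+ -o \S+ -j ACCEPT"),
    ("filter", r"-A FORWARD -i \S+ -o ppp\+ -j ACCEPT"),
    ("nat", r"-A POSTROUTING .*-j MASQUERADE"),
]

def parse_iptables_save(text):
    """Group the '-A' rule lines of an iptables-save dump by table."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables.setdefault(current, [])
        elif line.startswith("-A") and current:
            tables[current].append(line)
    return tables

def missing_rules(text):
    """Return the REQUIRED patterns that no rule in the dump satisfies."""
    tables = parse_iptables_save(text)
    return [pat for table, pat in REQUIRED
            if not any(re.search(pat, rule) for rule in tables.get(table, []))]

def audit_ppp_options(text):
    """Flag options.pptpd settings that leave the PPP payload unencrypted."""
    active = {line.split()[0] for line in text.splitlines()
              if line.strip() and not line.lstrip().startswith("#")}
    findings = []
    if "require-mppe-128" not in active:
        findings.append("require-mppe-128 not set: tunnel traffic is not encrypted")
    if "require-chap" in active and "require-mschap-v2" not in active:
        findings.append("plain CHAP accepted: MPPE keys cannot be derived from CHAP")
    return findings
```

Run against the options.pptpd shown in step 2 the audit reports both findings, since that file sets require-chap and comments out require-mppe-128.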


Configuration within the VR:

1. Configure port forwarding to VM v1n1 on the VR, and also configure the firewall on 10.147.46.102 (the FIREWALL_10.147.46.102 chain) to allow the PPTP port TCP 1723. Here the public interface is eth3.

2. Load the PPTP connection-tracking and NAT helper modules on the VR, so that the GRE data channel is tracked and NATed together with the TCP 1723 control connection.
root@r-123-JAY:~# modprobe nf_conntrack_pptp
root@r-123-JAY:~# modprobe nf_nat_pptp 



root@r-123-JAY:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:1a:98:00:09 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:00:b6 brd ff:ff:ff:ff:ff:ff
    inet 169.254.0.182/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:7f:00:00:27 brd ff:ff:ff:ff:ff:ff
    inet 10.147.55.100/24 brd 10.147.55.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:01:00:00:0e brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.102/24 brd 10.147.46.255 scope global eth3

root@r-123-JAY:~#

 
root@r-123-JAY:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 674 packets, 64448 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  507 36204 FIREWALL_10.147.46.102  all  --  *      *       0.0.0.0/0            10.147.46.102      
    0     0 VPN_10.147.46.102  all  --  *      *       0.0.0.0/0            10.147.46.102      
    4   304 VPN_10.147.55.100  all  --  *      *       0.0.0.0/0            10.147.55.100      
    0     0 FIREWALL_10.147.55.100  all  --  *      *       0.0.0.0/0            10.147.55.100      
    0     0 VPN_10.147.55.100  all  --  *      *       0.0.0.0/0            10.147.55.100      
  662 63576 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
    0     0 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x3
    0     0 MARK       all  --  *      *       10.1.1.242           0.0.0.0/0            state NEW MARK set 0x3
    0     0 CONNMARK   all  --  *      *       10.1.1.242           0.0.0.0/0            state NEW CONNMARK save

Chain INPUT (policy ACCEPT 408 packets, 30668 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 777 packets, 70288 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 318 packets, 40691 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 1095 packets, 111K bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill

Chain FIREWALL_10.147.46.102 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
  507 36204 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "JAY"
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain FIREWALL_10.147.55.100 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 255
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain VPN_10.147.46.102 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain VPN_10.147.55.100 (2 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          
    4   304 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
root@r-123-JAY:~#
root@r-123-JAY:~#
root@r-123-JAY:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 173 packets, 11501 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DNAT       all  --  eth0   *       0.0.0.0/0            10.147.46.102        to:10.1.1.242
   29  1526 DNAT       all  --  *      *       0.0.0.0/0            10.147.46.102        to:10.1.1.242

Chain INPUT (policy ACCEPT 42 packets, 3024 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 5 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.46.102        to:10.1.1.242

Chain POSTROUTING (policy ACCEPT 29 packets, 1526 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 SNAT       all  --  *      eth0    10.1.1.0/24          10.1.1.242           to:10.1.1.1
  126  8097 SNAT       all  --  *      eth3    10.1.1.242           0.0.0.0/0            to:10.147.46.102
   10   760 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.55.100
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.46.102
root@r-123-JAY:~#
 

Configuration on the Windows client:


 

PPP tunnel interface on the PPTP server after the Windows client has connected:

[root@v1n1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:54:41:00:08 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.242/24 brd 10.1.1.255 scope global eth0
    inet6 fe80::54ff:fe41:8/64 scope link
       valid_lft forever preferred_lft forever
42: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 192.168.0.1 peer 192.168.0.234/32 scope global ppp0
[root@v1n1 ~]#


Common errors:
 1. peer refused to authenticate: terminating link (see the log excerpt below)
 This error means your options.pptpd is configured for MS-CHAPv2 (require-mschap-v2) and the user/password are configured in /etc/ppp/chap-secrets, but the client is trying to connect with plain CHAP.

Update your /etc/ppp/options.pptpd to require-chap and comment out require-mppe-128. Note that MPPE derives its keys from MS-CHAP, so with plain CHAP and require-mppe-128 commented out the session is authenticated but the PPP payload is not encrypted; the tunnel then provides reachability, not confidentiality.


Aug  9 09:38:49 v1n1 pptpd[20130]: CTRL: Client 10.147.38.153 control connection started
Aug  9 09:38:49 v1n1 pptpd[20130]: CTRL: Starting call (launching pppd, opening GRE)
Aug  9 09:38:49 v1n1 pppd[20131]: pppd 2.4.5 started by root, uid 0
Aug  9 09:38:49 v1n1 pppd[20131]: Using interface ppp0
Aug  9 09:38:49 v1n1 pppd[20131]: Connect: ppp0 <--> /dev/pts/1


Aug  9 09:38:52 v1n1 pppd[20131]: peer refused to authenticate: terminating link
Aug  9 09:38:52 v1n1 pppd[20131]: Connection terminated.
Aug  9 09:38:52 v1n1 pppd[20131]: Exit.
Aug  9 09:38:52 v1n1 pptpd[20130]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Aug  9 09:38:52 v1n1 pptpd[20130]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Aug  9 09:38:52 v1n1 pptpd[20130]: CTRL: Client 10.147.38.153 control connection finished
