Continuing the VPN series, today we cover Poptop, or pptpd. It is easier to configure than other VPN software, but the protocol itself is not really secure: PPTP authenticates with MS-CHAPv2, whose handshake can be broken by anyone who captures it on the wire, and the MPPE (RC4) session keys are derived from those same credentials, so a captured session can be decrypted afterwards. Treat it as a way to get traffic out of a restrictive network, not as protection against a capable adversary. Nevertheless, I have experienced situations where Poptop succeeds where other VPNs like OpenVPN and Softether fail, so this article might be useful to some people.
So let's start. Poptop is in the EPEL repository, so we will add that repository and then install the pptpd package, along with ppp, net-tools and iptables-services, which the rest of the guide uses.
yum -y install epel-release
yum -y install ppp pptpd net-tools iptables-services
Next, we need to configure it. The easiest way is to back up the old configuration file and just paste in the new one provided below. So let's do just that.
mv /etc/pptpd.conf /etc/pptpd.conf.orig
echo 'option /etc/ppp/options.pptpd
logwtmp
localip 10.0.10.1
remoteip 10.0.10.2-254' > /etc/pptpd.conf
This means that the server end of each PPP link will be 10.0.10.1 and the clients will be assigned private IPs on the same subnet, from 10.0.10.2 through 10.0.10.254. Their traffic will leave with the server's public IP, which is, of course, why we are running the VPN.
Next, we get to the options.pptpd file, which may or may not exist already; either way we will create it, backing up the old one first if it exists. The lines that matter for security are the refuse-*/require-* ones: they reject PAP, CHAP and MS-CHAPv1 (which send the password in the clear or with weaker hashing) and force MS-CHAPv2 with 128-bit MPPE, so a client cannot negotiate down to an unencrypted session. The ms-dns lines are the DNS servers pushed to clients.
mv -f /etc/ppp/options.pptpd /etc/ppp/options.pptpd.orig
echo 'name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
ms-dns 8.8.4.4' > /etc/ppp/options.pptpd
You can have many accounts (the connections option in pptpd.conf limits how many may be connected at once), but we will add just one for testing, with username linoxide and password linoxide:
mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.orig
echo 'linoxide pptpd linoxide *' > /etc/ppp/chap-secrets
The fields are username, server name (which must match the name pptpd line in options.pptpd), password, and allowed client IP. The asterisk in the last field means that the user can connect from any IP, which is useful if you are going to connect from different devices and computers. If you want to bind an account to one IP, type that IP there instead of *. Note that the passwords are stored in clear text, so keep the file readable by root only (mode 0600). If you want one more account, repeat the previous command, only this time use >> instead of > because we want to append rather than overwrite the entire file. So something like this:
echo 'geek pptpd geek *' >> /etc/ppp/chap-secrets
So there you go, we now have two users. Next, we need to enable IP forwarding so the kernel will route the clients' traffic; the next two lines do that:
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
Next, let's just disable the firewalls to keep things simple. Be aware that this leaves every service on the host exposed to the internet; if you would rather keep a firewall, PPTP only needs TCP port 1723 and the GRE protocol (IP protocol 47) allowed inbound, plus forwarding for the ppp interfaces. The service iptables save line keeps a copy of the current rules so you can restore them later:
systemctl stop firewalld.service
systemctl disable firewalld.service
service iptables save
service iptables stop
chkconfig iptables off
iptables -F
chmod +x /etc/rc.d/rc.local
Then we just need to set up masquerading in the POSTROUTING chain of the nat table, persist it in rc.local so it survives a reboot, and restart pptpd, and we are done.
echo "iptables -t nat -A POSTROUTING -o YOUR-NIC -j MASQUERADE" >> /etc/rc.d/rc.local
iptables -t nat -A POSTROUTING -o YOUR-NIC -j MASQUERADE
service pptpd restart
Instead of YOUR-NIC, put the name of your internet-facing interface. If you don't know the name, run ifconfig (that is why we installed net-tools at the start) or ip link. Finally, run systemctl enable pptpd so the service also starts at boot.
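As an added example that is not part of the original article, here is the alternative to disabling the firewall: a shell function that generates a complete ruleset in iptables-save format for the iptables-services package installed above, opening only what PPTP needs and doing the masquerading from the nat table. The interface name, the VPN subnet (defaulting to the 10.0.10.0/24 used in pptpd.conf above) and SSH on port 22 as the only other reachable service are assumptions for the example.

```sh
#!/bin/sh
# Added example: generate /etc/sysconfig/iptables for a pptpd server.
# Usage: gen_pptp_rules <internet-facing-interface> [vpn-subnet]
# e.g.   gen_pptp_rules eth0 > /etc/sysconfig/iptables && systemctl restart iptables
gen_pptp_rules() {
    nic="$1"                        # assumed: your public interface, e.g. eth0
    vpn_net="${2:-10.0.10.0/24}"    # matches localip/remoteip in pptpd.conf
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT VPN client traffic leaving via the public interface
-A POSTROUTING -s ${vpn_net} -o ${nic} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Assumed: SSH is the only other service that should be reachable
-A INPUT -p tcp --dport 22 -j ACCEPT
# PPTP control channel (TCP 1723) and the GRE data channel (IP protocol 47)
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# Let VPN clients (pppN interfaces) out to the internet and replies back in
-A FORWARD -i ppp+ -o ${nic} -j ACCEPT
-A FORWARD -i ${nic} -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: print the ruleset for the interface given on the command line.
if [ -n "${1:-}" ]; then
    gen_pptp_rules "$@"
fi
```

With this in place you keep firewalld stopped as above but leave iptables.service enabled instead of disabling it, and the POSTROUTING line replaces the masquerade rule added to rc.local. The GRE rule is the one people forget: the real tunnel traffic travels in GRE, not in the TCP 1723 connection, so a firewall that only opens 1723 lets clients authenticate and then hang with no traffic.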