Continuing the VPN series, today we cover Poptop, or pptpd. It is easier to configure than other VPN software, but MS-CHAP-v2 encryption that it uses is not really secure, as we come to expect from Microsoft software. Nevertheless I have experienced situations where Poptop succeeds where other VPN like OpenVPN and Softether fail, so this article might be useful to some people.
So lets tstart, poptop is in epel repository, so we will add it and install ptppd package.
yum -y install epel-release yum -y install ppp pptpd net-tools iptables-services
Next we need to configure it. Easiest way is to backup old configuration file and just paste new one which I will provide in the article. So lets do just that.
mv /etc/pptpd.conf /etc/pptpd.conf.orig echo 'option /etc/ppp/options.pptpd logwtmp localip 10.0.10.1 remoteip 10.0.10.2-254' > /etc/pptpd.conf
This means that your poptop interface will be 10.0.10.1 and the clients will get assigned private ip on the same subnet, from 2 trough 254. Public IP will off course be same as server's, that is why we are running the VPN.
Next we get to the to the options.pptpd file which might or might not exist, but anyways we will create it. Off course we will first backup it if exists.
mv -f /etc/ppp/options.pptpd /etc/ppp/options.pptpd.orig echo 'name pptpd refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 proxyarp lock nobsdcomp novj novjccomp nologfd ms-dns 18.104.22.168 ms-dns 22.214.171.124' > /etc/ppp/options.pptpd
You can have many accounts and there is setting to limit the number, but we will add just one for testing, with username linoxide and password linoxide:
mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.orig echo 'linoxide pptpd linoxide *' > /etc/ppp/chap-secrets
The asterisk means that user can be connected from any ip which is useful if you are going to connect from different devices and computers. If you want to bind account to one ip, you can type that ip there instead of *. If you want one more account, repeate the previous comand, only this time use >> instead > because we want to append rather than overwrite entire file. So something like this
echo 'geek pptpd geek *' >> /etc/ppp/chap-secrets
So there you go, we actually have two users now. Next we need to setup forwarding, so those next two lines are for that:
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf sysctl -p
Next lets just disable firewalls to keep things simple:
systemctl stop firewalld.service systemctl disable firewalld.service service iptables save service iptables stop chkconfig iptables off iptables -F chmod +x /etc/rc.d/rc.local
And then we need just to setup masquerading and post-routing and we are done.
echo "iptables -t nat -A POSTROUTING -o YOUR-NIC -j MASQUERADE" >> /etc/rc.d/rc.local iptables -t nat -A POSTROUTING -o YOUR-NIC -j MASQUERADE service pptpd restart
Instead YOUR-NIC you need to put name of your network facing interface, if you don't know the name type ifconfig (that is why we installed net-tools at the start).
Connecting to Poptop VPN server
Since Poptop is easy and article is not too long, we can include making the connection guide in same article with server guide. Best (and worst, depend how you look at it) thing about Poptop is that you don't need any certificates, only username and password, so connecting is straightforward. At the moment, I have at my disposal Android phone with Android 4.0 so I will use that to connect.
No need to write too much here, because pictures tell everything. I actually omitted the middle picture to conceive IP of my server, but adding credentials easy, just make sure you check the encryption check mark because we turned on encryption on server. You can also turn off the encryption on both server and client because it is not secure anyways, but for now it is on. Next thing, on your phone you need to go to some site that shows your ip address, like for example this one. And you should then see the IP address of the server, which means that all went well and you followed this guide correctly.
Poptop is probably easiest and most straightforward way to have VPN configured on your VPS. Despite that its encryption algorithm was declared insecure, usability of Poptop have been proven in numerous occasions and this VPN server has its uses. If nothing, it is good as staring point on your journey to world of Virtual Private Network software and after learning the basics you can better understand more complex solutions like OpenVPN, Softeter, StrongSWAN and the like.