CentOS PPTP VPN

PPTP Server
1) We need to add the Poptop repository to our system so we'll do a "rpm -Uvh http://poptop.sourceforge.net/yum/stable/fc7/pptp-release-current.
noarch.rpm".
2) Let's install the pptp daemon "yum install pptpd"
3) "nano /etc/pptpd.conf" to open the configuration file.
4) we remove the # before "bcrelay eth1" and configure the last 2 lines (local-ip and remote-ip) to be the wanted ip ranges
5) "nano /etc/ppp/chap-secrets" and we add a new user "newuser pptpd password *"
6) "service pptpd start" and your pptp server is online!

PPTP Client
1) We need to add the Poptop repository to our system so we'll do a "rpm -Uvh http://poptop.sourceforge.net/yum/stable/fc7/pptp-release-current.
noarch.rpm".
2) "yum install pptp"
3)

pptpsetup --create VPN --username yourusername --password yourpassword --server

yourserver --encrypt --start

4) "ping ip of the server" to be sure

This tutorial assume your kernel has the MPPE (Microsoft Point-to-Point Encryption) encryption module built in (but generally most kernel
nowadays include it) for security sake so that all the data would be encrypted when sent through internet.
5) Create routes

route add default ppp0 # default route

route add -net 172.16.0.0 netmask 255.255.0.0 gw 172.16.80.1 # All local network

Disconnect VPN
#!/bin/sh
killall -TERM pppd

Options.pptp
Server
Server
###############################################################################

# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $

#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40
# enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3

#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)

Client

Client
###############################################################################
# $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###############################################################################
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
#
# Note that using PPTP with MPPE and MSCHAP-V2 should be considered
# insecure:
# http://marc.info/?l=pptpclient-devel&m=134372640219039&w=2
# https://github.com/moxie0/chapcrack/blob/master/README.md
# http://technet.microsoft.com/en-us/security/advisory/2743314
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# If the kernel is booted in FIPS mode (fips=1), the ppp_mppe.ko module
# is not allowed and PPTP-MPPE is not available.
# {{{
# Require MPPE 128-bit encryption
#require-mppe-128
# }}}
# http://mppe-mppc.alphacron.de/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
#mppe required,stateless
# }}}