With this tip you will be able to work from home over a VPN from a Linux / FreeBSD system, connecting to the proprietary Microsoft Point-to-Point VPN server.
Different organizations use different VPN connection options such as SSL, PPTP or IPSEC. When you need to access a corporate network and its services, you need to log in using a VPN.
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. It works at the data link layer (layer 2) of the TCP/IP model. Personally I prefer IPSEC. PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. It allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers.
But many organizations use PPTP because it is easy to use and works with Windows, Mac OS X, Linux/*BSD and other handheld devices.
Compatibility note
I’ve tested instructions and pptp on:
[a] CentOS / RHEL / Fedora Core Linux running 2.6.15+ kernel
[b] Ubuntu and Debian Linux running 2.6.15+ kernel
[c] FreeBSD etc
I’ve found that pptp client is 100% compatible with the following servers/products:
[a] Microsoft Windows VPN Server
[b] Linux PPTP Server
[c] Cisco PIX etc
How do I install PPTP client under Linux?
By default most distros install a PPTP client called PPTP-linux, which is the client for the proprietary Microsoft Point-to-Point Tunneling Protocol. Use the apt-get or yum command to install the pptp client:
$ sudo apt-get install pptp-linux network-manager-pptp
Fedora Core users can install the client using the rpm command:
# rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm
# yum --enablerepo=pptp-stable install pptpconfig
[b] pptp-linux – Point-to-Point Tunneling Protocol (PPTP) command line client
How do I configure client using command line (cli)?
You need to edit / create the following configuration files:
- /etc/ppp/chap-secrets – Add your login name / password for authentication using CHAP. Pppd stores secrets for use in authentication in secrets files.
- /etc/ppp/peers/myvpn-name – A dialup connection authenticated with PAP / CHAP configuration file. You need to add your dialup server name and other information in this file.
Sample configuration data
- PPTP server name: pptp.vpn.nixcraft.com
- VPN User Name : vivek
- VPN Password: VpnPassword
- Connection name: delhi-idc-01
Open /etc/ppp/chap-secrets file:
# vi /etc/ppp/chap-secrets
OR
$ sudo vi /etc/ppp/chap-secrets
Append line as follows:
vivek PPTP VpnPassword *
Save and close the file.
Create a connection file called /etc/ppp/peers/delhi-idc-01 (replace delhi-idc-01 with your connection name such as office or vpn):
# vi /etc/ppp/peers/delhi-idc-01
Append configuration data as follows:
pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd"
name vivek
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam delhi-idc-01
Close and save the file. Where,
- pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd": Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.) In this case we are using the pptp client to establish the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). pptp.vpn.nixcraft.com is my host name (or IP address) for the PPTP server. The --nolaunchpppd option means do not launch pppd but use stdin as the network connection. Use this flag when including pptp as a pppd connection process using the pty option.
- name vivek: VPN username
- remotename PPTP: Set the assumed name of the remote system for authentication purposes to name. If you don't know the name, ask your network administrator.
- require-mppe-128: Require the use of MPPE, with 128-bit encryption. Traffic must be encrypted.
- file /etc/ppp/options.pptp: Read and apply all pppd options from options.pptp file. Options used by PPP when a connection is made by a PPTP client.
- ipparam delhi-idc-01 : Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts (optional).
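The checks below are an added example, not part of the original article or of the pptp project: a shell function that audits a peer file and chap-secrets for the settings described above before you dial. The function names, the finding codes and the temporary demo files are assumptions of this example; the sample values are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit a pppd peer file and chap-secrets before dialing.
# Prints one finding per line; returns 0 only when there are none.
audit_pptp_peer() (
    peer=$1 secrets=$2 findings=0
    finding() { echo "$1"; findings=$((findings + 1)); }

    # chap-secrets stores the VPN password in clear text: owner-only access.
    perms=$(ls -ld "$secrets" | cut -c5-10)
    [ "$perms" = "------" ] || finding "SECRETS_PERMS group/other bits set: $perms"

    # The peer file must insist on 128-bit MPPE.
    grep -Eq '^[[:space:]]*require-mppe-128([[:space:]]|$)' "$peer" ||
        finding "NO_MPPE128 require-mppe-128 missing"

    # pptp started from a pty line must be told not to launch its own pppd.
    if grep -Eq '^[[:space:]]*pty[[:space:]].*pptp' "$peer" &&
       ! grep -Eq '^[[:space:]]*pty[[:space:]].*--nolaunchpppd' "$peer"; then
        finding "PTY_FLAG pty line lacks --nolaunchpppd"
    fi

    # Typographic quotes or dashes pasted from a web page are not ASCII.
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$peer" &&
        finding "NON_ASCII peer file contains non-ASCII bytes"

    # name/remotename must match a client/server line in chap-secrets.
    user=$(awk '$1 == "name" { print $2; exit }' "$peer")
    remote=$(awk '$1 == "remotename" { print $2; exit }' "$peer")
    awk -v u="$user" -v r="$remote" \
        'NF >= 3 && $1 == u && ($2 == r || $2 == "*") { ok = 1 } END { exit !ok }' \
        "$secrets" || finding "NO_SECRET no chap-secrets line for $user / $remote"

    [ "$findings" -eq 0 ]
)

# Demo on constructed files that mirror the sample configuration on this page.
demo_audit() (
    dir=$(mktemp -d) || exit 1
    printf '%s\n' 'vivek PPTP VpnPassword *' > "$dir/chap-secrets"
    chmod 644 "$dir/chap-secrets"        # deliberately too open
    printf '%s\n' 'pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd"' \
        'name vivek' 'remotename PPTP' 'ipparam delhi-idc-01' > "$dir/peer"
    audit_pptp_peer "$dir/peer" "$dir/chap-secrets"; rc=$?
    rm -rf "$dir"
    exit "$rc"
)
demo_audit || echo "findings reported; fix them before running pppd call"
```

On a real system, call it as audit_pptp_peer /etc/ppp/peers/delhi-idc-01 /etc/ppp/chap-secrets.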
Route traffic via ppp0
To route traffic via the ppp0 interface, add the following route command to /etc/ppp/ip-up.d/route-traffic:
# vi /etc/ppp/ip-up.d/route-traffic
Append the following sample code (modify NET and IFACE as per your requirements):
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
Save and close the file, then make it executable:
# chmod +x /etc/ppp/ip-up.d/route-traffic
Task: connect to PPTP server
Now you need to dial out to your office VPN server. This is the most common use of pppd. This can be done with a command such as:
# pppd call delhi-idc-01
If everything went correctly you should be online and ppp0 should be up. The remote server will assign an IP address and other routing information. Here is the message from my /var/log/messages file:
# tail -f /var/log/messages
Output:
Jun 11 23:38:00 vivek-desktop pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Connect: ppp0 /dev/pts/4
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local IP address 10.5.3.44
Jun 11 23:38:05 vivek-desktop pppd[30088]: remote IP address 10.0.5.18
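As an added example (not from the original article), the awk filter below reads log text in the format shown above and reports, for each pppd process, whether the link came up with 128-bit MPPE, came up without it, or never came up. The sample lines and hostname are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify pppd sessions in syslog by whether MPPE came up.

# Constructed sample, using pppd message formats of the kind shown on this page.
SAMPLE_LOG='Jun 11 23:38:00 vpnclient pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:03 vpnclient pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vpnclient kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vpnclient pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vpnclient pppd[30088]: local IP address 10.5.3.44
Jun 12 08:01:10 vpnclient pppd[15906]: CHAP authentication succeeded
Jun 12 08:01:10 vpnclient pppd[15906]: CCP terminated by peer (No compression negotiated)
Jun 12 08:01:10 vpnclient pppd[15906]: Compression disabled by peer.
Jun 12 08:01:10 vpnclient pppd[15906]: local IP address 10.5.3.45
Jun 12 09:15:19 vpnclient pppd[19337]: Using interface ppp0
Jun 12 09:15:20 vpnclient pppd[19337]: Connection terminated.'

# Reads syslog text on stdin; prints "<pid> <verdict> <local-ip or ->" per PID.
#   ENCRYPTED    link came up and pppd logged MPPE 128-bit as enabled
#   UNENCRYPTED  link came up (local IP assigned) with no MPPE line
#   NO_LINK      pppd never reached "local IP address"
classify_pppd_sessions() {
    awk '
    # Only lines written by pppd itself; kernel and pptp lines are skipped.
    match($0, /pppd\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 5, RLENGTH - 7)
        msg = substr($0, RSTART + RLENGTH + 1)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if (msg ~ /^MPPE 128-bit .*enabled/) mppe[pid] = 1
        if (msg ~ /^local IP address /) { split(msg, f, " "); ip[pid] = f[4] }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (!(p in ip))     { verdict = "NO_LINK";     addr = "-" }
            else if (p in mppe) { verdict = "ENCRYPTED";   addr = ip[p] }
            else                { verdict = "UNENCRYPTED"; addr = ip[p] }
            print p, verdict, addr
        }
    }'
}

# Succeeds (exit 0) when at least one session came up without MPPE.
has_unencrypted_session() {
    classify_pppd_sessions | grep -q ' UNENCRYPTED '
}

printf '%s\n' "$SAMPLE_LOG" | classify_pppd_sessions
```

Against a live system, feed it the real log: classify_pppd_sessions < /var/log/messages.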
Task: Disconnect PPTP server vpn connection
Simply kill the pppd process; enter:
# killall pppd
OR
# kill {pppd-PID}
How do I configure PPTP client using GUI tools?
If you are using Debian / Ubuntu, just click on Network configuration Icon on taskbar > VPN Connection > Configure VPN > Add:
Click Forward:
Select PPTP tunnel > Forward:
Enter Connection Name, VPN Server / Gateway hostname/IP address > Click on the different tabs to configure other parameters > Forward >
Save and close the dialog box. To connect via VPN click on Network Icon > Select VPN Connection > Connection name (Mumbai VSNL IDC) > Enter your VPN username and password and click on Ok
If you are using Fedora Core Linux, run pptpconfig as root and just follow the on-screen instructions:
# pptpconfig &
Troubleshooting hints
If the connection fails, you might need to gather more information and try out following troubleshooting tips.
Q. I’m authenticated successfully but cannot route traffic..
A. Use the ip command to add a route manually:
# ip route add {NETWORK} dev ppp0
# ip route add 10.0.0.0/8 dev ppp0
Or use route command:
# route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0
Q. I’m authenticated successfully, I can ping to remote gateway but cannot access host by name…
A. Setup correct DNS server names in /etc/resolv.conf file:
# cat /etc/resolv.conf
Output:
search nixcraft.com
nameserver 10.0.6.1
nameserver 10.0.6.2
nameserver 208.67.222.222
Q. How do I open my local network (laptop, desktop and other system) to talk with any computer behind VPN server via this local Linux ppp0 interface (i.e. act this computer as router)…?
A. Append the following two rules to your existing iptables rules to turn on routing (adjust the IP address range as per your setup):
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
Q. Point-to-Point Encryption is not working and I’m not able to connect to remote PPTP server…
A. Make sure you are using a 2.6.15 or above kernel. If you are using an old kernel version, upgrade to the latest version and compile support for the ppp_mppe kernel module. If you are using the latest version, load the driver using modprobe:
# modprobe ppp_mppe
# pppd call myoffice
Note: You can always get more information by reading pptp diagnosis howto here.
A note to readers
As I said earlier, I prefer to use an open source solution such as OpenVPN or IPsec as they are more secure. PPTP is not secure enough for some information security policies. Next time I will write about OpenVPN and IPsec.
Further readings
- Please read pppd, pptp, iptables man pages.
- Official pptp client home page
Whoops… pasted the whole damn thing…
I meant to paste:
root@raspberrypi:~# tail -f /var/log/messages
Nov 27 20:44:19 raspberrypi pppd[19337]: pppd 2.4.5 started by root, uid 0
Nov 27 20:44:19 raspberrypi pppd[19337]: Using interface ppp0
Nov 27 20:44:19 raspberrypi pppd[19337]: Connect: ppp0 /dev/pts/2
Nov 27 20:44:20 raspberrypi pppd[19337]: Connection terminated.
Nov 27 20:44:20 raspberrypi pppd[19337]: Exit.
Nov 27 20:47:59 raspberrypi pppd[19492]: pppd 2.4.5 started by root, uid 0
Nov 27 20:47:59 raspberrypi pppd[19492]: Using interface ppp0
Nov 27 20:47:59 raspberrypi pppd[19492]: Connect: ppp0 /dev/pts/2
Nov 27 20:48:00 raspberrypi pppd[19492]: Connection terminated.
Nov 27 20:48:00 raspberrypi pppd[19492]: Exit.
Hi
Can anybody help me out with the Suse Linux PPTP client? No matter what configurations I use, it always gives me an MS-Chap authentication error. Any help?
What went wrong on the 2nd command? anyone who will lead on this. thanks.
I did exactly as you wrote and
I receive this on my CentOS LCP: timeout sending Config-Requests.
I have already tried to connect from Windows 7 and the VPN connected successfully.
Hi Vivek and everybody here,
Does anybody here have any experience with setting up the client VPN against a Microsoft PPTP VPN server which uses client certificates? I already patched my ppp using this patch. But I am not able to set this connection up.
Thanks for some example of configuration.
Information about live connection I gathered from the Windows client are following:
I use following command to initiate connection, but without any success:
Lukas, yes, you can monitor VPN users' traffic. The simplest solution is IP-address-based traffic accounting via iptables. This approach requires that each VPN user has its own unique IP address. For example:
iptables -N ACCOUNT
iptables -A ACCOUNT -s 10.10.10.2 -j RETURN
iptables -A ACCOUNT -s 10.10.10.3 -j RETURN
……………
iptables -A FORWARD -j ACCOUNT
Then you can get packets and bytes counters with the command:
iptables -nL ACCOUNT -vx
and probably graph the stats via cacti/munin/etc…
Hello there. Thanks for the very nice PPTP VPN manual. I have just one question. Is it possible to monitor users' traffic on the VPN? Give users a quota for the VPN? The problem is that users on my server are making too much traffic and I need to stop this. Thanks for any help. lu
I have set up PPTP VPN server on linux
But accounts are open for concurrent simultaneous connections. means there can be many users using one account at the time.
i need to limit that to one user at the time.
anybody knows how it can be done?
I’d like to add my success to this.
For anyone who doesn’t want to force all traffic over the VPN, but rather just traffic bound to that interface, use the following script in /etc/ppp/if-up.d/route-traffic:
IF1=ppp0
IP1=VPN_CLIENT_IP
P1=VPN_GATEWAY_IP
P1_NET=VPN_NETWORK_IP
ip route add $P1_NET dev $IF1 src $IP1 table extra
ip route add default via $P1 table extra
ip route add $P1_NET dev $IF1 src $IP1
ip rule add from $IP1 table extra
Be sure to:
echo "10 extra" >> /etc/iproute2/rt_tables
Tested on countless Debian/Ubuntu servers. Enjoy!
The if-up.d does not exist after installation, are we supposed to create this directory, or have things changed in recent versions?
I’m on RHEL though…
don’t worry, found it
Just a quick question, I run Ubuntu 10.04 – Lucid Lynx, is there any way of firing a script or scripts when the VPN Connects / disconnects from the campus VPN.
In CENTOS 5 there is no ip-up.d but you can instead add the route commands to
/etc/ppp/ip-up.local
use chmod to make it executable and then it will work.
i tried the CLI to configure
and got the following output
OS is RH 5.3
Jan 25 13:12:25 vis pptp[8755]: anon log[ctrlp_disp:pptp_ctrl.c:781]: Received Stop Control Connection Request.
Jan 25 13:12:25 vis pptp[8755]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 4 ‘Stop-Control-Connection-Reply’
Jan 25 13:12:25 vis pptp[8755]: anon log[callmgr_main:pptp_callmgr.c:253]: Closing connection
Jan 25 13:12:25 vis pptp[8755]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 ‘Call-Clear-Request’
Jan 25 13:12:25 vis pppd[8749]: Modem hangup
Jan 25 13:12:25 vis pppd[8749]: Connection terminated.
Jan 25 13:12:25 vis pptp[8755]: anon log[pptp_read_some:pptp_ctrl.c:537]: read returned zero, peer has closed
Jan 25 13:12:25 vis pppd[8749]: Exit.
Jan 25 13:12:27 vis pptp[8755]: anon log[pptp_read_some:pptp_ctrl.c:537]: read returned zero, peer has closed
Jan 25 13:12:29 vis pptp[8755]: anon log[call_callback:pptp_callmgr.c:77]: Closing connection
sending information for e-mail ; thank you
Hi
I am trying to use your setup. I think I got most of the setup fine except the “IFACE” thing. What is it supposed to be?
thanks
I want to delete my VPN and I can’t 🙁
I can’t use my real ip or to open any browser without VPN.
There is another way to do this, by using pptpsetup command…
e.g.
pptpsetup --create --server server_ip_addr --username --password
Excellent & simple to follow.
They worked for me.
Thanks Michael, I tried changing permission with this command it says:
“chmod: cannot access `/etc/ppp/ip-up.d/route-traffic’: No such file or directory”
@Nawab,
I just created the ip-up.d (directory) and create the file route-traffic..
Since no one answered my question, out of luck it works!
***
#!/bin/bash
NET="192.168.1.0/24" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
***
I receive the following error after saving route-traffic file with the aforementioned excerpt.
“/etc/ppp/ip-up.d/route-traffic”
“/etc/ppp/ip-up.d/route-traffic” E212: Can’t open file for writing
Kindly help !!!
@Nawab
i think you should set the permission.
# chmod +x /etc/ppp/ip-up.d/route-traffic
Hi!
How to make script to auto connect to vpn server when I got disconnected?
Thanks!
where can i edit /etc/ppp/ip-up.d/route-traffic?
it’s not available in my centos 5.3 server
Thank you Vivek for sharing the information!
Hi friends, I have a problem with the internet. I want to install a net hub, so how do I install it? Please help me, I will be thankful.
Also.. What is the proper NET and IFACE?
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
$NET – the network you wish to be routed via the VPN connection. If you want all your traffic to go via the VPN tunnel, use “0.0.0.0/0” as the value for the $NET variable. $IFACE – the network interface which appears after the VPN connection is established (usually ppp0).
No luck here. I have tried both commandline and gui on ubuntu jaunty and no luck. via the gui it says that I am connected to my work VPN, however i can not login to my machine or ping anything on the network.
Any ideas? I am at my wits end.
Users of KDE 4 can’t use gui tools to connect over pptp vpn. If anybody needed this feature, please register and vote for it.
https://bugs.kde.org/show_bug.cgi?id=174439
Please send me the ppt of following configuration
Hi,
I have small problem ,i already using ppptd and now running but i have ip still using DHCP (old ISP/IP Private) not from ip vpn (new ISP/IP Public) ,what cause this ?
i tried to ping from network-tools.com and the message is ” Timed out ” but i can ping the vpn gateway also got reply quickly.
log message :
May 24 12:28:30 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
May 24 12:28:30 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 ‘Outgoing-Call-Request’
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
May 24 12:28:31 cpe-134-112 pptp[15920]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer’s call ID 27914).
May 24 12:28:31 cpe-134-112 pppd[15906]: CHAP authentication succeeded
May 24 12:28:31 cpe-134-112 pppd[15906]: CCP terminated by peer (No compression negotiated)
May 24 12:28:31 cpe-134-112 pppd[15906]: Compression disabled by peer.
May 24 12:28:31 cpe-134-112 pppd[15906]: local IP address 202.147.201.119
May 24 12:28:31 cpe-134-112 pppd[15906]: remote IP address 202.147.205.1
Let me know about this..
thanks,
Could you please update the GUI settings for the Jaunty?
Very good explanation, but the repository appears not to be valid. I have not been able to find a new one, so I am in dependency hell trying to get it to work. If anybody knows the door out let me know. 🙂
I know this is an old thread, but I followed these instructions and my VPN connection worked great. Then later on it stopped working and I couldn’t determine why for the longest time. I thought Firestarter may have been the culprit, so I uninstalled it. Didn’t help. Finally last night I uninstalled other vpn software I had loaded, but wasn’t using: OpenSwan, IKE and probably a couple others. And voilà, my PPTP VPN connection began working again.
There is an OpenSource alternative to Microsoft PPTP Server, and is called PopTop. Runs on Linux, however works only with 128 bits encryption and MS CHAP v2 authentication that are the least insecure PPTP options.
Best Regards.
And one more alternative is pptpd (vpn-server implementing PPTP protocol)
hello.
Thanks for the tutorial! worked great!
I have come across a problem though. The connection times out every 1000 minutes or so.
Does anyone have any ideas on what could be causing this?
Thanks!
Worked perfectly on my Ubuntu system.
Vivek – you can add a note in your excellent article – ‘10.0.0.0/8’ this is the network at the work place. For example the VPN server that I am trying to connect to is on the network ‘192.168.17.0/24’.
I just had to make that change to the config file – route-traffic – and everything worked fine.
Thanks Sandip.
I didn’t realise this one… now my VPN connection is working great!
Excellent article! I was able to setup this one without much difficulty on CentOS 5. Thanks a lot!
I’m using Arch Linux (all current), and it worked perfectly. Thanks for the help!
in my system there is no item by this name “pptp tunnel”
pls help me!!
It simply does not work
No default route set, no connection at all
I had to go back to WindowsXP
I know this is a very old thread, but I had the same problem with the local campus network. No Default Route to x.x.x.x.
The fix turned out to be really easy.
sudo route add default gw 10.25.10.1
and bingo it started working, hope this helps someone in the future.
p.s. replace the 10.25.10.1 with the address of YOUR gateway.
Hello !
I set up pptpd on ubuntu 6.10
i did manage to connect to the pptpd server
but I am having issues with my default gateways.
my clients are windows boxes.
I connect to the VPN and this is what i see in my
PPP adapter ramsam:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . .:00-53-45-00-00-00
Dhcp Enabled. . . . : No
IP Address. . . . . . : 192.168.1.50
Subnet Mask . . . . . : 255.255.255.255
Default Gateway . . . : 192.168.1.50
DNS Servers . . . . . : 192.168.1.1
4.2.2.2
How do I make sure my vpn clients get the default gateway of 192.168.1.1 and why is it taking the ipaddress assigned to it as the gw.
my DHCP runs on my router 192.168.1.1
It’s because Windows considers the VPN connection route preferable to your default route. To avoid this problem try to uncheck
the option “use default gateway in remote network” in TCP-IP options of VPN-connection (“Advanced…” button).
Hi
My Lan is connected to internet using the Linux firewall and ADSL Modem.
My Lan Architecture:
vpnclient–>Linux–>ADSL MODEM–>net–>VPNSERVER
From ADSL modem asigned public IP.
Now My Question??
How I will connect my LAN(VPN client) to server.
Please help me out.
I will be thankful
Arul
If your ADSL modem is in the bridge mode, and Linux firewall performs NAT for vpnclient, you should connect to VPNSERVER without problems. However, you may need to tune the firewall on the linux box (FORWARD chain) and load ip_nat_pptp kernel module (via modprobe command).
Hi,
I need to connect my linux centos4.4 server to VPN windows 2003. I tried to install pptpclient while I do not have apt-get and use
yum --enablerepo=pptp-stable install pptpconfig with dependencies error
Error: Missing Dependency: libxml.so.1 is needed by package php4-pcntl-gtk
Error: Missing Dependency: libglade.so.0 is needed by package php4-pcntl-gtk
Please help me, I will be thankful
Regards
Adnan
I have this problem….
Try to install rpm pptp instead of pptpconfig and use command line for further configuring.
Great guide! This helped me get beyond my problems using the GUI tools, which don’t report all the info. Also, the “fault tree” link on the pptpclient page is a good debugging resource.
I appreciate the command line tool approach, as that shows you more what is happening under the covers, and to test your config step by step.
Kari,
The PPTP is not secure enough for some information security policies and I personally like to use OpenVPN. PPTP is known to be a faulty protocol and your link in FAQ proves the same. This tutorial is for those who can’t switch to OpenVPN.
Appreciate your post!
Obligatory post to point out that Microsoft’s PPTP was, as initially implemented, very insecure. It may be that Microsoft has completely rewritten it since then and fixed every problem, I don’t know. Wikipedia says it can be compromised if MSCHAP-V2 is used and users choose weak passwords, so you’d want to try to avoid MSCHAP-V2. It appears to me that this article configures PPTP with MSCHAP-V2. You’d also need to check all your Microsoft Windows machines to be sure they’re not using a broken implementation.
An easy alternative is OpenVPN, which has a MS Windows installer and is all-around easy to implement.
Dear all fellows,
i have installed Linux i.e ubuntu 10.04 on my PC in which i have installed pptp client and able to connect it successfully but problem is that it unable to browse internet. in windows it works fine.
Kindly help me out.
Regard,
Syed Zaigham Ali
Check u r gateway using “route -n” command.Try to post u r output.
Yes mahesh, it was a gateway problem. My service provider didn’t want to tell me the gateway and network address and said to install Windows, as they don’t provide services on Linux. But finally I found it out and am using the internet on UBUNTU…:)