Install pptp on centos6 with free-radius

Summary: We are going to install the pptp VPN on a CentOS 6.5 x86_64 server and authenticate users against a remote FreeRADIUS server.

1. Update your server and download the pptpd rpm.

yum update

yum install wget

wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm

rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm

If you hit dependency errors for ppp and perl, install them and retry.

yum install ppp

yum install perl

Then run the command again: rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm

Preparing…                ########################################### [100%]
1:pptpd                  ########################################### [100%]

You are good to go further.

2. Install an editor and open the pptpd configuration file.

yum install vim

vim /etc/pptpd.conf

Add the lines below at the end of the file (localip is the address the server uses on the tunnel, remoteip the pool handed out to clients).

localip 10.0.0.1
remoteip 10.0.0.10-100

save and exit. :wq!

3. open the file /etc/ppp/options.pptpd

vim /etc/ppp/options.pptpd

Uncomment the ms-dns lines (remove the '#' in front of them) and change them to the DNS servers provided by your ISP, or to public resolvers such as Google DNS or OpenDNS.

ms-dns 8.8.8.8
ms-dns 8.8.4.4

:wq!

4. Enable IP forwarding. Open the file /etc/sysctl.conf and set 'net.ipv4.ip_forward' to 1:
vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

5. To make the changes to sysctl.conf take effect, run the following command.

sysctl -p

6. Next, configure iptables to do NAT.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

7. Next, allow TCP port 1723 (the PPTP control channel) and the GRE protocol (the tunnel itself) through iptables.

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT

iptables -A INPUT -i eth0 -p gre -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The following FORWARD rules are necessary if you want to route all of your internet traffic through the VPN server.

iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

Save iptables.

service iptables save
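The firewall steps above (4 through 7) are easy to get wrong when typed by hand, and re-running them appends duplicate rules. The script below is an added example, not part of the original post: it builds the same rule set for a given public interface (assumed to be eth0, override with the first argument), applies only the rules that are not already present, and can verify a saved listing from `iptables -S; iptables -t nat -S` plus the ip_forward setting. Because the iptables shipped with CentOS 6 predates the `-C/--check` option, presence is decided by pattern-matching the `-S` output, which is also why the patterns tolerate the `-m tcp` and `RELATED,ESTABLISHED` forms iptables prints back.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent apply + verify for
# the PPTP NAT/firewall rules. Assumptions: public interface eth0 unless
# overridden, and a rule listing in `iptables -S` format for verification.

# One entry per line: <ERE matching the rule in `iptables -S` output>;<arguments to add it>
pptp_rule_table() {
    wan="$1"
    cat <<EOF
^-A POSTROUTING .*-o $wan .*-j MASQUERADE;-t nat -A POSTROUTING -o $wan -j MASQUERADE
^-A INPUT .*-i $wan .*-p tcp .*--dport 1723 .*-j ACCEPT;-A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT
^-A INPUT .*-i $wan .*-p gre .*-j ACCEPT;-A INPUT -i $wan -p gre -j ACCEPT
^-A INPUT .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) .*-j ACCEPT;-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
^-A FORWARD .*-i ppp[+] .*-o $wan .*-j ACCEPT;-A FORWARD -i ppp+ -o $wan -j ACCEPT
^-A FORWARD .*-i $wan .*-o ppp[+] .*-j ACCEPT;-A FORWARD -i $wan -o ppp+ -j ACCEPT
EOF
}

# Reads a rule listing on stdin; prints the argument list of every required
# rule that is not present in it (prints nothing when the set is complete).
missing_pptp_rules() {
    wan="${1:-eth0}"
    listing=$(cat)
    pptp_rule_table "$wan" | while IFS= read -r entry; do
        pat="${entry%%;*}"
        rule="${entry#*;}"
        printf '%s\n' "$listing" | grep -Eq -- "$pat" || printf '%s\n' "$rule"
    done
}

# Succeeds only if every required rule is present in the listing on stdin.
verify_pptp_rules() {
    [ -z "$(missing_pptp_rules "${1:-eth0}")" ]
}

# Succeeds only if the given sysctl file (default /etc/sysctl.conf) enables forwarding.
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "${1:-/etc/sysctl.conf}"
}

# Adds only the rules that are missing from the live tables (needs root).
apply_pptp_rules() {
    wan="${1:-eth0}"
    set -f   # rule strings are word-split on purpose; disable globbing while doing so
    { iptables -S; iptables -t nat -S; } | missing_pptp_rules "$wan" | while IFS= read -r rule; do
        echo "adding: iptables $rule"
        iptables $rule
    done
    set +f
}

# Usage: sh pptp-fw.sh apply [iface]   or   sh pptp-fw.sh verify [iface]
case "${1:-}" in
    apply)  apply_pptp_rules "${2:-eth0}" && service iptables save ;;
    verify) check_ip_forward || echo "ip_forward is not enabled in /etc/sysctl.conf"
            { iptables -S; iptables -t nat -S; } | missing_pptp_rules "${2:-eth0}" ;;
esac
```

Run `sh pptp-fw.sh verify` after `service iptables save` (and again after a reboot) to confirm the GRE, 1723, NAT and FORWARD rules survived; any line it prints is a rule that is absent.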

8. Now start the PPTP server if you haven’t already.

service pptpd restart

Shutting down pptpd: [FAILED]
Starting pptpd: [ OK ]
Warning: a pptpd restart does not terminate existing
connections, so new connections may be assigned the same IP
address and cause unexpected results. Use restart-kill to
destroy existing connections during a restart.

----------------------------------------

That should be it for PPTP. If you have problems browsing sites while connected, you may need to lower the MTU of the ppp interface: open the /etc/ppp/ip-up file and, just before the last line, add the following line.

/sbin/ifconfig $1 mtu 1400

Save the file after that and then restart the PPTP server.

service pptpd restart
----------------------------------------
Now we need to set up radiusclient so that PPTP authenticates against RADIUS. Let's grab the radius client package.

1. wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

rpm -i radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Now open /etc/radiusclient/servers. It should look like the listing below; replace the values with your RADIUS server's hostname or IP and its secret, which is the shared secret defined for this client in /etc/raddb/clients.conf on your FreeRADIUS server:

#Server Name or Client/Server pair        Key
#----------------------------------      ----------------
#portmaster.elemental.net            hardlyasecret
#portmaster2.elemental.net                donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP  YOUR_RADIUS_SERVER_SECRET

Now open the main configuration file for radiusclient, /etc/radiusclient/radiusclient.conf, and make sure it looks something like below (I stripped all the remarks out):

auth_order    radius,local
login_tries    4
login_timeout    60
nologin /etc/nologin
issue    /etc/radiusclient/issue
authserver     RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver     RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers        /etc/radiusclient/servers
dictionary     /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile        /var/run/radius.seq
mapfile        /etc/radiusclient/port-id-map
default_realm
radius_timeout    10
radius_retries    3
login_local    /bin/login

Save it. In the /etc/radiusclient directory there is a file called dictionary; add this line at the very bottom of it:

INCLUDE /etc/radiusclient/dictionary.microsoft

The file dictionary.microsoft is not included in the radius client package, but not to worry, I made one up and you can download it here; just upload this file into the /etc/radiusclient/ directory.

Next, modify the /etc/ppp/options.pptpd file and add the two lines below so pppd loads the RADIUS plugins.

plugin radius.so
plugin radattr.so

Now restart pptpd, and PPTP should be authenticating against your FreeRADIUS server:

service pptpd restart

And make sure PPTPD starts at boot:

chkconfig pptpd on
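Before that restart it is worth checking that the radiusclient pieces above actually line up, since a leftover placeholder or a missing dictionary include only shows up as failed logins. The check below is an added example, not part of the original post or of radiusclient itself. It assumes the radiusclient 0.3.2 file layout described above (servers, radiusclient.conf, dictionary, dictionary.microsoft), that the `servers` file, which holds the RADIUS shared secret, should be readable by root only (mode 600), and GNU `stat`; the directory and options-file paths are parameters so it can be pointed at a copy of the config.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the radiusclient
# configuration for pptpd. Assumptions: radiusclient 0.3.2 layout, GNU stat,
# and a root-only (600) mode on the servers file that holds the shared secret.

# $1: radiusclient directory (default /etc/radiusclient)
# $2: pppd options file     (default /etc/ppp/options.pptpd)
# Prints one ok/FAIL line per check; returns 1 if any check fails.
check_radius_setup() {
    dir="${1:-/etc/radiusclient}"
    opts="${2:-/etc/ppp/options.pptpd}"
    rc=0

    # 1. servers: a real "host secret" line exists and the placeholder is gone.
    if grep -Ev '^[[:space:]]*(#|$)' "$dir/servers" 2>/dev/null | grep -Eq '^[^[:space:]]+[[:space:]]+[^[:space:]]+'; then
        if grep -q 'YOUR_RADIUS_SERVER' "$dir/servers"; then
            echo "FAIL: $dir/servers still contains the placeholder entry"; rc=1
        else
            echo "ok: $dir/servers has a server/secret entry"
        fi
    else
        echo "FAIL: $dir/servers has no server/secret entry"; rc=1
    fi

    # 2. The shared secret must not be group/world readable.
    mode=$(stat -c '%a' "$dir/servers" 2>/dev/null || echo 000)
    case "$mode" in
        600|400) echo "ok: $dir/servers mode $mode" ;;
        *)       echo "FAIL: $dir/servers mode $mode (expected 600)"; rc=1 ;;
    esac

    # 3. radiusclient.conf: authserver/acctserver set and not placeholders.
    for key in authserver acctserver; do
        val=$(awk -v k="$key" '$1 == k { print $2 }' "$dir/radiusclient.conf" 2>/dev/null)
        case "$val" in
            ''|*RADIUS_SERVER_IP_OR_HOSTNAME*) echo "FAIL: $key not set in $dir/radiusclient.conf"; rc=1 ;;
            *) echo "ok: $key = $val" ;;
        esac
    done

    # 4. dictionary INCLUDEs the Microsoft attributes and that file exists.
    if grep -Eq '^INCLUDE[[:space:]]+.*dictionary\.microsoft' "$dir/dictionary" 2>/dev/null \
       && [ -f "$dir/dictionary.microsoft" ]; then
        echo "ok: dictionary.microsoft is included"
    else
        echo "FAIL: dictionary.microsoft missing or not INCLUDEd in $dir/dictionary"; rc=1
    fi

    # 5. pppd loads both RADIUS plugins.
    for p in radius.so radattr.so; do
        if grep -Eq "^plugin[[:space:]]+$p" "$opts" 2>/dev/null; then
            echo "ok: $opts loads $p"
        else
            echo "FAIL: $opts does not load $p"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check-radius.sh [radiusclient-dir] [options.pptpd]
case "${1:-}" in
    --run) check_radius_setup "${2:-}" "${3:-}" ;;
esac
```

Run it as `sh check-radius.sh --run` on the server; a non-zero exit means at least one FAIL line was printed, and those are the items to fix before `service pptpd restart`.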

Thanks to safesrv.net for help and support
