How to: Install and Configure PPTP VPN on a cPanel server

This tutorial will show you how to easily install and configure a PPTP VPN server on a cPanel (RHEL/CentOS) server. A VPN server can be used to access geographically restricted websites if your cPanel server is located in a non-restricted country. Also you can use it to encrypt your data connection between your computer and cPanel server if for example you’re connected to a public WiFi hotspot and want to visit your web-banking account.

ppp & pptpd installation and configuration

The two packages needed to setup the VPN server are ppp and poptop.
To install ppp:

yum install ppp

To install poptop:
Go to http://poptop.sourceforge.net/yum/stable/, select rhel5 or rhel6 and i386 or x86_64 depending on which RHEL/CentOS release/architecture you have running on your cPanel server, and copy the URL to the pptpd rpm. In my case I was running CentOS 5.6 x64 so I used pptpd-1.3.4-2.rhel5.x86_64.rpm.

wget http://poptop.sourceforge.net/yum/stable/rhel5/x86_64/pptpd-1.3.4-2.rhel5.x86_64.rpm
rpm -ivh pptpd-1.3.4-2.rhel5.x86_64.rpm

When poptop has finished installing, open the file /etc/pptpd.conf for editing. I use nano.

[bash]nano /etc/pptpd.conf[/bash]

Using Ctrl + V go to the end of the file, and add the following two lines:

localip 10.22.222.1
remoteip 10.22.222.22-122

Local IP will be assigned to the ppp interface, and the Remote IP range is the range of IPs that will be assigned to VPN clients. Be creative and use private IPs that most probable won’t conflict with any other IPs if you’re in an Internet Cafe, or an airport WiFi. A list of possible IPs to use as well as some more info about numbering private subnets can be found at the OpenVPN documentation here.

Next open the /etc/ppp/options.pptpd file for editing.

nano /etc/ppp/options.pptpd

Go to the ms-dns lines, add a set of DNS servers below like this

ms-dns 8.8.8.8
ms-dns 8.8.4.4

and save/close the file. In my case I used Google DNS, but you can use anything you like ie. OpenDNS or your ISPs DNS servers.

Finally open the file /etc/ppp/chap-secrets to add some users.
Here’s a sample:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpnuser1 pptpd randompass1 *
vpnuser2 pptpd randompass2 *

Just change vpnuserX and randompassX to anything you like. Also if your clients have a static IP you can enter it instead of the * so that the particular VPN user will only be able to login from the specified IP.

Firewall configuration

Since you’re running cPanel, you’re most probably running csf. But before we get into the csf configuration, we first need to enable IP forwarding. So open /etc/sysctl.conf and at the very first lines you will see the parameter net.ipv4.ip_forward. Set it to 1, save the file, and run sysctl -p to apply the changes.

Now for the csf configuration, we will make use of two files that csf invokes before and after it runs. The two files are called csfpre.sh and csfpost.sh and are located in /etc/csf. If they don’t exist we’ll just go ahead and create them.

csfpre.sh

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

csfpost.sh

service pptpd stop
service pptpd start

Finally restart csf to apply the above rules and start the pptpd service.

csf -r

Setting up the client

Setting up a PPTP VPN connection is beyond the scope of this HOWTO, but you can read an excellent and comprehensive guide from Paul Stamatiou (@stammy) here. Paul has written step by step instructions on how to setup a PPTP VPN connection on Mac OS X, Windows 7 and Ubuntu. Just remember to use your own VPN server’s IP instead of his ones.

31 thoughts on “How to: Install and Configure PPTP VPN on a cPanel server

  1. Minas

    Hi George,

    Greetings from Athens, and excellent guide btw. However, I am facing a rather huge issue. For some inexplicable reason, it seems that there is no authentication process; that is, anyone can connect to the vpn service with blank credentials. I checked all my configuration files and chap-secrets file; everything is as it is supposed to.

    I am running a 64-bit OpenVZ VPS with Cpanel and Centos 5.7. I checked almost in every forum and i cannot come up with a solution (i guess i am the only one with this problem).

    Your help is greatly appreciated.

    Thanks,

    Minas

    Reply
    1. George Tasioulis Post author

      Hi Minas,

      Happy New year!

      Could you check if in the file /etc/ppp/options.pptpd the “name” option matches the second field in /etc/ppp/chap-secrets entries?

      eg:
      /etc/ppp/options.pptpd
      name pptdp

      /etc/ppp/chap-secrets
      vpnuser1 pptpd randompass1 *

      The two fields with the word “pptpd” must match.

      Reply
  2. Faraz

    I have installed PPTPd on Centos 5.6 and clients are connecting from windows XP. it was working fine , now from last 1 week My sessions are disconnecting after some time. I tried installing fresh pptpd but the issue is still there. Now i did capture PPP packets on client machines by Wireshark and got to know that when the disconnection occurs the PPP LCP protocol is showing Protocol reject messages where destination is the client IP. Any body encountered the same problem please share the solution.

    Reply
  3. siavash

    Hi
    i install and configure PPTPD on centos server and i can connect this too , but i want to browse internet through my server. how i can?!!

    Reply
  4. Salman

    Hi
    i install and configure PPTPD on centos server and i can connect this too , Further under connection, i have checked use default gateway but still it is not browsing via vpn.

    Can you please tell me what else i can do or how can i test what is wrong. I have tried reinstalling as well but still same.

    Looking forward for your detailed response.

    Regards

    Reply
    1. George Tasioulis Post author

      Do you have csf installed?
      Can you try connecting with csf disabled (csf -x)?

      I can only imagine it’s a firewall issue, or the net.ipv4.ip_forward entry under /etc/sysctl.conf hasn’t been applied.

      When you connect to the VPN can you ping 10.22.222.1? How about 208.67.222.222?

      Reply
      1. Aljaaly

        ping 10.22.222.1

        Pinging 10.22.222.1 with 32 bytes of data:
        Reply from 10.22.222.1: bytes=32 time=314ms TTL=64
        Reply from 10.22.222.1: bytes=32 time=362ms TTL=64
        Reply from 10.22.222.1: bytes=32 time=1247ms TTL=64
        Reply from 10.22.222.1: bytes=32 time=2143ms TTL=64

        Ping statistics for 10.22.222.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
        Minimum = 314ms, Maximum = 2143ms, Average = 1016ms

        C:\Users\M.Aljaaly>ping 208.67.222.222

        Pinging 208.67.222.222 with 32 bytes of data:
        Request timed out.
        Request timed out.

        ================
        I checked http://www.georgetasioulis.com/wp-content/uploads/2012/10/Windows-VPN-Client-Properties-Use-or-not-Use-Default-Gateway-on-Remote-Network.jpg
        until now no internet access available

        Reply
          1. Aljaaly

            root@news [/etc]# sysctl -p
            net.ipv4.ip_forward = 1
            net.ipv4.conf.default.rp_filter = 1
            net.ipv4.conf.default.accept_source_route = 0
            kernel.sysrq = 0
            kernel.core_uses_pid = 1
            net.ipv4.tcp_syncookies = 1
            error: “net.bridge.bridge-nf-call-ip6tables” is an unknown key
            error: “net.bridge.bridge-nf-call-iptables” is an unknown key
            error: “net.bridge.bridge-nf-call-arptables” is an unknown key
            kernel.msgmnb = 65536
            kernel.msgmax = 65536
            kernel.shmmax = 68719476736
            kernel.shmall = 4294967296

            ============

  5. Salman

    I have tried disabling csf as well. Same result. Today it did connect and browsing was working for few min. Then it got disconnected and whenever i try connecting again

    Get Error 619 : Could not connect because port was closed.

    Now even with csf enabled, it did connect before and now giving this error. Before it was connecting but there was browsing issue.

    Is there any permanent fix ?

    Reply
  6. Chris

    Some people will need to do this:-

    chkconfig pptpd on
    service pptpd start

    Also – if you do not have cfs – here is a different way (tested; working):

    Edit /etc/sysconfig/iptables

    Find the “*filter” line.

    ABOVE it – add this:-

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

    after you added the above, search down and find the following line:-

    -A FORWARD -j RH-Firewall-1-INPUT

    replace that line with all of this:-

    -A INPUT -i eth0 -p tcp -m tcp –dport 1723 -j ACCEPT
    -A INPUT -i eth0 -p gre -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -p gre -j ACCEPT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A FORWARD -i ppp0 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT

    save it, then run:-
    service iptables restart

    And you’re good to go.

    Reply
  7. Chris

    update – of course – don’t lick your monitor – instead of those smiley faces :P you need to use a colon and a capital P ( : P but without a space in the middle )

    Reply
  8. Chris

    Oops – you also need to add this down the bottom somwhere too (sorry I left it out in the above instructions)

    -A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 1723 -j ACCEPT

    Reply
  9. Ahmed

    Amazing tutorial, George thanks, one question though, everything worked just fine after refreshing csf, got out of testing mode, all was good, ldf was loading, everything seemed fine, until the server decided to stop working, i dont know what the issue is, but it seems to work for a while after i restart cpanel and csf… any ideas?

    Reply
  10. Sitebee

    Can you install a PPTP VPN package on any VPS? What I mean do I need to ask my provider beforehand. One last question would affect any of the hosting accounts on my VPS?

    Reply
    1. George Tasioulis Post author

      If your VPS is running on OpenVZ virtualization, your provider needs to have TUN/TAP active and working for VPN to work. Usually you need to open a ticket with them in order to enable it.

      I would suggest though that you try a KVM VPS provider; KVM offers full virtualization and as such has no limitations like this. Have a look at http://www.fusioned.net/virtual-servers :)

      Reply
  11. vix

    Hi George, this looks like a great guide! Was wondering if you can help me, I’ve been spoiled with all my other servers being on windows server 2008 so it was always very simple. I’ve never used cent before so I have no clue of how to even begin to connect to my new dedicated server I just bought with CentOS 6 and CPANEL.

    I run a vpn company and on all my other servers i use windows but now i want to learn how to use cent so i can use cpanel and automate alot of tasks.

    http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/

    Before I followed this guide above for all my servers, so I guess my main questions are:

    1) What is the best remote desktop alternative for CentOS because I can’t do these commands directly from cpanel right?

    2) My dedicated servers for example have around 60 unique ip addresses each, and normally when a user buys my service I simply go to remote desktop and give them a username and password and one unique ip address, how would I do this for centos?

    THANK YOU SO MUCH FOR YOUR HELP!!!

    Reply
  12. Alex

    Hello George!
    Very good tutorial. Real usefull! :)
    I have a small issue…

    I can only get internet via vpn with my first connection. For example, if i connect with my desktop (user1) and then another computer (user2) i can access the vpn server but from user2 i can only see the server. Nothing else on the internet.

    Local & Remote IP:
    localip 192.168.9.110-120
    remoteip 192.168.9.210-230

    Also tried to change localip to one ip only, but same problem. Interface is working fine, one user gets 192.168.9.110 with remote 192.168.9.210 and next user 111 with 211.

    Anyway, if you have time, drop me a line.

    In any case, it’s the best (and working) tutorial for VPN for cPanel :)

    Thanks,
    Alexandros

    Reply
    1. George Tasioulis Post author

      Hi Alex,

      Thanks for your kind words :) Nothing comes up on top of my head atm, but just to be sure, can you ping user1 from user2?
      Have you tried pinging an internet IP from user2 (just in case it’s a DNS issue) eg. 8.8.8.8?

      Reply
      1. Alex

        Yes, i tried it. It’s not a dns issue.
        Now I noticed something new: fireasll (csf/lfd) is blocking me from open vpn connection. My ip is in whitelist of course. Perhaps something changed in new version of csf :(

        Reply
  13. Yannis

    Amazing tutorial, George thanks,
    i install and configure PPTPD on my server and i can connect this too , but i want to browse internet through my server. how i can?!!

    Reply
  14. Marc Bressman

    I know this post is old, but I set up a PPTP VPN on my CentOS 6.5 VPS running cPanel and can connect to it via VPN, but all traffic except for the IP of the VPS itself is being blocked. I am running CSF on the VPS, and even disabling it doesn’t seem to help. Any thoughts/ideas? Thanks!

    Reply

Leave a Reply