Configure PPTP & OpenVPN Server.




VPN (Virtual Private Network)-

A virtual private network extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. 

1- PPTP (Point-to-Point Tunneling Protocol)
2- OpenVPN


Configuration of PPTP VPN Server-

This post will help you set up a VPN server that uses the Point-to-Point Tunneling Protocol (PPTP) on a Linux machine (and optionally lets your clients reach the internet through the tunnel). The reason I prefer PPTP over the other protocols is simply that it is much easier to configure. By the end of this article you will have a PPTP VPN server that encrypts all data (MPPE) and allows your clients to access the internet (using iptables forwarding).


Step-1 Install the 'ppp' and 'pptpd' packages-

[root@server ~]# rpm --import http://poptop.sourceforge.net/yum/RPM-GPG-KEY-PPTP


[root@server ~]# rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm

[root@server ~]# yum install ppp pptpd -y

or download the pptpd rpm package and install it manually:

[root@server ~]# rpm -ivh pptpd-1.4.0-3.el6.i686.rpm
[root@server ~]# yum install ppp -y

Step-2 Edit the IP settings in '/etc/pptpd.conf'

 [root@server ~]# vim /etc/pptpd.conf
---------------------------------------------------------------------------------------------------------
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.0.1
remoteip 192.168.0.50-55,192.168.0.245

---------------------------------------------------------------------------------------------------------
*Note- The 'localip' setting should be the IP address given to your server by your router (or, if you do not have a router, the IP given to you by your internet service provider).

The 'remoteip' setting can contain multiple IP addresses (minimum 1). Every client that connects to your VPN server is assigned one of these IPs (one per client), so the more addresses you list, the more clients your server can support at once. These IPs do not have to be in the same range as your localip: 192.168.1.234-238, 192.168.1.10-250, or anything else that fits your needs will work.
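As an added example (not part of the original post), the script below expands a pptpd 'remoteip' spec such as the one above into individual addresses, reports how many clients the pool can serve, and checks that 'localip' is not inside the pool (pptpd hands pool addresses to clients, so the server's own address must not be among them). It handles the last-octet range form pptpd documents (192.168.0.234-238) and comma-separated lists; the spec and localip used in the demo are the values from this post.

```shell
#!/bin/sh
# Added example, not part of the original post: expand a pptpd 'remoteip' pool spec
# (as written in /etc/pptpd.conf) into individual addresses, count them, and check
# that 'localip' is not inside the pool. Handles the last-octet range form pptpd
# documents ("192.168.0.234-238") and comma-separated lists.

# expand_remoteip SPEC -> one address per line; non-zero status on a malformed spec
expand_remoteip() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            item = $i; gsub(/[ \t]/, "", item)
            if (item == "") continue
            if (split(item, o, "\\.") != 4) { print "bad entry: " item > "/dev/stderr"; exit 1 }
            # the last octet is either a single value or a range "lo-hi"
            if (index(o[4], "-") > 0) { split(o[4], r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = o[4] + 0; hi = lo }
            if (lo < 1 || hi > 254 || lo > hi) { print "bad range: " item > "/dev/stderr"; exit 1 }
            for (k = lo; k <= hi; k++) print o[1] "." o[2] "." o[3] "." k
        }
    }'
}

# pool_size SPEC -> number of clients the pool can serve at once (one address per client)
pool_size() {
    expand_remoteip "$1" | wc -l | tr -d ' '
}

# localip_ok LOCALIP SPEC -> 0 when the server address is outside the pool, 1 when it collides
localip_ok() {
    if expand_remoteip "$2" | grep -qx "$1"; then
        echo "localip $1 is inside the remoteip pool; pptpd would hand the server's own address to a client" >&2
        return 1
    fi
    return 0
}

# demo with the values from the post
spec='192.168.0.50-55,192.168.0.245'
echo "pool '$spec' serves $(pool_size "$spec") clients:"
expand_remoteip "$spec"
localip_ok 192.168.0.1 "$spec" && echo "localip 192.168.0.1 is outside the pool: ok"
```

Run it with the exact strings you put in /etc/pptpd.conf; a pool of seven addresses means the eighth simultaneous client is refused, which is worth knowing before blaming the firewall.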
 

Step-3 Create a user-

[root@server ~]# adduser user-1

[root@server ~]# passwd user-1


Step-4 Add user account in '/etc/ppp/chap-secrets' (assign username and password)

[root@server ~]# vim /etc/ppp/chap-secrets
----------------------------------------------------------------------------------------------------------------
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user-1          pptpd   redhat *

---------------------------------------------------------------------------------------------------------------- 

Note- Do not change or remove 'pptpd' in the server column; it must match the name pptpd presents. Advanced users may replace the * with an IP address or range to restrict that user to connecting from that address. Most users should leave it as *.
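chap-secrets stores the passwords in clear text, so besides the field format the file's permissions matter. The check below is an added example (not from the original post): it verifies that the file is mode 600, that every entry has the four fields shown above, that the server field is the name pptpd presents ('pptpd', from the 'name' line in /etc/ppp/options.pptpd), and that the IP field is '*' or an address/range. GNU stat is assumed; the sample file it writes is constructed from the Step-4 entry.

```shell
#!/bin/sh
# Added example, not part of the original post: validate /etc/ppp/chap-secrets before
# starting pptpd. The file holds passwords in clear text, so it must be mode 600; each
# entry needs four fields; the server field must be the name pptpd presents (pptpd,
# from the 'name' line in /etc/ppp/options.pptpd); the IP field is * or an
# address/range. Assumes GNU stat; the sample file below is constructed.

# check_chap_secrets FILE [SERVER] -> prints one line per finding, returns their count
check_chap_secrets() {
    file=$1; server=${2:-pptpd}; problems=0
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != 600 ]; then
        echo "$file: mode $mode, expected 600 (secrets are stored in clear text)"
        problems=$((problems + 1))
    fi
    while read -r client srv secret ip extra; do
        case $client in ''|'#'*) continue ;; esac        # blanks and comments
        if [ "$srv" != "$server" ]; then
            echo "$client: server field is '$srv', pptpd expects '$server'"
            problems=$((problems + 1))
        fi
        if [ -z "$secret" ] || [ -z "$ip" ] || [ -n "$extra" ]; then
            echo "$client: expected exactly 4 fields (client server secret ip)"
            problems=$((problems + 1))
        fi
        case $ip in
            ''|'*') ;;                                   # empty is reported above; * means any source
            *[!0-9./-]*) echo "$client: IP field '$ip' is neither * nor an address/range"
                         problems=$((problems + 1)) ;;
        esac
    done < "$file"
    return $problems
}

# demo on a constructed copy of the entry from Step-4
tmp=$(mktemp -d)
printf '%s\n' '# client  server  secret  IP addresses' 'user-1 pptpd redhat *' > "$tmp/chap-secrets"
chmod 600 "$tmp/chap-secrets"
check_chap_secrets "$tmp/chap-secrets" && echo "$tmp/chap-secrets: ok"
rm -rf "$tmp"
```

Run it as `check_chap_secrets /etc/ppp/chap-secrets` after editing the file. Secrets that contain spaces must be quoted in chap-secrets; this simple field split flags them as extra fields, so check those entries by hand.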

Step-5 Optional settings in '/etc/ppp/options.pptpd'

[root@server ~]#  vim /etc/ppp/options.pptpd
-------------------------------------------------------------------------------------------------------------
ms-dns 8.8.8.8
ms-dns 4.4.4.4
 

-------------------------------------------------------------------------------------------------------------

Step-6 Enable network forwarding in '/etc/sysctl.conf'

 [root@server ~]# vim /etc/sysctl.conf
-------------------------------------------------------------------------------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 1


-------------------------------------------------------------------------------------------------------------
Then apply the change with:

  [root@server ~]# sysctl -p

Step-7 Configure firewall..

[root@server ~]# iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT

[root@server ~]# iptables -A INPUT -i eth0 -p gre -j ACCEPT  

[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  

[root@server ~]# iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT  

[root@server ~]# iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT  

[root@server ~]# service iptables save  

[root@server ~]# service iptables restart


Step-8 Start pptpd service-

[root@server ~]# service pptpd start

[root@server ~]# chkconfig pptpd on

The PPTP VPN server configuration is now complete.



Configuration of OpenVPN Server-
 
OpenVPN is an open source VPN daemon by James Yonan. OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

Step-1 Enable the EPEL repository-

32 Bit-

[root@server ~]# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm

64 Bit- 

[root@server ~]# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm

[root@server ~]# yum repolist

[root@server ~]# yum install openvpn  -y


or

[root@server ~]# yum --enablerepo=epel -y install openvpn



Step-2 Copy the sample OpenVPN configuration file to /etc/openvpn

[root@server ~]# cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
 

Step-3 Edit the server configuration file-

[root@server ~]# vim /etc/openvpn/server.conf

---------------------------------------------------------------------------------------------------------
local XXX.XXX.XXX.XXX                 #Server External IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt                       #file names are case-sensitive; easy-rsa (Step-6) writes server.crt/server.key
key server.key                        #keep file secret
dh dh2048.pem                         #build-dh (Step-8) produces dh2048.pem
server 10.8.0.0 255.255.255.0         #VPN subnet; must not overlap the LAN (192.168.0.0/24 here), matches tun0 and the NAT rule below
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" #using Google Public DNS
push "dhcp-option DNS 8.8.4.4" #using Google Public DNS
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

:wq!
--------------------------------------------------------------------------------------------------------
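Before starting the daemon it is worth checking the configuration against the files actually present: OpenVPN refuses to start if 'ca', 'cert', 'key' or 'dh' names a file that does not exist (Linux file names are case-sensitive, and build-dh produces dh2048.pem, not dh1024.pem), the private key should not be readable by anyone but root, and routing breaks if the 'server' subnet overlaps the LAN the server sits on (192.168.0.0/24 is the eth0 network in this post, while tun0 later shows 10.8.0.x). The script below is an added example, not part of the original post or of OpenVPN. It assumes that relative file names resolve against the config's own directory (the EL6 init script starts openvpn with --cd /etc/openvpn), that GNU stat is available, and a /24 LAN mask unless told otherwise; the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVPN: lint a server.conf before
# starting the daemon. Checks that the files named by ca/cert/key/dh exist next to the
# config (assumption: relative names resolve against the config directory, as the EL6
# init script starts openvpn with --cd /etc/openvpn), that the private key is mode 600,
# and that the 'server' subnet does not overlap the LAN the server sits on. Assumes GNU
# stat; the sample configs written by write_sample_conf are constructed.

# ip2int DOTTED-QUAD -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# nets_overlap IP1 MASK1 IP2 MASK2 -> 0 when the two networks share any address
nets_overlap() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))            # the shorter of the two prefixes
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# lint_server_conf CONF [LAN_MASK] -> prints one line per finding, returns their count
lint_server_conf() {
    conf=$1; lanmask=${2:-255.255.255.0}; dir=$(dirname "$conf")
    problems=0; local_ip=''; vpn_net=''; vpn_mask=''
    while read -r key val val2 rest; do
        case $key in
            ''|'#'*|';'*) continue ;;                    # blank lines and comments
            ca|cert|dh)                                   # referenced files must exist
                [ -f "$dir/$val" ] || { echo "$key: $dir/$val not found"; problems=$((problems + 1)); } ;;
            key)                                          # ...and the private key must be root-only
                if [ ! -f "$dir/$val" ]; then
                    echo "key: $dir/$val not found"; problems=$((problems + 1))
                else
                    case $(stat -c '%a' "$dir/$val") in
                        *00) ;;
                        *) echo "key: $dir/$val is readable by group/others, should be mode 600"
                           problems=$((problems + 1)) ;;
                    esac
                fi ;;
            local)  local_ip=$val ;;
            server) vpn_net=$val; vpn_mask=$val2 ;;
        esac
    done < "$conf"
    # a VPN pool inside the server's own LAN makes the pushed routes collide with the LAN route
    case $local_ip in
        ''|*[!0-9.]*) ;;                                  # absent or still a placeholder: skip
        *) if [ -n "$vpn_mask" ] && nets_overlap "$local_ip" "$lanmask" "$vpn_net" "$vpn_mask"; then
               echo "server: VPN subnet $vpn_net/$vpn_mask overlaps the LAN $local_ip/$lanmask"
               problems=$((problems + 1))
           fi ;;
    esac
    return $problems
}

# write_sample_conf DIR good|broken -> constructed key material (empty files) plus a server.conf;
# "broken" reproduces the classic mistakes: wrong-case file names, dh1024 vs dh2048, LAN overlap
write_sample_conf() {
    for f in ca.crt server.crt server.key dh2048.pem; do : > "$1/$f"; done
    chmod 600 "$1/server.key"
    if [ "$2" = good ]; then
        crt=server.crt; k=server.key; dh=dh2048.pem; net=10.8.0.0
    else
        crt=SERVER.crt; k=SERVER.key; dh=dh1024.pem; net=192.168.0.0
    fi
    {
        printf '%s\n' '# constructed sample; 192.168.0.1 is the server LAN address used in this post'
        printf '%s\n' 'local 192.168.0.1' 'port 1194' 'proto udp' 'dev tun'
        printf '%s\n' 'ca ca.crt' "cert $crt" "key $k" "dh $dh" "server $net 255.255.255.0"
        printf '%s\n' 'push "redirect-gateway def1 bypass-dhcp"' 'user nobody' 'group nobody'
    } > "$1/server.conf"
}

# demo
tmp=$(mktemp -d)
for variant in broken good; do
    write_sample_conf "$tmp" "$variant"
    echo "== $variant server.conf =="
    lint_server_conf "$tmp/server.conf" || echo "$? problem(s)"
done
rm -rf "$tmp"
```

On the real box run `lint_server_conf /etc/openvpn/server.conf` (add the LAN mask as a second argument if eth0 is not a /24); an empty output and zero exit status means the file references line up with what the easy-rsa steps below actually produced.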

Then copy and edit the client.conf file:

[root@server ~]# cp /usr/share/doc/openvpn-2.2.2/sample-config-files/client.conf /home/

[root@server ~]# vim /home/client.conf


Set the VPN server hostname or IP address:
--------------------------------------------------------------------------------------------------------
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.0.1  1194
 

:wq!
--------------------------------------------------------------------------------------------------------
Note- 192.168.0.1 is the VPN server IP.
Next, copy the 'client.conf' file to your client system:

[root@server ~]# scp -r /home/client.conf root@192.168.0.5:/etc/openvpn


Step-4 Install easy-rsa and set the CA certificate defaults-
 
[root@server ~]# mkdir -p /etc/openvpn/easy-rsa/keys


[root@server ~]# cd /tmp


[root@server tmp]#  wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
 
[root@server tmp]# tar -xvf easy-rsa-2.2.0_master.tar.gz


[root@server tmp]# cp /tmp/easy-rsa-2.2.0_master/easy-rsa/2.0/* /etc/openvpn/easy-rsa


[root@server tmp]# cd

[root@server ~]# vim /etc/openvpn/easy-rsa/vars

-------------------------------------------------------------------------------------------------------------
# Set the country (KEY_COUNTRY)
export KEY_COUNTRY="IN"

# State (KEY_PROVINCE)
export KEY_PROVINCE="IN"

# Locality (KEY_CITY)
export KEY_CITY="Delhi"

# Organisation name (KEY_ORG)
export KEY_ORG="Ashu"

# Support email (KEY_EMAIL) and organisational unit (KEY_OU)
export KEY_EMAIL="ashutoshsmaurya@gmail.com"
export KEY_OU="server"

:wq!
-------------------------------------------------------------------------------------------------------------

Step-5 Go to '/etc/openvpn/easy-rsa/' and build the CA


[root@server ~]# cd /etc/openvpn/easy-rsa/


[root@server easy-rsa]# cp openssl-1.0.0.cnf openssl.cnf


[root@server easy-rsa]# source ./vars
[root@server easy-rsa]# ./clean-all
[root@server easy-rsa]# ./build-ca

Output..
-------------------------------------------------------------------------------------------------------------
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:                                 ----> Press Enter
State or Province Name (full name) [Delhi]:                        ----> Press Enter
Locality Name (eg, city) [New Delhi]:                              ----> Press Enter
Organization Name (eg, company) [Ashu]:                            ----> Press Enter
Organizational Unit Name (eg, section) [server]:                   ----> Press Enter
Common Name (eg, your name or your server's hostname) [Ashu CA]:   ----> Press Enter
Name [EasyRSA]:                                                    ----> Press Enter
Email Address [ashutoshsmaurya@gmail.com]:                         ----> Press Enter
-------------------------------------------------------------------------------------------------------------


Step-6 Create certificate for the server


[root@server easy-rsa]# ./build-key-server server


Output..
-------------------------------------------------------------------------------------------------------------
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:                                 ----> Press Enter
State or Province Name (full name) [Delhi]:                        ----> Press Enter
Locality Name (eg, city) [New Delhi]:                              ----> Press Enter
Organization Name (eg, company) [Ashu]:                            ----> Press Enter
Organizational Unit Name (eg, section) [server]:                   ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]:    ----> Press Enter
Name [EasyRSA]:                                                    ----> Press Enter
Email Address [ashutoshsmaurya@gmail.com]:                         ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                           ----> Press Enter
An optional company name []:                                       ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'Delhi'
localityName          :PRINTABLE:'New Delhi'
organizationName      :PRINTABLE:'Ashu'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'ashutoshsmaurya@gmail.com'

Certificate is to be certified until Apr 01 14:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y                                      ----> Type y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y          ----> Type y and Press Enter
Write out database with 1 new entries
Data Base Updated
-------------------------------------------------------------------------------------------------------------



Step-7 Create certificate and key for VPN clients using the following command.

[root@server easy-rsa]# ./build-key client


Output..
-------------------------------------------------------------------------------------------------------------
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:                                 ----> Press Enter
State or Province Name (full name) [Delhi]:                        ----> Press Enter
Locality Name (eg, city) [New Delhi]:                              ----> Press Enter
Organization Name (eg, company) [Ashu]:                            ----> Press Enter
Organizational Unit Name (eg, section) [server]:                   ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]:    ----> Press Enter
Name [EasyRSA]:                                                    ----> Press Enter
Email Address [ashutoshsmaurya@gmail.com]:                         ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                           ----> Press Enter
An optional company name []:                                       ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'Delhi'
localityName          :PRINTABLE:'New Delhi'
organizationName      :PRINTABLE:'Ashu'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'ashutoshsmaurya@gmail.com'

Certificate is to be certified until Apr 01 14:25:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y                                      ----> Type y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y          ----> Type y and Press Enter
Write out database with 1 new entries
Data Base Updated
-------------------------------------------------------------------------------------------------------------


Step-8 Create the Diffie-Hellman parameters-

[root@server easy-rsa]# ./build-dh


Output..
-------------------------------------------------------------------------------------------------------------

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time


-------------------------------------------------------------------------------------------------------------


Step-9 Copy the crypto files


[root@server easy-rsa]# cd /etc/openvpn/easy-rsa/keys/

[root@server keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Then copy the client certificate and key (together with the CA certificate) to each remote VPN client so it can authenticate to the server. In this post only one client certificate was generated, so the following files go to that client:

[root@server keys]# scp -r ca.crt client.crt client.key root@192.168.0.5:/etc/openvpn

Note- Copy the keys with caution: anyone who obtains them can connect to your VPN and gain full access to your private network. Only ca.crt, client.crt and client.key belong on the client; ca.key stays on the server.


Step-10 Enable IP Forwarding

[root@server keys]# cd

[root@server ~]# vim /etc/sysctl.conf
-------------------------------------------------------------------------------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 1


-------------------------------------------------------------------------------------------------------------

Then apply the change with:

[root@server ~]# sysctl -p

Step-11 Configure firewall..

[root@server ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
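The five PPTP rules in Step-7 and the NAT rule here are all added with -A. On a stock CentOS 6 box the default ruleset already ends the INPUT and FORWARD chains with '-j REJECT --reject-with icmp-host-prohibited', and a rule appended after that catch-all is never evaluated, so the tunnel fails even though 'iptables -L' shows the rules. The script below is an added example (not from the original post) that reads an iptables-save dump and checks, for the PPTP rule set from Step-7 and for an OpenVPN set built on the same pattern (1194/udp plus tun+ forwarding; the post shows only the NAT rule for OpenVPN, so that set is an assumption), that each rule exists and is not shadowed by a catch-all REJECT/DROP. The dumps it tests are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original post: check an iptables-save dump for the
# VPN rules and make sure none of them sits behind a catch-all REJECT/DROP (on a stock
# CentOS 6 ruleset the INPUT and FORWARD chains end with "-j REJECT --reject-with
# icmp-host-prohibited", so rules added with -A land after it and are never reached).
# The OpenVPN rule set (1194/udp, tun+) is an assumption modelled on the PPTP rules
# in Step-7; the dumps produced by sample_dump are constructed.

# rule_ok DUMP TABLE CHAIN REGEX LABEL -> 0 if a rule matching REGEX exists in TABLE/CHAIN
# and no catch-all "-j REJECT|DROP" rule precedes it
rule_ok() {
    awk -v table="$2" -v chain="$3" -v pat="$4" -v label="$5" '
        /^\*/ { cur = substr($0, 2); next }                  # "*filter" / "*nat" open a table
        cur != table || $1 != "-A" || $2 != chain { next }
        !found && $0 ~ ("^-A " chain " .*" pat) { found = 1; next }
        !found && $0 ~ ("^-A " chain " -j (REJECT|DROP)") { blocked = 1 }
        END {
            if (!found)  { print "MISSING:     " label; exit 1 }
            if (blocked) { print "UNREACHABLE: " label " (appended after a catch-all REJECT/DROP)"; exit 1 }
            print "ok:          " label
        }' "$1"
}

# forward_and_nat DUMP TUNIF IFACE -> the FORWARD pair plus the POSTROUTING masquerade
forward_and_nat() {
    fn_ok=0
    rule_ok "$1" filter FORWARD "-i $2 -o $3 -j ACCEPT" "forward $2 -> $3" || fn_ok=1
    rule_ok "$1" filter FORWARD "-i $3 -o $2 -j ACCEPT" "forward $3 -> $2" || fn_ok=1
    rule_ok "$1" nat POSTROUTING "-o $3 -j MASQUERADE" "masquerade out of $3" || fn_ok=1
    return $fn_ok
}

# check_pptp_rules DUMP [IFACE] -> the five rules from Step-7 of the PPTP section
check_pptp_rules() {
    d=$1; i=${2:-eth0}; ok=0
    rule_ok "$d" filter INPUT "-p tcp .*--dport 1723 .*-j ACCEPT" "PPTP control 1723/tcp" || ok=1
    rule_ok "$d" filter INPUT "-p (gre|47) .*-j ACCEPT" "GRE (protocol 47)" || ok=1
    forward_and_nat "$d" "ppp[+]" "$i" || ok=1
    return $ok
}

# check_openvpn_rules DUMP [IFACE] -> same pattern for OpenVPN (assumed: 1194/udp and tun+)
check_openvpn_rules() {
    d=$1; i=${2:-eth0}; ok=0
    rule_ok "$d" filter INPUT "-p udp .*--dport 1194 .*-j ACCEPT" "OpenVPN 1194/udp" || ok=1
    forward_and_nat "$d" "tun[+]" "$i" || ok=1
    return $ok
}

# sample_dump inserted|appended -> constructed iptables-save output; "inserted" puts the VPN
# rules ahead of the CentOS catch-all REJECTs (iptables -I), "appended" after them (iptables -A)
sample_dump() {
    vpn_in='-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT'
    vpn_fwd='-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT'
    rej_in='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    rej_fwd='-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE' COMMIT
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' '-A INPUT -i lo -j ACCEPT'
    if [ "$1" = inserted ]; then
        printf '%s\n' "$vpn_in" "$rej_in" "$vpn_fwd" "$rej_fwd"
    else
        printf '%s\n' "$rej_in" "$vpn_in" "$rej_fwd" "$vpn_fwd"
    fi
    printf '%s\n' COMMIT
}

# demo: the same rules, appended vs. inserted
tmp=$(mktemp -d)
for order in appended inserted; do
    sample_dump "$order" > "$tmp/$order.rules"
    echo "== rules $order =="
    check_pptp_rules "$tmp/$order.rules" eth0 || echo "PPTP: problems found"
    check_openvpn_rules "$tmp/$order.rules" eth0 || echo "OpenVPN: problems found"
done
rm -rf "$tmp"
```

Against the live box: `iptables-save > /tmp/rules.txt` and then `check_pptp_rules /tmp/rules.txt eth0` (or check_openvpn_rules). A rule reported UNREACHABLE has to be placed ahead of the catch-all, with 'iptables -I' instead of '-A' or by editing /etc/sysconfig/iptables, followed by 'service iptables save' as in Step-7.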
 
Step-12 Start openvpn service-

[root@server ~]# service openvpn start
[root@server ~]# chkconfig openvpn on


Step-13 Verify that the VPN interface (tun0) has been created, using ifconfig

[root@server ~]# ifconfig


-------------------------------------------------------------------------------------------------------------

eth0   Link encap:Ethernet  HWaddr 74:27:EA:0D:B3:F8 
          inet addr:192.168.0.1 Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7627:eaff:fe0d:b3f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3565841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1394279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1609238080 (1.4 GiB)  TX bytes:234574664 (223.7 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1852 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1852 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178707 (174.5 KiB)  TX bytes:178707 (174.5 KiB)

tun0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

 -------------------------------------------------------------------------------------------------------------


VPN client-side configuration-

[root@client ~]# yum install openvpn


Start openvpn service-

[root@client ~]# service openvpn start
[root@client ~]# chkconfig openvpn on

Now check that tun0 (the VPN interface) has been created.

[root@client ~]# ifconfig

-------------------------------------------------------------------------------------------------------------
eth0   Link encap:Ethernet  HWaddr 74:27:EA:0D:B4:F6 
          inet addr:192.168.0.5 Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7627:eaff:fe0d:b3f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3565841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1394279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1609238080 (1.4 GiB)  TX bytes:234574664 (223.7 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1852 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1852 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178707 (174.5 KiB)  TX bytes:178707 (174.5 KiB)

tun0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


-------------------------------------------------------------------------------------------------------------
As you see in the above output, the VPN server has automatically assigned IP address 10.8.0.6 to my VPN client.

Now check that you can ping the VPN server from the client system.

 [root@client ~]# ping 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=10.72 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=8.18 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=3.14 ms

Now the VPN server and client are ready; connect to your VPN server securely.
Enjoy...

Difference between OpenVPN and PPTP-

PPTP- 
1- A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.

2- PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol.

3- PPTP is not as reliable as OpenVPN, nor does it recover as quickly, over unstable network connections. It also has minor compatibility issues with the GRE protocol on some routers.

OpenVPN-
1- An advanced open source VPN solution backed by 'OpenVPN Technologies', now the de-facto standard in the open source networking space. It uses the proven SSL/TLS encryption protocol.

2- When used in its default UDP mode on a reliable network, OpenVPN should perform better than L2TP/IPSec.

3- OpenVPN can easily be configured to run on any port using either UDP or TCP. To get through restrictive firewalls, OpenVPN can be configured to use TCP on port 443.

