For roaming mobile clients PPTP (Point-to-Point Tunneling Protocol) is still the quickest way to get VPN connections to tunnel traffic over a secure link.


I always prefer installation via a yum repository as this will ensure patches are applied during regular system updates

sudo rpm --import
sudo rpm -Uvh
sudo yum install ppp pptpd -y


Note: replace $USERNAME and $PASSWORD with actual values

IP configuration
echo "localip" >> /etc/pptpd.conf
echo "remoteip" >> /etc/pptpd.conf

DNS configuration
echo "ms-dns" >> /etc/ppp/options.pptpd
echo "ms-dns" >> /etc/ppp/options.pptpd

Authentication configuration
echo "$USERNAME pptpd $PASSWORD *" >> /etc/ppp/chap-secrets

Firewall config
service iptables start
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables restart
service iptables save
chkconfig iptables on

Start ppptd
chkconfig pptpd on
service pptpd start

Leo Gaggl

ict business owner specialising in mobile learning systems. interests: sustainability, internet of things, ict for development, open innovation, agriculture

This Post Has 11 Comments

  1. Eric

    This is the best tutorial I’ve seen thus far. Thanks a bunch, sir.

  2. Travis

    Extremely useful. Thanks.

  3. نیما

    Hi,thanks for tutorial…i did all configuration right and i can connect to vpn but i dont have network access for connecting to internet…what should i do?

  4. Luke

    On CentOS 6.3 you should also check the iptables FORWARD rules. I has a rule that was dropping forward packets and this was on a clean CentOS install. Once I fixed that rule the Internet connection worked fine when connected to the VPN.

  5. leogaggl

    @luke thanks for the update. appreciated!

  6. Matthew

    Since MASQUERADE doesn’t work on OpenVZ I used 2 other rules:

    iptables -t nat -A PREROUTING -i “venet0:0” -j DNAT –to-destination 78.129.**.**
    iptables -t nat -A POSTROUTING -o “venet0:0” -j SNAT –to-source 78.129.**.**

    However I can’t connect to the VPN, any suggestions anyone?

  7. Drew

    Thanks for the post!

    Just wanting some clarification on what ‘localip’ and ‘remoteip’ are.

    For instance, my servers address is, so would this be my remote IP?

  8. Leo Gaggl

    Yes – RemoteIP is the external facing public IP.

  9. fyc

    but the auth-up and auth-down files were disappeared (/etc/ppp/auth-up), ip-up and ip-down script files will not be called too
    I want to use auth-up file refuse a account login more than one times. code file pathnames.h
    #define _PATH_AUTHUP _ROOT_PATH “/etc/ppp/auth-up”
    .. in code file auth.c
    auth_state = s_up;
    if (auth_script_state == s_down && auth_script_pid == 0) {
    auth_script_state = s_up;
    auth_script(_PATH_AUTHUP);//——-why auth-up file could not be called

    Can you help me?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.