

Point-to-Point Tunneling Protocol (PPTP) lets you set up your own VPN very quickly, and it is compatible with most mobile devices. PPTP is less secure than OpenVPN, but it is also faster and uses fewer CPU resources.


Set up PPTP VPN

  1. Select one server to be responsible for handing out IPs to the others and authenticating all of your servers into your VPN. This will become your PPTP server.
  2. Edit /etc/pptpd.conf (for more on it, use "man pptpd.conf") and add the following lines:
    Here localip is the IP address of your server and remoteip is the range of IPs that will be assigned to clients that connect to it.
  3. Add users and passwords. Simply add them to /etc/ppp/chap-secrets. client is the username, server is the type of service (pptpd for our example), secret is the password, and IP addresses specifies which IP addresses may authenticate. By setting '*' in the IP addresses field, you accept the username/password pair from any IP.
  4. Add DNS servers to /etc/ppp/pptpd-options ("man pppd" for help with the options) to provide primary and secondary DNS servers to Windows clients.
  5. Now you can start the PPTP daemon: service pptpd restart.
  6. It is important to enable IP forwarding on your PPTP server. This allows it to forward packets between the public IP and the private IPs that you set up with PPTP. Simply edit /etc/sysctl.conf and add the following line if it isn't there already: net.ipv4.ip_forward = 1. To make the change active, run sysctl -p.
  7. Create a NAT rule for iptables: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
  8. If you would also like your PPTP clients to talk to each other, add the following iptables rules (Arch Wiki ref.):
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    iptables -I INPUT -s -i ppp0 -j ACCEPT
    iptables -A FORWARD -i eth0 -j ACCEPT
    # The following from Arch Wiki.
    # Accept all packets via ppp* interfaces (for example, ppp0)
    iptables -A INPUT -i ppp+ -j ACCEPT
    iptables -A OUTPUT -o ppp+ -j ACCEPT
    # Accept incoming connections to port 1723 (PPTP)
    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    # Accept GRE packets
    iptables -A INPUT -p 47 -j ACCEPT
    iptables -A OUTPUT -p 47 -j ACCEPT
    # Enable IP forwarding
    iptables -F FORWARD
    iptables -A FORWARD -j ACCEPT
    # Enable NAT for eth0 and ppp* interfaces
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
    sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s -j TCPMSS  --clamp-mss-to-pmtu
    Now your PPTP server also acts as a router.
    sudo iptables -t nat -A POSTROUTING -s ! -d -j SNAT --to-source
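The chap-secrets format from step 3, worked through in code. This is an added example, not code from the page or from pppd: it parses the file the way pppd reads it (whitespace-separated fields, optional double quotes, '#' comments, everything after the third field is the address list), answers whether a given client/server/peer-IP triple would be accepted, and flags entries whose IP field is '*'. The file contents, usernames and secrets are constructed for the demo, and the 12-character minimum in audit() is an assumed local policy, not something pppd enforces.

```python
"""Read /etc/ppp/chap-secrets the way pppd does and decide whether a given
(client, server, peer IP) would be accepted; also audit the file for
entries that take the password from any address.

Added example, not code from the page or from pppd. The file below and
every name/secret in it are constructed for the demo."""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample file; columns are client, server, secret, IP addresses.
SAMPLE_CHAP_SECRETS = """\
# client   server   secret              IP addresses
box1       pptpd    "24oiunOi24"        *
box2       pptpd    s3cret              10.0.0.2
box3       pptpd    "spaced secret"     10.0.0.3 10.0.0.4
admin      *        adminpass           192.168.0.0/24
svc        pptpd    @/etc/ppp/svc.key   -
"""


@dataclass
class Secret:
    client: str
    server: str
    secret: str                 # "@file" means pppd reads the secret from that file
    addresses: list = field(default_factory=list)


def parse_chap_secrets(text):
    """One secret per line; fields are whitespace-separated, may be double-quoted,
    and '#' starts a comment. Everything after the third field is the address list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need client, server and secret")
        entries.append(Secret(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def _matches(pattern, value):
    return pattern == "*" or pattern == value


def find_secret(entries, client, server):
    """Pick the most specific matching line: an exact client beats '*', and
    an exact server breaks ties."""
    best, best_score = None, -1
    for e in entries:
        if _matches(e.client, client) and _matches(e.server, server):
            score = 2 * (e.client != "*") + (e.server != "*")
            if score > best_score:
                best, best_score = e, score
    return best


def address_allowed(addresses, peer_ip):
    """Fourth field: empty or '*' allows any address, '-' allows none,
    otherwise a list of hosts or CIDR subnets (the '!' deny prefix is not handled)."""
    if not addresses or addresses == ["*"]:
        return True
    if addresses == ["-"]:
        return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(a, strict=False) for a in addresses)


def authorize(entries, client, server, peer_ip):
    entry = find_secret(entries, client, server)
    return entry is not None and address_allowed(entry.addresses, peer_ip)


def audit(entries, min_secret_len=12):
    """Flag the things a reviewer would want changed. min_secret_len is an
    assumed local policy, not something pppd enforces."""
    findings = []
    for e in entries:
        if not e.addresses or e.addresses == ["*"]:
            findings.append(f"{e.client}: accepts the password from any source IP")
        if e.client == "*":
            findings.append("wildcard client: any username works with this secret")
        if not e.secret.startswith("@") and len(e.secret) < min_secret_len:
            findings.append(f"{e.client}: secret is shorter than {min_secret_len} characters")
    return findings


if __name__ == "__main__":
    entries = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    print("box1 from 203.0.113.9:", authorize(entries, "box1", "pptpd", "203.0.113.9"))
    print("box2 from 10.0.0.3:  ", authorize(entries, "box2", "pptpd", "10.0.0.3"))
    for finding in audit(entries):
        print("finding:", finding)
```

The point of address_allowed() is the '*' in step 3: with it, the only thing protecting the account is the password, so audit() reports every such line, and the check is cheap enough to run on the real file before restarting pptpd.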

Client setup

  1. On your client servers,
    # Install PPTP client:
    yum -y install pptp
    # Add necessary Kernel module
    modprobe ppp_mppe
  2. Create a new file /etc/ppp/peers/pptpserver and add the following lines, replacing name and password with your own values:
    pty "pptp --nolaunchpppd"
    name box1
    password 24oiunOi24
    remotename PPTP
  3. Dial the connection using the peer file we created, pptpserver: pppd call pptpserver.
  4. On your PPTP client, set up routing to your private network via the ppp0 interface: ip route add dev ppp0.
Your interface ppp0 should come up on PPTP client. Now you can ping your PPTP server and any other clients that are connected to this network.


Set up CA (Certificate Authority)

Establish PKI (public key infrastructure), which consists of

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).


For PKI management, we will use easy-rsa, a set of scripts which is bundled with OpenVPN 2.2.x and earlier. If you're using OpenVPN 2.3.x, you need to download easy-rsa separately from here.

# On CA:
./easyrsa init-pki
./easyrsa build-ca

# On the system that is requesting a certificate
./easyrsa init-pki
./easyrsa gen-req EntityName
# Req file will be in pki/reqs, and key in pki/private.

# Transport the request (.req file) to the CA system and import it.
./easyrsa import-req /tmp/path/to/import.req EntityName

# The CA signs the request as the correct type. This example uses the client type:
./easyrsa sign-req client EntityName
# Other types are: server, ca. See easyrsa3/x509-types/.
# Signed crt will be in pki/issued.

# Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert.
# The entity now has its own keypair, and signed cert, and the CA.


After initializing a PKI, any entity that needs DH params can create them. They are normally only used by a TLS server. While the CA PKI can generate them, it makes more sense to do it on the server itself to avoid having to send the files to another system after generation.
DH params can be generated with:

./easyrsa gen-dh
# Usually generated as pki/dh.pem.

Showing details of requests or certs

To show the details of a request or certificate by referencing the short EntityName, use one of the following commands. It is an error to call these without a matching file.

./easyrsa show-req EntityName
./easyrsa show-cert EntityName

Changing private key passphrases

RSA and EC private keys can be re-encrypted so a new passphrase can be supplied with one of the following commands depending on the key type:

./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
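easy-rsa keeps the CA's record of every certificate it has issued in pki/index.txt, in the OpenSSL ca index format (status, expiry, revocation date with an optional ",reason", serial, filename and subject DN, tab-separated). The following is an added example, not part of easy-rsa or OpenVPN, that reads that file to list which EntityNames currently hold a valid certificate, which are revoked or expired, and which expire soon; the index lines and the 30-day warning window are constructed for the demo.

```python
"""Inventory easy-rsa's CA database, pki/index.txt, which it keeps in the
OpenSSL `ca` index format: status, expiry, revocation date[,reason],
serial, filename and subject DN, tab-separated.

Added example, not part of easy-rsa or OpenVPN. The index lines below are
constructed, as is the 30-day warning window."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SAMPLE_INDEX = (
    "V\t330101120000Z\t\t01\tunknown\t/CN=ca-server\n"
    "V\t260301120000Z\t\t02\tunknown\t/CN=box1\n"
    "R\t330101120000Z\t240501090000Z,superseded\t03\tunknown\t/CN=box2\n"
    "V\t330101120000Z\t\t04\tunknown\t/CN=box2\n"
    "E\t240101120000Z\t\t05\tunknown\t/CN=old-laptop\n"
    "V\t330101120000Z\t\t06\tunknown\t/CN=box1\n"
)


@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str

    @property
    def common_name(self):
        # easy-rsa writes the EntityName as the CN of the subject DN.
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return None


def parse_index_time(stamp):
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) or, past 2049, GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cols = raw.split("\t")
        if len(cols) != 6:
            raise ValueError(f"malformed index line: {raw!r}")
        status, expiry, revocation, serial, _filename, subject = cols
        revoked_at = reason = None
        if revocation:
            stamp, _, reason = revocation.partition(",")
            revoked_at, reason = parse_index_time(stamp), reason or None
        entries.append(IndexEntry(status, parse_index_time(expiry), revoked_at, reason, serial, subject))
    return entries


def report(entries, now, warn_days=30):
    """Return ({common_name: [serials still valid]}, [findings])."""
    valid, findings = {}, []
    for e in entries:
        cn = e.common_name
        if e.status == "R":
            continue                                   # revoked: no longer usable
        if e.status == "E" or e.not_after <= now:
            findings.append(f"{cn} (serial {e.serial}) expired on {e.not_after:%Y-%m-%d}")
            continue
        days_left = (e.not_after - now).days
        if days_left <= warn_days:
            findings.append(f"{cn} (serial {e.serial}) expires in {days_left} days")
        valid.setdefault(cn, []).append(e.serial)
    for cn, serials in valid.items():
        if len(serials) > 1:
            findings.append(f"{cn} has {len(serials)} concurrently valid certificates; revoke the stale one")
    return valid, findings


if __name__ == "__main__":
    valid, findings = report(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc))
    print("valid:", valid)
    for finding in findings:
        print("finding:", finding)
```

Running it against the real pki/index.txt on the CA is a quick way to spot an EntityName that was re-issued with sign-req without revoking the old certificate, since both copies stay valid until one is revoked.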


The example configs for OpenVPN are under /usr/share/doc/openvpn/sample/sample-config-files; server.conf is a good starting point.



Bridging vs Routing


In short, routing is more efficient and scalable and allows better tuning of the MTU, but with routing, broadcasts cannot traverse the VPN.

Logging in ppp/pptpd

Remove the # in front of debug, or add debug.

daemon.*            /var/log/ppp.log

Run: service syslog restart

logfile /var/log/ppp.log

sudo iptables -t nat -A POSTROUTING -s -j SNAT --to-source
sudo iptables -t nat -A POSTROUTING -p all -o eth0 -s -j SNAT --to-source $ETH0IP

Suppose I have three machines: one can reach the Internet and the other two cannot. The machines without Internet access can masquerade as the IP of the machine that has it:

iptables -t nat -I POSTROUTING 1 -j SNAT -s --to-source
iptables -t nat -I POSTROUTING 1 -j SNAT -s --to-source

This IP range cannot reach the Internet; the machine at 108 is the one that can.
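The iptables rules in step 8 of the server setup and the SNAT lines above are easy to get subtly wrong: a missing GRE rule leaves the PPTP control channel working but no data flowing, and `iptables -A FORWARD -j ACCEPT` turns the gateway into a router for anything that reaches it. This added example, not from the page, the Arch Wiki or iptables itself, parses a list of iptables commands and checks a PPTP gateway's must-haves (GRE and TCP/1723 accepted on INPUT, NAT in POSTROUTING) while flagging unconditional ACCEPTs in INPUT and FORWARD. The two rule sets are constructed, with 10.0.0.0/24 standing in for the addresses the note leaves out, and the parser handles only the options used in them (unknown "--opt value" pairs are recorded generically).

```python
"""Parse iptables command lines and review them for a PPTP gateway.

Added example, not from the page, the Arch Wiki or iptables. Both rule sets
are constructed; 10.0.0.0/24 is a placeholder for the note's own addresses."""
import shlex
from dataclasses import dataclass, field

# Step 8 of the note, with a placeholder source network filled in.
PAGE_STYLE_RULES = """\
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.0.0/24 -j TCPMSS --clamp-mss-to-pmtu
"""

# The same gateway with forwarding scoped to the tunnel and NAT limited to client addresses.
SCOPED_RULES = """\
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
"""

# Single-argument options that describe what a packet must look like.
MATCH_OPTS = {"-p": "proto", "--protocol": "proto", "-i": "in_if", "-o": "out_if",
              "-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
              "--dport": "dport", "--sport": "sport"}


@dataclass
class Rule:
    table: str
    chain: str
    target: str = ""
    matches: dict = field(default_factory=dict)


def parse_iptables(text):
    """Turn `iptables ...` lines into Rule objects; flushes (-F) produce no rule."""
    rules = []
    for raw in text.splitlines():
        argv = shlex.split(raw)
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if not argv or argv[0] != "iptables":
            continue
        table, chain, target, matches, negate = "filter", None, "", {}, False
        i = 1
        while i < len(argv):
            tok = argv[i]
            if tok in ("-t", "--table"):
                table = argv[i + 1]; i += 2
            elif tok in ("-A", "--append", "-I", "--insert"):
                chain = argv[i + 1]; i += 2
                if i < len(argv) and argv[i].isdigit():     # "-I CHAIN rulenum"
                    i += 1
            elif tok in ("-F", "--flush"):
                chain = None; break                         # a flush, not a rule
            elif tok in ("-j", "--jump"):
                target = argv[i + 1]; i += 2
            elif tok == "!":
                negate = True; i += 1
            elif tok in MATCH_OPTS:
                matches[MATCH_OPTS[tok]] = ("!" if negate else "") + argv[i + 1]
                negate = False; i += 2
            elif tok == "--tcp-flags":                      # takes two arguments
                matches["tcp_flags"] = (argv[i + 1], argv[i + 2]); i += 3
            elif tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                matches[tok.lstrip("-")] = argv[i + 1]; i += 2   # generic "--opt value"
            else:
                i += 1                                      # bare flag such as --clamp-mss-to-pmtu
        if chain:
            rules.append(Rule(table, chain, target, matches))
    return rules


def review(rules):
    """Return findings; an empty list means the ruleset passes these checks."""
    def present(table, chain, target, **want):
        return any(r.table == table and r.chain == chain and r.target == target
                   and all(r.matches.get(k) in v for k, v in want.items())
                   for r in rules)

    findings = []
    if not present("filter", "INPUT", "ACCEPT", proto={"47", "gre"}):
        findings.append("GRE (IP protocol 47) is not accepted on INPUT; the PPTP data channel cannot come up")
    if not present("filter", "INPUT", "ACCEPT", proto={"tcp"}, dport={"1723"}):
        findings.append("TCP/1723 is not accepted on INPUT; clients cannot open the control channel")
    if not any(r.table == "nat" and r.chain == "POSTROUTING" and r.target in ("MASQUERADE", "SNAT")
               for r in rules):
        findings.append("no MASQUERADE/SNAT in nat POSTROUTING; client traffic leaves with private source addresses")
    for r in rules:
        if r.table == "filter" and r.chain in ("INPUT", "FORWARD") and r.target == "ACCEPT" and not r.matches:
            findings.append(f"{r.chain} has an unconditional ACCEPT; scope it with -i/-o/-p")
    return findings


if __name__ == "__main__":
    for label, text in (("page-style", PAGE_STYLE_RULES), ("scoped", SCOPED_RULES)):
        print(label, "->", review(parse_iptables(text)) or "ok")
```

The scoped set keeps the page's behaviour for clients (they reach each other and the outside world) but only forwards between the ppp interfaces and eth0, and only masquerades the client range, which is the shape a reviewer would ask for instead of a flushed FORWARD chain that accepts everything.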