Sunday, October 28, 2012

PPTP VPN Routing Internet Traffic. (CentOS)

I recently set up a personal VPN on CentOS 6.3 to protect myself from sniffers while connected to public hotspots. I read a few tutorials to see whether much had changed in PPTP installation over the last few years, as the last time I set one up was 2009. Not much had changed, but I noticed in the comments of most tutorials that lots of people were having trouble routing internet traffic through the VPN after the install. I will cover a couple of things that could be causing this problem.

First, I noticed that some tutorials skip the iptables rule that allows PPTP traffic to reach your server. In order to connect successfully you will need to unblock TCP port 1723, which you can do by adding the following rule to /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

Or from a command prompt enter:

# iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

Next, you will also need to allow the GRE protocol on your primary interface. Add this rule to the INPUT chain in /etc/sysconfig/iptables:

-A INPUT -p gre -i eth0 -j ACCEPT

Or from the command prompt:

# iptables -A INPUT -p gre -i eth0 -j ACCEPT

These rules will allow your remote client to connect to PPTPD.

Second, a fresh install of an operating system such as CentOS sometimes has the iptables FORWARD policy set to DROP, which blocks forwarded connections. Forwarding is needed to pass traffic between eth0 and your ppp connections. To allow it from the command line, type:

# iptables -P FORWARD ACCEPT

This changes the iptables FORWARD policy to allow forwarding between interfaces.

Lastly, there are 2 important iptables forwarding rules that allow traffic to pass back and forth between eth0 and all ppp connections. I will use the wildcard ppp+ for the ppp interfaces; this is important if you have multiple users of the VPN, as it tells iptables that every ppp connection may pass through eth0 and vice versa. You can add these 2 rules below your INPUT chain rules in the file /etc/sysconfig/iptables:

-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT

Or from a command line:

# iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

This should have you successfully connecting and routing internet traffic from the VPN server to your remote clients!
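As an added check that is not part of the original post, the following shell script reads an iptables rule dump (either /etc/sysconfig/iptables or the output of iptables-save) and reports which of the rules above are missing; the sample dump it runs on is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables rule dump
# (/etc/sysconfig/iptables or `iptables-save` output) for every rule the
# post above says a PPTPD server needs, and report what is missing.

# has_rule <dump> <chain> <token>...: true if one "-A <chain>" line holds
# every token, in any order (iptables-save reorders -i/-p, so order-free
# matching keeps the check honest on either form of the dump).
has_rule() {
    dump=$1; chain=$2; shift 2
    lines=$(grep -E -- "^-A $chain " "$dump")
    for tok in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -F -- "$tok")
        [ -n "$lines" ] || return 1
    done
    return 0
}

# check_pptp_rules <dump>: prints one MISSING line per absent rule and
# returns the number of missing rules (0 means the dump is complete).
check_pptp_rules() {
    dump=$1; missing=0
    has_rule "$dump" INPUT '-p tcp' '--dport 1723' '-j ACCEPT' ||
        { echo "MISSING: INPUT accept tcp/1723 (PPTP control channel)"; missing=$((missing+1)); }
    has_rule "$dump" INPUT '-p gre' '-i eth0' '-j ACCEPT' ||
        { echo "MISSING: INPUT accept GRE on eth0 (tunnel payload)"; missing=$((missing+1)); }
    # "-P FORWARD ACCEPT" appears in a dump as ":FORWARD ACCEPT [pkts:bytes]".
    grep -Eq -- '^:FORWARD ACCEPT' "$dump" ||
        { echo "MISSING: FORWARD policy ACCEPT"; missing=$((missing+1)); }
    has_rule "$dump" FORWARD '-i ppp+' '-o eth0' '-j ACCEPT' ||
        { echo "MISSING: FORWARD ppp+ -> eth0"; missing=$((missing+1)); }
    has_rule "$dump" FORWARD '-i eth0' '-o ppp+' '-j ACCEPT' ||
        { echo "MISSING: FORWARD eth0 -> ppp+"; missing=$((missing+1)); }
    return "$missing"
}

# Constructed sample dump: port 1723 is open but GRE and the FORWARD rules
# were forgotten, the typical "connects but no internet" state.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
EOF
n=0; check_pptp_rules "$sample" || n=$?
echo "missing rules: $n"   # -> missing rules: 4
rm -f "$sample"
```

Run it against `iptables-save` output on the server after editing the rules; a clean result means the firewall side of the setup matches this post, so any remaining routing problem lies elsewhere.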
