The following are my notes of installing PoPToP on **example.com** (RHEL5, i386) ## Pre-Flight Check Check if your kernel supports MPPE (Microsoft Point to Point Encryption). [root@example ~]# modprobe ppp-compress-18 && echo OK OK Usually, kernels 2.6.15 and above support MPPE ## Install the necessary packages First install PPP: yum install ppp Next install PoPToP: rpm -ivH http://poptop.sourceforge.net/yum/stable/rhel5/i386/pptpd-1.3.4-1.rhel5.1.i386.rpm Check if everything went well with rpm -qa pptpd -d ## Configure PPTPD You'll configure the behaviour of your PPTP server in two locations: * All passwords and connection params will be in `/etc/ppp`. * The behaviour of the server itself will be controlled with `/etc/pptpd.conf` ### Edit /etc/ppp/options.pptpd to use DNS and require encryption Configuring `/etc/ppp/options.pptpd` is rather easy. I only checked the file to make sure that MPPE was required for the connection, that the old-style (and insecure) PAP and CHAP was not enabled, and added the following lines: ms-dns 19.27.17.20 ms-dns 19.27.12.21 ### Edit /etc/ppp/chap-secrets to manage users This is very simple too. To add a new user, add a line that looks like: # Secrets for authentication using CHAP # client  server  secret  IP addresses tomc * C@saVa\t * In this case, the user `tomc` would have the password `C@saVa\t`. ### Edit /etc/pptpd.conf to disburse IP addresses I only edited/added the following lines. They tell the server to sustain a maximum of 30 connections and use the remote (client) IP range `10.9.0.2` to `10.9.0.31`. connections 30 localip 19.27.18.14 remoteip 10.9.0.2-31 ## Configure logging Before starting the PPTPD daemon (how's that for a tautology), it would be nice to log things to a file to keep track of users and diagnose connection problems. For this, we can use `syslogd`. Add this to **daemon** facility in `/etc/syslogd.conf`: daemon.*  /var/log/pptpd.log Then restart the syslog daemon: killall syslogd /sbin/syslogd ## Configure the local system to allow connectiong and IP forwarding ### Configure iptables rules I have a very restrictive set of iptables rules and needed all of these. Your mileage may vary. PPTPD uses port 1723 and *protocol* 47. In this snippet, my `$EXTERNAL_INTERFACE` variable is set to `eth1`. # Allow PPTP. Note: it's not _port_ 47 but _protocol_ 47 ("GRE", by Cisco) iptables -A INPUT -i ppp+ -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j ACCEPT iptables -A INPUT  -p tcp --dport 1723 -j ACCEPT iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT iptables -A INPUT  -p 47 -j ACCEPT iptables -A OUTPUT -p 47 -j ACCEPT iptables -A FORWARD -i ppp+ -o $EXTERNAL_INTERFACE -m state --state NEW -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POSTROUTING -t nat -j MASQUERADE ### IP forwarding You might also have to enable IP forwarding. Check if this is already enabled by issuing: [root@example ~]# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 or [root@example ~]# cat /proc/sys/net/ipv4/ip_forward 0 If you see a **1**, you're good. If not, you can enable it on the fly like so: [root@example ~]# sysctl -w net.ipv4.ip_forward=1 or [root@example ~]# echo 1 > /proc/sys/net/ipv4/ip_forward If you do this, make sure that `/etc/sysctl.conf` has `net.ipv4.ip_forward` set to **1**. Then restart the network service: [root@example ~]# sysctl -p /etc/sysctl.conf or [root@example ~]# service network restart ## Start the PPTPD service (finally!) service pptpd start And you should be good to go. Diagnose network problems with nmap, traceroute, etc. You may also want to start it at reboot chkconfig --level 345 pptpd on ## Resources [Poptop Installation guide](http://poptop.sourceforge.net/dox/howto1.html)