How to install and configure pptp vpn server on CentOS 7 linux

In our series of vpn technology tutorials, we now show you how to install and configure a pptp vpn server on CentOS 7 linux.

pptp is a traditional point-to-point tunneling protocol for implementing vpn networks, and because of its known security issues (the MS-CHAPv2 authentication it relies on is broken) it is rarely used by network administrators today.

But implementing this type of vpn is more straightforward on CentOS linux, and if you want to set up a vpn with the least configuration and time, you are in the right article.

Here is our environment:

OS: CentOS 7 linux on VMWare
Firewall: firewalld
SElinux: enforcing
IP address: 192.168.3.128

1- Install ppp

pptp connections on linux rely on the ppp and pptpd packages, so first we install them and then configure them to meet our needs. Run the following commands one by one:

# yum install ppp
# cd /usr/local/src
# wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.4.0-1.el6.x86_64.rpm
# rpm -Uhv pptpd-1.4.0-1.el6.x86_64.rpm

2- Configure pptpd

Now we configure pptpd. First rename the original pptpd configuration file:

# mv /etc/pptpd.conf /etc/pptpd.conf.orig

Then open /etc/pptpd.conf with your preferred editor; here we use Vim:

# vim /etc/pptpd.conf

and put these lines in it (localip is the server's tunnel address, remoteip is the pool handed out to clients):

option /etc/ppp/options.pptpd
logwtmp
localip 10.10.10.1
remoteip 10.10.10.2-254

Also rename the original options.pptpd file:

# mv /etc/ppp/options.pptpd /etc/ppp/options.pptpd.orig

Then open /etc/ppp/options.pptpd and put the following lines in it. The `name pptpd` value is the server name that chap-secrets entries must reference, and the `auth` / `require-mschap-v2` / `require-mppe-128` lines make pppd demand MS-CHAPv2 authentication and MPPE encryption from every client (a `noauth` line here would let clients connect without any credentials, bypassing chap-secrets):

# vim /etc/ppp/options.pptpd
name pptpd
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
require-mschap-v2
require-mppe-128
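Because a single stray option in options.pptpd can silently disable authentication, here is a small audit function (an added example, not part of the original article) that reads a pppd options file and reports settings that weaken the server. The file path and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# check_pptpd_options FILE
# Reads a pppd options file (e.g. /etc/ppp/options.pptpd, path is an assumption),
# prints one finding per line and returns 0 when clean, 1 when anything is found.
check_pptpd_options() {
    file="$1"
    rc=0
    # Drop comments and blank lines, keep the option keyword (first word) of each line.
    opts=$(sed -e 's/#.*//' "$file" | awk 'NF { print $1 }')

    # noauth tells pppd not to require the peer to authenticate: chap-secrets is bypassed.
    if printf '%s\n' "$opts" | grep -qx 'noauth'; then
        echo "noauth present: clients are not required to authenticate"
        rc=1
    fi
    # Without require-mschap-v2, weaker PAP/CHAP methods may be negotiated.
    if ! printf '%s\n' "$opts" | grep -qx 'require-mschap-v2'; then
        echo "require-mschap-v2 missing: weaker authentication may be negotiated"
        rc=1
    fi
    # Without require-mppe-128, the tunnel may carry traffic with no MPPE encryption.
    if ! printf '%s\n' "$opts" | grep -qx 'require-mppe-128'; then
        echo "require-mppe-128 missing: tunnel may run unencrypted"
        rc=1
    fi
    # The server name is what the second column of chap-secrets must match.
    if ! printf '%s\n' "$opts" | grep -qx 'name'; then
        echo "name missing: chap-secrets entries cannot be matched to this server"
        rc=1
    fi
    return "$rc"
}

# Demonstration on a constructed sample file (not a real system path).
sample=$(mktemp)
printf 'name pptpd\nproxyarp\nnoauth\n' > "$sample"
check_pptpd_options "$sample" || echo "sample file has weak settings"
rm -f "$sample"
```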

Now we create a username and password for each user. Open /etc/ppp/chap-secrets and add one line per user in the format `client server secret IP-addresses`, where the server column must match the `name pptpd` value from options.pptpd and `*` allows any client address. Replace USERNAME and PASSWORD with your own values:

USERNAME pptpd PASSWORD *

3- Configure routing and firewall

To route IP packets correctly through our server, we must enable kernel IP forwarding. Run this command:

# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

then apply the new setting without rebooting:

# sysctl -p

Now we add firewall rules to allow GRE traffic (protocol 47, which carries the pptp tunnel), open the pptp control port 1723/tcp, and enable NAT:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-port=1723/tcp
# firewall-cmd --reload

If you use CSF, create a file named /etc/csf/csfpre.sh and put the following iptables commands in it (without the leading `#`, which is the shell prompt in this article). Then open port 1723 in CSF and reload it.
Note: remember to replace "eth0" with your own interface name.

# iptables -A INPUT -p gre -j ACCEPT
# iptables -A OUTPUT -p gre -j ACCEPT
# iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT

If you use plain iptables, just run the above commands and then open port 1723. Finally, make them permanent with iptables-save and restart iptables.

4- Configure SElinux

Because we prefer to keep SELinux in enforcing mode, and without the proper boolean set it denies pptp connections, run this command:

# setsebool -P daemons_use_tty 1

5- Start services

Finally, start and enable the service:

# systemctl start pptpd
# systemctl enable pptpd