First of all you need to download pptpd, and if you're running a GUI (e.g. Gnome or KDE) you may also wish to download pptpd-config. They can both be downloaded directly from http://pptpclient.sourceforge.net/.

You can also download by apt-get or rpm where available on your distribution. Alternatively the latest version is directly available from SourceForge.net in tarball format. This will need to be compiled and installed before using.

If you need to use MS-CHAP-V2 you will need to ensure your installed/running Kernel has MPPE included or compiled as a module. If you have installed from a modern distribution such as CentOS, Fedora, Ubuntu etc with a fairly new 2.6.X kernel then ppp_mppe will most likely be available, to include the modules in readiness for pppd run the following commands:

modprobe ppp_mppe
modprobe ppp-compress-18

If running setting up pppd as a server behind a NAT firewall, you will most likely also need to run modprobe ip_nat_pptp.

Now that you have the appropriate support for MPPE enabled you can start configuring your VPN client.

Firstly you will want to edit /etc/ppp/options.pptp. This is where you can enable or disable the authentication method used by pptp. In the example below we have disabled PAP, EAP and CHAP and specified that the VPN can be connected by MS-CHAP or MS-CHAP-V2 as both are accepted by the VPN server we are connecting to.

###############################################################################
# $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###############################################################################

# Lock the port
lock

# Authentication
# We don't need the tunnel server to authenticate itself
noauth

# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
#refuse-mschap
#refuse-mschap-v2

# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)

# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# {{{
# Require MPPE 128-bit encryption
#require-mppe-128
# }}}

# http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
#mppe required,stateless
# }}}

The next thing you need to configure is the peers file containing information on your connect, this file is /etc/ppp/peers/VPN_NAME, where VPN_NAME is the name you wish to associate with the connection, i.e. WORK. An example config is below:

pty "pptp VPN_SERVER --nolaunchpppd"
name USERNAME
remotename VPN_NAME
require-mppe-128
file /etc/ppp/options.pptp
ipparam VPN_NAME

In this configuration the following options are set:

VPN_SERVER is either the hostname or IP address of your VPN server, e.g. vpn.yourdomain.com
USERNAME is your assigned username for authentication purpose
VPN_NAME is the name for the connection as selected previously

The next step is to configure the authentication information, (i.e. USERNAME and PASSWORD) for your connection, this is done by editing the /etc/ppp/chap-secrets file.

# Secrets for authentication using CHAP
# client server secret IP addresses

USERNAME VPN_NAME "PASSWORD" *

Within the chap-secrets file, you need to define the following information:

USERNAME is your assigned username as used previously in /etc/ppp/peers/VPN_NAME
VPN_NAME is the name for the connection as selected previously, this needs to match the name used in the above steps
PASSWORD is your assigned password

When you have finished configuring your connection through the above steps, it is now time to try and connect to your VPN server. This can be performed by executing the following command, pppd call VPN_NAME. If successful, once connected you should noticed pppd and pptp running when you run ps aux. Alternatively you should see a ppp0 connection when running ifconfig.

Now that you're connected, you will need to route the appropriate subnet to the connection in order to access the network or hosts at the other end of the connection. For example, if your VPN server is connected to subnet of 10.0.0.0/8 then you will want to execute the following command route add -net 10.0.0.0/8 ppp0 (see below for a method of automating this when the connection is established).

If you wish to disconnect from the VPN, the quickest method is by executing killall pppd. You may also wish to execute ifconfig ppp0 down prior to this but it is not necessary.

Rather than manually routing to the network on the other end of your VPN each time you connect, you can automate this task by creating the /etc/ppp/ip-up.local file. An example config is as follows:

#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}

Once this file has been created you will need to make it executable by running the following command chmod +x /etc/ppp/ip-up.local. Now each time you call up pppd to connect to the VPN, upon successful connection to the remote server, this script will be executed and the routing table will be updated. You can also use this script to perform additional tasks automatically once connected to your VPN.

Another handy feature is the demand or persist option available through pppd, this can give you the ability to setup on-demand dialing or re-dialing by simply a line with demand to your /etc/ppp/peers/VPN_NAME. Alternatively you can do this via the initial command used to call your connection e.g. pppd <local_ip>:<remote_ip> demand call VPN_NAME. The persist options will prevent an exit after a connection is terminated; instead try to reopen the connection. For further details its recommended you take the time to read man pppd.

If you're having trouble connecting, you can connect with debugging enabled. This will give onscreen error logging such that you can determine more details on any problems that may be occurring:

pppd call VPN_NAME logfd 2 nodetach debug dump

Alternatively you can check /var/log/messages for any output relating to the pppd connection.

If your after the Process IP (PID) of a particular pppd session or ppp interface (i.e. ppp0 or ppp1), this can be found by the following command, cat /var/run/ppp0.pid. This can be particularly helpful if you want to end only a single interface pppd session in the case of multiple VPN tunnels, e.g. kill -9 `cat /var/run/ppp0.pid`