PPPoE Server – How To Do It Yourself

Today I noticed that one of my neighbors is using my wireless connection. One way to forbid him from using my really low bandwidth internet connection would be to encrypt the wireless connection, but that will also affect the transfer speed between the computers connected to the LAN and my cheap router will fail at some point (This did happen before…).

Another way was to use MAC address based access control to the wireless device, but since the MAC address can be easily spoofed I decided that it is a bad idea also.

The only thing remaining was to implement a user/password based authentication and I remembered that I did install a PPPoE server a few years ago. So this is how it works:

On the Linux box that splits the internet connection I have 2 network cards (eth0 – WAN, eth1 – LAN).

You will need ppp and rp-pppoe server from Roaring Penguin.

1. Make sure you have an active internet connection. If not, set it up by using your favorite text editor (I use vim):

vim /etc/network/interfaces 
auto lo
iface lo inet loopback

iface eth0 inet static
address 89.xxx.yyy.zzz     #Your public IP address
netmask 255.255.255.240  #Your subnet mask
gateway 89.xxx.xxx.xxx    #Your gateway

iface eth1 inet static
address 192.168.1.254
netmask 255.255.255.0

Set up one or more nameservers (I use the free ones provided by Google):

echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf

Ping some website to make sure your internet connection is working:

[email protected]:~$ ping google.com
PING google.com (209.85.229.147) 56(84) bytes of data.
64 bytes from ww-in-f147.1e100.net (209.85.229.147): icmp_req=1 ttl=52 time=83.0 ms

2. Install ppp daemon:

sudo apt-get install ppp

3. Now get rp-pppoe from here.

wget http://www.roaringpenguin.com/files/download/rp-pppoe-3.10.tar.gz

And extract it

 tar -zxvf  rp-pppoe-3.10.tar.gz

Now compile it

cd rp-pppoe-3.10/src/
./configure
make && make install

4. Now, we shall edit the PPPoE server options:

vim /etc/ppp/pppoe-server-options
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
netmask 255.255.255.0
defaultroute
noipdefault
usepeerdns

5. Add usernames and passwords:

vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses

#USERNAME           SERVER              PASSWORD                     CLIENT IP ADDRESS
"cristanhuza"         *           "My_s3cret_pa$$w0rd"                  192.168.1.1
"friend1"             *           "My_friend's_s3cret_pa$sW0rd"         192.168.1.2

6. Set up the IP addresses pool:

echo "192.168.1.1-20" > /etc/ppp/allip

This will assign the future clients one IP address from the 192.168.1.1 until 192.168.1.20 range.

7. Start the PPPoE server:

pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1

8. Enable packet forwarding between network interfaces:

echo 1 > /proc/sys/net/ipv4/ip_forward

9. Set up NAT in order to provide internet access to the LAN computers:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

Congratulations! You have just set up a PPPoE server and you can be worry free now that nobody else will be able to use your internet connection without permission.

69 thoughts on “PPPoE Server – How To Do It Yourself”

  1. Hello hochel,

    What are you trying to obtain? Authenticate users over a wireless network?

    You have 2 options:
    1. Set the linux machine to act as a Wireless Acess Point and then configure the pppoe server (I have never tested this before, but theoretically it should work). The downside of this is the fact that you will still have to provide them access to the wireless network before they can connect to the pppoe server.
    2. Set up a captive portal ( http://en.wikipedia.org/wiki/Captive_portal ). Most likely this is what you are trying to achieve, the captive portal is a common way of controlling who can access your network and is mostly used in hotels, bars, clubs, etc.

    PS: If you have any kind of security (WEP/WPA) the whole pppoe idea is kind of pointless. Your users need to know the secret key in order to authenticate and you may use multiple unique keys.

    If you need extra information let me know.

    Reply
    • It depends on what operating system or distribution you are using.
      In Microsoft Windows, you set up a pppoe connection from network settings, in GNU/Linux you can do it from the network manager if you have a GUI, or from the console using sudo pppoeconf

      Reply
  2. i have created pppoe server but i want to block some websites to pppoe clients using iptables or anything but i can’t do it. Can you help me with this.

    Reply
    • You can use iptables for this, for example:
      iptables -A FORWARD -s 192.168.1.X -d forbiddensite.com -j DROP
      Though, I would recommend you to check all IP addresses for site and block by IP instead of domain.
      Other options are using a proxy or force all clients to use custom DNS server.

      Reply
  3. pourriez vous m’aider j’ai pas compris le rôle de ce code

    configuration du serveur ssh
    – Se placer sous le repertoire if-up.d : /etc/network/if-up.d
    – Ouvrir le fichier /etc/network/if-up.d/openssh-serveur, puis ajouter les lignes du
    codes :
    if [`expr substr $IFACE 1 3 ‘ = ‘’lo :’’] ;then
    exit 0
    fi

    Reply
    • Hi, I do not understand French, but I assume you want to know what that code does. Where did you get it from? It basically checks if the interface you’re trying to bring up is “lo” (local interface).
      Can’t help you with this unless you tell me at least what you’re trying to obtain.

      Reply
  4. About filtering traffic for pppoe or others clients that forward traffic to other sites use FORWARD filter not INPUT … input filter it is apply to your local machine (router, concentrator)
    if u use forward rule .. is from clinet to website that you wana filtrer and traffic pass tru (pppoe-server)

    Reply
  5. Thank you,another question,can i enable pppoe-server “pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1” on boot ? without writing this command each time i make reboot? thank you

    Reply
    • What do you mean by defaultroute details (what do you want to obtain exactly)? The default route is passed by using the “defaultroute” option in pppoe server config file.

      Reply
      • Its working now . The client was not getting default gw info from pppoe server which is the ip address assigned to eth1 in my case . Thought we have to explicitly type defaultroute details in server config file

        Reply
        • Glad to hear it was sorted out for you, usually the issue with default gateway comes on Windows systems due to stupid UAC, a workaround is to disable UAC and re enable it after you create the PPPoE connection.

          Reply
  6. I am using pap-secrets for my work . I am getting “PAP peer authentication failed for user123” . I have entered same details in pap-secrets file as shown for chap in this website . Any configuration to be added in /etc/ppp/options or any other file ?

    Reply
  7. Hi,

    Thanks for the gr8 post. PPPoE server starts working within 5 minutes.

    One query how can we have service based authentication along with username and password within this setup?

    Reply
  8. hi i am new to this world so i need some help
    i have an ubuntu virtual machine using vmware which i set up the pppoe server on…
    on the client side i have my other laptop connected by a network cable to the laptop that has the server but i didnt figure out how to do the connection
    do i just need to connect and use a username and password from those i filled in the secret file?

    Reply
    • Hello, yes, that’s basically all you have to do. You have to set up a regular PPPoE connection and use the right credentials.
      Make sure you set up the vmware network adapter as bridge to the network interface your other laptop is connected to, otherwise PPPoE will not work.

      Reply
  9. Nice tutorial ……………….

    How to manage bandwidth or how to create user profile?????????????

    Thanks

    Reply
    • For bandwidth management you can easily do that with TC or HTB tools. I think there is also a nice web interface called webhtb or something similar.

      Reply
  10. Hey guys,
    I’ve encotered some issues with this. For some reason the only valid login user/password is test/1234567. Below you can see the content of the chap file.
    is there someting that i may have missed?
    I must specify that if I rename the “test” user none will work. If i only change the password for user “test” then i can login via ppoe with the new password. still i caanot use any usernames beside “test”.

    #------------------------------------------------------------
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    "testaa" * "1234567" *
    "test" * "1234567" *
    "user" * "1234567" *
    "user1" * "1234567" *
    #------------------------------------------------------------

    Reply
  11. Hi just forgot the endif statement on line 25!! or just implement a radius server or enable it on the openwrt or ddwrt firmware; this is for backend implementation of the service not the implementation. Thanks thou; end if instructions are unrelated!!

    Reply
  12. Hi!.need help

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
    iptables v1.4.21: can’t initialize iptables table `nat’: Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.

    thanks

    Reply
    • Hi, are you running these commands as root? is this a physical machine or a virtual machine?
      If not, first try to run the commands as root (or using sudo in front of each). If you still encounter issues, please provide more details about the environment.

      Reply
  13. Hi Cristian,

    After a very long I stuck up with one situation. Basically I want to simulate the situation where PPPoE session should reconnect after every 24 hours. Right now it stays connected for long till I reconnect it.

    So how we can do that?

    Reply
  14. hi christian, thanks for you tutorial. For the last few days i am trying to implement pppoe server but unfortunately i am not able to run it. I have followed this tutorial as well as some other but there is no success and the issue is same with all these tutorials i guess. When u try to start the server using this command “pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1” nothing shows up,, just the command runs without any errors …nothing shows up in the system log if the pppoe service has started or not thanks. I am using linux version 14.04 and pppoe version 3.11

    Reply
  15. Hi Cristian and all,

    Could you please tell me if there is any way to configure PPPoE server with unsecured mode? – That mean client can receive IP address without username/password.

    I have some routers that have PPPoE as default settings but without username/password on it. I want to verify if PPPoE function works well or not without touch PPPoE configuration on router.

    So how we can do that.

    Reply
  16. Hi Cristian,

    Below is my setup details,

    PC —— Cisco Switch —— PPPoE (Server) ——– Internet link

    In the above test setup, when PC is initiating the PPPoE request the request is not broadcast to PPPoE server is this an issue with the switch.? or any other special configuration needs to be updated for this to work.?

    Reply
    • Pugazhenthi switches pass PPPoE frames like any other traffic, did you try to connect a PC/Laptop directly to the server and see if you can connect over PPPoE? this is the simplest method of debugging at this point.

      Reply
      • HI Cristian,

        In the above topology, PPPoE Server is running on the Ubuntu VM which is running on the XenServer 6.5 machine.

        Reply
  17. The steps are very clear but it seems the article is missing extra information to make it complete. Please answer these questions in your article, but maybe first as a reply to my comment,

    (0)
    So whats the end result? What have you achieved? How do you connect now? What does your neighbor see now?

    (1)
    Does your wifi stealing neighbor still see the SSID? Can they connect to it like before? If they do, I assume they cant get thru your PPPoE because they dont know the username and password that you setup for CHAP.
    Is this correct?

    (2)
    Also how do you connect? Do you connect to your SSID and then run your PPPoE client? Which in windows you can use “Network Settings” and from GNU you can use “sudo pppoeconf” per your other comment.

    (3) step 6 has some html char conversion garbage
    this: echo "192.168.1.1-20" > /etc/ppp/allip
    should be: echo “192.168.1.1-20” > /etc/ppp/allip

    Reply
  18. I’m sorry if this has been said this thing has a lot of comments! But I think I’m missing something. How is this secure? The LAN interface is configured to forward/NAT on the IP level. So can someone not simply associate with the AP then do something like:
    > ifconfig wlan0 192.168.1.19 255.255.255.0 gw 192.168.1.254
    And the machine will happily forward the packets?
    I mean sure they’d have to play around and guess the addresses a bit but…
    What am i missing? How does this force someone to authenticate?

    Reply
    • Hi Bogdan,

      Most likely you need to change the device on which the outbound (aka client download) limit is set. PPPoE creates a pppoe0 device on the server, it’s not normal eth0 or eth1 that you’re used to.

      Reply
  19. Hey Cristian, I’m trying to become a small rural wisp and ive never really use pppoe before but it seems like it would be a great security measure to my network. My question would be how would a accomplish allowing the server assigning public ip address’s? I dont know if its possible but i would to be able to authenticate customer access point with pppoe and assign them a public ip as well. I do have blocks of ip address from my bandwidth provider.

    Reply
    • Christopher, you just need to exclude the iptables SNAT/MASQUERADE rules, and set the IP address provided to customers to be part of your assigned range.
      You will basically be doing simple routing and not NATing over PPPoE.

      Reply
  20. one thing it’s not clear, if we use step 9: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
    every PC with manual IP address setting from that pool will get internet without our control, this is not good.

    Reply
    • Marian, you are doing something wrong then, no client that is not authenticated over PPPoE should have internet access, that range is assigned over the ppp interface only.
      So if the client is not authenticated, it can’t communicate with the system, though should not have access.
      Please dump here in the CODE tags the output of ifconfig -a and iptables -t nat -nvL

      Reply
  21. Thank you, I have one question,can i set -L 192.168.1.254 option same as ip address of users. i.e want same ip address at the both end of tunnel is it possible?

    Thanks.

    Reply
    • There are 2 different things here, a diagram of your network might help, but from my understanding, it’s something like this:

      INTERNET — (your adsl modem) —> your linux box <---switch/router ---- clients Take the step by step approach: 1. Make sure your linux box has internet access (I believe you need to use pppoe CLIENT for this - see pppoe-conf in ubuntu, not sure exactly how it's called) 2. Once you have internet on the linux box, do an ip link or ifconfig -a and post the output here. Your OUT interface might have a different name than eth0 as it's described in this tutorial - I'm referring to this line - you might need to replace eth0 with ppp0 or ppp1: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
      3. Try to bring up the pppoe SERVER – check the logs and see what happens exactly, do your best to understand what you’re doing!

      Reply
  22. Hi, its an excellent tutorial, my PPPoE is working fine, is there any way to bind MAC address along with the usernames defined in the chap-secrets.

    Thanks

    Reply
  23. works same way with Centos 7.4
    I commented the authentication at server configuration.
    with centos use: yum install rp-pppoe-3.11-7.el7.x86_64

    Reply
  24. Hi Christian,
    I am having both PAP and CHAP and I am using a tool to test the server . The tool basically sends PADI packets with PAP and CHAP both.
    I don’t see PADO being sent from the server. Can you please help me out here ASAP ?

    Reply
    • What’s the tool name? Run a tcpdump/wireshark on the interface and make sure this is actually the case, maybe the packets have the wrong format or are corrupted?

      Reply
  25. Hi Cristian,

    Really hoping you’re still checking out this page, I’m trying to connect 2 lans using pppoe, as such I want to set the destination for my ppp0 interface to be the same subnet as my client address. where do I add this? Also how do I set the client I.P’s as static.

    Regards,
    Darren,

    p.s If I could email you and get talking to you directly I’d love a chance to pick your brain on this one

    Reply
  26. Hi Cristian,

    I’m trying to connect 2 lans using pppoe, I’m struggling with finding where to set my remote i.p, I’m also looking to setup freeradius for authentication can I talk to you sometime just to pick your brain on this?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.