This topic provides a guide for setting up a Point to Point Tunneling Protocol (PPTP) VPN on an elastic Compute Service (ECS) instance that runs an Ubuntu operating system.
Overview
This topic is applicable to Ubuntu 18.04 and later versions.
An ECS instance with Ubuntu 18.04 is used in this guide. For instructions on creating an ECS instance, see Create an instance on the Custom Launch tab.
In the security group, add the necessary port for PPTP VPN, which is TCP port 1723. For more information, see How to configure security groups after installing the VPN gateway on an ECS instance.
Configure the VPN server
Log on to the ECS instance that acts as the PPTP server and configure the PPTP server settings. For logon instructions, see Connect to a Linux ECS instance by using SSH.
Configure the PPTP service
Run the following commands to install pptpd:
sudo apt-get update sudo apt-get -y install pptpdEdit the pptpd configuration file to set the IP address range for PPTP clients, ensuring each device receives a unique IP.
Run the
sudo vim /etc/pptpd.confcommand and add the following settings:localip 192.168.0.1 remoteip 192.168.0.234-238Notelocalipis the VPN server's address for client connections, typically the server's private network IP. Adjust localip as needed.remoteipis the range of IP addresses allocated to PPTP clients. To avoid conflicts, ensure that there is no overlap with other devices.
The file content is shown in the figure below:
Set up DNS.
Run the
sudo vim /etc/ppp/pptpd-optionscommand and add the following DNS settings:ms-dns 223.5.5.5 ms-dns 223.6.6.6NoteUse the following IP addresses of Alibaba Cloud public DNS servers: 223.5.5.5 and 223.6.6.6. Alternatively, you can substitute with other public DNS servers based on your needs.
The file content is shown in the figure below:
Create a user for PPTP server authentication, allowing only authorized access.
Run the
sudo vim /etc/ppp/chap-secretscommand and add user credentials in the formatusername pptpd password IP address, separating each field with a space.NoteFor example: test pptpd 123456, where "*" represents all IP addresses.
test pptpd 123456 *The file content is shown in the figure below:
Enable routing forwarding
Run the following command to activate forwarding:
sudo echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.confRun the following command to load the system parameters:
sudo sysctl -p "/etc/sysctl.conf"
Configure firewall forwarding rules
Edit the rc.local file with
sudo vim /etc/rc.localand add the following content:NoteSubstitute XXX.XXX.XXX.XXX with the public IP address of your ECS instance.
sudo iptables -A INPUT -p gre -j ACCEPT sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT sudo iptables -t nat -A P0STROUTING-s 192.168.0.0/24-0 -j SNAT --to-source XXX.XXX.XXX.XXXRestart the PPTP service and configure it to start automatically on boot.
sudo /etc/init.d/pptpd restart sudo systemctl enable pptpd.service
Configure the VPN client
Install the PPTP client software with the following commands:
sudo apt-get update sudo apt-get -y install pptp-linuxInitiate a VPN connection named test with the following command:
sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --startNote[$IP] is the PPTP server's public IP address on the ECS instance.
[$User] is the username for the PPTP server user account. For username retrieval, see Create a user.
[$Password] is the password for the PPTP server user account. For password retrieval, see Create a user.
If a command output similar to the one as shown below is returned, this indicates that you are connected to the PPTP VPN server.
Using interface ppp0 Connect: ppp0 <--> /dev/pts/1 CHAP authentication succeeded MPPE 128-bit stateless compression enabled local IP address 192.168.0.234 remote IP address 192.168.0.1