All Products
Search
Document Center

Elastic Compute Service:Set up PPTP VPN on an Ubuntu ECS instance

Last Updated:Jun 21, 2026

This topic shows how to set up a Point-to-Point Tunneling Protocol (PPTP) VPN on an Elastic Compute Service (ECS) instance running the Ubuntu operating system.

Prerequisites

  • This topic applies to Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04.

  • This topic uses an ECS instance that runs Ubuntu 18.04 as an example. For more information about how to create an ECS instance, see Create an instance by using the wizard.

  • The security group for the instance requires an inbound rule that allows traffic on port 1723 and the GRE protocol from the public IP address of the VPN client. For more information, see Manage security group rules.

VPN server configuration

Log on to the ECS instance that you want to use as the PPTP server and follow the steps to configure the PPTP server. For more information about how to log on to an ECS instance, see Connect to a Linux instance.

Configure the PPTP service

  1. Run the following commands to install pptpd.

    sudo apt-get update
    sudo apt-get -y install pptpd
  2. Configure the pptpd file. This file specifies the IP address range for PPTP clients, ensuring each device receives a unique IP address.

    1. Run the sudo vim /etc/pptpd.conf command and add the following configuration:

      localip 192.168.0.1
      remoteip 192.168.0.234-238
      Note
      • localip specifies the VPN server's address. We recommend using the server's private IP address. Adjust this value as required.

      • remoteip specifies the IP address range for PPTP clients. To avoid conflicts, ensure no other devices use this IP range. Adjust this value as required.

    2. After you add the configuration, the file content is as follows:

      # (Recommended)
      #localip 192.168.0.1
      #remoteip 192.168.0.234-238,192.168.0.245
      localip 192.168.0.1
      remoteip 192.168.0.234-238
  3. Configure DNS.

    1. Run the sudo vim /etc/ppp/pptpd-options command and add the following configurations:

      ms-dns 223.5.5.5
      ms-dns 223.6.6.6
      Note

      The IP addresses 223.5.5.5 and 223.6.6.6 are Alibaba Cloud public DNS server addresses. You can change them to other public DNS server addresses as needed.

    2. After you add the configuration, the file content is as follows:

      # specifies the secondary DNS address.
      #ms-dns 10.0.0.1
      #ms-dns 10.0.0.2
      ms-dns 223.5.5.5
      ms-dns 223.6.6.6
  4. Create a user. This user authenticates PPTP connections, ensuring only authorized clients can connect.

    1. Run the sudo vim /etc/ppp/chap-secrets command to add a username and password for pptpd. Add accounts as needed in the username pptpd password IP address format. Ensure that each item is separated by a space and add only one user account per line.

      Note

      Example: test pptpd 123456 *. The asterisk (*) indicates all IP addresses.

      test pptpd 123456 *

Enable IP forwarding

  1. Run the following command to enable IP forwarding.

    sudo echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
  2. Run the following command to load the system parameters.

    sudo sysctl -p "/etc/sysctl.conf"

    After the command is successfully run, net.ipv4.ip_forward = 1 in the output indicates that IP forwarding is enabled.

    root@iZZ:~# sudo sysctl -p
    vm.swappiness = 0
    kernel.sysrq = 1
    net.ipv4.neigh.default.gc_stale_time = 120
    net.ipv4.conf.all.rp_filter = 0
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.arp_announce = 2
    net.ipv4.conf.lo.arp_announce = 2
    net.ipv4.conf.all.arp_announce = 2
    net.ipv4.tcp_max_tw_buckets = 5000
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 1024
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_slow_start_after_idle = 0
    net.ipv4.ip_forward = 1

Configure iptables firewall forwarding rules

In Ubuntu, iptables rules are lost after an ECS instance restarts because the rules are temporary by default. Use the iptables-persistent package to save the iptables rules and automatically load them on system startup.

  1. Run the following command to install iptables-persistent.

    sudo apt-get install iptables-persistent -y

    When prompted to save the current rules during the installation, select yes.

  2. Add iptables rules.

    sudo iptables -A INPUT -p gre -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/29 -o eth0 -j SNAT --to-source XXX.XXX.XXX.XXX
    Note

    In this example, 192.168.0.234/29 specifies the private IP address range for the VPN client. You must modify this value based on your actual requirements. XXX.XXX.XXX.XXX is the public IP address of your ECS instance.

  3. Save the iptables rules to make them persistent.

    sudo netfilter-persistent save
  4. (Optional) View the iptables rules.

    # View detailed rules
    sudo iptables -L -v
    # View rules in the nat table
    sudo iptables -t nat -L -v

Restart the PPTP service

sudo /etc/init.d/pptpd restart
sudo systemctl enable pptpd.service

VPN client configuration

  1. Run the following commands to install the PPTP client software.

    sudo apt-get update
    sudo apt-get -y install pptp-linux
              
  2. Run the following command to initialize a VPN connection tunnel named test.

    sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start
    Note
    • [$IP] is the public IP address of the ECS instance hosting the PPTP server.

    • [$User] is the username for the user created on the PPTP server. For information about how to obtain the username, see Create a user.

    • [$Password] is the password for the user created on the PPTP server. For information about how to obtain the password, see Create a user.

    If the connection is successful, the following output is displayed:

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    CHAP authentication succeeded
    MPPE 128-bit stateless compression enabled
    local  IP address 192.168.0.234
    remote IP address 192.168.0.1