This topic provides a guide for setting up a Point to Point Tunneling Protocol (PPTP) VPN on an Elastic Compute Service (ECS) instance that runs an Ubuntu operating system.
Prerequisites
An ECS instance that runs Ubuntu 18.04, 20.04, or 22.04 is created. In the following example, an ECS instance that runs Ubuntu 18.04 is used. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
In the security groups of the ECS instance, inbound rules are added to allow traffic on port 1723 and over the Generic Routing Encapsulation (GRE) protocol from the public IP address of the VPN client. For more information, see Manage security group rules.
Configure the VPN server
Log on to the ECS instance that acts as the PPTP server and configure the PPTP server settings. For logon instructions, see Connect to a Linux ECS instance by using SSH.
Configure the PPTP service
Run the following commands to install pptpd:
    sudo apt-get update
    sudo apt-get -y install pptpd

Edit the pptpd configuration file to set the IP address range for PPTP clients, ensuring each device receives a unique IP.
Run the sudo vim /etc/pptpd.conf command and add the following settings:

    localip 192.168.0.1
    remoteip 192.168.0.234-238

Note:
localip is the VPN server's address for client connections, typically the server's private network IP. Adjust localip as needed.
remoteip is the range of IP addresses allocated to PPTP clients. To avoid conflicts, ensure that there is no overlap with other devices.
The file content is shown in the figure below:

Set up DNS.
Run the sudo vim /etc/ppp/pptpd-options command and add the following DNS settings:

    ms-dns 223.5.5.5
    ms-dns 223.6.6.6

Note: Use the following IP addresses of Alibaba Cloud public DNS servers: 223.5.5.5 and 223.6.6.6. Alternatively, you can substitute other public DNS servers based on your needs.
The file content is shown in the figure below:

Create a user for PPTP server authentication, allowing only authorized access.
Run the sudo vim /etc/ppp/chap-secrets command and add user credentials in the format username pptpd password IP address, separating each field with a space.
Note: For example: test pptpd 123456 *, where "*" represents all IP addresses.

    test pptpd 123456 *

The file content is shown in the figure below:

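The chap-secrets format described above can be checked automatically before the service is started. The following script is an added example, not part of the original page: the function name audit_chap_secrets, the finding labels and the 12-character minimum are assumptions made for this example, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a chap-secrets file whose entries follow the page's
# "username pptpd password IP address" format.
# Assumptions (not from the page): the function name audit_chap_secrets and
# the 12-character minimum secret length are choices made for this example.
MIN_LEN=12

audit_chap_secrets() {
    local file="$1" perms
    # The file stores plaintext passwords: group/other must have no access.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS group/other=$perms (use chmod 600)"
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        NF < 4 { print "MALFORMED line=" NR; next }
        {
            user = $1; secret = $3; addr = $4
            gsub(/^"|"$/, "", secret)            # drop optional surrounding quotes
            if (length(secret) < min) print "SHORT_SECRET user=" user " line=" NR
            if (secret ~ /^[0-9]+$/)  print "NUMERIC_SECRET user=" user " line=" NR
            if (addr == "*")          print "ANY_ADDRESS user=" user " line=" NR
        }' "$file"
}

# Constructed sample input: the page's example entry plus a stricter entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# client  server  secret  IP address
test pptpd 123456 *
alice pptpd "c0rrect-Horse-Battery" 192.168.0.235
EOF
chmod 644 "$sample"
audit_chap_secrets "$sample"
rm -f "$sample"
```

On the real server, run it as `sudo bash -c '. ./audit.sh; audit_chap_secrets /etc/ppp/chap-secrets'` (audit.sh is a hypothetical file name for the script above).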
Enable routing forwarding
Run the following command to activate forwarding:
    # sudo does not apply to a shell redirection, so append through sudo tee.
    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Run the following command to load the system parameters:

    sudo sysctl -p "/etc/sysctl.conf"
Configure iptables firewall forwarding rules
In Ubuntu, iptables rules are temporary rules that cannot survive an instance restart. This section describes how to use the iptables-persistent package to save iptables rules and automatically load the rules on instance startup.
Run the following command to install the iptables-persistent package:

    sudo apt-get install iptables-persistent -y

When you are prompted to confirm whether to save the current rules, select yes.
Add iptables rules.

    sudo iptables -A INPUT -p gre -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    # GRE is IP protocol 47 and is already matched by the -p gre rule above; PPTP does not use TCP port 47.
    sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/29 -o eth0 -j SNAT --to-source <XXX.XXX.XXX.XXX>

Note: Replace 192.168.0.234/29 with the actual private IP address range of the VPN client. Replace <XXX.XXX.XXX.XXX> with the actual public IP address of the ECS instance.
Save iptables rules.

    sudo netfilter-persistent save

(Optional) View iptables rules.

    # View rule details.
    sudo iptables -L -v
    # View NAT table rules.
    sudo iptables -t nat -L -v
Restart the PPTP service

    sudo /etc/init.d/pptpd restart
    sudo systemctl enable pptpd.service

Configure the VPN client
Install the PPTP client software with the following commands:
    sudo apt-get update
    sudo apt-get -y install pptp-linux

Initiate a VPN connection named test with the following command:

    sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start

Note:
[$IP] is the PPTP server's public IP address on the ECS instance.
[$User] is the username for the PPTP server user account. For username retrieval, see Create a user.
[$Password] is the password for the PPTP server user account. For password retrieval, see Create a user.
If command output similar to the following is returned, you are connected to the PPTP VPN server.

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    CHAP authentication succeeded
    MPPE 128-bit stateless compression enabled
    local IP address 192.168.0.234
    remote IP address 192.168.0.1