This topic shows how to set up a Point-to-Point Tunneling Protocol (PPTP) VPN on an Elastic Compute Service (ECS) instance running the Ubuntu operating system.
Prerequisites
-
This topic applies to Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04.
-
This topic uses an ECS instance that runs Ubuntu 18.04 as an example. For more information about how to create an ECS instance, see Create an instance by using the wizard.
-
The security group for the instance requires an inbound rule that allows traffic on port 1723 and the GRE protocol from the public IP address of the VPN client. For more information, see Manage security group rules.
VPN server configuration
Log on to the ECS instance that you want to use as the PPTP server and follow the steps to configure the PPTP server. For more information about how to log on to an ECS instance, see Connect to a Linux instance.
Configure the PPTP service
-
Run the following commands to install pptpd.
sudo apt-get update sudo apt-get -y install pptpd -
Configure the pptpd file. This file specifies the IP address range for PPTP clients, ensuring each device receives a unique IP address.
-
Run the
sudo vim /etc/pptpd.confcommand and add the following configuration:localip 192.168.0.1 remoteip 192.168.0.234-238Note-
localipspecifies the VPN server's address. We recommend using the server's private IP address. Adjust this value as required. -
remoteipspecifies the IP address range for PPTP clients. To avoid conflicts, ensure no other devices use this IP range. Adjust this value as required.
-
-
After you add the configuration, the file content is as follows:
# (Recommended) #localip 192.168.0.1 #remoteip 192.168.0.234-238,192.168.0.245 localip 192.168.0.1 remoteip 192.168.0.234-238
-
-
Configure DNS.
-
Run the
sudo vim /etc/ppp/pptpd-optionscommand and add the following configurations:ms-dns 223.5.5.5 ms-dns 223.6.6.6NoteThe IP addresses 223.5.5.5 and 223.6.6.6 are Alibaba Cloud public DNS server addresses. You can change them to other public DNS server addresses as needed.
-
After you add the configuration, the file content is as follows:
# specifies the secondary DNS address. #ms-dns 10.0.0.1 #ms-dns 10.0.0.2 ms-dns 223.5.5.5 ms-dns 223.6.6.6
-
-
Create a user. This user authenticates PPTP connections, ensuring only authorized clients can connect.
-
Run the
sudo vim /etc/ppp/chap-secretscommand to add a username and password for pptpd. Add accounts as needed in theusername pptpd password IP addressformat. Ensure that each item is separated by a space and add only one user account per line.NoteExample:
test pptpd 123456 *. The asterisk (*) indicates all IP addresses.test pptpd 123456 *
-
Enable IP forwarding
-
Run the following command to enable IP forwarding.
sudo echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf -
Run the following command to load the system parameters.
sudo sysctl -p "/etc/sysctl.conf"After the command is successfully run,
net.ipv4.ip_forward = 1in the output indicates that IP forwarding is enabled.root@iZZ:~# sudo sysctl -p vm.swappiness = 0 kernel.sysrq = 1 net.ipv4.neigh.default.gc_stale_time = 120 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.default.arp_announce = 2 net.ipv4.conf.lo.arp_announce = 2 net.ipv4.conf.all.arp_announce = 2 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 1024 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.ip_forward = 1
Configure iptables firewall forwarding rules
In Ubuntu, iptables rules are lost after an ECS instance restarts because the rules are temporary by default. Use the iptables-persistent package to save the iptables rules and automatically load them on system startup.
-
Run the following command to install
iptables-persistent.sudo apt-get install iptables-persistent -yWhen prompted to save the current rules during the installation, select
yes. -
Add iptables rules.
sudo iptables -A INPUT -p gre -j ACCEPT sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/29 -o eth0 -j SNAT --to-source XXX.XXX.XXX.XXXNoteIn this example,
192.168.0.234/29specifies the private IP address range for the VPN client. You must modify this value based on your actual requirements. XXX.XXX.XXX.XXX is the public IP address of your ECS instance. -
Save the iptables rules to make them persistent.
sudo netfilter-persistent save -
(Optional) View the iptables rules.
# View detailed rules sudo iptables -L -v # View rules in the nat table sudo iptables -t nat -L -v
Restart the PPTP service
sudo /etc/init.d/pptpd restart
sudo systemctl enable pptpd.service
VPN client configuration
-
Run the following commands to install the PPTP client software.
sudo apt-get update sudo apt-get -y install pptp-linux -
Run the following command to initialize a VPN connection tunnel named test.
sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --startNote-
[$IP]is the public IP address of the ECS instance hosting the PPTP server. -
[$User]is the username for the user created on the PPTP server. For information about how to obtain the username, see Create a user. -
[$Password]is the password for the user created on the PPTP server. For information about how to obtain the password, see Create a user.
If the connection is successful, the following output is displayed:
Using interface ppp0 Connect: ppp0 <--> /dev/pts/1 CHAP authentication succeeded MPPE 128-bit stateless compression enabled local IP address 192.168.0.234 remote IP address 192.168.0.1 -