
Elastic Compute Service: Set up a PPTP VPN on an Ubuntu ECS instance

Last Updated: Mar 20, 2026

This topic describes how to set up a Point-to-Point Tunneling Protocol (PPTP) VPN on an Elastic Compute Service (ECS) instance running Ubuntu.

Prerequisites

  • This tutorial applies to Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04.

  • This tutorial uses an ECS instance running Ubuntu 18.04 as an example. To create an ECS instance, see Custom launch ECS instances.

  • Your instance's security group must have an inbound rule to allow traffic on TCP port 1723 and for the Generic Routing Encapsulation (GRE) protocol. The source for this rule must be the public IP address of your VPN client. For more information, see Manage security group rules.

Configure the VPN server

Log on to the ECS instance for your PPTP VPN server and follow these steps to configure it. For instructions on how to log in, see Connect to a Linux ECS instance by using SSH.

Configure the PPTP service

  1. Run the following commands to install pptpd:

    sudo apt-get update
    sudo apt-get -y install pptpd
  2. Configure the pptpd.conf file to specify the IP address range for clients. This ensures each connected device receives a unique IP.

    1. Run the sudo vim /etc/pptpd.conf command and add the following configuration:

      localip 192.168.0.1
      remoteip 192.168.0.234-238
      Note
      • localip is the VPN server's address for client connections, typically the server's private network IP. Adjust localip as needed.

      • remoteip is the range of IP addresses allocated to PPTP clients. To avoid conflicts, ensure that there is no overlap with other devices.

  3. Set up DNS.

    1. Run the sudo vim /etc/ppp/pptpd-options command and add the following DNS configuration:

      ms-dns 223.5.5.5
      ms-dns 223.6.6.6
      Note

      The IP addresses 223.5.5.5 and 223.6.6.6 are Alibaba Cloud's public DNS servers. You can change them to other public DNS server addresses as needed.

  4. Create a user for PPTP server authentication, allowing only authorized access.

    1. Run the sudo vim /etc/ppp/chap-secrets command and add user credentials in the format username pptpd password IP address, separating each field with a space.

      Note

      For example: test pptpd 123456 *, where "*" represents all IP addresses.

      test pptpd 123456 *
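
A check for the chap-secrets file edited in step 4, as an added example that is not part of the original topic: it reports entries with short or guessable secrets, entries whose IP field is "*", and a file that is readable by group or other. The function names, the MIN_LEN threshold and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a pppd chap-secrets file (fields: client server secret IPs).
# MIN_LEN and the weakness rules are assumptions chosen for illustration.
MIN_LEN=12

# Print one finding per problem; print nothing when the file is clean.
audit_chap_secrets() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    # Secrets are stored in clear text, so group and other need no access.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] ||
        echo "PERM: $file group/other permissions are $perms, expected ------"
    awk -v min="$MIN_LEN" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        NF < 3 { printf "FORMAT: line %d has %d fields, need at least 3\n", NR, NF; next }
        {
            user = $1; secret = $3
            gsub(/^"|"$/, "", secret)        # strip optional quotes
            if (length(secret) < min)
                printf "WEAK: %s secret is %d chars, minimum %d\n", user, length(secret), min
            else if (secret ~ /^[0-9]+$/ || tolower(secret) == tolower(user))
                printf "WEAK: %s secret is digits-only or equals the username\n", user
            if ($4 == "*")
                printf "ANYIP: %s is not restricted to specific IP addresses\n", user
        }' "$file"
}

# Constructed sample: the entry used on this page plus a hypothetical stricter one.
demo() {
    tmp=$(mktemp) || return 1
    chmod 644 "$tmp"                         # deliberately too permissive
    cat > "$tmp" <<'EOF'
# client server secret IP
test pptpd 123456 *
alice pptpd c0rrect-Horse-Battery-9 192.168.0.235
EOF
    audit_chap_secrets "$tmp"
    rm -f "$tmp"
}

# With an argument, audit that file; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then audit_chap_secrets "$1"; else demo; fi
```

Run it as root against /etc/ppp/chap-secrets after editing the file; no output means no findings.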

Enable IP forwarding

  1. Run the following command to enable forwarding.

    # The redirect must run as root, so append to the file through sudo tee.
    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
  2. Run the following command to load the system parameters.

    sudo sysctl -p "/etc/sysctl.conf"


Configure iptables firewall forwarding rules

In Ubuntu, iptables rules are held in memory and are lost when the instance restarts. This section describes how to use the iptables-persistent package to save the rules and load them automatically at instance startup.

  1. Run the following command to install iptables-persistent.

    sudo apt-get install iptables-persistent -y

    When prompted to save the current rules, select yes.

  2. Add iptables rules.

    # GRE is IP protocol 47, not a TCP port, so the -p gre rule covers it.
    sudo iptables -A INPUT -p gre -j ACCEPT
    # PPTP control channel.
    sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/29 -o eth0 -j SNAT --to-source <XXX.XXX.XXX.XXX>
    Note

    Replace 192.168.0.234/29 with the actual private IP address range of the VPN client. Replace <XXX.XXX.XXX.XXX> with the actual public IP address of the ECS instance.

  3. Save iptables rules.

    sudo netfilter-persistent save
  4. (Optional) View iptables rules.

    # View rule details.
    sudo iptables -L -v
    # View NAT table rules.
    sudo iptables -t nat -L -v

Restart the PPTP service

sudo /etc/init.d/pptpd restart
sudo systemctl enable pptpd.service

Configure the VPN client

  1. Install the PPTP client software with the following commands:

    sudo apt-get update
    sudo apt-get -y install pptp-linux
  2. Initiate a VPN connection named test with the following command:

    sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start
    Note
    • [$IP] is the public IP address of the ECS instance that runs the PPTP server.

    • [$User] is the username of the PPTP server user account. To find the username, see Create a user.

    • [$Password] is the password of the PPTP server user account. To find the password, see Create a user.

    The following output indicates a successful connection.

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    CHAP authentication succeeded
    MPPE 128-bit stateless compression enabled
    local  IP address 192.168.0.234
    remote IP address 192.168.0.1