Edwin & Xinyu's Blog  

No such person is found here, but the place is.

PPTP VPN on Amazon EC2


From http://www.yzhang.net/blog/2013-03-07-pptp-vpn-ec2.html

I used to host this website on an Amazon EC2 instance. But in fact, that EC2 instance had been mainly used as a VPN server.

And here is how it was set up.

First of all, you need to install pptpd, with the following commands:

```
$ wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
$ yum localinstall pptpd-1.3.4-2.el6.i686.rpm
```
(for 64 bit instances, get the package at [http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm](http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm))

Then update the pptpd configuration in `/etc/pptpd.conf` by adding the following lines:
```
localip     192.168.9.1
remoteip    192.168.9.11-30
```
The `localip` field determines the IP address of your EC2 instance on the VPN, while the `remoteip` field determines the IP addresses handed out to connected clients. Because potentially many clients may connect to this VPN, `remoteip` is a range of 20 IP addresses.

You also need to tell your clients to use a specific DNS server. This is done by editing `/etc/ppp/options.pptpd` and adding the following lines:
```
ms-dns    8.8.8.8
ms-dns    8.8.4.4
```
We are using Google’s public DNS servers here.

Now set up the VPN usernames and passwords in `/etc/ppp/chap-secrets`. Each line in the file has the format:
```
<username> pptpd <passwd> *
```
The next step is to enable IP forwarding. Edit `/etc/sysctl.conf` and set:
```
net.ipv4.ip_forward = 1
```
Then reload the configuration with `/sbin/sysctl -p`.

We also need to add an `iptables` NAT rule so that client traffic is masqueraded behind the instance's address:
```
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
To make sure the NAT rule is loaded when the machine boots, add the command `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` to your `/etc/rc.local`.

OK, it’s nearly finished! You need to start the `pptpd` service, and set it to automatically start when the machine boots:
```
$ /sbin/service pptpd start
$ chkconfig pptpd on
```
**ONE FINAL THING**: be sure to enable port 1723 of your EC2 instance, otherwise the firewall will prevent your VPN from working!

If the VPN server is not working correctly, check `/var/log/messages` for error messages.
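As an added pre-flight check (not code from the original post), the following POSIX shell script verifies the `/etc/pptpd.conf` and `/etc/ppp/chap-secrets` layout the steps above produce, and also flags the `logwtmp` line that the 2014 update below says must be commented out. It works on copies of the files passed as arguments; the sample files written by `write_samples` are constructed here, and the requirement that `chap-secrets` be mode 600 is an addition, since the file stores passwords in clear text.

```shell
# Number of client addresses in a remoteip value like "192.168.9.11-30".
remoteip_count() {
    case "$1" in
        *-*) base=${1%-*}; echo $(( ${1##*-} - ${base##*.} + 1 )) ;;
        *)   echo 1 ;;
    esac
}

# pptpd.conf: localip and remoteip present, localip outside the client range,
# and no active logwtmp line (the plugin that fails with ELFCLASS32 below).
check_pptpd_conf() {
    conf=$1; rc=0
    localip=$(awk '$1=="localip"{print $2}' "$conf")
    remoteip=$(awk '$1=="remoteip"{print $2}' "$conf")
    [ -n "$localip" ]  || { echo "missing localip";  rc=1; }
    [ -n "$remoteip" ] || { echo "missing remoteip"; rc=1; }
    if [ -n "$localip" ] && [ -n "$remoteip" ]; then
        base=${remoteip%-*}; lo=${base##*.}
        case "$remoteip" in *-*) hi=${remoteip##*-} ;; *) hi=$lo ;; esac
        oct=${localip##*.}
        if [ "${localip%.*}" = "${base%.*}" ] && [ "$oct" -ge "$lo" ] && [ "$oct" -le "$hi" ]; then
            echo "localip $localip lies inside remoteip range $remoteip"; rc=1
        fi
    fi
    grep -q '^[[:space:]]*logwtmp' "$conf" && { echo "logwtmp still enabled"; rc=1; }
    return $rc
}

# chap-secrets: each entry is "<user> pptpd <secret> *", and because the
# secrets are stored in clear text the file must be readable by its owner only.
check_chap_secrets() {
    f=$1; rc=0
    awk 'NF && $1 !~ /^#/ && (NF != 4 || $2 != "pptpd" || $4 != "*") {
             print "bad entry on line " NR; bad = 1 } END { exit bad }' "$f" || rc=1
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in 600|400) ;; *) echo "$f is mode $perms, want 600"; rc=1 ;; esac
    return $rc
}

# Constructed sample files (not from the post) written under $1 for a dry run.
write_samples() {
    printf 'localip     192.168.9.1\nremoteip    192.168.9.11-30\n' > "$1/good.conf"
    printf 'localip     192.168.9.15\nremoteip    192.168.9.11-30\nlogwtmp\n' > "$1/bad.conf"
    printf '# user server secret ip\nalice pptpd s3cret *\n' > "$1/good.secrets"; chmod 600 "$1/good.secrets"
    printf 'bob pptpd *\n' > "$1/bad.secrets"; chmod 644 "$1/bad.secrets"
}
```

Run it as `check_pptpd_conf /etc/pptpd.conf && check_chap_secrets /etc/ppp/chap-secrets` on the server before starting the service. Note that PPTP carries its tunnel data over GRE (IP protocol 47), so the instance firewall has to allow GRE in addition to TCP port 1723.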

**UPDATE ON 2014-09-07**

I recently set up an instance again and could not connect to it. The server side error log `/var/log/messages` says the following:
```
/usr/lib/pptpd/pptpd-logwtmp.so: wrong ELF class: ELFCLASS32
Couldn't load plugin /usr/lib/pptpd/pptpd-logwtmp.so
GRE: read(fd=6,buffer=8059660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
```
I found a solution at [http://www.lidaren.com/archives/1229](http://www.lidaren.com/archives/1229) (in Chinese). That is, comment out the following line in `/etc/pptpd.conf`:
```
logwtmp
```
Restart pptpd and it should start working.

Client-side configuration

For Mac, make sure you add a PPTP VPN connection. Besides that, you only need to set the server address, account name, and password in the authentication settings. No pain here.

[screenshots: Mac PPTP VPN connection settings]

(Thanks to Slavomir J for the Mac screen shots)

For Linux, I used NetworkManager to add VPN connections. Make sure you add a PPTP VPN connection. The configuration I use is here:

[screenshot: NetworkManager PPTP VPN settings]

And for Windows:

[screenshot: Windows PPTP VPN settings]
