NOTE: This article uses Amazon Linux AMI (32 bit)

I used to host this website on an Amazon EC2 instance, but in fact that instance was mainly used as a VPN server.

Here is how it was set up.

First of all, install pptpd (run this and the later commands as root). One caveat before you start: PPTP is a weak protocol by modern standards. Its MS-CHAPv2 authentication can be broken offline from a captured handshake, and the MPPE session keys are derived from the same material, so treat this as a convenience tunnel rather than a strong security boundary. Install the package with the following commands:

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
$ yum localinstall pptpd-1.3.4-2.el6.i686.rpm

(for 64 bit instances, get the package at http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm)

Then update the pptpd configuration in /etc/pptpd.conf by adding the following lines:

localip     192.168.9.1
remoteip    192.168.9.11-30

localip is the address the EC2 instance uses on the VPN side, while remoteip is the pool from which connected clients are assigned their addresses. Since several clients may be connected at once, remoteip is given as a range here: 192.168.9.11 through 192.168.9.30, i.e. 20 addresses, so at most 20 simultaneous clients.

Optionally, you may want to tell your clients to use specific DNS servers. This is done by editing /etc/ppp/options.pptpd and adding the following lines:

ms-dns    8.8.8.8
ms-dns    8.8.4.4

We are using Google’s public DNS servers here.

Now set up the VPN usernames and passwords in /etc/ppp/chap-secrets. Each line in the file has the format:

<username> pptpd <passwd> *

The second field is the server name and must match the name option in /etc/ppp/options.pptpd (the packaged file sets it to pptpd); the trailing * lets the client take any address from the remoteip pool. The passwords are stored in plaintext, so keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets).

The next step is to enable IP forwarding. Edit /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1

Reload the configuration with /sbin/sysctl -p.

We also need a NAT rule in iptables, so that client traffic leaves through the instance's own address:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To make the NAT rule survive a reboot, add the same iptables command to /etc/rc.local (or save the running rules with service iptables save). It is also worth restricting the rule to the VPN pool by adding -s 192.168.9.0/24, so that the instance masquerades only traffic that arrived through the tunnel.

OK, it's nearly finished! Start the pptpd service and set it to start automatically at boot:

$ /sbin/service pptpd start
$ chkconfig pptpd on

ONE FINAL THING: be sure to open TCP port 1723 in the security group of your EC2 instance, otherwise the firewall will prevent your VPN from working! PPTP also carries the tunnel data over GRE (IP protocol 47), so if the instance is in a VPC, the security group must permit protocol 47 as well; with only 1723 open, the control connection succeeds but the tunnel never comes up.

If the VPN server is not working correctly, check /var/log/messages for error messages from pptpd and pppd.

UPDATE ON 2014-09-07

I recently set up an instance again and could not connect to it. The server-side error log /var/log/messages says the following:

/usr/lib/pptpd/pptpd-logwtmp.so: wrong ELF class: ELFCLASS32
Couldn't load plugin /usr/lib/pptpd/pptpd-logwtmp.so
GRE: read(fd=6,buffer=8059660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

The first two lines explain the third: pppd cannot load the 32-bit logwtmp plugin into a 64-bit pppd, pppd exits, and pptpd then reports the GRE read failure. I found a solution at http://www.lidaren.com/archives/1229 (in Chinese): comment out the following line in /etc/pptpd.conf:

logwtmp

Restart pptpd (service pptpd restart) and it should start working. Note that the logwtmp plugin only records VPN logins in wtmp (what last shows), so disabling it loses that record; pppd's own connect and disconnect messages in /var/log/messages are unaffected.
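As an added example (not the original post's script), here is a shell script that applies the server-side steps above idempotently, so it can be re-run without duplicating lines, and that also covers the logwtmp workaround and the log diagnosis from the 2014 update. It assumes an Amazon Linux / RHEL6-style layout, eth0 as the outbound interface and the 192.168.9.0/24 pool from the article; the ROOT and PPTP_APPLY variables, the function names and the diagnose_log labels are this example's own conventions, and the patterns diagnose_log looks for are taken from the log lines quoted above.

```shell
#!/bin/sh
# Added example, not the original post's script. Renders the pptpd/pppd/NAT
# configuration described in the article and can be re-run safely.
# Assumptions: Amazon Linux (RHEL6-style) paths, eth0 as the outbound
# interface, the 192.168.9.0/24 VPN pool from the article. Set ROOT=/some/dir
# to write into a scratch tree instead of the live /etc (ROOT is this
# example's own convention).
set -eu

ROOT="${ROOT:-}"
LOCAL_IP="192.168.9.1"
REMOTE_POOL="192.168.9.11-30"
VPN_SUBNET="192.168.9.0/24"
WAN_IF="eth0"

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Comment out every active line that starts with KEY (the logwtmp workaround
# from the 2014 update); lines that are already commented are left alone.
comment_out() {
    file="$1"; key="$2"
    [ -f "$file" ] || return 0
    sed -i "s/^\($key\)/#\1/" "$file"
}

# Number of client addresses in a single pptpd remoteip range written in the
# abbreviated last-octet form the article uses, e.g. 192.168.9.11-30 -> 20.
pool_size() {
    first="${1%%-*}"; last="${1##*-}"
    echo $(( last - ${first##*.} + 1 ))
}

# pptpd.conf, options.pptpd and sysctl.conf, as in the steps above.
render_config() {
    ensure_line "$ROOT/etc/pptpd.conf" "localip     $LOCAL_IP"
    ensure_line "$ROOT/etc/pptpd.conf" "remoteip    $REMOTE_POOL"
    comment_out "$ROOT/etc/pptpd.conf" "logwtmp"
    ensure_line "$ROOT/etc/ppp/options.pptpd" "ms-dns    8.8.8.8"
    ensure_line "$ROOT/etc/ppp/options.pptpd" "ms-dns    8.8.4.4"
    ensure_line "$ROOT/etc/sysctl.conf" "net.ipv4.ip_forward = 1"
}

# Add a VPN account. chap-secrets holds plaintext passwords, so keep it
# readable by root only.
add_user() {
    ensure_line "$ROOT/etc/ppp/chap-secrets" "$1 pptpd $2 *"
    chmod 0600 "$ROOT/etc/ppp/chap-secrets"
}

# Masquerade only traffic from the VPN pool, and add the rule only if it is
# not already there (iptables -C checks), so rc.local can call this safely.
nat_rules() {
    iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE
}

# Classify a pptpd/pppd log (e.g. /var/log/messages) against the failure shown
# in the 2014 update. Prints plugin-arch-mismatch when pppd rejected a plugin
# of the wrong ELF class, gre-read-failed when only the PTY read error is
# present (pppd died for some other reason), or ok.
diagnose_log() {
    if grep -q "wrong ELF class" "$1" && grep -q "Couldn't load plugin" "$1"; then
        echo plugin-arch-mismatch
    elif grep -q "from PTY failed" "$1"; then
        echo gre-read-failed
    else
        echo ok
    fi
}

# Touch the live system only when explicitly requested:
#   PPTP_APPLY=1 sh setup-pptpd.sh      (as root)
# The EC2 security group must still allow TCP 1723 and, in a VPC, GRE
# (IP protocol 47); that part is not scriptable from inside the instance.
apply() {
    render_config
    /sbin/sysctl -p
    nat_rules
    /sbin/service pptpd restart
    chkconfig pptpd on
}

if [ "${PPTP_APPLY:-0}" = "1" ]; then
    apply
fi
```

Run it once with ROOT=/tmp/pptp-check to inspect what it would write, then with PPTP_APPLY=1 as root to apply; add_user can be called afterwards for each account.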

Client side configuration

For Mac, add a VPN connection of type PPTP in the Network preferences. Beyond that you only need to set the server address, account name, and password under the authentication settings. No pain here. (Note that macOS 10.12 Sierra and later no longer ship a PPTP client.)

(screenshot 1: Mac PPTP VPN settings)

(screenshot 2: Mac PPTP VPN settings)

(Thanks to Slavomir J for the Mac screen shots)

For Linux, I used NetworkManager to add the VPN connection. Make sure the PPTP plugin for NetworkManager is installed (NetworkManager-pptp on Fedora/RHEL, network-manager-pptp on Debian/Ubuntu), otherwise PPTP is not offered as a connection type. The configuration I use is here:

(screenshot: NetworkManager PPTP connection settings)

And for Windows:

(screenshot: Windows PPTP VPN connection settings)