Amazon has recently announced new Micro Instances for its Elastic Compute Cloud (EC2) service. A so-called Micro Instance is a virtual machine with roughly 620 MB of main memory and CPU power comparable to a 1 GHz Opteron processor. The advantage of the Micro Instance is its low cost of only $0.02 per hour of operation (be advised, there are additional charges for traffic and storage).
An EC2 Micro Instance is an ideal way to operate your own VPN server if you only need it for a few hours per month. Let's assume that you want to use it for about 50 hours per month with around 10 GB of traffic: that is $1.00 for computation time + $1.50 for 15 GB of storage + $1.50 for 10 GB of outgoing traffic. So for $4 this is quite a good offer. Granted, you can find commercial VPN providers for $5 per month, but it is more fun to do it yourself. In this article I will describe how to set up an EC2 instance as a VPN server.
I chose to set up a PPTP server. PPTP is not the most secure type of VPN, but it has the big advantage that it is the most compatible: nearly every OS is able to open a PPTP connection without additional software, and this includes mobile devices like iPhones/iPads. Keep in mind that PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak and a recorded handshake can be attacked offline, so use long random passwords and do not rely on this tunnel to protect sensitive traffic.
First, you need to choose a base image to boot in the Micro Instance. I selected a 32-bit Ubuntu 10.04 server image; the AMI ID of this image is ami-6c06f305. Start this image in a Micro Instance and log in with your SSH key. For more details on these steps, refer to the AWS documentation.
Once you are logged in, you can install the pptp-daemon:
sudo aptitude install pptpd
Configuring the pptp daemon is a breeze. First you need to define an IP address range that will be assigned to connected clients. In principle this can be any range, but to avoid routing problems choose a private range, and preferably one that your clients' home or office networks are unlikely to use themselves (192.168.0.0/24 and 192.168.1.0/24 are common on consumer routers and will collide). Uncomment and modify the two lines at the end of /etc/pptpd.conf:
localip 192.168.240.1
remoteip 192.168.240.2-9
With the above settings, the pptpd server will get the address 192.168.240.1 and there are 8 possible client addresses 192.168.240.2 to 192.168.240.9.
It is also a good idea to specify the address of at least one DNS server, otherwise clients may not be able to resolve names through the tunnel. You can use Amazon's DNS server (172.16.0.23) or Google Public DNS; I chose the latter. Open the file /etc/ppp/pptpd-options and make sure it contains the following settings:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
The last step for configuring the pptp daemon is to add a user account for the service. Note that "sudo echo ... >> file" does not work here: the redirection is performed by your unprivileged shell, not by sudo, and fails with "Permission denied". Pipe the line through sudo tee instead:
echo "USERNAME pptpd PASSWORD *" | sudo tee -a /etc/ppp/chap-secrets
Replace USERNAME and PASSWORD with whatever credentials you like. The second field must match the name pptpd authenticates as (the "name pptpd" directive in /etc/ppp/pptpd-options), and the trailing * allows the user to connect from any client address. You can add as many users as you like, one line per user. The passwords are stored in clear text, so the file must stay readable by root only (mode 600).
Now restart the pptp-daemon:
sudo /etc/init.d/pptpd restart
It is already possible to open a PPTP connection to the server, although no traffic will be forwarded to the Internet yet. We still need to enable packet forwarding and network address translation on the server.
To enable packet forwarding, uncomment the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Now reload this config:
sudo sysctl -p
The last step is to enable network address translation, so that client traffic leaves the instance with the instance's own address as source:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This rule is lost on every reboot, so make sure that you add the following line above exit 0 in the file /etc/rc.local:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
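The whole server-side procedure above (pptpd.conf, the DNS options, the chap-secrets entry, forwarding, NAT and the rc.local persistence) collected into one idempotent script, as an added example that is not part of the original post. It assumes an Ubuntu host with pptpd from apt, eth0 as the Internet-facing interface, an /etc/rc.local that ends in "exit 0", and the 192.168.240.0/24 pool used above; the helper names and the path /etc/pptpd-firewall.sh are my own choice. It goes beyond the text in two places: the MASQUERADE rule is limited to the VPN pool with -s instead of matching everything that leaves eth0, and a TCP MSS clamp is added so that sites which drop ICMP "fragmentation needed" (a common cause of HTTPS pages hanging through a PPP tunnel) still load.

```shell
#!/bin/sh
# Added example: the pptpd VPN server setup from the tutorial as one script
# (not the post's own code). Assumptions: Ubuntu with pptpd from apt, eth0
# faces the Internet, /etc/rc.local exists and ends in "exit 0".
set -eu

VPN_IF="eth0"
VPN_LOCAL="192.168.240.1"
VPN_POOL="192.168.240.2-9"
VPN_NET="192.168.240.0/24"           # must contain VPN_LOCAL and VPN_POOL
DNS1="8.8.8.8"
DNS2="8.8.4.4"
FW_SCRIPT="/etc/pptpd-firewall.sh"   # hypothetical path chosen for this example

# The two pptpd.conf lines: server address and client address pool.
render_pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$1" "$2"
}

# DNS servers pushed to clients (goes into /etc/ppp/pptpd-options).
render_dns_options() {
    printf 'ms-dns %s\nms-dns %s\n' "$1" "$2"
}

# One /etc/ppp/chap-secrets entry: client, server name, secret, allowed IPs.
# "pptpd" must match the "name" directive in pptpd-options. The secret is
# quoted so characters such as spaces survive; it is stored in clear text.
chap_secrets_line() {
    printf '%s pptpd "%s" *\n' "$1" "$2"
}

# 18 random bytes as 24 base64 characters. MS-CHAPv2 is weak, so the
# password should at least not be guessable.
new_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# NAT only traffic coming from the VPN pool, and clamp the TCP MSS to the
# path MTU so hosts that never receive ICMP "fragmentation needed" still
# complete TLS handshakes through the smaller PPP tunnel MTU.
render_iptables_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
    printf 'iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n'
}

# Apply everything. The script runs as root as a whole, so plain ">>" works
# here (unlike "sudo echo ... >> file", where the shell redirects unprivileged).
apply_all() {
    user="$1"; pass="$2"
    apt-get install -y pptpd
    # Remove earlier localip/remoteip and ms-dns lines so re-runs do not duplicate them.
    sed -i '/^\(localip\|remoteip\) /d' /etc/pptpd.conf
    render_pptpd_conf "$VPN_LOCAL" "$VPN_POOL" >> /etc/pptpd.conf
    sed -i '/^ms-dns /d' /etc/ppp/pptpd-options
    render_dns_options "$DNS1" "$DNS2" >> /etc/ppp/pptpd-options
    chap_secrets_line "$user" "$pass" >> /etc/ppp/chap-secrets
    chmod 600 /etc/ppp/chap-secrets          # clear-text passwords: root only
    # Enable forwarding persistently (uncomment or append) and immediately.
    sed -i 's/^#\{0,1\}net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    sysctl -p
    # Keep the firewall rules in their own file and hook it into rc.local once.
    render_iptables_rules "$VPN_NET" "$VPN_IF" > "$FW_SCRIPT"
    chmod 755 "$FW_SCRIPT"
    grep -q "$FW_SCRIPT" /etc/rc.local || sed -i "\#^exit 0#i sh $FW_SCRIPT" /etc/rc.local
    sh "$FW_SCRIPT"
    service pptpd restart
    echo "VPN user $user created with password: $pass"
}

# "apply USER [PASSWORD]" as root configures the host; without arguments the
# script only defines the functions above (handy for sourcing or testing).
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_all "${2:?username required}" "${3:-$(new_password)}"
fi
```

Run it as root with "apply USERNAME" (a random password is generated and printed once) or "apply USERNAME PASSWORD". Because the rendering helpers are separated from the part that touches the system, you can inspect the exact lines that will land in each file before applying anything.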
Now the VPN server is fully functional. The only small problem is that the server gets a new public IP address every time you stop and start it (a plain reboot keeps the address). I recommend using a dynamic DNS provider to give this machine a stable host name. I am using DynDNS.
ddclient is a great little tool that updates your current IP address at a number of different dynamic DNS services. Installation is done as usual:
sudo aptitude install ddclient
Once installed, the configuration lives in /etc/ddclient.conf. It will already contain some useful settings, because the package's installer asks you about the DNS service you are using. In the end the configuration should look something like this:
protocol=dyndns2
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
server=members.dyndns.org
login=LOGINNAME
password='PASSWORD'
DOMAINNAME.dyndns.org
Replace LOGINNAME, PASSWORD and DOMAINNAME.dyndns.org with your own settings. The most important line is the one starting with use=: it tells ddclient to determine the address to register by asking the DynDNS web service at checkip.dyndns.com, rather than by reading it from the network interface. This is necessary because the virtual machine itself only sees its private IP address; the public address is mapped to it by Amazon.
That’s it! Now you have your own VPN-server up and running. Just start the instance in the AWS Management Console whenever you need it.
Update:
Here is a screenshot of the security groups setup I am using. Whatever else you allow, a PPTP server needs two things reachable from the Internet: TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunnelled data itself; opening port 1723 alone is not enough.

Update 2:
Please take a look at my follow up posting on how to connect to the VPN from an iOS or Android device.
I have just posted the follow up article. Hope it helps.
Thanks for the tutorial. I’ve managed to get it working on a free tier instance. I’m just wondering about your security groups. Have you opened all ports for TCP and UDP? TCP 1723 should suffice shouldn’t it?
With more restrictive firewall settings it didn’t work at all for me.
Thanks for a great walk-through. I managed to get it working – mostly.
When I connect via mobile broadband (ie using a public IP) it works smoothly, but not while I’m connected through my Wifi at home.
I wonder, might it have something to do with the fact that my router has already handed me a 192.168.1.X-address, and that OS X is getting confused when the VPN is serving me another one of those? Can I change to something else, or how would I go about it?
Thanks in advance!
/ J
…okay, maybe I should have just tried first.
This did the trick:
localip 172.20.0.1
remoteip 172.20.0.100-150
Thanks again for a great guide!
Thank you for this excellent tutorial! Everything working smoothly with Ubuntu-11.04 (ami-b7509dde)
What's the root password of the EC2 Amazon Ubuntu image? I am kind of a newbie at this.
There is no root user in the stock Ubuntu images. Just login as the “ubuntu” user and then sudo the commands you want to run as root.
Thanks a lot for this great tutorial. I installed it and it worked even through my Wi-Fi router. However, I’m kind of disappointed with regard to the performance – somehow the VPN slows the connection tremendously down… any ideas?
Hm, I experienced no noticeable impact on the performance. Maybe this is a temporary problem?
This tutorial needs a Donate button; it's amazing how easy you made it for me.
It's like a…b…c…WORKS
one of the best.
KUDOS!
Thanks for your kind words. I'm glad to be able to give something back to the internet community. I find so many great tutorials on the net, so this is my way to say thank you.
Pingback: Complete guide to setting up a VPN (pptp) on Amazon EC2 | 布拉丁日志
There seems to be an issue with HTTPS sites. For example, when I go to Skype and click on Sign Up, the page never loads properly.
It seems like some kind of HTTPS traffic is being blocked. I read somewhere about MTU and all, but can't make any sense out of it. If you have any suggestions then do let me know. Regards
nice post!
I can't share this link: https://www.dikant.de/2010/10/08/setting-up-a-vpn-server-on-amazon-ec2
Am I doing it wrong?
Actually, you need to use http, not https in the link.
Hi and thanks for the post.
I have a question re adding user/pass. I keep getting
"-bash: /etc/ppp/chap-secrets: Permission denied"
when running the command
sudo echo "paulxxxxx pptpd xxxxxxx *" >> /etc/ppp/chap-secrets
any ideas? I’ve used a fresh instance of the same AMI as mentioned in the top of the post.
Thanks in advance
Seems to be a permission problem. Try enabling write access via
sudo chmod a+rw /etc/ppp/chap-secrets
Keep in mind that the file will have read/write access for everyone after this change.
That did the trick, much appreciated!
Thanks for this great tutorial.
After I am connected to the VPN
no internet
see this pic
http://i41.tinypic.com/mhzimw.jpg