Just edit the file /etc/proftpd/proftpd.conf and add these 2 lines:

UseReverseDNS off
IdentLookups off

Lesson learned: I should read manuals more often.

The EC2 Micro Instance is an ideal way to operate your own VPN-server, when you need it only a couple of hours per month. Let’s assume, that you want to use it for about 50 hours per month with around 10 GB of traffic, this means $1.00 for computation time + $1.50 for 15 GB of storage + $1.50 for 10 GB outgoing traffic. So for $4 this is quite a good offer. Granted, you can find commercial VPN providers for $5 per month, but it is more fun to do it yourself. In this article I will describe, how to setup an EC2 instance as a VPN-server.

I choose to setup a PPTP server. PPTP is not the most secure type of VPN, but it has the big advantage, that it is the most compatible. Nearly every OS is able to open a PPTP connection without additional software and this includes mobile devices like iPhones/iPads.

First, you need to choose a base image to boot in the Micro Instance. I have selected an 32-bit Ubuntu 10.04 server image. The AMI-ID of this image is ami-6c06f305. Start this image in a Micro Instance and log in with your SSH-key. For more details on these steps, refer to the AWS documentation.

Once you are logged in, you can install the pptp-daemon:

sudo aptitude install pptpd

Configuring the pptp-daemon is a breeze. First you to define an IP address range which will be used for connected clients. This can be any IP range, but keep in mind, if you want to avoid routing problems, choose a private IP range. Uncomment and modify 2 lines at the end of /etc/pptpd.conf:

localip 192.168.240.1
remoteip 192.168.240.2-9

With the above settings, the pptpd server will get the address 192.168.240.1 and there are 8 possible client addresses 192.168.240.2 to 192.168.240.9.

It is also a good idea to specify the address of at least one DNS server. You can use the DNS server of amazon (172.16.0.23) or the Google Public DNS. I choose the latter. Open the file /etc/ppp/pptpd-options and make sure it contains the following settings:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

The last step for configuring the pptpd-daemon is to add a user account for the service:

sudo echo "USERNAME pptpd PASSWORD *" >> /etc/ppp/chap-secrets

Replace USERNAME and PASSWORD with whatever credentials you like. It is possible to add as many users as you like.

Now restart the pptp-daemon:

sudo /etc/init.d/pptpd restart

It is already possible to open a PPTP-connection to the server, although no traffic will be forwarded to the Internet. We still need to enable packet forwarding and network address translation on the server.

To enable packet forwarding, uncomment the following line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Now reload this config:

sudo sysctl -p

The last step is to enable network address translation:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This setting is reset on every reboot, so make sure that you add the following line above exit 0 in the file /etc/rc.local:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now the VPN server is fully functional. The only small problem is, that the server will get a new IP address every time you reboot it. I would recommend using a dynamic dns-provider to assign this machine a unique domain name. I am using DynDNS.

The ddclient is a great little tool to update the current IP address on a number of different dynamic DNS services. Installation is done as usual:

sudo aptitude install ddclient

Once installed, the configuration is done in the file /etc/ddclient.conf. It will already contain some usefull settings, because the installer will require you to enter some information about the DNS service you are using. In the end the configuration should look something like this:

protocol=dyndns2
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
server=members.dyndns.org
login=LOGINNAME
password='PASSWORD'
DOMAINNAME.dyndns.org

Replace LOGINNAME, PASSWORD and DOMAINNAME.dyndns.org with your own settings. The most important line is the one starting with use=. This defines that the registered IP-address is detected by DynDNS itself. This is neccessary, because the virtual machine is running with a private IP address.

That’s it! Now you have your own VPN-server up and running. Just start the instance in the AWS Management Console whenever you need it.

Update:

Here is a screenshot of the security groups setup I am using:

Update 2:

Please take a look at my follow up posting on how to connect to the VPN from an iOS or Android device.

First you could try to install the default Debian package to check whether you need to recompile PureFTPD. This can be done via:

apt-get install pure-ftpd-common pure-ftpd

The following steps are needed to recompile the package with the necessary options to make it run on a virtual server. You only need to do these steps if you find the following message in your syslog when trying to connect to the ftp server:

 pure-ftpd: (?@?) [ERROR] Unable to switch capabilities : Operation not permitted

In that case, make sure that you have enabled the Debian source repositories in your /etc/apt/sources.list and fetch the source files via:

apt-get source pure-ftpd

The source files have now been downloaded to your current directory. There should now some new files and a directory pure-ftpd-1.0.21. Enter this directory and edit the file debian/rules you should change the line starting with optflags and add --without-capabilities to that line, so that it looks like:

optflags=--with-everything --with-largefile --with-pam --with-privsep --with-tls --without-capabilities

Now grab the dependencies needed to build the source and compile the Debian installation package:

apt-get build-dep pure-ftpd
dpkg-buildpackage -uc -b

The resulting Debian package should now have been built without errors and you can install it via:

dpkg -i ../pure-ftpd_1.0.1-8_i386.deb

The filename of the package might vary depending on the current patch level in the Debian repository.

When installing the package you will be asked whether to use a chrooted setup which you should do and if you prefer a standalone installation or inetd-based operation. For low volume sites I would prefer the inetd installation.

Now let’s get on to the configuration of PureFTPD. I prefer a setup using virtual users which are mapped to a central user account on the server. So I usually create a new account without a shell or home directory which belongs to the Apache user group to have access to hosted webs:

useradd -g www-data -d /dev/null -s /bin/false ftpuser

You can also use the existing user www-data instead. In that case you need to enable that user account (on Debian/Ubuntu it has the user id 33) in the PureFTP config:

echo 33 > /etc/pure-ftpd/conf/MinUID

The configuration of PureFTP is done via distinct files in the directory /etc/pure-ftpd/conf. Each file contains a single configuration setting and we can setup a decent configuration with the following commands:

cd /etc/pure-ftpd/conf
echo yes > ChrootEveryone
echo no > PAMAuthentication
echo no > UnixAuthentication
echo 1 > TLS
cd ../auth
ln -s ../conf/PureDB 50pure

With the above settings we disable all authentication methods except the internal PureFTPD user database. We also lock down each user into a chroot-environment and enable secure authentication via TLS. PureFTPD excepts a certificate in the file /etc/ssl/private/pure-ftpd.pem. You could copy your apache certificate to that file, or generate a new one via:

openssl req -new -x509 -days 4312 -nodes -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

The user administration and setup is now done with the PureFTPD tool pure-pw. You can add a new user via:

pure-pw useradd myusername -u ftpuser -d /path/to/homedir

The above command will ask you for a password and register the user which is mapped to the system user ftpuser within PureFTPD. Every time you modify the user database you need to rebuild the PureFTPD user configuration via:

pure-pw mkdb

Now you should be able to connect to your server with secure authorization with the newly created user.

The first step in setting up an OpenVZ server is to install a minimal setup of Ubuntu server 8.04. When installing Ubuntu you should select LVM in the partitioning options as this will enable backups of your OpenVZ containers without downtime while they are running. The only service that we will install is OpenSSH to access the installation remotely.

Once the base system is setup and you can login remotely via SSH you could update the whole system to make sure you have the latest versions of all installed applications:

sudo apt-get update
sudo apt-get dist-upgrade

The OpenVZ-Kernel does not work well with the AppArmor package, which is installed by default, so disable it:

sudo update-rc.d -f apparmor remove

Now it is time to install the OpenVZ-kernel:

sudo apt-get install linux-openvz

The above package is a meta package which will install the kernel, the kernel modules and any required header-files and libraries. Now take a look at the file /boot/grub/menu.lst and make sure that the new OpenVZ kernel is the default kernel when booting. Now reboot and check that the correct kernel is loaded:

uname -r

If you can see something like 2.6.24-18-openvz when running the above command, the correct kernel has been booted. If not, check your boot config.

The next step is to install the OpenVZ tools:

sudo apt-get install vzctl vzquota

Now you can run the OpenVZ daemon:

sudo /etc/init.d/vz start

Basically that’s it. OpenVZ is now running and you can setup your VZ containers. The OpenVZ project page has a lot of different container templates you can use as a starting point. Take a look at the list on http://wiki.openvz.org/Download/template/precreated and download all templates you want to use to /var/lib/vz/template/cache. You can choose from a wide selection of Linux distributions.

You can now start creating your virtual machine containers and run them:

sudo vzctl create 101 --ostemplate ubuntu-8.04-i386-minimal
sudo vzctl start 101

Of course you need to configure your containers, but this is a different topic which I will describe in a followup to this article.