Thursday, 7 February 2013

Setting up a VPN server (PPTP) on Amazon Linux AMI

I finally decided to give Amazon EC2 a go a few days ago, thinking to myself that it would be a nice way of keeping my Linux skills afresh, long term followers of this blog (hello mum), would have noticed the recent dearth of Linux posts in this blog.

Amazon Linux AMI is based on RHEL, so the instructions below work for RHEL 6 ( I didn't realize that RHEL images were not included in the free tier, D'Oh), so without further ado this what you need to do:

I'm assuming that you have already launched an AMI instance.
  1. Get the PPTP deamon from sourceforge and Install it
  2. wget
    sudo yum -y install pptpd-1.3.4-2.el6.x86_64.rpm
  3. Set Server IP address and Client IP Address ranges by editing /etc/pptpd.conf
  4. localip
  5. Add allowed users by editing /etc/ppp/chap-secrets
  6. myuser pptpd myuserpassword *
  7. Add DNS servers (I've used Google DNS servers) by editing /etc/ppp/options.pptpd
  8. ms-dns
  9. Set up port forwarding (to allow connections to escape the server)
  10. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sudo service iptables save
  11. Allow system to forward packets. Edit /etc/sysctl.conf
  12. net.ipv4.ip_forward=1 
  13. Start VPN service
  14. sudo service pptpd start
  15. Set VPN service to start with the system.
  16. sudo chkconfig pptpd on
The firewall configuration was completely empty, relying on the Amazon EC2 firewall instead. If you don't really trust Amazon, it's probably worthwhile setting up appropriate rules to drop all traffic apart from port 22 (SSH) and 1723 (PPTD). I've simply decided to use the amazon firewall or security groups as amazon calls it.

Do note that protocol ID 47 also needs to be open, probably something like this is needed (not tested)
iptables -A INPUT -p 47 -j ACCEPT
The main problem with using amazon is that the IP address changes with every reboot, which means that you either look it up every time or you use some sort of DDNS.

There are free DDNS services but I've not used them and obviously looking it up is a bit of pain, I'm going to investigate whether this information can be obtained programmatically from the console and the VPN connection edited programmatically, so watch this space.

Alternatively, an elastic IP address could be used, which is free while the instance is powered on.

No comments:

Post a Comment