Tuesday, 11 September 2012

Running a VPN on Ubuntu (Amazon EC2)

A few months ago I documented how to install a Virtual Private Network (VPN) on a Linux AMI (Amazon EC2). Here is the same procedure, but now for an Ubuntu LTS server (my specific version was Ubuntu 12.04.1 LTS).

I admit that there are a gazillion HOWTO documents and wikis available that explain this, but many are extremely out-dated, just plain weird or even completely wrong. Apparently most of the writers also want to impress Slashdot users with an ID below 200.000, and therefore stuff the pptpd-options configuration with an abundance of esoteric options only known to the in-crowd. Little do these wannabes know that The Elder Slashers are perfectly aware that those esoteric options were only valid for a manually patched Slackware v1.00 to work around a bug in an illegal copy of Windows 3.11. After that, you hear them scream “RTFM”.

But where is that manual anyway? And do you really want to read it? Who has time for that anyway? You might miss a tweet about a trending topic that could have warned you that something completely irrelevant had happened, but that mindless paid shills want you to read so they can prove the reason for their existence.

Aha, time for a quote from the Hitchhikers Guide to the Galaxy. This wonderful guide describes the Marketing Department of the Sirius Cybernetics Corporation as "a bunch of mindless jerks who'll be the first against the wall when the revolution comes." Curiously, an edition of the Encyclopedia Galactica which conveniently fell through a rift in the time-space continuum from 1000 years in the future describes the Marketing Department of the Sirius Cybernetics Corporation as “a bunch of mindless jerks who were the first against the wall when the revolution came."

OK, no manual today, but hopefully a short and efficient procedure to get your VPN running in no time.

After you have created your Ubuntu instance, sign on to the server as the ‘ubuntu’ user using SSH.

Execute the following commands to make certain that your system is up-to-date:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get clean

Install the needed software:

sudo apt-get install pptpd

Use your favourite editor (in the example I use ‘nano’) to modify the following config files:

sudo nano /etc/pptpd.conf

Modify the configuration file to read:

localip 192.168.66.1
remoteip 192.168.66.60-69

The above sets the address of the server on the VPN side (localip) and the range of addresses handed out to the systems that connect (remoteip; in the example there are 10 possible addresses).

Do not forget to save the file (with ‘nano’ this is done by the Ctrl-O key combination). Now the next configuration file. Most of the options are the defaults, but check anyway.

sudo nano /etc/ppp/pptpd-options

Verify that the following options are set:

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp

The above will set the DNS servers to the Google servers. If you feel that this is a privacy issue, simply delete the lines. On the other hand, they might help you to circumvent certain filtering measures of your ISP or government.

A few more files to go:

sudo nano /etc/sysctl.conf

Uncomment the line so that it reads (note the exact spelling, the kernel silently ignores a misspelled key):

net.ipv4.ip_forward=1



Add at least one user, by editing the /etc/ppp/chap-secrets file:

sudo nano /etc/ppp/chap-secrets

Make a line to read like this:

Zaphod pptpd Beeblebrox *

The above will allow a user “Zaphod” to sign on from any IP address to your VPN, as long as he or she uses the password “Beeblebrox”. Do not use this example in real life.

And now the last file to edit by hand (/etc/rc.local):

sudo nano /etc/rc.local

Add the following lines before the one that reads “exit 0”.

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Save the file, and execute the following commands:

sudo sysctl -p
sudo shutdown -r now

That’s it! Do not forget to configure your EC2 firewall (security group) to allow incoming VPN connections on TCP port 1723 and for GRE (IP protocol 47, which is a protocol rule, not a port).
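As an added example (not part of the original post), a small POSIX shell script that checks the three hand-edited files for the slips this procedure is prone to: an option still commented out, forwarding not enabled, and a chap-secrets entry with a missing column. The file contents below are constructed samples; point the three functions at /etc/ppp/pptpd-options, /etc/sysctl.conf and /etc/ppp/chap-secrets to check a real server.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the three
# configuration files edited above. Paths and sample contents are constructed.

# Return 0 when FILE carries every option given as an active (uncommented)
# line; print each missing option and return 1 otherwise.
check_options() {
    file=$1; shift
    missing=0
    for opt in "$@"; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$file" || {
            echo "missing in $file: $opt"; missing=1; }
    done
    return $missing
}

# Return 0 when IPv4 forwarding is enabled (the sysctl.conf step).
check_forwarding() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# Return 0 when every chap-secrets entry has the four fields used above
# (client server secret ip) and names the pptpd service.
check_secrets() {
    awk '/^[ \t]*(#|$)/ { next }
         NF != 4 || $2 != "pptpd" { bad = 1 }
         END { exit bad }' "$1"
}

TMP=$(mktemp -d)
cat > "$TMP/pptpd-options" <<'EOF'
# constructed sample: refuse-mschap is still commented out
refuse-pap
refuse-chap
#refuse-mschap
require-mschap-v2
require-mppe-128
EOF
# constructed sample: the forwarding line has not been uncommented yet
printf '#net.ipv4.ip_forward=1\n' > "$TMP/sysctl.conf"
# constructed sample: the second entry lacks the trailing ip column
printf 'Zaphod pptpd Beeblebrox *\nTrillian pptpd secret\n' > "$TMP/chap-secrets"

check_options "$TMP/pptpd-options" refuse-pap refuse-chap refuse-mschap \
    require-mschap-v2 require-mppe-128 && echo "pptpd-options: OK"
check_forwarding "$TMP/sysctl.conf" || echo "sysctl.conf: ip_forward not enabled"
check_secrets "$TMP/chap-secrets" || echo "chap-secrets: malformed entry"
```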


Please refer to my earlier post for a quick way to configure your Windows 7 laptop.


Have fun!
