
Elastic Compute Service: Set up a PPTP VPN on an ECS instance that runs Ubuntu

Last Updated: Feb 05, 2026

This topic describes how to set up a Point-to-Point Tunneling Protocol (PPTP) VPN on an Elastic Compute Service (ECS) instance that runs Ubuntu.

Prerequisites

  • This topic applies to Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04.

  • This topic uses an ECS instance that runs Ubuntu 18.04 as an example. For more information about how to create an ECS instance, see Create an instance using the wizard.

  • An inbound rule is added to the security group of the instance to allow traffic on port 1723 and over the Generic Routing Encapsulation (GRE) protocol from the public IP address of the VPN client. For more information, see Add a security group rule.

Configure the VPN server

Log on to the ECS instance that serves as the PPTP server and configure the PPTP server on Ubuntu. For more information about how to remotely log on to an ECS instance, see Connect to a Linux instance.

Configure the PPTP service

  1. Run the following commands to install pptpd.

    sudo apt-get update
    sudo apt-get -y install pptpd
  2. Configure the /etc/pptpd.conf file. This file assigns an IP address range to clients that connect to the PPTP server, so that each connected device receives a unique IP address.

    1. Run the sudo vim /etc/pptpd.conf command and add the following configuration:

      localip 192.168.0.1
      remoteip 192.168.0.234-238

      Note

      • localip specifies the address of the VPN server that clients connect to. Set this to the private IP address of the server. Adjust the localip value as needed.

      • remoteip specifies the range of IP addresses to allocate to PPTP clients. Make sure that no other devices use these IP addresses to avoid IP address conflicts. Adjust the remoteip value as needed.

    2. After you add the configuration, the file content is shown in the following figure:

      [Figure: /etc/pptpd.conf after the configuration is added]

  3. Configure DNS.

    1. Run the sudo vim /etc/ppp/pptpd-options command and add the following configuration:

      ms-dns 223.5.5.5
      ms-dns 223.6.6.6

      Note

      The IP addresses 223.5.5.5 and 223.6.6.6 are Alibaba Cloud public DNS servers. You can change them to other public DNS servers as needed.

    2. After you add the configuration, the file content is shown in the following figure:

      [Figure: /etc/ppp/pptpd-options after the configuration is added]

  4. Create a user. This user is used for identity verification when connecting to the PPTP server. This ensures that only authorized users can access the system through dial-up or network connections.

    1. Run the sudo vim /etc/ppp/chap-secrets command to add a username and password for pptpd. You can add accounts as needed in the username pptpd password IP_address format. Make sure that each item is separated by a space and that you add only one user account per line.

      Note

      Example: test pptpd 123456 *. The asterisk (*) indicates all IP addresses.

      test pptpd 123456 *
    2. After you add the configuration, the file content is shown in the following figure:

      [Figure: /etc/ppp/chap-secrets after the configuration is added]
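
The following check is an added example, not part of the original topic: it lints a chap-secrets file in the username pptpd password IP_address format described above and reports malformed lines, short passwords, entries that use * (all IP addresses), and group or world read access to the file. The function name, the 12-character minimum, and the sample entries other than the page's own test line are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original topic): lint /etc/ppp/chap-secrets entries.
MIN_LEN=12   # assumed local password-length policy; the page does not set one

# Print one finding per problem; return 1 if anything was flagged.
audit_chap_secrets() {
    local file="$1" n=0 bad=0 user server secret ip extra
    while read -r user server secret ip extra || [ -n "$user" ]; do
        n=$((n + 1))
        case $user in ''|'#'*) continue ;; esac        # skip blank and comment lines
        if [ -z "$ip" ] || [ -n "$extra" ]; then
            echo "line $n: expected: username pptpd password IP_address"; bad=1; continue
        fi
        [ "$server" = pptpd ] || { echo "line $n: server field is '$server', not pptpd"; bad=1; }
        [ "${#secret}" -ge "$MIN_LEN" ] || { echo "line $n: password for '$user' is shorter than $MIN_LEN characters"; bad=1; }
        [ "$ip" != '*' ] || { echo "line $n: '$user' uses * (all IP addresses)"; bad=1; }
    done < "$file"
    # The file stores passwords in plaintext, so flag group/other read access.
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$file: readable by group or others"; bad=1
    fi
    return "$bad"
}

# Constructed sample input: the page's example entry plus two invented ones.
sample=$(mktemp)
chmod 600 "$sample"
cat > "$sample" <<'EOF'
# username server password IP_address
test pptpd 123456 *
alice pptpd correct-horse-battery 192.168.0.235
bob pptpd
EOF
audit_chap_secrets "$sample" || echo "chap-secrets needs attention"
```

On the server, run the function against /etc/ppp/chap-secrets with sudo, because the file should be readable only by root.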

Enable IP forwarding

  1. Run the following command to enable forwarding.

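    # The append must run as root. With "sudo echo ... >>file" the redirection is done by the calling shell, so pipe through sudo tee.
    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf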
  2. Run the following command to load the system parameters.

    sudo sysctl -p "/etc/sysctl.conf"


Configure iptables firewall forwarding rules

In Ubuntu, rules that are directly run using iptables are lost after the ECS instance restarts because these rules are temporary by default. Use the iptables-persistent package to save iptables rules and automatically load them at system startup.

  1. Run the following command to install iptables-persistent.

    sudo apt-get install iptables-persistent -y

    During the installation, you are asked whether to save the current rules. Select yes.

  2. Add iptables rules.

    sudo iptables -A INPUT -p gre -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    # GRE is IP protocol 47 and is already allowed by the -p gre rule above; it is not TCP port 47, so no TCP rule is needed for it.
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/29 -o eth0 -j SNAT --to-source XXX.XXX.XXX.XXX

    Note

    192.168.0.234/29 specifies the private IP address range of the VPN client. Modify it as needed. XXX.XXX.XXX.XXX is the public IP address of your ECS instance.

  3. Save the iptables rules.

    sudo netfilter-persistent save
  4. (Optional) View the iptables rules.

    # View detailed rules.
    sudo iptables -L -v
    # View the rules in the nat table.
    sudo iptables -t nat -L -v
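
If you change remoteip, the -s range in the SNAT rule has to change with it. The following is an added example, not part of the original topic: it computes the addresses that a source CIDR actually matches and checks whether a remoteip range falls inside it. The function names and the second, wider range are constructed for illustration, and only the A.B.C.X-Y and single-address forms of remoteip are handled.

```bash
#!/usr/bin/env bash
# Added example (not from the original topic): check that the SNAT source CIDR
# covers the pptpd remoteip range, so every VPN client address is translated.

ip_to_int() {                       # dotted quad -> 32-bit integer
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {                       # 32-bit integer -> dotted quad
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

cidr_mask() { echo $(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF )); }

# First and last address matched by a CIDR; host bits are masked off,
# as iptables does for "-s 192.168.0.234/29".
cidr_span() {
    local mask net
    mask=$(cidr_mask "$1")
    net=$(( $(ip_to_int "${1%/*}") & mask ))
    echo "$(int_to_ip "$net")-$(int_to_ip $(( net | (~mask & 0xFFFFFFFF) )))"
}

# Return 0 if a remoteip value (A.B.C.X-Y or a single address, the only forms
# handled here) lies entirely inside the CIDR.
snat_covers() {
    local range="$1" cidr="$2" first last mask net
    first=${range%-*}
    last=$first
    case $range in *-*) last="${first%.*}.${range#*-}" ;; esac
    mask=$(cidr_mask "$cidr")
    net=$(( $(ip_to_int "${cidr%/*}") & mask ))
    [ $(( $(ip_to_int "$first") & mask )) -eq "$net" ] &&
        [ $(( $(ip_to_int "$last") & mask )) -eq "$net" ]
}

# Values from this page, then a constructed wider range that /29 does not cover.
echo "SNAT source matches: $(cidr_span 192.168.0.234/29)"
snat_covers 192.168.0.234-238 192.168.0.234/29 && echo "234-238: covered"
snat_covers 192.168.0.234-245 192.168.0.234/29 || echo "234-245: NOT covered, widen -s"
```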

Restart the PPTP service

Run the following commands to restart pptpd and enable it to start at boot.

    sudo /etc/init.d/pptpd restart
    sudo systemctl enable pptpd.service

Configure the VPN client

  1. Run the following commands to install the PPTP client software.

    sudo apt-get update
    sudo apt-get -y install pptp-linux
    
  2. Run the following command to initialize a VPN connection channel named test.

    sudo pptpsetup --create test --server [$IP] --username [$User] --password [$Password] --encrypt --start

    Note

    • [$IP] is the public IP address of the ECS instance that serves as the PPTP server.

    • [$User] is the username of the user created on the PPTP server. For more information about how to obtain the username, see Create a user.

    • [$Password] is the password of the user created on the PPTP server. For more information about how to obtain the password, see Create a user.

    If the connection is successful, the following output is returned:

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    CHAP authentication succeeded
    MPPE 128-bit stateless compression enabled
    local  IP address 192.168.0.234
    remote IP address 192.168.0.1