Wednesday, November 14, 2012

Your own VPN/proxy (pptpd config on Amazon AMI)

Update 2015: since pptp is not longer supported on Mac and is generally insecure, please follow this excellent guide for a similar l2tp setup

Simple steps to quickly configure your own vpn.

Intro - VPN means a virtual private network, a secure channel between two machines. As you can, thanks to the cloud, have the second machine running in any part of the world, and you also can forward all your internet traffic through that second machine, this could be useful in numerous cases - if you don't want your provider to know everything about you, or if your crazy government thinks it can decide for you what you can or can not see, or if you are tired with DMCA restrictions, list goes on.

Requirements - Amazon AWS (or any other cloud provider) account. Amazon now runs a promo, giving you free usage for one year on the basic tier, which would be enough for the task.

Go ahead and create a new t1.micro EC2 instance in amazon control panel. I use Amazon AMI images: it's a small headless linux similar to CentOS with no preinstalled software, just what we need here. Settings for your new instance: 64bit version, EBS backed, 2GB of root partition would be absolutely enough, generate a new keypair and save it in a safe place, create a new security group for your VPN. Everything else you can leave at default values.

First of all, let's open some ports in your cloud firewall - go to Security Groups and edit the group you assigned to your instance (or default if you don't remember assigning any groups). You should open TCP port 1723 and UDP port 500, as well as ssh port 22 :) You can either open these ports to the world (0.0.0.0/0), or specify your ip address there.

Login into your new box:

ssh -i your_key_file ec2-user@your_instance_address

Install ppp/pptpd:

sudo yum install ppp -y
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
sudo rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm

Edit /etc/pptpd.conf, uncomment the lines with localip and remoteip. You can also add google's (8.8.8.8, 8.8.4.4) or amazon's () DNS servers, to avoid using your provider's DNS, edit /etc/ppp/options.pptpd and uncomment/edit ms-dns lines.

Create the VPN user - edit /etc/ppp/chap-secrets and add a line (you would want your own user and a secure password):

<USER> pptpd <PASSWORD> *

That's it for the VPN, time to setup our traffic forwarding so that we would be able to access the rest of the Internet from this server. Enable ipv4 forwarding, edit /etc/sysctl.conf and switch net.ipv4.ip_forward setting to 1.

Create iptable forwarding rule, persist it, enable pptpd and restart our server

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo service iptables save
sudo service iptables restart
sudo chkconfig pptpd on
sudo init 6

That's it. To test your new VPN, open your Mac network preferences, Create new service (click on + in the list of services):

After that, enter your Server Address, your Account name, select Encryption: Maximum (128bit), Authentication Settings - enter your password. In the Advanced dialog, don't forget to check Send all traffic over VPN connection. Click Connect, if all went well you should see this:

Enjoy. Some more things which are not necessary but can be helpful - as we created an EBS-backed instance, we can safely stop it and start when needed, as Amazon charges you per hour of a running instance. Ip address is dynamic and might change on restart, so it would make sense to assign an Elastic IP to your instance, or use DynDNS. Unless, of course, you need for some reason to complicate tracing you back, then dynamically assigned address will help a little.