Configuring a PPTP VPN on iOS iPhone iPad and Android

Previously, we learned how to set up a private PPTP VPN server on AWS EC2 (Ubuntu or Redhat). This is a follow-up to that post and describes how to set up the VPN connection on an iOS or Android device.

Please note that some carriers might block PPTP traffic. I experienced problems with using the VPN connection via 3G, while connecting through Wifi works for me. On 3G I can connect to the server, but no data is being transferred. On the server I see a lot of messages of the type “Protocol-Reject”. So if your device seems to be connected to the VPN but you get no traffic, it might be blocked by your carrier. You then need to find a Wifi Hotspot to use the VPN.

iOS Devices

Setting up the VPN is pretty straightforward:

  1. Go to Settings and open the “General” settings
  2. Select “Network”
  3. Select “VPN”
  4. Choose “Add VPN Configuration”
  5. On this screen make sure you select “PPTP”. Now you can name your VPN connection and enter the server address, your login and your password. Ensure that “Send All Traffic” is “ON”. Now save your settings.
  6. Now you can turn on the VPN connection. An active connection is indicated by a blue “VPN” icon in the status bar.

Android Devices

On Android, the steps are quite similar:

  1. Go to “Settings” and open “Wireless & networks”
  2. Select “VPN settings”
  3. Select “Add VPN”
  4. Choose “Add PPTP VPN”
  5. Enter the “VPN name” and the server address in “Set VPN server”. Encryption should be enabled and DNS search domains not set. Now pull up the menu and save your changes.
  6. Click on connect and enter your login and password.
  7. An active VPN connection is indicated by a key icon in the status bar.

Now you should have your very own private VPN running on both your iOS and Android devices.

Create Your Own Private PPTP VPN Server on AWS EC2 (Ubuntu or Redhat)

For Ubuntu Server:

$ sudo apt-get install pptpd ufw

For 32-bit Redhat instances:

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
$ yum localinstall pptpd-1.3.4-2.el6.i686.rpm

For 64-bit Redhat instances:

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
$ yum localinstall pptpd-1.4.0-1.el6.x86_64.rpm

If you are using ufw, allow ports 22 and 1723 and then enable UFW.
Warning: if you are connected over SSH on a port other than 22, adjust the first command accordingly so you don’t get locked out.

$ sudo ufw allow 22
$ sudo ufw allow 1723
$ sudo ufw enable

Edit “/etc/ppp/pptpd-options”
Comment out (by placing a “#” at the beginning of the line) the following lines in “/etc/ppp/pptpd-options”:

#refuse-pap
#refuse-chap
#refuse-mschap

If you don’t want to require encryption, comment out “require-mppe-128” (it may be useful to disable it only while testing and re-enable it afterwards).

Add the following:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

*You can use any DNS servers you like; the two above are Google’s public DNS servers.

Edit “/etc/pptpd.conf”
At the end of the file “/etc/pptpd.conf”, add:

localip 172.16.0.5
remoteip 172.16.0.11-19


The localip field determines the IP address of your EC2 instance on the VPN, while the remoteip field determines the IP addresses assigned to connected clients. Because potentially many clients may connect to this VPN, remoteip is a range of 10 IP addresses.

In the same file “/etc/pptpd.conf”, comment out logwtmp by adding “#” at the beginning of the line:

#logwtmp

Edit “/etc/ppp/chap-secrets”
The format of “/etc/ppp/chap-secrets” is: [Username] [Service] [Password] [Allowed IP Address]
Add something like this to the end (replacing sampleusername and samplepassword with whatever you want):

sampleusername pptpd samplepassword *

Restart pptpd
Finally, restart the pptpd server with:

$ sudo /etc/init.d/pptpd restart

Edit “/etc/sysctl.conf”
Un-comment the following line in “/etc/sysctl.conf”:

net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):

$ sudo sysctl -p

We also need to enable the iptables NAT configuration:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To ensure the NAT rule is loaded when the machine boots, it is a good idea to add the following command to your “/etc/rc.local”:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

OK, it’s nearly finished! You need to start the pptpd service and set it to start automatically when the machine boots:

$ /sbin/service pptpd start
$ chkconfig pptpd on

ONE FINAL THING:
Be sure to open port 1723 on your EC2 instance, otherwise the firewall will prevent your VPN from working!
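As an added check (my own script, not from the original post or from the pptpd project), the following sh script audits the three files edited above for the settings that decide how exposed the server is: whether require-mppe-128 is still enforced, which refuse-* lines were commented out (the post disables all three, which lets weaker authentication through), whether chap-secrets is world-readable, and whether ip_forward is active. The function names, file paths and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not part of the original post or of pptpd itself): reports
# the settings that decide the security posture of a server configured as above.
# Paths are arguments, so it runs on the constructed samples below or on /etc.

# active_line FILE PATTERN: true if PATTERN starts a non-commented line
active_line() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# audit_pptpd_options FILE: one "WEAK:" line per risky ppp option
audit_pptpd_options() {
    active_line "$1" 'require-mppe-128' ||
        echo "WEAK: require-mppe-128 is off; tunnels may run unencrypted"
    for m in pap chap mschap; do
        active_line "$1" "refuse-$m" ||
            echo "WEAK: refuse-$m is commented out; $m authentication accepted"
    done
    return 0
}

# audit_chap_secrets FILE: checks entry shape, service name and file mode
audit_chap_secrets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r user svc pass ip extra; do
        [ -n "$ip" ] && [ -z "$extra" ] ||
            echo "WEAK: malformed entry for '$user' (need user service secret ip)"
        [ "$svc" = pptpd ] || echo "WEAK: entry for '$user' is not for service pptpd"
    done
    # secrets are stored in clear text, so the file must not be world-readable
    case "$(ls -ld "$1" | cut -c8)" in r) echo "WEAK: $1 is world-readable" ;; esac
    return 0
}

# audit_forwarding FILE: ip_forward must be on or clients get no traffic
audit_forwarding() {
    active_line "$1" 'net.ipv4.ip_forward[[:space:]]*=[[:space:]]*1' ||
        echo "MISSING: net.ipv4.ip_forward=1 is not active in $1"
    return 0
}

# Constructed samples reproducing the edits made in this post.
SAMPLE_DIR="${TMPDIR:-/tmp}/pptpd-audit.$$"; mkdir -p "$SAMPLE_DIR"
PAGE_OPTIONS="$SAMPLE_DIR/pptpd-options"; PAGE_SECRETS="$SAMPLE_DIR/chap-secrets"
PAGE_SYSCTL="$SAMPLE_DIR/sysctl.conf"
printf '%s\n' 'name pptpd' '#refuse-pap' '#refuse-chap' '#refuse-mschap' \
    'require-mppe-128' 'ms-dns 8.8.8.8' 'ms-dns 8.8.4.4' > "$PAGE_OPTIONS"
printf '%s\n' '# client server secret IP' \
    'sampleusername pptpd samplepassword *' > "$PAGE_SECRETS"
chmod 644 "$PAGE_SECRETS"
printf '%s\n' '#net.ipv4.ip_forward=1' > "$PAGE_SYSCTL"   # still commented out
audit_pptpd_options "$PAGE_OPTIONS"; audit_chap_secrets "$PAGE_SECRETS"; audit_forwarding "$PAGE_SYSCTL"
```

Run it against /etc/ppp/pptpd-options, /etc/ppp/chap-secrets and /etc/sysctl.conf after following the steps above; every WEAK or MISSING line is a setting worth revisiting before exposing the server.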