Connect to PSO2 with JP Amazon EC2, Free(12mo) & Private SSH Tunnel and IP!

[FotoPhinish]

I decided to just buy proxy cap

[mysticalre]

Has anyone tried to set up the Windows host with Putty? Followed OP's instructions to get the linux one working, but couldn't get a Windows instance to work.

The AWS account lets you run 2 instances (1 Linux/1 Windows for free), which looks pretty useful, except I keep getting an error/"Network error: Connection timed out" when connecting with Putty to RDP port 3389.

I tried a few other guides online, but not sure what else I can try at this point. Any chance of having OP updated for a Windows guide?

The Windows instance settings were:
- Instance firewall, SSH port 22 TCP open, RDP TCP 3389 open
- added the private key .ppk file to putty
- set a tunnel "Local/IPV4" with dest = InstanceIP:3389 and source port = 3390
- putty session to connect to InstanceIP:22

[Ana-Chan]

Has anyone tried to set up the Windows host with Putty? Followed OP's instructions to get the linux one working, but couldn't get a Windows instance to work.

The AWS account lets you run 2 instances (1 Linux/1 Windows for free), which looks pretty useful, except I keep getting an error/"Network error: Connection timed out" when connecting with Putty to RDP port 3389.

I tried a few other guides online, but not sure what else I can try at this point. Any chance of having OP updated for a Windows guide?

The Windows instance settings were:
- Instance firewall, SSH port 22 TCP open, RDP TCP 3389 open
- added the private key .ppk file to putty
- set a tunnel "Local/IPV4" with dest = InstanceIP:3389 and source port = 3390
- putty session to connect to InstanceIP:22

You don't use putty to connect to a Windows instance. You use the built in Remote Desktop client. This should hopefully be easy to find in the Start Menu/Start Screen. It should look something similar to this when you first load it. As for getting the password, you must press the connect button at the top. It will then give you a chance to use the pem file in a connect to your instance window that you used to get the administrator password, and you then use that to log in via remote desktop.

[Ana-Chan]

Because there isn't a good guide to setting up a VPN server on AWS, I think that it is a good idea to make this guide available.
Because it is the easiest, I'm only writing the steps to set up a PPTP VPN. Be warned, while for PSO2 this isn't likely to be an issue, PPTP is not really secure. To make this more secure you would need a security certificate with the related private key.

Warning, Image heavy under the spoiler tags.

Anyway, there are three major steps. The first is setting up the Amazon Web Services instance.

Spoiler!

First, make an account at the Amazon Web Services site. When you have your account, sign in and go to your management console.
Once there, you must make an instance in the Tokyo region.



Make sure Tokyo is selected as the region, if it isn't just click on the region. A drop down list should appear, make sure that you select Tokyo in there. You must then click on EC2.



Click the Launch Instance button to start making an instance.



Find the Windows Server 2012 Base image and then click on the Select button.



Make sure that the t2.micro type is selected and then click Next.



You want to make sure that the VPC and Subnet are properly. This allows you to change the instance internal IP address. While you are at it, make a note of the IP address shown in Network. This is the prefix of the IP addresses you have available in the AWS network, so any addresses we use will start with the first two numbers. The screenshot shown above has 172.31.0.0/16, so any IP addresses I use for the VPN will start with 172.31.



With everything properly filled in, the Network Interfaces section should be available. Expand it if necessary and in the Primary IP box, fill in a nice easy to remember address that starts with the two numbers given above. I use 172.31.1.1 for mine. As you can see, this starts with 172.31 from the range above. I recommend .1.1 if you don't know much about IP addresses.
When that is filled in, at the top is a link to the Security Group settings, click this. I skip the other pages because there are no settings that really do much. You can look through them if you want though.
The next thing you need to add is the rules to allow the VPN traffic through, this is on the Security Group page.



Make sure that the Create a new security group option is selected, then click the Add Rule button. Make sure that Custom TCP rule is selected in the Type column. In port range, enter the number 1723. In source select Anywhere.
Click the Add Rule button again to add another rule. This time select Custom Protocol in the Type column, and in protocol enter the number 47. Again, in source select anywhere.



It is possible to make this more secure by changing the source to your IP address. This will then block any attempts to access it from people who are not accessing the VPN from your home IP address. If you do this and your ISP only provides a dynamic IP address, then you will have to update the security group settings every time you reconnect your home internet connection.
When you are done, click the Review and Launch button.



On the review page, you can double check that you have all the settings correct, and then click the Launch button.



The Window to select a key pair will appear next. Select Create a new key pair, and name it anything you want. You must then click the Download Key Pair button to download the file. This will download your private key, keep it safe since it is important. Click the Launch Instance button next to start the instance.



Hopefully everything went ok and you are presented with the above page. If it failed, go back through the instance settings, fix the problem and try again. Click the View Instances button to take you to the instances page where you can get the connection information to connect to the instance.



You are presented with the Instances page. Ignore the fact that I have multiple instances, I was doing this guide by creating a new, throw away instance. (So if anyone gets the funny idea to try and hack this instance, you will fail because I terminated it after I finished writing the guide. This is also why I am not concerned about showing the public IP address.)
Your instance should be running by now. However, to get the password, you need to wait a few minutes before it will give it to you. So take this time to go and get a drink or something. You should take note of the Public IP address since you need this to connect to the instance. Make sure that your running instance is selected and then click Connect.



Click the Get Password button. If you were too impatient then you will get a message saying that you have to wait a few minutes to get your password here. Seriously, go and get a drink or something.



This is where you use the private key file you downloaded earlier. Click the browse button and select the .pem file that you downloaded earlier. Once it is selected, a lot of weird looking stuff will appear in the box below, ignore that. Click the Decrypt Password button.



This will take you back to Connect To Your Instance. Take a note of your password and keep this safe, also be sure to take a note of the user name. If you want, you can download the remote desktop file. If you double click on this, you can have remote desktop run with the public IP address already configured.
Click the close button to close this. You can then close the web browser.
As a note, to shut down the instance, you can either shut down through remote desktop or select the instance, and in Actions choose Stop. If the instance is stopped, to start the instance again don't select Launch Instance. This will create a new instance. To start the instance again, select the instance, click on Actions and then select Start.

The second major step is configuring Windows Server. Because this requires a lot to be done, I have split this into a couple of smaller steps.

Spoiler!

First connect to the instance. If you downloaded the remote desktop file, double click on it. Otherwise run Remote Desktop Connection. This should be under Start->Accessories or Start->Windows Accessories depending on your version of Windows.



Fill in the public IP address of the instance that you made note of. Then click Connect.



It will ask you for your credentials, enter the username and password that you got from the AWS Connect To Your Instance page, then click OK.



If a warning about the certificate not being trusted appears. Just click Yes to connect anyway.

Once you are connected, you should now be on the Windows Server desktop. To get back to your own computer, you can minimise or close from the blue bar at the top. Remember, closing remote desktop will not log you out or shut down the instance, so you can close it when you don't need it any more. Once it is set up, you don't even have to log in through remote desktop. You can just start the instance and then connect to the VPN. To shut down the instance, right click on the start button in the bottom left. In the menu that appears, hover over Shut down or sign out, and then select shut down. The shutdown event tracker window will appear, you can just continue the shutdown regardless. This is only to allow a company to keep track of what is going on with the servers.

Configuring Windows Server as a VPN server.

Spoiler!

Click the server manager icon on the task bar and wait for Server Manager to load.



Wait for it to finish loading, once it has click Add roles and features.
Keep clicking next on the next screens unless I say otherwise.









On this page of the wizard, select Remote Access and then click next.







You want to add both DirectAccess and VPN (RAS) and Routing here. Both are required for the VPN to allow incoming connections and allow internet access through the VPN.



If this window appears select Add Features. Windows is adding all of the dependencies automatically. Then click next.









That is it, it is now installing. You can click Close to close the wizard. Things will still be installed in the background.



If you do close it, the status will be available in the Notification section. Just click on it to pull up the status.



It will be similar to this if it is still installing.



It will look like this when it has finished. Once it has finished, you can just close Server Manager.

Next we configure the user account. This sets up a user account to connect to the server via the VPN and enable remote sign in.

Spoiler!

First we need to go to administrative tools. To get there, go through control panel.



If you are not familiar with Windows 8, hover the mouse in the top or bottom right corner, the little bar will appear to the right. Click on settings.



Click control panel.



Select System and Security.



Select Administrative Tools.



Double click on Computer Management.



Select Local Users and Groups, and then double click on Users.



You should now see the above. In the middle part of the screen, right click and select New User.



In this window, enter the User name and password you want. It doesn't have to be the unimaginative VPN. Deselect User must change password at next logon and select User cannot change password and Password never expires.
Windows server by default likes complex passwords. It likes a mix of three out of four of capital letters, lowercase letters, numbers and special symbols. Click the Create button, then click Close.
Right click on the user you just created and select Properties.



This window appears. Select the Dial-in tab.



Select allow access and then click OK. This enables the user to connect to the instance via VPN. If you don't do this, or use a more complex method, then you can't connect using the users by default. So now make a note, the user that you just entered will be your credentials when connecting to the VPN.
You can close Computer Management, but don't close Administrative Tools yet.

Now that the users that you want to use to connect are created. you can now configure Routing and Remote Access. This is the VPN server.

Spoiler!

In Administrative Tools, find and double click on Routing and Remote Access.



The above window should appear. Right click on the server name and then select Configure Server.





You need to select Custom configuration here. While there are seemingly more obvious choices, these options require a specific setup first, and the instance of Windows Server doesn't have this setup. Click Next.



Select both VPN access and NAT. Both of these are required for the VPN to work. VPN access allows you to connect to the instance, NAT allows the internet traffic. Click Next.





This window should appear, click Start service.



Once the configuration has completed, right click on the computer name and select Properties.



Go to the IPv4 tab.



Click Static address pool. Otherwise you would require a more complex layout. These are the IP addresses assigned to VPN clients when they connect to the server.



This window appears. Notice that the Start IP address and End IP address starts with the first two numbers from our address range earlier. So enter a range of addresses that you want client computers to use when they connect. If you don't know what this means, the .1.100 to .1.120 work well. Click OK.



That is all that needs to be done, so select OK to close the window.
This step is optional, but by default, RRAS comes with a lot of ports for clients to use. You don't need all of them.



Right click on ports and select Properties.



This window will appear. Select WAN Miniport (PPTP) click Configure.



In the Maximum ports option, set it to 20. Then choose OK.



If this message appears, choose Yes.
For WAN Miniport (L2TP) (IKEv2) and (SSTP) set them to 0. You can't change (PPPOE). It should look like the following screenshot.



Once that is done, click OK.



Select NAT. You now need to enable NAT to allow internet traffic to flow from the VPN to the internet on the server. In the right part of the screen, right click and select New Interface.



You need to do this twice to add both of the interfaces shown above. So first select Internal and click OK.



In the window that appears just click OK.
Add a second new interface and this time select Ethernet and click OK.



Select Public interface connected to the internet and click Enable NAT on this interface. Click OK.
Leave the RRAS window open for now, since we need to get the IP address that the internal interface uses later. This doesn't get assigned until there is at least one connection.
But to find out the address the internal interface uses.



Select General and look at the IP address next to the internal interface.

Finally we need to configure your system to connect to the VPN. I have Windows 8.1, but the general settings should be the same for Windows 7 too.

Spoiler!

On your local machine go to Control Panel.



Select Network and Internet.



Select Network and Sharing Centre.



Select Set up a new connection or network.



Select Connect to a workplace and click Next.



Select Use my Internet connection (VPN).



Enter the AWS public IP address into the Interned address field, then click Create.
That is the basic VPN connection created, but now there are a couple of settings to tweak.



Select Change adapter settings.



Right click on the VPN Connection adapter and click Properties.



In the window that appears, click on the Options tab.



Click PPP Settings.



Check Enable software compression and Negotiate multi-link for single-link connections. Click OK.



On the security tab, change the Type of VPN to Point to Point Tunnelling Protocol (PPTP). Under Authentication, make sure that Use Extensible Authentication Protocol (EAP) is selected and Microsoft: Secured password (EAP-MSCHAP v2) is selected.



On the Networking tab select Internet Protocol Version 4 (TCP/IPv4), then click Properties.



Click Advanced.



Deselect Use default gateway on remote network. Once that is unchecked, select Disable class based route addition. Click OK to close this window. Click OK to close the IPv4 Properties window. Click OK to close the VPN Connection Properties window.



In the Network Connections window, right click on the VPN Connection adapter and select Connect/Disconnect. Connect and enter the credentials that you created when setting up the VPN connection when prompted. Hopefully if everything went correctly then this will connect.
There is only one thing left to do now. Part of the VPN connection properties tweaking was to disable the route to the VPN. This was done because by default all internet traffic will be passed through the VPN. By disabling this, we are able to set up what is known as a split tunnel. Now that you have a connection to the VPN, go back to Remote Desktop (I hope you only minimised it earlier, not closed it.) Look at the Routing and Remote Access window that I also hope you left open.



In General look at the internal interface and take note of the IP address. You need this to finish setting up the split tunnel.

Open up an elevated command prompt. In the command prompt run the following command.

Code:

netsh interface ipv4 add route 210.189.0.0/16 "VPN Connection" 172.31.1.100 Metric=5

Where "VPN Connection" is the name of the VPN Connection adapter that you have in Network Connections, and the IP address 172.31.1.100 should be replaced with the IP address you just got from Routing and Remote Access on the server. The address range 210.189.0.0 contains all of the possible addresses that PSO2 uses, including the website.
Once you run this command, that is it, you should now be able to connect to PSO2.

There are two things to note about this. The AWS instance has a dynamic public IP address. So if you shut it down, when you start it again, you will need to update the VPN properties to target the new IP address. It is possible to get around this by using a Dynamic DNS service. If you use a free Dynamic DNS service like no-ip, and then use a program to update the IP address automatically when it starts up then things become almost seamless. You will be able to use a DNS address in the VPN connection settings instead of the IP address, and you will never have to manually update anything when you restart the AWS instance. An example of this is my VPN connection. Here you can see that in the VPN properties I have a URL instead of an IP address. This works as I said, by using a Dynamic DNS service. This allows me to just start the VPN instance, and once it has started, all I have to do is connect to the VPN, no editing involved.
The second thing is the final step, running the command to get the split tunnel to work is a one time thing. It the setting that it modifies is persistent, so it doesn't matter if you disconnect the VPN, or even restart your computer, that setting will stay set.

With the extra things in place, all I normally have to do to run PSO2 is:

1) If the AWS instance isn't running, go to the AWS site and start the instance.
2) Once the instance has started, connect the VPN.
3) Run PSO2.

If you don't set up the dynamic DNS service, this becomes:

1) If the AWS instance isn't running, go to the AWS site and start the instance. Make note of the public IP address.
2) Edit the VPN properties to update the new address.
3) Connect the VPN.
4) Run PSO2.

So the lack of the dynamic DNS is just an extra wrinkle.

One final note, this server and multiple users. The settings that I used allow for up to 20 people to use the VPN simultaneously. There are 21 IP addresses assigned to the VPN server, 1 for the server interface and 20 for the clients. There are also 20 PPTP ports available for incoming connections. This allows you to share the server if you want. It is possible to add more but I would suggest starting off a new server. Also, the users connecting will only ever have the credentials of a limited user account, so even if they manage to work things out, the default rules for Windows Server prohibit them from logging in to the VPN. I regularly use this VPN layout to connect a couple of people.
If you want to somehow customise the credentials per user, so they have their own user name and password, just add a new account per person, just remember to allow them to dial in. This is the second of the smaller tasks for setting up the server.

Hope this helps.

[mysticalre]

wow, thanks Ana! Going to try this out on Win 7

[Gama]

is there any way i can share my connection with someone thats not in my home?

[Shinamori]

This should work on Win7, right?

[Ana-Chan]

@Gama:
I bet that isn't the real question here, could you try describing the situation properly? If you want to provide PSO2 access to someone you know, then instead of sharing your connection, you could allow them to access the server instead.

@Shinamori:
Not just 7, Windows has had VPN support for a long time.

[Gama]

so the aws server can be used by more then 1 person?

im afraid i could break something.

[Misaki Ki]

so the aws server can be used by more then 1 person?

im afraid i could break something.

I know for sure you can have at least two people SSH Tunnel into the server, but that's giving them complete access to the server.

I do suggest trying some of the other things you can do with the server, such as PSO2 Proxy or PPTP.