# PPPoSSH extras

Last modified: 2023/03/18 13:44 by vgaetera

This article relies on the following:

- Accessing web interface / command-line interface
- Managing configs / packages / services / logs

## Introduction

This how-to describes the most common PPPoSSH tuning scenarios adapted for OpenWrt.

- Follow PPPoSSH client for client setup and PPPoSSH server for server setup.
- Follow PPPoSSH protocol for client configuration and Dropbear for server configuration.
- Follow DDNS client to use your own server with a dynamic IP address.
- Follow Random generator to overcome low entropy issues.

## Extras

### References

- PPPoSSH documentation

### Web interface

If you want to manage VPN settings using the web interface, install the necessary packages.

```
# Install packages
opkg update
opkg install luci-proto-pppossh
/etc/init.d/rpcd restart
```

Navigate to LuCI → Network → Interfaces to configure PPPoSSH.

### Dynamic connection

Preserve the default route so that WAN connectivity is restored when the VPN is disconnected.

```
# Preserve default route
uci set network.wan.metric="1024"
uci commit network
/etc/init.d/network restart
```

### Site-to-site

Implement plain routing between the server side LAN and the client side LAN assuming that:

- 192.168.1.0/24 - server side LAN
- 192.168.2.0/24 - client side LAN

Add a route to the client side LAN on the VPN server.

```
# Install a PPP ip-up hook that adds the route when the client peer connects
cat << "EOF" > /etc/ppp/ip-up
#!/bin/sh
case ${IPREMOTE} in
(192.168.5.2) ip route add 192.168.2.0/24 via ${IPREMOTE} dev ${IFNAME} ;;
esac
EOF
chmod +x /etc/ppp/ip-up
```

Consider the VPN network as private: assign the VPN interface to the LAN zone on the VPN client and add a route to the server side LAN.

```
# Move the VPN interface from the WAN zone to the LAN zone
uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart

# Static route to the server side LAN via the VPN server
uci -q delete network.vpn_rt
uci set network.vpn_rt="route"
uci set network.vpn_rt.interface="vpn"
uci set network.vpn_rt.target="192.168.1.0/24"
uci set network.vpn_rt.gateway="192.168.5.1"
uci commit network
/etc/init.d/network restart
```

### Disable gateway redirection

If you do not need to redirect all traffic to the VPN, disable gateway redirection on the VPN client.

```
# Configure VPN service
uci set network.vpn.defaultroute="0"
uci commit network
/etc/init.d/network restart
```

### Split gateway

If the VPN gateway is separate from your LAN gateway, implement plain routing between the LAN network and the VPN network assuming that:

- 192.168.1.0/24 - LAN network
- 192.168.1.2/24 - VPN gateway
- 192.168.5.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

```
# DNAT incoming SSH from WAN to the VPN gateway on the LAN
uci -q delete firewall.pppossh
uci set firewall.pppossh="redirect"
uci set firewall.pppossh.name="Redirect-PPPoSSH"
uci set firewall.pppossh.src="wan"
uci set firewall.pppossh.src_dport="22"
uci set firewall.pppossh.dest="lan"
uci set firewall.pppossh.dest_ip="192.168.1.2"
uci set firewall.pppossh.family="ipv4"
uci set firewall.pppossh.proto="tcp"
uci set firewall.pppossh.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
```

Add a route to the VPN network via the VPN gateway on the LAN gateway.

```
# Static route to the VPN network via the VPN gateway
uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.5.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart
```

### DNS over VPN

- Provide DNS for VPN clients in the point-to-point topology on the OpenWrt server.
- Utilize DNS over VPN to prevent DNS leaks on the VPN client.
- Disable peer DNS and configure a VPN-routed DNS provider on the OpenWrt client.

Modify the VPN connection using NetworkManager on a Linux desktop client.

```
# Route all DNS queries through the VPN connection
nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50
```

### Kill switch

Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone.

```
# Dedicated VPN zone with masquerading and MSS clamping
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"

# Drop the default LAN -> WAN forwarding and allow LAN -> VPN only
uci -q delete firewall.@forwarding[0]
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart
```

### Automated

Automated VPN server installation.

```
# Fetch the code blocks of the PPPoSSH server article and run them as one script
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/pppossh"
cat << EOF > pppossh-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
$(uclient-fetch -O - "${URL}/server?codeblock=3")
EOF
sh pppossh-server.sh
```
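As an added example (not from the OpenWrt wiki or the PPPoSSH project), a POSIX sh audit of the kill switch configuration described above: save `uci show firewall > /tmp/fw.uci` on the client and run `audit_killswitch /tmp/fw.uci`, which fails on the first invariant that does not hold. The function names and the two sample dumps written by `write_samples` are assumptions made for this example.

```shell
# Added example, not from the OpenWrt wiki: audit a saved "uci show firewall" dump for the
# kill-switch invariants above (vpn out of the wan zone, vpn zone forward=REJECT, no lan->wan
# forwarding, lan->vpn forwarding present). Assumes the key='value' lines that uci show prints.
# Print one key's value with quotes stripped; list options become space-separated.
uci_val() {   # $1 = dump file, $2 = key
    awk -v k="$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1); gsub(/'\''/, "", v); print v; exit }' "$1"
}
# Print "src dest" for every forwarding section in the dump.
forwardings() {   # $1 = dump file
    awk -F= '$2 == "forwarding" { print $1 }' "$1" | while read -r sec; do
        printf '%s %s\n' "$(uci_val "$1" "$sec.src")" "$(uci_val "$1" "$sec.dest")"
    done
}
# Return 0 when every invariant holds, 1 (with the first failing reason) otherwise.
audit_killswitch() {   # $1 = dump file
    case " $(uci_val "$1" firewall.wan.network) " in
        *" vpn "*) echo "FAIL: vpn interface is still in the wan zone"; return 1 ;;
    esac
    if [ "$(uci_val "$1" firewall.vpn.forward)" != REJECT ]; then
        echo "FAIL: vpn zone does not reject forwarding"; return 1
    fi
    lan_vpn=0
    while read -r src dest; do
        if [ "$src" = lan ] && [ "$dest" = wan ]; then
            echo "FAIL: lan -> wan forwarding still present (traffic leaks when the VPN is down)"; return 1
        fi
        if [ "$src" = lan ] && [ "$dest" = vpn ]; then lan_vpn=1; fi
    done <<EOF
$(forwardings "$1")
EOF
    [ "$lan_vpn" = 1 ] || { echo "FAIL: no lan -> vpn forwarding"; return 1; }
    echo "OK: kill switch invariants hold"
}
# Constructed dumps (not real router output): one per the recipe above, one at OpenWrt defaults.
write_samples() {   # $1 = output directory
    cat > "$1/good.uci" <<'EOF'
firewall.wan.network='wan' 'wan6'
firewall.vpn.forward='REJECT'
firewall.lan_vpn=forwarding
firewall.lan_vpn.src='lan'
firewall.lan_vpn.dest='vpn'
EOF
    cat > "$1/default.uci" <<'EOF'
firewall.wan.network='wan' 'wan6' 'vpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
}
```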