User Tools

Site Tools


PPTP basic

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. pptpd is server daemon which enables pptp clients to establish tunnel over IP network. As it is today PPTP with MS-CHAP-v2 encryption is not secure and should not be used1) 2). Please consider to use other VPN server. For alternative solutions, please visit overview. See → client to set up a client.



  • Study the documentation available in sourceforge.
  • Plan your networks. Remote clients can be in “lan”, but it is feasible to configure dedicated network for clients and set up routing accordingly.
  • Modify your firewall rules as described below.
  • If upgrading from previous OpenWrt version make backup from pptpd configuration files. 14.07 init script overwrites chap-secrets file.

Required Packages

  • pptpd
  • kmod-mppe
  • ppp

See OpenWrt log for other required packages.


 opkg install pptpd kmod-mppe

There are bugs in BARRIER BREAKER (14.07, r42625) init script. Modify /etc/init.d/pptpd to clean up temporary pptp.conf and chap-secrets. Original init script does not enable multiple simultaneous clients with fixed remote IP's. Following script and modified configuration file enables it:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006


setup_login() {
	local section="$1"
	config_get username "$section" username
	config_get password "$section" password
	config_get remoteip "$section" remoteip
	[ -n "$username" ] || return 0
	[ -n "$password" ] || return 0
	[ -n "$remoteip" ] || return 0

	echo "$username pptp-server $password $remoteip" >> $CHAP_SECRETS

setup_config() {
	local section="$1"

	config_get enabled "$section" enabled
	[ "$enabled" -eq 0 ] && return 1

	mkdir -p /var/etc
	cp /etc/pptpd.conf $CONFIG

	config_get localip "$section" localip
	[ -n "$localip" ] && echo "localip  $localip" >> $CONFIG
	return 0

start_pptpd() {
	[ -f $DEFAULT ] && . $DEFAULT
	mkdir -p $RUN_D
	for m in arc4 sha1_generic slhc crc-ccitt ppp_generic ppp_async ppp_mppe; do
		insmod $m >/dev/null 2>&1
	ln -sfn $CHAP_SECRETS /etc/ppp/chap-secrets
	service_start $BIN $OPTIONS -c $CONFIG

start() {
	config_load pptpd
	setup_config pptpd || return
	config_foreach setup_login login

stop() {
	service_stop $BIN
	rm -rf $CHAP_SECRETS $CONFIG /etc/ppp/chap-secrets


Server configuration

There is no need to modify server configuration files /etc/pptpd.conf /etc/ppp/options.pptpd, however some parameters needs to be adjusted depending from clients and network configuration ( such as mtu, mru, ms-dns, proxyarp). See documentation and tips below.

Clients configuration is located in /etc/config/pptpd. Modify it to enable pptpd and configure clients and network. Following is example for two clients. You can add multiple config 'login'.

config service 'pptpd'
	option 'enabled' '1'
	option 'localip' ‘xxx.yyy.www.zzz’

config 'login' 
	option 'username' ‘foo’
	option 'password' ‘bar’
	option 'remoteip' 'xxx.yyy.zzz.1’

config 'login' 
	option 'username' ‘foo’
	option 'password' ‘bar’
	option 'remoteip' 'xxx.yyy.zzz.2’

Network configuration

If you are using different subnet for VPN clients you need to add route to /etc/network:

config route
	option interface 'lan'
	option target 'xxx.yyy.zzz.0'
	option netmask ''
	option gateway 'xxx.yyy.www.zzz'

Firewall configuration

Accept traffic from wan

In order to accept pptp traffic in wan to router you need to open following protocols and ports. Add following to /etc/config/network:

config rule
	option target 'ACCEPT'
	option name 'pptp'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1723'

config rule
	option target 'ACCEPT'
	option name 'gre'
	option src 'wan'
	option proto '47'
Accept VPN traffic

In order to enable traffic inside VPN to enter, leave and pass trough router you need to add following. Be aware, that if you are using ppp (PPPoE or similar) in wan following configuration is insecure and shall be modified. You can add it to /etc/firewall.user:

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

As a safer way you can automate these rules by creating /etc/ppp/ip-up


if [[ ${ifname} != *"wan"* ]]
	iptables -A forwarding_rule -i "$ifname" -j ACCEPT

and /etc/ppp/ip-down


if [[ ${ifname} != *"wan"* ]]
	iptables -D forwarding_rule -i "$ifname" -j ACCEPT

Start service

/etc/init.d/pptpd enable
/etc/init.d/pptpd start

Set-up and configuration for historic versions (pre 14.07)

opkg install pptpd kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start

pptpd will be running, and will be running on boot. Add a user to /etc/ppp/chap-secrets (see below). Optionally add proxyarp to /etc/ppp/options.pptpd. Then try to connect from a client.

The kernel module kmod-mppe is needed for encryption. If you are on trunk, you might need to update your firmware to latest before installing kernel modules, as the kernel sometimes changes, thus the trunk repository modules will not match the older kernel.

OpenWrt Generic

Instructions that are not specific to any particular version of OpenWrt.


The default IP address of the server end of the tunnel is, and is set in the file /etc/ppp/options.pptpd, with a colon after it, like this:

Change this if you want a different IP address. There is no need to restart pptpd if you change this file, because it is used by pppd as soon as the next connection arrives. The file contains options for pppd, see man pppd on a Linux system for more information on the options available.

/!\ ppp has obsoleted this option (as of v2.4.3-7). In order to assign the local IP address of the server end of the tunnel, include the localip option in your /etc/pptpd.conf. For example:


The easiest way to get LAN access is to make sure the localip is in the LAN ip range. To dynamicly assign IP addresses to clients, you can add the following which dynamicly assigns an IP to the client.


Tunnel Remote IP Addresses

Add lines to /etc/ppp/chap-secrets for each client. The format is:

username provider password ipaddress

Add an IP address for every client. An example chap-secrets looks like this:

vpnuser pptp-server vpnpassword

See man pppd on a Linux system for more information on this file. Take care that the provider field matches the name option in /etc/ppp/options.pptpd. The default is pptp-server.

/!\ If you have x-wrt installed and use it to edit the chap-secrets file, it will create every entry with the provider of pptpd. Also, every time the router is rebooted the file will be rewritten so that the provider is pptpd. The easiest way to deal with this is to set the default provider in /etc/ppp/options.pptpd to pptpd.

/!\ For the bin and pptp builds of OpenWrt, the file will start out being a symbolic link to a template in /rom, so remove the link, copy the template, and make sure it is chmod 600.

/!\ It is important to set an IP address rather than use the default asterisk. If you use an asterisk, the peer may propose it's own address, which could cause a routing loop. This results in very large transmit counters on ifconfig ppp0 and a badly performing router, as it spends all it's time trying to move packets through the loop.


For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces. If your client is to connect on the WAN interface, edit the /etc/firewall.user file and add the following:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A output_rule             -p 47               -j ACCEPT
iptables        -A input_rule              -p 47               -j ACCEPT

See the Firewall Documentation for help. Be aware that $WAN might not be defined. If that is the case, insert the interface name instead. I.e. replace $WAN by eth1.

Alternatively you can configure the firewall using UCI in “/etc/config/firewall”:

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'pptpd'
	option 'proto' 'tcp'
	option 'dest_port' '1723'
	option 'family' 'ipv4'
	option 'src' 'wan'

Configure Routing

While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. Of course we can alway give appropriate routes to server and clients but there's another way. In our example we have a LAN network on the LAN port of our router. We want multiple clients to connect to the pptpd server and be able to connect to the LAN without the need of client routes. This is especially useful for Windows machines as they either route everything through the pptpd tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. We will use proxyarp for that purpose and add the following line to /etc/ppp/options.pptpd:


When the next client connection arrives you should see something like:

found interface vlan0 for proxy arp

in the logs. The kernel will now answer arp requests for the clients connected through the PPTP tunnel and thus the packets are routed correctly to either the ppp+ device or vlan0. We will have to add additional iptables rules.

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
/usr/sbin/iptables -A input_rule -i ppp+ -j ACCEPT
/usr/sbin/iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
/usr/sbin/iptables -A forwarding_rule -i ppp+ -j ACCEPT

Setup for Windows filesharing

If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the IP addresses of the PPTP clients to be on the same subnet as the LAN. This is because of a limitation in proxyarp. They also cannot be on the same subnet as the local addresses of the PPTP clients. For example, if your PPTP clients have addresses in the subnet, you can set you LAN to be with DCHP assigning, but be careful that your PPTP clients' subnets are not in the range. You would be better off selecting something in the range (such as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. You can set the IP address of the PPTP server to be by adding the following line to /etc/ppp/options.pptpd:

You can then assign the client IP address beginning with Use the following settings for VPN in /etc/firewall.user.

iptables        -A forwarding_rule -s -d -j ACCEPT
iptables        -A output_rule     -o ppp+ -s -d -j ACCEPT
iptables        -A input_rule      -i ppp+ -s -d -j ACCEPT
# allow VPN connections to get out WAN interface (to internet)
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

You will now be able to access file shares by IP address. For example, you can type


into the address bar of Windows Explorer. Network neighborhood still doesn't detect available computers. If anyone knows how to make this work please post the instructions here. The desired configuration would have automatic detection and population, so there is no need to edit host files. I tried following instructions for setting up samba to run as a WINS server but I couldn't get it to work. Perhaps this is because OpenWrt is running an older version of samba that was selected because it has a smaller memory footprint.

⇒ In general the way for computers to appear in Net-Hood is to have server (master browser) to populate browse list across networks + have hosts or lmhosts file setup on client machines(that is only way I discovered so far). For samba servers you need to have config options in smb.conf: (ip address of router/name of workgroup), but I'm not sure how it works on wrt (as it only have cups I couldn't get them installed due to space limitation) remote announce = and hosts file in windoze (c:\Windows\System32\drivers\etc\hosts) like mypc ..

⇒ Other way way for computers to appear in Net-Hood is to use on router side utility called bcrelay. Bcrelay turns on broadcast relay mode, sending all broadcasts received on the server's internal interface to the clients. Default pptpd package on WhiteRussian 0.9 contains pptpd version 1.3.0 compiled without bcrelay support. Good discussion about this problem can be found at


1. Recompile pptpd with bcrelay support or get compiled by simba87 package from 2. Backup /etc/pptpd.conf and all files in /etc/ppp/. Uninstall old pptpd package. 3. I put pptpd_1.3.4-1_mipsel.ipk to my hosting, then use wget on the router and use ipkg install pptpd_1.3.4-1_mipsel.ipk. 4. Add bcrelay br0 to /etc/pptpd.conf and proxyarp to /etc/ppp/options.pptpd.


Test Connection

Tell a client to connect to the PPTP server, using the username and password you set in chap-secrets.

The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN. See the routing section above .

Configure Debug Logging

If you have problems making a connection, increase the amount of information logged:

  • edit /etc/pptpd.conf and add the line debug, and restart pptpd using /etc/init.d/S50pptpd stop followed by /etc/init.d/S50pptpd start,
  • edit /etc/ppp/options.pptpd and add the line debug, and the line logfile “/tmp/pptpd.log” … these changes take effect on next client connection, there is no need to restart pptpd.

To understand the pppd debug log, read these key sections of the PPTP Client Diagnosis HOWTO:


If you can not ping router, host in lan or in internet from VPN client and there are no errors in pptpd log or system log, most likely packets get dropped in firewall.

If you can connect to the pptpd and can ping the client from the server and vice versa but are not able to ping anything else refer to this checklist for diagnosis

There is a Windows XP client HOWTO that may help.

There is also the PPTP Client for Linux or check the OpenWrt client.

If the PPTP clients are behind an Actiontec DSL Modem/Router, only one of them will be able to connect. This is do to a bug in the Actiontec. Apparently it locks the connection to one client. If the router is rebooted the first client to reconnect is locked in. Putting the Actiontec into bridged mode and using a different router will probably bypass the problem. Does anyone else have any experience with this?

Starting 18.06 version a lot of users report such error

Mon Jul 20 09:02:20 2020 kern.warn kernel: [  216.886288] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.

to resolve it install this package


everything after that starts work but maybe some other error comes out

Tue Jul 21 08:02:21 2020 kernel: [  215.914057] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

so if this is a problem. who can please help and add info here

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/vpn/pptp/basic.txt · Last modified: 2020/09/01 19:03 by vgaetera