PPTP extras

This article relies on the following:

This how-to describes the most common PPTP tuning scenarios adapted for OpenWrt.
Follow PPTP server for server setup and PPTP client for client setup.
Follow PPTP protocol for protocol-specific interface options.
Follow DDNS client to use own server with dynamic IP address.
Follow Random generator to overcome low entropy issues.

Poptop PPTP server documentation

If you want to manage VPN settings using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-proto-ppp
/etc/init.d/rpcd restart

Navigate to LuCI → Network → Interfaces to configure PPTP.

Preserve default route to restore WAN connectivity when VPN is disconnected.

# Preserve default route
uci set network.wan.metric="1024"
uci commit network
/etc/init.d/network restart

Provide PPTP passthrough for LAN clients over your router.

# Install packages
opkg update
opkg install kmod-nf-nathelper-extra
/etc/init.d/firewall restart

Provide static IP address allocation on VPN server.

# Configure VPN service
rm -f /tmp/etc/chap-secrets
uci set pptpd.client.remoteip="192.168.6.2"
uci commit pptpd
/etc/init.d/pptpd restart

Implement plain routing between server side LAN and client side LAN assuming that:

192.168.1.0/24 - server side LAN
192.168.2.0/24 - client side LAN

Set up static address allocation on VPN server, add route to client side LAN.

cat << "EOF" > /etc/ppp/ip-up
#!/bin/sh
case ${IPREMOTE} in
(192.168.6.2) ip route add 192.168.2.0/24 via ${IPREMOTE} dev ${IFNAME} ;;
esac
EOF
chmod +x /etc/ppp/ip-up

Consider VPN network as private and assign VPN interface to LAN zone on VPN client, add route to server side LAN.

uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.lan_vpn
uci set network.lan_vpn="route"
uci set network.lan_vpn.interface="vpn"
uci set network.lan_vpn.target="192.168.1.0/24"
uci set network.lan_vpn.gateway="192.168.6.1"
uci commit network
/etc/init.d/network restart

If you do not need to redirect all traffic to VPN. Disable gateway redirection on VPN client.

# Configure VPN service
uci set network.vpn.defaultroute="0"
uci commit network
/etc/init.d/network restart

If VPN gateway is separate from your LAN gateway. Implement plain routing between LAN network and VPN network assuming that:

192.168.1.0/24 - LAN network
192.168.1.2/24 - VPN gateway
192.168.6.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.pptp
uci set firewall.pptp="redirect"
uci set firewall.pptp.name="Redirect-PPTP"
uci set firewall.pptp.src="wan"
uci set firewall.pptp.src_dport="1723"
uci set firewall.pptp.dest="lan"
uci set firewall.pptp.dest_ip="192.168.1.2"
uci set firewall.pptp.family="ipv4"
uci set firewall.pptp.proto="tcp"
uci set firewall.pptp.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.6.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

Set up an IPv6 tunnel broker or IPv6 masquerading if necessary. Configure IPv6 on VPN server.

cat << "EOF" > /etc/ppp/ip-up
#!/bin/sh
ip address add fdf1:e8a1:8d3f:6::1/64 dev ${IFNAME}
EOF
chmod +x /etc/ppp/ip-up

Configure IPv6 on VPN client, redirect IPv6 gateway.

uci add_list firewall.wan.network="vpn6"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.vpn6
uci set network.vpn6="interface"
uci set network.vpn6.proto="static"
uci set network.vpn6.device="@vpn"
uci set network.vpn6.ip6addr="fdf1:e8a1:8d3f:6::2/64"
uci -q delete network.vpn6_rt
uci set network.vpn6_rt="route6"
uci set network.vpn6_rt.interface="vpn6"
uci set network.vpn6_rt.target="::/0"
uci commit network
/etc/init.d/network restart

Disable source routing on the server. Disable ISP prefix delegation to avoid IPv6 leak on the client.

Provide DNS for VPN clients in the point-to-point topology on OpenWrt server.

Utilize DNS over VPN to prevent DNS leak on VPN client.

Disable peer DNS and configure a VPN-routed DNS provider on OpenWrt client.

Modify the VPN connection using NetworkManager on Linux desktop client.

nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50

Prevent traffic leak on OpenWrt client isolating VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

Set up multi-client VPN server. Use unique credentials for each client.

# Configure VPN service
uci -q delete pptpd.client1
uci set pptpd.client1="login"
uci set pptpd.client1.username="USERNAME1"
uci set pptpd.client1.password="PASSWORD1"
uci commit pptpd
/etc/init.d/pptpd restart

Automated VPN server installation.

URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/pptp"
cat << EOF > pptp-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
EOF
sh pptp-server.sh

PPTP extras

Introduction

Extras

References

Web interface

Dynamic connection

NAT traversal

Static addresses

Site-to-site

Disable gateway redirection

Split gateway

IPv6 gateway

DNS over VPN

Kill switch

Multi-client

Automated