User Tools

Site Tools


PPTP NAT Traversal

By default, OpenWrt is not configured to allow through PPTP connections from LAN clients (local private network) to WAN (on the Internet) servers. This page explains how to establish PPTP tunnels passing through OpenWrt's network address translation (NAT). Thus this is often referred to as “PPTP pass through”.


PPTP utilizes the GRE (Generic Routing Encapsulation) protocol for its point-to-point tunnel. As a pure IP protocol GRE uses only IP addresses but no port numbers giving the router's NAT a tough time to track such a connection. In its base configuration OpenWrt Backfire is able to NAT a single PPTP connections but not multiple such connections concurrently. It is also unreliable when trying to establish consecutive single PPTP connections from different LAN clients in rapid succession. This limitation can be lifted (as far as I could make out so far) by installing the following package.

Required Packages

Packages Name Size in Bytes Description
kmod-ipt-nathelper-extra 55770 Extra Netfilter (IPv4) Conntrack and NAT helpers


See opkg for details on how to use this tool.

For the current versions of OpenWRT (since Chaos Calmer 15.05), you should install:

opkg install kmod-nf-nathelper-extra

For Kernel version 4.9 and 4.14 you will need to do an additional step, you can check which kernel you are using with:

uname -r

Then do:

echo "net.netfilter.nf_conntrack_helper = 1" >> /etc/sysctl.d/local.conf 

You should now be able to use multiple PPTP connections from LAN to WAN at the same time.

Old versions until Barrier Breaker 14.07 used 'kmod-ipt-nathelper-extra' instead:

opkg install kmod-ipt-nathelper-extra
docs/guide-user/services/vpn/pptp/nat_traversal.txt · Last modified: 2018/09/24 20:34 by vgaetera