OpenWrt Project

User Tools

Site Tools

You are here: Welcome to the OpenWrt Project » Documentation » User guide » Additional Services » VPN (aka Virtual Private Network) » PPTP » PPTP server
en
 ?

Sidebar

Learn about OpenWrt

Contributing

Project

docs:guide-user:services:vpn:pptp:server

Table of Contents

PPTP server

This article relies on the following:

Introduction

  • This how-to describes the method for setting up PPTP server on OpenWrt.
  • Follow PPTP client to set up PPTP server and PPTP extras for additional tuning.

Goals

  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leak and traffic spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.

Instructions

1. Preparation

Set up DDNS client if required. Install the packages and specify the VPN server configuration parameters. 

# Install packages
opkg update
opkg install pptpd kmod-nf-nathelper-extra
 
# Configuration parameters
PPTP_USER="PPTP_USERNAME"
PPTP_PASS="PPTP_PASSWORD"
PPTP_POOL="192.168.7.128-254"

2. Firewall

Enable conntrack helper to allow related GRE traffic. Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. 

# Configure kernel parameters
cat << EOF >> /etc/sysctl.conf
net.netfilter.nf_conntrack_helper=1
EOF
/etc/init.d/sysctl restart
 
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="ppp+"
uci add_list firewall.lan.device="ppp+"
uci -q delete firewall.pptp
uci set firewall.pptp="rule"
uci set firewall.pptp.name="Allow-PPTP"
uci set firewall.pptp.src="wan"
uci set firewall.pptp.dest_port="1723"
uci set firewall.pptp.proto="tcp"
uci set firewall.pptp.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

3. VPN service

Configure VPN service. 

# Configure VPN service
while uci -q delete pptpd.@login[0]; do :; done
uci set pptpd.pptpd.enabled="1"
uci set pptpd.pptpd.logwtmp="0"
uci set pptpd.pptpd.localip="${PPTP_POOL%.*}.1"
uci set pptpd.pptpd.remoteip="${PPTP_POOL}"
uci set pptpd.login="login"
uci set pptpd.login.username="${PPTP_USER}"
uci set pptpd.login.password="${PPTP_PASS}"
uci commit pptpd
/etc/init.d/pptpd restart

Testing

Establish the VPN connection. Verify your client traffic is routed via VPN gateway. 

traceroute openwrt.org
traceroute6 openwrt.org

Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default.

Troubleshooting

Collect and analyze the following information. 

# Restart services
/etc/init.d/log restart; /etc/init.d/pptpd restart; sleep 10
 
# Log and status
logread -e pptpd; netstat -l -n -p | grep -e pptpd
 
# Runtime configuration
pgrep -f -a pptpd
ip address show; ip route show table all
ip rule show; ip -6 rule show; iptables-save; ip6tables-save
sysctl net.netfilter.nf_conntrack_helper
 
# Persistent configuration
uci show network; uci show firewall; uci show pptpd
grep -v -e "^#" -e "^$" /etc/sysctl.conf
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/vpn/pptp/server.txt · Last modified: 2020/10/18 05:26 by vgaetera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki