Differences
| docs:guide-user:services:vpn:pptp:server [2020/10/16 13:48] – update vgaetera | docs:guide-user:services:vpn:pptp:server [2023/03/14 13:32] – consolidate variable naming vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== PPTP server ====== | ====== PPTP server ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| - | * Follow [[docs: | + | |
| ===== Goals ===== | ===== Goals ===== | ||
| - | {{section> | + | {{section> |
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages | + | Specify |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install pptpd | + | opkg install pptpd kmod-nf-nathelper-extra |
| + | |||
| + | # Configuration parameters | ||
| + | VPN_POOL=" | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| </ | </ | ||
| ==== 2. Firewall ==== | ==== 2. Firewall ==== | ||
| - | Consider VPN network as private | + | Enable conntrack helper to allow related GRE traffic. |
| + | Consider VPN network as private. | ||
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
| <code bash> | <code bash> | ||
| + | # Configure kernel parameters | ||
| + | cat << EOF >> / | ||
| + | net.netfilter.nf_conntrack_helper=1 | ||
| + | EOF | ||
| + | / | ||
| + | |||
| # Configure firewall | # Configure firewall | ||
| + | uci rename firewall.@zone[0]=" | ||
| + | uci rename firewall.@zone[1]=" | ||
| + | uci del_list firewall.lan.device=" | ||
| + | uci add_list firewall.lan.device=" | ||
| uci -q delete firewall.pptp | uci -q delete firewall.pptp | ||
| uci set firewall.pptp=" | uci set firewall.pptp=" | ||
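Review bot: the `net.netfilter.nf_conntrack_helper=1` line in the new sysctl block re-enables automatic helper assignment for every conntrack helper on the router, not only the PPTP/GRE one, which is precisely the behaviour the kernel default of 0 exists to avoid (any flow on a helper's port gets that helper's packet parsing attached). The narrower fix is to leave the sysctl at its default and bind the helper to the TCP/1723 flows with a firewall rule (nftables `ct helper set`), so only traffic to the VPN server is affected. Newer kernels have also removed this sysctl altogether, so the step should say what to do when writing it fails instead of silently appending a key the kernel no longer has.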
| Line 34: | Line 50: | ||
| uci set firewall.pptp.proto=" | uci set firewall.pptp.proto=" | ||
| uci set firewall.pptp.target=" | uci set firewall.pptp.target=" | ||
| - | uci -q delete firewall.gre | ||
| - | uci set firewall.gre=" | ||
| - | uci set firewall.gre.name=" | ||
| - | uci set firewall.gre.src=" | ||
| - | uci set firewall.gre.proto=" | ||
| - | uci set firewall.gre.target=" | ||
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| </ | </ | ||
| - | ==== Server configuration | + | ==== 3. VPN service |
| - | There is no need to modify server configuration files / | + | Configure VPN service. |
| - | See documentation and tips below. | + | |
| - | + | ||
| - | Clients configuration is located in / | + | |
| - | Modify it to enable pptpd and configure clients and network. | + | |
| - | Following is example for two clients. | + | |
| - | You can add multiple config ' | + | |
| <code bash> | <code bash> | ||
| - | # / | + | # Configure VPN service |
| - | + | uci set pptpd.pptpd.enabled="1" | |
| - | config | + | uci set pptpd.pptpd.logwtmp=" |
| - | option | + | uci set pptpd.pptpd.localip=" |
| - | option localip 'xxx.yyy.www.zzz' | + | uci set pptpd.pptpd.remoteip=" |
| - | + | uci -q delete pptpd.@login[0] | |
| - | config login | + | uci set pptpd.client=" |
| - | option username ' | + | uci set pptpd.client.username=" |
| - | option password ' | + | uci set pptpd.client.password=" |
| - | option remoteip 'xxx.yyy.zzz.1' | + | uci commit pptpd |
| - | + | /etc/init.d/pptpd restart | |
| - | config | + | |
| - | option | + | |
| - | option | + | |
| - | option remoteip 'xxx.yyy.zzz.2' | + | |
| </ | </ | ||
| - | ==== Network configuration | + | ===== Testing ===== |
| - | If you are using different subnet for VPN clients you need to add route: | + | {{section> |
| - | <code bash> | + | ===== Troubleshooting ===== |
| - | # / | + | Collect and analyze the following information. |
| - | + | ||
| - | config route | + | |
| - | option interface ' | + | |
| - | option target 'xxx.yyy.zzz.0' | + | |
| - | option netmask ' | + | |
| - | option gateway ' | + | |
| - | </ | + | |
| - | ===== Set-up and configuration for historic versions (pre 14.07) ===== | ||
| <code bash> | <code bash> | ||
| - | opkg install pptpd kmod-mppe | + | # Restart services |
| - | </code> | + | /etc/ |
| - | pptpd will be running, | + | # Log and status |
| - | Add a user to ''/ | + | logread |
| - | Optionally add // | + | |
| - | Then try to connect from a client. | + | |
| - | The kernel module kmod-mppe is needed for encryption. | + | # Runtime configuration |
| - | If you are on trunk, you might need to update your firmware to latest before installing kernel modules, as the kernel sometimes changes, thus the trunk repository modules will not match the older kernel. | + | pgrep -f -a pptpd |
| + | ip address show; ip route show table all | ||
| + | ip rule show; ip -6 rule show; nft list ruleset | ||
| + | sysctl net.netfilter.nf_conntrack_helper | ||
| - | ==== OpenWrt Generic ==== | + | # Persistent configuration |
| - | Instructions that are not specific to any particular version of OpenWrt. | + | uci show network; uci show firewall; uci show pptpd |
| - | + | grep -v -e "^#" -e " | |
| - | === Configuration === | + | |
| - | The default IP address of the server end of the tunnel is '' | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # /etc/ppp/ | + | |
| - | 172.16.1.1: | + | |
| </ | </ | ||
| - | |||
| - | Change this if you want a different IP address. | ||
| - | There is no need to restart //pptpd// if you change this file, because it is used by //pppd// as soon as the next connection arrives. | ||
| - | The file contains options for //pppd//, see //man pppd// on a Linux system for more information on the options available. | ||
| - | |||
| - | /!\ //ppp// has obsoleted this option (as of v2.4.3-7). | ||
| - | In order to assign the local IP address of the server end of the tunnel, include the //localip// option in your /// | ||
| - | For example: | ||
| - | |||
| - | <code bash> | ||
| - | localip 172.16.1.1 | ||
| - | </ | ||
| - | |||
| - | The easiest way to get LAN access is to make sure the localip is in the LAN ip range. | ||
| - | To dynamicly assign IP addresses to clients, you can add the following which dynamicly assigns an IP to the client. | ||
| - | |||
| - | <code bash> | ||
| - | remoteip 172.16.1.100-109 | ||
| - | </ | ||
| - | |||
| - | === Tunnel remote IP addresses === | ||
| - | Add an IP address for every client, e.g.: | ||
| - | |||
| - | <code bash> | ||
| - | # / | ||
| - | # username provider password ipaddress | ||
| - | vpnuser pptp-server vpnpassword 172.16.1.2 | ||
| - | </ | ||
| - | |||
| - | See //man pppd// on a Linux system for more information on this file. | ||
| - | Take care that the provider field matches the //name// option in /// | ||
| - | The default is // | ||
| - | |||
| - | /!\ If you have x-wrt installed and use it to edit the // | ||
| - | Also, every time the router is rebooted the file will be rewritten so that the provider is //pptpd//. | ||
| - | The easiest way to deal with this is to set the default provider in /// | ||
| - | |||
| - | /!\ For the //bin// and //pptp// builds of OpenWrt, the file will start out being a symbolic link to a template in ///rom//, so remove the link, copy the template, and make sure it is //chmod 600//. | ||
| - | |||
| - | /!\ It is important to set an IP address rather than use the default asterisk. | ||
| - | If you use an asterisk, the peer may propose it's own address, which could cause a routing loop. | ||
| - | This results in very large transmit counters on //ifconfig ppp0// and a badly performing router, as it spends all it's time trying to move packets through the loop. | ||
| - | |||
| - | === Firewall === | ||
| - | For your security OpenWrt will ignore connections on the WAN interface, but accept connection from a client on the LAN or wireless interfaces. | ||
| - | If your client is to connect on the WAN interface, edit the /// | ||
| - | |||
| - | <code bash> | ||
| - | iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT | ||
| - | iptables | ||
| - | iptables | ||
| - | iptables | ||
| - | </ | ||
| - | |||
| - | See the [[docs: | ||
| - | Be aware that $WAN might not be defined. | ||
| - | If that is the case, insert the interface name instead. | ||
| - | I.e. replace $WAN by eth1. | ||
| - | |||
| - | Alternatively you can configure the firewall: | ||
| - | |||
| - | <code bash> | ||
| - | # / | ||
| - | |||
| - | config ' | ||
| - | option ' | ||
| - | option ' | ||
| - | option ' | ||
| - | option ' | ||
| - | option ' | ||
| - | option ' | ||
| - | </ | ||
| - | |||
| - | ==== Configure Routing ==== | ||
| - | While we now have a VPN ready where the clients can connect to the OpenWrt router we might want to allow the clients to see inside the LAN. | ||
| - | Of course we can alway give appropriate routes to server and clients but there' | ||
| - | In our example we have a LAN network '' | ||
| - | We want multiple clients to connect to the //pptpd// server and be able to connect to the LAN without the need of client routes. | ||
| - | This is especially useful for Windows machines as they either route everything through the //pptpd// tunnel or nothing and we want them to be able to connect without much configuration hassle for the users. | ||
| - | We will use // | ||
| - | |||
| - | <code bash> | ||
| - | # / | ||
| - | proxyarp | ||
| - | </ | ||
| - | |||
| - | When the next client connection arrives you should see something like: | ||
| - | |||
| - | < | ||
| - | found interface vlan0 for proxy arp | ||
| - | </ | ||
| - | |||
| - | in the logs. | ||
| - | The kernel will now answer arp requests for the clients connected through the PPTP tunnel and thus the packets are routed correctly to either the ppp+ device or vlan0. | ||
| - | We will have to add additional iptables rules. | ||
| - | |||
| - | <code bash> | ||
| - | # Allow all traffic in and out of the ppp interface | ||
| - | / | ||
| - | / | ||
| - | # This rule will allow traffic towards internet | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Setup for Windows filesharing ==== | ||
| - | If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, you need to set the IP addresses of the PPTP clients to be on the same subnet as the LAN. | ||
| - | This is because of a limitation in proxyarp. | ||
| - | They also cannot be on the same subnet as the local addresses of the PPTP clients. | ||
| - | For example, if your PPTP clients have addresses in the 192.168.0.0/ | ||
| - | You would be better off selecting something in the 172.16.0.0/ | ||
| - | You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line: | ||
| - | |||
| - | <code bash> | ||
| - | # / | ||
| - | 192.168.30.200: | ||
| - | </ | ||
| - | |||
| - | You can then assign the client IP address beginning with 192.168.30.201. | ||
| - | Use the following settings for VPN in . | ||
| - | |||
| - | <code bash> | ||
| - | cat << EOF >> / | ||
| - | iptables | ||
| - | iptables | ||
| - | iptables | ||
| - | # allow VPN connections to get out WAN interface (to internet) | ||
| - | iptables | ||
| - | EOF | ||
| - | </ | ||
| - | |||
| - | You will now be able to access file shares by IP address. | ||
| - | For example, you can type | ||
| - | |||
| - | < | ||
| - | \\192.168.30.50 | ||
| - | </ | ||
| - | |||
| - | into the address bar of Windows Explorer. | ||
| - | Network neighborhood still doesn' | ||
| - | If anyone knows how to make this work please post the instructions here. | ||
| - | The desired configuration would have automatic detection and population, so there is no need to edit host files. | ||
| - | I tried following [[http:// | ||
| - | Perhaps this is because OpenWrt is running an older version of samba that was selected because it has a smaller memory footprint. | ||
| - | |||
| - | => In general the way for computers to appear in Net-Hood is to have server (master browser) to populate browse list across networks + have hosts or lmhosts file setup on client machines(that is only way I discovered so far). | ||
| - | For samba servers you need to have config options in smb.conf: | ||
| - | |||
| - | => Other way way for computers to appear in Net-Hood is to use on router side utility called // | ||
| - | //Bcrelay// turns on broadcast relay mode, sending all broadcasts received on the server' | ||
| - | Default pptpd package on WhiteRussian 0.9 contains pptpd version 1.3.0 compiled without //bcrelay// support. | ||
| - | Good discussion about this problem can be found at [[http:// | ||
| - | |||
| - | Decision: | ||
| - | - Recompile pptpd with bcrelay support or get compiled by simba87 package from [[http:// | ||
| - | - Backup /// | ||
| - | - I put // | ||
| - | - Add //bcrelay br0// to / | ||
| - | |||
| - | ===== Troubleshooting ===== | ||
| - | ==== Test Connection ==== | ||
| - | Tell a client to connect to the PPTP server, using the username and password you set in // | ||
| - | |||
| - | The connection should work, ping between the client and the server should work, but you may have to do some more configuring to let the client use your PPTP server as a gateway to the internet, or to see inside your LAN. | ||
| - | See the routing section above . | ||
| - | |||
| - | ==== Configure Debug Logging ==== | ||
| - | If you have problems making a connection, increase the amount of information logged: | ||
| - | * edit /// | ||
| - | * edit /// | ||
| - | |||
| - | To understand the //pppd// debug log, read these key sections of the PPTP Client Diagnosis HOWTO: | ||
| - | * [[http:// | ||
| - | * [[http:// | ||
| - | |||
| - | ====Notes==== | ||
| - | If you can not ping router, host in lan or in internet from VPN client and there are no errors in pptpd log or system log, most likely packets get dropped in firewall. | ||
| - | |||
| - | If you can connect to the //pptpd// and can ping the client from the server and vice versa but are not able to ping anything else refer to this [[http:// | ||
| - | |||
| - | There is a [[http:// | ||
| - | |||
| - | There is also the [[http:// | ||
| - | |||
| - | If the PPTP clients are behind an Actiontec DSL Modem/ | ||
| - | This is do to a bug in the Actiontec. | ||
| - | Apparently it locks the connection to one client. | ||
| - | If the router is rebooted the first client to reconnect is locked in. | ||
| - | Putting the Actiontec into bridged mode and using a different router will probably bypass the problem. | ||
| - | Does anyone else have any experience with this? | ||
| - | |||
| - | Starting 18.06 version a lot of users report such error | ||
| - | |||
| - | < | ||
| - | Mon Jul 20 09:02:20 2020 kern.warn kernel: [ 216.886288] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module. | ||
| - | </ | ||
| - | |||
| - | to resolve it install this package | ||
| - | |||
| - | < | ||
| - | kmod-nf-nathelper-extra | ||
| - | </ | ||
| - | |||
| - | everything after that starts work but maybe some other error comes out | ||
| - | |||
| - | < | ||
| - | Tue Jul 21 08:02:21 2020 kern.info kernel: [ 215.914057] nf_conntrack: | ||
| - | </ | ||
| - | |||
| - | so if this is a problem. who can please help and add info here | ||
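Review bot: dropping the explicit `firewall.gre` accept rule (the six `uci ... firewall.gre` lines on the left side) makes GRE reachability depend solely on the conntrack helper classifying protocol 47 as RELATED, and the notes removed at the bottom of the left side documented exactly the failure when that helper is missing (`conntrack: generic helper won't handle protocol 47`: TCP/1723 connects but the tunnel never passes data). The new Troubleshooting section should keep that symptom and point at `kmod-nf-nathelper-extra` and the helper sysctl, since otherwise the only trace of the dependency is the package name in step 1. Separately, `uci -q delete pptpd.@login[0]` removes only the first anonymous login section, so on a router where several clients were configured earlier the remaining entries survive next to the new `pptpd.client` section; either loop the delete (`while uci -q delete pptpd.@login[0]; do :; done`) or state that the steps assume the shipped default config.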