I installed kmod-nf-nathelper-extra on my Archer C7 V5 running 18.06.4 but it didn't make any difference. I still can't connect to VPN using Windows 7 unless I take the router out of the circuit and connect my Windows box directly to the ISP's modem. Then I can connect easily, so I surmise something about the router is the problem.
Otherwise the router is working great under pretty heavy loads.
Which kind of VPN? Something Windows-specific, OpenVPN, WireGuard, IPSec, ... ?
Edit:
So still need a bit more information as to which flavor of PPTP you're using. A bit of a challenge as well, as Windows 7 was EOLed for mainstream customers in 2015.
Reading that it uses GRE, have you enabled forwarding of GRE (proto 47) through the router?
Other info: optional encryption, allowed protocols are unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAP v2, IPV6, IPV4. I'm not sure which of the foregoing are actually used.
I only need this VPN for one occasional purpose -- rebuilding a remote server -- and I'm attempting to avoid the Microsoft Tax as long as possible. The remote server owner says only Microsoft will work (not sure about that).
How, exactly, does one enable forwarding of GRE? I bet that's the problem.
Ah. I changed the title per your suggestion (thanks). I'm guessing that host-specific GRE forwarding instructions might work, but it would be nicer if it could be made to work for any LAN host, or for multiple LAN hosts.
Add a new port forward (traffic redirection) rule. Set source zone to wan, destination zone to lan, destination ip to your internal lan vpn client.
Set the protocol to "-- custom --" and then enter "gre" as value, hit save & apply.
I think you may need the "reverse" of that, where GRE can be forwarded from any host in the LAN zone to any host in the WAN zone (no source/destination IP needed).
Edit: I don't know the direction of the initiation of the connection. My comment above assumes that your "inside" Windows box initiates the GRE tunnel.
By default all traffic from LAN to WAN should be allowed. This means that outgoing PPTP connections will work (tcp/1723 and ip/47).
Can you verify that the connection is outbound?
Have you changed anything in the firewall settings? (paste here the output of uci show firewall)
Well, that didn't work, but it was interesting. The original error report was:
"Disconnected" Error 619 (in Windows-land)
When I forwarded WAN:1723 to [LAN host]:1723, the error became:
Connecting to [IP] using "WAN Miniport (PPTP)'... Error 807 (in Windows-land)
#The following stanza from /overlay/upper/etc/config/firewall made that difference:
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	proto '47'
	option src_dport '1723'
	option dest_ip '192.168.4.88'
	option dest_port '1723'
	option name 'sybilwl0-pptp'
## The following stanza made the router unable to handle ordinary web traffic (I don't know why):
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	proto 'udp'
	option src_dport '1701'
	option dest_ip '192.168.4.88'
	option dest_port '1701'
	option name 'sybilwl1-pptp'
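
Added example, not part of the original posts and not OpenWrt's own tooling: a POSIX sh and awk lint run over the two stanzas as they appear in the post above. The function names `sample_config` and `lint_redirects` are this example's own; it reports lines that lack the UCI `option`/`list` keyword, port options set on GRE (IP protocol 47, which has no ports), and UDP 1701, which is L2TP rather than PPTP.

```shell
#!/bin/sh
# Constructed sample: the two redirect stanzas as they appear in the post.
sample_config() {
cat <<'EOF'
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	proto '47'
	option src_dport '1723'
	option dest_ip '192.168.4.88'
	option dest_port '1723'
	option name 'sybilwl0-pptp'
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	proto 'udp'
	option src_dport '1701'
	option dest_ip '192.168.4.88'
	option dest_port '1701'
	option name 'sybilwl1-pptp'
EOF
}
# lint_redirects (hypothetical helper): UCI firewall config on stdin, one finding per line.
lint_redirects() {
awk -v q="'" '
function flush() {
    # GRE is IP protocol 47 and has no port numbers, so port options cannot apply.
    if (insec && (proto == "47" || proto == "gre") && ports != "")
        printf "section %d: proto %s carries no ports, but%s set\n", sec, proto, ports
    # UDP 1701 belongs to L2TP; PPTP uses a TCP 1723 control channel plus GRE.
    if (insec && proto == "udp" && index(ports, "=1701"))
        printf "section %d: udp/1701 is L2TP; PPTP is tcp/1723 plus GRE\n", sec
}
/^[ \t]*(#|$)/ { next }    # skip comments and blank lines
{ gsub(q, "") }            # drop the single quotes around values
$1 == "config" { flush(); sec++; insec = ($2 == "redirect"); proto = ""; ports = ""; next }
{
    if ($1 == "option" || $1 == "list") { key = $2; val = $3 }
    else { printf "line %d: no option/list keyword: %s %s\n", NR, $1, $2; key = $1; val = $2 }
    if (key == "proto") proto = tolower(val)
    if (key == "src_dport" || key == "dest_port") ports = ports " " key "=" val
}
END { flush() }
'
}
sample_config | lint_redirects
```

To check the live file on the router, feed it in with `lint_redirects < /etc/config/firewall`.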