PPTP Passthru on 18.06.1

So I'm using the latest stable and I want to set up a PPTP VPN from my local server.

I've followed this tutorial to set up a PPTP server https://www.howtogeek.com/51237/setting-up-a-vpn-pptp-server-on-debian/ and this tutorial to set up PPTP support on OpenWRT
http://corz.org/network/routers/OpenWrt/VPN-Passthrough-in-OpenWRT.php

In addition to that, I've added the "net.netfilter.nf_conntrack_helper = 1" option to /etc/sysctl.conf.

After all this, I still can't get the VPN working on a remote machine (locally, I can connect just fine).

What am I doing wrong here? Honestly, I haven't had such an issue before switching to OpenWrt :confused:

Did you restart the firewall and sysctl after the changes?
Could you post the /etc/config/firewall and /etc/config/network?

You might want to enable logging of dropped/rejected packets in your OpenWrt firewall and use wireshark/tcpdump to watch the traffic.

However, please keep in mind that the security provided by PPTP is fairly low. The tutorial on corz.org also mentions this fact.

What are your requirements regarding VPN throughput, client support and user account management?
What is your router hardware?
Do you have a spare public address (IPv4 or IPv6) you could assign to the VPN server?
Would you consider setting up the VPN on the OpenWrt router itself?
Would it be feasible for you to use a different VPN technology such as IPsec, OpenVPN or wireguard?

Yes, I've restarted the whole device a number of times, no luck.


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '22'
	option dest_ip '192.168.1.2'
	option dest_port '22'
	option name 'SSH'
	option proto 'tcp udp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.2'
	option name 'Torrent'
	option src_dport '60444'
	option dest_port '60444'

config redirect
	option name 'VPN GRE'
	option dest_ip '192.168.1.2'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'gre'

config redirect
	option name 'VPN'
	option dest_ip '192.168.1.2'
	option src_dport '1723'
	option dest_port '1723'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'



config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde7:6642:acb1::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	option dns '8.8.8.8 8.8.4.4'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '50:c7:bf:96:21:8e'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'hojnikb'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '50:c7:bf:96:21:8f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'


Here are my network and firewall settings.

I'm trying to set up a connection to my home network, so I don't have to configure each device I want to access for external access. It's mostly file sharing, settings (various web interfaces) and whatnot.

I'd like to stick with PPTP; while it is low on security, it's universally available on pretty much every client I happen to use while not at home. Sometimes, installing an extra app for VPN just isn't an option or is an inconvenience I'd like to avoid. Obviously, if any other type of server is easier to configure, I'd make that compromise.

In all honesty, it's pretty retarded that OpenWrt makes you jump through such hoops just to get something so simple set up. In the past, all it took was a tick in a box and a forwarded port. But this is the cost of going this route :slight_smile:

Looks correct. Can you verify that you receive packets properly both in router and server with tcpdump?
tcpdump -i pppoe-wan -vvvn "proto gre or port 1723"
Replace pppoe-wan with your wan interface as shown in ifconfig.
Check if you see some hits when you try to connect on the router from the internet.
If you see some hits run the same on the pptp server, just change the interface name.

Since you want to access multiple devices in your home network, I recommend setting up the PPTP server on the OpenWrt router. You will have less trouble with routing and firewall configuration this way.

But for PPTP passthrough to a separate server, you should set option helper like this:

config redirect
	option name 'VPN'
	...
	option helper 'pptp'

instead of globally enabling the net.netfilter.nf_conntrack_helper sysctl.
Either one should work, though, so I guess you'll have some more debugging to do.
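
As an added example, not part of any post in this thread: a read-only shell check that a firewall file carries both halves of PPTP passthrough (TCP 1723 and GRE redirected to the same host) and reports whether option helper is set on the control redirect. The function name check_pptp_passthru and the sample file are constructed for illustration.

```shell
# Added example (not from the thread): read-only audit of a UCI firewall file.
check_pptp_passthru() {
    awk -v q="'" '
    function val(   s) {        # value of an "option <name> <value>" line, unquoted
        s = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", s)
        sub(/[ \t\r]+$/, "", s)
        gsub("^[" q "\"]|[" q "\"]$", "", s)
        return s
    }
    function classify() {       # record what the redirect section just read forwards
        if (!redir) return
        if (dport == "1723" && (" " proto " ") ~ / tcp /) { ctrl = dest; chelper = helper }
        if ((" " proto " ") ~ / gre /) gre = dest
    }
    $1 == "config" { classify(); redir = ($2 == "redirect"); proto = dest = dport = helper = ""; next }
    redir && $1 == "option" {
        if ($2 == "proto") proto = val()
        else if ($2 == "dest_ip") dest = val()
        else if ($2 == "src_dport") dport = val()
        else if ($2 == "helper") helper = val()
    }
    END {
        classify()
        print "control: " (ctrl != "" ? "tcp/1723 -> " ctrl : "missing")
        print "gre: " (gre != "" ? "-> " gre : "missing")
        print "helper: " (chelper != "" ? chelper : "unset")
        exit !(ctrl != "" && ctrl == gre)   # non-zero unless both halves reach one host
    }' "$1"
}

# Constructed sample: the two VPN redirects from the posted config, with the helper added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config redirect
	option dest_ip '192.168.1.2'
	option proto 'gre'

config redirect
	option dest_ip '192.168.1.2'
	option src_dport '1723'
	option proto 'tcp'
	option helper 'pptp'
EOF
check_pptp_passthru "$sample"
rm -f "$sample"
```

On the router, pass /etc/config/firewall as the argument. A "helper: unset" line means the passthrough depends on the global net.netfilter.nf_conntrack_helper sysctl instead.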

I've opted for L2TP/IPSec instead, works flawlessly.
Thanks for all the help anyway :slight_smile:

Read: [Solved] Ar71xx Kernel 4.9 PPTP Passthrough not working (TL-WR942N v1)