PPTP VPN behind CGNAT; routing issue

I use Starlink and therefore sit behind a CGNAT without a public IP address.
I have a subscription to PureVPN with a fixed IP via PPTP and port forwarding (all ports are open here).
I use a gl.inet GL-MT300N-V2 / Mango as VPN router.

I managed to set up the VPN connection in OpenWRT with these instructions here https://www.youtube.com/watch?v=-TvsuDtBnBQ. However, from "outside" I can only reach the GUI of the VPN router but not my other servers in my network although I have created port forwarding rules for them in OpenWRT.

PPTP is no longer considered safe to use on the modern internet. You should see if your provider supports WireGuard, and if so, change to a new, much more secure VPN protocol.

Regarding the specific issue you have asked about, let’s see the config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

I know about the security issue. I use an SSL connection in addition. PureVPN only supports PPTP, L2TP, SSTP and IPsec with dedicated IP. They do not support OpenVPN with fixed IP.

cat /etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '**:/48'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '***'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '***'

config interface 'PureVPN'
        option proto 'pptp'
        option server 'de-ded-11.pointtoserver.com'
        option username '<user>'
        option password '<password>'
        option ipv6 '0'

config interface 'LAN_DHCP'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'LAN'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'VPN_Router'
        option delegate '0'

# I have added this in the hope that it will route to the server
config route
        option target '192.168.2.56'
        option gateway '192.168.2.1'
        option interface 'LAN'

cat /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config zone 'LAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'LAN'
        list network 'LAN'
        list network 'LAN_DHCP'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config rule
        option target 'ACCEPT'
        option src 'VPN'
        option dest 'LAN'
        option family 'ipv4'
        option enabled '0'
        option name 'Allow VPN'
        list proto 'all'

config zone 'WAN'
        option masq '1'
        option output 'ACCEPT'
        option name 'VPN'
        list network 'PureVPN'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config redirect
        option src 'VPN'
        option name 'NAS - DSM'
        option target 'DNAT'
        option dest 'LAN'
        list proto 'tcp'
        option dest_port '1001'
        option dest_ip '192.168.2.56'
        option src_dport '1001'

You appear to be using the GL.iNet-provided firmware. This is based on OpenWrt, but it is distinctly different due to the extensive customization they have done.

You have two options:

  • use an official OpenWrt version (22.03.0 was just released) and try again. You can then get relevant help on this forum.
  • continue using the stock firmware and ask for help from the GL.iNet support or community forum. They will know the nuances of configuring and troubleshooting that specific firmware.

So now I directly installed OpenWrt on the router

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '***::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'LAN_DHCP'
        option proto 'static'
        option device 'eth0.1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'LAN'
        option proto 'dhcp'
        option device 'eth0.2'

config interface 'PureVPN'
        option proto 'pptp'
        option server 'de-ded-11.pointtoserver.com'
        option username 'user'
        option password 'pass'
        option ipv6 '0'


cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'PureVPN'
        option masq '1'

config zone
        option name 'LAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'LAN'
        list network 'LAN_DHCP'

config forwarding
        option src 'LAN'
        option dest 'VPN'

config redirect
        option target 'DNAT'
        option name 'NAS - DSM'
        list proto 'tcp'
        option src 'VPN'
        option src_dport '1001'
        option dest_ip '192.168.2.56'
        option dest_port '1001'
        option dest 'LAN'

For now it seems that the VPN router itself is exposed and its web GUI is directly reachable via the external IP on port 443, but not my rule using port 1001.

You should connect to your VPN provider over IPv6 so that you avoid tunneling through the CGN. If the VPN provider doesn't do IPv6, then you should consider switching to a VPN provider that does. Tunneling through a CGN will make your VPN service brittle.

Starlink itself only works with IPv4 for now.
I hope the tunnel will stay stable. But the routing problem is still not solved for me. I can't reach my own server.

A quick search shows that Starlink does indeed do IPv6. Any ISP that uses a CGN will have IPv6 deployed to reduce the demand on the CGN. Only ISPs in dirt-poor countries run CGN without IPv6, because they can't afford to replace their outdated IPv4-only equipment. I suggest you get IPv6 working so that you get the best service from Starlink.

As for your routing problem, I'm not sure. The VPN zone should have option input set to REJECT or DROP so that the router itself isn't exposed. The redirect rule looks OK to me, so I don't know why it isn't working. Maybe you need to restart the firewall, or maybe someone else can offer some insight.

Assign a static address to this interface and configure 192.168.2.56 to use the assigned address as default gateway or enable masquerading on the LAN zone.

PureVPN is a known MTU black hole (source: I am a customer, and also have a static-IP account). In the firewall settings, could you please confirm that you enabled MSS clamping on the zone that has the PPTP interface?

I activated this option now. -> no change so far!
But thanks for the advice concerning the MTU :+1:

Wuhuwww, Pavel!
This was the click. I activated the masquerading on the LAN zone!

If you prefer this option, make it more elegant.
Disable masquerading and create a SNAT rule.

config nat
        option name 'SNAT-to-LAN'
        option src 'LAN'
        option target 'SNAT'
        option snat_ip '192.168.2.X' # The LAN interface IP address
        option dest_ip '192.168.2.56'
        option proto 'tcp'
        option dest_port '1001'

Note that the IP address of the LAN interface must be permanent, so you better create a static lease in the main router.
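The three fixes that came up in this thread (VPN zone `input` set to REJECT so the router's GUI is not exposed on the tunnel IP, MSS clamping on the PPTP zone, and masquerading or an SNAT rule so the NAS's replies come back through the VPN router instead of leaving via the main router) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI text format shown above plus an audit that flags all three problems in the configuration posted after the switch to official OpenWrt, and passes once the fixes are applied. The configs embedded below are the thread's own, trimmed to the sections the audit reads; the router address 192.168.2.250 used in the SNAT rule is an assumption standing in for the elided `192.168.2.X`.

```python
"""Audit OpenWrt UCI network + firewall text for: router exposed on the VPN IP,
no MSS clamping on the tunnel zone, and a DNAT whose target host replies through
another gateway (the asymmetric-routing problem from the thread)."""
import ipaddress
import shlex

TUNNEL_PROTOS = ("pptp", "l2tp", "wireguard")  # netifd protos treated as tunnels


def parse_uci(text):
    """Parse 'config <type> [name]' / 'option k v' / 'list k v' lines into
    section dicts; shlex handles UCI's single quotes and trailing # comments."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "option": {}, "list": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["option"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["list"].setdefault(parts[1], []).append(parts[2])
    return sections


def audit_firewall(network_text, firewall_text):
    """Return a list of (code, message) findings; empty means all three checks pass."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    ifaces = {s["name"]: s["option"] for s in net if s["type"] == "interface"}
    # Subnets this router is the gateway of: its own statically addressed interfaces.
    local = {n: ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
             for n, o in ifaces.items()
             if o.get("proto") == "static" and "ipaddr" in o and "netmask" in o}
    zones = [s for s in fw if s["type"] == "zone"]
    by_name = {z["option"].get("name", z["name"]): z for z in zones}
    findings = []

    # 1 + 2: the zone carrying the tunnel must not expose the router itself and
    # must clamp MSS (PPTP through the CGNAT is an MTU black hole).
    for n, o in ifaces.items():
        if o.get("proto") not in TUNNEL_PROTOS:
            continue
        z = next((z for z in zones if n in z["list"].get("network", [])), None)
        if z is None:
            findings.append(("VPN_NO_ZONE", f"interface {n} belongs to no zone"))
            continue
        zn = z["option"].get("name", z["name"])
        if z["option"].get("input", "").upper() not in ("REJECT", "DROP"):
            findings.append(("VPN_INPUT_OPEN", f"zone {zn}: input is not REJECT/DROP, so the "
                             "router's own services (GUI, SSH) are reachable on the VPN IP"))
        if z["option"].get("mtu_fix") != "1":
            findings.append(("NO_MSS_CLAMP", f"zone {zn}: mtu_fix (MSS clamping) is off"))

    # 3: a DNAT to a host this router does not gateway needs masq or SNAT; otherwise
    # the host's replies leave via its own default gateway and never reach the
    # conntrack entry that would undo the DNAT. Ports are ignored for simplicity.
    snat_targets = {s["option"].get("dest_ip") for s in fw
                    if s["type"] == "nat" and s["option"].get("target", "").upper() == "SNAT"}
    for r in fw:
        if r["type"] != "redirect" or r["option"].get("target", "DNAT").upper() != "DNAT":
            continue
        dz = by_name.get(r["option"].get("dest"))
        ip = ipaddress.ip_address(r["option"]["dest_ip"])
        nets = dz["list"].get("network", []) if dz else []
        routed_here = any(ip in local[n] for n in nets if n in local)
        masq = dz is not None and dz["option"].get("masq") == "1"
        if not routed_here and not masq and str(ip) not in snat_targets:
            findings.append(("ASYMMETRIC_DNAT", f"redirect '{r['option'].get('name')}': {ip} sits "
                             f"behind another gateway; enable masq on zone "
                             f"{r['option'].get('dest')} or add a matching SNAT rule"))
    return findings


# The configs posted in the thread after the switch to official OpenWrt, trimmed.
NETWORK = """
config interface 'LAN_DHCP'
    option proto 'static'
    option device 'eth0.1'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'LAN'
    option proto 'dhcp'
    option device 'eth0.2'

config interface 'PureVPN'
    option proto 'pptp'
    option server 'de-ded-11.pointtoserver.com'
"""

FIREWALL = """
config zone
    option name 'VPN'
    option input 'ACCEPT'
    option forward 'REJECT'
    list network 'PureVPN'
    option masq '1'

config zone
    option name 'LAN'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'LAN'
    list network 'LAN_DHCP'

config redirect
    option target 'DNAT'
    option name 'NAS - DSM'
    list proto 'tcp'
    option src 'VPN'
    option src_dport '1001'
    option dest_ip '192.168.2.56'
    option dest_port '1001'
    option dest 'LAN'
"""

# Same firewall with the thread's fixes: VPN zone closed to the router itself,
# MSS clamping on, and the SNAT rule instead of masquerading the whole LAN zone.
FIREWALL_FIXED = FIREWALL.replace(
    "option name 'VPN'\n    option input 'ACCEPT'",
    "option name 'VPN'\n    option input 'REJECT'\n    option mtu_fix '1'",
) + """
config nat
    option name 'SNAT-to-LAN'
    option src 'LAN'
    option target 'SNAT'
    option snat_ip '192.168.2.250'  # assumed: the router's address on the main LAN
    option dest_ip '192.168.2.56'
    option proto 'tcp'
    option dest_port '1001'
"""

if __name__ == "__main__":
    for code, msg in audit_firewall(NETWORK, FIREWALL) or [("OK", "no findings")]:
        print(f"{code}: {msg}")
```

Run it against the real files with `audit_firewall(open('/etc/config/network').read(), open('/etc/config/firewall').read())`. The third check is the one that explains the original symptom: the NAS at 192.168.2.56 lives on the main router's subnet, which this router only reaches through its DHCP-client `LAN` interface, so the DNAT'ed SYN arrives but the SYN-ACK goes to 192.168.2.1 and the VPN client never sees it; rewriting the source to the router's own address (masq or SNAT) forces the reply back through it.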
