PPTP VPN Server in LEDE

I was trying to set up a PPTP VPN server on my TL-MR3420v2 router. I have extroot already. I am trying to set up PPTP here, as I need to keep my Pi always running for this; I thought running PPTPD on the router would be a good choice.

I followed this guide, Point-to-Point Tunneling Protocol (PPTP) Server

This guide works fine for me, but when I add the rules in firewall.user, all of my open ports become visible on the WAN interface. Currently, I use HTTPS (LuCI SSL) with a port forward to access my router remotely, and I disabled RFC. So I can access it like https://wanip:port, and the same with SSH: ssh -p port root@wanip.

I checked with a port scan; I saw that everything is fine without the PPTP firewall.user rules. But when I activate them, all ports are visible. Is there any way to fix this? One thing I forgot to add: I use PPPoE as WAN.

Here is my whole configuration.
/etc/config/pptpd

config service 'pptpd'
	option 'enabled' '1'
	option 'localip' '192.168.3.1'

config 'login'
	option 'username' 'username1'
	option 'password' 'userpass1'
	option 'remoteip' '192.168.3.11'

config 'login'
	option 'username' 'useraccess1'
	option 'password' 'useraccess1'
	option 'remoteip' '192.168.3.12'

/etc/config/network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option delegate '0'
	option gateway '192.168.3.1'
	option broadcast '192.168.3.255'
	option ip6ifaceid '::26'
	option dns '208.67.222.123 208.67.220.123'

config interface 'wan'
	option ifname 'eth0'
	option _orig_ifname 'eth0'
	option _orig_bridge 'false'
	option proto 'pppoe'
	option username 'wanaccess'
	option password 'wanpass'
	option delegate '0'
	option peerdns '0'
	option dns '208.67.222.123 208.67.220.123'
	option ipv6 '0'

/etc/config/firewall
    config rule
    	option target 'ACCEPT'
    	option src 'wan'
    	option proto 'tcp'
    	option dest_port '1723'
    	option name 'PPTP'
    	option family 'ipv4'

    config rule
    	option name 'VPN GRE'
    	option target 'ACCEPT'
    	option src 'wan'
    	option proto 'gre'

    config zone
    	option name 'lan'
    	option input 'ACCEPT'
    	option output 'ACCEPT'
    	option forward 'ACCEPT'
    	option network 'lan'

    config zone
    	option name 'wan'
    	option input 'REJECT'
    	option output 'ACCEPT'
    	option forward 'REJECT'
    	option masq '1'
    	option mtu_fix '1'
    	option network 'wan'

    config forwarding
    	option src 'lan'
    	option dest 'wan'

/etc/pptpd.conf

#debug
speed 115200
stimeout 10
#localip & remoteip are not needed, ip management is done by pppd
localip 192.168.3.1
remoteip 192.168.3.11-20

/etc/ppp/options.pptpd

#debug
#logfile /tmp/pptp-server.log
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
proxyarp
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 8.8.8.8
#plugin radius.so
#radius-config-file /etc/radius.conf

/etc/ppp/options

#debug
logfile /dev/null
noipdefault
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1

/etc/ppp/chap-secrets

username1 pptp-server userpass1 192.168.3.11
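
One thing worth checking for the symptom described in the post above, as an added example that is not from the thread or the guide: iptables treats a trailing `+` in `-i`/`-o` as a prefix wildcard, so a rule written for `ppp+` also matches a PPPoE WAN device if that device is named `pppoe-wan`. The device name and the sample rules are assumptions, since the thread does not show the poster's firewall.user.

```shell
#!/bin/sh
# Added example: find firewall.user-style rules whose -i/-o wildcard
# also matches the WAN device. Negated matches ("! -i") are not interpreted.

# iptables reads a trailing '+' in an interface name as "any interface
# whose name begins with this prefix". Returns 0 if pattern $1 matches name $2.
iface_matches() {
    case "$1" in
        *+) prefix=${1%+}
            case "$2" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Reads rules on stdin; prints each rule whose -i/-o pattern matches device $1.
rules_hitting_wan() {
    wan_dev=$1
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        set -f; set -- $rule; set +f    # word-split without glob expansion
        while [ $# -gt 1 ]; do
            case "$1" in
                -i|-o|--in-interface|--out-interface)
                    if iface_matches "$2" "$wan_dev"; then
                        printf '%s\n' "$rule"
                        break
                    fi ;;
            esac
            shift
        done
    done
}

# Constructed sample rules (assumption: not taken from the thread).
SAMPLE_RULES='iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A input_rule -i ppp0 -j ACCEPT'

# Assumed WAN device name for a PPPoE uplink on logical interface "wan".
WAN_DEV=pppoe-wan

echo "Rules that also apply to $WAN_DEV:"
printf '%s\n' "$SAMPLE_RULES" | rules_hitting_wan "$WAN_DEV"
```

On the router, the same function can read the real file, for example `rules_hitting_wan pppoe-wan < /etc/firewall.user`, once the actual WAN device name has been confirmed.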

Yes, I too have followed the thread you mention and have run into a problem, when using the Access Control Luci plugin, whereby the rules there are ignored when the PPTP firewall forwards are enabled.

Seems to me that these rules need to be locked down somehow, but I'm reluctant to move my subnet range for VPN/PPTP clients to do this.

I need to find some time to study the forwards, but for now, I've turned off the PPTP server and its rules.

Yeah, the same situation as you.
I am rather looking to set up an OpenVPN server on it. But I need to use an OpenVPN client on it too. I don't know how to do this, as I got an OpenVPN server and would like to use the LAN and WiFi interfaces as an OpenVPN client and meanwhile use the OpenVPN server as home IP.