I am trying to set up a PPTP VPN server on my TL-MR3420 v2 router. I already have extroot. I am setting up PPTP here because otherwise I need to keep my Pi always running for this, so I thought running pptpd on the router would be a good choice.
I followed this guide, Point-to-Point Tunneling Protocol (PPTP) Server
The guide works fine for me, but when I add the rules to firewall.user, all of my open ports become visible on the WAN interface. Currently I use HTTPS (LuCI SSL) with a port forward to access my router remotely, and I have disabled RFC. So I can reach it at https://wanip:port, and likewise over SSH with ssh -p port root@wanip.
I ran a port scan: everything is fine without the PPTP firewall.user rules, but as soon as I activate them, all ports are visible. Is there any way to fix this? One thing I forgot to add: I use PPPoE as WAN.
Here is my whole configuration.
/etc/config/pptpd
# pptpd service section: enables the daemon and sets the server-side tunnel address.
# NOTE(review): 'localip' is the same address as the LAN interface in /etc/config/network (192.168.3.1).
config service 'pptpd'
option 'enabled' '1'
option 'localip' '192.168.3.1'
# One 'login' section per VPN account. Passwords are kept here in clear text, so the values
# shown are presumably placeholders; real accounts need long, random, unique secrets.
# 'remoteip' matches the fourth field of the /etc/ppp/chap-secrets line shown later in the post.
config 'login'
option 'username' 'username1'
option 'password' 'userpass1'
option 'remoteip' '192.168.3.11'
# NOTE(review): this account's password is identical to its username. If that reflects the
# real configuration rather than a redaction, change it before TCP 1723 is reachable from WAN.
config 'login'
option 'username' 'useraccess1'
option 'password' 'useraccess1'
option 'remoteip' '192.168.3.12'
/etc/config/network
# LAN: bridge over eth1 with the static address 192.168.3.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.3.1'
option delegate '0'
# NOTE(review): 'gateway' is the router's own LAN address; confirm this is intended.
option gateway '192.168.3.1'
option broadcast '192.168.3.255'
option ip6ifaceid '::26'
option dns '208.67.222.123 208.67.220.123'
# WAN: PPPoE session over eth0.
# NOTE(review): with proto 'pppoe', OpenWrt names the resulting WAN device 'pppoe-wan', i.e. its
# name begins with "ppp". A firewall.user rule that matches interfaces with a 'ppp+' wildcard
# would therefore apply to WAN traffic as well as to PPTP client links (ppp0, ppp1, ...).
# The firewall.user rules are not shown in this post; check them for such a wildcard, since it
# would be consistent with every listening port becoming reachable from WAN.
config interface 'wan'
option ifname 'eth0'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option proto 'pppoe'
# ISP credentials, stored in clear text (values here are presumably placeholders).
option username 'wanaccess'
option password 'wanpass'
option delegate '0'
# peerdns '0': do not use the DNS servers offered by the PPPoE peer; use the list below instead.
option peerdns '0'
option dns '208.67.222.123 208.67.220.123'
option ipv6 '0'
/etc/config/firewall
# Accept the PPTP control channel (TCP 1723, IPv4) arriving from the wan zone.
# NOTE(review): no source restriction is set, so any WAN host can reach the PPTP login.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1723'
option name 'PPTP'
option family 'ipv4'
# Accept GRE from the wan zone; PPTP carries the tunnelled traffic in GRE.
config rule
option name 'VPN GRE'
option target 'ACCEPT'
option src 'wan'
option proto 'gre'
# lan zone: input, output and forward are all accepted.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan zone: inbound and forwarded traffic is rejected by default; masquerading and MSS clamping
# ('mtu_fix') are enabled. With this default only explicitly opened ports should answer from WAN.
# NOTE(review): rules added through firewall.user are raw iptables commands and can accept
# packets before this zone default is reached, so a broad ACCEPT there overrides 'input REJECT'.
# The port forwards for LuCI and SSH mentioned in the post are not part of this listing.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
# Allow LAN hosts to be forwarded out through WAN.
config forwarding
option src 'lan'
option dest 'wan'
/etc/pptpd.conf
# pptpd daemon settings. Debug output is disabled (commented out).
#debug
speed 115200
stimeout 10
#localip & remoteip are not needed, ip management is done by pppd
# NOTE(review): despite the comment above, both are set here. The client pool 192.168.3.11-20
# lies inside the LAN subnet 192.168.3.0/24 from /etc/config/network, and options.pptpd enables
# 'proxyarp', so VPN clients appear as hosts on the LAN. The DHCP range is not shown in this
# post; make sure it does not overlap this pool.
localip 192.168.3.1
remoteip 192.168.3.11-20
/etc/ppp/options.pptpd
# pppd options applied to PPTP client sessions. Debug and per-session logfile are disabled.
#debug
#logfile /tmp/pptp-server.log
# Require the connecting peer to authenticate.
auth
# Server name; matches the second field of the /etc/ppp/chap-secrets entry shown in the post.
name "pptp-server"
# Send an LCP echo every 60 s and drop the link after 3 unanswered echoes.
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
# Disable BSD-Compress and Deflate compression.
nobsdcomp
nodeflate
#noproxyarp
#nomppc
# Add a proxy ARP entry for each client so it is reachable as if it were on the LAN.
proxyarp
# Only MS-CHAPv2 is accepted; CHAP, MS-CHAP, EAP and PAP are refused.
# NOTE(review): MS-CHAPv2 is the strongest method PPTP offers but is considered cryptographically
# weak, so VPN passwords must be unique to this service and not reused anywhere else.
# NOTE(review): no MPPE option (e.g. 'require-mppe-128', or the 'mppe required,...' form used by
# OpenWrt's pppd) appears in this listing, so as far as this file shows, link encryption is not
# being enforced. Confirm against the installed defaults.
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
# DNS server handed to VPN clients. Note that it differs from the resolvers set in
# /etc/config/network (208.67.222.123 / 208.67.220.123).
ms-dns 8.8.8.8
#plugin radius.so
#radius-config-file /etc/radius.conf
/etc/ppp/options
# Global pppd defaults. Debug is disabled.
#debug
# NOTE(review): pppd's own log file is discarded here, so connection and authentication failures
# will not be recorded in it. Check that they still reach syslog if failed VPN logins should be
# auditable.
logfile /dev/null
noipdefault
# Do not negotiate address/control or protocol field compression.
noaccomp
nopcomp
# No hardware (RTS/CTS) flow control.
nocrtscts
lock
# maxfail 0: no limit on consecutive failed connection attempts.
maxfail 0
# Send an LCP echo every second and drop the link after 5 unanswered echoes.
lcp-echo-failure 5
lcp-echo-interval 1
/etc/ppp/chap-secrets
# Fields: client name, server name, secret, permitted client IP address.
# The secret is stored in clear text, so this file should be readable by root only.
# NOTE(review): only 'username1' is listed, although /etc/config/pptpd defines a second login
# ('useraccess1'); the listing may be truncated. Confirm against the router.
username1 pptp-server userpass1 192.168.3.11