Routing clients on PPTP Server in LEDE

gabrielflach · February 12, 2019, 12:40pm

I have a two routers, one TP-link wdr3600 with LEDE 17.01.6 and one TP-Link wr1043nd. The wdr3600 is a pptp server and a wr1043nd is a pptp client.
The wdr3600 have a two lan addresses, 192.168.1.0/26 and 192.168.2.0/24. The address of pptp clients range is 10.0.0.0/28.
The client connect fine on wdr3600, but it's can't connecting to a lan addresses.

/etc/config/pptpd

config service 'pptpd'
        option 'enabled' '1'
        option 'localip' '10.0.0.1'
        option 'remoteip' '10.0.0.2-14'

config 'login'
        option 'username' 'username1'
        option 'password' 'password1'
        option 'remoteip' '10.0.0.4'

/etc/ppp/options.pptpd

#debug
#logfile /tmp/pptp-server.log
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
#ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan2'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan2'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'lan2'

config forwarding
        option dest 'wan'
        option src 'lan2'

config rule
        option target 'ACCEPT'
        option name 'pptp'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

config rule
        option target 'ACCEPT'
        option name 'gre'
        option src 'wan'
        option proto '47'

/etc/firewall.user

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.62'
        option netmask '255.255.255.192'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 5'

config interface 'lan2'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'

config route
        option target '192.168.4.0'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '10.0.0.4'

trendy · February 12, 2019, 2:25pm

config route
        option target '192.168.4.0'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '10.0.0.4'

This one should point to ppp interface and not lan. If you cannot assign a ppp interface, leave it empty.
Otherwise try to set a static route with a pptp-up script.
Do the pptp clients acquire the default route from server? If not, you'll have to activate the 192.168.X.Y subnets upon connection.

gabrielflach · February 12, 2019, 3:01pm

The pptp clients acquire the defult router from server, but on the wr1043nd, I disable the default router and set the static routes.
I remove lan interface on server and tested ping in the wr1043nd to the one computer on the 192.168.1.0/24 network and works fine, but on the one computer on lan 192.168.4.0/192, the ping not respondig.

The wr1043nd config files:

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.4.62'
        option netmask '255.255.255.192'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 'auto'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220 199.85.126.10 199.85.127.10 8.26.56.26 8.20.247.20 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto '6in4'
        option peeraddr 'ipv4'
        option ip6addr 'ipv6::2/64'
        option ip6prefix 'prefix::/48'
        option tunnelid 'tunnelid'
        option username 'username'
        option password 'password'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '2 5t'

config interface 'vpn'
        option proto 'pptp'
        option username 'username'
        option password 'password'
        option defaultroute '0'
        option keepalive '5 5'
        option peerdns '0'
        option server 'serverip'

config route
        option interface 'vpn'
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'

/etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

trendy · February 12, 2019, 3:17pm

Does the wdr3600 have a route to return traffic to 192.168.4.0/26 ?
Quick and easy solution is to enable masquerade on vpn firewall zone of wr1043nd.
Otherwise you need to setup a static route on wdr3600.

gabrielflach · February 12, 2019, 3:22pm

Yes, it's have a static route.

config route
        option target '192.168.4.0'
        option netmask '255.255.255.0'
        option gateway '10.0.0.4'

trendy · February 12, 2019, 3:25pm

I mean is it visible at run-time? ip -4 ro
If it is, verify with tcpdump that you can see the incoming and outgoing packets on the wdr3600.

gabrielflach · February 12, 2019, 4:48pm

I change the firmware to dd-wrt, and the pptp server works fine.
I'm going to create the lab scenario to test the pptp server on openwrt again.
When I run the ip -4 ro command, the route to the network does not appear. In the wiki openwrt, the interface is required, so it may not insert the route.

trendy · February 13, 2019, 8:32am

This is a problem.

The interface is not a mandatory option to create a static route. The issue is that when you create the static route, there is no interface ppp or there is no direct connectivity towards 10.0.0.4, hence the static route needs to be added after the ppp is up.

diizzy · February 13, 2019, 12:28pm

As a sidenote, unless you have other clients that need pptp I would advice you to switch from pptp to wireguard or openvpn. Softether(5) would be an option but it's most likely too demanding for the WR1043ND at least if you have v1.

trendy · February 13, 2019, 1:40pm

On top of what @diizzy mentioned, route advertisement will be much easier, not to mention security-wise.

gabrielflach · June 22, 2019, 12:27pm

Thanks for your help. I ended up deciding to use openvpn. I left an older router with dd-wrt and pptp server for windows and android clients.

lleachii · June 24, 2019, 3:25pm

Why not use OpenVPN for those clients too?

system · October 1, 2019, 12:02am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.