Trouble configuring PPTP client

I followed every step of this guide:

https://openwrt.org/docs/guide-user/services/vpn/pptp/client

Then, when I check my vpn client in the interfaces, it looks like it is connected, but I am not getting my vpn ip.
Any ideas of how I can solve this issue?

Any help is appreciated :slight_smile:

This is my interface vpn
Imgur

We'll need more info to help out. In particular, please post your config files in a </> code block to retain the formatting (redact any usernames/passwords and public IP addresses).
/etc/config/network
/etc/config/firewall

Also, please describe how you know your VPN client is connected -- are you getting an IP address on the interface? Or some other indication?

Meanwhile, if your VPN supports it, I'd recommend avoiding PPTP if at all possible. PPTP is considered extremely insecure (super easy to hack) and has been deprecated in many systems. Instead, WireGuard is really high performance and modern, or OpenVPN is also a good option but may be processor limited in terms of maximum bandwidth.

2 Likes

Also post the following:
ip -4 addr; ip -4 ru; ip -4 ro ls tab all; ip -4 ro

Thank you for the reply.
What do you mean by getting an IP address on the interface? You mean LuCI?
I am aware pptp is insecure but using openvpn gets extremely low and I am using the vpn only for streaming purposes, nothing else.

Also I have to mention, this is a router that is working as a switch (it is connected to a modem router), so I am not using its wan port.

here is my config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:ce0a:8b16::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option dns '192.168.2.1'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '88:57:EE:29:64:38'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '88:57:EE:29:64:38'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 3 2 1 0'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config interface 'lollipop'
        option proto 'pptp'
        option username 'myusr'
        option ipv6 'auto'
        option password 'PWD'
        option server 'serveraddress'

Here is my config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'lollipop_fw'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option network 'lollipop'

config forwarding
        option dest 'lollipop_fw'
        option src 'lan'

here is my ip -4 addr; ip -4 ru; ip -4 ro ls tab all; ip -4 ro output

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.2/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
70: pptp-lollipop: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.10.52.99 peer 192.168.88.1/32 scope global pptp-lollipop
       valid_lft forever preferred_lft forever
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
ip: invalid argument 'ls' to 'ip'
default via 192.168.88.1 dev pptp-lollipop
162.251.160.50 via 192.168.2.1 dev br-lan
192.168.2.0/24 dev br-lan scope link  src 192.168.2.2
192.168.88.1 dev pptp-lollipop scope link  src 10.10.52.99

and finally this is how my log looks after connecting to the VPN server.

Tue Apr 14 21:18:02 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Tue Apr 14 21:18:02 2020 daemon.info pppd[24169]: Plugin pptp.so loaded.
Tue Apr 14 21:18:02 2020 daemon.info pppd[24169]: PPTP plugin version 1.00
Tue Apr 14 21:18:02 2020 daemon.notice pppd[24169]: pppd 2.4.7 started by root, uid 0
Tue Apr 14 21:18:06 2020 kern.info kernel: [ 2838.710050] pptp-lollipop: renamed from ppp0
Tue Apr 14 21:18:06 2020 daemon.info pppd[24169]: Renamed interface ppp0 to pptp-lollipop
Tue Apr 14 21:18:06 2020 daemon.info pppd[24169]: Using interface pptp-lollipop
Tue Apr 14 21:18:06 2020 daemon.notice pppd[24169]: Connect: pptp-lollipop <--> pptp (vpnserver)
Tue Apr 14 21:18:07 2020 daemon.notice pppd[24169]: CHAP authentication succeeded
Tue Apr 14 21:18:07 2020 daemon.notice pppd[24169]: MPPE 128-bit stateless compression enabled
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: local  IP address 10.10.52.99
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: remote IP address 192.168.88.1
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: primary   DNS address 192.168.88.1
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: secondary DNS address 74.82.42.42
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: local  LL address fe80::71a1:fe9f:9607:4e26
Tue Apr 14 21:18:08 2020 daemon.notice pppd[24169]: remote LL address fe80::0000:0000:00f1:42b5
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Network device 'pptp-lollipop' link is up
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Interface 'lollipop' is now up
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Network alias 'pptp-lollipop' link is up
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Interface 'lollipop_6' is enabled
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Interface 'lollipop_6' has link connectivity
Tue Apr 14 21:18:08 2020 daemon.notice netifd: Interface 'lollipop_6' is setting up now

Looks fine, where is the issue exactly?

I cannot get my wireless and lan devices to get the vpn's ip.... Do I have to do something manually?
The devices have internet but still my home's ip.

From the luci gui I can see this menu, I thought probably I should attach it to my vpn network?

image

This is why your devices aren’t using the vpn. You need to configure them with a different gateway (192.168.2.2) - by default (based on the existing router’s dhcp server), they will use the main router as the gateway. They are currently unaware of your vpn router as a gateway.

2 Likes
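An added example, not part of any post in this thread: a longest-prefix route lookup over `ip -4 route` text, showing that the router's own traffic leaves through `pptp-lollipop` while a LAN client holding a lease from the ISP router still sends traffic to 192.168.2.1. The client tables, the destination 198.51.100.7 and the VPN server address 203.0.113.50 are constructed sample values.

```shell
#!/bin/sh
# next_hop DEST ROUTES
# Longest-prefix match of DEST against text in `ip -4 route` format.
# Prints "<gateway|direct> <device>", or "unreachable" if nothing matches.
next_hop() {
    printf '%s\n' "$2" | awk -v dst="$1" '
    function ip2int(s,  o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best = -1 }
    {
        net = $1; len = 32; via = "direct"; dev = "?"
        if (net == "default") { net = "0.0.0.0"; len = 0 }
        else if (split(net, p, "/") == 2) { net = p[1]; len = p[2] + 0 }
        # Ignore anything that is not a route line (rules, error text).
        if (net !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        for (i = 2; i < NF; i++) {
            if ($i == "via") via = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        size = 2 ^ (32 - len)
        if (int(ip2int(dst) / size) == int(ip2int(net) / size) && len > best) {
            best = len; hop = via " " dev
        }
    }
    END { if (best >= 0) print hop; else print "unreachable" }'
}

# Router table in the shape posted above; the VPN server address is replaced
# by a constructed documentation address (203.0.113.50).
ROUTER_ROUTES='default via 192.168.88.1 dev pptp-lollipop
203.0.113.50 via 192.168.2.1 dev br-lan
192.168.2.0/24 dev br-lan scope link  src 192.168.2.2
192.168.88.1 dev pptp-lollipop scope link  src 10.10.52.99'

# Constructed LAN client tables: a lease from the ISP router versus a lease
# (or static setting) that names the OpenWrt box as gateway.
CLIENT_ISP_DHCP='default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0 scope link  src 192.168.2.50'
CLIENT_VIA_OPENWRT='default via 192.168.2.2 dev eth0
192.168.2.0/24 dev eth0 scope link  src 192.168.2.50'

DEST=198.51.100.7   # constructed Internet destination
echo "router:            $(next_hop "$DEST" "$ROUTER_ROUTES")"
echo "client, ISP lease: $(next_hop "$DEST" "$CLIENT_ISP_DHCP")"
echo "client, gw .2.2:   $(next_hop "$DEST" "$CLIENT_VIA_OPENWRT")"
```

Feeding it the real output of `ip -4 route` from a client is a quick way to confirm which gateway that client will actually use before checking its public IP.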

Thank you for your response.
I understand what you are explaining to me, but I do not know how to do it.
Could you please point me to how I can achieve this in openwrt?

It is a bit difficult because the default gateway is the router of your ISP (the 2.1).
If you want all your hosts to go through VPN, you can try to change the gateway option in the dhcp server of the ISP router.
In case that is not possible (most likely) you'll have to disable the dhcp server of the ISP router and enable the dhcp of the OpenWrt for the lan. This is more configurable as you can assign per host each option, like gateway or dns.
Last resort is to use static settings and assign yourself the 2.2 gateway for the hosts that need to go through VPN.

2 Likes

Thank you for your reply :slight_smile:

It looks like the 2nd option, disabling the dhcp server of my ISP router and enabling it in my OpenWrt for the lan, is the best option. Could you point me to what the next steps would be? Of course, after turning off the dhcp server in my isp router.

Below are some images of my ISP router dhcp settings (in case your first option is possible).

No, there is no option for custom gateway.
In Network Interfaces enable the dhcp server for lan and force the hosts to ask for IP from the new dhcp server.

This is going to be a silly question, but at this point the wan port should not be used, correct?

It is up to you to use it or not.
If you connect the wan port of OpenWrt to the lan of the ISP router and connect the hosts on the lan of OpenWrt it will work more easily than what you have now.

Thank you for taking your time to explain.
By turning off the DHCP server in my modem router, then it will start working more like a modem only?
If that is the case I just should follow the guides out there of how to set an openwrt as a common router?

I can't mess with my ISP router right now because I am working at the same time.
I will be working on this issue at nights where I live and post my progress here :slight_smile:

If the modem+router supports bridge mode, you can make the openwrt router the primary router and then the vpn connection will “just work”. But if you cannot do this, the modem+router will still be a router, it just won’t automatically hand out addresses to your network if dhcp is disabled.

As it stands now, though, if you set the openwrt router as the gateway for your various devices, it will work while the vpn is running. However, when the vpn is not active, your devices will not be able to get to the internet.

In the first option, what do you mean by it will "just work"? Is this the ideal scenario?

Looking here:
https://forum.huawei.com/enterprise/en/how-to-use-hg8245q-as-a-bridge-for-a-second-router/thread/467425-100181

It looks like my modem router supports bridge mode.

The ideal situation is that the openwrt router is the primary (only) router for your network. If the modem is bridged, it will pass the address provided by the isp directly to the wan port on your openwrt router and your openwrt router will be the router/gateway for your network and will perform dhcp and often dns functions. Once this is the case, you don’t need to do anything special to the client devices to get them to pass traffic through the vpn - the router would handle that for the entire network, automatically.

1 Like

I understood every step that has to be done. Thank you!
As much of the config has to be done through ssh, do you know if there is any manual out there?

For now I have found this thread:

It looks like it can help me get started.

Just had a look at my modem router and it looks like my ISP locked that function (bridge).
The other option is to set the openwrt router as the gateway for my devices. How can I achieve this?

Apologies for asking many questions. I do appreciate your help! :slight_smile:

You can do much of the stuff directly using LuCI (the web interface). There are only a few things you need to do via the command line (using ssh to login to the router).

The resources on the OpenWrt site (wiki, tutorials, etc.) are likely going to be the most accurate, up-to-date, and best-practice techniques, but there are other great tutorials out there (just be aware, though, that they aren't always the right way to do things, or there may be assumptions that are not stated and that don't apply to your network).

You might want to look at the quick start guide to get you going.

Are there specific things you need help with right now, or just looking for general info?