VPN PPTP Passthrough on OpenWrt router

I have a home site plus a mobile phone that I need to VPN into a central site so that they have full access to the central site's LAN. The central site was previously using OpenWRT running WireGuard. I was happy with this arrangement and the cell phone would connect from anywhere.

Unfortunately, a hacker got in and bricked the router. I bought a new one, a TP-LINK Archer AX1800, but it is not supported by OpenWRT. So I'm stuck with the factory firmware which does not support WireGuard. It supports OpenVPN, but this is too slow. So I'm stuck with PPTP.

The problem is that my OpenWRT router at my home site is blocking PPTP for some reason. If I use the cell phone on my data plan, it works fine. However, the same cell phone connected to the Home OpenWRT router will not connect. Windows reports that a port is being blocked.

I tried adding firewall traffic rules to forward port 1723 and port 47 from any zone to any zone, but it did not help.

So is there a way to enable PPTP passthrough on OpenWrt 19.07.7?

For older versions of OpenWrt, I recall I had to install the following package when I used to use PPTP to connect to VPN provider.

kmod-nf-nathelper-extra

If a hacker really got into your system, the last thing you want to do is use a VPN protocol that is completely insecure. It is not considered safe under any circumstances to use this protocol anymore and is unsuitable for the modern internet.

Are you sure that it is truly bricked? In the vast majority of cases, the router should be recoverable by means of failsafe mode and factory reset. If the hardware has failed, that is not likely the work of a hacker, as there is very little that can be done to kill the hardware from a purely software perspective (unless they managed to erase things like the boot loader and such)

Meanwhile, you could get a used router that supports OpenWrt and put that behind the main one as a VPN endpoint running WireGuard. This would be much more secure than trying to use PPTP, and you don't need a very powerful device to run WireGuard since it is so much more efficient that OpenVPN.

Thanks, that fixed it.

I hear you. I think you were the guy that helped me get wireguard working in the first place. I was very disappointed that a brand new router did not support wireguard. I do plan to get on their forum and ask if they can start including it.

The old router is a Netgear R6260. When this model router bricks, it takes a lot of soldering and JTAGing to bring it back. This is actually my second one and the first was returned to WalMart because it bricked while I was trying to get OpenWrt installed.

I tried to find an OpenWRT or DD-WRT compatible router at Walmart but failed.

In my case, I believe, from earlier logs, that the hacker got in through SSH. I noticed him hammering it. The version of SSH that OpenWRT uses does not block people for excessive wrong passwords. Once he got in, the wireguard keys were right there for the taking. My SSH password was only 8 characters which probably made it easier for him to get in. I moved my SSH to a non-standard port, but it only took him a few minutes to find it again.

I'm not sure why he is targeting me. I have several indoor cameras that are accessible by VPN, but we're just not that interesting to look at. There is nobody famous or with political clout here.

I don't like using PPTP, but its using some encryption these days so its not totally insecure. The fact that it uses TCP for connections is disturbing. That means the hacker is probably already trying to get in since the PPTP port is well known and fixed. This time my password is considerably longer than 8 characters so it will take him a while.

I tested the cameras with direct port forwarding and connection through the PPTP VPN. The result was that the direct port forwarding was 1-2 seconds slower than the VPN accessing the camera with a local IP. So using a second device to run wireguard isn't going to be any better than just using OpenVPN in the first place on the TPLink. The best solution is to get TP-Link to join us in the 21st century and make wireguard support standard.

IMO, your logic here is a bit flawed...

You got hacked, so your solution is to use a VPN that has been deprecated due to its completely inadequate security features. That's like saying that someone broke your regular door lock and burglarized your home, so instead of installing a proper deadbolt, you decide to secure your home with a screen door.

Two possible answers here...

  1. you, as an individual person, were targeted for because you were a valuable/worthwhile target for some reason (maybe someone holding a grudge, maybe where you work, or what you have in your home, etc.)
    or (more likely...)
  2. you, as some random person on the internet, were an easy or fun target (but the hacker doesn't know or care who you are as a person).

I'm still not entirely convinced that a hacker would have been able to (or felt it was worth) bricking your router at a hardware level. What are the symptoms? Have you tried failsafe mode?

Why was ssh open to the WAN if you had a VPN available? Once connected to the VPN, you can access the router directly if you desire (based on your firewall settings), so there's no need to have ssh open to the internet.

The more open ports that you have, the more attack surfaces you provide. And with PPTP, that is only magnified because it is so easy to crack. WireGuard is actually really cool in that it appears to be closed unless the cryptographic keys all match... it just doesn't respond to any attempts that are invalid.

Aside from exposing ssh to the internet, an 8 character password means that it was probably really easy to do a brute force attack (and the user 'root' means they didn't even have to try brute force on the user itself). Seems like this was a bad mistake.

It is about as effective as a screen door as a submarine hatch.

I think you've drawn a false equivalency here... I personally have a Ubiquiti Unifi Security Gateway as my main router...it has some VPN features, but IIRC PPTP was one of them, and OpenVPN is painful to use on this device. Behind that I have an old Ubiquiti RouterStation Pro that is my VPN endpoint. It is pretty fast even though it is old. You could easily pick up a used device that can support OpenWrt + WireGuard for <$25 US. Even a Raspberry Pi 3b (or maybe even a 2b in a pinch) could work quite well for this purpose.

Sure, but that's not likely to happen in a timeframe that works for your current needs. You got a wifi 6 router, which means it is pretty new. If they're a) still including PPTP, and b) not including WireGuard, think about how long it will take them to make those changes and provide firmware for users. Chances are that they will not release WG ever on your device... they may eventually do it for say wifi 7 or wifi 8... but in the meantime, you are putting yourself at considerable risk.

PPTP is not secure and will be a liability. To quote from the wikipedia article I linked earlier (emphasis added):

Most networks that use PPTP have to apply additional security measures or be deemed completely inappropriate for the modern internet environment.

Anyway, you have been warned.

Yeah, its a bad situation, but at this time, PPTP is the only workable solution. Using a secondary router to handle Wireguard sounds good, but using port forwarding adds too much processing time. One speculation of mine is that it might be possible to use an IPv6 node to handle wireguard and avoid the port forwarding penalty. But would the extra translation be too costly?

One other thing about the TP link AX1800 is that it is really rough getting basic things done like making nodes static and setting up port forwarding. Way harder than OpenWrt.

Are you aware of ANY commercial routers out there at all that support wireguard natively?

Yes, I think it would have been best to disable SSH on the web. I used that for configuring WireGuard and never took it down. Some of the port forwards into the camera had IP restrictions in OpenWrt. But the IP is dynamic.So I needed a way to get back into the router to remotely to change them.

With the R6260 there is a failsafe flash program, but it seldom works. The first symptoms were that both radios quit working at the same time. I then saved the configuration which then turned out to be a fake file. I didn't know it at the time, and when I tried to restore a previously known good configuration, that's when it went bye-bye for good.

Because its so prone to bricking, I really don't want it any more. However, finding an openWrt compatible router is getting harder and harder.

I have a Raspberry Pi2 that I might try to use as a wireguard node sometime. I don't like PPTP any more than you do. I'm sure the hacker is currently busy hammering away at the PPTP port. I have noticed that the connection time can take 10 seconds or more, whereas with wireguard it was only a second or two. That could possibly be an indicator of how much its being hammered.

This doesn't sound right at all. What gives you this impression?

So return this unit and get something else. Walmart is not a particularly good place to buy network equipment... so many other options out there (depending on where you are in the world)... Best Buy, Amazon, Newegg, and a zillion other retailers have better network device options than Walmart (this is speaking from a US perspective).

I'm failing to understand how OpenWrt was producing restrictions unless you mean you created them using the firewall.

Dynamic IPs shouldn't produce any issues -- use a dynamic DNS to solve for that. And if you need to make changes to the router itself, do it by means of the VPN connection (which uses the dynamic DNS hostname to resolve).

This sounds like a misconfiguration, not the work of a hacker. And it sill should be recoverable using the failsafe method I linked earlier.

There are almost 2000 devices on this list. Look at online stores to see what they have in stock in the price range you're willing to pay (so in the US: Amazon, Best Buy, Microcenter, Newegg, Walmart, Target, etc.), then look at the ToH list. Can't find one that way? Look at used options on eBay, craigslist, facebook marketplace, etc.

When I first installed the PPTP server, I tested the port forward route against the PPTP server route and the PPTP route was faster by a significant amount. Its possible it was a coincidence, but the extra delay was very noticeable.

A Raspberry Pi is really expensive right now, but I have heard that WireGuard runs fine on an ESP32 which is an inexpensive 32 bit board. I don't know how well it works in practice.

I could return the unit, and may still do it, however, its unlikely that I will find another unit that supports wireguard natively. A lot of the units on the OpenWrt list are older models that are not made any longer. At least with Walmart, I do have 30 days to return it.

OpenWrt allows you to add IP addresses to the port forward so only incoming connections from those addresses will forward. The problem is that the IP address in this case was dynamic so it can periodically change. So a way to change it remotely is necessary.

It was configured perfectly before it suddenly failed. So the hacker did something to it.

I bookmarked the list you send and will be using it for research. There is another list that comes up when you google it, but that list says it is known to be inaccurate. Not sure why they have more than one list.

True... but OpenWrt does support WireGuard

That is true in that when you have thousands of supported routers, many of them are older. But there are plenty that are relatively new. And the used market should have lots of options. Even if this sits behind your new TP-Link router, that's fine. It can be a "VPN appliance" on your LAN.

Unless you really need wifi 6 or super high performance routing (500Mbps - 1Gbps), you don't need to get the newest hardware. I'm running a USG that is capable of gigabit routing but is actually old -- it was released in 2014). And while it is true that Wifi 6 (ax) has many improvements over Wifi 5 (ac), those differences are more relevant to high density wifi user environments. Home users will see very little actual performance benefit relative to the later generation Wifi 5 APs (especially if you don't have many/any Wifi 6 end devices).

You replied before I finished my edit.

I am going to look into setting up a wireguard appliance. The speed advantage of PPTP is no longer relevant because the hacker is hammering the port so hard that I have problems with the connection. I don't think its a DOS attack, just some guy trying to get in. Its only a 3Mb connection so it doesn't take much to overwhelm it.

I am not a famous person, but I think he's pi$$ed that I blocked him from access to the cameras. I believe that is why he wants access so bad.

or... bots/hackers crawl for open ports and assault any with TCP 1723 open because of how easy it is to crack it... it might not be personal, it may be because you're using an insecure protocol that you become a target. For example, Paris is known for pickpockets who often target tourists because of how easy it is to identify tourists who might have nice things to steal and who are not really paying attention to their surroundings to protect themselves and their belongings.

What list is that? Can you provide a link?

Here is the list, but it looks like its actually for ddwrt not openwrt.

https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices

does the fact that it is on the dd-wrt.com website give that away?

The problem with older routers is that they have caps in them that go bad and harm the hardware. The best router I ever had was an Asus RT-N16 but finding one that is still good is pretty hard. But you are correct that I don't need the higher performance router. I will look at the list, but I am leaning toward the wireguard appliance solution.

Sometimes... but typically the caps that fail will cause the device to stop working reliably before they cause other damage the hardware (such as chemical/corrosion from leaking caps)... replacing caps is pretty easy.

I replaced the caps in the asus the first time which gave me several more years, but the second time the damage was too severe.

I want to use a wireguard appliance, but in the interim, I'm thinking that Open VPN would be a good temporary fix. Is the OpenVPN port easily detectable by hackers? is it secure?

Yes. Very easily detected. It is “chatty”.

Properly configured, yes, it should be.

I was reading that it can use both TCP and UDP ports. The port number has a standard, but is not fixed.

So the question is Can a hacker ping a OpenVPN port and get a response? Like "Login: Hacker, Password: DumbDog", Response: "Sorry that is the wrong password for user Hacker for this OpenVPN port".

Or does sending an invalid login result in no response?