OpenWrt Forum Archive

Topic: Help connecting to VPN (PPTP)

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi guys,

I have a Netgear WNDR3700 sitting behind a Motorola NVG510 gateway from AT&T (U-verse). For some inscrutable reason, this RG doesn't have a bridge mode setting, but I'm able to pass its IP and traffic to the router, which achieves a similar effect. However, under the stock firmware (1.0.16.98, the latest available), this setup gives me some performance issues, so I thought I'd try some third-party firmware. I installed arokh's r29617 build of OpenWRT yesterday, and after initial configuration everything seems to be working quite well.

...All except the PPTP connection to my work VPN. This worked fine under the Netgear firmware, where I could (essentially) put my home workstation in DMZ, but I don't see any similar option in LuCI. My computer can connect to the server but then I get a "timeout sending Config-Requests" error. In search of a solution, I've gone through the relevant Wiki entries and a number of forum posts, but in the end they've only confused me. Perhaps you fine folks can help clear the air around this topic.

I've been hoping for a port forwarding or "PPTP passthrough" solution, but I'd settle for putting my workstation in a "DMZ" like it was before. Is there something simple I can add to /etc/firewall.user or /etc/config/network to accomplish this? Can anybody coach me through the process of making such a change? For my sake and the sake of those who might have the same question later, please assume - and forgive - total inexperience. Thanks!

Thanks for the suggestions, fyi.

I get an "unknown package" error when I attempt to install both of those packages using "opkg install package-name", but "kmod-ipt-nathelper-extra" is already installed and up to date.

Forwarding port 1723 was the first thing I did.

Before posting I had already found and tried both of the solutions you linked to. After making the changes I've tried restarting the router and simply restarting the firewall via LuCI, to make sure the rules were recognized and applied. Even putting the "Simple DMZ" rule (with my own IP address, of course) into /etc/config/firewall doesn't seem to work for me... but perhaps I'm doing something wrong. Have you gotten this to work yourself? Can you, or someone else, walk me through the setup in more detail? I'd be much obliged.

Try iptables.

I appreciate your help, fyi, but I don't think I follow. To be sure we're on the same page, I'll post more details about what I've already tried.

Per the Black Manticore article, I put the following code into firewall.user, with no success. (192.168.2.200 is my computer's static IP.)

# PPTP: forward initiator 1723/tcp
iptables -t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to 192.168.2.200
iptables -A forwarding_wan -p tcp --dport 1723 -d 192.168.2.200 -j ACCEPT

# PPTP: forward tunnel GRE traffic
iptables -t nat -A prerouting_wan -p gre -j DNAT --to 192.168.2.200
iptables -A forwarding_wan -p gre -d 192.168.2.200 -j ACCEPT

Per another discussion in this forum, I tried this alternate approach, with no better results:

iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables -A input_wan -p gre -j ACCEPT

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

I had also already tried putting the following at the end of /etc/config/firewall. No joy.

config 'redirect'
    option 'src' 'wan'
    option 'proto' 'all'
    option 'dest_ip' '192.168.2.200'

Am I doing something wrong here, or is there some other code that would do the trick? With my background as a web developer, I understand enough to have some idea of what the code is ostensibly doing, but not enough to be sure it's right.

Read "Black Manticore" again.

Siemova wrote:

I get an "unknown package" error when I attempt to install both of those packages using "opkg install package-name", but "kmod-ipt-nathelper-extra" is already installed and up to date.

opkg update
opkg install iptables-mod-extra kmod-ipt-extra kmod-ipt-nat-extra
opkg list_installed | grep ipt
lsmod | grep ip_

Black Manticore was referring to WhiteRussian and I can't find kmod-ipt-nat-pptp, iptables-extra and kmod-iptables-extra in Kamikaze and Backfire.

lunarg@Black Manticore wrote:

ip_conntrack_proto_gre.o
ip_nat_proto_gre.o
ip_conntrack_pptp.o
ip_nat_pptp.o

OpenWrt / Cannot get PPTP passthrough working

MMCM wrote:

I needed the following modules (on 2.6 Kamikaze):

ip_conntrack_pptp 6448 1 ip_nat_pptp, Live 0xc00ec000
ip_gre 9776 0 - Live 0xc00de000
ip_nat_pptp 2960 0 - Live 0xc00ea000

I'm not a firewall expert. You'd better ask help from others.

Iptables router PPTP passthrough : vpn, iptables, pptp passthrough

(Last edited by fyi on 5 Jan 2012, 19:52)
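An added example, not part of any post in this thread: a POSIX sh check that classifies a router's PPTP passthrough helper state from `lsmod` or `/proc/modules` text, using the module names quoted above. The `nf_*` names (used by later kernels), the function names and the sample listings are assumptions or constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): classify PPTP passthrough helper state
# from lsmod or /proc/modules text. Module names: ip_* as quoted in the thread,
# nf_* as used by later kernels (assumption: the build uses one of the two).

# has_module NAME... : succeeds if any NAME is in $LOADED (one name per line).
has_module() {
    for name in "$@"; do
        printf '%s\n' "$LOADED" | grep -qx "$name" && return 0
    done
    return 1
}

# pptp_helper_state: reads a module listing on stdin and prints one of
#   ok             conntrack and NAT helpers are both loaded
#   no-nat-helper  the control connection is tracked, the NAT helper is absent
#   no-helpers     the PPTP conntrack helper is not loaded
pptp_helper_state() {
    # The first column is the module name in both lsmod and /proc/modules;
    # drop the "Module" header line that lsmod prints.
    LOADED=$(awk '$1 != "Module" {print $1}')
    if ! has_module ip_conntrack_pptp nf_conntrack_pptp; then
        echo no-helpers
    elif ! has_module ip_nat_pptp nf_nat_pptp; then
        echo no-nat-helper
    else
        echo ok
    fi
}

# Constructed sample: the three module lines MMCM quoted above.
SAMPLE_OK='ip_conntrack_pptp 6448 1 ip_nat_pptp, Live 0xc00ec000
ip_gre 9776 0 - Live 0xc00de000
ip_nat_pptp 2960 0 - Live 0xc00ea000'

# Constructed sample: only the GRE tunnel module is loaded, no PPTP helpers.
SAMPLE_NONE='Module                  Size  Used by
ip_gre                  9776  0'

printf '%s\n' "$SAMPLE_OK" | pptp_helper_state
printf '%s\n' "$SAMPLE_NONE" | pptp_helper_state
```

On the router itself the same function can be fed live data with `lsmod | pptp_helper_state`.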
