0) Briefing

• Up until now
  • OpenWrt installed, password set = ssh enable, Wifi enable, DDNS done
  • 4.77MB memory left (4884B)
• What next
  • Install PPTP server
  • Add custom rules to firewall
• pptpd in Openwrt do not have any web interface, so be prepared.

——————————————————————————–

1) Install pptpd

• Open up your favorite terminal and login into the router

  ssh [email protected]

• These commands will update database, list the software in the database and search the list:

  opkg update && opkg list | grep -a pptpd

• Install pptpd and kmod-mppe:

  opkg install pptpd kmod-mppe

• Enable pptpd to startup itself at boot, and start the service now:

  /etc/init.d/pptpd enable
  /etc/init.d/pptpd start

——————————————————————————–

3) Setup pptpd

• There are 2 files to edit:
  • /etc/ppp/options.pptpd
  • /etc/ppp/chap-secrets

3.1) Edit options.pptpd

• options.pptpd governed how pptpd should work
• Edit the following config file

  vi /etc/ppp/options.pptpd

• Here are the details:
  #debug
  #logfile /tmp/pptp-server.log
  192.168.1.1:

  Your Server address, at the moment the easiest way to get it work is to set it the same as your router address

  auth
  name “pptp-server”

  If you change the server name, remember to change it at /etc/ppp/chap-secrets as well, vice versa

  lcp-echo-failure 3
  lcp-echo-interval 60
  default-asyncmap
  mtu 1482
  mru 1482
  nobsdcomp
  nodeflate
  #noproxyarp
  #proxyarp
  #nomppc
  #mppe required,no40,no56,stateless

  I have disable mppe encryption connection, faster data rate, but less secure.

  require-mschap-v2
  refuse-chap
  refuse-mschap
  refuse-eap
  refuse-pap
  ms-dns 192.168.3.1
  #plugin radius.so
  #radius-config-file /etc/radius.conf

3.2) Edit chap-secrets

• chap-secrets manage all pptp client login informations
• First change the read/write right for the file

  chmod 600 /etc/ppp/chap-secrets

• Edit the following config file

  vi /etc/ppp/chap-secrets

• Here are the details:
  #USERNAME PROVIDER PASSWORD IPADDRESS
  mary pptp-server her_password 192.168.1.101
  john pptp-server his_password 192.168.1.102

——————————————————————————–

4) Add custom rules to iptables

• By default iptables only allow passive connection from outside, to enable active connection from the Internet, you have to add rules to iptables and allow pptp client to connect from outside.
• By adding rules to this file, it will automatically add to the iptables at every reboot
• Edit the following file:

  vim /etc/firewall.user

• Add the following lines to the file:
  

  # This file is interpreted as shell script.
  # Put your custom iptables rules here, they will
  # be executed with each firewall (re-)start.
  iptables -A input_wan -p tcp –dport 1723 -j ACCEPT
  iptables -A input_wan -p gre -j ACCEPT

  iptables -A input_rule -i ppp+ -j ACCEPT
  iptables -A forwarding_rule -i ppp+ -j ACCEPT
  iptables -A forwarding_rule -o ppp+ -j ACCEPT
  iptables -A output_rule -o ppp+ -j ACCEPT

  • The first 2 iptables rules allow remote client to connect from the Internet.
  • The last 4 iptables rules allow connected client to contact local computer and out to the Internet.

——————————————————————————–

Appendix : References

• http://blog.netnerds.net/2011/02/openwrt-pptpd-a-love-story/
• http://knowhow.bart.prokop.name/install/openwrt/pptpd