TP-Link TL-WR1043ND – Openwrt – Ch03_VPN_pptpd

0) Briefing

  • Up until now
    • OpenWrt installed, root password set (which enables SSH), Wi-Fi enabled, DDNS done
    • 4.77 MB of memory left (4884 KB)
  • What next
    • Install the PPTP server
    • Add custom rules to the firewall
  • pptpd in OpenWrt has no web interface (nothing in LuCI), so be prepared to do everything over SSH.


1) Install pptpd

  • Update the package lists, then list the available packages and search the list for pptpd:
    opkg update && opkg list | grep -a pptpd
  • Install pptpd and kmod-mppe (the kernel module that provides MPPE encryption for PPP links):
    opkg install pptpd kmod-mppe
  • Enable pptpd to start at boot, and start the service now:
    /etc/init.d/pptpd enable
    /etc/init.d/pptpd start


3) Setup pptpd

  • There are 2 files to edit:
    • /etc/ppp/options.pptpd
    • /etc/ppp/chap-secrets

3.1) Edit options.pptpd

  • options.pptpd governs how pppd behaves for every connection that pptpd accepts
  • Edit the following config file
    vi /etc/ppp/options.pptpd
  • Here are the details (the configuration lines are shown as they appear in the file, with notes in between):
    #logfile /tmp/pptp-server.log

    Server address: for now the easiest way to get it working is to use the same address as your router's LAN address.

    name "pptp-server"

    This is the name the server presents during authentication. It must match the second column of every entry in /etc/ppp/chap-secrets, so if you change it in one file, change it in the other as well.

    lcp-echo-failure 3
    lcp-echo-interval 60
    mtu 1482
    mru 1482
    #mppe required,no40,no56,stateless

    MPPE encryption is disabled here by commenting the line out. That gives a higher data rate, but every packet inside the tunnel then crosses the Internet in the clear; only the MS-CHAP login exchange itself is protected. Uncomment the line to require 128-bit stateless MPPE (no40 and no56 refuse the weaker 40- and 56-bit keys). Two caveats: some clients (Windows, with its default "require encryption" setting) refuse to connect to a server that declines encryption, and even with MPPE enabled, PPTP's MS-CHAPv2 authentication and RC4-based MPPE are considered cryptographically broken, so treat this as a convenience tunnel rather than a secure one.

    #radius-config-file /etc/radius.conf

3.2) Edit chap-secrets

  • chap-secrets holds the login credentials of every PPTP client, in plaintext
  • First restrict the file's permissions so that only root can read it:
    chmod 600 /etc/ppp/chap-secrets
  • Edit the following config file
    vi /etc/ppp/chap-secrets
  • Here are the details. Each line has four columns: client name, server name (must match the name in options.pptpd), password, and the IP addresses the client may use (* allows any address, which is what you want when the server hands out the addresses):
    # client   server        secret         IP addresses
    mary       pptp-server   her_password   *
    john       pptp-server   his_password   *
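The following script is an added example, not part of the original post, that checks a pptpd setup for the three mistakes sections 3.1 and 3.2 warn about: a server name in options.pptpd that does not match the server column of chap-secrets, a chap-secrets file readable by more than root, and the mppe line left commented out. The file paths are parameters (defaulting to the router's real locations); the sample files written at the bottom are constructed for the demo and show the hardened variant of the two files.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pptpd configuration.
# Paths are passed as arguments so it can run against copies of the files;
# the sample files at the bottom are constructed for the demo.

# Print the value of the "name" option from options.pptpd, quotes stripped.
server_name() {
    sed -n 's/^[[:space:]]*name[[:space:]][[:space:]]*"\{0,1\}\([^" ]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Succeed only if every credential line in chap-secrets has all four columns
# (client, server, secret, allowed IPs) and its server column equals "$2"
# (or is "*", which pppd accepts for any server).
check_secrets_match() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF < 4 { bad++; next }
        $2 != name && $2 != "*" { bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Succeed only if chap-secrets is mode 0600; it holds plaintext passwords.
check_secrets_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Succeed only if an uncommented "mppe required" line is present, i.e. the
# server will refuse to bring up an unencrypted tunnel.
check_mppe_required() {
    grep -q '^[[:space:]]*mppe[[:space:]][[:space:]]*required' "$1"
}

# Run all checks, print one line per check, return non-zero if any fails.
audit_pptpd() {
    opts=${1:-/etc/ppp/options.pptpd}
    secrets=${2:-/etc/ppp/chap-secrets}
    rc=0
    name=$(server_name "$opts")
    if [ -n "$name" ] && check_secrets_match "$secrets" "$name"; then
        echo "ok:   server name '$name' matches every chap-secrets entry"
    else
        echo "FAIL: no name in $opts, or a chap-secrets line has a different server column or fewer than 4 columns"
        rc=1
    fi
    if check_secrets_mode "$secrets"; then
        echo "ok:   $secrets is mode 0600"
    else
        echo "FAIL: $secrets is not mode 0600 (run: chmod 600 $secrets)"
        rc=1
    fi
    if check_mppe_required "$opts"; then
        echo "ok:   MPPE encryption is required"
    else
        echo "WARN: MPPE is disabled, tunnel traffic is sent in the clear"
        rc=1
    fi
    return $rc
}

# Demo on constructed copies of the two files (hardened variant of section 3).
demo_dir=$(mktemp -d)
cat > "$demo_dir/options.pptpd" <<'EOF'
#logfile /tmp/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
mppe required,no40,no56,stateless
EOF
cat > "$demo_dir/chap-secrets" <<'EOF'
# client   server        secret         IP addresses
mary       pptp-server   her_password   *
john       pptp-server   his_password   *
EOF
chmod 600 "$demo_dir/chap-secrets"
audit_pptpd "$demo_dir/options.pptpd" "$demo_dir/chap-secrets"
```

On the router, run it with no arguments after editing the two files; the MPPE check is reported as a warning because the post deliberately leaves encryption off, but the script still exits non-zero so it can gate a deployment.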


4) Add custom rules to iptables

  • By default the firewall only lets established and related traffic in on the WAN side; new connections from the Internet are dropped. To let PPTP clients connect from outside, you have to accept the PPTP control channel (TCP port 1723) and GRE (IP protocol 47), which carries the tunnelled PPP frames. Both rules are needed: without GRE the control connection succeeds but no data flows.
  • Rules added to this file are re-applied every time the firewall (re)starts, including at every reboot.
  • Edit the following file:
    vi /etc/firewall.user
  • Add the following lines to the file:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
    iptables -A input_wan -p gre -j ACCEPT

    iptables -A input_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -o ppp+ -j ACCEPT
    iptables -A output_rule -o ppp+ -j ACCEPT

    • The first 2 rules allow remote clients to reach the PPTP server from the Internet.
    • The last 4 rules allow a connected client (its ppp interface) to talk to the router itself, to be forwarded to the LAN and out to the Internet, and to receive traffic back. This gives VPN users the same reach as a LAN host; narrow the two forwarding_rule lines with -d/-s if VPN users should only reach specific hosts.


1 Comment

  1. Jorge Oliveira

    Really liked this post. Have been using the OpenVPN solution on my TP-Link WDR3600, but I have to give up on other packages because of the low memory (having some trouble mounting /overlay with latest trunk releases…).
    This VPN solution seems much more lightweight and easy to set up, as well as it’s natively supported by Android and Windows.
    The only part that I would like to know is how to set up the firewall settings using LuCI… I can see that I have to open TCP port 1723, but that’s all I can understand.
    Could you please tell me what rules to add using UCI?
