TP-Link TL-WR1043ND – Openwrt – Ch04_VPN_OpenVPN

0) Briefing

  • Up until now
    • OpenWrt + ssh + wifi + ddns + pptpd
    • 4.53MB memory left (4640B)
  • What next
    • Install OpenVPN server
    • Add custom rules to firewall
  • pptpd in OpenWrt does not have a web interface, so be prepared to configure it from the command line.


1) Install OpenVPN

  • These commands update the package database, list the packages in it and search that list:

    opkg update && opkg list | grep -a openvpn

  • Install pptpd and kmod-mppe:

    opkg install pptpd kmod-mppe

  • Enable pptpd to start at boot, and start the service now:

    /etc/init.d/pptpd enable
    /etc/init.d/pptpd start


3) Setup pptpd

  • There are 2 files to edit:
    • /etc/ppp/options.pptpd
    • /etc/ppp/chap-secrets

3.1) Edit options.pptpd

  • options.pptpd governs how pptpd works
  • Edit the following config file

    vi /etc/ppp/options.pptpd

  • Here are the details:
    #logfile /tmp/pptp-server.log

    Your server address; at the moment the easiest way to get it working is to set it the same as your router address.

    name "pptp-server"

    If you change the server name, remember to change it in /etc/ppp/chap-secrets as well, and vice versa.

    lcp-echo-failure 3
    lcp-echo-interval 60
    mtu 1482
    mru 1482
    #mppe required,no40,no56,stateless

    I have disabled MPPE encryption for the connection: faster data rate, but less secure.

    #radius-config-file /etc/radius.conf

3.2) Edit chap-secrets

  • chap-secrets holds the login information for every pptp client
  • Edit the following config file

    vi /etc/ppp/chap-secrets

  • Here are the details:
    mary pptp-server her_password
    john pptp-server his_password
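As an added example (not from the original page), the following POSIX shell script audits the two files edited in this section: it reports whether an active mppe required line is present in options.pptpd, and whether every chap-secrets entry has the expected fields, names the same server as the name directive, and carries a real secret rather than the page's placeholder. The function names, the default file paths and the weak-secret heuristic are assumptions of this example; the demo runs on constructed copies of the page's sample files.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the two pptpd files
# edited in section 3. File paths default to the ones on the page; pass
# other paths as arguments when testing.

# Return 0 if options.pptpd contains an active (uncommented) "mppe required" line.
mppe_required() {
    opts="${1:-/etc/ppp/options.pptpd}"
    grep -Eq '^[[:space:]]*mppe[[:space:]]+required' "$opts"
}

# Print the value of the "name" directive with surrounding quotes and
# trailing whitespace removed; prints nothing if the directive is absent.
server_name() {
    opts="${1:-/etc/ppp/options.pptpd}"
    sed -n 's/^[[:space:]]*name[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$opts" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check chap-secrets against the expected server name ($2). Each non-comment
# line needs at least three fields (client, server, secret); the server field
# must match (or be "*"); the secret must not look like a placeholder. The
# placeholder heuristic (shorter than 8 characters, or ending in "_password"
# like the page's sample) is an assumption of this example.
# Prints one line per problem and returns 1 if any were found.
check_chap_secrets() {
    secrets="${1:-/etc/ppp/chap-secrets}"
    awk -v srv="$2" '
        /^[ \t]*(#|$)/ { next }
        NF < 3 { printf "line %d: expected client server secret [ip]\n", NR; bad++; next }
        $2 != srv && $2 != "*" { printf "line %d: server \"%s\" is not \"%s\"\n", NR, $2, srv; bad++ }
        length($3) < 8 || $3 ~ /_password$/ { printf "line %d: weak or placeholder secret for %s\n", NR, $1; bad++ }
        END { exit bad > 0 }
    ' "$secrets"
}

# Run both checks; returns 0 only when the configuration passes all of them.
audit_pptpd() {
    opts="${1:-/etc/ppp/options.pptpd}"
    secrets="${2:-/etc/ppp/chap-secrets}"
    rc=0
    if mppe_required "$opts"; then
        echo "ok: MPPE encryption is required"
    else
        echo "warn: MPPE not required; tunnel traffic crosses the Internet unencrypted"
        rc=1
    fi
    name=$(server_name "$opts")
    [ -n "$name" ] || { echo "warn: no name directive in $opts"; rc=1; }
    check_chap_secrets "$secrets" "$name" || rc=1
    return "$rc"
}

# Demo on constructed copies of the page's sample files (not the router's real
# configuration): MPPE is commented out and the secrets are placeholders, so
# the audit is expected to report problems and return 1.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/options.pptpd" <<'EOF'
#logfile /tmp/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
#mppe required,no40,no56,stateless
EOF
    cat > "$dir/chap-secrets" <<'EOF'
mary pptp-server her_password
john pptp-server his_password
EOF
    audit_pptpd "$dir/options.pptpd" "$dir/chap-secrets"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_audit; echo "demo exit status: $? (1 = problems found)"
```

Run it on the router with no arguments to check the live files; it exits non-zero as long as MPPE stays commented out, which is the trade-off the text above describes.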


4) Add custom rules to iptables

  • By default the firewall only allows connections initiated from inside; to accept connections initiated from the Internet, you have to add rules to iptables that allow pptp clients to connect from outside.
  • Rules added to this file are applied to iptables automatically on reboot (and on every firewall restart).
  • Edit the following file:

    vi /etc/firewall.user

  • Add the following lines to the file:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
    iptables -A input_wan -p gre -j ACCEPT

    iptables -A input_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -o ppp+ -j ACCEPT
    iptables -A output_rule -o ppp+ -j ACCEPT

  • The first 2 iptables rules allow remote clients to connect from the Internet.
  • The last 4 iptables rules allow connected clients to reach local computers and go out to the Internet.
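As an added example (not from the original page), the six rules above wrapped in shell functions so they can be dry-run before going into /etc/firewall.user and removed again with the same function. Two things are assumptions of this example, not part of the page: the IPT variable (set IPT=echo to print the commands instead of running them) and PPTP_ALLOWED_SRC, an optional CIDR that narrows the two WAN-facing rules to a known client network instead of the whole Internet.

```shell
#!/bin/sh
# Added example, not part of the original page: the pptpd firewall rules
# from section 4 as functions. IPT and PPTP_ALLOWED_SRC are assumptions
# of this example.

# Print the rule arguments, one rule per line, in the order the page gives them.
# If PPTP_ALLOWED_SRC is set, the two input_wan rules accept only that source.
pptp_rules() {
    src=""
    [ -n "$PPTP_ALLOWED_SRC" ] && src="-s $PPTP_ALLOWED_SRC "
    cat <<EOF
-A input_wan ${src}-p tcp --dport 1723 -j ACCEPT
-A input_wan ${src}-p gre -j ACCEPT
-A input_rule -i ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A output_rule -o ppp+ -j ACCEPT
EOF
}

# Feed every rule to $IPT (default: iptables). ACTION is A (append, default)
# or D (delete), so the same function tears the rules down again.
# Word-splitting $rule into separate arguments is intended.
apply_pptp_rules() {
    action="${1:-A}"
    ipt="${IPT:-iptables}"
    pptp_rules | sed "s/^-A /-$action /" | while read -r rule; do
        # shellcheck disable=SC2086
        "$ipt" $rule || exit 1
    done
}

# Usage examples:
#   IPT=echo apply_pptp_rules                                  # dry run
#   PPTP_ALLOWED_SRC=203.0.113.0/24 IPT=echo apply_pptp_rules  # restricted source
#   apply_pptp_rules D                                         # remove the rules
```

Calling apply_pptp_rules from /etc/firewall.user reproduces the page's rules exactly; setting PPTP_ALLOWED_SRC is the cheapest way to keep TCP 1723 and GRE from being reachable from every address on the Internet.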


5) Debrief

  • 4.54MB memory left (4644B)


Appendix: References