TP-Link TL-WR1043ND – Openwrt – Ch04_VPN_OpenVPN

0) Briefing

  • Up until now
    • OpenWrt + ssh + wifi + ddns + pptpd
    • 4.53MB memory left (4640B)
  • What next
    • Install OpenVPN server
    • Add custom rules to firewall
  • pptpd in OpenWrt does not have any web interface, so be prepared to work from the shell.

——————————————————————————–

1) Install OpenVPN

  • These commands update the package database, list the packages in it and search that list:

    opkg update && opkg list | grep -a openvpn

  • Install pptpd and kmod-mppe:

    opkg install pptpd kmod-mppe

  • Enable pptpd so it starts at boot, and start the service now:

    /etc/init.d/pptpd enable
    /etc/init.d/pptpd start

——————————————————————————–

3) Setup pptpd

  • There are 2 files to edit:
    • /etc/ppp/options.pptpd
    • /etc/ppp/chap-secrets

3.1) Edit options.pptpd

  • options.pptpd governs how pptpd works
  • Edit the following config file

    vi /etc/ppp/options.pptpd

  • Here are the details:
    #debug
    #logfile /tmp/pptp-server.log
    192.168.1.1:

    Your server address; at the moment the easiest way to get it working is to set it to the same address as your router

    auth
    name "pptp-server"

    If you change the server name, remember to change it in /etc/ppp/chap-secrets as well, and vice versa

    lcp-echo-failure 3
    lcp-echo-interval 60
    default-asyncmap
    mtu 1482
    mru 1482
    nobsdcomp
    nodeflate
    #noproxyarp
    #proxyarp
    #nomppc
    #mppe required,no40,no56,stateless

    I have disabled mppe encryption on the connection: faster data rate, but less secure.

    require-mschap-v2
    refuse-chap
    refuse-mschap
    refuse-eap
    refuse-pap
    ms-dns 192.168.3.1
    #plugin radius.so
    #radius-config-file /etc/radius.conf

3.2) Edit chap-secrets

  • chap-secrets holds the login information for all pptp clients
  • Edit the following config file

    vi /etc/ppp/chap-secrets

  • Here are the details:
    #USERNAME PROVIDER PASSWORD IPADDRESS
    mary pptp-server her_password 192.168.1.101
    john pptp-server his_password 192.168.1.102
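
As an added check (not part of the original post), a POSIX shell function that verifies what the two files above depend on: every chap-secrets entry uses the `name` set in options.pptpd, no two clients share a static IP, and a warning is printed when the mppe line is left commented out. The helper name `check_pptpd_config` and the sample files are assumptions, constructed from the values shown above.

```shell
#!/bin/sh
# Constructed sample copies of the two files edited above (not the router's own).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/options.pptpd" <<'EOF'
192.168.1.1:
auth
name "pptp-server"
require-mschap-v2
refuse-pap
ms-dns 192.168.3.1
#mppe required,no40,no56,stateless
EOF
    cat > "$d/chap-secrets" <<'EOF'
#USERNAME PROVIDER PASSWORD IPADDRESS
mary pptp-server her_password 192.168.1.101
john pptp-server his_password 192.168.1.102
EOF
    echo "$d"
}

# check_pptpd_config OPTIONS_FILE CHAP_SECRETS_FILE (assumed helper name)
# Returns 0 when every chap-secrets entry names the server from options.pptpd
# and no two clients are given the same static IP; returns 1 otherwise.
check_pptpd_config() {
    opts=$1; secrets=$2; rc=0
    # The 'name' option, with surrounding quotes stripped.
    server=$(awk '$1 == "name" { gsub(/"/, "", $2); print $2 }' "$opts")
    [ -n "$server" ] || { echo "no 'name' option in $opts"; return 1; }
    # A commented-out mppe line means the tunnel carries traffic unencrypted: warn only.
    grep -q '^mppe' "$opts" || echo "warning: mppe not required in $opts"
    # Columns: USERNAME PROVIDER PASSWORD IPADDRESS. The loop runs in a
    # pipeline subshell, so a mismatch is reported through its exit status.
    awk '$1 !~ /^#/ && NF >= 4' "$secrets" |
    while read -r user provider _secret _ip; do
        if [ "$provider" != "$server" ]; then
            echo "user $user: provider '$provider' is not server name '$server'"
            exit 1
        fi
    done || rc=1
    # Two entries with one IP would hand two clients the same address.
    dups=$(awk '$1 !~ /^#/ && NF >= 4 { print $4 }' "$secrets" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate client IP: $dups"; rc=1; }
    return $rc
}
```

Run it against /etc/ppp/options.pptpd and /etc/ppp/chap-secrets before restarting pptpd; a non-zero exit means a client would fail to authenticate or collide with another.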

——————————————————————————–

4) Add custom rules to iptables

  • By default the firewall only accepts connections initiated from inside; to accept connections initiated from the Internet, you have to add iptables rules that let pptp clients connect from outside.
  • Rules added to this file are loaded into iptables automatically at reboot.
  • Edit the following file:

    vi /etc/firewall.user

  • Add the following lines to the file:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
    iptables -A input_wan -p gre -j ACCEPT

    iptables -A input_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -o ppp+ -j ACCEPT
    iptables -A output_rule -o ppp+ -j ACCEPT

  • The first 2 iptables rules allow remote clients to connect from the Internet (TCP port 1723 for the control channel, GRE for the tunnel).
  • The last 4 iptables rules allow connected clients to reach local computers and go out to the Internet.

——————————————————————————–

5) Debrief

  • 4.54MB memory left (4644B)

——————————————————————————–
