
Point-to-Point Tunneling Protocol (PPTP)

Server
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private
networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP
packets. pptpd is the server daemon that lets PPTP clients establish a tunnel over an IP network.
As it stands today, PPTP with MS-CHAP-v2 encryption is not secure and should not be used 1) 2).
Please consider using another VPN server. For alternative solutions, please visit vpn.overview. See
vpn.client.pptp to set up a client.

Preparation
Prerequisites

Study the documentation available on SourceForge.

Plan your networks. Remote clients can be in "lan", but it is feasible to configure a
dedicated network for clients and set up routing accordingly.

Modify your firewall rules as described below.

If upgrading from a previous OpenWrt version, make a backup of the pptpd
configuration files. The 14.07 init script overwrites the chap-secrets file.

/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets

Required Packages

pptpd
kmod-mppe
ppp

See the OpenWrt log for other required packages.

Installation
opkg install pptpd kmod-mppe

There are bugs in the BARRIER BREAKER (14.07, r42625) init script. Modify /etc/init.d/pptpd to
clean up the temporary pptpd.conf and chap-secrets files. The original init script does not support
multiple simultaneous clients with fixed remote IPs. The following script and modified configuration
file enable it:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
START=60
BIN=/usr/sbin/pptpd
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
PID_F=$RUN_D/$BIN.pid
CONFIG=/var/etc/pptpd.conf
CHAP_SECRETS=/var/etc/chap-secrets

# Append one chap-secrets line for each complete 'login' section in /etc/config/pptpd.
setup_login() {
    local section="$1"
    config_get username "$section" username
    config_get password "$section" password
    config_get remoteip "$section" remoteip
    [ -n "$username" ] || return 0
    [ -n "$password" ] || return 0
    [ -n "$remoteip" ] || return 0
    echo "$username pptp-server $password $remoteip" >> $CHAP_SECRETS
}

# Build the runtime pptpd.conf from the static file plus the localip set in UCI.
setup_config() {
    local section="$1"
    config_get enabled "$section" enabled
    [ "$enabled" -eq 0 ] && return 1
    mkdir -p /var/etc
    cp /etc/pptpd.conf $CONFIG
    config_get localip "$section" localip
    [ -n "$localip" ] && echo "localip $localip" >> $CONFIG
    return 0
}

start_pptpd() {
    [ -f $DEFAULT ] && . $DEFAULT
    mkdir -p $RUN_D
    for m in arc4 sha1_generic slhc crc-ccitt ppp_generic ppp_async ppp_mppe; do
        insmod $m >/dev/null 2>&1
    done
    # pppd reads /etc/ppp/chap-secrets, so point it at the generated file.
    ln -sfn $CHAP_SECRETS /etc/ppp/chap-secrets
    service_start $BIN $OPTIONS -c $CONFIG
}

start() {
    config_load pptpd
    setup_config pptpd || return
    config_foreach setup_login login
    start_pptpd
}

stop() {
    service_stop $BIN
    # Remove the generated files so stale credentials do not linger in /var/etc.
    rm -rf $CHAP_SECRETS $CONFIG /etc/ppp/chap-secrets
}

Configuration
Server configuration
There is no need to modify the server configuration files /etc/pptpd.conf and /etc/ppp/options.pptpd;
however, some parameters need to be adjusted depending on the clients and the network
configuration (such as mtu, mru, ms-dns, proxyarp). See the documentation and tips below.
Client configuration is located in /etc/config/pptpd. Modify it to enable pptpd and configure
clients and network. The following is an example for two clients. You can add multiple 'login' sections.

config service 'pptpd'
    option 'enabled' '1'
    option 'localip' 'xxx.yyy.www.zzz'

config 'login'
    option 'username' 'foo'
    option 'password' 'bar'
    option 'remoteip' 'xxx.yyy.zzz.1'

config 'login'
    option 'username' 'foo'
    option 'password' 'bar'
    option 'remoteip' 'xxx.yyy.zzz.2'

Network configuration
If you are using a different subnet for VPN clients you need to add a route to /etc/config/network:

config route
    option interface 'lan'
    option target 'xxx.yyy.zzz.0'
    option netmask '255.255.255.0'
    option gateway 'xxx.yyy.www.zzz'

Firewall configuration
In order to accept PPTP traffic from wan to the router you need to open the following protocols and ports.
Add the following to /etc/config/network:

config rule
    option target 'ACCEPT'
    option _name 'pptp'
    option src 'wan'
    option proto 'tcp'
    option dest_port '1723'

config rule
    option target 'ACCEPT'
    option _name 'gre'
    option src 'wan'
    option proto '47'

In order to enable traffic inside the VPN to enter, leave and pass through the router you need to add the
following. Be aware that if you are using ppp (PPPoE or similar) on wan, the following configuration
is insecure, because ppp+ also matches the wan ppp interface, and must be modified. You can add it to /etc/firewall.user:

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

Start service
/etc/init.d/pptpd enable
/etc/init.d/pptpd start

Set-up and configuration for historic versions (pre 14.07)


opkg install pptpd kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start

pptpd will now be running, and will start on boot. Add a user to /etc/ppp/chap-secrets (see
below). Optionally add proxyarp to /etc/ppp/options.pptpd. Then try to connect from a
client.
The kernel module kmod-mppe is needed for encryption. If you are on trunk, you might need to
update your firmware to the latest build before installing kernel modules, as the kernel sometimes
changes, so the trunk repository modules will not match the older kernel.

OpenWrt Generic
Instructions that are not specific to any particular version of OpenWrt.
Configuration
The default IP address of the server end of the tunnel is 172.16.1.1, and is set in the file
/etc/ppp/options.pptpd, with a colon after it, like this:
172.16.1.1:

Change this if you want a different IP address. There is no need to restart pptpd if you change
this file, because it is used by pppd as soon as the next connection arrives. The file contains
options for pppd, see man pppd on a Linux system for more information on the options available.
/!\ ppp has obsoleted this option (as of v2.4.3-7). In order to assign the local IP address of the
server end of the tunnel, include the localip option in your /etc/pptpd.conf. For example:
localip 172.16.1.1

The easiest way to get LAN access is to make sure the localip is in the LAN IP range. To
dynamically assign IP addresses to clients, add the following line, which hands each client an
address from the range:
remoteip 172.16.1.100-109

Tunnel Remote IP Addresses


Add lines to /etc/ppp/chap-secrets for each client. The format is:
username provider password ipaddress

Add an IP address for every client. An example chap-secrets looks like this:
vpnuser pptp-server vpnpassword 172.16.1.2

See man pppd on a Linux system for more information on this file. Take care that the provider
field matches the name option in /etc/ppp/options.pptpd. The default is pptp-server.
/!\ If you have x-wrt installed and use it to edit the chap-secrets file, it will create every entry
with the provider pptpd. Also, every time the router is rebooted the file will be rewritten so
that the provider is pptpd. The easiest way to deal with this is to set the default provider in
/etc/ppp/options.pptpd to pptpd.
/!\ For the bin and pptp builds of OpenWrt, the file will start out being a symbolic link to a
template in /rom, so remove the link, copy the template, and make sure it is chmod 600.
/!\ It is important to set an IP address rather than use the default asterisk. If you use an asterisk,
the peer may propose its own address, which could cause a routing loop. This results in very
large transmit counters on ifconfig ppp0 and a badly performing router, as it spends all its time
trying to move packets through the loop.
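As an added example (not from the wiki page or the pptpd project), a small POSIX shell checker that applies the rules above to a chap-secrets file: it reads the pppd name option from options.pptpd, then flags entries whose provider differs, entries with a "*" or duplicate address, and a file that is not chmod 600. The function names, file names and sample entries are constructed for the demo; it assumes a Linux userland with awk, ls and mktemp.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): audit a chap-secrets file for the
# pitfalls described above. Constructed sample input; assumes awk, ls, mktemp.

# Provider name the clients must use: the pppd 'name' option, default pptp-server.
pptpd_provider() {
    name=$(awk '$1 == "name" { print $2 }' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${name:-pptp-server}"
}

# count_chap_problems SECRETS OPTIONS
# Prints each problem on stderr and the number of problems on stdout (0 = ok).
count_chap_problems() {
    provider=$(pptpd_provider "$2"); problems=0
    # Plaintext passwords live here: only root may read the file (chmod 600).
    mode=$(ls -l "$1" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
        echo "$1: mode $mode, expected rw------- (chmod 600)" >&2
        problems=1
    fi
    n=$(awk -v prov="$provider" -v f="$1" '
        function err(msg) { print f ":" NR ": " msg > "/dev/stderr"; bad++ }
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 4 { err("expected 4 fields: user provider password ip"); next }
        $2 != prov { err("provider \"" $2 "\" does not match name \"" prov "\"") }
        $4 == "*" { err("ip is \"*\": peer may propose its own address"); next }
        $4 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { err("bad ip \"" $4 "\""); next }
        $4 in seen { err("ip " $4 " already used on line " seen[$4]); next }
        { seen[$4] = NR }
        END { print bad + 0 }' "$1")
    echo $((problems + n))
}

# Demo on constructed files: one clean chap-secrets and one with the mistakes
# the page warns about (x-wrt provider 'pptpd', wildcard ip, duplicate ip, mode 644).
demo_chap_check() {
    d=$(mktemp -d)
    printf 'name pptp-server\n' > "$d/options.pptpd"
    printf '# user provider password ip\nalice pptp-server s3cret 172.16.1.2\nbob pptp-server pa55 172.16.1.3\n' > "$d/good"
    chmod 600 "$d/good"
    printf 'alice pptpd s3cret 172.16.1.2\nbob pptp-server pa55 *\ncarol pptp-server x 172.16.1.2\ndave pptp-server y 172.16.1.2\n' > "$d/bad"
    chmod 644 "$d/bad"
    good=$(count_chap_problems "$d/good" "$d/options.pptpd")
    bad=$(count_chap_problems "$d/bad" "$d/options.pptpd")
    rm -rf "$d"
    echo "good=$good bad=$bad"   # → good=0 bad=5
}
demo_chap_check
```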
Firewall
For your security OpenWrt will ignore connections on the WAN interface, but accept connections
from a client on the LAN or wireless interfaces. If your client is to connect on the WAN
interface, edit the /etc/firewall.user file and add the following:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables -A output_rule -p 47 -j ACCEPT
iptables -A input_rule -p 47 -j ACCEPT

See the firewall for help. Be aware that $WAN might not be defined. If that is the case, insert the
interface name instead, i.e. replace $WAN with eth1.
Alternatively you can configure the firewall using UCI in "/etc/config/firewall":

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'pptpd'
    option 'proto' 'tcp'
    option 'dest_port' '1723'
    option 'family' 'ipv4'
    option 'src' 'wan'

Configure Routing
While we now have a VPN ready where the clients can connect to the OpenWrt router, we might
want to allow the clients to see inside the LAN. Of course we can always give appropriate routes
to server and clients, but there is another way. In our example we have a LAN network
192.168.0.1/24 on the LAN port of our router. We want multiple clients to connect to the pptpd
server and be able to reach the LAN without the need for client routes. This is especially
useful for Windows machines, as they either route everything through the pptpd tunnel or nothing,
and we want them to be able to connect without much configuration hassle for the users. We will
use proxyarp for that purpose and add the following line to /etc/ppp/options.pptpd:
proxyarp

When the next client connection arrives you should see something like:
found interface vlan0 for proxy arp

in the logs. The kernel will now answer ARP requests for the clients connected through the PPTP
tunnel and thus the packets are routed correctly to either the ppp+ device or vlan0. We will have
to add additional iptables rules.

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
/usr/sbin/iptables -A input_rule -i ppp+ -j ACCEPT
/usr/sbin/iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
/usr/sbin/iptables -A forwarding_rule -i ppp+ -j ACCEPT

Setup for Windows filesharing

If you have Windows PPTP clients and you want them to be able to access file shares on the
LAN, you need to set the IP addresses of the PPTP clients to be on the same subnet as the LAN.
This is because of a limitation in proxyarp. That subnet also must not overlap the subnet the PPTP
clients use on their own local networks. For example, if your PPTP clients have addresses in the
192.168.0.0/24 subnet, you can set your LAN to be 192.168.30.0/24 with DHCP assigning
192.168.30.50-192.168.30.100, but be careful that your PPTP clients' subnets are not in the
192.168.0.0 range. You would be better off selecting something in the 172.16.0.0/12 range (such
as 172.18 for your LAN and 172.19 for the VPN clients with a bitmask of 16, i.e. 255.255.0.0).
You can set the IP address of the PPTP server to be 192.168.30.200 by adding the following line
to /etc/ppp/options.pptpd:
192.168.30.200:

You can then assign the client IP addresses beginning with 192.168.30.201. Use the following
settings for the VPN in /etc/firewall.user.

iptables -A forwarding_rule -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
iptables -A output_rule -o ppp+ -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
iptables -A input_rule -i ppp+ -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
# allow VPN connections to get out the WAN interface (to internet)
iptables -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

You will now be able to access file shares by IP address. For example, you can type
\\192.168.30.50

into the address bar of Windows Explorer. Network neighborhood still doesn't detect available
computers. If anyone knows how to make this work please post the instructions here. The desired
configuration would have automatic detection and population, so there is no need to edit host
files. I tried following instructions for setting up samba to run as a WINS server but I couldn't get
it to work. Perhaps this is because OpenWrt is running an older version of samba that was
selected because it has a smaller memory footprint.
In general, the way for computers to appear in Net-Hood is to have a server (master browser)
populate the browse list across networks, plus have a hosts or lmhosts file set up on client machines (that is
the only way I discovered so far). For samba servers you need to have config options in smb.conf:
remote announce = 192.168.11.1/URWG-NAME (ip address of router/name of workgroup), and a hosts file in
windoze (c:\Windows\System32\drivers\etc\hosts) like
192.168.11.10 mypc mypc.behind-wrt54g.org ..
but I'm not sure how it works on wrt (as it only has cups; I couldn't get them installed due to space limitation).
Another way for computers to appear in Net-Hood is to use a utility on the router side called
bcrelay. Bcrelay turns on broadcast relay mode, sending all broadcasts received on the server's
internal interface to the clients. The default pptpd package on WhiteRussian 0.9 contains pptpd
version 1.3.0 compiled without bcrelay support. A good discussion about this problem can be
found at http://forum.openwrt.org/viewtopic.php?pid=56890
Decision:
1. Recompile pptpd with bcrelay support or get the package compiled by simba87 from
http://rapidshare.com/files/59421121/pptpd_1.3.4-1_mipsel.ipk.html.
2. Backup /etc/pptpd.conf and all files in /etc/ppp/. Uninstall the old pptpd package.
3. I put pptpd_1.3.4-1_mipsel.ipk on my hosting, then used wget on the router and ran ipkg install pptpd_1.3.4-1_mipsel.ipk.
4. Add bcrelay br0 to /etc/pptpd.conf and proxyarp to /etc/ppp/options.pptpd.

Troubleshooting
Test Connection
Tell a client to connect to the PPTP server, using the username and password you set in chap-secrets.
The connection should work, and ping between the client and the server should work, but you may
have to do some more configuring to let the client use your PPTP server as a gateway to the
internet, or to see inside your LAN. See the routing section above.

Configure Debug Logging


If you have problems making a connection, increase the amount of information logged:

edit /etc/pptpd.conf and add the line debug, then restart pptpd using /etc/init.d/S50pptpd
stop followed by /etc/init.d/S50pptpd start;
edit /etc/ppp/options.pptpd and add the line debug, and the line logfile "/tmp/pptpd.log";
these changes take effect on the next client connection, there is no need to restart pptpd.

To understand the pppd debug log, read these key sections of the PPTP Client Diagnosis
HOWTO:

What does ConfReq, ConfAck, ConfNak, and ConfRej mean?
What are those CCP MPPE bitmasks?

Notes
If you cannot ping the router, a host in the LAN or a host on the internet from the VPN client, and there
are no errors in the pptpd log or system log, most likely packets are being dropped by the firewall.
If you can connect to pptpd and can ping the client from the server and vice versa, but are not
able to ping anything else, refer to this checklist for diagnosis.

There is a Windows XP client HOWTO that may help.

There is also the PPTP Client for Linux, or check the OpenWrt vpn.pptp.client.
If the PPTP clients are behind an Actiontec DSL Modem/Router, only one of them will be able to
connect. This is due to a bug in the Actiontec. Apparently it locks the connection to one client. If
the router is rebooted, the first client to reconnect is locked in. Putting the Actiontec into bridged
mode and using a different router will probably bypass the problem. Does anyone else have any
experience with this?
