
TP-Link TL-WR1043ND – Openwrt – Ch03_VPN_pptpd

0) Briefing

  • Up until now
    • OpenWrt installed, password set (which enables SSH), Wi-Fi enabled, DDNS done
    • 4.77MB memory left (4884B)
  • What next
    • Install PPTP server
    • Add custom rules to firewall
  • pptpd in OpenWrt does not have any web interface, so be prepared to do everything on the command line.

——————————————————————————–

1) Install pptpd

  • Open up your favorite terminal and login into the router
    ssh root@192.168.1.1
  • These commands update the package database, list the packages in it and filter the list for pptpd:
    opkg update && opkg list | grep -a pptpd
  • Install pptpd and kmod-mppe:
    opkg install pptpd kmod-mppe
  • Enable pptpd to startup itself at boot, and start the service now:
    /etc/init.d/pptpd enable
    /etc/init.d/pptpd start

——————————————————————————–

3) Set up pptpd

  • There are 2 files to edit:
    • /etc/ppp/options.pptpd
    • /etc/ppp/chap-secrets

3.1) Edit options.pptpd

  • options.pptpd governs how pptpd should work
  • Edit the following config file
    vi /etc/ppp/options.pptpd
  • Here are the details:
    #debug
    #logfile /tmp/pptp-server.log
    192.168.1.1:

    Your server address; for now the easiest way to get it working is to set it to the same address as your router

    auth
    name "pptp-server"

    If you change the server name, remember to change it in /etc/ppp/chap-secrets as well, and vice versa

    lcp-echo-failure 3
    lcp-echo-interval 60
    default-asyncmap
    mtu 1482
    mru 1482
    nobsdcomp
    nodeflate
    #noproxyarp
    #proxyarp
    #nomppc
    #mppe required,no40,no56,stateless

    I have disabled MPPE-encrypted connections: faster data rate, but less secure.

    require-mschap-v2
    refuse-chap
    refuse-mschap
    refuse-eap
    refuse-pap
    ms-dns 192.168.3.1
    #plugin radius.so
    #radius-config-file /etc/radius.conf

3.2) Edit chap-secrets

  • chap-secrets manages the login information of all PPTP clients
  • First restrict the file permissions so that only root can read it
    chmod 600 /etc/ppp/chap-secrets
  • Edit the following config file
    vi /etc/ppp/chap-secrets
  • Here are the details:
    #USERNAME PROVIDER PASSWORD IPADDRESS
    mary pptp-server her_password 192.168.1.101
    john pptp-server his_password 192.168.1.102
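
As an added example (my own shell script, not part of the original post), here is a check to run on the router after editing the two files and before starting the service. It verifies the point made above that the `name` in options.pptpd and the PROVIDER column of chap-secrets must agree, that chap-secrets is mode 600, and it reports whether `mppe required` is in effect. It assumes busybox/GNU `stat -c %a` (available on OpenWrt) and that `name` is written with straight double quotes, as pppd expects; the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two pptpd
# config files edited above before starting the service.
# Assumes: busybox/GNU 'stat -c %a' (OpenWrt and most Linux), and that the
# 'name' option uses straight double quotes as pppd expects.
# Usage: pptpd_check_config /etc/ppp/options.pptpd /etc/ppp/chap-secrets

# Print the server name from options.pptpd (value of the 'name' option).
pptpd_server_name() {
    sed -n 's/^[[:space:]]*name[[:space:]]\{1,\}//p' "$1" | tr -d '"' | head -n 1
}

# Report problems one per line; return 0 when clean, 1 when anything needs fixing.
pptpd_check_config() {
    opts="$1"; secrets="$2"; rc=0

    server=$(pptpd_server_name "$opts")
    if [ -z "$server" ]; then
        echo "PROBLEM: no 'name' option in $opts"; rc=1
    fi

    # The PROVIDER column (2nd field) of every user line must equal the server
    # name, otherwise that user can never authenticate (the post's "vice versa").
    mismatched=$(awk -v srv="$server" \
        '!/^[[:space:]]*#/ && NF >= 3 && $2 != srv { print $1 }' "$secrets")
    for user in $mismatched; do
        echo "PROBLEM: user '$user' in $secrets has a provider that is not '$server'"; rc=1
    done

    # chap-secrets stores passwords in clear text: it must stay owner-only.
    mode=$(stat -c %a "$secrets" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "PROBLEM: $secrets is mode $mode, expected 600 (chmod 600 $secrets)"; rc=1 ;;
    esac

    # Informational only: the post comments out 'mppe required', trading
    # encryption for speed. Report it so the choice is visible in the output.
    if grep -q '^[[:space:]]*mppe[[:space:]]\{1,\}required' "$opts"; then
        echo "INFO: MPPE encryption is required for every connection"
    else
        echo "INFO: 'mppe required' is not set; connections may be unencrypted"
    fi
    return $rc
}

# Run directly against the two files given on the command line, if any.
if [ $# -eq 2 ]; then
    pptpd_check_config "$1" "$2"
fi
```

Run it as `sh pptpd_check.sh /etc/ppp/options.pptpd /etc/ppp/chap-secrets`; a non-zero exit means a user will fail to log in or the password file is readable by other users, and the INFO line tells you whether the tunnels are going to carry unencrypted traffic.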

——————————————————————————–

4) Add custom rules to iptables

  • By default the firewall only accepts traffic from the WAN that belongs to a connection started from the inside; to let a PPTP client open a connection from the Internet you have to add rules to iptables that allow it in.
  • Rules added to this file are loaded into iptables automatically every time the firewall starts, so they survive a reboot.
  • Edit the following file:
    vi /etc/firewall.user
  • Add the following lines to the file:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
    iptables -A input_wan -p gre -j ACCEPT

    iptables -A input_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -i ppp+ -j ACCEPT
    iptables -A forwarding_rule -o ppp+ -j ACCEPT
    iptables -A output_rule -o ppp+ -j ACCEPT

    • The first 2 iptables rules let remote clients connect from the Internet (the PPTP control channel on TCP port 1723 and the GRE tunnel).
    • The last 4 iptables rules let a connected client reach computers on the LAN and go out to the Internet.
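
As an added example (my own shell script, not from the original post), the check below confirms that /etc/firewall.user carries all six rules from this section before you restart the firewall, and catches the classic copy/paste error where a web page renders `--dport` with a Unicode dash, which makes iptables reject the line as an unknown option. The rule list is transcribed from this section; the file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original post: verify that /etc/firewall.user
# carries the six rules from section 4 before restarting the firewall, and
# catch the copy/paste error where a web page renders '--dport' with a
# Unicode dash, which makes iptables fail with an unknown-option error.
# Usage: pptpd_check_firewall_user /etc/firewall.user

# The rules the post adds (transcribed from section 4 with ASCII '--dport').
PPTPD_REQUIRED_RULES='iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables -A input_wan -p gre -j ACCEPT
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT'

# Normalize stdin: strip comments, collapse whitespace runs, trim both ends.
pptpd_norm_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Report problems one per line; return 0 when every rule is present as written.
pptpd_check_firewall_user() {
    file="$1"; rc=0

    # U+2013 (en dash) and U+2014 (em dash) are what web pages typically substitute.
    if grep -q -e "$(printf '\342\200\223')dport" -e "$(printf '\342\200\224')dport" "$file"; then
        echo "PROBLEM: a rule uses a Unicode dash before 'dport'; iptables needs ASCII '--dport'"
        rc=1
    fi

    # Compare each required rule against the normalized file, whole line only.
    normalized=$(pptpd_norm_rules < "$file")
    missing=$(printf '%s\n' "$PPTPD_REQUIRED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$normalized" | grep -Fxq "$rule" || printf '%s\n' "$rule"
    done)
    if [ -n "$missing" ]; then
        echo "PROBLEM: rules missing from $file:"
        printf '%s\n' "$missing" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Run directly against the file given on the command line, if any.
if [ $# -eq 1 ]; then
    pptpd_check_firewall_user "$1"
fi
```

Run it as `sh pptpd_fw_check.sh /etc/firewall.user`; a line copied with an en dash shows up both as the dash warning and as a missing rule, since it is not the rule iptables would accept.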

——————————————————————————–

Appendix: References

 
Posted by on April 21, 2013 in Networking, Router

 
