atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sat Jul 07, 2012 11:44 Post subject: PPTP server setup problem
Hello
I'm having trouble setting up a PPTP server on my DD-WRT box.
It is a Linksys WRT160NL Wireless-N Broadband Router.
Software build version is r18777.
I have tried to follow the instructions in the wiki:
http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration
My internal network is 172.16.101.0/24
The DD-WRT lives on 172.16.101.1
I have assigned 172.16.101.2 to the PPTP server
I have NAT-ed port 1723 to 172.16.101.2
Doesn't seem to work at all (i.e. I don't think the external clients - a mix of Win 7 machines - are actually getting to "talk" to the server).
I'm pretty sure I missed something but can't figure it out. Any help / pointer most welcome.
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sat Jul 07, 2012 14:04 Post subject:
eibgrad wrote: Seems to me the server IP should be the same as the router's local IP (I suspect the one you specified is not even in use).
Well, the various entries in the wiki tend to point towards assigning an unused IP to the PPTP server. Are you sure I'd rather have to use the router IP?
Quote: I also don't think you need to manually port forward 1723. IIRC, enabling the PPTP server does that automatically. It's easy enough to check by dumping iptables.
Again this is mentioned in the Wiki. But I shall check the IP tables.
Quote: Shouldn't you also specify some client IPs, so that clients can be assigned local IPs?
Good point - what would be the proper syntax for that?
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sat Jul 07, 2012 19:11 Post subject:
eibgrad wrote: My motto, wiki + skepticism + common sense = greater chance of success
Thanks - I am relatively new to dd-wrt and not too sure how much I can trust the online documentation (which I always try to read before asking possibly obvious questions).
Anyway, back to the task at hand:
I have assigned the same IP for the router and the PPTP server
I have declared a client IP
I have removed the NAT rules
Still no go.
Here are my iptables:
Code:
root@myrouter:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
logdrop udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
logdrop udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.101.1 tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
logdrop 2 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 47 -- 172.16.101.0/24 0.0.0.0/0
ACCEPT tcp -- 172.16.101.0/24 0.0.0.0/0 tcp dpt:1723
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
lan2wan 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 172.16.101.100 udp dpt:25498
ACCEPT tcp -- 0.0.0.0/0 172.16.101.100 tcp dpt:25498
ACCEPT udp -- 0.0.0.0/0 172.16.101.139 udp dpt:52615
ACCEPT udp -- 0.0.0.0/0 172.16.101.124 udp dpt:58799
ACCEPT udp -- 0.0.0.0/0 172.16.101.136 udp dpt:52746
ACCEPT tcp -- 0.0.0.0/0 172.16.101.136 tcp dpt:52746
ACCEPT udp -- 0.0.0.0/0 172.16.101.139 udp dpt:48116
ACCEPT tcp -- 0.0.0.0/0 172.16.101.139 tcp dpt:48116
ACCEPT udp -- 0.0.0.0/0 172.16.101.119 udp dpt:34817
ACCEPT tcp -- 0.0.0.0/0 172.16.101.119 tcp dpt:34817
ACCEPT udp -- 0.0.0.0/0 172.16.101.115 udp dpt:3917
ACCEPT tcp -- 0.0.0.0/0 172.16.101.115 tcp dpt:3917
ACCEPT udp -- 0.0.0.0/0 172.16.101.135 udp dpt:52746
ACCEPT tcp -- 0.0.0.0/0 172.16.101.135 tcp dpt:52746
ACCEPT udp -- 0.0.0.0/0 172.16.101.147 udp dpt:29135
ACCEPT tcp -- 0.0.0.0/0 172.16.101.147 tcp dpt:29135
ACCEPT udp -- 0.0.0.0/0 172.16.101.136 udp dpt:21045
ACCEPT tcp -- 0.0.0.0/0 172.16.101.136 tcp dpt:21045
ACCEPT tcp -- 0.0.0.0/0 172.16.101.80 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 172.16.101.80 udp dpt:22
TRIGGER 0 -- 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
trigger_out 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (0 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
Chain logbrute (0 references)
target prot opt source destination
0 -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source
RETURN 0 -- 0.0.0.0/0 0.0.0.0/0 !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
RETURN 0 -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0
Chain logdrop (6 references)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
target prot opt source destination
root@myrouter:~#
Somewhat above my pay grade, but I don't seem to see a built-in rule for PPTP...
Here is the content of pptpd.conf:
Code:
bcrelay br0
localip 172.16.101.1
remoteip 172.16.101.99
Is there any specific log I can look into?
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 8:21 Post subject:
Definitely testing from outside network (mix of Win7 and Server 2008 machines).
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 14:08 Post subject:
Here we go...
Code:
root@myrouter:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
272 39036 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
177 23780 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
14 4854 ACCEPT 0 -- br1 * 0.0.0.0/0 0.0.0.0/0
1 64 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.1 tcp dpt:22
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT 0 -- br1 * 0.0.0.0/0 0.0.0.0/0
77 7446 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 47 -- * ppp0 172.16.101.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 172.16.101.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
8 448 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4396 747K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
4317 736K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
55 7537 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br1 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.100 udp dpt:25498
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.100 tcp dpt:25498
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.139 udp dpt:52615
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.124 udp dpt:58799
18 2313 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.136 udp dpt:52746
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.136 tcp dpt:52746
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.139 udp dpt:48116
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.139 tcp dpt:48116
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.119 udp dpt:34817
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.119 tcp dpt:34817
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.115 udp dpt:3917
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.115 tcp dpt:3917
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.135 udp dpt:52746
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.135 tcp dpt:52746
3 429 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.147 udp dpt:29135
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.147 tcp dpt:29135
3 399 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.136 udp dpt:21045
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.136 tcp dpt:21045
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.135 udp dpt:52746
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.135 tcp dpt:52746
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.101.80 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.101.80 udp dpt:22
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 59 packets, 8847 bytes)
pkts bytes target prot opt in out source destination
315 44357 ACCEPT 0 -- * br0 0.0.0.0/0 0.0.0.0/0
13 4625 ACCEPT 0 -- * br1 0.0.0.0/0 0.0.0.0/0
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (0 references)
pkts bytes target prot opt in out source destination
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (6 references)
pkts bytes target prot opt in out source destination
77 7446 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination
root@myrouter:~# cat /tmp/pptpd/pptpd.conf
bcrelay br0
localip 172.16.101.1
remoteip 172.16.101.99
root@myrouter:~# cat /tmp/pptpd/options.pptpd
lock
name *
nobsdcomp
nodeflate
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
mppe required,stateless
mppc
debug
logfd 2
ms-ignore-domain
chap-secrets /tmp/pptpd/chap-secrets
ip-up-script /tmp/pptpd/ip-up
ip-down-script /tmp/pptpd/ip-down
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 6
mtu 1450
mru 1450
ms-wins 172.16.101.80
ms-wins 172.16.101.80
ms-dns 172.16.101.1
ms-dns 172.16.101.1
ms-dns 8.8.8.8
root@myrouter:~#
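An added check, not part of the thread, that reads the counters in the dump above: a PPTP client must first hit the tcp dpt:1723 rule in INPUT and then the protocol-47 (GRE) rule, so zero packets on both while logdrop keeps counting means the clients never reach the router at all, and pptpd.conf is not where the problem is. The sample input is a shortened copy of the posted INPUT chain; busybox sh and awk are assumed, and the file name check-pptp.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the PPTP-relevant counters of
# `iptables -vnL`. A client must first hit the tcp dpt:1723 rule in INPUT and
# then the protocol-47 (GRE) rule; if those stay at zero while logdrop climbs,
# the clients are not reaching the router, and pptpd.conf is not the problem.
# Assumed: busybox sh and awk as on DD-WRT; column layout of iptables -vnL.

# Read iptables -vnL output on stdin, print one line of counters for INPUT.
pptp_input_hits() {
    awk '
        $1 == "Chain" { inchain = ($2 == "INPUT"); next }
        !inchain || $1 == "pkts" { next }              # other chains, headers
        $3 == "ACCEPT" && /tcp dpt:1723/ { tcp += $1 } # PPTP control channel
        $3 == "ACCEPT" && $4 == "47"     { gre += $1 } # GRE carries the tunnel
        $3 == "logdrop"                  { drop += $1 }
        END { printf "pptp_tcp=%d gre=%d dropped=%d\n", tcp, gre, drop }
    '
}

# Turn that line into a verdict; first word is a code, the rest explains it.
pptp_verdict() {
    set -- $1
    tcp=${1#*=}; gre=${2#*=}
    if [ "$tcp" -eq 0 ]; then
        echo "NO_CONTROL no TCP/1723 reached INPUT: clients never arrive (upstream NAT, wrong public address, or 1723 filtered before the router)"
    elif [ "$gre" -eq 0 ]; then
        echo "NO_GRE control channel seen but no GRE: protocol 47 is filtered or not forwarded to the router"
    else
        echo "OK both PPTP control and GRE traffic are reaching the router"
    fi
}

# Constructed sample: a shortened copy of the INPUT chain posted above.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  272 39036 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
   77  7446 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     47   --  *      ppp0    172.16.101.0/24      0.0.0.0/0'

check_sample() { printf '%s\n' "$SAMPLE" | pptp_input_hits; }

# On the router: sh check-pptp.sh live   (file name is hypothetical)
if [ "${1:-}" = live ]; then
    r=$(iptables -vnL INPUT | pptp_input_hits)
    echo "$r"; pptp_verdict "$r"
fi
```

Only the first packet of a connection hits the 1723 rule; later ones are taken by the RELATED,ESTABLISHED rule above it, so compare counters before and after a single connection attempt.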
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 17:52 Post subject:
Thanks for your suggestions.
It is indeed connecting now - quite a step forward (although it takes ages to handshake, I'd say more than a minute).
Will have to put the iptables in the persistent config.
Had a networking issue (probably not directly linked to dd-wrt) where it seems that the client machine has all traffic redirected through the VPN - turns out this is a default in the PPTP connection but can be avoided by unchecking "use default gateway on remote network" in the IPv4 settings.
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 21:17 Post subject:
Again many thanks for your help.
I am trying to follow your advice about the DNS but I can't seem to be able to have the GUI settings propagated to the options.pptpd file:
Code:
root@myrouter:/tmp/pptpd# cat options.pptpd
lock
name *
nobsdcomp
nodeflate
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
mppe required,stateless
mppc
debug
logfd 2
ms-ignore-domain
chap-secrets /tmp/pptpd/chap-secrets
ip-up-script /tmp/pptpd/ip-up
ip-down-script /tmp/pptpd/ip-down
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 6
mtu 1450
mru 1450
ms-wins 172.16.101.80
ms-dns 172.16.101.1
ms-dns 172.16.100.5
I do not want the last two entries as they mess up my networking. I tried to edit them manually using vi but it does not survive a reboot.
Any idea where I should look?
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 21:43 Post subject:
Quote: The only thing you can do is use the command script to OVERWRITE the /tmp files once they're re-established after a reboot. That's why the wiki has weird commands like the following:
sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd
Thanks - I guess I will have to dig into this one...
Is there not a way to write to the "defaults"? What's the point of the web GUI if the settings entered there are not saved? Or am I missing something?
So if I understand correctly, I shall run the sed command automatically via the startup script to replace the various settings I want to modify?
One further question: how can I delete a config line using the above technique?
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Sun Jul 08, 2012 23:15 Post subject:
Thanks
I managed to create a startup script which deletes the "offending" DNS options. It seems that my client is no longer picking up those unwanted IPs.
Still, it's quite a kludge - I still don't understand what would be the problem of having persistent settings. If nothing else, the GUI should be updated to the effect that the settings are mostly cosmetic and do not reflect the true configuration of the router - very disturbing for a newbie!
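A startup script of the kind this post describes, as an added example and not the poster's own script: it applies the wiki's sed trick to the copy of options.pptpd that DD-WRT regenerates in /tmp at boot, using sed's d command to delete every ms-dns and ms-wins line and an s/// replace for directives that should hold a fixed value. Assumed: busybox sh and sed on the router, the /tmp/pptpd/options.pptpd path from the thread, and that the script is invoked with the argument apply from the router's startup commands (the file name fix-pptpd.sh is hypothetical).

```shell
#!/bin/sh
# Added example (not the poster's script). DD-WRT rebuilds /tmp/pptpd/options.pptpd
# from NVRAM at every boot, so edits made with vi are lost; instead we let the
# router write the file and then rewrite the lines we disagree with.
# Assumed: busybox sh/sed on DD-WRT; path taken from the thread.

OPTS=/tmp/pptpd/options.pptpd
WANT_DNS=""   # servers to push to clients; empty = push none (what the poster wanted)

# Delete every ms-dns / ms-wins line (sed 'd' drops matching lines), then
# append the servers given as arguments, if any.
# Usage: purge_pptpd_dns FILE [dns ...]
purge_pptpd_dns() {
    f=$1; shift
    sed -i -e '/^ms-dns /d' -e '/^ms-wins /d' "$f"
    for d in "$@"; do
        printf 'ms-dns %s\n' "$d" >> "$f"
    done
}

# The wiki's trick, generalised: replace the whole "KEY value" line if present,
# append it otherwise, so the script is safe to run more than once.
# KEY must not contain sed metacharacters or slashes.
# Usage: set_pptpd_opt FILE KEY VALUE
set_pptpd_opt() {
    f=$1; k=$2; v=$3
    if grep -q "^$k " "$f"; then
        sed -i -e "s/^$k .*/$k $v/" "$f"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

# At boot the options file may not exist yet when startup commands run:
# wait for pptpd to create it (up to about a minute), then rewrite it.
# pptpd starts a fresh pppd per connection, which re-reads this file,
# so no restart is needed for the next client.
apply_at_boot() {
    n=0
    while [ ! -f "$OPTS" ] && [ "$n" -lt 30 ]; do
        sleep 2; n=$((n + 1))
    done
    [ -f "$OPTS" ] || { echo "$OPTS never appeared" >&2; return 1; }
    purge_pptpd_dns "$OPTS" $WANT_DNS
    set_pptpd_opt "$OPTS" mppe required,stateless
}

if [ "${1:-}" = apply ]; then
    apply_at_boot
fi
```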
atakacs DD-WRT Novice Joined: 09 Apr 2012 Posts: 26
Posted: Mon Jul 09, 2012 6:29 Post subject:
Thanks for your input. It still baffles me to see different things between the active config and what's reported in the web interface - this is a major "no no" in my book.
Anyway, as far as the connection goes I still have issues but not 100% sure they are related to dd-wrt.
My domain is a plain vanilla MS AD network, with IP range 172.16.100.0/24, gateway on .1, PDC-DNS on .5 and a standalone server on .10 (this is my VPN client, WS2008).
Target network (no MS domain) uses IP range 172.16.101.0/24, gateway & DNS on .1
I manage to connect my VPN without issue now but I still have DNS being set to both networks, despite having specified my settings as follows
(note the DNS entry 172.16.101.1 which is the default gateway on network B)
and having the "rewrite" script purging the config file of all DNS entries
Code:
root@myrouter:/tmp/pptpd# cat options.pptpd
lock
name *
nobsdcomp
nodeflate
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
mppe required,stateless
mppc
debug
logfd 2
ms-ignore-domain
chap-secrets /tmp/pptpd/chap-secrets
ip-up-script /tmp/pptpd/ip-up
ip-down-script /tmp/pptpd/ip-down
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 6
mtu 1450
mru 1450
root@synergixrouter:/tmp/pptpd# cat options.pptpd
lock
name *
nobsdcomp
nodeflate
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
mppe required,stateless
mppc
debug
logfd 2
ms-ignore-domain
chap-secrets /tmp/pptpd/chap-secrets
ip-up-script /tmp/pptpd/ip-up
ip-down-script /tmp/pptpd/ip-down
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 6
mtu 1450
mru 1450
The result is that my domain networking is messed up (for instance file shares are being disconnected, the server reported as not found on the network). Somehow my client machine can't see the other nodes on the local net and my best bet is that it has to do with not resolving DNS correctly.
I have read the wiki and tried to save DNS entries in NVRAM using
nvram set pptpd_dns1=ip-address-of-first-dns-server
nvram set pptpd_dns2=ip-address-of-second-dns-server
but it does not help.