PPTP Tunneling

From DD-WRT Wiki

Difference between revisions

Revision as of 21:20, 8 February 2007 by Jmehney (Fixing routing from server to client network)
Current revision (13:41, 18 March 2018) by Ian5142 (Added PPTP Category.)
(22 intermediate revisions not shown.)
Line 1: Line 1:
= Introduction = = Introduction =
-The configuration below was tested using two WRT54G (Hardware v2.2) and DD-WRT v23 SP1 std.+This setup will bridge DD-WRT routers, allowing any host connected to the network to be visible from the WAN cloud.
 +To turn this HOWTO simple I'll use only two DD-WRT routers but theoretically you can further extend the setup to any number of routers.
-(Update: The mini version of v23 SP1 may work better than standard, because the free memory will help.) 
-{| border=1 cellspacing=0 cellpadding=5+== Notes ==
-|'''Note: In v23SP2 Final this configuration does not work. Please check bugtracker ID 0001811'''+* If your ISP do not provide you a fixed IP address, you should now create a dynamic DNS account from any DD-WRT supported provider. I'll use a No-IP.com account in the article's examples.
-(Missing routes can be added manually with a "ip route add 192.168.x.0/24 dev ppp0" or similar)+* I assume you've got your WAN already up, if you need a different setup please feel free to change whatever you need.
-Have a look at [[#Fixing routing from server to client network]] for a script solution. 
-|} 
 +== Tested Versions ==
 +This article should work with any supported DD-WRT version. Feel free to add your version to the following list:
 +* DD-WRT v24-sp2 (01/21/09) std
-The purpose of this setup is to connect to any IP Address on network A or B from network A or B.+Does NOT work with
-*Network A in location "a"+* DD-WRT v24-sp2 (10/10/09) std-nokaid (instructions below are not for v24-sp2 firmware; may work (untested) with method from http://www.dd-wrt.com/phpBB2/viewtopic.php?p=10933#10933)
-{| border=1 cellspacing=0 cellpadding=5+= Configuration =
-| Router A address+
-| 192.168.1.1+
-|- +
-| DHCP range+
-| 192.168.1.100-150+
-|- +
-| Dyndns address+
-| "direccion_de_A.dyndns.org"+
-|}+
-* Network B in location "b"+== Generic information ==
 +* '''dd-wrt-01'''
 +** Address: 192.168.1.1
 +** Netmask: 255.255.255.0
 +** Gateway: 0.0.0.0
 +** DHCP Range: 192.168.1.100-150
 +** DDNS: foo-corp-dd-wrt-01.no-ip.com
-{| border=1 cellspacing=0 cellpadding=5 
-| Router B address 
-| 192.168.2.1 
-|-  
-| DHCP range 
-| 192.168.2.100-150 
-|-  
-| Dyndns address 
-| "direccion_de_B.dyndns.org" 
-|} 
-= Configuration =+* '''dd-wrt-02'''
-== For Both Routers ==+** Address: 192.168.2.1
-# Goto "Administration" tab and "Management" sub-tab+** Netmask: 255.255.255.0
-# Enable DNSmasq and Local DNS+** Gateway: 0.0.0.0
-# Disable Loopback+** DHCP Range: 192.168.2.100-150
-# Set Maximum Ports:4096 +** DDNS: foo-corp-dd-wrt-02.no-ip.com
-# Set TCP Timeout: 3600+
-# Set UDP Timeout: 3600+
-http://img237.imageshack.us/img237/9766/loopbackzs4.jpg 
-'''Note:''' Loopback must be disable because VPN doesn't always work when it is enabled.+== dd-wrt-01 ==
 +This step will configure the basic information for the local network.
 +# Goto Setup > Basic Setup
 +# Set Router Name and Host Name to "dd-wrt-01"
 +# Set Local IP Address to "192.168.1.1"
 +# Set Subnet Mask to "255.255.255.0"
 +# '''Save'''
-http://img366.imageshack.us/img366/1888/ipfiltersettingssq5.jpg 
-== For Router A ==+Now lets make your dynamic IP address always reachable trough a hostname.
 +# Goto Administration > DDNS
 +# Set DNS Service to "No-IP.com"
 +# Change Username, Password and Hostname to your personal account information
 +# Hostname in this example will be set to "foo-corp-dd-wrt-01.no-ip.com"
 +# '''Save'''
-=== Router B > VPN > Router A === 
-# Goto "Administration" tab and "Services" sub-tab 
-# Enable PPTP Server 
-# Set "Server IP or DNS Name" to "192.168.1.1" 
-# Set "Client IP(s)" to "192.168.1.200-250" 
-# Set "CHAP-Secrets" to "usernameA * passwordA *" 
-# Apply Changes 
- 
-=== Router A > VPN > Router B === 
-# Goto "Administration" tab and "Services" sub-tab 
-# Enable PPTP Client 
-# Set "Server IP or DNS Name" to the location of Server B (direccion_de_B.dyndns.org) 
-# Set "Remote Subnet" to "192.168.2.0" 
-# Set "Remote Subnet Mask" to 255.255.255.0 
-# Set "MPPE Encryption" to "mppe required" 
-# Set "MTU" to 1450 
-# Set MRU to 1450 
-# Set Username to usernameB 
-# Set password to passwordB 
-# Apply Changes 
-http://img162.imageshack.us/img162/22/ruteadora6ir.jpg+Now we tell the router that there is another network on the other side of the WAN.
 +Basically we're telling "If you want to access any host on the 192.168.2.x subnet please forward your packet trough the router at the IP address "192.168.2.1".
 +# Goto Setup > Advanced Routing
 +# Under Static Routing:
 +# Set Route Name to "foo-corp-dd-wrt-02"
 +# Set Metric to "0"
 +# Set Destination LAN NET to "192.168.2.0"
 +# Set Subnet Mask to "255.255.255.0"
 +# Set Gateway to "192.168.2.1"
 +# Set Interface to "ANY"
 +# '''Save'''
-== For Router B == 
-=== Router A > VPN > Router B ===+This router will have the role of "concentrator" meaning that every router that wants to be part of our bridge should connect to it.
-# Goto "Administration" tab and "Services" sub-tab+If you've got a more complex design with three routers (A, B and C) traffic from B to C will always pass trough router A.
 +# Goto Services > PPTP
# Enable PPTP Server # Enable PPTP Server
-# Set "Server IP or DNS Name" to "192.168.2.1"+# Set Server IP to "192.168.1.1"
-# Set "Client IP(s)" to 192.168.2.200-250"+# Set Client IP(s) to "192.168.1.200-201"
-# Set "CHAP-Secrets" to "usernameB * passwordB *"+# Set CHAP-Secrets to: "<PPTP_CLIENT_USERNAME_SITE02> * <PPTP_CLIENT_PASSWORD_SITE02> *"
-# Apply Changes+# Disable PPTP Client Options
 +# '''Save'''
-=== Router B > VPN > Router A === 
-# Goto "Administration" tab and "Services" sub-tab 
-# Enable PPTP Client 
-# Set "Server IP or DNS Name" to the location of Server A (direccion_de_A.dyndns.org) 
-# Set "Remote Subnet" to "192.168.1.0" 
-# Set "Remote Subnet Mask" to 255.255.255.0 
-# Set "MPPE Encryption" to "mppe required" 
-# Set "MTU" to 1450 
-# Set MRU to 1450 
-# Set Username to usernameA 
-# Set password to passwordA 
-# Apply Changes 
-http://img73.imageshack.us/img73/4391/ruteadorb3nn.jpg+Saving ourselves from a headache.. ;-)
 +# Goto Security > VPN
 +# Enable PPTP Passthrough
 +# Disable IPSec and L2TP Passthrough
 +# '''Save'''
-==== Notes ==== 
-* The subnets should not intersect each other (i.e. The third octet of direction IP (192.168.thirdoctet.1) of the network A must be different of the network B. 
-* The range of Client IP(s) must be outside the range of DHCP clients. 
-* In the example the IP range that occurred for clients vpn ("Client IP(s)") was 192.168.x.200-250 therefore 51 VPN clients allowed 
-* '''This is a whammie if you miss it'''. Don't forget to enable "'''PPTP Passthrough'''" if you are using the SPI firewall as found on the '''SECURITY''' tab.+This step maybe optional.. but routing packets trough a WAN interface without being encrypted is stupid.
 +# Goto Administration > Commands
 +# Enter "sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd"
 +# Save Startup
 +# NOTE: This will force all PPTP clients to use encryption
 +# '''Save'''
-== Monitoring == 
-To monitoring and guarantee the connection you can setup Watchdog. The following instructions will setup watchdog to monitor the connection every five minutes (update: works better with 9999 seconds).  
-On both routers:+Wrapping everything up..
 +# Goto Administration
 +# '''Reboot Router'''
-# Goto "Administration" tab and "Keep Alive" sub-tab.+== dd-wrt-02 ==
-# Enable Watchdog+# Goto Setup > Basic Setup
-# Set "Interval" to 300+# Set Router Name and Host Name to "dd-wrt-02"
-# Set IP Addresses to "192.168.1.200 192.168.2.200"+# Set Local IP Address to "192.168.2.1"
 +# Set Subnet Mask to "255.255.255.0"
 +# '''Save'''
-http://img201.imageshack.us/img201/9416/keepaliveye2.jpg 
 +# Goto Administration > DDNS
 +# Set DNS Service to "No-IP.com"
 +# Change Username, Password and Hostname to your personal account information
 +# Hostname in this example will be set to "foo-corp-dd-wrt-02.no-ip.com"
 +# '''Save'''
-= Final Words = 
-*Some times the connection takes minutes in completing itself (more or less 30 minutes), some times is instantaneous. 
-*You can check routing table in setup tab, advanced routing subtab, show routing table botton+Now we tell the router that there is another network on the other side of the WAN.
-if there are 6 lines like:+Basically we're telling "If you want to access any host on the 192.168.1.x subnet please forward your packet trough the router at the IP address "192.168.1.1".
-{| border=1 cellspacing=0 cellpadding=5+# Goto Setup > Advanced Routing
-| WAN_IP_ADRESS+# Set Route Name to "foo-corp-dd-wrt-01"
-| 255.255.255.255+# Set Metric to "0"
-| 0.0.0.0+# Set Destination LAN NET to "192.168.1.0"
-| WAN+# Set Subnet Mask to "255.255.255.0"
-|- +# Set Gateway to "192.168.1.1"
-| 192.168.Y.1+# Set Interface to "ANY"
-| 255.255.255.255+# '''Save'''
-| 0.0.0.0+
-| WAN+
-|- +
-| 192.168.X.200+
-| 255.255.255.255+
-| 0.0.0.0+
-| WAN+
-|- +
-| 192.168.Y.0+
-| 255.255.255.0+
-| 0.0.0.0+
-| WAN+
-|- +
-| 192.168.X.0+
-| 255.255.255.0+
-| 0.0.0.0+
-| LAN & WLAN+
-|- +
-| 0.0.0.0+
-| 0.0.0.0+
-| WAN_IP_ADRESS+
-| WAN+
-|}+
-Your vpn tunnel must be established and working!!!+
-=Fixing routing from server to client network=+This router will have the role of "node".
-To fix the routing problem stated above you can try one of the folowing scripts as a startup script:+# Goto Services > PPTP
 +# Disable PPTP Server
 +# Enable PPTP Client Options
 +# Set Server IP or DNS Name to "foo-corp-dd-wrt-01.no-ip.com"
 +# Set Remote Subnet to "192.168.1.0"
 +# Set Remote Subnet Mask to "255.255.255.0"
 +# Set MPPE Encryption to "mppe required"
 +# Set MTU to "1450"
 +# Set MRU to "1450"
 +# Enable NAT
 +# Set Username to "PPTP_CLIENT_USERNAME_SITE02"
 +# Set Password to "PPTP_CLIENT_PASSWORD_SITE02"
 +# '''Save'''
-<pre>while sleep 10 
-do 
- ROUTING=`route | grep 192.168.0.0 | wc -l` 
- if [ $ROUTING -lt 1 ]; then+# Goto Security > VPN
- ip route add 192.168.0.0/24 dev ppp0+# Enable PPTP Passthrough
- fi+# Disable IPSec and L2TP Passthrough
-done</pre>+# '''Save'''
-Change 192.168.0.0 and 192.168.0.0/24 to the range of the client. 
 +Wrapping everything up..
 +# Goto Administration
 +# '''Reboot Router'''
-<pre>echo "clientip=xxx.xxx.xxx.xxx" >> /tmp/pptpd/ip-up+== Notes ==
-echo "if [ \$clientip == \$6 ]" >> /tmp/pptpd/ip-up+* The router's subnets should not intersect each other (i.e. 192.168.<XXX>.1).
-echo "then" >> /tmp/pptpd/ip-up+* The IP address pool for VPN clients must be outside the range of DHCP clients.
-echo "/usr/sbin/ip route add 192.168.0.0/24 dev \$1" >> /tmp/pptpd/ip-up+* In the example the IP range used for VPN clients were "192.168.1.200-201" thus 2 VPN clients are allowed to connect to our concentrator. You should increase this if more routers will be bridged.
-echo "fi" >> /tmp/pptpd/ip-up+
-echo "clientip=xxx.xxx.xxx.xxx" >> /tmp/pptpd/ip-down+
-echo "if [ \$clientip == \$6 ]" >> /tmp/pptpd/ip-down+
-echo "then" >> /tmp/pptpd/ip-down+
-echo "/usr/sbin/ip route delete 192.168.0.0/24 dev \$1" >> /tmp/pptpd/ip-down+
-echo "fi" >> /tmp/pptpd/ip-down+
-</pre>+
-Change xxx.xxx.xxx.xxx to the public ip address of the client.+== Issues ==
-Change 192.168.0.0 and 192.168.0.0/24 to the range of the client.+* Not sure why "NAT" is enabled, given the sites are a site to site route - NAT will break the whole premise of a site to site connection
-= Useful Links =+= See Also =
-http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1767+[[PPTP_Server_Configuration]]<br>
-http://www.dd-wrt.com/dd-wrtv2/bugtracker/+
- +
-[[PPTP_Server_Configuration]]+
[[HOW_TO_configure_a_WINDOWS_BOX_to_make_a_VPN_Connection_to_linksys]] [[HOW_TO_configure_a_WINDOWS_BOX_to_make_a_VPN_Connection_to_linksys]]
-[[Category:Advanced HOWTO]]+ 
-[[Category:English documentation]]+[[Category:PPTP]]
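Review bot: The static route the new revision adds on dd-wrt-01 (Destination LAN NET 192.168.2.0, Subnet Mask 255.255.255.0, Gateway 192.168.2.1, Interface ANY), and its mirror on dd-wrt-02 (192.168.1.0 via 192.168.1.1), names a gateway that lies inside the destination network and in no subnet listed for the router itself (dd-wrt-01 has LAN 192.168.1.0/24 and the PPTP client pool 192.168.1.200-201), so the route is unusable unless something else already reaches that gateway; the removed "Fixing routing from server to client network" startup script (`ip route add 192.168.0.0/24 dev ppp0`, plus the ip-up/ip-down variants keyed on the client's public address) is what installed a working device route on the server side, and the new revision drops it without a replacement. Suggest keeping that script (with the subnet changed to 192.168.2.0/24) as the concentrator's startup command, or stating that the remote-subnet route must be bound to ppp0 rather than to a gateway address. Two smaller points: the server's CHAP-Secrets line is written `<PPTP_CLIENT_USERNAME_SITE02> * <PPTP_CLIENT_PASSWORD_SITE02> *` while the client's Username/Password steps use the same names without angle brackets, so readers may copy mismatched credentials; and the client step "Enable NAT" contradicts the site-to-site routing this page sets up, which the new Issues section itself flags.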

Current revision

Introduction

This setup will bridge DD-WRT routers, allowing any host connected to the network to be visible from the other side of the WAN cloud. To keep this HOWTO simple I'll use only two DD-WRT routers, but theoretically you can extend the setup to any number of routers.


Notes

  • If your ISP does not provide you with a fixed IP address, you should first create a dynamic DNS account with any DD-WRT supported provider. I'll use a No-IP.com account in this article's examples.
  • I assume your WAN is already up; if you need a different setup, feel free to change whatever you need.


Tested Versions

This article should work with any supported DD-WRT version. Feel free to add your version to the following list:

  • DD-WRT v24-sp2 (01/21/09) std

Does NOT work with:

  • DD-WRT v24-sp2 (10/10/09) std-nokaid (instructions below are not for v24-sp2 firmware; may work (untested) with method from http://www.dd-wrt.com/phpBB2/viewtopic.php?p=10933#10933)

Configuration

Generic information

  • dd-wrt-01
    • Address: 192.168.1.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.1.100-150
    • DDNS: foo-corp-dd-wrt-01.no-ip.com


  • dd-wrt-02
    • Address: 192.168.2.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.2.100-150
    • DDNS: foo-corp-dd-wrt-02.no-ip.com


dd-wrt-01

This step configures the basic information for the local network.

  1. Goto Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-01"
  3. Set Local IP Address to "192.168.1.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save


Now let's make your dynamic IP address always reachable through a hostname.

  1. Goto Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-01.no-ip.com"
  5. Save


Now we tell the router that there is another network on the other side of the WAN. Basically we're telling it: "If you want to access any host on the 192.168.2.x subnet, forward your packet through the router at IP address 192.168.2.1."

  1. Goto Setup > Advanced Routing
  2. Under Static Routing:
  3. Set Route Name to "foo-corp-dd-wrt-02"
  4. Set Metric to "0"
  5. Set Destination LAN NET to "192.168.2.0"
  6. Set Subnet Mask to "255.255.255.0"
  7. Set Gateway to "192.168.2.1"
  8. Set Interface to "ANY"
  9. Save


This router will have the role of "concentrator", meaning that every router that wants to be part of our bridge should connect to it. If you've got a more complex design with three routers (A, B and C), traffic from B to C will always pass through router A.

  1. Goto Services > PPTP
  2. Enable PPTP Server
  3. Set Server IP to "192.168.1.1"
  4. Set Client IP(s) to "192.168.1.200-201"
  5. Set CHAP-Secrets to: "<PPTP_CLIENT_USERNAME_SITE02> * <PPTP_CLIENT_PASSWORD_SITE02> *"
  6. Disable PPTP Client Options
  7. Save


Saving ourselves from a headache... ;-)

  1. Goto Security > VPN
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save


This step may be optional, but routing packets through a WAN interface without encrypting them is stupid.

  1. Goto Administration > Commands
  2. Enter "sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd"
  3. Save Startup
  4. Save

Note: this will force all PPTP clients to use encryption.


Wrapping everything up...

  1. Goto Administration
  2. Reboot Router

dd-wrt-02

  1. Goto Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-02"
  3. Set Local IP Address to "192.168.2.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save


  1. Goto Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-02.no-ip.com"
  5. Save


Now we tell the router that there is another network on the other side of the WAN. Basically we're telling it: "If you want to access any host on the 192.168.1.x subnet, forward your packet through the router at IP address 192.168.1.1."

  1. Goto Setup > Advanced Routing
  2. Set Route Name to "foo-corp-dd-wrt-01"
  3. Set Metric to "0"
  4. Set Destination LAN NET to "192.168.1.0"
  5. Set Subnet Mask to "255.255.255.0"
  6. Set Gateway to "192.168.1.1"
  7. Set Interface to "ANY"
  8. Save


This router will have the role of "node".

  1. Goto Services > PPTP
  2. Disable PPTP Server
  3. Enable PPTP Client Options
  4. Set Server IP or DNS Name to "foo-corp-dd-wrt-01.no-ip.com"
  5. Set Remote Subnet to "192.168.1.0"
  6. Set Remote Subnet Mask to "255.255.255.0"
  7. Set MPPE Encryption to "mppe required"
  8. Set MTU to "1450"
  9. Set MRU to "1450"
  10. Enable NAT
  11. Set Username to "PPTP_CLIENT_USERNAME_SITE02"
  12. Set Password to "PPTP_CLIENT_PASSWORD_SITE02"
  13. Save


  1. Goto Security > VPN
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save


Wrapping everything up...

  1. Goto Administration
  2. Reboot Router

Notes

  • The routers' subnets must not overlap (i.e. the third octet in 192.168.<XXX>.1 must differ between routers).
  • The IP address pool for VPN clients must lie outside the DHCP client range.
  • In the example the IP range used for VPN clients is "192.168.1.200-201", so 2 VPN clients can connect to our concentrator. Increase this if more routers will be bridged.
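The two addressing rules above and the MPPE-hardening step under dd-wrt-01 can be checked before touching a router. The script below is an added example, not code from the DD-WRT wiki; the function names and the contents of the sample options.pptpd are constructed for illustration.

```shell
# Added example, not code from the DD-WRT wiki: checks the Notes' addressing
# rules and verifies the MPPE-hardening sed on a constructed options.pptpd.

third_octet() { echo "$1" | cut -d. -f3; }          # 192.168.1.1 -> 1

# Rule 1: the routers' LAN subnets must not overlap (third octets differ).
subnets_distinct() {
    [ "$(third_octet "$1")" != "$(third_octet "$2")" ]
}

# Rule 2: the PPTP client pool must lie outside the DHCP range.
# Args are last octets: dhcp_start dhcp_end pool_start pool_end.
pool_outside_dhcp() {
    [ "$4" -lt "$1" ] || [ "$3" -gt "$2" ]
}

# The page's hardening command, written without sed -i for portability:
# every "mppe ..." line becomes "mppe required,stateless".
harden_mppe() {
    sed -e 's/mppe .*/mppe required,stateless/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# True only if the file has an mppe line and none of them permit clear text.
mppe_required() {
    grep -q '^mppe ' "$1" || return 1
    ! grep '^mppe ' "$1" | grep -qv '^mppe required,stateless$'
}

# Constructed sample of a weak pptpd options file.
make_sample_options() {
    printf '%s\n' lock auth 'name pptpd' 'mppe optional,stateful' 'ms-dns 192.168.1.1' > "$1"
}

# Walk through the page's example: dd-wrt-01 (192.168.1.1, DHCP .100-.150,
# client pool .200-.201) and dd-wrt-02 (192.168.2.1). Returns 0 on success.
demo() {
    f="${TMPDIR:-/tmp}/options.pptpd.$$"
    make_sample_options "$f"
    mppe_required "$f" && return 1                  # weak file must be rejected
    harden_mppe "$f"
    mppe_required "$f" || return 1                  # hardened file must pass
    rm -f "$f"
    subnets_distinct 192.168.1.1 192.168.2.1 || return 1
    pool_outside_dhcp 100 150 200 201 || return 1
    pool_outside_dhcp 100 150 140 160 && return 1   # overlap must be caught
    return 0
}
```

Run `demo` on any POSIX shell; it exits 0 only when the sample file is rejected before hardening, accepted after it, and both addressing rules hold for the page's two sites.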

Issues

  • Not sure why "NAT" is enabled, given the sites are a site-to-site route; NAT will break the whole premise of a site-to-site connection.

See Also

PPTP_Server_Configuration
HOW_TO_configure_a_WINDOWS_BOX_to_make_a_VPN_Connection_to_linksys