PPTP Tunneling

From DD-WRT Wiki

Revision as of 01:41, 4 February 2009

Introduction

This setup will bridge DD-WRT routers, allowing hosts on each router's LAN to reach each other across the WAN cloud. To keep this HOWTO simple I'll use only two DD-WRT routers, but theoretically you can extend the setup to any number of routers.


Notes

  • If your ISP does not provide you with a fixed IP address, you should now create a dynamic DNS account with any DD-WRT supported provider. I'll use a No-IP.com account in the examples.
  • I assume you've already got your WAN up; if you need a different setup, feel free to change whatever you need.


Configuration

Generic information

  • dd-wrt-01
    • Address: 192.168.1.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.1.100-150
    • DDNS: foo-corp-dd-wrt-01.no-ip.com


  • dd-wrt-02
    • Address: 192.168.2.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.2.100-150
    • DDNS: foo-corp-dd-wrt-02.no-ip.com


dd-wrt-01

This step will configure the basic information for the local network.

  1. Goto Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-01"
  3. Set Local IP Address to "192.168.1.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save


Now let's make your dynamic IP address always reachable through a hostname.

  1. Goto Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-01.no-ip.com"
  5. Save


Now we tell the router that there is another network on the other side of the WAN. Basically we're telling it: "If you want to reach any host on the 192.168.2.x subnet, forward your packet through the router at the IP address 192.168.2.1".

  1. Goto Setup > Advanced Routing
  2. Under Static Routing:
  3. Set Route Name to "foo-corp-dd-wrt-02"
  4. Set Metric to "0"
  5. Set Destination LAN NET to "192.168.2.0"
  6. Set Subnet Mask to "255.255.255.0"
  7. Set Gateway to "192.168.2.1"
  8. Set Interface to "ANY"
  9. Save


Once upon a time someone said that "Loopback" should be disabled, but I can't find a reason for it, so I think this should be the way to go.

  1. Goto Administration > Management
  2. Enable "Loopback"
  3. Enable "Routing"
  4. Set Maximum Ports: 4096
  5. Set TCP Timeout: 3600
  6. Set UDP Timeout: 120
  7. Save


This router will have the role of "concentrator", meaning that every router that wants to be part of our bridge should connect to it. If you've got a more complex design with three routers (A, B and C), traffic from B to C will always pass through router A.

  1. Goto Services > PPTP
  2. Enable PPTP Server
  3. Set Server IP to "192.168.1.1"
  4. Set Client IP(s) to "192.168.1.200-201"
  5. Set CHAP-Secrets to: "<PPTP_CLIENT_USERNAME_SITE02> * <PPTP_CLIENT_PASSWORD_SITE02> *"
  6. Disable PPTP Client Options
  7. Save


Saving ourselves from a headache.. ;-)

  1. Goto Security > VPN
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save


This step may be optional, but routing packets through a WAN interface without encryption is stupid.

  1. Goto Administration > Commands
  2. Enter "sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd"
  3. Save Startup
  4. NOTE: This will force all PPTP clients to use encryption
  5. Save
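To confirm that the Startup command really produced the hardened line, here is an added POSIX shell example (not from the original page or the DD-WRT project) that runs the same sed over a constructed copy of options.pptpd and checks the result; on the router the live file is /tmp/pptpd/options.pptpd as the step above says.

```shell
#!/bin/sh
# Added example: apply and verify the MPPE hardening from the step above.
# The sample file below is constructed for the demo; the live file on the
# router is /tmp/pptpd/options.pptpd.

# harden_mppe FILE: exactly the substitution the Startup command performs
harden_mppe() {
  sed -i -e 's/mppe .*/mppe required,stateless/' "$1"
}

# mppe_required FILE: succeeds (exit 0) only if an active "mppe required"
# line is present, i.e. pppd will refuse clients that do not negotiate MPPE
mppe_required() {
  [ -r "$1" ] && grep -q '^mppe required' "$1"
}

# demo: a weak file where encryption is merely permitted, then the hardened one
demo() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
lock
name pptpd
proxyarp
mppe stateless
EOF
  if mppe_required "$f"; then
    echo "before: encryption already required"
  else
    echo "before: encryption optional, a client may connect in the clear"
  fi
  harden_mppe "$f"
  if mppe_required "$f"; then
    echo "after: $(grep '^mppe' "$f")"
  fi
  rm -f "$f"
}

demo
```

On the router itself, running `mppe_required /tmp/pptpd/options.pptpd` after the reboot tells you whether the Startup command took effect.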


Wrapping everything up..

  1. Goto Administration
  2. Reboot Router

dd-wrt-02

  1. Goto Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-02"
  3. Set Local IP Address to "192.168.2.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save


  1. Goto Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-02.no-ip.com"
  5. Save


Now we tell the router that there is another network on the other side of the WAN. Basically we're telling it: "If you want to reach any host on the 192.168.1.x subnet, forward your packet through the router at the IP address 192.168.1.1".

  1. Goto Administration > Advanced Routing
  2. Set Route Name to "foo-corp-dd-wrt-01"
  3. Set Metric to "0"
  4. Set Destination LAN NET to "192.168.1.0"
  5. Set Subnet Mask to "255.255.255.0"
  6. Set Gateway to "192.168.1.1"
  7. Set Interface to "ANY"
  8. Save


  1. Goto Administration > Management
  2. Enable "Loopback"
  3. Enable "Routing"
  4. Set Maximum Ports: 4096
  5. Set TCP Timeout: 3600
  6. Set UDP Timeout: 120
  7. Save


This router will have the role of "node".

  1. Goto Services > VPN
  2. Disable PPTP Server
  3. Enable PPTP Client Options
  4. Set Server IP or DNS Name to "foo-corp-dd-wrt-01.no-ip.com"
  5. Set Remote Subnet to "192.168.1.0"
  6. Set Remote Subnet Mask to "255.255.255.0"
  7. Set MPPE Encryption to "mppe required"
  8. Set MTU to "1450"
  9. Set MRU to "1450"
  10. Enable NAT
  11. Set Username to "PPTP_CLIENT_USERNAME_SITE02"
  12. Set Password to "PPTP_CLIENT_PASSWORD_SITE02"
  13. Save


  1. Goto Security > VPN Passthrough
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save


Wrapping everything up..

  1. Goto Administration
  2. Reboot Router


Notes

  • The routers' subnets should not intersect each other (i.e. use a different 192.168.<XXX>.1 at each site).
  • The IP address pool for VPN clients must be outside the range of DHCP clients.
  • In the example the IP range used for VPN clients was "192.168.1.200-201", so 2 VPN clients are allowed to connect to our concentrator. You should increase this if more routers will be bridged.
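The three notes above can be checked mechanically before you type anything into the routers. This is an added POSIX shell example (not from the page or from DD-WRT) that encodes the addresses from the Generic information section; the pool sizing check takes the number of node routers as an argument, which the page leaves at one.

```shell
#!/bin/sh
# Added example: sanity-check the addressing plan against the Notes.
# ip2int A.B.C.D -> the address as an integer so ranges can be compared
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# net_overlap NET1 MASK1 NET2 MASK2: 0 if the subnets share any address
# (for prefix masks they overlap iff they agree under the shorter mask)
net_overlap() {
  a=$(ip2int "$1"); ma=$(ip2int "$2"); b=$(ip2int "$3"); mb=$(ip2int "$4")
  if [ "$ma" -lt "$mb" ]; then m=$ma; else m=$mb; fi
  [ $(( a & m )) -eq $(( b & m )) ]
}
# in_subnet IP NET MASK: 0 if IP belongs to NET/MASK
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}
# ranges_disjoint A1 A2 B1 B2: 0 if inclusive ranges A1-A2 and B1-B2 do not touch
ranges_disjoint() {
  [ "$(ip2int "$2")" -lt "$(ip2int "$3")" ] || [ "$(ip2int "$1")" -gt "$(ip2int "$4")" ]
}
# pool_size FIRST LAST -> number of addresses, i.e. how many node routers fit
pool_size() {
  echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}
# check_plan [NODES]: 0 only if every note holds for the page's addresses
check_plan() {
  nodes=${1:-1}
  if net_overlap 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0; then
    echo "FAIL: the two LAN subnets overlap"; return 1
  fi
  if ! ranges_disjoint 192.168.1.200 192.168.1.201 192.168.1.100 192.168.1.150; then
    echo "FAIL: VPN client pool collides with the DHCP range"; return 1
  fi
  if ! in_subnet 192.168.1.200 192.168.1.0 255.255.255.0 || ! in_subnet 192.168.1.201 192.168.1.0 255.255.255.0; then
    echo "FAIL: VPN client pool lies outside the concentrator LAN"; return 1
  fi
  if [ "$(pool_size 192.168.1.200 192.168.1.201)" -lt "$nodes" ]; then
    echo "FAIL: pool too small for $nodes node routers"; return 1
  fi
  echo "OK: plan satisfies all three notes"
}

check_plan "$@"
```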


See Also

PPTP_Server_Configuration
HOW_TO_configure_a_WINDOWS_BOX_to_make_a_VPN_Connection_to_linksys