PPTP Server Configuration

From DD-WRT Wiki


A PPTP server (Point-to-Point Tunneling Protocol) allows you to connect securely from a remote location (such as your home) to a LAN (Local Area Network) located somewhere else, such as your workplace or business office. This way you can use the services provided in your office from the comfort of your home.


Introduction

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP has been made obsolete by the Layer 2 Tunneling Protocol (L2TP), IPsec and OpenVPN, but it is still commonly used and natively supported by a large range of routers and clients. One of the big advantages of using PPTP over OpenVPN with DD-WRT is that PPTP is supported out of the box in the 4Mb firmware images and up.

For an alternative, have a look at the OpenVPN article.

IP Addresses

To avoid IP address conflicts, the IP addresses on your LAN should differ from the LAN addresses at the remote VPN end. Since the default 192.168.1.0 subnet is very commonly used, set a less common range for your LAN, such as 192.168.111.0 (or something random in the vast 10.0.0.0 block), in Setup > Basic Setup.

Security

A PPTP implementation may not fulfil enterprise-class security requirements; in fact it has known security flaws and is considered deprecated, but for home use, or for deployments that do not depend on strong encryption, it should be sufficient. Just be sure to use strong passwords of more than 12 characters. With this ticket we request EAP-TLS authentication in DD-WRT. This would add support for X.509 certificates, which would considerably increase PPTP security (depending on the certificate strength) and bring it back to enterprise-class security.

PPTP Server

  1. On BCM routers make sure you have flashed at least the "mini" firmware to your router. All other routers have the PPTP server by default.
  2. Go to the web administration interface, open the "ADMINISTRATION" tab and then the "SERVICES" sub-tab.
  3. Scroll down and you will see "PPTP Server". This option is disabled by default, so to set up PPTP, click "ENABLE". (In v24 and higher, PPTP is a sub-tab of the Services main tab.)
  4. Click "Enable" and then click "Save Settings". After you see the message "Settings Are Successful", click "Continue". (In newer versions this step may be skipped, because the options are shown automatically when you click "Enable".)
  5. While still in the "SERVICES" sub-tab, complete the options you need. Descriptions of the options can be found below.
  6. Finally, scroll down, click "Save Settings", and then click "REBOOT ROUTER". This step is very important: no matter what you have configured, if you don't reboot the router, the settings will not take effect.
  7. Once you have completed the data input, scroll down and click "Save Settings" to save the changes; on the "Settings Are Successful" page click "Continue" and then the "SERVICES" tab again, where you can double-check the values of your PPTP server.

NOTE: After you have done this, only computers running the Windows operating system will be able to connect through the WAN port of the router. Many other operating systems will not work, and trying to connect from a LAN port will not work.

Any questions can be posted on the forums, or go to www.facebook.com, log in, search for "Marcelo Semino" (Public Figure), become a fan of me, and then I will help you with your VPN problem for free.


Options

There are some options you need to know about if you would like to set up e.g. Linux clients. The server requires:

  • mschap-v2
  • mppc compression

PPTP Server

Enables or Disables the Service.

Broadcast Support

Default: disabled

In disabled mode pptpd sets proxy-arp, which works for broadcasting in most cases. When enabled, bcrelay will relay all broadcast messages to the default bridge network. This increases CPU load a lot and is not recommended.

MPPE Encryption

Default: enabled

DD-WRT forces clients to use 128-bit encryption. When this is disabled, encryption is still allowed for clients but not forced.

DNS

Add your local/WAN DNS server. Setting DNS2 is optional.

WINS

Add your local WINS servers. These settings are optional.

MTU/MRU

Default: 1436

These settings are very important for correctly working connections. Both settings should be set to the same value. The default values are valid for Ethernet packet networks with an MTU of 1500 bytes. If you want to use PPTP on other (WAN) connections, e.g. DSL, coax, fiber, etc., you will have to adjust the values until they work. Set them to 1300 and check the connection. If it works, increase the MTU until the connection stops working correctly, then go back to the last working setting.
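The probing described above can be automated from a Linux client. The following script is an added example and is not part of the DD-WRT wiki or of DD-WRT itself: it assumes iputils ping (whose -M do option sets the Don't-Fragment bit) and uses PROBE_HOST as a placeholder for the router's WAN address. It measures the largest packet that crosses the underlying path unfragmented and then derives the PPTP value from the page's own defaults (1436 for a 1500-byte Ethernet link, i.e. 64 bytes of tunnel overhead).

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: automate the MTU probing the page
# describes (start low, raise the size until it stops working, then step back).
# Assumptions: run on a Linux client with iputils ping (-M do sets Don't-Fragment);
# PROBE_HOST is a placeholder for the router's WAN address or hostname.
PROBE_HOST=${PROBE_HOST:-vpn.example.invalid}

# Overhead between the link MTU and the PPTP MTU/MRU, taken from the page's
# defaults: a 1500-byte Ethernet link uses 1436, i.e. 64 bytes for GRE/PPP.
PPTP_OVERHEAD=64

# ping_probe SIZE: succeeds only if a SIZE-byte IP packet crosses the path
# unfragmented. 28 bytes are the IP and ICMP headers that ping adds to -s.
ping_probe() {
    ping -c 1 -W 1 -M do -s $(( $1 - 28 )) "$PROBE_HOST" >/dev/null 2>&1
}

# find_mtu PROBE LOW HIGH STEP: raise the size from LOW in STEP increments while
# PROBE succeeds, then binary-search the last interval for the exact limit.
# Prints the largest size that works; returns 1 if even LOW fails.
find_mtu() {
    probe=$1; low=$2; high=$3; step=$4
    "$probe" "$low" || return 1
    good=$low
    while [ $((good + step)) -le "$high" ] && "$probe" $((good + step)); do
        good=$((good + step))
    done
    bad=$((good + step))
    [ "$bad" -le "$high" ] || bad=$((high + 1))   # nothing above HIGH is tried
    while [ $((bad - good)) -gt 1 ]; do
        mid=$(( (good + bad) / 2 ))
        if "$probe" "$mid"; then good=$mid; else bad=$mid; fi
    done
    echo "$good"
}

# pptp_mtu_for_link LINK_MTU: the MTU/MRU value to enter on the PPTP Server page.
pptp_mtu_for_link() {
    echo $(( $1 - PPTP_OVERHEAD ))
}

# Run the real probe only when asked: sh mtu-probe.sh --run
if [ "${1:-}" = "--run" ]; then
    link=$(find_mtu ping_probe 1300 1500 50) || { echo "even 1300 bytes does not pass" >&2; exit 1; }
    echo "link MTU $link -> set PPTP MTU/MRU to $(pptp_mtu_for_link "$link")"
fi
```

The probe characterises the path between the client and the router, not the tunnel itself, so the page's final check still applies: enter the derived value for both MTU and MRU, connect, and only then trust it.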

Server IP

Your LAN IP Address. (An IP from your network that is not used by any computer or the router).

Example (assuming DD-WRT LAN address 192.168.111.1): 192.168.111.2

When you are off site you will connect to the VPN (using port 1723 for PPTP by default). The request hits the router's external IP (the one provided by your ISP). The router's NAT detects an incoming packet on port 1723 and establishes a connection to the VPN server by forwarding it to 192.168.111.2. The router creates a ppp0 interface on itself, which you will be able to see after connecting to the VPN. The problem with using the router's LAN IP as the PPTP server IP is that by default it is bridged, and ppp0 cannot be added to the bridge: you will connect but only be able to ping your client IP and the router IP.

Client IP(s)

The client IP range. Leaving it blank will not work. You have to enter it in the format 192.168.111.xxx-yyy.

IPs in this range are handed out to connecting clients. They should be valid IP addresses on the LAN segment of the network, and outside the DHCP address range.

Note: Inputting client IPs in the format 192.168.111.200-192.168.111.220 does not work.

Working Example (assuming DHCP range of 192.168.111.100-199): 192.168.111.200-220
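Because a wrong value here fails silently or causes address collisions, it is worth checking it before saving. The script below is an added example, not part of the DD-WRT wiki or firmware: it accepts only the short form the page says works, rejects the long form, and verifies that the range stays outside the DHCP pool (given in the same short form) and does not contain the router or PPTP server address passed as extra arguments.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki): check a "Client IP(s)" value before
# pasting it into the PPTP Server page. Only the short form 192.168.111.200-220
# is accepted (the page notes the long form 192.168.111.200-192.168.111.220 does
# not work); the range must be disjoint from the DHCP pool and must not contain
# reserved addresses such as the router IP or the PPTP server IP.

# parse_range SPEC: sets $prefix, $start, $end from "A.B.C.start-end"; returns 1 otherwise.
parse_range() {
    spec=$1
    case "$spec" in
        *.*.*.*-*) ;;
        *) return 1 ;;
    esac
    prefix=${spec%.*}      # e.g. 192.168.111
    hosts=${spec##*.}      # e.g. 200-220
    start=${hosts%-*}
    end=${hosts#*-}
    # The long form leaves a '-' inside $prefix and is rejected here.
    case "$prefix$start$end" in *[!0-9.]*) return 1 ;; esac
    [ -n "$start" ] && [ -n "$end" ] || return 1
    oldifs=$IFS; IFS=.; set -- $prefix; IFS=$oldifs
    [ $# -eq 3 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$start" -ge 1 ] && [ "$start" -le "$end" ] && [ "$end" -le 254 ]
}

# check_client_range CLIENT_RANGE DHCP_RANGE [RESERVED_IP ...]
# Returns 0 when the client range is well formed, on the same /24 as the DHCP
# pool, disjoint from it, and free of the reserved addresses.
check_client_range() {
    parse_range "$1" || { echo "bad client range: $1" >&2; return 1; }
    c_prefix=$prefix; c_start=$start; c_end=$end
    parse_range "$2" || { echo "bad DHCP range: $2" >&2; return 1; }
    if [ "$c_prefix" != "$prefix" ]; then
        echo "client range $1 is not on the DHCP pool's network $prefix.0" >&2; return 1
    fi
    if [ "$c_start" -le "$end" ] && [ "$start" -le "$c_end" ]; then
        echo "client range $1 overlaps DHCP pool $2" >&2; return 1
    fi
    shift 2
    for ip in "$@"; do
        host=${ip##*.}
        case "$ip" in *.*.*.*) ;; *) echo "bad address: $ip" >&2; return 1 ;; esac
        case "$host" in ''|*[!0-9]*) echo "bad address: $ip" >&2; return 1 ;; esac
        if [ "${ip%.*}" = "$c_prefix" ] && [ "$host" -ge "$c_start" ] && [ "$host" -le "$c_end" ]; then
            echo "reserved address $ip falls inside client range $1" >&2; return 1
        fi
    done
    echo "ok: client range $1 is outside DHCP pool $2"
}

# The page's own numbers: router 192.168.111.1, server 192.168.111.2.
check_client_range 192.168.111.200-220 192.168.111.100-199 192.168.111.1 192.168.111.2
```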

Max Associated Clients

Max allowed concurrent clients.

Authentication

Radius or CHAP Secrets

RADIUS is an authentication server that authenticates and controls access. It can be used for centralized authentication control of services, e.g. Wi-Fi, FTP, PPTP, PPPoE server and OpenVPN. It is included in the professional builds of 16MB and up.

CHAP-Secrets

The usernames and passwords used to log in to the PPTP server are configured here. Pay close attention to the use of spaces and asterisks between usernames and passwords; authentication will not work without them. The last asterisk can be replaced with a fixed IP for the client if needed.

General Syntax:

 Username * Password *
 (username_to_use,blank space,asterisk,blank space,password_to_use,blank space,asterisk)
 Username * Password IP

Example:

marcelo * semino *

or

eduardo * crea 192.168.111.34

The above creates two accounts, 'marcelo' and 'eduardo', with the passwords 'semino' and 'crea' respectively (the second one with a fixed client IP).

WARNING: Do NOT forget the spaces between asterisk and usernames/passwords. If you omit them it will not work.

Client Settings

Mac OSX

If you are using Mac OS X, you may experience problems connecting to the DD-WRT PPTP server; this is because the server offers encryption as optional, while Mac OS X insists on it once encryption is selected.

Your options are to either:

  • Client (Mac OS X): Set encryption to None.
  • Server (your router): Force encryption.


Tscheiby 20:50, 22 February 2011 (CET)
There seems to be a bug in 10.6 which leads to using DNS Servers supplied by DD-WRT PPTP Server even if the VPN Connection is configured not to be the default route. This might be a problem. It breaks local DNS setups. The options.pptpd File must be rewritten and put into Startup Scripts like below.

The Rewrite goes as follows:

sed -i -e '/ms-dns/d' /tmp/pptpd/options.pptpd

This simply removes every DNS entry in the options.pptpd file.

iOS/iPhone

  • See DNS Issues below for iPhones!

iOS 4.3

Many people have reported that iOS 4.3+ breaks PPTP VPN connections to DD-WRT routers and even to some commercial VPN providers. Add the following code to your DD-WRT startup commands to work around the bug:

#!/bin/sh
# Tell pppd not to negotiate protocol-field and address/control-field
# compression, which iOS 4.3+ clients mishandle. options.pptpd lives in /tmp
# and is regenerated at boot, so this must run as a startup command.
echo "nopcomp" >> /tmp/pptpd/options.pptpd
echo "noaccomp" >> /tmp/pptpd/options.pptpd
# Stop the running pptpd and start it again with the new options. The [p]ptpd
# pattern keeps grep from matching its own command line, and awk copes with
# the leading spaces in busybox "ps" output (cut -d ' ' -f 1 would not).
kill $(ps | grep '[p]ptpd' | awk '{print $1}')
pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd

Windows XP

Step 1: Go to "Network Connections" in Windows and click "make new connection", as you see in the image below, then click "NEXT".

Image:VPN1.JPG


Step 2: Now select "make a connection to my office/workplace"; it is the 2nd option.

Image:VPN2.JPG


Step 3: Now select "VPN Connection".

Image:VPN3.JPG


Step 4: Give the connection a name. This name is only used to label the connection; it has nothing to do with the VPN connection itself.

Image:VPN4.JPG


Step 5: If you have to connect to the Internet with a dial-up connection before connecting to the VPN, this is where you set that up.

Image:VPN5.JPG


Step 6: This is the most important step: make sure you type the WAN IP address of your Linksys correctly, because otherwise you won't be able to connect to it. Note that you have to provide the EXTERNAL IP address (the one on the WAN interface). You can use DynDNS or a similar service if your ISP issues dynamic IPs. You can also type an FQDN here, something like mylinksys.dyndns.org.

Image:VPN6.JPG


Step 7: Here we can see a summary of our new network connection.

Image:VPN7.JPG


Step 8: Now enter the username and password configured on the PPTP server in the Linksys so the connection can be authenticated, as you can see in the screenshot below.

Image:VPN8.JPG


NOW click on connect and if you have the correct settings you will connect over VPN to DD-WRT.


Extra Configuration (Optional)

Use the Local Default Gateway

By default windows will use the remote gateway to access non-local networks (i.e. The Internet) while connected via a windows VPN connection. Unless your VPN is over a high speed network, or you have specific need for using the remote gateway to access certain resources, it is generally more efficient to use the local gateway. To configure the VPN connection to use the local gateway do the following:

Step 1: Open Network connections from the control panel. Right click on the VPN connection you would like to modify and click "Properties"

Step 2: Select "Internet Protocol (TCP/IP)" option from the item box and click "Properties"

Step 3: Click "Advanced" and Un-Tick "Use default gateway on remote network"

Step 4: Click OK until you return to the Network Connections control panel

Your VPN will now be configured to use the local default gateway.

Change the VPN network access order

While connected to a VPN you will have at least 2 active network connections, and this can cause problems for some applications when they have to decide which connection to use. For example, if a game uses broadcast packets to tell all the other game clients that it is hosting a game, which connection should it use? The standard network card connection or the VPN? We can change the access order to ensure the application prefers the VPN connection over other networks. To change the network access order do the following:

Step 1: Open Network Connections from the Control Panel. Select the "Advanced" menu from the top toolbar and click "Advanced Settings..."

Step 2: In the connections box, select the VPN connection you wish to modify and click the Up arrow until it is at the top of the list.

Step 3: Click OK until you return to the Network Connections control panel

The VPN will now be the preferred network connection.

Troubleshooting

Windows XP & Internet Connection

If you use the VPN client built into Windows XP, you might find that your Internet connection dies once the VPN connection is established. This is a result of the default settings for Windows XP VPN connections.

See: Use the Local Default Gateway


Special Characters

Check passwords (chap-secrets file) for special characters (a # character in the password breaks pptp). The admin password of the router is inserted into chap-secrets by default! --Krikkit 12:12, 7 Mar 2006 (CET)

Special characters work fine if you wrap the password in double quotes ("). Example: test * "123456#" *
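The CHAP-Secrets syntax described under Options (spaces and asterisks are mandatory, the last field may be a fixed client IP) and the quoting fix above are easy to get wrong by hand. The script below is an added example and is not part of the DD-WRT wiki or of pptpd: it prints lines in exactly the required shape, quotes any password containing characters outside letters and digits, enforces the page's "more than 12 characters" advice, and validates a fixed client IP. The restriction of usernames to letters, digits and _.@- is a choice made here, not a pptpd rule, and a password containing a double quote is refused because the page does not show how to escape one.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: produce CHAP-Secrets lines in the exact
# "user * password *" or "user * password client-ip" shape the page requires,
# wrapping passwords that contain special characters such as '#' in double quotes
# (the fix given under Troubleshooting) and enforcing the page's ">12 characters"
# advice. Assumptions: usernames are limited to letters, digits and _.@- (a choice
# made here, not a pptpd rule), and a password containing '"' is refused because
# the page does not show how to escape one.

# valid_ip ADDR: four decimal octets, each 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# chap_line USER PASSWORD [CLIENT_IP]: print one line for the CHAP-Secrets field.
chap_line() {
    user=$1; pass=$2; ip=${3:-*}
    case "$user" in
        ''|*[!A-Za-z0-9_.@-]*) echo "chap_line: unsupported username '$user'" >&2; return 1 ;;
    esac
    [ "${#pass}" -gt 12 ] || { echo "chap_line: password for $user must be longer than 12 characters" >&2; return 1; }
    case "$pass" in
        *\"*) echo "chap_line: a double quote in the password is not supported" >&2; return 1 ;;
        *[!A-Za-z0-9]*) pass="\"$pass\"" ;;   # special characters: quote the whole password
    esac
    if [ "$ip" != '*' ]; then
        valid_ip "$ip" || { echo "chap_line: bad client IP '$ip'" >&2; return 1; }
    fi
    printf '%s * %s %s\n' "$user" "$pass" "$ip"
}

# Constructed accounts; paste the printed lines into the CHAP-Secrets field.
chap_line marcelo correcthorsebattery
chap_line eduardo 'crea-2011-secret' 192.168.111.34
chap_line test 'pass#word12345'
```

The page's own short examples such as 'semino' would be rejected by the length check, which is deliberate: it applies the page's Security advice to the place where passwords are actually entered.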

Outgoing PPTP Connections

Another issue in v.23 is that outgoing PPTP traffic cannot pass through the router while the PPTP server is enabled. There is a fairly complicated fix for this issue in the dd-wrt forum.

A simple, if awkward, workaround seems to have been found at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=30245#30245 and http://www.dd-wrt.com/phpBB2/viewtopic.php?p=643714#643714.

DMZ

DMZ must be DISABLED in order to work --ptodic 21:36, 8 Mar 2006 (CET)

Update: Actually, DMZ does NOT need to be disabled. A better solution is to go to Applications & Gaming - Port Forwarding and add a new line:

app: whatever name you want
port from: 1723
protocol: tcp
ip address: LAN IP of the router (default 192.168.1.1)
port to: 1723
enable: checked
--curlyboi 19:20, 6 Jan 2007 (CET)

Disconnects

If you're unable to connect to the PPTP server, or can only connect occasionally and not for more than a few minutes at a time, and you use a WAN device that does PPPoE onboard (like a SpeedStream 5100b DSL modem), you may have to disable the onboard PPPoE and use the PPPoE on the WRT54G. The GRE that PPTP needs sometimes gets mangled by the WAN device, probably because it uses a buggy layer 3 stack that corrupts or doesn't pass the GRE packets to your WRT.

You may also have disconnects if the actual network that the client is on is the same subnet that the server is on (e.g. client subnet is 192.168.1.0/24 and the DD-WRT server subnet is 192.168.1.0/24). This causes IP collisions. The best solution is to change the subnet of the server or client network to something unique, such as 192.168.5.0/24 (i.e. an IP range of 192.168.5.1-255 with a netmask of 255.255.255.0).

Two DD-WRT Boxes

If a PPTP connection between two DD-WRT boxes fails with the error message "IPCP terminated by peer (Unauthorized remote IP address)", you need the "noipdefault" option on the client side. You can add pptpd.conf options through the web GUI using the MPPE Encryption field. In this case set "MPPE Encryption" to "noipdefault mppe required". --Veekoo 12:51, 15 Aug 2006 (CEST)

Also see [1] for instructions on how to connect two or more DD-WRT routers via PPTP. --Disk Crasher 08:58, 18 October 2009 (CEST)

DNS Issues

Your client may not get the correct DNS settings. To correct this, do the following.

To permanently set the WINS/DNS values that the PPTP server assigns to clients, set and commit the following nvram parameters:

Code:

  nvram set pptpd_dns1=ip-address-of-first-dns-server
  nvram set pptpd_dns2=ip-address-of-second-dns-server
  nvram set pptpd_wins1=ip-address-of-first-wins-server
  nvram set pptpd_wins2=ip-address-of-second-wins-server

Example:

To have the PPTP server give out a wins/netBios address of "10.0.0.5", you would type the following in a SSH/telnet session into the router:

Code:

  nvram set pptpd_wins1=10.0.0.5
  nvram commit
  reboot

Example:

To have the PPTP server give out a DNS address of "10.0.0.5", you would type the following in a SSH/telnet session into the router:

Code:

  nvram set pptpd_dns1=10.0.0.5
  nvram commit
  reboot
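A typo in one of these values is committed to flash and only shows up as broken name resolution on the clients. The script below is an added example, not part of the DD-WRT wiki or firmware: it wraps the same nvram commands, refuses anything that is not a dotted-quad IPv4 address, sets all four keys, and commits once. NVRAM names the nvram binary and can be overridden (for instance NVRAM=echo) to dry-run the script off the router.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: hand DNS/WINS addresses to the PPTP
# server the way the page shows (nvram set ... ; nvram commit), but refuse
# anything that is not a dotted-quad IPv4 address so a typo is never committed,
# and commit only once after all keys are set.
# Assumption: NVRAM names the nvram binary; set NVRAM=echo to dry-run off the router.
NVRAM=${NVRAM:-nvram}

# valid_ip ADDR: four decimal octets, each 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# set_key NAME VALUE: skip empty values, validate the rest, then nvram set.
set_key() {
    [ -n "$2" ] || return 0
    valid_ip "$2" || { echo "refusing $1=$2: not an IPv4 address" >&2; return 1; }
    "$NVRAM" set "$1=$2"
}

# set_pptpd_servers DNS1 DNS2 WINS1 WINS2 ("" leaves that key untouched).
# Nothing is committed unless every given value passed validation.
set_pptpd_servers() {
    set_key pptpd_dns1 "$1" &&
    set_key pptpd_dns2 "$2" &&
    set_key pptpd_wins1 "$3" &&
    set_key pptpd_wins2 "$4" || return 1
    "$NVRAM" commit
}

# Usage on the router, with the page's values (DNS and WINS at 10.0.0.5):
#   sh pptpd-dns.sh --apply 10.0.0.5 "" 10.0.0.5 ""
# iPhone clients may additionally need a public resolver such as 8.8.8.8 as DNS2.
if [ "${1:-}" = "--apply" ]; then
    set_pptpd_servers "${2:-}" "${3:-}" "${4:-}" "${5:-}" && echo "committed; reboot the router to apply"
fi
```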

Update (6 Nov 2010): due to a bug on the iPhone, DNS resolution only works if a public DNS server is handed out, such as Google's 8.8.8.8!

Broadcast to VPN Clients

From: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=4786

Issue: how do you get a broadcast IP belonging to one subnet to additionally broadcast on another subnet? The answer is routing.

For example, say you're hosting a multiplayer game like Warcraft 3 that uses the broadcast IP of the subnet mask the host computer is running on. When you run cmd -> ipconfig on the hosting computer, you will most likely see that the subnet mask on your local area connection is 255.255.255.0. If you do the same on a client computer connected to the PPTP server, you will see that the subnet mask of the VPN connection differs from the local area connection: the local area connection has subnet mask 255.255.255.0 and the VPN connection 255.255.255.255. This means that the VPN connection is on a different subnet.

So the PPTP server uses subnet mask 255.255.255.255 while your game is hosting on a 255.255.255.0 subnet. Because of this, the VPN connection will never receive the messages broadcast to the broadcast IP of the other subnet. That's why the clients can't find the host in games that use the broadcast IP to announce their presence.

Let's say your router IP is 10.0.0.1. You have set up the PPTP server to accept 10 VPN connections in the range 10.0.0.50-59 (use addresses outside the DHCP range!). In a subnet with subnet mask 255.255.255.0 you have a total of 254 IP addresses available (10.0.0.1 - 10.0.0.254); .255 is reserved for broadcasting on the respective subnet. The only difference is that, as mentioned, the IP addresses reserved for the PPTP server are under a different subnet mask, and thus on another subnet.

To add a static route to send Broadcast packets to the remote network, do the following:

  1. Open the DD-WRT web configuration
  2. Select Basic Setup -> Advanced Routing
  3. Change the following settings:
     Dest. LAN IP: 10.0.0.1
     Subnet mask: 255.255.255.255
     Gateway: 0.0.0.0
     Interface: LAN/WLAN

Now we have created a static route that routes a connection between those subnets.

v24 SP1 vpn note: The above route appears to get created automatically when setting up a PPTP connection (verified by typing "route" in the CLI). However, broadcast packets do not route, even if a static route is also added to 10.0.0.0/255.255.255.0. The SP2 build has an option to enable bcrelay but that too doesn't appear to be working at this time. --Disk Crasher 04:32, 23 October 2009 (CEST)


See Also:

http://www.dd-wrt.com/wiki/index.php/Point-to-Point_PPTP_Tunneling_with_two_DD-WRT

Uncheck 'Filter WAN NAT Redirection'

If you can connect to the VPN PPTP server from outside (WAN), but on the LAN side can only reach (connect/ping) the router IP, the PPTP server IP (mostly the same as the router IP) and your own PPTP client IP and nothing else, then you should check the security settings of your router.

1. In the web GUI go to 'Security', then 'Firewall', and look at 'Block WAN Requests'.
2. Uncheck the entry 'Filter WAN NAT Redirection'.

After that you can connect to all your servers, clients etc. on LAN side behind your PPTP server from the PPTP client side.

Example Configuration

Using the DD-WRT based Buffalo firmware on a WHR-HP-G300N, the following configuration works great.

My router's IP address is set to 10.0.0.1. DHCP gives addresses from 10.0.0.100 to 10.0.0.130.

PPTP

1. Server Enable
2. broadcast support enable
3. force encryption enable
4. server ip 10.0.0.2
5. client ip 10.0.0.200-220
6. chap secrets     user * password *

Port Forwarding

1. VPN1 1723 TCP 10.0.0.1 1723 Enable
2. VPN2 1792 TCP 10.0.0.1 1792 Enable

Note how port forwarding is forwarded to the router's IP, not the PPTP server IP.

Save and Apply all settings and REBOOT ROUTER