This post is the last in the series of upgrades I completed on my router running the new TomatoUSB router firmware. Most of the material for this post comes from this tutorial.
Requirements:
- A router running TomatoUSB
- Optware installed and configured on the router
- A way to reach the router from outside the home network, such as a dynamic DNS name
- A VPN client to connect to the router
Installation
Log onto your TomatoUSB router via SSH and run the following in the shell:
ipkg install poptop
That is it. Wait for ipkg to do its thing and the installation is done.
Configuration
Edit the file /opt/etc/pptpd.conf
I set up what is called a Single-Net configuration: after logging in, the entire network is available to the VPN client. This was a home network, and I wasn't going to implement any sort of zoning on it.
Ensure the following line is commented out:
#logwtmp
Establish the list of available IP addresses. Here is what I have:
localip 192.168.1.1 # This is the local IP address of the router
remoteip 192.168.1.245-254 # These are the remote IPs handed out when a VPN client connects
Edit the file /opt/etc/ppp/options.pptpd
Here is what I have as the final configuration. I have removed the prompts and help text to keep it clean(er).
name pptpd
#chapms-strip-domain

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
nomppe-stateful
# }}}

# Network and Routing
ms-dns 192.168.1.1
#ms-dns 10.0.0.2
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp

# Logging
#debug
#dump

# Miscellaneous
lock
nobsdcomp
Authentication & Credentials
Create the file /opt/etc/ppp/chap-secrets with the VPN credentials. My file looks like the one below, of course with a valid username and password.
# Username    Server    Password            AllowedIPs
myusername    *         myawesomepassword   *
As with any password file, ensure it is only readable by root by running the following as root.
chmod 600 /opt/etc/ppp/chap-secrets
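The three files above (pptpd.conf, options.pptpd and chap-secrets) are easy to get subtly wrong: a remoteip range outside the LAN subnet, a commented-out require-mppe-128, or a secrets file left world-readable. The following audit script is an added example and not part of the original post or the poptop package. It assumes that "#" starts a comment (as pppd treats it outside quotes), that the remoteip line uses the short "a.b.c.X-Y" form the post uses (pptpd also accepts comma lists and full dotted ranges, which this check does not handle), and that secrets contain no spaces or "#".

```shell
#!/bin/sh
# Added example (not from the original post): audit the PPTP config files.
# Usage on the router:
#   sh vpn-audit.sh /opt/etc/pptpd.conf /opt/etc/ppp/options.pptpd /opt/etc/ppp/chap-secrets

# Print a file with comments and blank lines removed, one entry per line.
strip_comments() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# pptpd.conf: localip and remoteip must be set; the remote range must lie in
# localip's /24, run low-to-high within 1..254, and must not contain localip.
check_pptpd_conf() {
    conf=$(strip_comments "$1")
    lip=$(printf '%s\n' "$conf" | awk '$1 == "localip"  { print $2 }')
    rip=$(printf '%s\n' "$conf" | awk '$1 == "remoteip" { print $2 }')
    if [ -z "$lip" ] || [ -z "$rip" ]; then
        echo "$1: localip or remoteip not set" >&2; return 1
    fi
    prefix=${lip%.*}                       # e.g. 192.168.1
    case "$rip" in
        "$prefix".[0-9]*-[0-9]*) ;;
        *) echo "$1: remoteip $rip is not a host range inside $prefix.0/24" >&2; return 1 ;;
    esac
    range=${rip#"$prefix".}                # e.g. 245-254
    lo=${range%-*}; hi=${range#*-}; host=${lip##*.}
    case "$lo$hi" in
        *[!0-9]*) echo "$1: remoteip range $range is not numeric" >&2; return 1 ;;
    esac
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 254 ] || [ "$lo" -gt "$hi" ]; then
        echo "$1: remoteip range $range is not a valid low-high host range" >&2; return 1
    fi
    if [ "$host" -ge "$lo" ] && [ "$host" -le "$hi" ]; then
        echo "$1: localip $lip lies inside remoteip range $range" >&2; return 1
    fi
    return 0
}

# options.pptpd: the weaker authentication methods must be refused and
# MS-CHAPv2 plus 128-bit MPPE must be required (the post's effective options).
check_pptpd_options() {
    opts=$(strip_comments "$1")
    missing=""
    for want in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! printf '%s\n' "$opts" | grep -qx "$want"; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$1: missing option(s):$missing" >&2; return 1
    fi
    return 0
}

# chap-secrets: mode must be 600 (the post's chmod) and every credential line
# must carry the four fields client, server, secret, allowed-IPs.
check_chap_secrets() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)      # portable alternative to stat -c %a
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode is $mode, expected -rw------- (chmod 600)" >&2; return 1
    fi
    bad=$(strip_comments "$f" | awk 'NF != 4 { print "  " $0 }')
    if [ -n "$bad" ]; then
        echo "$f: malformed credential line(s):" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Run all three checks; exit status is non-zero if any of them failed.
audit_vpn_config() {
    rc=0
    check_pptpd_conf    "$1" || rc=1
    check_pptpd_options "$2" || rc=1
    check_chap_secrets  "$3" || rc=1
    return $rc
}

if [ $# -eq 3 ]; then
    audit_vpn_config "$1" "$2" "$3"
fi
```

The chap-secrets mode check deliberately looks at the permission string rather than the owner, so it can be run against a copy of the file on a workstation; on the router itself the file should of course also be owned by root.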
Configure Firewall
Create the file /opt/etc/config/vpn.fire and put the following in it:
#!/bin/sh
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
Make the script executable by running the following:
chmod +x /opt/etc/config/vpn.fire
Restart the firewall service:
service firewall restart
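After the restart it is worth confirming that the five rules actually made it into the running tables, since a .fire script that fails to run leaves the VPN unreachable with no obvious error. The function below is an added example, not from the original post; it reads the output of "iptables -S" on standard input and reports any of the rules from vpn.fire that are absent. It allows for the fact that iptables prints a "--dport" rule back with an explicit "-m tcp" match, which a naive grep for the line as typed would miss.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the vpn.fire rules are
# loaded. Usage on the router, as root:
#   iptables -S | sh -c '. ./check-rules.sh; check_vpn_rules'
# or simply paste the function into the shell and run: iptables -S | check_vpn_rules

# Read `iptables -S` output from stdin; return 0 if all five rules are present,
# otherwise list the missing ones on stderr and return 1.
check_vpn_rules() {
    rules=$(cat)
    rc=0
    for pat in \
        '^-A INPUT -p gre -j ACCEPT$' \
        '^-A INPUT -p tcp( -m tcp)? --dport 1723 -j ACCEPT$' \
        '^-A INPUT -i ppp\+ -j ACCEPT$' \
        '^-A FORWARD -i ppp\+ -j ACCEPT$' \
        '^-A FORWARD -o ppp\+ -j ACCEPT$'
    do
        if ! printf '%s\n' "$rules" | grep -Eq "$pat"; then
            echo "missing firewall rule matching: $pat" >&2
            rc=1
        fi
    done
    return $rc
}
```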
Start VPN server
This is the last step. Create the file /opt/etc/config/vpn.wanup and add the following:
#!/bin/sh
if [ ! -f /tmp/ppp/chap-secrets ]; then
    mkdir -p /tmp/ppp
    ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
/opt/etc/init.d/S20poptop restart
Make this script executable:
chmod +x /opt/etc/config/vpn.wanup
That is it; this ensures the VPN server is restarted whenever the WAN comes back up. The VPN is now up and running.
Testing it may end up being a bit tricky: you cannot log into the network while you are already on it. I used my phone, disabled WiFi, and configured it to connect over the mobile network to ensure that the VPN was indeed accessible and working. Presto, I could log into my home network from anywhere in the world.
Check out the original post about ways to configure a VPN client on an iOS or Android device.