March 03, 2012

Configuring PPTP VPN

This post is the last in the series of upgrades I completed on my router running the new TomatoUSB router firmware. Most of the material in this post comes from this tutorial.

Requirements:

  • A router running TomatoUSB
  • Install and configure Optware on the router
  • A way to reach the router from outside the home network, such as a dynamic DNS name
  • A VPN client to connect to the router

Installation

Log on to your TomatoUSB router via SSH and run the following in the shell

ipkg install poptop

That is it. Wait for ipkg to do its thing and you are done installing.

Configuration

Edit the file /opt/etc/pptpd.conf

I set up what is called a Single-Net configuration: once a client has logged in, the entire home network is reachable over the VPN. This was a home network, and I wasn't going to implement any sort of zoning on it.

Ensure the following line is commented out (prefixed with #)

logwtmp

Establish the list of available IP addresses. Here is what I have

localip 192.168.1.1           # This is the local IP address of the router
remoteip 192.168.1.245-254    # These are the available remote IPs to be used when a remote VPN connection is made

Edit the file /opt/etc/ppp/options.pptpd

Here is what I have as the final configuration. I have removed the prompts & help text to keep it clean(er).

name pptpd
#chapms-strip-domain

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
nomppe-stateful
# }}}

# Network and Routing
ms-dns 192.168.1.1
#ms-dns 10.0.0.2
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp

# Logging
#debug
#dump

# Miscellaneous
lock
nobsdcomp

Authentication & Credentials

Create the file /opt/etc/ppp/chap-secrets with the VPN setup credentials. My file looks like below, of course with a valid username & password.

# Username     Server    Password             AllowedIPs
myusername     *         myawesomepassword    *

As with any password file, ensure it is only readable by root by running the following as root.

chmod 600 /opt/etc/ppp/chap-secrets

Configure Firewall

Create the file /opt/etc/config/vpn.fire and put the following in it

#!/bin/sh
# GRE carries the tunnelled PPP traffic; TCP port 1723 is the PPTP control channel
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# accept traffic arriving on the VPN's ppp interfaces and allow it to be
# forwarded to and from the LAN
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

Make the script executable by running the following

chmod +x /opt/etc/config/vpn.fire

Restart the firewall service

service firewall restart

Start VPN server

This is the last step. Create the file /opt/etc/config/vpn.wanup and add the following

#!/bin/sh
# make the Optware chap-secrets visible at /tmp/ppp, where the router's pppd looks for it
if [ ! -f /tmp/ppp/chap-secrets ]; then
    mkdir -p /tmp/ppp
    ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
# (re)start the poptop daemon each time the WAN link comes up
/opt/etc/init.d/S20poptop restart

Make this script executable

chmod +x /opt/etc/config/vpn.wanup

That is it. This ensures the VPN server is restarted whenever the WAN comes back up, and the VPN is now up and running.
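As an added check that is not part of the original post, the following POSIX shell function audits the files created in the steps above. It assumes the /opt/etc layout used in this post (pass a different prefix as the first argument to audit a copy of the files elsewhere) and reports every setting that deviates from what the post configures.

```sh
#!/bin/sh
# Added example, not part of the original post: audits the PPTP files the post
# creates under /opt/etc. $1 is the prefix (default /opt/etc); pointing it at a
# copy of the files lets the check run off the router. Returns 0 when all pass.

# True when file $2 has an active (uncommented) line that starts with option $1.
has_opt() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2" 2>/dev/null
}

pptp_audit() {
    base="${1:-/opt/etc}"
    rc=0
    secrets="$base/ppp/chap-secrets"
    # chap-secrets holds cleartext passwords: it must exist and be mode 600
    if [ ! -f "$secrets" ]; then
        echo "FAIL: $secrets is missing"; rc=1
    elif [ "$(ls -ld "$secrets" | cut -c1-10)" != "-rw-------" ]; then
        echo "FAIL: $secrets must be chmod 600"; rc=1
    fi
    conf="$base/pptpd.conf"
    # logwtmp must stay commented out; localip and remoteip must be set
    if has_opt logwtmp "$conf"; then
        echo "FAIL: logwtmp is active in $conf"; rc=1
    fi
    for opt in localip remoteip; do
        has_opt "$opt" "$conf" || { echo "FAIL: $opt not set in $conf"; rc=1; }
    done
    # weak authentication refused, MS-CHAPv2 and 128-bit MPPE required
    opts="$base/ppp/options.pptpd"
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        has_opt "$opt" "$opts" || { echo "FAIL: $opt not active in $opts"; rc=1; }
    done
    # the firewall and WAN-up hooks only run when they are executable
    for f in config/vpn.fire config/vpn.wanup; do
        [ -x "$base/$f" ] || { echo "FAIL: $base/$f missing or not executable"; rc=1; }
    done
    # the firewall script must open GRE and TCP/1723 for the PPTP control channel
    fire="$base/config/vpn.fire"
    if [ -f "$fire" ]; then
        grep -q -- '-p gre' "$fire" || { echo "FAIL: no GRE rule in $fire"; rc=1; }
        grep -q -- '--dport 1723' "$fire" || { echo "FAIL: no TCP/1723 rule in $fire"; rc=1; }
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: PPTP configuration passes all checks"
    fi
    return "$rc"
}
```

Run `pptp_audit` on the router after completing the steps; a non-zero exit status with a FAIL line tells you which step was missed.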

Testing it may end up being a bit tricky: you cannot connect to the VPN from inside the network it serves. I used my phone, disabled WiFi, and configured it to connect over the mobile network to confirm that the VPN was indeed reachable and working. Presto, I could log into my home network from anywhere in the world.

Check out the original post about ways to configure a VPN client on an iOS or Android device.