Static PPTP VPN Client
From DD-WRT Wiki
Generally companies provide a VPN connection for their employees when they need to connect to corporate resources from outside the office. Often the VPN connection is something as simple as the VPN Connection built by the connection wizard in Windows. However, the downside is that when you are connected to the corporate VPN in this way, all network traffic from that host goes to and through the company proxies, makes requests of their DNS servers, et cetera. This is not the optimal configuration, especially if the company blocks access to internet sites or services you wish to visit.
So, for all of us Couch Warriors out there (a.k.a. those of us lucky enough to be allowed to work from home), there is a need for a persistent static VPN connection from our home offices to the corporate VPN that is separate from the rest of the traffic bound for the glorious unfettered Internet. This document intends to be a HOW-TO for this scenario. If you're already using a DD-WRT enabled router and have it configured, simply use the portions of this HOW-TO appropriate to you.
Much of this information was gathered from other pages on this wiki and the DD-WRT forums - see the credits at the end of this document.
NOTE: For a more native approach, i.e. without requiring JFFS activation, please check the article PPTP Tunneling.
You will require the following things to successfully follow this HOW-TO:
- A router capable of running the DD-WRT Firmware (we'll be assuming the WRT54G & WRT54GS in this HOW-TO).
- Any DD-WRT Firmware appropriate for your specific router that contains the PPTP Client. A comparison chart can be found here.
- The latest firmware from your router's manufacturer.
- The VPN Server information for your corporate VPN.
Disclaimer: As with most free information, everything you do is at your OWN risk, we take no responsibility for your actions.
 Further Assumptions
- You are capable of configuring your router to establish the basic connection to your ISP.
- You have a client machine that is capable of making an SSH connection to the router.
If you have all of the above we are ready to begin.
 Getting Started (Here Begins The "HOW-TO")
 Load the DD-WRT Firmware
Choose the version of DD-WRT firmware appropriate for your router. If you have a WRT54G, you have a shortage of memory and will need to use the mini version of the firmware; if you have the WRT54GS model, you should use the feature-rich standard version. If you need any of the other versions of the firmware, you may or may not be able to use the methods in this HOW-TO (they're simply untested).
 Set up Basic Configuration
At this point, set all the configurations you need to or desire to get your router and LAN online with your ISP. This stage is all you. As a general rule of thumb however, don't turn on features you don't need.
- One feature you may need however is DHCP ON both router(server) and computer(client) set to automatic config. I personally could not get this to work with a static ip assigned on the local network. The router connected fine and could ping inside the VPN server but the computers were left outside. A manual static route inside the local computers might work around this but I did not test this theory. The way to have set IPs in this setup is to use the static DHCP option.
 Configure PPTP Client
A very nice feature is the inclusion of a ready-to-go PPTP client configuration in the Web Interface. It has some limitations (addressed further along in this HOW-TO), but many users don't need anything more than what the Web Interface provides.
Browse on over to Administration - Services.
Enable the PPTP Client and Save Settings.
Return to the PPTP Client settings, and configure them as appropriate for your corporate VPN.
PPTP Client Options
| Setting | Value |
|---|---|
| Server IP or DNS Name | The IP Address of your company VPN server (Don't use the FQDN, use the IP address for best results) |
| Remote Subnet | Use the Network Address for the Remote Network (10.20.1.0 for example) |
| Remote Subnet Mask | Use the Subnet Mask Appropriate for the Remote Network (255.255.255.0 for example) |
| MPPE Encryption | The type of security to use for the connection. If you are connecting to another DD-WRT router, use: mppe required. If you are connecting to a Windows VPN server, use: mppe required,no40,no56,stateless or: mppe required,no40,no56,stateful |
| User Name | Your Remote PPTP Network Domain\Username (YOURCORP\\johndoe for example. BOTH backslashes are necessary.) |
| Password | Your Remote PPTP Network Password (p@ssw0rd for example) |
Save Settings and Reboot your router. You should now have a basic PPTP VPN connection to your office. Specifically, you will only have access to the subnet entered. To gain access to more networks, continue reading below.
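The MPPE Encryption string and any additional pppd options decide whether the tunnel is allowed to come up unencrypted or with a weaker authentication protocol. The shell function below is an added example, not part of this wiki page or of the DD-WRT firmware; it checks the two strings for `required`, `no40`, `no56` and for `refuse-pap`, `refuse-chap` and `refuse-mschap`, and the finding names it prints are made up for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page or DD-WRT): audit the strings typed
# into the PPTP Client form before saving them.

# has_word WORD LIST: true if WORD appears in LIST (space or comma separated)
has_word() {
    case " $(printf '%s' "$2" | tr ',\t\n' '   ') " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# audit_pptp_opts MPPE_FIELD PPPD_OPTIONS
# Prints one line of findings (hypothetical names); returns 0 only if none.
audit_pptp_opts() {
    findings=""
    # Without "required" the link may be negotiated with no MPPE at all.
    if ! has_word required "$1"; then
        findings="${findings}mppe-not-required "
    fi
    # no40 / no56 switch off the 40-bit and 56-bit key lengths.
    for weak in no40 no56; do
        has_word "$weak" "$1" || findings="${findings}missing-$weak "
    done
    # Refuse the older authentication protocols so only MS-CHAPv2 is left.
    for proto in pap chap mschap; do
        has_word "refuse-$proto" "$2" || findings="${findings}missing-refuse-$proto "
    done
    printf '%s\n' "${findings% }"
    [ -z "$findings" ]
}

# Demo: the Windows-server MPPE string from the table, no extra pppd options.
audit_pptp_opts "mppe required,no40,no56,stateless" "" || true
```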
 DNS for the Remote Network(s)
Chances are you don't want to have to type the IP address of each machine on the remote network, so you probably want DNS of the remote network resolving the hosts within. To do this you simply need to configure DNSmasq.
Under Administration - Management, enable DNS Masq and Local DNS, and add entries for the remote nameservers to the DNS Masq Options field.
The remote domain determines which FQDN lookups get sent to the remote server. More information than you may want to know about DNS Masq can be found here.
Save your settings, reboot, and Enjoy!
 Add Additional Remote Networks
Larger companies often have multiple networks (because of multiple regional offices for example). Using one of the methods below you can add as many additional networks to be routed through your VPN tunnel as you desire.
Option 1 requires more options on the router to be enabled, or access to an external server, but makes editing scripts in the future much easier. Option 2 can be completed entirely through the web interface of DD-WRT.
 Option 1: Activate the JFFS Partition or a Samba Share
Follow the excellent instructions found here to enable the JFFS partition on your router.
You will need to enable JFFS through nvram AND via the web interface - this was the only way we were able to reliably have the JFFS partition function as intended.
An alternative is to use a Samba Share located on an external server. This process is detailed here. Keep in mind, your paths used for the scripts below will change based on how you set up the share.
 Configure Router To Run Your Startup Scripts
Ensure that SSHD is enabled on your router (Administration - Services tab) and SSH into your router. Note that you should replace the IP address in the line below with whatever the actual IP address of your router is on the LAN side.
ssh -l admin 192.168.1.1
If you are a Windows user, you can find a fine SSH client in PuTTY. You will need to learn to configure and use PuTTY on your own, however.
First we set rc_startup to launch our 'controller' startup script.
nvram set rc_startup="sh /jffs/etc/config/my_startup.sh"
nvram commit
Ensure the directories needed exist:
mkdir -p /jffs/etc/config
Now we create our 'my_startup.sh' script:
Enter the following into the editor and save.
#!/bin/sh
#Launch every .startup script in the config directory in the background.
for I in `/bin/ls /jffs/etc/config/*.startup`
do
sh $I&
done
Quick vi Tutorial for Windows users: i - inserts, ESC:wq - exits editing mode, writes your changes, and quits vi
Ensure the permissions enable the script to be run:
chmod 700 /jffs/etc/config/my_startup.sh
 Create the Network Scripts
Create a /jffs/etc/config/addnet#.startup script for each additional network range you require access to on the corporate network. In the example below our company has a second subnet of 10.20.30.0/24
#!/bin/sh
#First we sleep for 2 minutes...we want to wait for ppp0 to come up.
sleep 120
#Now we can proceed with the iptables rules needed for this subnet.
REMOTESUB=10.20.30.0
REMOTENET=255.255.255.0
INT=ppp0
/sbin/route add -net $REMOTESUB netmask $REMOTENET dev $INT
/usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $INT
/usr/sbin/iptables --insert INPUT --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $INT
/usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $INT
/usr/sbin/iptables --insert FORWARD --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $INT
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE
/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
exit 0
Ensure the permissions enable the script to be run:
chmod 700 /jffs/etc/config/addnet1.startup
 Option 2: Use the Firewall Command to Create/Execute a script
While jffs or Samba make it much easier to edit scripts, using the Firewall Command allows you to complete the same tasks without the need for the additional storage space. (Administration - Commands tab)
The scripts work the same way, except you are now using the firewall command to create a script that will be executed in the background. It must be executed in the background to keep from holding up the other router processes. Enter a script similar to the one below in the box, and click Save Firewall.
#Build the script in /tmp, then run it in the background.
echo "REMOTESUB=\"10.177.0.0 10.177.1.0 10.177.2.0 10.177.3.0\"" > /tmp/firewall_script.sh
echo "REMOTENET=\"255.255.255.0\"" >> /tmp/firewall_script.sh
echo "INT=ppp0" >> /tmp/firewall_script.sh
echo "sleep 120" >> /tmp/firewall_script.sh
#The loop variable \$i holds one subnet per pass.
echo "for i in \$REMOTESUB; do" >> /tmp/firewall_script.sh
echo "/sbin/route add -net \$i netmask \$REMOTENET dev \$INT" >> /tmp/firewall_script.sh
echo "/usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination \$i/\$REMOTENET --jump ACCEPT --out-interface \$INT" >> /tmp/firewall_script.sh
echo "/usr/sbin/iptables --insert INPUT --source \$i/\$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface \$INT" >> /tmp/firewall_script.sh
echo "/usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination \$i/\$REMOTENET --jump ACCEPT --out-interface \$INT" >> /tmp/firewall_script.sh
echo "/usr/sbin/iptables --insert FORWARD --source \$i/\$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface \$INT" >> /tmp/firewall_script.sh
echo "done" >> /tmp/firewall_script.sh
#These two rules do not depend on the subnet, so they are added once, after the loop.
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface \$INT --jump MASQUERADE" >> /tmp/firewall_script.sh
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh
sh /tmp/firewall_script.sh &
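Whichever option you use, the result can be checked against the goal of this HOW-TO: the listed corporate subnets are routed through ppp0 and the default route is not. The function below is an added example, not part of the original page; it reads `route -n` output on standard input, and the sample table (interface names br0 and vlan1, gateway 192.0.2.1) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the split tunnel.
# On the router:  route -n | check_split_tunnel ppp0 10.20.30.0

# check_split_tunnel IFACE SUBNET...
# Prints one finding per problem (hypothetical names); returns 0 if clean.
# Subnets are matched on the Destination column only, not on the mask.
check_split_tunnel() {
    iface=$1; shift
    awk -v iface="$iface" -v want="$*" '
        BEGIN { n = split(want, nets, " "); bad = 0 }
        $1 ~ /^[0-9]+\./ {
            # A 0.0.0.0/0.0.0.0 route on the tunnel sends ALL traffic to the VPN.
            if ($1 == "0.0.0.0" && $3 == "0.0.0.0" && $8 == iface) {
                print "default-route-via-" iface; bad = 1
            }
            if ($8 == iface) seen[$1] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(nets[i] in seen)) { print "no-route-" nets[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample of `route -n` output after the addnet script has run.
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 vlan1
EOF
}

# Demo: 10.177.1.0 is not in the sample table, so it is reported.
sample_routes | check_split_tunnel ppp0 10.20.30.0 10.177.1.0 || true
```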
 Example Configurations
 Example 1
In my case with static IP 10.110.24.130 and Gate 10.110.24.129, VPN server 10.110.0.9, I made this:
1. Administration -> Services -> PPTP Client remove MPPE Encryption
2. Administration -> Services -> PPTP Client change Remote Subnet 0.0.0.0
3. Administration -> Services -> PPTP Client change Remote Subnet Mask 0.0.0.0
4. Setup -> Advanced Routing Add route 10.110.0.9 255.255.255.255 to 10.110.24.129
Thanks to Evgeniy Melashenko ;)
 Example 2
In my case, with a Dynamically assigned IP of 10.177.140.X, VPN server's public IP of 188.8.131.52, and Gateway showing up as blank in ipconfig using the windows client, I used the following info. Also, advanced routing didn't work at all for me, I had to use the above instructions about additional remote networks on a Samba share to initiate the required route. We have servers covering the entire 10.177.0.0 network. To just access the entire 10.177 network without scripts, change #2 below to 10.177.0.0, and #3 below to 255.255.255.0.
1. Administration -> Services -> PPTP Client -> Server IP or DNS Name = 184.108.40.206
2. Administration -> Services -> PPTP Client -> Remote Subnet = 10.177.140.0
3. Administration -> Services -> PPTP Client -> Remote Subnet Mask = 255.255.255.0
4. Administration -> Services -> PPTP Client -> MPPE Encryption = mppe required,no40,no56,stateless
5. Administration -> Services -> PPTP Client -> MTU = 1450
6. Administration -> Services -> PPTP Client -> MRU = 1450
7. Administration -> Services -> PPTP Client -> NAT = Enable
8. Administration -> Management -> Samba FS Automount -> Enable
9. Administration -> Commands -> Add to Firewall: umount /jffs; smbmount //IP.ADDR.OF.SERVER/SHARE /jffs -o 'username=root,password='; sh /jffs/etc/config/my_startup.sh
10. SSH in and edit my_startup.sh as described below using 10.177.0.0 and 255.255.0.0 (no need for nvram if you complete step 9)
 Example 3
I am using firmware: DD-WRT v3.0-r27365M (06/18/15) kongac on an r7000. Very nice stable build!
1. Administration -> Services -> PPTP Client -> Server IP or DNS Name = vpn.mywork.com
2. Administration -> Services -> PPTP Client -> Remote Subnet = 10.20.10.0
3. Administration -> Services -> PPTP Client -> Remote Subnet Mask = 255.255.255.0
4. Administration -> Services -> PPTP Client -> MPPE Encryption = blank (You can see when you connect in windows that there is no MPPE negotiated for my work vpn, so secure!)
5. Administration -> Services -> PPTP Client -> MTU = 1500
6. Administration -> Services -> PPTP Client -> MRU = 1500
7. Administration -> Services -> PPTP Client -> NAT = Enable (doesn't work for me, but I run some scripts that call the `/tmp/pptpd_client/ip_up ppp0` script. Note the ip_up script is copied to that directory by the firmware when pptp client is enabled, I think.)
8. Administration -> Services -> PPTP Client -> Username = DOMAIN\username (!!! DO NOT USE two backslashes !!! - I found out by using the /tmp/pptpd_client/vpn script in debug mode that this string is ALREADY ESCAPED. This was the KEY to getting my vpn to start up. My work's MS vpn server rejected my connection until I removed the extra backslash. This might be a latest-and-greatest at this time firmware thing (?))
9. Administration -> Services -> PPTP Client -> Password = *********
10. Administration -> Services -> PPTP Client -> Additional PPTP Options =
refuse-pap refuse-eap refuse-chap refuse-mschap require-mschap-v2 noauth nodetach
11. Administration -> Commands -> Startup = /jffs/etc/config/ipup_manual.sh (similar to /tmp/pptpd_client/ip-up ppp0)
My connection WILL NOT connect without the noauth and nodetach options, both options. I know I could probably be doing something better (?). If you want to discuss, please comment in this thread on the forum. You can also see more advanced route troubleshooting there.
I was able to figure out my options by debugging. If you want to debug, use `/tmp/pptpd_client/vpn debug` to try to start up your vpn connection. Here is a list of all the options you can set in the /tmp/pptpd_client/options.vpn file to attempt to figure out which ones work for you. Note the common ones are on the top. These options are the same as the Additional PPTP Options (which should be named "Additional pppd Options"). Once you figure out the right options on the command line, save them in the gui!
Another highly recommended thing to do if you are having trouble (assuming M$), is to connect in Windows, and look at the VPN connection properties and possibly compare them to other ones you can google. To see the properties in Windows 8, right-click on your network connection in the task bar, select "Open Network and Sharing Center", Click on the connected VPN (as a link, to the right), Click on the "Details" tab (NOT the "Details..." button, there is more info on the tab). Compare and translate the options to pppd options! Good luck!
 Credits
- Peter Frischknecht - Worked out the final details on our experimental WRT54GS to provide the first working solution.
- Curtis Turner - Contributed moral support and technical information, along with motivation for Peter. Performed WRT54G testing.
- The JFFS Wiki Page
- Everyone who contributed to this thread.
- Further questions can be answered in the DD-WRT forum in this thread.
- how to fix OS X