WikiDevi.Wi-Cat.RU:DD-WRT/PPTP Server Configuration
A PPTP Server (Point-To-Point Tunneling Protocol) allows you to connect securely from a remote location (such as your home) to an LAN (Local Area Network) located in another location, such as your workplace, business office, etc. This way you can use the services provided in your office at the comfort of your home.
It should be noted that PPTP has some security flaws and is considered deprecated. See PPTP Security
For an alternative, see OpenVPN
PPTP
Tested using version DD-WRT 2.3 "VOIP" on WRT54GS router
- Make sure you have flashed the "RIGHT" firmware to your router.
- Goto the Web Administration and goto the "ADMINISTRATION" Tab, and the "SERVICES" sub-tab.
- Go down and you will see "PPTP Server". This option is disabled by default, so to setup PPTP, you click "ENABLE". (In v24 and higher PPTP is a sub-tab in the Services main tab.)
- (In newer versions, this step may be skipped because the options are automatically shown when you click.) Click enable and then click "Save Settings"). After you see the message "Settings Are Successful" click "Continue"
- While still in the "SERVICES" sub-tab, complete the options you need. Descriptions of options can be found below.
- Finally, go down, Save Settings, and then click on "REBOOT ROUTER", this step is very important, no matter what you have configured, if you dont reboot router, settings will not work.
- Once you have completed the data input go down an click on "Save Settings" to save changes, now on the page "Settings Are Succesfull" click on "Continue" and again on "SERVICES" tab, where you doublecheck the values of your PPTP server.
NOTE: After you have done this, only computers the Windows Operating System will be able to connect through the WAN port of the router. Many other operating systems will not work and trying to connect from a LAN port will not work.
Any questions can be posted on the forums or go to www.facebook.com, log in, search for "Marcelo Semino" (Public Figure), Became a fan of me, an then I will help you with your VPN problem for free.
Mac OSX
If you are using MacOSX, you may experience problems while connecting to the DD-WRT PPTP server; this is due to the server having encryption as optional, while Mac OS X requires it when encryption is chosen.
Your options are to either:
- Client (Mac OS X): Set encryption to None.
- Server (your router): Force encryption.
Tscheiby 20:50, 22 February 2011 (CET)
There seems to be a bug in 10.6 which leads to using DNS Servers supplied by DD-WRT PPTP Server even if the VPN Connection is configured not to be the default route. This might be a problem. It breaks local DNS setups. The options.pptpd File must be rewritten and put into Startup Scripts like below.
The Rewrite goes as follows:
sed -i -e '/ms-dns/d' /tmp/pptpd/options.pptpd
This simply removes every DNS entry in the options.pptpd file.
iOS/iPhone
- See DNS Issues below for iPhones !
iOS 4.3
Many people reported that iOS 4.3+ breaks PPTP VPN towards DD-WRT routers and even some commercial VPN providers. So add the following code to your DD-WRT startup command to correct the bug:
#!/bin/sh echo "nopcomp" >> /tmp/pptpd/options.pptpd echo "noaccomp" >> /tmp/pptpd/options.pptpd kill `ps | grep pptp | cut -d ' ' -f 1` pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd
Force Encryption
The default installation makes encryption optional, you can changed this to required (a must to allow encrypted connections from MacOS X-users) by:
In the DD-WRT Web Interface, goto Administration > Commands. Paste the following line in the commands area; and then press Run Commands:
sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd
Congratulations, you've just rewritten the options.pptpd-file in place; and should now have a working PPTP-server to connect to with your Mac (as well as other systems, as long as they can handle encryption).
If you prefer to keep track of what's going on (or need/want to experiment with rewriting files) this will take you through the process step by step, and introduce you to some other very basic tools available:
First of all, let's take a look at the original file:
cat /tmp/pptpd/options.pptpd
If we mess up the file we could just reboot the router to get the original back, but to speed things up we're going to make a copy of it on the router:
cp /tmp/pptpd/options.pptpd /tmp/pptpd/options.pptpd~
Now let's do the rewriting:
sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd
So what do we do if we when checking the file (using cat, like above) notices that we've ruined it, or we were cautious enough to work on the backup instead of the original?!
Replace the "live" file with the backup by either "moving" it (leaving no backup), or copying it (leaving the backup just as it its:
mv /tmp/pptpd/options.pptpd~ /tmp/pptpd/options.pptpd
cp /tmp/pptpd/options.pptpd~ /tmp/pptpd/options.pptpd
Learn how to automagically reapply your changes at startup by reading: Startup Scripts.
// This guide was written for the dd-wrt.com/wiki by Svanstrom @ 18:56, 16 October 2007 (CEST). //
For those looking for the the earlier version of this guide: It used echo to add a line to the end of options.pptpd; and then used that, along with sleep, in the startup script:
echo 'mppe required,no40,no56,stateless' >> /tmp/pptpd/options.pptpd
sleep 30 echo 'mppe required,no40,no56,stateless' >> /tmp/pptpd/options.pptpd
Options
PPTP Server
Enables or Disables the Service.
Server IP
Your LAN IP Address. (An IP from your network that is not used by any computer or the router).
Example: 192.168.1.1
Update: The internal IP of your router works just fine with firmware DD-WRT v23 SP2 (09/15/06) vpn. My router's internal address is 192.168.1.1 and I used the same to fill in the "Server IP" field of the PPTP Server Configuration. --psiborg 20:49, 6 May 2007 (CEST)
Update: The IP of your router may work but if you use it, the Webinterface gets unreachable (tested on WRT54GS V2 with DD-WRT v23 SP2) --Xstream 21:31, 30 March 2008 (CEST)
Update: With firmware DD-WRT v24 SP1 on WRT54GL the router's LAN or WAN static address may be used without disturbing the Web interface. Furthermore, if an address of 0.0.0.0 is entered, then the PPTP server will track the router's WAN address, allowing DDNS to be used. 10 September 2008
update: In my case, linksys wrt-310n v.1 With fw DD-WRT v24 sp2 vpn version(10/10/2009), I tried to use the router's static ip(192.168.1.1) as pptp server ip, the web interface can't be reached nor pinged anymore if connected by pptp client. The web comes back if connection terminated. I change the server ip to 192.168.1.2 and everything is fine now. --aw11onfire 12:44(GMT+8), 10 Dec 2009
Update: It is bad vpn form to use the same IP as the router when configuring the pptp server. The following should be done: 1. Take note of your router LAN IP. (Example: 192.168.1.1) 2. When creating the pptp server use an IP DIFFERENT than the router LAN IP. (Example: 192.168.1.2) 3. If you are trying to access the VPN from the outside world then go to the NAT settings and forward port 1723 to the LAN IP (Example: 192.168.1.1). 4. After using these settings, apply them. Double check that your chap secrets and client IP ranges are set.
Update: 2010/09/28 v24-sp2 13525, iPhone OS 4.0.2 Could not connect with either port 1723 or 1792 forwarded. Connected with no vpn/pptp ports forwarded.
When you are off site you will try to connect to the VPN (using 1723 for pptp by default). The request will hit the router external IP (the one provided by your ISP). The router NAT will then detect an incoming pkt using port 1723. It will establish a connection to the VPN server by forwarding to 192.168.1.2. The router will create a ppp0 connection on itself which, after connecting to the VPN, you will be able to see. The problem with using the router LAN IP as the pptp server IP is that by default it is bridged and ppp0 can not be added to the bridge. You will connect and will only be able to ping your client IP and the router IP.
Here is a pkt destination flow chart so you can understand how exactly the pkt flows from the outside world to your VPN:
You off sitte --> Internet --> Your router IP (WAN) --> Gateway IP (LAN). --> NAT --> VPN (pptp server IP) <--> VPN Client IP
I couldn't get it to work until I also forwarded port 1792 to 192.168.1.1.
Client IP(s)
The client IP range. IPs in this range are given clients trying to connect. Should be a valid IP Address on the LAN segment of the network.
Note: Inputting client IPs in the format 192.168.1.100-192.168.1.120 does not work.
Example: 192.168.1.100-120
CHAP-Secrets
The Username and Passwords used by to login to the PPTP server are configured here. Pay close attention to the use of spaces and asterisks between usernames and passwords, authentication will not work without them.
General Syntax:
Username * Password * (username_to_use,blank space,asterisk,blank space,password_to_use,blank space,asterisk)
Example:
marcelo * semino * eduardo * crea *
The above will create two accounts: 'marcelo' and '"eduardo"' with the passwords '"semino"' and '"crea"' respectively.
WARNING: Do NOT forget the spaces between asterisk and usernames/passwords. If you omit them it will not work.
Troubleshooting
Windows XP & Internet Connection
If using the VPN connection software built into Windows XP, you might find that your internet connection will die once the vpn connection is established. This is a result of the default settings for Windows XP VPN connections.
See: Use the Local Default Gateway
Loopback
In order to get this to work it's essential to disable "loopback" otherwise it doesn't work (loopback was enabled as default in my firmware version (v.23 std)! Note: Using V23SP1-VOIP 6/5/06, PPTP Server was verified working even with "loopback" enabled (pagedude 6/25/06) Also works with v23 SP2 and v24 beta
Special Characters
Check passwords (chap-secrets file) for special characters ( # - Character in password breaks pptp). The admin password of the router is inserted into chap-secrets by default! --Krikkit 12:12, 7 Mar 2006 (CET) Special Characters work fine if you wrap the password with ". Example: test * "123456#" *
Outgoing PPTP Connections
Another issue in v.23 is that outgoing pptp-trafic cannot pass-through the router with pptp-server enabled. There is a fairly complicated fix for this issue in the dd-wrt forum. [edit]
A simple, if awkward, workaround seems to have been found at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=30245#30245 and http://www.dd-wrt.com/phpBB2/viewtopic.php?p=643714#643714.
DMZ
DMZ must be DISABLED in order to work --ptodic 21:36, 8 Mar 2006 (CET)
Update: Actually, DMZ does NOT need to be disabled. Better solution is
going to Application & Gaming - Port Forwarding and adding a new line:
app: whatever name you want
port from: 1723
protocol: tcp
ip address: LAN IP of the router (default 192.168.1.1)
port to: 1723
enable: checked
--curlyboi 19:20, 6 Jan 2007 (CET)
Disconnects
If you're unable to connect to the PPTP server or can occasionally but not for more than a few minutes at a time, and you use a WAN device that does PPPoE onboard (Like a SpeedStream 5100b DSL Modem) -- You may have to disable the onboard PPPoE and use the PPPoE on the WRT54G. The GRE that's needed for PPTP sometimes gets messed up by your WAN device, probably because it uses a buggy layer 3 stack that corrupts or doesn't pass the GRE packets to your WRT.
You may also have disconnects if the actual network that the client is on is the same subnet that the server is on (e.g. client subnet is 192.168.1.0/24 and the DD-WRT server subnet is 192.168.1.0/24). This causes IP collisions. The best solution is to change the subnet of the server or client network to something unique, such as 192.168.5.0/24 (i.e. an IP range of 192.168.5.1-255 with a netmask of 255.255.255.0).
Two DD-WRT Boxes
If PPTP-connection between two dd-wrt boxes fail with error message "IPCP terminated by peer (Unauthorized remote IP address)" you need "noipdefault" option at client side. You can add pptpd.conf options through WEB gui using MPPE Encryption field. In this case set "MPPE Encryption" as "noipdefault mppe required". --Veekoo 12:51, 15 Aug 2006 (CEST)
Also see Point-to-Point PPTP Tunneling with two DD-WRT for instructions on how to connect two or more DD-WRT routers via PPTP. --Disk Crasher 08:58, 18 October 2009 (CEST)
DNS Issues
Your client may not get the correct DNS setting. To correct this do the following.
To permanently set the WINS/DNS values for the PPTP server that assigned to the client, you can set/commit the following nvram params:
Code:
nvram set pptpd_dns1=ip-address-of-first-dns-server nvram set pptpd_dns2=ip-address-of-second-dns-server nvram set pptpd_wins1=ip-address-of-first-wins-server nvram set pptpd_wins2=ip-address-of-second-wins-server
Example:
To have the PPTP server give out a wins/netBios address of "10.0.0.5", you would type the following in a SSH/telnet session into the router:
Code:
nvram set pptpd_wins1=10.0.0.5 nvram commit reboot
Example:
To have the PPTP server give out a DNS address of "10.0.0.5", you would type the following in a SSH/telnet session into the router:
Code:
nvram set pptpd_dns1=10.0.0.5 nvram commit reboot
Update: 6 nov 2010, Due to a bug on the iPhone, so that DNS resolution works, we must put a public DNS server, such as Google, the 8.8.8.8!
Broadcast to VPN Clients
From: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=4786
Issue: How to get broadcast IP belonging one subnet to additionally broadcast on an another subnet? The answer is routing.
For example, say you're hosting a multiplayer game like Warcraft 3 that utilieses the broadcast IP of the underlying subnetmask the host computer is running on. When you do a cmd -> ipconfig on the hosting computer, you'd most likely see that the subnetmask on your local area connection is 255.255.255.0. If you do the same on a client computer connected to the PPTP server, you'd see that the subnetmask of the VPN connection differs from the local area connection. Local area connection at subnetmask 255.255.255.0 and VPN connection at 255.255.255.255. This means that the VPN connection is on a different subnet.
So the PPTP server uses subnetmask 255.255.255.255 and your game is hosting on subnet 255.255.255.0. Because of this, the VPN connection will never receive the messages broadcasted from the broadcasting IP on the other subnet. Thats why the clients can't find the host on games that uses broadcast IP to announce their presence.
Let's say your router IP is 10.0.0.1. You have setup PPTP server to accept 10 VPN connections in the range of 10.0.0.50-59 (Use outside DHCP range!). In a subnet with subnetmask 255.255.255.0 you have a total of 254 IP-addresses available. (10.0.0.1 - 10.0.0.254). 255 is reserved for broadcasting on the respective subnet. Only difference is that as mentioned, the IP addresses that is reserved for the PPTP server are on a different subnetmask, thus another subnet.
To add a static route to send Broadcast packets to the remote network, do the following:
- Open the DD-WRT web configuration
- Select Basic Setup -> Advanced Routing
- Change the following settings.
In Dest. LAN IP: 10.0.0.1 Subnetmask : 255.255.255.255 Gateway : 0.0.0.0 Interface : LAN/WLAN
Now we have created a static route that routes a connection between those subnets.
v24 SP1 vpn note: The above route appears to get created automatically when setting up a PPTP connection (verified by typing "route" in the CLI). However, broadcast packets do not route, even if a static route is also added to 10.0.0.0/255.255.255.0. The SP2 build has an option to enable bcrelay but that too doesn't appear to be working at this time. --Disk Crasher 04:32, 23 October 2009 (CEST)
See Also:
[dd-wrt-wiki:Point-to-Point_PPTP_Tunneling_with_two_DD-WRT
Uncheck 'Filter WAN NAT Redirection'
If you can connect to the VPN PPTP server from outside (WAN), but only be able to connect/ping at LAN side the router IP, the PPTP server IP (mostly the same as router IP) and your own PPTP client IP but nothing else, then you should check the security settings of your router.
"Code":
1. In the Web GUI goto 'Security', then 'Firewall' and then look at 'Block WAN Requests': 2. Uncheck the entry 'Filter WAN NAT Redirection'.
After that you can connect to all your servers, clients etc. on LAN side behind your PPTP server from the PPTP client side.
Example Configuration
Using the DD-WRT based buffalo firmware on a WHR-HP-G300N the following configuration works great
My router's IP address is set to 10.0.0.1 DHCP gives addresses from 10.0.0.100 to 10.0.0.130
PPTP
1. Server Enable 2. broadcast support enable 3. force encryption enable 4. server ip 10.0.0.2 5. client ip 10.0.0.200-220 6. chap secrets user * password *
Port Forwarding
1. VPN1 1723 TCP 10.0.0.1 1723 Enable 2. VPN2 1792 TCP 10.0.0.1 1792 Enable
Note how the Port Forwarding is forwarded to the ROUTERS IP not the pptp Server IP
Save and Apply all settings and REBOOT ROUTER