{"id":29,"date":"2012-08-08T22:02:53","date_gmt":"2012-08-08T18:02:53","guid":{"rendered":"http:\/\/www.bandidor.info\/wp\/?p=29"},"modified":"2014-12-11T21:20:49","modified_gmt":"2014-12-11T18:20:49","slug":"openwrt-pptp-tunnel-to-the-office-lan-with-windows-vpn-server","status":"publish","type":"post","link":"https:\/\/www.bandidor.info\/wp\/?p=29","title":{"rendered":"OpenWRT pptp tunnel to the office LAN with Windows VPN server"},"content":{"rendered":"<h1>Problem<\/h1>\n<p><a href=\"http:\/\/www.bandidor.info\/wp\/wp-content\/uploads\/2012\/08\/08082012183.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-thumbnail wp-image-133\" title=\"08082012183\" src=\"http:\/\/www.bandidor.info\/wp\/wp-content\/uploads\/2012\/08\/08082012183-150x150.jpg\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>The idea was to have a separate VPN tunnel to the office to access office LAN resources without needing to bring up the VPN connection on the workstation. The challenge was a) to find the right PPTP options to connect to a Windows VPN server and b) to adjust the routing table on the router so that connections to the office LAN are routed through this tunnel.<\/p>\n<p>OpenWRT version <code>Backfire (10.03.1, r29592)<\/code> running on a TP-LINK TL-WR1043ND.<\/p>\n<h1>Solution<\/h1>\n<ol>\n<li>Configure a new PPTP interface via LuCI or directly in <code>\/etc\/config\/network<\/code>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nconfig 'interface' 'bw116'\r\n    option 'proto' 'pptp'\r\n    option 'auto' '0'\r\n    option 'server' 'xx.yy.zz.116'\r\n    option 'username' 'AB\\Cdefg'\r\n    option 'password' '12345'\r\n    option 'defaultroute' '0'\r\n    option 'peerdns' '0'\r\n<\/pre>\n<p>It is important not to set a default route and not to use the peer's DNS; in my case I connect to office resources via IP. 
In the first version I bring this tunnel up manually via LuCI; the future plan is to bring it up on demand.<br \/>\nAlso note that <code>username<\/code> is specified as <code>Windows Domain\\User Name<\/code>, with just one backslash as shown above.<\/p><\/li>\n<li>Adjust <code>\/etc\/ppp\/options<\/code> and <code>\/etc\/ppp\/options.pptp<\/code>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@OpenWrt:~# cat \/etc\/ppp\/options\r\n debug\r\n logfile \/dev\/null\r\n noaccomp\r\n ipparam vpn\r\n replacedefaultroute\r\n nopcomp\r\n nocrtscts\r\n persist\r\n holdoff 10\r\n lock\r\n maxfail 0\r\n lcp-echo-failure 5\r\n lcp-echo-interval 5\r\n<\/pre>\n<pre class=\"brush: plain; highlight: [9,10]; title: ; notranslate\" title=\"\">\r\nroot@OpenWrt:~# cat \/etc\/ppp\/options.pptp\r\n lock\r\n noauth\r\n nobsdcomp\r\n nodeflate\r\n idle 0\r\n defaultroute\r\n maxfail 0\r\n refuse-eap\r\n mppe required,no40,no56,stateless\r\n <\/pre>\n<p>The last two lines (<code>refuse-eap<\/code>, and <code>mppe required,no40,no56,stateless<\/code>, which requires MPPE encryption with 128-bit keys and refuses the weaker 40- and 56-bit variants) appear to be essential for connecting to a Windows VPN server.<\/p><\/li>\n<li>Create a new routing table. The OpenWrt package <code>ip<\/code> will be needed.\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@OpenWrt:~# opkg info ip\r\n Package: ip\r\n Version: 2.6.29-1-2\r\n Provides:\r\n Status: install user installed\r\n Section: net\r\n Architecture: ar71xx\r\n Maintainer: OpenWrt Developers Team\r\n MD5Sum: bb8d81a04dc2042a041ff3866167a05c\r\n Size: 76789\r\n Filename: ip_2.6.29-1-2_ar71xx.ipk\r\n Conffiles:\r\n \/etc\/iproute2\/rt_tables a1313318d6778fe6b8c680248ef5a463\r\n Source: package\/iproute2\r\n Description: Routing control utility\r\n Installed-Time: 1342434293\r\n<\/pre>\n<p>Edit <code>\/etc\/iproute2\/rt_tables<\/code> and add a new entry <em>vpn<\/em> for the new routing table. 
This is persistent; there is no need to repeat it after a reboot or to write any script to create it.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@OpenWrt:~# cat \/etc\/iproute2\/rt_tables\r\n #\r\n # reserved values\r\n #\r\n 255      local\r\n 254      main\r\n 253      default\r\n 10       vpn\r\n 0        unspec\r\n #\r\n # local\r\n #\r\n #1       inr.ruhep\r\n #\r\n<\/pre>\n<\/li>\n<li>Create a new script that will be run each time our new PPTP interface goes up.\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@OpenWrt:~# cat \/etc\/ppp\/ip-up.d\/10-bw116\r\n #!\/bin\/sh\r\n #PPP_REMOTE=$5\r\n logger -p daemon.debug &quot;Starting script \/etc\/ppp\/ip-up.d\/10-bw116&quot;\r\n #This is the office LAN subnet\r\n REMOTE_NET=&quot;192.168.100.0\/24&quot;\r\n #Custom routing table created in the previous step\r\n VPN_TABLE=&quot;vpn&quot;\r\n #Delete the entry for the VPN gateway in the main routing table\r\n #that the \/etc\/ppp\/ip-up script created when the interface came up.\r\n #The 5th command line argument is this gateway IP.\r\n route del $5\r\n #Remove all old rules for this remote network\r\n ip rule list | grep -E &quot;to&#x5B; \\t]+$REMOTE_NET&quot; | while read line ; do\r\n     ip rule del to &quot;$REMOTE_NET&quot;\r\n done\r\n #Add a rule to route everything going to the remote LAN\r\n #via the custom routing table\r\n ip rule add to $REMOTE_NET lookup $VPN_TABLE\r\n #Put just one entry in the custom routing table: send via\r\n #the PPTP interface ($1 is the interface name passed by pppd)\r\n ip route add $REMOTE_NET dev $1 table $VPN_TABLE\r\n logger -p daemon.debug &quot;Finishing script \/etc\/ppp\/ip-up.d\/10-bw116&quot;\r\n<\/pre>\n<\/li>\n<li>Done for now.<\/li>\n<\/ol>\n<h1>Discussion<\/h1>\n<p>Things to consider for further improvement:<\/p>\n<ul>\n<li>The connection won&#8217;t be restored automatically when dropped. 
For a relatively stable WAN uplink this might not be so important. Actually it never drops unless I manually help it.<\/li>\n<li>It would be nice to have this VPN link come up on demand, i.e. when somebody wants to connect to a 192.168.100.x address it goes up and stays connected for as long as needed, then shuts down after some inactivity period. This could be rather simple, as most commodity routers provide this feature in some form; it just needs time for testing.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Problem The idea was to have a separate VPN tunnel to the office to access office LAN resources without a need to bring up the VPN connection on the workstation. The challenge was a) to find the right PPTP options to connect to a Windows VPN server and b) to adjust the routing table on the router to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":127,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3],"tags":[24,7,8],"class_list":["post-29","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-openwrt","tag-openwrt","tag-pptp","tag-vpn"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/www.bandidor.info\/wp\/wp-content\/uploads\/2012\/08\/ScreenShot001.bmp","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EszU-t","_links":{"self":[{"href":"https:\/\/www.ba
ndidor.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/29","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29"}],"version-history":[{"count":52,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions"}],"predecessor-version":[{"id":457,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions\/457"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=\/wp\/v2\/media\/127"}],"wp:attachment":[{"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bandidor.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}