jason schaefer . com

Setup PPTP server using OpenWRT

by

jason
in ,

DON”T USE PPTP ITS INSECURE!! USE OPENVPN or WIREGUARD INSTEAD.  TUTORIALS ->
http://jasonschaefer.com/openvpn-on-the-openwrt
https://jasonschaefer.com/wireguard-vpn-on-openwrt/

That said, if you want to setup pptp on the openwrt here is a guide.
The router is Backfire 10.03.1 at address 192.168.11.1/24. This configuration will setup the PPtP VPN server and it should be pointed out that its not a very secure VPN. Basically, it requires that someone capture the authentication handshake of a pptp connection. Then extract the keys and crack the hashes or bruteforce. There is a service that was released last year that will crack these keys and produce the authentication hash, that can auth as the password. This was done to encourage people to stop using this lame technology. Here is a great write up that will answer all questions https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

With the above insecurity disclaimer and a note that this really shouldn’t be used for anything requiring real security. I proceed..

opkg install pptpd kmod-mppe

== /etc/pptpd.conf ==

#debug
option /etc/ppp/options.pptpd
speed 115200
stimeout 10
localip 192.168.11.1
remoteip 192.168.11.40-49

== /etc/ppp/options.pptpd ==

debug
logfile /tmp/pptp-server.log
192.168.11.1:
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
proxyarp #required to be able to connect to the lan subnet without being directly connected.
#noproxyarp
#nomppc
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 192.168.11.1

== /etc/ppp/chap-secrets ==

#USERNAME PROVIDER PASSWORD IPADDRESS
jason * testypass *

== /etc/firewall.user ==

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT

== /etc/config/firewall ==

config 'rule'
option 'target' 'ACCEPT'
option '_name' 'pptpd'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'dest_port' '1723'

Comments

9 responses to “Setup PPTP server using OpenWRT”

  1. moussa Avatar
    moussa

    its not working with me,
    i followed all the steps,
    i hope you can help me

  2. jason Avatar
    jason

    moussa
    Its been so long since I used pptp and am very little help now. Pptp is dead and this tutorial is old (openwrt 10.03). I know you probably have your reasons and don’t care about security but you should not use pptp! Openvpn is where you should spend your precious time. life is too short to use pptp.

  3. RJD Avatar
    RJD

    Just once I would wish that “strong crypto” people would climb off their high horses and actually show an analytical ability. There is no such thing as universal security – there are only objectives, risk mitigation measures, and acceptable tradeoffs remembering two things they never do – every mitigation has a cost and every mitigation introduces some new degree of risk, cost,, or complication.

    OpenVPN is not perfect security. It is not by default on most systems and devices. It’s certs have a nightmare of complications. Any crypto likely will be broken in the future by crypto analysis, better processing, or hardware breakthroughs like quantum computing.

    Working backwards, let us consider not every ease dropper is sophisticated enough to break PPTP. It may be strong enough to deter lighter weight threats. OpvenVPN may be a NSA honey trap. Or more likely FSB. Who knows.

    Now let’s go all the way back – objectives. My objective is IP spoofing. In the extreme Socks as “SmartDNS” would do. But unlike PPTP, Socks is not on nearly every mobile or desktop system including the VAST majority of routers, even the relatively expensive ones. You have to go out of your way to mess with Socks. Kind of like OpenVPN. Got the part about new risks and complications yet? Don’t need certs. Don’t need super strong crypto. PPTP fits my use case much better. Now that’s being analytical.

  4. jason Avatar
    jason

    RJD – No! That is you just being lazy and not caring about security. That is perfectly ok! Just admit it to yourself and move on. No one really cares what you do ;-)

  5. Dennis Avatar
    Dennis

    Didn’t work for me either on openwrt 21.02.0. The openwrt site has another version of the setup that doesn’t work either. Since pptp is the simplest vpn to set up, there is no sense in attempting the more complicated ones because that would be a lost cause. I think this is deliberate on the part of the openwrt team.

    The config instructions on the openwrt site do seem to work locally, but what is the point? They do not allow remote VPN tunneling which is what it is all about.

    I think I can write a program to accomplish the packet forwarding I need. It would have to send everything in clear text, but it can’t be avoided since openwrt doesn’t seem to allow VPNs. I really miss Tomato. With that, it was just a checkbox “Enable VPN Server” and you had a choice of different protocols to choose from.

  6. jason Avatar
    jason

    Dennis
    This tutorial is very old and was for OpenWRT v10!
    Check out my Wireguard tutorial. Its modern and easy to implement on OpenWRT with Windows, Mac, GnuLinux, android, and ios clients.

  7. Nad Okob Avatar
    Nad Okob

    It is not a matter of security why I have to use pptp. I have no options but to use it since I have an endpoint that has an embedded pptp client. The manufacturer no longer exist. If only I have an option, then for sure I will not use pptp.

  8. jason Avatar
    jason

    Hey Nad
    Could you replace it with a OpenWRT compatible device?
    Then you could use Wireguard or OpenVPN or even ssh

  9. Nad Okob Avatar
    Nad Okob

    It is a proprietary device that has an embedded pptp client. If only this device has options to use other VPN tech, for sure I will, in fact I have an openvpn and softether vpns.

Leave a Reply

Your email address will not be published. Required fields are marked *