Help setting up VPN client

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project


ng3700v2
Posts: 32
Joined: Thu Mar 17, 2011 9:02 am

Re: Help setting up VPN client

Post by ng3700v2 »

Thanks for the reply. In the meantime, I decided to set up a git environment and build an image from scratch on a virtual Ubuntu system under VirtualBox. After issuing "make custom", I picked all of the kernel modules I have listed above and successfully compiled for my router (Netgear WNDR3700v2). I flashed my router with my "custom" firmware, but I must have missed the "gargoyle" packages, as the gargoyle web front-end didn't work. I could, however, ssh into the box and see that all of the necessary kernel modules were loaded!!

I tried "opkg install gargoyle", but that failed with conflicting packages. I tried again with "opkg install gargoyle --force-overwrite", which appeared to be successful, but after a reboot I received "ERROR: no system package defined!" when trying to access the web front-end -- so that was useless.

Do you know what gargoyle packages to select in menuconfig to get the equivalent to a standard gargoyle build in addition to the extra kernel modules?

Thanks!

mix
Posts: 292
Joined: Sun Feb 27, 2011 11:18 am

Re: Help setting up VPN client

Post by mix »

You read the Gargoyle developer documentation?
WRT54GL v1.1
Gargoyle 1.4.7

doritos
Posts: 45
Joined: Mon May 02, 2011 2:02 pm

Re: Help setting up VPN client

Post by doritos »

ng3700v2 wrote: Do you know what gargoyle packages to select in menuconfig to get the equivalent to a standard gargoyle build in addition to the extra kernel modules?
Administration -> Gargoyle

I let my system build a new image with all helpers tonight; I think now it's just a matter of firewall rules.

Code:

root@Gargoyle:~# lsmod | grep -E 'mppe|gre'
ip_gre                 11248  0
nf_nat_proto_gre         848  1 nf_nat_pptp
nf_conntrack_proto_gre     2448  1 nf_conntrack_pptp
nf_nat                 10160 12 nf_nat_sip,nf_nat_pptp,nf_nat_h323,nf_nat_proto_gre,nf_nat_amanda,nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
nf_conntrack           37744 29 sch_esfq,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_nat_h323,nf_conntrack_h323,nf_conntrack_proto_gre,nf_nat_amanda,nf_conntrack_amanda,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,xt_layer7,ipt_MASQUERADE,iptable_nat,nf_nat,xt_CONNMARK,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_NOTRACK,xt_state,nf_conntrack_ipv4
ppp_mppe                4864  2
ppp_generic            18848 12 ppp_mppe,ppp_async,pppoe,pppox

ng3700v2
Posts: 32
Joined: Thu Mar 17, 2011 9:02 am

Re: Help setting up VPN client

Post by ng3700v2 »

I FINALLY GOT IT WORKING!!!!
After building a custom image, adding the necessary packages that I listed above and adding the gargoyle packages, I can now connect to the Windows 7 PPTP VPN server running behind gargoyle. All I had to do after flashing the firmware image was to port-forward 1723 to the IP of my Win7 VPN server, and it works like a charm! Thanks for the help!

Kind of frustrating that I was SO CLOSE to this multiple times, but never got it exactly right. Oh well, I learned a bunch in the meantime... :-)

Mitch76
Posts: 1
Joined: Tue Mar 20, 2012 12:13 am

Re: Help setting up VPN client

Post by Mitch76 »

ng3700v2 wrote:I FINALLY GOT IT WORKING!!!!
After building a custom image, adding the necessary packages that I listed above and adding the gargoyle packages, I can now connect to the Windows 7 PPTP VPN server running behind gargoyle. All I had to do after flashing the firmware image was to port-forward 1723 to the IP of my Win7 VPN server, and it works like a charm! Thanks for the help!

Kind of frustrating that I was SO CLOSE to this multiple times, but never got it exactly right. Oh well, I learned a bunch in the meantime... :-)
NICE WORK!

Are you planning to share your own custom brew ?
I'm about to hit almost the same issue. My work is using a MS VPN (based on 2003 server); it would be great if my router (NG3700v2) could do this connection. Then I don't have to care about creating manual VPN connections on my desktop PC and laptop. (hey, I could even use my iPad for the company intranet ;) )

I tried this on DD-WRT before, but due to too many bugs (choice between not-working VPN, or working VPN without working WiFi) I had to surrender.

Since my NG3700v2 is working very well and stable on Gargoyle, it would be great to let the router make the PPTP connection to my work VPN.

doritos
Posts: 45
Joined: Mon May 02, 2011 2:02 pm

Re: Help setting up VPN client

Post by doritos »

Well, I'm also 'so close', but my problem is not yet solved, so stop hijacking my thread and help me too :lol:

What you managed to do is VPN Passthru. I need more than that. I want my gargoyle box to establish a VPN connection to a Win2k8 box over the internet.

So far it establishes the connection, but I don't know how to route the packets between my network and the remote endpoint.

My local network

Code:

root@Gargoyle:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr F8:D1:11:44:XX:XX
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.

The remote end point (note that the TX/RX bytes increase when I ping the remote end point, so they are working, I just need the right routing/rules :/ )

Code:

pptp-vpn  Link encap:Point-to-Point Protocol
          inet addr:192.168.10.9  P-t-P:192.168.10.2  Mask:255.255.255.255
          RX bytes:2501 (2.4 KiB)  TX bytes:1434 (1.4 KiB)

ng3700v2
Posts: 32
Joined: Thu Mar 17, 2011 9:02 am

Re: Help setting up VPN client

Post by ng3700v2 »

Mitch76 - I'm not sure if my custom build would be beneficial to you or not. But I'd be more than happy to send it to you if you'd like. Let me know and I will upload it somewhere and send you a link. It sounds like you are wanting a VPN Client running on your gargoyle router. Do you want ALL traffic through your router to be funneled through your work VPN or just select systems/IPs? Either way, it sounds like you want something similar to what doritos is trying to figure out.

Doritos - Unfortunately, routing tables probably make less sense to me than they do to you, so I don't know how much help I can be especially since I don't have access to an outside VPN to even test with.

I'm going to assume that you've already seen this page:
http://wiki.openwrt.org/doc/howto/vpn.client.pptp

This portion here seems applicable:
Supposing you want to route two hosts with addresses 192.168.1.20 and 192.168.1.30 (could be any addresses) use

ip rule add from 192.168.1.20 table vpn
ip rule add from 192.168.1.30 table vpn


Now add a default route to your new table and flush the route cache using

ip route add default via <ip_of_the_far_end_of_your_tunnel> dev <pptp_iface_name> table vpn
ip route flush cache

Now all the traffic from hosts using the alternate routing table will go through the VPN. You can traceroute from a VPN routed host to check it. The table you created will survive reboots (it's written), but the route and rules won't so you must add them in some way. Search documentation for the proper way to do that or wait until this part of the howto is finished.
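As an added example (not from the thread or the wiki page quoted above), the per-host policy routing from that excerpt can be wrapped in a small shell script with address validation and a dry-run mode, so that only the listed LAN hosts are sent through the tunnel and a typo cannot leave a half-applied ruleset. The table name vpn, the interface pptp-vpn and the far-end address 192.168.10.2 are assumptions taken from doritos' ifconfig output earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt wiki: per-host policy
# routing through the PPTP tunnel as validated install/remove functions.
# Assumptions (labelled): table "vpn" already exists in /etc/iproute2/rt_tables,
# the tunnel is pptp-vpn and its far end is 192.168.10.2 (doritos' ifconfig).
TABLE=vpn
DEV=pptp-vpn
PEER=192.168.10.2
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

run() { [ "$DRY_RUN" = 1 ] && { echo "$*"; return 0; }; "$@"; }

# valid_ipv4 ADDR: returns 0 if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(echo "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# vpn_policy add|del HOST...: install or remove the source rules for every
# HOST plus the table's default route. Refuses to touch anything if any HOST
# is malformed, so the ruleset is applied completely or not at all.
vpn_policy() {
  verb=$1; shift
  case "$verb" in add|del) ;; *) return 2 ;; esac
  for h in "$@"; do valid_ipv4 "$h" || return 1; done
  for h in "$@"; do run ip rule "$verb" from "$h" table "$TABLE"; done
  run ip route "$verb" default via "$PEER" dev "$DEV" table "$TABLE"
  run ip route flush cache
}
```

Call `vpn_policy add` from the tunnel's ip-up hook and `vpn_policy del` from ip-down, since, as the wiki text notes, the rules do not survive a reboot.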

doritos
Posts: 45
Joined: Mon May 02, 2011 2:02 pm

Re: Help setting up VPN client

Post by doritos »

ng3700v2 wrote: I'm going to assume that you've already seen this page:
http://wiki.openwrt.org/doc/howto/vpn.client.pptp
Yep, I have done everything on this page, but the firewall stuff relies on LuCI (web ui) and I don't know the exact results it produces to the config files.

I think the next step would be building an OpenWRT + LuCI image, getting it working and catching the config files.

Also, most of the documents found on the OpenWRT forum are outdated, pointing to whiterussian-specific config files that don't exist anymore on backfire.

doritos
Posts: 45
Joined: Mon May 02, 2011 2:02 pm

Re: Help setting up VPN client

Post by doritos »

Never give up! :D

The magic:

/etc/config/network

Code:

config 'interface' 'vpn'
        option 'ifname'       'pptp-vpn'
        option 'proto'        'pptp'
        option 'username'     '<USER>'
        option 'password'     '<PASS>'
        option 'server'       '<HOST>'
        option 'buffering'    '1'
        option 'defaultroute' '0'
        # this fuc@#$ line 
        option 'pppd_options' 'mppe required,no40,no56,stateless' 
Everything was correct from the beginning.

PS. OpenWRT/LuCI don't work as well

Gideon7
Posts: 2
Joined: Sun Jul 15, 2012 4:40 pm

Re: Help setting up VPN client

Post by Gideon7 »

Thanks for the critical mppe config line!

There appears to be no documentation anywhere about how to properly set up OpenWrt to use client VPN using PPTP. The OpenWrt Wiki link is pretty much useless.

Anyway, I FIGURED IT OUT (thank you) and it works! My home Comcast D-LINK DIR-825 router with OpenWrt 10.03.1 (Backfire) now has a permanent working client VPN connection to my office PPTPD server (DD-WRT). Yay! :P

Here's how I did it.

First, below is my /etc/config/network section. Substitute 111.222.000.111 with the external IP of your RRAS or PPTPD server.

Code:

config 'interface' 'vpn'
  option 'proto' 'pptp'
  option 'server' '111.222.000.111'
  option 'username' 'MyUserName'
  option 'password' 'MyPassword'
  option 'defaultroute' '0'
  option 'peerdns' '0'
  option 'keepalive' '10'
  option 'interval' '5'
  option 'pppd_options' 'logfile /tmp/pptp.log dump mppe required,no40,no56,stateless'
The last line is the critical one. It writes status messages into a text file (/tmp/pptp.log), dumps the parsed contents of the options from all sources (command-line, /etc/ppp/options, /etc/ppp/options.pptp, in that order of priority), and sets the bleeping mppe option. :evil: Put no spaces between the commas.

Here are the config sections for /etc/config/firewall:

Code:

config 'zone'
  option 'name' 'vpn'
  option 'network' 'vpn'
  option 'input' 'ACCEPT'
  option 'output' 'ACCEPT'
  option 'forward' 'ACCEPT'
  option 'masq' '1'
  option 'log' '1'

config 'forwarding'
  option 'src' 'lan'
  option 'dest' 'vpn'

config 'forwarding'
  option 'src' 'vpn'
  option 'dest' 'lan'
The trick is to turn on MASQUERADE. The PPP endpoint is usually a single IP address on the remote end, so this is generally required if you have multiple devices at home.

Add 'debug' to /etc/ppp/options:

Code:

# Comment-out the following for production (noisy in syslog GUI)
debug
# The remainder of this file is stock default:
logfile /dev/null
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
The option 'debug' is critical for debugging and troubleshooting client VPN problems with pppd. Output goes to /tmp/pptp.log. Once things are working remove the line as it really slows down performance.

Finally I had to set up the dynamic route to the office VPN. I didn't want to enable defaultroute as it would force all my home traffic to run through my office.

Create the file /etc/ppp/ip-up.d/ip-up.sh. The following example assumes that the office pptpd gateway is located remotely at 10.0.0.254 in the office LAN 10.0.0.0/24:

Code:

#!/bin/sh
# chmod 755 /etc/ppp/ip-up.d/ip-up.sh
# Add routes
REMOTESUB=10.0.0.0
REMOTENET=255.255.255.0
GW=10.0.0.254
DEV=pptp-vpn
echo 1 > /proc/sys/net/ipv4/conf/pptp-vpn/log_martians
route add -net $REMOTESUB netmask $REMOTENET gw $GW dev $DEV
#
#Correct 'ip route' output:
#  10.0.0.254 dev pptp-vpn proto kernel scope link src 10.0.0.200
#  10.0.0.0/24 via 10.0.0.254 dev pptp-vpn
#
#Correct 'route -e' output:
#  Destination  Gateway    Genmask         Flags    Iface
#  10.0.0.254   *          255.255.255.255 UGH      pptp-vpn
#  10.0.0.0     10.0.0.254 255.255.255.0   UG       pptp-vpn
#
iptables -A output_rule --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $DEV
iptables -A input_rule --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $DEV
iptables -A forwarding_rule --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $DEV
iptables -A forwarding_rule --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $DEV
Next, create the file /etc/ppp/ip-down.d/ip-down.sh to unwind your route(s) and your iptables settings:

Code:

#!/bin/sh
# chmod 755 /etc/ppp/ip-down.d/ip-down.sh
# Delete PPP route(s)
REMOTESUB=10.0.0.0
REMOTENET=255.255.255.0
GW=10.0.0.254
DEV=pptp-vpn
route del -net $REMOTESUB netmask $REMOTENET gw $GW dev $DEV
# Delete iptables rules
iptables -D output_rule --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $DEV
iptables -D input_rule --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $DEV
iptables -D forwarding_rule --source 0.0.0.0/0.0.0.0 --destination $REMOTESUB/$REMOTENET --jump ACCEPT --out-interface $DEV
iptables -D forwarding_rule --source $REMOTESUB/$REMOTENET --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface $DEV
I had to decode hundreds of lines of spaghetti shell code to figure out this mess. It took days to figure out.

The hardest part was figuring out how to stop and restart the PPP client without rebooting every time. You'd think the OpenWrt developers would give you an easy way to start/stop daemons.

Here is what I finally came up with..

Code:

To modify files in /etc/config
  cd /etc/config
  mkdir /etc/_SAVE/etc/config/OLD
  cp * /etc/_SAVE/etc/config/OLD
  vi network  (or vi wifi, or whatever)
  cp * /etc/_SAVE/etc/config
  uci commit   <-- Copy to NVRAM -- important!

To show the configuration tree
  uci show network
  uci show system
  uci show firewall

To stop and restart the client VPN pppd:  (SAVE!)
  sh
  set -x
  . /etc/functions.sh
  include /lib/config
  include /lib/network
  config_load network
	
  stop_interface_ppp vpn   # This stops VPN pppd

  rm /tmp/pptp.log    # Clean up
  rm /var/lock/ppp-pptp-vpn    # Clean up

  setup_interface_pptp pptp-vpn vpn  # This restarts VPN pppd

The above executes the following command:

  start-stop-daemon -S -b -x /usr/sbin/pppd -m -p /var/run/ppp-pptp-vpn.pid -- pty /usr/sbin/pptp 111.222.000.111 --loglevel 0 --nolaunchpppd file /etc/ppp/options.pptp mtu 1492 mru 1492 lcp-echo-interval 5 lcp-echo-failure 10 persist nodefaultroute user MyUserName password MyPassword ipparam vpn ifname pptp-vpn logfile /tmp/pptp.log dump mppe required,no40,no56,stateless nodetach

    -S == Start
    -b == Fork to background
    -x == Daemon to execute
    -p == Path to the lock file to create/check
    -m == Check the lock file and bail if already started
    -- == Pass the remainder of the command-line as-is to the daemon

The above in turn invokes
    /usr/sbin/pppd pty /usr/sbin/pptp 111.222.000.111 --loglevel 0 --nolaunchpppd file /etc/ppp/options.pptp mtu 1492 mru 1492 lcp-echo-interval 5 lcp-echo-failure 10 persist nodefaultroute user MyUserName password MyPassword ipparam vpn ifname pptp-vpn logfile /tmp/pptp.log dump mppe required,no40,no56,stateless nodetach
If there is an easier way I'd love to know about it.

I'm really beginning to regret switching from DD-WRT to OpenWrt. If the developers hadn't apparently abandoned the development of DD-WRT a couple years ago I would switch back from OpenWrt in a heartbeat.

I can't believe there is no way to start/stop a daemon without such contortions. And the lack of documentation. Unbelievable.
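As an added example (not Gideon7's script), the ip-up/ip-down pair above can be collapsed into one parameterised hook. pppd invokes every script in /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ with the arguments interface, tty, speed, local IP, remote IP and ipparam, so the hook can read the tunnel device and gateway from those instead of hard-coding them, and can refuse to act unless ipparam is "vpn", which stops it from adding routes and ACCEPT rules when some other PPP link (for example a PPPoE WAN) comes up. The office subnet 10.0.0.0/24 and the firewall chain names come from the post above; `ip route` replaces the older `route add -net` form, and the dry-run switch is an addition for testing.

```shell
#!/bin/sh
# Added example (not from the thread): a single ip-up/ip-down hook for the
# PPTP client. pppd passes: $1 interface, $2 tty, $3 speed, $4 local IP,
# $5 remote IP, $6 ipparam (the 'vpn' from "option ipparam" / "ipparam vpn").
# Assumptions (labelled): office LAN 10.0.0.0/24 as in the post above; the
# OpenWrt user chains input_rule/output_rule/forwarding_rule exist.
REMOTE_CIDR=10.0.0.0/24
WANT_IPPARAM=vpn
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

run() { [ "$DRY_RUN" = 1 ] && { echo "$*"; return 0; }; "$@"; }

# vpn_hook up|down IFNAME LOCAL_IP REMOTE_IP IPPARAM
# Adds (up) or deletes (down) the office route and the matching firewall
# exceptions. Returns 1 and does nothing when IPPARAM is not the VPN's, so
# an unrelated PPP link cannot trigger it; returns 2 on an unknown action.
vpn_hook() {
  action=$1 dev=$2 remote_ip=$4 ipparam=$5
  [ "$ipparam" = "$WANT_IPPARAM" ] || return 1
  case "$action" in
    up)   rt=add; fw=-A ;;
    down) rt=del; fw=-D ;;
    *)    return 2 ;;
  esac
  # Route only the office subnet over the tunnel; defaultroute stays 0.
  run ip route "$rt" "$REMOTE_CIDR" via "$remote_ip" dev "$dev"
  # Open the tunnel only for traffic to/from that subnet; anything else on
  # the interface still falls through to the zone's default policy.
  run iptables "$fw" forwarding_rule -o "$dev" -d "$REMOTE_CIDR" -j ACCEPT
  run iptables "$fw" forwarding_rule -i "$dev" -s "$REMOTE_CIDR" -j ACCEPT
  run iptables "$fw" output_rule -o "$dev" -d "$REMOTE_CIDR" -j ACCEPT
  run iptables "$fw" input_rule -i "$dev" -s "$REMOTE_CIDR" -j ACCEPT
}

# When pppd runs this file, pick the action from the directory it lives in,
# so the same script can be installed (or symlinked) into both hook dirs.
case "$0" in
  */ip-up.d/*)   vpn_hook up   "$1" "$4" "$5" "$6" ;;
  */ip-down.d/*) vpn_hook down "$1" "$4" "$5" "$6" ;;
esac
```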
