One popular use for routers with OpenWrt is hosting a VPN server. Here is a way to set up your own VPN server so you can access your files from anywhere using Windows' built-in VPN client.

The /etc/ppp/options file

This holds the configuration settings shared by all your PPP connections.

# disable compression and other connection controls
noaccomp
nopcomp
nocrtscts

lock # ensures exclusive access to the network interface
maxfail 0 # on failure, retry indefinitely

The /etc/ppp/options.pptpd file

This file contains the pptp server options.

Caution: you have to make sure your VPN server address and your LAN address are on different networks.

logfile /tmp/pptp-server.log
192.168.99.1: # the server's IP address
auth
name "*"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
nodefaultroute
proxyarp
ipparam mon_vpn # the name given to the connection in the ip-up and ip-down scripts

# required so that clients can connect through a "Windows" VPN connection
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap

ms-wins 192.168.99.100 # if you have a WINS server

The /etc/ppp/ip-up.d/mon_vpn file

This script is called whenever a new connection is established. Here we authorize the new traffic by adding a rule to iptables.

#!/bin/sh
# $1 = PPP interface name, $6 = ipparam value set in options.pptpd
if [ "$6" = "mon_vpn" ]; then
    /usr/sbin/iptables -A FORWARD -i "$1" -j ACCEPT
    exit 0
fi
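
The ip-up script above appends a FORWARD rule on every connection and nothing removes it, so rules pile up across reconnects and stay in place after the client disconnects. The following is an added example, not part of the original article: one script, installed under both ip-up.d and ip-down.d, that adds the rule once and removes it on disconnect. The /etc/ppp/ip-down.d/mon_vpn path, the mon_vpn_rule function and the IPT variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original article. Install the same file as
# /etc/ppp/ip-up.d/mon_vpn and /etc/ppp/ip-down.d/mon_vpn (the ip-down.d path
# is an assumption mirroring the article's ip-up.d path).

IPT=${IPT:-/usr/sbin/iptables}  # hypothetical override hook, used for testing
VPN_NAME=mon_vpn                # must match "ipparam" in options.pptpd

# mon_vpn_rule ACTION IFACE IPPARAM  (hypothetical helper)
#   ACTION: up|down, IFACE: pppd's $1, IPPARAM: pppd's $6
# Returns 0 if handled, 1 if the session is not this VPN, 2 on bad input.
mon_vpn_rule() {
    action=$1 iface=$2 ipparam=$3

    [ "$ipparam" = "$VPN_NAME" ] || return 1

    # Only ever touch pppN interfaces, whatever the caller passes in.
    case "$iface" in
        ppp[0-9]|ppp[0-9][0-9]) ;;
        *) return 2 ;;
    esac

    case "$action" in
        up)
            # Delete first so a reconnect never stacks a duplicate rule.
            "$IPT" -D FORWARD -i "$iface" -j ACCEPT 2>/dev/null || true
            "$IPT" -A FORWARD -i "$iface" -j ACCEPT
            ;;
        down)
            # Remove every copy, so no stale ACCEPT is left for the next
            # session that reuses this interface name.
            while "$IPT" -D FORWARD -i "$iface" -j ACCEPT 2>/dev/null; do :; done
            ;;
        *) return 2 ;;
    esac
}

# Dispatch on the directory the script was installed in.
case "$0" in
    */ip-up.d/*)   mon_vpn_rule up   "$1" "$6" ;;
    */ip-down.d/*) mon_vpn_rule down "$1" "$6" ;;
esac
```
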

The /etc/ppp/chap-secrets file

This is the list of authorized users and their passwords.

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
nom_login * mon_mdp 192.168.99.20

The /etc/init.d/S51pptpd file

This script will start the VPN server during router startup.

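#!/bin/sh
# Start or stop the PPTP daemon.

BIN=pptpd
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
PID_F=$RUN_D/$BIN.pid
# Optional defaults file; it may set OPTIONS.
[ -f "$DEFAULT" ] && . "$DEFAULT"

case "$1" in
    start)
        mkdir -p "$RUN_D"
        # Load the crypto, PPP and GRE/PPTP connection-tracking modules;
        # insmod errors are discarded.
        for m in arc4 sha1 slhc ppp_generic ppp_async ppp_mppe_mppc ip_conntrack_proto ip_nat_proto_gre ip_conntrack_proto_gre ip_gre ip_nat_pptp ip_conntrack_pptp; do
            insmod "$m" >/dev/null 2>&1
        done
        # OPTIONS is left unquoted so it splits into separate arguments.
        $BIN $OPTIONS
        ;;
    stop)
        [ -f "$PID_F" ] && kill "$(cat "$PID_F")"
        ;;
    *)
        echo "usage: $0 (start|stop)"
        exit 1
        ;;
esac

exit $?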

You're done. You should now be able to connect to your VPN from outside.

Comments   

# Craig Crawford 2012-12-24 14:14
PPTP and MS-CHAPv2 should both be considered insecure.

Would be better to show us how to set up an OpenVPN, IPSec or L2TP server ;).