OpenWrt Forum Archive

Topic: Clarification on the use of VPN to access your LAN from Internet

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This discussion is for clarifying the use of VPN to connect to a network protected by OpenWRT using PPTPD (see installation instructions at http://wiki.openwrt.org/PPTPDHowto).  Previous knowledge of iptables is expected (see http://wiki.openwrt.org/OpenWrtDocs/IPTables and http://iptables-tutorial.frozentux.net/ … orial.html).

For the purpose of this discussion let's assume the following:

The case scenario is a home network connected to the internet by an OpenWrt White Russian 0.9 box, and someone on the internet needs to access his home network privately.  The router can be accessed from the internet with the address 'home.dyndns.org' (it's fake), and this cannot be resolved to an address in the range 192.168.200.0/24.

The LAN network is identified by 192.168.1.0/24.  The '/etc/ppp/options.pptpd' file has the line '192.168.200.1:' and the line 'name "pptp-server"'.  The '/etc/ppp/chap-secrets' file has the line 'user1 pptp-server pass1 192.168.200.10'.

Let's begin.

First we establish a connection to the router on the 1723 TCP port.  In order for the packets to reach the PPTP server on the router, the following rules must be added in the '/etc/firewall.user' file.

### Allow PPTP control connections from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT

Note: All the added rules have to be placed after the iptables flush lines (Ex: iptables -t nat -F prerouting_rule) or they will be deleted by the flush lines.

Now the pptp connection handshaking will start the communication followed by authentication.

Note: The handshaking will fail if the name (here it's pptp-server) in the '/etc/ppp/options.pptpd' file is not the same as the second parameter on the line from the '/etc/ppp/chap-secrets' file.

Once the authentication has succeeded, the tunneling can begin (the GRE protocol, protocol no. 47).  For this the following rules must be added in the '/etc/firewall.user' file.  Also, a new interface is created named pppX (where X is a number).

### Allow GRE protocol (used by PPTP data stream)
iptables -A output_rule -p 47 -j ACCEPT
iptables -A input_rule  -p 47 -j ACCEPT

From what I observed, packets after going through the tunnel will enter the firewall with the IN interface set to pppX (mentioned earlier) before the prerouting rules.  After traversing the prerouting rules, the packets will be routed to the input rules if the destination is one of the many IP addresses that resolve to a local interface (the router itself), or to the forward rules if it does not resolve to a local interface.

So, if you want to be able to communicate with all the computers on the LAN, the following rules must be added in the '/etc/firewall.user' file.

iptables -A forwarding_rule -i ppp+ -o $LAN -s 192.168.200.0/24 -j ACCEPT
iptables -A forwarding_rule -i $LAN -o ppp+ -d 192.168.200.0/24 -j ACCEPT

Note: In the first rule, the source IP/network is important because if you connect your WAN with PPPoE, the interface for the WAN will be ppp0, and without the source IP/network, people on the WAN side can access the computers on the LAN side.

By default, the firewall lets all communication through when not coming from vlan1 (or when not coming from either vlan1 or ppp0 in the case of a PPPoE WAN) because of the LAN_ACCEPT chain in the firewall.  To PREVENT all the VPN clients from communicating with the router, add the following rules to the '/etc/firewall.user' file.

iptables -A input_rule  -i ppp+ -s 192.168.200.0/24 -j DROP # or -j REJECT --reject-with icmp-port-unreachable
iptables -A output_rule -o ppp+ -d 192.168.200.0/24 -j DROP # or -j REJECT --reject-with icmp-port-unreachable

To access the internet as if you were inside your LAN, add the following rules to the '/etc/firewall.user' file.

iptables -A forwarding_rule -i ppp+ -o $WAN -s 192.168.200.0/24 -j ACCEPT

Note: For this to work properly, you must make sure that all your internet traffic is routed to the VPN interface on the computer that you use to access your home network remotely.

Also, to be able to communicate from one VPN client to another, add the following rules to the '/etc/firewall.user' file.

iptables -A forwarding_rule -i ppp+ -s 192.168.200.0/24 -d 192.168.200.0/24 -j ACCEPT

If there are errors or omissions, please let me know.  Also, it would be great to have an in-depth explanation of how proxyarp works.

(Last edited by dominiquefortin on 19 Jun 2008, 04:05)
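The note about the PPPoE case above is the one point in this post where a missing match turns into exposure, so here is a small model of it. This is an added example, not code from the thread or from OpenWrt: it only models the interface/source matching of the posted forwarding_rule entry, the value of $LAN (br0) and the fall-through verdict are assumptions, and the packets are constructed.

```python
"""Toy model of the posted forwarding_rule entry, with and without its -s match.

Added example, not from the thread or from OpenWrt. Only interface and source
matching is modelled; the real chain holds more rules, and the verdict when
nothing matches ("fallthrough") is an assumption of this model."""
from ipaddress import ip_address, ip_network

VPN_NET = ip_network("192.168.200.0/24")   # from the post
LAN_IFACE = "br0"                           # assumed value of $LAN on the box

def iface_match(pattern, iface):
    """iptables interface match: None = any interface, trailing '+' = prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def rule_matches(rule, pkt):
    if not iface_match(rule.get("i"), pkt["in"]):
        return False
    if not iface_match(rule.get("o"), pkt["out"]):
        return False
    if "s" in rule and ip_address(pkt["src"]) not in rule["s"]:
        return False
    return True

def forward_verdict(rules, pkt, fallthrough="DROP"):
    """First matching rule wins, as in iptables; fallthrough is the model's assumption."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["j"]
    return fallthrough

# Rule as posted: -i ppp+ -o $LAN -s 192.168.200.0/24 -j ACCEPT
WITH_SRC_FILTER = [{"i": "ppp+", "o": LAN_IFACE, "s": VPN_NET, "j": "ACCEPT"}]
# The same rule with the -s match left out
WITHOUT_SRC_FILTER = [{"i": "ppp+", "o": LAN_IFACE, "j": "ACCEPT"}]

# Constructed packets. With a PPPoE WAN the WAN interface itself is ppp0, so it matches 'ppp+'.
VPN_CLIENT_PKT = {"in": "ppp1", "out": LAN_IFACE, "src": "192.168.200.10", "dst": "192.168.1.5"}
WAN_PPPOE_PKT = {"in": "ppp0", "out": LAN_IFACE, "src": "203.0.113.7", "dst": "192.168.1.5"}

if __name__ == "__main__":
    for name, rules in [("with -s", WITH_SRC_FILTER), ("without -s", WITHOUT_SRC_FILTER)]:
        print(name, "| VPN client:", forward_verdict(rules, VPN_CLIENT_PKT),
              "| PPPoE WAN host:", forward_verdict(rules, WAN_PPPOE_PKT))
```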

What about logging?  If it's the only open port (TCP 1723) on your firewall, you might want to know when there are connection attempts made on it.  So here's a rule for just that.

### Allow PPTP control connections from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -m state --state NEW -j LOG --log-prefix "PPTP try: "
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -m state --state NEW -j LOG --log-prefix "PPTP try: "
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT

Note: Make sure you place the rules before their ACCEPT counterpart.

To know if the pptp server established a VPN connection you'll have to look at the syslog.
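To make the "PPTP try: " lines from the rules above useful, something has to count them per source. This is an added example, not code from the thread: the syslog lines are constructed, the KEY=value layout is the kernel LOG target's format, and the threshold is an assumed value. Because the posted rules log the same NEW packet once from nat prerouting_rule and once from input_rule, a single SYN shows up as two lines, so the counter collapses duplicates on (SRC, SPT, ID).

```python
"""Count PPTP control-connection attempts from the LOG lines produced by the rules above.

Added example, not code from the thread. SAMPLE_SYSLOG is constructed; the
"PPTP try: " prefix is the one set by --log-prefix in the posted rules."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Jun 19 04:01:10 OpenWrt kernel: PPTP try: IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=1723 WINDOW=5840 SYN URGP=0
Jun 19 04:01:10 OpenWrt kernel: PPTP try: IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=1723 WINDOW=5840 SYN URGP=0
Jun 19 04:01:14 OpenWrt kernel: PPTP try: IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=1723 WINDOW=5840 SYN URGP=0
Jun 19 04:02:30 OpenWrt kernel: PPTP try: IN=vlan1 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=60 ID=9 DF PROTO=TCP SPT=51000 DPT=1723 WINDOW=65535 SYN URGP=0
Jun 19 04:02:31 OpenWrt kernel: some other kernel message SRC=10.0.0.1 DPT=1723
"""

PREFIX = "PPTP try: "                      # --log-prefix from the posted rules
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; flags like DF/SYN have no '='

def parse_log_line(line):
    """Return the KEY=value fields of a LOG line carrying the prefix and DPT=1723, else None."""
    if PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
    return fields if fields.get("DPT") == "1723" else None

def pptp_attempts(syslog_text):
    """Distinct connection attempts per source IP.

    The same SYN is logged by both the nat prerouting_rule and the input_rule LOG
    entries, so (SRC, SPT, ID) is used to collapse the duplicate pair."""
    seen = set()
    for line in syslog_text.splitlines():
        fields = parse_log_line(line)
        if fields:
            seen.add((fields["SRC"], fields.get("SPT"), fields.get("ID")))
    return dict(Counter(src for src, _, _ in seen))

def noisy_sources(syslog_text, threshold=2):
    """Sources with at least `threshold` attempts (threshold is an assumed value)."""
    return sorted(src for src, n in pptp_attempts(syslog_text).items() if n >= threshold)

if __name__ == "__main__":
    print(pptp_attempts(SAMPLE_SYSLOG))
    print("repeat offenders:", noisy_sources(SAMPLE_SYSLOG))
```

On the router itself the same idea works as a one-liner over 'logread' or /var/log/messages, but the deduplication is what keeps the numbers honest.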
