OpenWrt Forum Archive

Topic: VPN Client (windowz) needs to connect to a VPN Server at work

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Greetings,

I just installed openwrt, works great, the only thing I have not been able to get working again is the ability to VPN into work. I'm using windowz XP pro on a laptop issued to me by my employer. It's using the native VPN connection. I've RTM on openvpn but it seems to discuss creating a tunnel from the router. Is there a config change I need to make to do VPN pass-through?

Regards

Mike McD.

Look at openvpn.net - that will teach you how to do a openvpn server-client config.

Look at PPTP also - that's more straightforward to set up and requires no special software on your XP machine. It's also less secure.

If you want something quickly, contact me offline.

@mikemcd: Have you already got your VPN server? Or do you want to make a VPN server with OpenWrt?

LSU_guy, looks like what I need is PPTP. Thanks

Sonic, no I'm not looking to set up a server... at least not at the moment. Looks like I'm just needing to pass through a PPTP tunnel.


I'll let you know how it turns out.

I think he wants to know how to establish a PPTP connection through the WRT, which is not possible. Which additional packages must be installed?

He is saying that the company-issued laptop is using a VPN client integrated into XP. This means it is either PPTP or IPsec (though he says it looks like it is PPTP). All he wants to know how to do is configure PPTP passthrough in OpenWRT so he can use the client installed on his laptop to establish a tunnel into his company's network.

PPTP was made to work in this post:
http://forum.openwrt.org/viewtopic.php?id=5813
But seeing as I was the author and do not really know what I am doing, please be aware it may not be secure. Not tested with ipsec either.
As I could find no information to solve the issue, hopefully others can benefit from my brute force problem solving with a good bit of luck!
Enjoy
Chapelhill

I think you must configure the passthrough VPN with iptables. And allow forwarding the GRE protocol imho ...
These are my lines, but they're for a PPTP server on my OpenWrt ... perhaps you can adapt them.

### Tunnel PPTP, VPN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A output_rule             -p 47               -j ACCEPT  # <- Perhaps just these lines can do the job ...
iptables        -A input_rule              -p 47               -j ACCEPT  # <- Perhaps just these lines can do the job ...
iptables        -A forwarding_rule         -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

(Last edited by Sonic on 25 May 2006, 12:37)

I tried this but got this warning. I suspect that I don't have $WAN defined.

===========================
root@rt01:~# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
root@rt01:~#
===========================

Here is my current iptables list and version:

===========================
root@rt01:~# iptables --version
iptables v1.3.3
root@rt01:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forward_vlan1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             huey
ACCEPT     udp  --  anywhere             huey
ACCEPT     all  --  anywhere             huey
ACCEPT     tcp  --  anywhere             huey
ACCEPT     udp  --  anywhere             huey

Chain forwarding_rule (1 references)
target     prot opt source               destination
forward_vlan1  all  --  anywhere             anywhere

Chain input_rule (1 references)
target     prot opt source               destination
input_vlan1  all  --  anywhere             anywhere

Chain input_vlan1 (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination
root@rt01:~#
==================================

It looks like I already have gre (-p 47) in my INPUT chain.
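A quick way to read a listing like the one above for the two ACCEPT rules a LAN-side PPTP client depends on (GRE in INPUT for the router itself, GRE in FORWARD for traffic passing through to the client). This is an added example, not code from the thread or from OpenWrt; the listing it inspects is a constructed, trimmed copy in the same shape as the post's output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an `iptables -L` listing for the
# ACCEPT rules PPTP pass-through depends on.

# Constructed sample, trimmed from the shape of the listing in the post above.
# Note the FORWARD chain has a bare "ACCEPT all" but no explicit gre rule.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_rule  all  --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
'

# chain_accepts LISTING CHAIN PROTO
# Prints "yes" if CHAIN has an unconditional ACCEPT for PROTO (a bare
# "ACCEPT <proto> -- anywhere anywhere": five fields, no state/port match),
# "maybe" if it only has a bare "ACCEPT all" (iptables -L without -v hides the
# interface such a rule is usually bound to, so it may not cover WAN traffic),
# and "no" otherwise.
chain_accepts() {
    listing=$1; chain=$2; proto=$3
    printf '%s\n' "$listing" | awk -v chain="$chain" -v proto="$proto" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 == "ACCEPT" && NF == 5 && $2 == proto { found = 1 }
        in_chain && $1 == "ACCEPT" && NF == 5 && $2 == "all" { catchall = 1 }
        END { print (found ? "yes" : (catchall ? "maybe" : "no")) }'
}

# pptp_gre_report LISTING
# One line per chain that matters for a LAN client tunnelling out through the
# router. Returns 0 only when FORWARD explicitly accepts gre.
pptp_gre_report() {
    listing=$1
    in_state=$(chain_accepts "$listing" INPUT gre)
    fwd_state=$(chain_accepts "$listing" FORWARD gre)
    printf 'INPUT accepts gre:   %s\n' "$in_state"
    printf 'FORWARD accepts gre: %s\n' "$fwd_state"
    [ "$fwd_state" = yes ]
}

pptp_gre_report "$SAMPLE_LISTING" || echo "FORWARD needs an explicit GRE ACCEPT"
```

On the router, `iptables -L -v -n` shows the in/out interfaces that `-L` alone hides, which is what turns a "maybe" into a definite answer; the sample here reproduces the situation in the post, where INPUT already accepts gre but FORWARD only has interface-scoped catch-all rules.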

OK, I'm a little slow... the $WAN var is set in /etc/init.d/S45firewall.

I've added Sonic's code between MASQ and USERRULES... testing.

Still no joy... I've loaded tcpdump and I'm still working on it.

Oops, sorry... didn't see you there kultex... thanks, I'll check out the link.

Well, as it turns out this was not exactly an openwrt question as much as it was an iptables question. After consulting a co-worker (thanks Greg) I have a working config:

#Send packets on port 1723 from VPN to the right machine
iptables -A FORWARD -p 47 -j ACCEPT
iptables -A FORWARD -d {corp VPN server}/32 -p tcp -j ACCEPT
iptables -A FORWARD -d {corp VPN server}/32 -j ACCEPT
iptables -A FORWARD -s {internal VPN client}/32 -p tcp -j ACCEPT
iptables -A FORWARD -s {internal VPN client}/32 -p 47 -j ACCEPT

iptables -t nat -A PREROUTING -s {corp VPN server}/32 -p tcp --dport 1723 -j DNAT --to {internal VPN client}
iptables -t nat -A PREROUTING -s {internal VPN client}/32 -p tcp --dport 1723 -j DNAT --to {corp VPN server}
iptables -t nat -A PREROUTING -s {corp VPN server}/32 -p 47 -j DNAT --to {internal VPN client}
iptables -t nat -A PREROUTING -s {internal VPN client}/32 -p 47 -j DNAT --to {corp VPN server}
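The same pass-through, written as a parameterised script that refuses to run when a variable is empty (the failure earlier in the thread, where an unset $WAN made iptables read "-p" as the interface name) and that narrows the TCP rules to port 1723 instead of all TCP. This is an added example, not the poster's config or OpenWrt code; the function and variable names, the DRY_RUN switch and the interface/address values in the usage line are my own, and it keeps only the GRE DNAT from the working config above, on the assumption that the router has no PPTP NAT helper and that the 1723 control connection is handled by ordinary connection tracking.

```shell
#!/bin/sh
# Added example, not from the thread: emit (or apply) PPTP pass-through rules
# for one LAN client, after checking that every value the rules use is set.
# With an empty WAN variable, iptables reads "-p" as the interface name, which
# is the "weird character in interface `-p'" error shown earlier in the thread.
#
# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# script can be tried anywhere; on the router run it with DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}

# run_ipt ARGS...: print or execute one iptables command.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# pptp_passthrough_rules WAN_IF VPN_SERVER CLIENT
#   WAN_IF     - the router's WAN interface (the value $WAN holds in S45firewall)
#   VPN_SERVER - the corporate PPTP server's public address
#   CLIENT     - the LAN address of the laptop running the PPTP client
# Returns 1 and emits nothing if any argument is empty.
pptp_passthrough_rules() {
    wan=$1; server=$2; client=$3
    for v in "$wan" "$server" "$client"; do
        if [ -z "$v" ]; then
            echo "pptp_passthrough_rules: WAN interface, server and client are all required" >&2
            return 1
        fi
    done
    # Control channel: TCP/1723 from the client to the server only (the config
    # above accepts all TCP to the server; this narrows it to the PPTP port),
    # plus the server's replies arriving on the WAN side (already covered where
    # FORWARD has a RELATED,ESTABLISHED rule, kept explicit here).
    run_ipt -A FORWARD -s "$client" -d "$server" -p tcp --dport 1723 -j ACCEPT
    run_ipt -A FORWARD -i "$wan" -s "$server" -d "$client" -p tcp --sport 1723 -j ACCEPT
    # Data channel: GRE (IP protocol 47) between the same pair, both directions.
    run_ipt -A FORWARD -s "$client" -d "$server" -p 47 -j ACCEPT
    run_ipt -A FORWARD -i "$wan" -s "$server" -d "$client" -p 47 -j ACCEPT
    # GRE carries no port numbers, so a masquerading router without the PPTP
    # NAT helper cannot map the server's GRE packets back on its own; as in the
    # working config above, hand them to the single client explicitly.
    run_ipt -t nat -A PREROUTING -i "$wan" -s "$server" -p 47 -j DNAT --to "$client"
}

# Usage (hypothetical values): sh pptp_passthrough.sh vlan1 203.0.113.10 192.168.1.50
if [ $# -eq 3 ]; then
    pptp_passthrough_rules "$1" "$2" "$3"
fi
```

Because the rules are scoped to one client/server pair, a second laptop on the LAN would need its own set; with the DNAT in place, GRE from that server can only ever reach the one client, which is the limitation the PPTP conntrack helper exists to remove.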

Very sorry nbd for not following up. I did check back on this post for several weeks and had thought the issue closed. Yes, I did come across your package but the thing is I'm out of RAM. Since I did get the above configuration to work... well... I now have another project in the pipe for which I may use mipsel. I'll report back in a few weeks.

--:)mcd(:--

The discussion might have continued from here.