OpenWrt Forum Archive

Topic: PPTP VPN passthrough?

The content of this topic has been archived on 7 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have just switched from Oleg's firmware on a WL500g to openwrt (RC5) on a WRTSL54GS (as my home DSL router) and I'm having one little problem:

I can't set up a VPN connection (with PPTP) from a machine inside the network (typically my PowerBook) to a VPN server out there in the internet.

So I guess that by default OpenWRT does not enable any kind of PPTP VPN passthrough.  Now the problem is that I can't seem to figure out how to enable such a passthrough.  It seems like a pretty basic thing (all routers I've used until now had such a toggle in their web interface), but I can't seem to figure out how to do it with OpenWRT.  Even after googling around and searching the Wiki.

I understand that there can be 2 ways to do it, where the easy way only allows one outgoing  PPTP VPN connection at a time.  I'd be happy with either.

monnier wrote:

I have just switched from Oleg's firmware on a WL500g to openwrt (RC5) on a WRTSL54GS (as my home DSL router) and I'm having one little problem:

I can't set up a VPN connection (with PPTP) from a machine inside the network (typically my PowerBook) to a VPN server out there in the internet.

So I guess that by default OpenWRT does not enable any kind of PPTP VPN passthrough.  Now the problem is that I can't seem to figure out how to enable such a passthrough.  It seems like a pretty basic thing (all routers I've used until now had such a toggle in their web interface), but I can't seem to figure out how to do it with OpenWRT.  Even after googling around and searching the Wiki.

I understand that there can be 2 ways to do it, where the easy way only allows one outgoing  PPTP VPN connection at a time.  I'd be happy with either.

monnier - I have lots of these routers at different jobsites. I can VPN into them. I'm also always behind an openwrt router when I'm VPNing out and it works for me. Here are a few things to try:

1) Direct connect your Mac to the internet. Can you still VPN? If you can't, then that's your problem.
2) Disable the firewall... open up all ports. Does that help? If it does, it's a firewall problem.
3) Telnet to the vpn server. Could you establish this session?
4) What do the logs in the VPN server say?
5) Post error messages here. It's hard to tell what's happening without any logs or error messages.

Also look at the PPTP and PPTPD pages in the howto. They should provide some help.

(Last edited by LSU_guy on 23 May 2006, 09:33)

I'm not very good on these things, but I had the same problem. I googled and googled again.
I have managed to get pptp vpn working by adding the following lines to the /etc/firewall.user file.

# ESP and AH (IP protocols 50 and 51): ACCEPT in the nat table means "do not NAT",
# so these packets are excluded from the MASQUERADE rule further down
iptables -t nat -A postrouting_rule -p 50 -j ACCEPT
iptables -t nat -A postrouting_rule -p 51 -j ACCEPT
# let replies to connections started from the LAN come back in through the WAN interface
iptables -A forwarding_rule -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward anything leaving via WAN or arriving from LAN, then masquerade outbound traffic
iptables -A forwarding_rule -o $WAN -j ACCEPT
iptables -A forwarding_rule -i $LAN -j ACCEPT
iptables -t nat -A postrouting_rule -o $WAN -j MASQUERADE

I am not sure if they are in the right order but it works for rc5 pptp tested with two different servers. The first two relate to ipsec and are probably not required, but I have not tested it. I think the third line is the key one as I think it says allow anything back if it originates from LAN.
Not sure how secure it is as it is behind another NAT router.
The information came from this page http://www.e-infomax.com/ipmasq/ as most of the other pages are too far out of date for current iptables syntax.
Good luck
If someone could point us to a relatively simple guide to iptables I would be most grateful!
Regards
Chapelhill

LSU_guy wrote:

monnier - I have lots of these routers at different jobsites. I can VPN into them. I'm also always behind an openwrt router when I'm VPNing out and it works for me. Here are a few things to try:

1) Direct connect your Mac to the internet. Can you still VPN? If you can't, then that's your problem.
2) Disable the firewall... open up all ports. Does that help? If it does, it's a firewall problem.
3) Telnet to the vpn server. Could you establish this session?
4) What do the logs in the VPN server say?
5) Post error messages here. It's hard to tell what's happening without any logs or error messages.

Also look at the PPTP and PPTPD pages in the howto. They should provide some help.

1) yes, I can VPN when connected directly (or from the router itself)
2)
3) yes, telnet works fine.
4) No idea, I don't have access to it.
5) It really seems like nothing is getting through:

# pppd call UdeM debug nodetach
using channel 6
Using interface ppp0
Connect: ppp0 <--> /dev/pts/9
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
LCP: timeout sending Config-Requests
Connection terminated.
Script pptp vpn.cc.umontreal.ca --nolaunchpppd  finished (pid 1095), status = 0x0
Modem hangup
#

tcpdump running on the router gives me the impression that the GRE packets sent from the VPN server never make it to my client.  I have done "insmod ip_gre" and I've added "iptables -I INPUT -p gre -j ACCEPT" but it didn't help.  What have you changed compared to the base RC5 config?

(Last edited by monnier on 28 May 2006, 02:35)
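The transcript in the post above is the textbook signature of a blocked GRE return path: the pptp helper completed the TCP 1723 control channel (otherwise pppd would never have been started), pppd wrote its LCP ConfReqs to the pty, and nothing at all came back before LCP gave up. PPP frames in PPTP travel inside GRE (IP protocol 47), which a NAT router drops unless it accepts GRE explicitly or tracks it with the PPTP conntrack helper. The following Python script is an added example, not code from the thread; it triages a pppd debug transcript by counting sent versus received packets and returns a label a defender can act on. The two log texts are constructed (one mirrors monnier's transcript, one shows a peer that answers but rejects authentication) and were not captured from a live session.

```python
"""Triage a pppd debug transcript for the "GRE never came back" PPTP signature.

Added example, not from the thread. Log text below is constructed to mirror the
transcript posted above; it was not captured from a live session.
"""
import re
from collections import Counter

# Constructed: LCP ConfReqs go out, nothing ever arrives, LCP gives up.
SAMPLE_NO_RETURN_PATH = """\
using channel 6
Using interface ppp0
Connect: ppp0 <--> /dev/pts/9
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd4444f5a> <pcomp> <accomp>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
"""

# Constructed: the peer answers (so GRE flows both ways) but CHAP rejects us.
SAMPLE_AUTH_FAILED = """\
Using interface ppp0
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1a2b3c4d> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1a2b3c4d> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2> <magic 0x5e6f7a8b>]
sent [LCP ConfAck id=0x0 <mru 1400> <auth chap MS-v2> <magic 0x5e6f7a8b>]
rcvd [CHAP Challenge id=0x1 <...>, name = "vpn"]
sent [CHAP Response id=0x1 <...>, name = "user"]
rcvd [CHAP Failure id=0x1 "E=691 R=1"]
CHAP authentication failed
Connection terminated.
"""

# pppd debug lines look like: sent [LCP ConfReq id=0x1 ...] / rcvd [CHAP Failure ...]
PACKET_RE = re.compile(r"^(sent|rcvd) \[([A-Za-z0-9]+) (\w+)")


def summarize(log):
    """Count (direction, protocol, message) triples, e.g. ('sent', 'LCP', 'ConfReq')."""
    counts = Counter()
    for line in log.splitlines():
        m = PACKET_RE.match(line)
        if m:
            counts[m.groups()] += 1
    return counts


def diagnose(log):
    """Classify the transcript.

    'no-return-path': LCP ConfReqs were sent, not one PPP packet was received and
                      LCP timed out. The TCP 1723 control channel worked (pppd was
                      started at all), so look at GRE (IP protocol 47) handling on
                      the NAT router: explicit accept, or the PPTP conntrack helper.
    'auth-failed':    PPP frames flow both ways; the problem is credentials, not NAT.
    'peer-reachable': something came back; read the later LCP/IPCP lines.
    'unknown':        none of the above.
    """
    counts = summarize(log)
    sent_lcp = sum(n for (d, p, _), n in counts.items() if d == "sent" and p == "LCP")
    rcvd_any = sum(n for (d, _, _), n in counts.items() if d == "rcvd")
    if "LCP: timeout sending Config-Requests" in log and sent_lcp and not rcvd_any:
        return "no-return-path"
    if "authentication failed" in log:
        return "auth-failed"
    if rcvd_any:
        return "peer-reachable"
    return "unknown"


if __name__ == "__main__":
    for name, log in (("no-return-path sample", SAMPLE_NO_RETURN_PATH),
                      ("auth-failed sample", SAMPLE_AUTH_FAILED)):
        c = summarize(log)
        sent = sum(n for (d, *_), n in c.items() if d == "sent")
        rcvd = sum(n for (d, *_), n in c.items() if d == "rcvd")
        print(f"{name}: sent={sent} rcvd={rcvd} -> {diagnose(log)}")
```

Feed it a real transcript with `diagnose(open("pppd.log").read())`. The useful property is the distinction it draws: a `no-return-path` verdict means the router, not the VPN server or the credentials, is the place to look, which is exactly what monnier's tcpdump observation suggests.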

I haven't changed anything on the RC5 config. It worked out of the box (so to speak). I also have it working with RC4.

If you ssh into your router and run the following command
>iptables -L
you will see that one of the input rules is to forward all your GRE traffic.
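Reading `iptables -L` by eye is error-prone on a firewall that jumps into user chains (input_rule, forwarding_rule) before the built-in rules. The script below is an added example, not from the thread: it parses a listing in the shape of `iptables -L -n` output, follows jumps into user chains, and reports the verdict a bare GRE packet would get in INPUT and FORWARD. By design it does not count `state RELATED,ESTABLISHED` rules as a match, because GRE only becomes RELATED/ESTABLISHED when the conntrack GRE/PPTP helper modules are loaded, which is the thread's failure mode. Both listings are constructed, not captured from a router; the chain names follow the thread. One caveat: `-L` without `-v` hides interface matches, so a rule restricted with -i or -o looks unrestricted to this parser.

```python
"""Check whether plain GRE (IP protocol 47) would be accepted by INPUT and FORWARD.

Added example, not from the thread. The listings are constructed in the shape of
`iptables -L -n` output on a White Russian era OpenWrt box (jumps into the
input_rule / forwarding_rule user chains); they were not captured from a router.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
GRE_PROTOS = {"gre", "47"}      # iptables prints a name if /etc/protocols knows it

# Constructed: explicit GRE accept reached through the user-chain jumps.
LISTING_GRE_OK = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
input_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0

Chain input_rule (1 references)
target     prot opt source               destination
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     gre  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed: only state rules; GRE matches them solely when the conntrack
# GRE/PPTP helper modules are loaded, so the policy (DROP) decides here.
LISTING_STATE_ONLY = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain forwarding_rule (1 references)
target     prot opt source               destination
"""


def parse_listing(text):
    """Return {chain: {'policy': 'ACCEPT'|'DROP'|None, 'rules': [(target, prot, extra)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)    # target prot opt source destination [match text]
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) == 6 else ""
        # "reject-with ..." is REJECT's option, not a match restriction
        extra = re.sub(r"reject-with \S+", "", extra).strip()
        chains[current]["rules"].append((parts[0], parts[1], extra))
    return chains


def gre_verdict(chains, chain, seen=None):
    """Walk `chain` as a bare GRE packet would: the first matching terminal target wins.
    Jumps into user chains are followed; a user chain that matches nothing RETURNs
    (None). Rules with extra match text (state, ports) are treated as non-matching."""
    seen = set() if seen is None else seen
    if chain not in chains or chain in seen:
        return None
    seen.add(chain)
    for target, prot, extra in chains[chain]["rules"]:
        if extra or prot not in GRE_PROTOS | {"all"}:
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:
            verdict = gre_verdict(chains, target, seen)
            if verdict is not None:
                return verdict
    return chains[chain]["policy"]


def report(text):
    """Verdict for bare GRE in the two built-in chains that matter for passthrough."""
    chains = parse_listing(text)
    return {c: gre_verdict(chains, c) for c in ("INPUT", "FORWARD")}


if __name__ == "__main__":
    print("explicit GRE accept:", report(LISTING_GRE_OK))
    print("state rules only:   ", report(LISTING_STATE_ONLY))
```

Run `report(subprocess.check_output(["iptables", "-L", "-n"], text=True))` on the router (or paste the listing into a file) to get the same two verdicts for a live box. A `DROP` for FORWARD with no explicit GRE rule is the case where loading the PPTP conntrack helper, or adding an explicit GRE accept, is what makes passthrough work.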

To give you some feedback on your package, I've tried it and the modules would not load:

root@silverbox:/etc/modules.d# insmod ip_conntrack_pptp
Using /lib/modules/2.4.30/ip_conntrack_pptp.o
insmod: unresolved symbol ip_ct_gre_keymap_add
insmod: unresolved symbol ip_ct_gre_keymap_destroy

I am running RC5 basic.

I tried your package because I've had spotty luck with kmod-ipt-nat-extra, which seems to work for a while and then just not.  It provides the same modules your package does and then some.

Thanks for your help!

Don't know if this is gonna help. I had a similar issue with my vpn which turned out to be a vlan problem.

I connect my laptop through wireless and the vpn connection can be established without a problem. But I can't access anywhere. From the vpn client's statistics I found there is not a single incoming packet. I tcpdumped on the router and found that all the ESP packets from my lappy to the vpn server were dropped by the router. ISAKMP packets are OK. The difference between these two types I see is that ESP packets all have a VLAN tag with ID 0. I'm not familiar with VLAN at all and don't know if this ID means src or dst. So I moved my laptop to a wired connection and, dah, it works.

(Last edited by dreamdreams on 13 Sep 2006, 03:32)

The discussion might have continued from here.