OpenWrt Forum Archive

Topic: [Solved] LAN Clients Can't Connect to Remote VPN

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have been through the process of setting up OpenVPN and PPTP clients on OpenWrt VLANs, but in this case, I just want a LAN client to be able to connect to the VPN at my office.  I am unable to connect from either my iPhone (iOS 8.4) or laptop (Windows 7).  Both are configured correctly and can connect successfully when accessing the internet from any other router/connection.


I have never had a problem connecting to it on any router or firmware in the past, so I am wondering what the deal is.  I know that on the server-side router, you need to open up 1723 and accept gre traffic, but I have never been required to do any configuration on the client-side router to allow for connections to be made.


I am on CC trunk (WRT1200AC).  Any thoughts?

(Last edited by fecaleagle on 22 Aug 2015, 19:00)

Do I need to set up a user firewall rule to allow forwarding gre traffic to WAN?  Something of that nature?  Is there a best practice for logging the packets sent by LAN clients so that I can determine which packets are not making it out?

Thanks, and my apologies for yet another stupid question.

(Last edited by fecaleagle on 21 Aug 2015, 19:53)

arokh wrote:

Perhaps this might help:

http://wiki.openwrt.org/doc/uci/firewal … assthrough

Thanks for the input.  This issue was "partially" solved by installing "kmod-ipt-nat-extra", as suggested in http://wiki.openwrt.org/doc/howto/vpn.nat.pptp.

I had done this already when I posted this thread, but I was testing with an iPhone.  I can connect to the VPN server, and I am assigned an IP address in the appropriate range for the remote LAN, but I'm still unable to connect to devices on the remote LAN from my iPhone.

Before bed, I attempted to connect via my laptop, and I can connect to devices on the remote LAN from it.  That is all that I need in order to work from home, so I say that the issue is "partially" solved.

I have added some user firewall rules:

## PPTP accept incoming GRE traffic
iptables -I INPUT -p gre -j ACCEPT

# PPTP RULES
iptables -A FORWARD -i eth0 -o br-lan -p tcp --dport 1723 -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i br-lan -o eth0 -p tcp -s $VPN_SERVER --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o br-lan -p gre -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i br-lan -o eth0 -p gre -s $VPN_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT

I am getting traffic through my INPUT chain rule, but none of my FORWARD chain rules:
http://i.imgur.com/OQjFQ7l.jpg

Any thoughts?  It seems bizarre that I can connect to remote LAN clients from one device but not from another.

Oh!  Did I reverse up my source and destination interfaces in my FORWARD chain rules?  Appears so.

(Last edited by fecaleagle on 22 Aug 2015, 19:31)

To make sure I understand what you are implying: OpenVPN traffic is 'like' PPTP (gre) and that this tool and these rules work for both types of VPN.  I'm not so networking smart.

RangerZ wrote:

To make sure I understand what you are implying: OpenVPN traffic is 'like' PPTP (gre) and that this tool and these rules work for both types of VPN.  I'm not so networking smart.

I wasn't aware that I was implying anything, and I don't believe I mentioned OpenVPN in this thread.  The PPTP connection between my clients and the VPN server (Microsoft PPTP) occurs over the GRE protocol, so it was my assumption that I should add an INPUT chain rule for GRE traffic.  Packets do go through that INPUT chain rule when I establish the connection, but my FORWARD chain rules are not getting any packets passed through them.

None of these rules should be required after running:

opkg update
opkg install kmod-ipt-nat-extra

Please note, however, that I am not setting up a VPN client or server using OpenWrt; I was having difficulty establishing a connection to the remote VPN server from my LAN clients.  They couldn't connect before because I was not getting NAT traversal on whatever traffic is required for the PPTP connection (assuming GRE).  My iPhone still can't connect to clients on the remote LAN, which is why I'm still tinkering with firewall rules.

(Last edited by fecaleagle on 23 Aug 2015, 00:33)

Thanks, but the very first line of the post refers to both OpenVPN and PPTP, which is why I was confused.

I asked the question because I have an OpenVPN client (Windows PC) that I want to run through my OpenWRT travel router back to my home OpenWRT OpenVPN server.  I saw running the VPN out through the OpenWRT router as being basically the same scenario.  I also know that my DD-WRT routers all had some config for VPN Pass Through and thought this might become an issue for me.

Thanks for the help

RangerZ wrote:

Thanks, but the very first line of the post refers to both OpenVPN and PPTP, which is why I was confused.

I asked the question because I have an OpenVPN client (Windows PC) that I want to run through my OpenWRT travel router back to my home OpenWRT OpenVPN server.  I saw running the VPN out through the OpenWRT router as being basically the same scenario.  I also know that my DD-WRT routers all had some config for VPN Pass Through and thought this might become an issue for me.

Thanks for the help

I don't know if Chaos Calmer RC3 comes with "kmod-ipt-nat-extra" installed, but that would be the first place to start if you're having any issues with NAT passthrough involving your VPN.  So in your case, will the OpenWrt travel router connect to the OpenVPN server on your home router as an OpenVPN client, or do you just want to connect a travel router LAN client to the OpenVPN server?  If the latter, then "kmod-ipt-nat-extra" may help on the travel router.  Otherwise, I would post a separate question about it.

(Last edited by fecaleagle on 23 Aug 2015, 03:56)

The travel router speed on VPN is about half that of the PC running VPN.  Problem is in hotels with a single connection and 2-3 devices, so I want the ability to do either.  Thanks

Hi,

I'm having exactly the same issue.
I installed all the packages and now the VPN connects but I cannot open my intranet services.
Can you post the firewall rules you've set?

Thanks

RangerZ wrote:

The travel router speed on VPN is about half that of the PC running VPN.  Problem is in hotels with a single connection and 2-3 devices, so I want the ability to do either.  Thanks


@RangerZ, can you please assist??? I've loaded openwrt but now cannot use my work VPN...

This post is marked closed, so you should really start a new thread, if appropriate, referencing this thread.

You need to include:
   What is your exact issue
   Hardware and environment
   OpenWrt version (BB, CC, Trunk, DIY)
   Config files (network, openvpn, firewall, etc) for client and server if appropriate
   Logs (hint set verbose to 5 or more)
   Any other references, messages or info that may be relevant

RangerZ wrote:

This post is marked closed, so you should really start a new thread ...

WTF?

Helpful? Supportive?

@moeller0 @ckm @tapper

Yes Max, both helpful and supportive.

I could not help him with the info provided, so I listed what was needed to help him.  Additionally most others with understanding of the topic would not bother to open a topic marked closed, so I suggested a new one for better visibility to the problem. 

I'm sure you just responded to harass me.  Go back to sleep.

RangerZ wrote:

I could not help him with the info provided, ...

According to moeller0's Law, if one has nothing substantial to add, STFU [paraphrased, Ed.]

N.B. - no, it is not at all about RangerZ

Sorry, actually I would need @fecaleagle to help by sharing his exact solution to this exact issue.

If someone experiences something similar on the latest versions of OpenWrt with kernel 4.7+ this may help you:
- Search this on Google: site:regit.org netfilter secure use of helpers

You'll need to activate PPTP helper through this:

iptables -A PREROUTING -t raw -p tcp --dport 1723 -j CT --helper pptp

You may also need to install the following packages:
- kmod-ipt-raw
- kmod-ipt-raw6

P.S. - As I'm not allowed to post URLs, I'll have to relay you through keywords on Google. Sorry for that.
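
An added example, not part of the post above or of any OpenWrt tooling: a small shell check for the three things PPTP passthrough depends on with kernel 4.7+ (the helper modules, a helper assignment, and whether the raw-table rule is scoped). The function name `pptp_check` is hypothetical, the sample inputs are constructed, and `nf_conntrack_pptp` / `nf_nat_pptp` are the kernel's module names for the PPTP helper; `br-lan` is the LAN bridge named earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are passed as text so the logic
# can be exercised offline; the comment at the end shows the live sources.

# pptp_check AUTO LSMOD RAW_RULES -> one finding per line; returns 0 when the
# helper modules are loaded and some helper assignment is in place.
pptp_check() {
    auto="$1"; mods="$2"; rules="$3"; rc=0
    for m in nf_conntrack_pptp nf_nat_pptp; do
        if ! printf '%s\n' "$mods" | grep -q "^$m "; then
            echo "MISSING module $m"; rc=1
        fi
    done
    hit=$(printf '%s\n' "$rules" |
          grep -E -e '--dport 1723 .*-j CT --helper pptp' || true)
    if [ -n "$hit" ]; then
        echo "OK explicit CT helper rule in raw table"
        # No -i/-s/-d match: the helper attaches to every flow to tcp/1723.
        if ! printf '%s\n' "$hit" | grep -Eq ' -(i|s|d) '; then
            echo "WARN helper rule is not scoped to an interface or address"
        fi
    elif [ "$auto" = 1 ]; then
        echo "WARN relying on automatic helper assignment"
    else
        echo "MISSING helper assignment (auto-assign off, no CT rule)"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real router).
SAMPLE_LSMOD='nf_conntrack_pptp 16384 1 nf_nat_pptp
nf_nat_pptp 16384 0'
SAMPLE_RAW_UNSCOPED='-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp'
SAMPLE_RAW_SCOPED='-A PREROUTING -i br-lan -p tcp -m tcp --dport 1723 -j CT --helper pptp'

# Live use on the router (the sysctl exists only where the kernel exposes it):
#   pptp_check "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" \
#              "$(lsmod)" "$(iptables -t raw -S PREROUTING)"
# Scoped form of the rule, limited to flows entering from the LAN bridge:
#   iptables -t raw -A PREROUTING -i br-lan -p tcp --dport 1723 -j CT --helper pptp
```
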

Zupo Llask wrote:

If someone experiences something similar on the latest versions of OpenWrt with kernel 4.7+ this may help you:
- Search this on Google: site:regit.org netfilter secure use of helpers

You'll need to activate PPTP helper through this:

iptables -A PREROUTING -t raw -p tcp --dport 1723 -j CT --helper pptp

You may also need to install the following packages:
- kmod-ipt-raw
- kmod-ipt-raw6

P.S. - As I'm not allowed to post URLs, I'll have to relay you through keywords on Google. Sorry for that.

Thanks, my problem was solved this way.
