www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

Installing Linux (OpenWRT) on a home router with remote VPN access - Last Modified 2012-02-08 19:30 UTC - Created 2012-02-08 19:26 UTC

I have a Buffalo WZR-HP-AG300H wireless router for my home network. I like it because it supports Linux and has a USB port for my network backup drive as well. It came with DD-WRT, but that was too buggy for stable use as a network drive server and VPN server. I opted for OpenWRT instead, which, while it requires more configuration effort, has worked out very nicely. Below are the steps I used to set up a PPTP VPN server I can access remotely. This also works out really nicely for playing video games with friends and family, since they just VPN into my network and appear on my local LAN. I chose PPTP over OpenVPN and other solutions because Windows 7 has native support for the client, which is easier for others to configure. For security I used passwords 30+ characters long, which mitigates brute-force attacks.

I used OpenWrt Firmware Attitude Adjustment (r29484) / LuCI Trunk (trunk+svn8073) and kernel version 2.6.39.4.

Steps

  1. Install the following packages (I used the LuCI System, Software page):
    1. pptpd
    2. luci-proto-pptp
    3. pptp
    The LuCI web interface doesn't have a page for configuring PPTP VPNs, so the remaining steps are done from a shell.
  2. ssh into your router (root@ipaddress)
  3. vi /etc/pptpd.conf (or whatever editor/method you prefer) and give it the following content:
    option /etc/ppp/options.pptpd
    
    # Set IPs to something not in your DHCP allocated LAN but on the same subnet
    localip 10.1.1.2
    remoteip 10.1.1.3-10
    
    #debug
    
  4. vi /etc/ppp/options.pptpd and give it the following content:
    # Tested against Windows 7 client
    
    auth
    name "pptp-server"
    
    #debug
    #dump
    # pppd logfile option
    #logfile "/tmp/log/pptpd.log"
    
    refuse-pap
    refuse-chap
    refuse-mschap
    
    require-mschap-v2
    # PLEASE NOTE THAT ON OpenWRT (or DD-WRT, etc) distribution builds the pppd is specially patched:
    #	the MPPC flag builds a non-standard PPP that uses different options.
    # So don't rely on most pptpd or pppd examples, since you need the syntax of the special version
    mppe required,no40,no56,stateless
    
    # Makes clients look like they are on the lan
    proxyarp
    
    # Client alive check
    lcp-echo-failure 3
    lcp-echo-interval 60
    
  5. vi /etc/ppp/chap-secrets and give it the following content:
    #USERNAME  PROVIDER  PASSWORD  IPADDRESS
    #	* for IPADDRESS means dynamically assign from the remoteip range in pptpd.conf
    rbeede pptp-server ProvideAReallyLongPasswordHere *
    gamer pptp-server ProvideAReallyLongPasswordHere *
    
  6. Set firewall rules to allow outside Internet connections to VPN in, and to let VPN users talk to the full LAN:
    1. In the LuCI web interface
    2. Network tab
    3. Firewall subtab
    4. Custom Rules sub-subtab
    5. Add the following for your custom rules:
      # This file is interpreted as shell script.
      # Put your custom iptables rules here, they will
      # be executed with each firewall (re-)start.
      
      WAN=eth1
      
      # Allow VPN server
      iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
      iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
      iptables        -A output_rule             -p 47               -j ACCEPT
      iptables        -A input_rule              -p 47               -j ACCEPT
      
      # Allow VPN pptpd connections access to the lan
      iptables        -A forwarding_rule -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
      iptables        -A output_rule     -o ppp+ -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
      iptables        -A input_rule      -i ppp+ -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
      
      # Allow VPN pptpd connections Internet access
      iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT
      
    6. You may have to adjust the IP addresses in the above as needed
  7. /etc/init.d/pptpd enable
  8. /etc/init.d/pptpd start
  9. You should now be able to connect using your public IP
  10. You may find enabling dyndns on your router useful
  11. You may also want to enable a time server client in OpenWrt to ensure you don't have issues connecting
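As an added check that is not part of the original post, the POSIX sh script below lints the two files edited in the chap-secrets and pptpd.conf steps above: every chap-secrets entry must have four fields, a password of at least 30 characters (the length used in the post) and not the placeholder password, and localip must sit on the same /24 as the remoteip pool but outside it. The sample files and passwords are constructed for the example; on the router you would point the functions at /etc/ppp/chap-secrets and /etc/pptpd.conf.

```shell
# Lint for the two PPTP files edited above; on the router, point the functions at
# /etc/ppp/chap-secrets and /etc/pptpd.conf. Not part of the original post.
MIN_PASSWORD_LEN=30   # the 30+ character rule used in the post

# check_chap_secrets FILE [MINLEN]: every non-comment line must be
# "user server password address" (quoted secrets containing spaces are not handled).
# Prints one line per problem and returns 1 if any was found.
check_chap_secrets() {
    file=$1; minlen=${2:-$MIN_PASSWORD_LEN}; rc=0
    while read -r user server secret addr extra; do
        case $user in ''|'#'*) continue ;; esac
        if [ -z "$addr" ] || [ -n "$extra" ]; then
            echo "$user: expected 4 fields (user server password address)"; rc=1; continue
        fi
        if [ "${#secret}" -lt "$minlen" ]; then
            echo "$user: password is ${#secret} chars, want at least $minlen"; rc=1
        fi
        case $secret in ProvideAReallyLongPasswordHere)
            echo "$user: placeholder password from the example is still in place"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# check_pptpd_conf FILE: localip must be on the same /24 as the client pool and
# outside it, or pptpd can hand a client the server's own address. Handles the
# "A.B.C.D-E" last-octet form used above (a bare "A.B.C.D" is a one-address pool).
check_pptpd_conf() {
    file=$1
    localip=$(awk '$1=="localip"{print $2}' "$file")
    remoteip=$(awk '$1=="remoteip"{print $2}' "$file")
    if [ -z "$localip" ] || [ -z "$remoteip" ]; then echo "localip or remoteip missing"; return 1; fi
    pool_net=${remoteip%.*}; range=${remoteip##*.}      # e.g. 10.1.1 and 3-10
    lo=${range%-*}; hi=${range#*-}
    local_net=${localip%.*}; local_oct=${localip##*.}
    if [ "$local_net" != "$pool_net" ]; then echo "localip $localip is not on the pool's /24"; return 1; fi
    if [ "$local_oct" -ge "$lo" ] && [ "$local_oct" -le "$hi" ]; then
        echo "localip $localip lies inside remoteip pool $remoteip"; return 1
    fi
    return 0
}
# Constructed sample files (made up for this example) so the script runs stand-alone.
tmp=${TMPDIR:-/tmp}/pptp-lint.$$; mkdir -p "$tmp"
printf '%s\n' '#USERNAME PROVIDER PASSWORD IPADDRESS' \
    'rbeede pptp-server Kq7mXv2ZpL9wRt4sNb8cHd3yJf6gVa1eUo *' \
    'gamer pptp-server ProvideAReallyLongPasswordHere *' \
    'guest pptp-server tooshort *' > "$tmp/chap-secrets"
printf '%s\n' 'option /etc/ppp/options.pptpd' 'localip 10.1.1.2' 'remoteip 10.1.1.3-10' > "$tmp/pptpd.conf"
check_chap_secrets "$tmp/chap-secrets" || echo "chap-secrets needs attention"   # flags gamer and guest
check_pptpd_conf "$tmp/pptpd.conf" || echo "pptpd.conf needs attention"          # silent: 10.1.1.2 is outside 3-10
```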