OpenWRT & PPTPD: A Love Story

Firesheep got me thinkin’ that I should probably do a little more to beef up the security of my Internet connection on public networks. PPTP has always been a favorite of mine, because it hides traffic well enough to deter most people and it’s easy to setup on both Linux and Windows. I ran a Windows PPTP server for years, but recently decided to just host the service my WRT54GS v3 router running OpenWRT. Three hours later, I’ve got it running smoothly. Here’s how I did it:

First, I installed and setup OpenWrt Backfire 10.03 and set my internal IP pool to be on the 172.16.x net, with the gateway (OpenWRT router being 172.16.1.1). Then, I headed over to OpenWRT’s PPTPD HOW-TO.

opkg update
opkg install pptpd
opkg install kmod-crypto
opkg install kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start

I believe my /etc/ppp/options file doesn’t have any modifications, but just in case, this is what it looks like:

#debug
logfile /dev/null
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1

Now that I think about it, very few modifications were ultimately made to /etc/ppp/options.pptpd

auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
chapms-strip-domain
# Otherwise, your chap-secret file will have to include "DOMAIN\\user" instead of user.
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf

If you compare this to the original file, you’ll notice I deleted the entry “172.16.1.1:” at the top of the file, and added the entry: ms-dns 172.16.1.1. I don’t know why, but DNS didn’t work well when the the client’s defaults were used so I forced them to use the router’s LAN DNS server.

Then I added some users to the /etc/ppp/chap-secrets file. I’ll paste the contents, then go over the details. Oh, and don’t forget to chmod 600 /etc/chap-secrets because the file’s perms are insecure by default:

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
iphone  pptp-server     suprAdv4ncedPwd!       192.168.80.1
ipad    pptp-server     rlyAdv4ncedPwd!       192.168.80.11
hackbook        pptp-server     megaAdv4ncedPwd!       191.68.80.3
windows pptp-server     ttllyAdv4ncedPwd!       192.168.80.2
extra           pptp-server     megaAdv4ncedPwd! 192.68.80.4

The chap-secrets file alone suggests that OpenWRT/PPTP is not an enterprise solution. I wouldn’t propose it for any company with a decent budget, but times are tough and ghetto is looking better than ever to many companies.

I would actually have fewer entries in this file if the IPADDRESS field was not such a big issue. Unfortunately, it seems that the DHCP pool has been compiled into the service. It sets up the router’s pppN to be 192.168.0.x and assigns the clients a 192.168.1.x address by default. Which is unfortunate, because SO DOES EVER OTHER RESIDENTIAL ROUTER, EVER. So routing issues keep pop up. Because of that, I force PPTPD to assign each user a specific IP, in the 192.168.80.x range because I’ve never seen any router use that subnet.

The usernames are whatever you’d like them to be (I made them the name of my devices) but if you are dialing-in from a Windows machine, you will have to preface the username with the Windows domain name or the name of your workstation if you are not on a domain UPDATE: adding chapms-strip-domain to options.pptpd fixes this. The “pptp-server” is what the service was named in options.pptd, the password is just that, and the IPADDRESS is the IP that the given client will be assigned.

Initially, my /etc/firewall.user didn’t have all the proper entries, so my client was able to authenticate and all that, but no traffic was being routed to the 172.16.x subnet, nor was it being routed to the Internet. Here’s what worked:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables    -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables    -A input_wan -p gre -j ACCEPT

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

The first block allows clients to connect to the PPTP service and the second one allows it to communicate with both the Internet and the local network. And voila, you are done. I know it seems straightforward and doesn’t deviate much for the default install, but it took over three hours of trial and error to get here. I’ve logged in successfully with an iPhone (over 3G, EDGE and wifi), an iPad, a Windows 7 machine and Mac OS X. The iPhone is of special importance to me — after connecting to a local coffee shop’s unsecured network on my laptop and my iPhone, I successfully hijacked my iPhone’s Facebook app session using FireSheep. So, now I’ll be encapsulating all of my traffic by sending it over to the fiber connection at my office, what what.

Next up, I’ll probably start playing around with the RADIUS plugin. Stay tuned.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Linux, Networking, Security
9 comments on “OpenWRT & PPTPD: A Love Story
  1. Sean Kearney says:

    Hey Thanks for that! I've been using a script in Powershell that sets up all my users for me daily in including home folder and permissions. the only stumbling block was I had to keep going in and resetting the subfolder permissions after.

    THIS NAILED IT!

    Sean

    the Energized Tech

  2. leandro says:

    Thanks thanks! I didn't get this working using just the OpenWRT Wiki. Now everything is working OK!

  3. Trek says:

    Really a good stuff.
    Thanks for this small and educative tutorial
    I just have a minor note:
    if you do really plan a security solution for the small-to-average business, go for OpenVPN.
    PopTop protocol with the MPPE algos are already broken, so if someone sniffs enough packets he’ll be able to broke it and decrypt the information.
    Otherwise, use RADIUS with CHAP. But…seriously why should we need to make this to our selves when there’re so many free and good working solutions like OpenVPN.

    • Nik says:

      because iphones, ipod and ipads don't support OpenVPN ;)

      • Chrissy LeMaire says:

        Sad but true. I recall OpenWRT's IPSec also not getting along with the iPhone as well. I was sooo close, but there was some issue that stopped me. That was almost a year ago, so hopefully something has updated/changed. We'll see.

        I'm working on a somewhat straightfoward tutorial for OpenVPN and Mac OS X right now and hope to have it published sometime this week. I ain't gonna lie, it was workaround-central but the payoff was nice.

  4. Norbert says:

    Hi,

    Thank you for this very useful post. I successfully connected my iphone to my openwrt router but after a day I discovered something strange. In the system log I could see unsuccessful SSH login attempts from a foreign IP address and after a ('Shields Up') port scan from the internet side it turned out that ports 22, 80, 143, etc. become open on the WAN interface.
    I'm using backfire 10.03.1. Can you please check my findings?

    Thank you!

  5. matjaz says:

    Hi
    Firstly thakns for this great tutorial!
    I would like to get use the routers IP to access to acces some pages with IP restriction from my country (i'm living in another).
    How can I change firewall rules to use the IP from the router (WAN IP)? Thanks

  6. gargola says:

    Hi,
    I am trying to follow your tutorial but I have not been able to install it as you posted.
    I am using backfire 10.03.1 in which there is no kmod-crypt but kmod-crypt-core and some crypto algorithm based extra modules.

    I get the following error:

    using channel 6
    Using interface ppp0
    Connect: ppp0 <–> /dev/pts/1
    sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0x2dcf0147>]
    sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0x2dcf0147>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x249d6efe> <pcomp> <accomp>]
    sent [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
    rcvd [LCP ConfNak id=0x1 <auth eap>]
    sent [LCP ConfReq id=0x2 <mru 1482> <magic 0x2dcf0147>]
    rcvd [LCP ConfNak id=0x1 <auth eap>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x249d6efe> <pcomp> <accomp>]
    sent [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x2 <magic 0x249d6efe>]
    sent [LCP ConfAck id=0x2 <magic 0x249d6efe>]
    rcvd [LCP ConfAck id=0x2 <mru 1482> <magic 0x2dcf0147>]
    sent [LCP EchoReq id=0x0 magic=0x2dcf0147]
    peer refused to authenticate: terminating link
    sent [LCP TermReq id=0x3 "peer refused to authenticate"]
    rcvd [LCP EchoReq id=0x0 magic=0x249d6efe]
    rcvd [LCP TermReq id=0x3 "MPPE required but not available"]
    sent [LCP TermAck id=0x3]
    Modem hangup
    Connection terminated.

  7. Franco says:

    This post made my day !
    I was fighting with pptpd configuration, your code worked out of the box, thanks!

    Franco

2 Pings/Trackbacks for "OpenWRT & PPTPD: A Love Story"
  1. […] followed these instructions. Again, I ended up with firewall problems, but found a solution. […]

Leave a Reply

Your email address will not be published. Required fields are marked *

*