Saturday, February 21, 2015

OpenWRT Barrier Breaker PPTP VPN server

1. Purpose

With a PPTP VPN server on the OpenWRT router at my home, I can access my home computers when I am out; and when I use free WiFi at random places, I can redirect all my traffic through my home router first, with moderate encryption, to avoid a malicious random Joe.

2. Why PPTP

PPTP is simple. Windows and Android come with a PPTP client by default. However, PPTP VPN encryption is quite weak according to OpenWRT, but it's good enough for home use. The OpenWRT wiki has a nice page, which I used as a reference.

3. Step by Step

#run this command as root after logging in to the openwrt router
opkg install pptpd kmod-mppe
There are bugs in the BARRIER BREAKER (14.07, r42625) init script. You can follow the wiki page to modify /etc/init.d/pptpd, but you can also simply add the following line into the stop() function of /etc/init.d/pptpd:
#Add the following line into the stop() function in /etc/init.d/pptpd
rm -rf $CHAP_SECRETS $CONFIG /etc/ppp/chap-secrets
Then use the following commands to configure it:
#the following will change /etc/config/firewall
uci add firewall rule
uci set firewall.@rule[-1].name=pptp
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=1723
uci commit

uci add firewall rule
uci set firewall.@rule[-1].name=PPTP_GRE
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].proto=47
uci commit

#repeat if you need to add more users
#the following will change /etc/config/pptpd
uci add pptpd login
uci set pptpd.@login[-1].username=myuser1
uci set pptpd.@login[-1].password=mypassword1
uci commit

uci set pptpd.pptpd.enable=1
uci set pptpd.pptpd.localip=192.168.100.1
uci set pptpd.pptpd.remoteip=192.168.100.20-30
uci commit
#Add the following into /etc/firewall.user
# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# These rules allow traffic towards the internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
It is important that for PPTP the remote IP range is not in the same subnet as the LAN; otherwise it is difficult to access other computers on the LAN.
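As an added check (an example script of mine, not part of the original post), the following POSIX sh script tests whether a pptpd remoteip pool like the one above falls inside a LAN subnet, so the mistake just described is caught before committing. The helper names are hypothetical and the 192.168.1.1/24 LAN used in demo() is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the pptpd remoteip
# pool lies outside the router's LAN subnet, as the post requires.
# Helper names are hypothetical; the LAN subnet in demo() is a constructed sample.

# Convert a dotted-quad IPv4 address to an integer (ash/dash/bash arithmetic is 64-bit).
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pptpd's remoteip "A.B.C.D-E" means A.B.C.D through A.B.C.E; a plain address
# is a pool of one. Print the first and last address of the pool as integers.
pool_bounds() {
    first=${1%-*}
    if [ "$first" = "$1" ]; then
        last=$first
    else
        last="${first%.*}.${1#*-}"
    fi
    echo "$(ip4_to_int "$first") $(ip4_to_int "$last")"
}

# check_pool_vs_lan LAN_CIDR REMOTEIP: prints "ok" (pool outside the LAN subnet,
# exit 0) or "overlap" (pool inside it, exit 1).
check_pool_vs_lan() {
    lan_ip=${1%/*}
    prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( $(ip4_to_int "$lan_ip") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    set -- $(pool_bounds "$2")
    if [ "$1" -le "$bcast" ] && [ "$2" -ge "$net" ]; then
        echo overlap; return 1
    fi
    echo ok; return 0
}

# Demo on constructed values: the post's pool against a typical 192.168.1.1/24 LAN,
# then a pool that wrongly sits inside that LAN.
demo() {
    printf '192.168.100.20-30 vs 192.168.1.1/24: %s\n' "$(check_pool_vs_lan 192.168.1.1/24 192.168.100.20-30)"
    printf '192.168.1.20-30 vs 192.168.1.1/24: %s\n' "$(check_pool_vs_lan 192.168.1.1/24 192.168.1.20-30)"
}
demo
```

On the router itself you can feed it the live values, e.g. `uci get pptpd.pptpd.remoteip` for the pool and your LAN address in CIDR form.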
