
[Question] Tomato firmware and PPTP

Discussion in 'Tomato Firmware' started by Dr Strangelove, Oct 11, 2011.

  1. Dr Strangelove

    Dr Strangelove Serious Server Member

    Hope I'm not opening old wounds here, but I'm wondering what options are available for the use of a PPTP server in Tomato firmware.

    I have a Linksys E4200 running Toastman's latest USB 2.4GHz/5GHz with OpenVPN firmware.

    It's all working very well.

    I have the OpenVPN server set up on my E4200 for access to my NAS with notebook based clients.

    However, my Sony Ericsson XPERIA X10i Android phone is a bit of a bug in the ointment.

    It supports PPTP and L2TP/IPSEC and I'm not sure I want to root the phone to attempt an OpenVPN 'might work' solution. Mind, with Sony Ericsson providing supporting information to groups like CyanogenMod, who knows what's possible.

    I'd like to stick with the Toastman firmware as my Linksys E4200 seems to like it.

    Would the Toastman firmware camp entertain adding PPTP to the build?

    I think I read somewhere one of the Tomato variants did have PPTP support.

    I know it's not the most secure protocol, but it's better than nothing, which is all I have at the moment. I would ask for L2TP/IPSec but figure I'd start with something doable first. ;)

    Thank you for any thoughts on this.
  2. lancethepants

    lancethepants Addicted to LI Member

  3. kthaddock

    kthaddock LI Guru Member

  4. Dr Strangelove

    Dr Strangelove Serious Server Member

    Thank you very much for your replies.
    I'll give both options a go and report back on how I get on.
  5. rhester72

    rhester72 Network Guru Member

  6. Dr Strangelove

    Dr Strangelove Serious Server Member

    OK, the above information seemed straightforward. Followed the setup almost to the letter.

    Only really changed the IP addresses.

    But, nothing could be that easy... and it's not... that easy.

    I have a double NAT'd setup and a dyndns dynamic IP public address.

    ISP(ADSL2)->modem-->portforward 1723--(10.0.0.252/30)-->e4200--->(10.2.0.0/24) LAN

    I'm using 10.2.35.1 as the iplocal address and 10.2.35.10-15 as the ipremote address.

    Oct 15 02:06:17 e4200 user.warn kernel: ACCEPT IN=vlan2 OUT=vlan2 SRC=202.nn.nnn.nnn DST=nnn.nn.35.1 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=273 DF PROTO=TCP SPT=13788 DPT=1723 SEQ=584882935 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)

    Oct 15 02:06:20 e4200 user.warn kernel: ACCEPT IN=vlan2 OUT=vlan2 SRC=202.nn.nnn.nnn DST=nnn.nn.35.1 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=279 DF PROTO=TCP SPT=13788 DPT=1723 SEQ=584882935 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)

    Oct 15 02:06:26 e4200 user.warn kernel: ACCEPT IN=vlan2 OUT=vlan2 SRC=202.nn.nnn.nnn DST=nnn.nn.35.1 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=285 DF PROTO=TCP SPT=13788 DPT=1723 SEQ=584882935 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)

    It appears the incoming connect is being accepted, but at the client the connect is dropped with a disconnection message.
    I was using my Android phone to test this, but now using a notebook as I thought it may provide an insight into any error messages.

    As I've never setup a PPTP connect before, I'm a bit lost as to what to check.

    The connection doesn't provide any error messages to problem solve from that I can find thus far.

    I'm a bit worried the PPTP process is not even running.
    Is there a 'ps' command or something I can use to check?

    The first time manual startup processes didn't show any errors.

    Should I be putting echo statements or something in some of the config files to track progress? And which ones?

    I have OpenVPN working on the same E4200 router.

    I'm using the following firmware.

    Tomato Firmware v1.28.0486 MIPSR2-Toastman-RT K26 USB VPN

    Thank you for any spoon feeding you can provide, I promise I won't ask to be burped.
  7. Toastman

    Toastman Super Moderator Staff Member Member

  8. Dr Strangelove

    Dr Strangelove Serious Server Member

    Cool, thank you everybody.

    I'm sure it's just some stupid config error I've made, or something that's going to prompt the 'ah-ha' moment.

    I know the process was running as I can see it in the system processes, and when I manually restart it, it does so with no errors (that I'm aware of).
    It also closes the previous process in doing so, as seen by the process PID.

    Oct 15 15:20:44 e4200 daemon.debug pptpd[844]: CTRL: Closing child BCrelay with pid 845
    Oct 15 15:20:45 e4200 daemon.debug pptpd[13094]: CTRL: BCrelay incoming interface is br0
    Oct 15 15:20:45 e4200 daemon.debug pptpd[13096]: CTRL (BCrelay Launcher): Launching BCrelay with pid 0
    Oct 15 15:20:45 e4200 daemon.debug pptpd[13096]: MGR: BCrelay incoming interface is br0
    Oct 15 15:20:45 e4200 daemon.debug pptpd[13096]: MGR: BCrelay outgoing interface is regexp ppp[0-9].*
    Oct 15 15:20:45 e4200 daemon.info bcrelay[13096]: Running as child
    Oct 15 15:20:45 e4200 daemon.info pptpd[13094]: MGR: Manager process started
    Oct 15 15:20:45 e4200 daemon.info pptpd[13094]: MGR: Maximum of 6 connections available

    Anyway, I'm just stepping out to check something... I might be a while.
  9. Dr Strangelove

    Dr Strangelove Serious Server Member

    I've done a bit of playing around and it appears if I make the PPTP VPN connection from the local LAN it establishes a connection when using a Win7 PPTP client.

    The connection I am trying to establish is from the Internet through the WAN port of the E4200.
    The system startup is seen as follows:

    Oct 17 14:04:33 e4200 daemon.debug pptpd[24372]: CTRL: Closing child BCrelay with pid 24374
    Oct 17 14:04:34 e4200 daemon.debug pptpd[24399]: CTRL: BCrelay incoming interface is br0
    Oct 17 14:04:34 e4200 daemon.debug pptpd[24400]: CTRL (BCrelay Launcher): Launching BCrelay with pid 0
    Oct 17 14:04:34 e4200 daemon.debug pptpd[24400]: MGR: BCrelay incoming interface is br0
    Oct 17 14:04:34 e4200 daemon.debug pptpd[24400]: MGR: BCrelay outgoing interface is regexp ppp[0-9].*
    Oct 17 14:04:34 e4200 daemon.info bcrelay[24400]: Running as child
    Oct 17 14:04:34 e4200 daemon.info pptpd[24399]: MGR: Manager process started
    Oct 17 14:04:34 e4200 daemon.info pptpd[24399]: MGR: Maximum of 6 connections available

    My WAN connect is as follows:

    --> ISP public IP address sourced using dyndns
    --> Thomson TG585V8 modem with port 1723 forwarded

    FIREWALL rule : Protocol: TCP
    Src ip: nnn.nnn.nnn.nnn Src port: 53007
    Dst ip: 10.0.33.254 Dst port: 1723
    Chain: forward_host_service Rule Id: 4 Action: accept

    --> 10.0.33.252/30 (Local WAN connection between TG585 and E4200 router)
    --> E4200 router

    Oct 18 11:52:07 e4200 user.warn kernel: DROP IN=vlan2 OUT= MACSRC=hh:hh:hh:hh:hh:hh MACDST=hh:hh:hh:hh:hh:hh MACPROTO=0800 SRC=nnn.nnn.nnn.nnn DST=10.0.32.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=44066 DF PROTO=TCP SPT=29267 DPT=1723 SEQ=1748025473 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A003D6DCC0000000001030301)
    Oct 18 11:52:13 e4200 user.warn kernel: DROP IN=vlan2 OUT= MACSRC=hh:hh:hh:hh:hh:hh MACDST=hh:hh:hh:hh:hh:hh MACPROTO=0800 SRC=nnn.nnn.nnn.nnn DST=10.0.32.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=44067 DF PROTO=TCP SPT=29267 DPT=1723 SEQ=1748025473 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A003D70240000000001030301)

    --> 10.0.32.0/24 (Local LAN BR0)

    vlan2 = the E4200 WAN Ethernet interface

    PPTP address range is defined as follows:
    iplocal 10.0.32.30
    ipremote 10.0.32.35-40

    The dyndns address is port forwarded through to 10.0.32.254, which is the router LAN IP address.

    root@e4200:/tmp/home/root# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT gre -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere tcp dpt:1723
    ACCEPT all -- anywhere anywhere

    Chain wanin (1 references)
    target prot opt source destination
    logaccept tcp -- anywhere 10.0.32.254 tcp dpt:1723


    The tunnel(tun21) is because I already have OpenVPN running.

    So, in summary the PPTP VPN appears to be able to establish a connection from the LAN with username and password verified.
    The connect is seen to have an IP address of 10.0.32.35 with the DNS server correctly configured. It all looks OK on the LAN side as a test only.

    However when attempting to connect from the WAN, the connection is disconnected.
    It appears I have a routing problem or an interface not configured correctly... or something.

    Anybody have any thoughts on the routing configuration?

    Ideally, I'd like to have a separate VLAN for the PPTP setup, but I thought I should get it working first before I start going too far afield with IP routing and VLANs.

    I'm still adhering very strictly to the following setup.

    http://tomatousb.org/tut:configuring-a-pptp-vpn.

    Still battling on... any pointers would be VERY greatly accepted.
  10. rhester72

    rhester72 Network Guru Member

    Get a tcpdump of the connection from inside and outside and compare - my bet is on a firewall block.

    Rodney
  11. Dr Strangelove

    Dr Strangelove Serious Server Member

    Thanks Rodney.

    You may be right, but after disabling the firewall on the ADSL2+ modem interfacing the E4200 Tomato router, I'm starting to run out of options/ideas.

    Sorry, Microsoft Windows, so using the Wireshark LAN analyzer. :)

    Looking at the connection in a LAN analyzer I only see three requests of the following nature on the failing connection.

    No. Time Source Destination Protocol Length Info
    10 8.204572 192.168.42.65 nnn.nnn.nnn.nnn TCP 66 50626 > pptp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

    Frame 10: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: ea:9a:5d:68:61:04 (ea:9a:5d:68:61:04), Dst: hh:hh:hh:hh:hh:hh (hh:hh:hh:hh:hh:hh)
    Internet Protocol Version 4, Src: 192.168.42.65 (192.168.42.65), Dst: nnn.nnn.nnn.nnn (nnn.nnn.nnn.nnn)
    Transmission Control Protocol, Src Port: 50626 (50626), Dst Port: pptp (1723), Seq: 0, Len: 0

    These requests are seen on the Linksys E4200 tomato PPTP server as DROP packets.

    I have disabled the firewall on the modem connected to the ISP, but this has made no difference.
    It's as if the packets see no destination or return path when they get to the E4200 and just die.

    A successful connection goes through a whole series of PPTP request and responses as seen in wireshark on both connection and controlled disconnection.

    I'll have a bit of ye olde chat with the local tech crowd who use the same Telecom networks/ISP and see if they know of any reason these packets may not be getting passed, but I don't hold out much hope.

    I don't like giving up, but I'm getting pretty close to it.
  12. Dr Strangelove

    Dr Strangelove Serious Server Member

    Bit more testing.

    Using one of my local LAN Windows 7 PCs I configured a PPTP VPN server on it.

    I then enabled port forwarding on 1723 on the Tomato Linksys E4200 router directly to the local Windows 7 PC with the PPTP VPN server.

    Then using my Android phone I made a connection via my mobile phone provider using my dyndns.com address to my ISP through the 1723 PPTP port forwarded Thomson TG585v8 modem and then through the 1723 PPTP port forwarding on the Linksys E4200 Tomato router and onto my Windows 7 PPTP VPN server.....

    AND it works!!!!!!! [moment of quiet reflection..] :D

    One sees a VPN connection on the Win7 PC with the username of the connection that has just been established, and the Android phone indicates it is connected.

    OK.

    So now we know the connection/path(at least) works.. except the WAN interface connection when using the Linksys E4200 as a PPTP server...Doesn't!!!.
    I have tested it using the LAN side of the E4200 router and that establishes a connection.

    So, now I have to work out what I'm missing on the Linksys E4200 WAN to PPTP server connection.
    At the moment I have it Port forwarded to the Local LAN IP host address on the Linksys E4200.
    The WAN network connecting the E4200 is 10.0.33.252/30
    The LAN network is 10.0.32.0/24 with the E4200 host address of 10.0.32.254
    I do have an OpenVPN tunnel LAN in there somewhere too. That's working fine.

    Does this prompt any new thoughts on the configuration?????
  13. rhester72

    rhester72 Network Guru Member

    Remember that when running locally, you can't port forward to open the firewall, you have to use INPUT/WANPREROUTING rules instead. If that doesn't make sense, let me know and I'll explain in more detail.

    Rodney
  14. lancethepants

    lancethepants Addicted to LI Member

    Maybe you could DMZ everything from your modem to the router right behind it. The double NAT seems like it could be sticky business to get working. Or put your E4200 right behind your modem like was discussed in the other thread, if I understood right. I guess it looks like your vpn.fire is executing, so those firewall rules should allow it to come in.
  15. Dr Strangelove

    Dr Strangelove Serious Server Member

    Just so I'm not confusing people on my current LAN layout, here is a quick pic.


    The Windows 7 PC I used to test a PPTP VPN server is also on the 10.0.32.0/24 LAN
    As I have an OpenVPN server working fine on the E4200 in the current LAN setup, I'd like to leave the LAN in the same configuration if possible.
    The end goal is to run PPTP on the Linksys E4200 allowing access to the local LAN of 10.0.32.0/24

    The current firewall configuration is that of the standard E4200 Tomato firmware with the addition of the following PPTP server entries.
    I have included my routing entries above in an E4200 snapshot.
    I am currently running Firmware v1.28.0486 MIPSR2-Toastman-RT K26 USB VPN

    vpn.fire is as follows:

    #!/bin/sh
    # Let the PPTP control channel (TCP/1723) and the GRE data channel reach the router itself
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    # Accept traffic arriving on any PPTP ppp interface and allow it to be forwarded both ways
    iptables -A INPUT -i ppp+ -j ACCEPT
    iptables -A FORWARD -i ppp+ -j ACCEPT
    iptables -A FORWARD -o ppp+ -j ACCEPT
  16. rhester72

    rhester72 Network Guru Member

    What I think you're missing:

    iptables -t nat -A WANPREROUTING -p tcp --dport 1723 -j DNAT --to-destination 10.0.33.254
    (and maybe but I doubt it, I don't even think it's a valid rule and I don't think GRE works that way)
    iptables -t nat -A WANPREROUTING -p gre -j DNAT --to-destination 10.0.33.254

    Rodney
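The diagnosis in this thread turns on reading the kernel log lines Dr Strangelove posted together with Rodney's point that a listener on the router itself needs INPUT (or WANPREROUTING) rules rather than a port forward. As an added example (not code from the thread, Tomato or Optware), this Python parser reads lines in that log format, groups TCP/1723 SYNs by client and sequence number, and reports why each attempt stalled: a repeated SEQ is the client retransmitting because nothing answered, a DROP with an empty OUT= died on the INPUT path, and an ACCEPT with OUT= set was forwarded rather than delivered to the local pptpd. The sample lines are constructed in the thread's format with documentation addresses.

```python
import re
from collections import defaultdict

PPTP_PORT = "1723"
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
VERDICT_RE = re.compile(r"kernel: (ACCEPT|DROP) (.*)$")

# Constructed sample lines in the Tomato kernel-log format seen in this thread
# (RFC 5737 documentation addresses, not the poster's real ones).
SAMPLE_LOG = [
    "Oct 15 02:06:17 e4200 user.warn kernel: ACCEPT IN=vlan2 OUT=vlan2 SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=273 DF PROTO=TCP SPT=13788 DPT=1723 SEQ=584882935 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)",
    "Oct 15 02:06:20 e4200 user.warn kernel: ACCEPT IN=vlan2 OUT=vlan2 SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=279 DF PROTO=TCP SPT=13788 DPT=1723 SEQ=584882935 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)",
    "Oct 18 11:52:07 e4200 user.warn kernel: DROP IN=vlan2 OUT= MACSRC=00:00:5e:00:53:01 MACDST=00:00:5e:00:53:02 MACPROTO=0800 SRC=203.0.113.5 DST=10.0.32.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=44066 DF PROTO=TCP SPT=29267 DPT=1723 SEQ=1748025473 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A003D6DCC0000000001030301)",
]

def parse_line(line):
    """Key=value fields plus 'verdict' and the set TCP 'flags'; None for non-LOG lines."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    fields = {"verdict": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:                      # IN=vlan2, SRC=..., ACK=0 (a number, not the flag)
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:              # bare SYN / ACK / RST tokens are the flags that are set
            fields["flags"].add(tok)
    return fields

def pptp_syn_summary(lines):
    """Group initial SYNs to TCP/1723 by (SRC, SPT, SEQ) and diagnose each attempt.
    The same SEQ logged again is the client retransmitting: nothing answered it."""
    attempts = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != PPTP_PORT:
            continue
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            attempts[(f["SRC"], f["SPT"], f["SEQ"])].append(f)
    report = []
    for (src, spt, _seq), hits in attempts.items():
        first = hits[0]
        verdict = "DROP" if any(h["verdict"] == "DROP" for h in hits) else "ACCEPT"
        forwarded = bool(first.get("OUT"))  # OUT set: logged in FORWARD, not on the INPUT path
        retries = len(hits) - 1
        if verdict == "DROP":
            diag = "dropped on the INPUT path: a listener on the router needs an INPUT/WANPREROUTING rule, not a port forward"
        elif forwarded:
            diag = "accepted in FORWARD towards %s, so it never reached the router's own pptpd" % first["DST"]
        elif retries:
            diag = "accepted but retried %d time(s) with no answer: check the pptpd binding and return route" % retries
        else:
            diag = "accepted"
        report.append({"src": src, "spt": spt, "dst": first["DST"], "in": first.get("IN"),
                       "verdict": verdict, "forwarded": forwarded, "retries": retries, "diag": diag})
    return report

if __name__ == "__main__":
    for r in pptp_syn_summary(SAMPLE_LOG):
        print("%(src)s:%(spt)s -> %(dst)s on %(in)s [%(verdict)s, %(retries)d retries] %(diag)s" % r)
```

Feed it the router's syslog (or `logread` output) to get one line per client attempt instead of scrolling through retransmissions by hand.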
  17. Dr Strangelove

    Dr Strangelove Serious Server Member

    Bit more reading and a lot of testing and I still can't get it to work.
    Had to give up or I'd go insane. ... Grrrhhh!!!
  18. Dr Strangelove

    Dr Strangelove Serious Server Member

    Ok, what techie ever really gives up when working on a problem. ;)

    I became more than a little bit fixated with the router/gateway mode with the firmware on the linksys E4200.
    Gateway mode seems the only successful mode in my current configuration (see above) so I've stuck with it.

    Decided to embrace change and start all over again.

    Installed Tomato Firmware v1.28.0407 MIPSR2-Toastman-VLAN-RT K26 USB VPN with nvram erase.

    Configured 10.0.33.252/30 WAN and 10.0.32.0/24 LAN and using the existing USB Optware pptp install, one started again.

    Fired up the Android pptp client expecting it to fail as it's done for so long in the past ...... connected...????!!!!!

    Wow! Wasn't expecting that. :D

    Verified that I had access to my NAS on my Android phone using private IP address which would normally only work when using WiFi on the local LAN. Using HSDPA via public IP address (Internet) I was able to access the same local (private) network/NAS. Sweet.

    About the only thing I'd done other than the standard pptp install was to assign the pptp listener to vlan2 (WAN interface). This was done prior to my fresh start and was part of the legacy pptp install on my USB stick which is attached to the Linksys USB port. This was not successful in my original configuration.

    Currently I have no port forwarding enabled in the latest configuration.

    So now I have to reconfigure all my previous configuration manually step by step and hope it doesn't break my PPTP configuration. If it does at least I'll have a better idea of what is/was 'breaking' my PPTP config if that's the case.

    So, everything looks rosy going forward. Fingers crossed.

    **Progress update and Final Summary**

    Tomato Firmware: v1.28.0407 MIPSR2-Toastman-VLAN-RT K26 USB VPN
    Hardware: Linksys E4200v1

    PPTP and OpenVPN server now both working on Linksys E4200 v1

    This was implemented by first installing the above firmware with an nvram erase.
    The router was left in gateway mode as seen within Advanced->Routing
    An IP network address was assigned to WAN interface port and to the Ethernet LAN ports.
    PPTP was installed as per the instruction at the top of this post by lancethepants.
    This process was done straight after the firmware install with no other configurations implemented prior to this.
    The only change to the PPTP configuration was to assign the PPTP listener to the WAN port.

    Edit opt/etc/init.d/S20poptop and modify the following line.

    Code:
    /opt/sbin/pptpd -b `nvram get wan_ifname`  -c /opt/etc/pptpd.conf -o /opt/etc/ppp/options.pptpd -p /opt/var/run/pptpd.pid -d

    Then I tested the PPTP connection and found it to work.

    I have not tested this process with any other firmware versions. HOWEVER, I suspect that my previous configuration had other configuration attributes which conflicted with PPTP and resulted in its continued failure to work.

    SO, in summary, PPTP installed on Tomato Toastman firmware should work on a Linksys E4200v1

    If you install it and it doesn't work, then use the above procedure to confirm PPTP does work on your firmware/hardware.

    Once confirmed, you have the option to continue manually building out your original configuration, or to apply your existing configuration and then attempt to reverse engineer the configuration until you find out what is conflicting.

    I chose the first option :)

    On my Android phone, I have found estrong ES File Explorer to give the best all round access to my NAS both locally and via PPTP. ES File Explorer also supports local files, LAN/NAS files, Bluetooth, FTP and cloud storage.

    Update - I have found every version of Toastman firmware I have used since configuring my optware PPTP server to work fine with no problems. Seems like a cleared NVRAM and clean install to get me going was all I needed. No problems since.
  19. lancethepants

    lancethepants Addicted to LI Member

    Great! Out of curiosity I was trying to see if I could get it going with no luck. Let us know when you've reached some conclusions.
