
The PPTP Server/GUI Thread

Discussion in 'Tomato Firmware' started by georges, Feb 5, 2012.

  1. georges

    georges Reformed Router Member

    Hi to all members.

    Is there a project involving a GUI for PPTP? I have trouble configuring an optware PPTP server, nothing seems to work.
    I use shibby's mod because of the Transmission GUI that works great with the optware path.
    Is there anyone interested in implementing this feature?
    I think there are a lot of newcomers who would like to link their Androids and iPhones to the home network without the hassle of the OpenVPN config.

    What do you think ?
     
  2. georges

    georges Reformed Router Member

    No answer, this must be an impossible task.
     
  3. Mirko Baila

    Mirko Baila Reformed Router Member

    I agree to this development
     
  4. Dr Strangelove

    Dr Strangelove Serious Server Member

  5. Mirko Baila

    Mirko Baila Reformed Router Member

    It's very hard for a noob like me, I tried but no result
     
  6. Mirko Baila

    Mirko Baila Reformed Router Member

  7. macbrian

    macbrian Serious Server Member

    I would like this feature too, but remember that the Tomato developers are doing most of the work on the Tomato Firmware in their spare time.
    If we really want this feature I suggest we ask the developers how much we should donate before they would implement it?
     
  8. Mirko Baila

    Mirko Baila Reformed Router Member

    I've donated a small sum but I did not ask the developer
     
  9. georges

    georges Reformed Router Member

    I guess I will make a donation but who is willing to do it?
    I think this type of server must be implemented as native, the optware option is not as stable nor as easy to install as we would like it to be...
     
  10. Mirko Baila

    Mirko Baila Reformed Router Member

    I agree
     
  11. macbrian

    macbrian Serious Server Member

    I would donate too. It would be nice to hear some feedback from the developers. Anyone of them willing to implement a PPTP server with GUI ???
     
  12. georges

    georges Reformed Router Member

    How about we add an asterisk GUI too and make a statement of what you are willing to pay for that. This should work in conjunction with the standard optware install. Involving money should wake some interest from some developers. I think that a GUI is easier to make, all you have to do is to rewrite the cfg files and restart the service. Well, I don't know that much programming to do that yet. Any help?
     
  13. macbrian

    macbrian Serious Server Member

  14. Toastman

    Toastman Super Moderator Staff Member Member

    Give it another try. So far pretty much everyone who has tried it has found it to work very well indeed.

    It's included in my latest RT & RT-N VPN builds also.
     
  15. macbrian

    macbrian Serious Server Member

    Great that you have included it in your builds also. You guys rock :)

    Is it necessary to configure anything in the NAT or Firewall section in Tomato to make PPTP VPN work?
     
  16. macbrian

    macbrian Serious Server Member

    I have tried the PPTP server again. It works perfectly when I use my iPhone as a client (no need to configure any firewall settings or NAT in Tomato)
    The trouble starts when I try using Mac OS X 10.7.3 as a client. I have tried both encrypted (MPPE-128) and non-encrypted.

    The log in Mac OS X says:
    31/03/12 13.32.26,953 pppd: MS-CHAP authentication failed: Access denied
    31/03/12 13.32.27,130 pppd: PPTP error when reading socket : EOF
    31/03/12 13.32.27,130 pppd: PPTP error when reading header : read -1, expected 12 bytes
    31/03/12 13.32.27,131 pppd: Connection terminated.
    31/03/12 13.32.27,140 pppd: PPTP disconnecting...
    31/03/12 13.32.27,140 pppd: PPTP disconnected
    Log in Tomato says:
    Peer "MYUSERNAME" failed CHAP authentication

    Any ideas, anyone?
     
  17. teaman

    teaman Addicted to LI Member

    Works with the Mac OS X 10.6.8 I have here... I wonder what might be different or have changed between those two versions...

    EDIT: I remember reading somewhere that for /some/ devices out there it is actually required to use/have/set a 'public-reachable' DNS server on your PPTP server settings, otherwise clients might be instructed to refuse connecting at all (although, I do realize the error messages you've posted do /not/ seem to be about this precise point, but then I thought... /what if?/). Best of luck!
     
    macbrian likes this.
  18. macbrian

    macbrian Serious Server Member

    Hi teaman,

    I tried adding my 'public-reachable' DNS server in the PPTP server settings and now VPN access from Mac OS X 10.7.3 works like a charm.

    THANK YOU VERY MUCH... :)
     
  19. kaabob

    kaabob Networkin' Nut Member

    public VPN trick... closely related but also sometimes related to openvpn also. no idea why.

    learned to just use OpenDNS addresses on the router all the time.
     
  20. lancethepants

    lancethepants Addicted to LI Member

    It could be ISPs only accept DNS traffic from IPs within their range, and reject all others.
    http://www.grc.com/dns/benchmark.htm
    Running this test I've noticed some IPs DNS will actively drop your queries.
     
  21. maple.chick

    maple.chick Reformed Router Member

    Teaman, you just became my most favorite person on this planet!!!

    Thank you so much!
     
  22. M_ars

    M_ars LI Guru Member

    Hi teaman,

    I am trying to connect with an iPad 2 from the inside of my network and get the following error message:

    Apr 6 18:03:50 RT-N16 daemon.info pptpd[1603]: CTRL: Client 10.xx.xx.xx control connection started
    Apr 6 18:03:50 RT-N16 daemon.info pptpd[1603]: CTRL: Starting call (launching pppd, opening GRE)
    Apr 6 18:03:50 RT-N16 daemon.info pppd[1604]: Plugin rp-pppoe.so loaded.
    Apr 6 18:03:50 RT-N16 daemon.info pppd[1604]: RP-PPPoE plugin version 3.10 compiled against pppd 2.4.5
    Apr 6 18:03:50 RT-N16 daemon.err pppd[1604]: unrecognized option 'local'
    Apr 6 18:03:50 RT-N16 daemon.err pptpd[1603]: GRE: read(fd=6,buffer=4218bc,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Apr 6 18:03:50 RT-N16 daemon.err pptpd[1603]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Apr 6 18:03:50 RT-N16 daemon.debug pptpd[1603]: CTRL: Reaping child PPP[1604]
    Apr 6 18:03:50 RT-N16 daemon.info pptpd[1603]: CTRL: Client 10.10.10.76 control connection finished

    I also cannot connect from the outside. Any ideas?
     
  23. gfunkdave

    gfunkdave Networkin' Nut Member

    Not sure what might be causing M_ars' problem, but I have a DNS issue going on that I'd appreciate advice on. My iPhone and laptop can connect just fine to the PPTP server remotely, but they can't access any DNS services from the router. I've tried leaving the DNS fields blank in the PPTP config. I've tried typing the router's LAN IP into one field. I've tried typing Google's DNS servers into the fields.

    I know I have connectivity because I can type the LAN IP of my Linux fileserver into Safari and I get its base Apache web page. But connections time out if I try to visit amazon.com or cnn.com.

    Does anyone have an idea of what might be going on?

    Thanks!
     
  24. M_ars

    M_ars LI Guru Member

    Does this have something to do with PPPOE? I found something on google and also here http://tomatousb.org/forum/t-357798#post-1162403

    Tomato with PPTP and PPPoE


    I just wanted to setup my Tomato-Firmware to provide a PPTP-based VPN. Naturally I used the HOWTO, but sadly I ran into a problem where Google couldn't help. The log only showed

    pppd[8449]: unrecognized option 'local'

    But my config did not contain "local"! After I'd already given up and tried without PPTP, I stumbled over a post that made the problem obvious, although it did not offer a solution. The problem seems to be, that my router has to use PPPoE and therefore already has a config in /tmp/ppp which is then used for the VPN-connects. No wonder that didn't work.

    It seems that the path is hardwired into the pppd-binary. So the only solution I came up with, was to copy and modify the binary. Dirty of course, but at least working :-/

    Found here http://dd9e.blogspot.de/2011/07/tomato-with-pptp.html
     
  25. gfunkdave

    gfunkdave Networkin' Nut Member

    Does your connection use PPPoE (most DSL connections use PPPoE)?

    Seems like you might have found the problem, though apparently it requires a rewrite of some code to fix.
     
  26. Mirko Baila

    Mirko Baila Reformed Router Member

    I have this unsupported error in log:

    Any idea? My smartphone is Galaxy S2 with Android 2.3.4
     
  27. teaman

    teaman Addicted to LI Member

    Unfortunately - no idea. Are you sure you guys are using a Teaman-RT or Teaman-ND firmware image to do this? And... did you guys erase nvram before trying to reconfigure it, just to rule this out? I mean... I just did some quick testing and here's an E3000 running WAN with pppd (3G modem) and handling another pair of PPTP clients online simultaneously - that's 3 distinct pppd instances running, each with their own config path/files/settings/routes/rules ;)
    Code:
    root@vader:/tmp/pptpd# ps | grep pp
    2329 root      1560 S    pppd file /tmp/ppp/wanoptions
    2797 root      756 S    pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd -C 6
    2798 root      764 R    /usr/sbin/bcrelay -i br0 -o ppp[4-9].* -n
    2799 root      764 R    /usr/sbin/bcrelay -i ppp[4-9].* -o br0 -n
    3422 root      868 S    pptpd [187.xx.xxx.86:72B9 - 0280]
    3423 root      1556 S    /usr/sbin/pppd local file /tmp/pptpd/options.pptpd 115200 192.168.xxx.xx2:192.168.xxx.81 ipparam 187.xx.xxx.86
    3427 root      868 S    pptpd [189.xx.xxx.76:C017 - 0300]
    3428 root      1556 S    /usr/sbin/pppd local file /tmp/pptpd/options.pptpd 115200 192.168.xxx.xx2:192.168.xxx.82 ipparam 189.xx.xxx.76
    3528 root      1708 S    grep pp
    root@vader:/tmp/pptpd#
     
    root@vader:/tmp/pptpd# route -n
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    10.xx.xx.xx    0.0.0.0        255.255.255.255 UH    0      0        0 ppp0
    192.168.xxx.82  0.0.0.0        255.255.255.255 UH    0      0        0 ppp5
    192.168.xxx.81  0.0.0.0        255.255.255.255 UH    0      0        0 ppp4
    192.168.xxx.0  0.0.0.0        255.255.255.0  U    0      0        0 br0
    172.xx.xx.0    0.0.0.0        255.255.255.0  U    0      0        0 br1
    127.0.0.0      0.0.0.0        255.0.0.0      U    0      0        0 lo
    0.0.0.0        10.xx.xx.xx    0.0.0.0        UG    0      0        0 ppp0
    root@vader:/tmp/pptpd#
     
    root@vader:/tmp/pptpd# ifconfig | egrep -i 'link|inet'
    br0        Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:86
              inet addr:192.168.xxx.xx2  Bcast:192.168.xxx.255  Mask:255.255.255.0
    br1        Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:86
              inet addr:172.xx.xx.xx2  Bcast:172.xx.xx.255  Mask:255.255.255.0
    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:86
    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:88
    eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:89
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:189.xx.xxx.102  P-t-P:10.xx.xx.xx  Mask:255.255.255.255
    ppp4      Link encap:Point-to-Point Protocol
              inet addr:192.168.xxx.xx2  P-t-P:192.168.xxx.81  Mask:255.255.255.255
    ppp5      Link encap:Point-to-Point Protocol
              inet addr:192.168.xxx.xx2  P-t-P:192.168.xxx.82  Mask:255.255.255.255
    vlan1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:86
    vlan2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:87
    vlan3      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:86
    root@vader:/tmp/pptpd#
    
    [Screenshot attachment: VPN_PPTP_Two_Users_Online_WAN_PPP3G.png]
    Unfortunately, I have no ADSL service here - so that's the closest I could get.

    Best of luck!
     
  28. maple.chick

    maple.chick Reformed Router Member

    @M_ars: Have you tried adding "nopcomp" and "noaccomp" in options.pptpd? They are specific to iPhone and iPad. I was able to connect and get an IP address after adding them. PPTP server works perfectly for Windows clients but I can't get it to work with WebOS. I get a "No response to 10 echo-requests" error and "0 bytes sent 0 bytes received" and then I get disconnected. I have manually forwarded port 47, 1723, 1792 to 192.168.1.1 (PPTP server) but haven't had any luck so far. Also, try unchecking GRE/PPTP option under Conntrack/Netfilter. See if that helps. Oh and you may have to use a similar IP range as your LAN for PPTP client if you don't want to use the default. I had problems getting proxyarp to work with anything else.

    @gfunkdave: Have you tried connecting to PPTP server with a DynDNS?

    I am trying to recover a bricked WRT54G so I haven't had the time to play with the PPTP feature but I am so looking forward to it!
     
  29. Mirko Baila

    Mirko Baila Reformed Router Member

    I have searched with Google about the error, I found this!
    The solution is to disable encryption :(
    Is it possible to integrate the L2TP/IPSec PSK protocols?
     
  30. quietsy

    quietsy Addicted to LI Member

    Thanks for the great work Teaman!

    This is what I had to do to make it work on a RT-N66U using an iPhone:
    Advanced > Conntrack / Netfilter > Enable GRE / PPTP
    VPN Tunneling > PPTP Server > DNS Servers:
    8.8.8.8
    8.8.4.4
    Administration > Scripts > Firewall :
    Code:
    #!/bin/sh
    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -i ppp+ -j ACCEPT
    iptables -A FORWARD -i ppp+ -j ACCEPT
    iptables -A FORWARD -o ppp+ -j ACCEPT
     
    iptables -t nat -I PREROUTING -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -i ppp+ -j ACCEPT
    iptables -I FORWARD -i ppp+ -j ACCEPT
    #Restrict number of TCP connections per user
    #iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 100 -j DROP
    #Restrict number of non-TCP connections per user
    #iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 50 -j DROP
    #Restrict number of simultaneous SMTP connections (from mailer viruses)
    #iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP
    When connected to the LAN without VPN:
    local IP resolving works
    local hostname resolving works (hostname and hostname.domain)
    internet works

    When connected to the VPN from outside the LAN:
    local IP resolving works
    local hostname resolving doesn't work
    internet works

    Hope this helps.
     
  31. M_ars

    M_ars LI Guru Member

    Hi Teaman,

    my ADSL connection uses PPPoE.
    If I turn off PPPoE I CAN connect with my iPad to the PPTP server and everything works perfectly. As soon as I turn on PPPoE, the PPTP server is broken again.
    Can you fix this bug please :) - thank you very much

    @maple.chick: no I haven't tried it. PPPoE is causing the problem


    Seems like I am not the only one... and he also has a solution

    Tomato with PPTP and PPPoE


    I just wanted to setup my Tomato-Firmware to provide a PPTP-based VPN. Naturally I used the HOWTO, but sadly I ran into a problem where Google couldn't help. The log only showed

    pppd[8449]: unrecognized option 'local'

    But my config did not contain "local"! After I'd already given up and tried without PPTP, I stumbled over a post that made the problem obvious, although it did not offer a solution. The problem seems to be, that my router has to use PPPoE and therefore already has a config in /tmp/ppp which is then used for the VPN-connects. No wonder that didn't work.

    It seems that the path is hardwired into the pppd-binary. So the only solution I came up with, was to copy and modify the binary. Dirty of course, but at least working :-/

    So here is what I did:
    Code:
    cp /usr/sbin/pppd /opt/sbin/
    # be careful: the replacement has to be exactly 3 chars!
    sed -i -e 's#/tmp/ppp/#/tmp/xxx/#' /opt/sbin/pppd
    cat > /opt/etc/config/vpn.wanup <<EOF
    #!/bin/sh
    if [ ! -f /tmp/xxx/chap-secrets ]; then
    mkdir -p /tmp/xxx
    ln -s /opt/etc/ppp/chap-secrets /tmp/xxx
    fi
    /opt/etc/init.d/S20poptop restart
    EOF
    /opt/etc/config/vpn.wanup
    # now edit /opt/etc/pptpd.conf
    # and set "ppp /opt/sbin/pppd"
    /opt/etc/init.d/S20poptop restart


    Source: http://dd9e.blogspot.de/2011/07/tomato-with-pptp.html
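The warning in the commands above ("the replacement has to be exactly 3 chars!") matters because sed is rewriting a string inside the pppd ELF binary: a longer or shorter replacement shifts every byte after it and corrupts the file. The following is an added example, not code from the thread or from the dd9e blog post, that wraps the same edit in length, presence and size checks; it runs here on a small constructed stand-in file, and on a router it would be pointed at a copy of /usr/sbin/pppd, never the original.

```sh
#!/bin/sh
# Added example (not from the thread or the dd9e blog post). Wraps the
# blog's sed edit of a path string inside a copied pppd binary in the
# checks that make it safe: equal byte length, the string really present,
# file size unchanged afterwards, no occurrence left behind.

# make_stub FILE: write a constructed stand-in for a binary's string table,
# NUL-separated like ELF .rodata, containing the path twice.
make_stub() {
    printf 'pppd version 2.4.5\0/tmp/ppp/options\0/tmp/ppp/chap-secrets\0' > "$1"
}

# count_hits FILE NEEDLE: number of occurrences of NEEDLE in FILE, treating
# the file as text (-a) and counting each match (-o), not each line.
count_hits() {
    grep -a -o -F "$2" "$1" | wc -l
}

# patch_path FILE OLD NEW: replace every OLD with NEW in FILE in place.
# OLD and NEW must contain no sed metacharacters or '#' (true for the
# /tmp/ppp/ -> /tmp/xxx/ case the blog uses). Returns 1 and leaves FILE
# untouched if the lengths differ or OLD does not occur; returns 1 after
# the edit if the size changed (e.g. a sed that appends a newline).
patch_path() {
    file=$1 old=$2 new=$3
    if [ "${#old}" -ne "${#new}" ]; then
        echo "refusing: '$new' must be exactly ${#old} bytes like '$old'" >&2
        return 1
    fi
    if [ "$(count_hits "$file" "$old")" -eq 0 ]; then
        echo "refusing: '$old' not found in $file" >&2
        return 1
    fi
    before=$(wc -c < "$file")
    # The blog's edit, with /g so every occurrence on a "line" is replaced.
    sed -i -e "s#$old#$new#g" "$file"
    after=$(wc -c < "$file")
    if [ "$before" -ne "$after" ]; then
        echo "size changed from $before to $after bytes: binary is corrupt" >&2
        return 1
    fi
    [ "$(count_hits "$file" "$old")" -eq 0 ]
}

# Stand-alone run on the constructed file.
stub=$(mktemp)
make_stub "$stub"
patch_path "$stub" /tmp/ppp/ /tmp/pptpd/ || echo "rejected as expected"
patch_path "$stub" /tmp/ppp/ /tmp/xxx/ && echo "patched OK"
tr '\0' '\n' < "$stub"
rm -f "$stub"
```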
     
  32. quietsy

    quietsy Addicted to LI Member

    My ADSL connection also uses PPPOE and I've listed above how I got it working, give it a try.
     
  33. M_ars

    M_ars LI Guru Member

    Hi quietsy,
    does not work for me :-(

    My iPad is not able to connect and I get the following error message:
    Apr 6 18:03:50 RT-N16 daemon.info pppd[1604]: RP-PPPoE plugin version 3.10 compiled against pppd 2.4.5
    Apr 6 18:03:50 RT-N16 daemon.err pppd[1604]: unrecognized option 'local'
    Apr 6 18:03:50 RT-N16 daemon.err pptpd[1603]: GRE: read(fd=6,buffer=4218bc,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Apr 6 18:03:50 RT-N16 daemon.err pptpd[1603]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
     
  34. wilsonhlacerda

    wilsonhlacerda Reformed Router Member

    teaman/Toastman congrats for this new PPTP server GUI!
     
  35. gfunkdave

    gfunkdave Networkin' Nut Member

    Yes, Teaman, thanks!

    Quietsy - I'm not sure why you need to add all these firewall scripts. Activating the PPTP server just works fine without them.

    So, I figured out a bit more. Connecting to VPN from outside my LAN works fine on my laptop (Windows 7), but I can still access other hosts on the LAN I'm connecting from. Shouldn't I not be able to do this when using VPN?

    Connecting to VPN from my iPhone does not work. The iPhone connects to VPN but I can't browse to cnn.com in Safari. I know I have connectivity to the VPN, because if I type my Linux server's IP into Safari I get the Apache "It works!" page.

    Any ideas? Thanks all.
     
  36. teaman

    teaman Addicted to LI Member

    Ideas? Yeah... In fact, two things have been hovering in my mind, but since my remarks/questions (above) seem to have been simply 'ignored', posting again:
    The reasons I'm insisting on asking those 'silly' questions are in fact... quite simple:
    • If you are not using a Teaman-ND or Teaman-RT build (but some other mod), it might be possible these issues with PPPoE could have been introduced when this code was merged into some other branch, making it somewhat harder to track down (especially since I don't use any of those other mods ;) ). Why I'm insisting on that? Well - there's been some posts with fragments of logs... but those seem to be running on devices like the Asus RT-N66U and RT-N16 (and I've only built MIPSr2/Teaman-RT images for the Cisco/Linksys eX000 series, which require devices with 60k of NVRAM).
    • Please keep in mind that when the idea of erasing NVRAM and (re)configuring the whole thing from scratch is suggested... it is not supposed to be a 'just because' thing - such thing usually helps quite a bit (devs/modders/users) on tracking down any problems - that is, if those are in fact... reproducible (not to mention there's actually a good chance of actually fixing things in the process - my point is: this needs to be done/checked/ruled out at some point...)
    • One idea/possibility/thingie just crossed my mind: please check if, by any chance, there's more than one pppd binary available anywhere on your router (i.e. provided by optware? some other custom/older binary anywhere? i.e. perhaps try/run 'find / -name pppd' via telnet/SSH?).
    Anyways - as posted above, I think I've tried quite hard/done my best trying to find out if something could be possibly off and/or... plain wrong with the code... Therefore, with all that being said... please do believe me when I write to all you folks: I don't mean to sound rude or anything, but on this particular thingie (which seems to be related to something specific to multiple PPPd instances), we couldn't even properly 'confirm' there is, in fact, a real problem with the code/build just yet :(

    @quietsy - while it might be technically 'just fine' to use those iptables rules mentioned on your post, there might be some possibly-unforeseen 'implications' due to that '+' symbol (as it's treated as a regexp):
    Code:
    iptables -A XXX -i ppp+ -j XXX
    What I mean is: there's chance this kind of rule could be matching packets/connections on... all of your pppX connections, not just the ones handling PPTP connections ;) In fact, this is sorta the 'main reason' relating to the existence of this particular config/directive on options.pptpd:
    Code:
    minunit 4
    This is mostly about trying to prevent conflicts between regular/standard/WAN/VPN features and PPP sessions created via PPTP (i.e. 'reserving' interfaces ppp0~3 for 'existing' features). Hint: have a look at the bcrelay cmdline with 'ps'... not sure if that syntax will actually work, but it's a start.

    In any case - I do hear you ;) and realize... there still might be something lurking deep inside the PPPoE shared lib/plugin... so I guess I'll have to take a look at that code.

    Cheers!

    EDIT: @maple.chick - the next/upcoming version of Tomato/PPTP server will feature an 'advanced/custom config' box, so users can easily set/enter some extra/additional/specific config settings that might be needed...

    EDIT2: I might have found a possible culprit on Teaman-ND/K24 builds due to the fact this particular commit has not been merged into that particular branch:
    http://repo.or.cz/w/tomato.git/commit/82d98a546c763224b4b2b3da72ea4d29a2af9479
    Still: branch Teaman-RT does have it, so this should not be a problem on any other branches that eventually got this code merged/included into... (still looking).
     
    kthaddock likes this.
  37. M_ars

    M_ars LI Guru Member

    Teaman,
    I am using shibby's latest 090V build with an RT-N16. I did nvram erase before and after the upgrade and did all configs from scratch. I am also not using optware.

    I think I am gonna try a different build from you or toastman and re-check again. Thx for your help and tips :)
     
  38. Mirko Baila

    Mirko Baila Reformed Router Member

    I solved it with an upgrade of my smartphone. With Android 4.0.3 PPTP works fine!!! ;)
     
  39. shibby20

    shibby20 LI Guru Member

    thx for info. I ran PPTP with PPPoE WAN using this solution.

    @Teaman: problem with PPTP + PPPoE is rp-pppoe.so plugin. pppd doesn't know "local" option.

    My /tmp/ppp/options file:
    this is why PPTPD won't work if we have PPPoE wan type.

    Now when I do:
    Code:
    cp /usr/sbin/pppd /tmp/pppd
    sed -i -e 's#/tmp/ppp/#/tmp/xxx/#' /tmp/pppd
    mkdir /tmp/xxx
    cp /tmp/ppp/options /tmp/xxx/options
    and remove "plugin rp-pppoe.so" from /tmp/xxx/options, my /tmp/pppd recognizes the "local" option and I am able to run PPTP.

    In file pptpctrl.c in line 736
    http://repo.or.cz/w/tomato.git/blob...5cbfe3c0:/release/src/router/pptpd/pptpctrl.c

    we have: pppd_argv[an++] = "local";

    maybe we can just remove this line? What do you think?

    Best Regards
     
  40. teaman

    teaman Addicted to LI Member

    Quite complex, but let's try this anyways ;) As per quoted 'pieces', from top to bottom:


    a) 'local' option: I don't think that would be the actual/underlying problem... but the 'absence' of some commits originated from javenard (branch tomato-RT-jyavenard, sorta of a 'byproduct' of his work on the PPTP client).

    b) 'this is why PPTPD wont work...': since Toastman-RT had that commit merged and Teaman-RT had pretty much the whole thing merged 'back' later on, this kind of problem shouldn't be happening on Teaman-RT builds, as mentioned above. It's probably safe-ish to assume Toastman-RT builds should be also fine since I'm somewhat under the impression those PPTPD patches/code from Teaman-RT got merged back a few weeks ago - anyone out there could perhaps confirm if this whole 'PPTPD' + 'PPPx on WAN' thingie is working fine on Toastman-RT/K26 builds just like it should be on Teaman-RT/K26 builds? Thanks in advance if anyone out there is able to test/validate/confirm those test/cases!).

    Anyways - I took a brief look at the git log/history on branch tomato-shibby and did see it got a whole bunch of stuff on commit 469447ef26b3f002ef673112f7f9cdb15cbfe3c0 , but there might be some code possibly 'missing'. Why's that? Well... 'just because' of 'something' I realized: this commit seems to be some kind of cherry-pick, not exactly a 'canonical' merge (if there *is* indeed such thing! ;) ). What I'm thinking is: just realized those two lines are slightly different (see that commit from javenard, above)...
    http://repo.or.cz/w/tomato.git/blob/tomato-shibby:/release/src/router/rc/wan.c#l46
    http://repo.or.cz/w/tomato.git/blob/Teaman-RT:/release/src/router/rc/wan.c#l46

    c and d) 'and remove plugin rp-pppoe...': I don't think that's the best course of action :( Let me explain: I'm currently involved in some deep digging regarding possible ways of mapping/using VLAN IDs above 15 for both K24/MIPSr1 (i.e. WRT54GL) and K26/MIPSr2 (i.e. E3000) kinds of builds... as soon as I get the chance to look at this whole thing in some sort of 'proper' perspective (if there *is* such thing!?), I'll get right on that - after all, I do want to get this whole PPTPD thingie to be 'working' on not just on my WRT54GL... but on as many devices as we can ;)

    See also:
    http://code.google.com/p/tomato-sdhc-vlan/issues/detail?id=17

    Cheers!
     
  41. shibby20

    shibby20 LI Guru Member

  42. Paul Yeung

    Paul Yeung Network Newbie Member

    First of all I would like to express my gratitude towards Teaman and Toastman and all other Tomato developers for their valuable efforts, especially in providing a GUI for PPTP VPN Server which I have longed for years. It works quite well with my iPhone, only with a minor problem that I would appreciate for your help.

    I am using a Linksys E3000 converted from WRT610N v2 running Toastman's Tomato firmware "tomato-E3000USB-NVRAM60K-1.28.7497.1MIPSR2-Toastman-RT-VPN.bin".
    I have set up the PPTP VPN server as below -
    Local IP Address/Netmask 192.168.1.1 / 255.255.255.0
    Remote IP Address Range 172.19.0.1 - 172.19.0.6
    Encryption MPPE-128
    MTU 1450
    MRU 1450

    I left the DNS server field as default 0.0.0.0.

    When I use my iPhone to connect to the VPN server, the connection establishes successfully, but the iPhone can only access LAN devices (router, IPCAM) but not the internet. I then put 192.168.1.1 in the DNS server field, but the same problem remains. Only when I put a public DNS such as 8.8.8.8 or my ISP's DNS server IP, the iPhone can access the internet as expected. I wonder why the internal DNS server does not work. I am sure it works for the LAN devices such as my PC. It seems that the internal DNS server does not want to serve VPN clients. Is it normal or just a bug to be fixed?
     
  43. Anserk

    Anserk Networkin' Nut Member

    I remember reading somewhere that iOS requires DNS server to have a public IP address for VPN connections. I couldn't find any official information but if you search in Google, you will find many complaints about the issue for other VPN servers too. So this is not a Tomato bug but rather an iOS "feature".
     
  44. Paul Yeung

    Paul Yeung Network Newbie Member

    I doubt it is an iOS problem because I also tested with my PC at work. When it is connected to the E3000 at home with the DNS server setting blank or 192.168.1.1, the NSLOOKUP command times out. So the problem does not seem to apply only to devices running iOS.
     
  45. Anserk

    Anserk Networkin' Nut Member

    I don't have the new build installed yet, so I can't test it on my setup.
     
  46. teaman

    teaman Addicted to LI Member

    Yes and yes. Just checked/confirmed your report. Thanks for bringing this up - a fix will be released soon.

    The 'problem' is the way we set up dnsmasq when we want it to be running on just a few interfaces. On VLAN-GUI-enabled builds, it needs to be 'told' which interfaces it should serve DHCP and/or the ones we want it to serve just DNS. Problem is... ppp4~9 is not on the list (even if you've set up your PPTP server to use addresses that would be within your LAN address range, any DNS queries would be actually coming from... a pppX interface, which is not on the 'valid interfaces to respond' list).

    In the meantime, there is a work-around ;) Add these to the 'Custom configuration' textbox on the Advanced -> DHCP/DNS page:
    Code:
    no-dhcp-interface=ppp4
    no-dhcp-interface=ppp5
    no-dhcp-interface=ppp...
    And that should take care of things for now (this version supports up to 6 simultaneous connections, interfaces should be ppp4~9, add one line per simultaneous client/interface, as required).

    Anyways - Anserk's comment is also possibly relevant (in some other cases). See this post:
    http://www.linksysinfo.org/index.php?threads/the-pptp-server-gui-thread.36779/#post-181269

    Cheers!
     
  47. Anserk

    Anserk Networkin' Nut Member

    I flashed my RT-N16 with the latest Toastman build and can confirm the issue. First of all, I would like to thank you Teaman and everyone else who made PPTP possible (and GUI!). On older builds I had PPTP server installed from Optware, but could never get it to work with PPPoE enabled. And now thanks to your efforts it is working like a charm - and GUI makes it much easier too.

    However, DNS resolution doesn't work. I did add the ppp interface to the dnsmasq configuration but it didn't help. Nslookup from my laptop to the router is timing out. Connectivity is there and port 53 is reachable. I enabled log-queries temporarily and don't even see queries coming from the VPN client. I'm not sure if there is a way to turn on verbose logging for dnsmasq. Any ideas?
     
  48. Anserk

    Anserk Networkin' Nut Member

    I figured it out myself. You actually need two lines in custom section for Dnsmasq for each interface:
    interface=ppp4
    no-dhcp-interface=ppp4
    ... etc. One line to enable Dnsmasq for that interface, the second to disable DHCP services on that interface.

    It's not very clear in Dnsmasq man page, but this example gives more details: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example

    P.S. I tested it also with my iPhone - works perfectly. Built-in PPTP server was the only option I was missing in Tomato when I switched to it from DD-WRT long time ago.
     
    Paul Yeung likes this.
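Teaman's explanation above (dnsmasq only answers on the interfaces it is told about, and PPTP sessions land on ppp4~9 because of "minunit 4"), Anserk's finding that both interface= and no-dhcp-interface= lines are needed, and Teaman's earlier caveat that "ppp+" in an iptables rule also matches the WAN ppp0 come together in this added example. It is not code from the thread or from Tomato; it assumes minunit 4 and six simultaneous clients (the thread's values) and dry-runs iptables through echo so the rules can be read before being applied.

```sh
#!/bin/sh
# Added example, not from the thread or from Tomato. Assumes options.pptpd
# has "minunit 4" and the server allows 6 simultaneous clients, so PPTP
# sessions are assigned ppp4..ppp9 (the thread's values).

MINUNIT=${MINUNIT:-4}
MAXCONN=${MAXCONN:-6}

# Print the ppp interface names reserved for PPTP sessions, one per line.
pptp_units() {
    i=$MINUNIT
    last=$((MINUNIT + MAXCONN - 1))
    while [ "$i" -le "$last" ]; do
        printf 'ppp%s\n' "$i"
        i=$((i + 1))
    done
}

# dnsmasq "Custom configuration" lines for Advanced -> DHCP/DNS: one
# comma-separated interface= line (the form Paul Yeung found works) so
# dnsmasq listens on the PPTP units, plus no-dhcp-interface= per unit so
# it serves DNS only (pppd already hands the client its address).
dnsmasq_custom_config() {
    printf 'interface=%s\n' "$(pptp_units | tr '\n' ',' | sed 's/,$//')"
    pptp_units | sed 's/^/no-dhcp-interface=/'
}

# Read dnsmasq custom config text on stdin and print every PPTP unit that
# no interface= line covers. Understands both "interface=ppp4" and
# "interface=ppp4,ppp5,..." forms. No output means all units are covered;
# a config with only no-dhcp-interface= lines (the first workaround in the
# thread) lists all of them, which is why Anserk saw no queries arrive.
dnsmasq_missing_units() {
    covered=$(sed -n 's/^interface=//p' | tr ',' '\n')
    for u in $(pptp_units); do
        echo "$covered" | grep -qx "$u" || echo "$u"
    done
}

# iptables rules scoped to the PPTP units. "-i ppp+" is a prefix wildcard
# and also matches ppp0, which is the WAN link on PPPoE or 3G setups, so
# each reserved unit is named explicitly. IPT defaults to "echo iptables"
# to print the rules; set IPT=iptables to apply them on the router.
pptp_firewall_rules() {
    IPT=${IPT:-echo iptables}
    $IPT -A INPUT -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -p gre -j ACCEPT
    for u in $(pptp_units); do
        $IPT -A INPUT   -i "$u" -j ACCEPT
        $IPT -A FORWARD -i "$u" -j ACCEPT
        $IPT -A FORWARD -o "$u" -j ACCEPT
    done
}

# Stand-alone run: show both fragments and check the dnsmasq one.
dnsmasq_custom_config
dnsmasq_custom_config | dnsmasq_missing_units
pptp_firewall_rules
```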
  49. maurer

    maurer Addicted to LI Member

    hi,
    my rt-n16 running tomato 092 is configured as AP only (+ some services like BT) and the routing is done by an openwrt tl-wr1043nd.
    I've configured the pptp server and after connecting I can only connect to the AP-pptp server (rt-n16 ip 10.1.1.2) but no other hosts like the gateway or my nas.
    iptables was configured on openwrt to allow pptp and seems to work.
    Do I need to configure some static routing on tomato/openwrt?
     
  50. M_ars

    M_ars LI Guru Member

    Can also confirm that issue/problem - leaving everything at default for the DNS servers (0.0.0.0 or router IP), the iPad can only access the local network but I am not able to surf the internet. The only workaround right now is to enter a public DNS, then everything works perfectly.

    With Shibby's build 092V (on an RT-N16), PPPoE and the PPTP server are now working as expected - thanks a lot :)
     
  51. Anserk

    Anserk Networkin' Nut Member

    I suspect routing is disabled when you select AP only mode. Run cat /proc/sys/net/ipv4/ip_forward and see if you get 0 or 1. Zero means IP forwarding is disabled.
     
  52. maurer

    maurer Addicted to LI Member

    nope - still enabled:
    Code:
    root@Mau-s:/tmp/home/root# cat /proc/sys/net/ipv4/ip_forward
    1
    
    In Advanced -> Routing it is configured as router, not as gateway.

    Anyway, I've configured my OpenWrt box as the PPTP server as a workaround :)
     
  53. Paul Yeung

    Paul Yeung Network Newbie Member

    Thanks. By adding "interface=ppp4" to the dnsmasq custom configuration box, my iPhone VPN client connecting to the Tomato VPN server with 0.0.0.0 as DNS server can finally access the internet! Thanks Anserk and Teaman.

    Just curious to know if I have to add the "no-dhcp-interface=ppp4". Will there be any adverse effect if I just omit it?

    P.S. With a few experiments, I found that I can add just one line, "interface=ppp4,ppp5,ppp6,ppp7,ppp8,ppp9", for all six PPTP VPN clients.
     
  54. teaman

    teaman Addicted to LI Member

    It seems that "interface=xxxx" means dnsmasq should listen for requests on that interface whereas "no-dhcp-interface=xxxx" means it won't be serving DHCP (just DNS) on that interface. Since we don't really care about DHCP on our PPTP/pppX interfaces, it should be fine either way...

    I'll get that fixed soon.

    Thanks for your notes!
     
  55. Paul Yeung

    Paul Yeung Network Newbie Member

    May I know if shibbys build has GUI for PPTP server / client now?
     
  56. Riddlah

    Riddlah Serious Server Member

    The latest version (build 092) has support for PPTP Client, I don't recall if the server feature was also included
     
  57. M_ars

    M_ars LI Guru Member

    092V has a PPTP Server (with GUI) but no Client.
     
  58. Paul Yeung

    Paul Yeung Network Newbie Member

    Regarding the DNS problem, it seems it does not only affect PPTP clients, but also other clients linked indirectly to the router. Apart from the E3000 running "tomato-E3000USB-NVRAM60K-1.28.7497.1MIPSR2-Toastman-RT-VPN.bin", I have a WRT54G running DD-WRT as a client bridge connecting to the E3000 wirelessly. The WRT54G then connects my set-top box via LAN cable.

    Just yesterday I realised that the set-top box cannot access some online services, with errors resolving hostnames. I checked the setting, which is okay (DNS server set to 192.168.1.1, which is also my PPTP server). I changed the DNS server manually to 8.8.8.8 but it still doesn't work. (Unlike the PPTP server: if I set 8.8.8.8 as the DNS server for the PPTP client it works.) It seems Tomato has blocked DNS traffic from the WRT54G. To make sure my set-top box is not faulty I changed the WRT54G from client bridge to repeater bridge so that my iPhone can connect to the WRT54G wirelessly and I can check traffic going via the WRT54G (DD-WRT) to the E3000 (Tomato). The result is what I expected - the iPhone cannot access anything by hostname, only my local devices via IP address. But to my surprise, the iPhone cannot access 192.168.1.1 either.
    This DNS problem may be related to my previous problem, maybe not, but I hope Toastman / Teaman may have a look into it. I am pretty sure it is related to the Tomato firmware since before my E3000 changed from DD-WRT to Tomato there was no such problem.

    P.S. I just changed the WRT54G from Client Bridge mode back to AP and use WDS mode instead. Everything works now. Maybe WDS is a better way for me than using Client Bridge / Repeater Bridge.
     
  59. maurer

    maurer Addicted to LI Member

    After I watched this YouTube video about how easy it is to hack a PPTP VPN, I don't want to use this feature anymore:
     
  60. georges

    georges Reformed Router Member

    The connection is insecure if you are on the same network as the one who tries to get to you. But you can get a workaround (being on a 3G network, for example). This is a solution for connecting your mobile to your home network and accessing the local resources (email, other servers which are also password protected). You also have the choice to land on a different subnet, and a hacker should be unable to access sensitive data. I also think that L2TP/IPsec is a more secure choice for mobile users; time will tell when Tomato will get it. The hard work from the developers gives us a choice. You now have a very complete and useful box that is your router.
     
  61. Morac

    Morac Network Guru Member

    I'm running tomato-E3000USB-NVRAM60K-1.28.7498.1MIPSR2-Toastman-RT-VPN.bin which has the PPTP server GUI in it and while it works, there are a few issues with it:

    1. If I leave the default remote IP address range (172.19.0.1 to 172.19.0.6), I'm able to access IP addresses on my LAN (192.168.1.1/255.255.255.0) as if I'm on that LAN even though I have an IP address of 172.19.0.x. Since 172.19.0.x should be on a different sub-net that shouldn't be possible and actually goes counter to what this page describes. According to that link if I want to access my LAN remotely, I should need to specify a remote IP address range within my LAN, but that's not the case. According to some routing info, the gateway IP is always the same (192.168.1.1) regardless of what sub-net I use. I do notice that the localip in /tmp/pptpd/pptpd.conf is always 192.168.1.1.

    2. Broadcast relay doesn't appear to work as far as I can tell, at least not with my testing from my iPad/iPhone. I have an app that's supposed to be using Bonjour (UDP 5353 Multicast DNS) to discover devices on the LAN and it's not finding any. I did try using an IP address in my LAN (192.168.1.1/255.255.255.0). I'll need to run some more tests though, since I tried over 3G, not WiFi, and Apple may block Bonjour over 3G.
     
  62. CTXSi

    CTXSi LI Guru Member

    Potentially stupid question, but I'll ask anyway. I presume that for the PPTP server to work properly I should first have a DDNS service or static IP from my ISP. Is this correct?

    I've never used a VPN or PPTP server before but have some extended travel coming up so I'm thinking it could come in handy.
     
  63. CTXSi

    CTXSi LI Guru Member

    I pretty much answered my own question. Set up the DDNS, then the PPTP server, and it worked on the 2nd try (after I corrected a conflict between the local and remote IPs). Excellent work Teaman and Toastman!
     
  64. darkfire

    darkfire Network Newbie Member

    Hello, I have the same problem with a PPPoE connection and PPTP server on my WRT54GL.
    Does somebody know a Tomato firmware for my WRT54GL with a PPTP server that works?
     
  65. hevnbnd

    hevnbnd Network Newbie Member

    The above posts did fix one of my problems. Just put the following in the box for Dnsmasq:

    interface=ppp4,ppp5,ppp6,ppp7,ppp8,ppp9

    Then the VPN over PPPoE will work! I spent several hours before I stumbled upon this forum! Thanks for the fix.

    The problem I am having may be related to the same thing. My vpn works now, however I use an app from Control4 that uses TAP-Win32 Adapter to VPN into a project on a device and I can NOT get it to connect. It works if I VPN and access it as if I was local. Also works if I use a stock firmware on an e4200 but when using the TAP-Win32 adapter it does not connect. Little background info on the Control4 remote director app.

    Control4 uses openvpn to connect back to control 4 and they probably use a reverse ssh tunnel
     
  66. darkfire

    darkfire Network Newbie Member

    I tried it, but it does not work.
    I copied "interface=ppp4,ppp5,ppp6,ppp7,ppp8,ppp9" into the dnsmasq box in "Advanced->DHCP/DNS" and nothing happens.
    In the log file I see the following output
     
  67. mintcookies

    mintcookies Network Newbie Member

    hi,
    I'm a complete noob here and just recently started trying to set up a PPTP VPN server using the GUI that was built in.
    I'm running Tomato 1.28 Toastman-VLAN-RT K26 USB VPN-NOCAT.
    I've managed to get the PPTP VPN server up and running and am able to connect to the VPN with my Android phone as well as a laptop running Win7, but my iPad 2 cannot connect.
    I attached a screenshot of the settings I put into Tomato PPTP VPN.


    I've read that the "options.pptpd" file has to be edited to include "nomppe-stateful" or "nopcomp" for iOS devices to connect,
    but how do I edit the "options.pptpd" file?
    Could someone please help me and provide me some instructions?

    thanks in advance
     

  68. mraneri

    mraneri LI Guru Member

    Ok guys, can't figure this out. I'm using toastman's latest build. (7500) and am having multiple problems with my iOS device.
    When the iPhone is on the local network, I can attempt to connect to the server (this fails, but not the problem for now...) pptpd logs show the connection attempts but authentication problems.

    sent [LCP TermReq id=0x3 "peer refused to authenticate"]
    rcvd [LCP TermReq id=0x2 "MPPE required but not available"]

    But the bigger problem at the moment, is I can't even reach the server when I'm connecting from outside the network. The Packets are dropped:
    DROP IN=vlan2 OUT= SRC=PHONEIP DST=MYWANIPADDRESS LEN=44 TTL=50 ID=39609 PROTO=TCP SPT=63110 DPT=1723

    So, if I set up a port forward to forward connections to port 1723 to the router's IP, I still get dropped packets.
    DROP IN=vlan2 OUT=SRC=PHONEIP DST=192.168.1.1 LEN=44 TTL=50 ID=39609 PROTO=TCP SPT=63110 DPT=1723

    Any clue what's happening here? I am otherwise running a pretty standard configuration. No custom IPTABLES entries anywhere...

    Thanks for any insight. If one thinks this is related to Toastman integration, and you think I should post over in his thread, please let me know.

    - Mike
     
  69. mraneri

    mraneri LI Guru Member

    Bump...
    Anyone have any ideas?
     
  70. ilyaa

    ilyaa Addicted to LI Member

    Hi,
    I have a weird problem - after enabling PPTP, two rules are added into the iptables INPUT chain:
    Code:
    ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:1723
    ACCEPT    gre  --  any    any    anywhere            anywhere
    Resulting INPUT comes up as:
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DROP      all  --  br0    any    anywhere            wan-ip.XXXXX.com
        0    0 DROP      all  --  any    any    anywhere            anywhere            state INVALID
      109 20491 ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED
        0    0 ACCEPT    all  --  lo    any    anywhere            anywhere
      72  5115 ACCEPT    all  --  br0    any    anywhere            anywhere
        0    0 logaccept  icmp --  any    any    anywhere            anywhere            limit: avg 1/sec burst 5
      11  352 logaccept  udp  --  any    any    anywhere            anywhere            udp dpts:33434:33534 limit: avg 5/sec burst 5
        7  2422 logdrop    all  --  any    any    anywhere            anywhere
        0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:1723
        0    0 ACCEPT    gre  --  any    any    anywhere            anywhere
    
    and all PPTP connections are dropped by a "logdrop" rule.
    I have to manually (via firewall script) insert TCP port 1723 and GRE rules in the beginning of the chain to make it work.

    Running "tomato-WRT54G_WRT54GL-1.28.0025Teaman-VLAN-SNMP-PPTPD-Std" on WRT54GL.

    Any ideas?
     
  71. EDDYMERCKX

    EDDYMERCKX LI Guru Member


    Having same exact issue with Tomato Firmware v1.28.0025 Teaman-VLAN-SNMP-PPTPD ND VPN on WRT54GL v1.1.
     
  72. superdos

    superdos Reformed Router Member

    Hi, I have problems getting PPTP to work as well. I use Tomato Firmware v1.28.0500 MIPSR2Toastman-RT-N K26 USB VPN.

    If I add the TCP port 1723 and GRE rules at the beginning of the INPUT chain as mentioned above it gets further, but it won't authenticate.

    I've unticked the NAT helpers for GRE/PPTP, and it doesn't matter if I leave them checked.

    Any tips on how to get it working?

    Note: PPTP works fine if I'm already connected to the WiFi/LAN.

    The messages log says:

    daemon.debug pppd[14032]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x74c6d184> <pcomp> <accomp>]
    user.warn kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.100 DST=98.231.132.143 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=30658 PROTO=UDP SPT=35719 DPT=54447 LEN=38
    user.warn kernel: DROP IN=vlan2 OUT= MACSRC=78:d6:f0:af:31:12 MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=85.233.247.213 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57621 DPT=57621 LEN=48
    user.warn kernel: DROP IN=vlan2 OUT= MACSRC=58:b2:32:41:42:4f MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=85.233.247.213 DST=85.229.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=14128 PROTO=UDP SPT=57621 DPT=57621 LEN=52
    daemon.debug pppd[14032]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x74c6d184> <pcomp> <accomp>]
    daemon.warn pppd[14032]: LCP: timeout sending Config-Requests
    daemon.notice pppd[14032]: Connection terminated.
    daemon.notice pppd[14032]: Modem hangup
    daemon.info pppd[14032]: Exit.
    daemon.err pptpd[14031]: GRE: read(fd=6,buffer=4218bc,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    daemon.err pptpd[14031]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    daemon.debug pptpd[14031]: CTRL: Reaping child PPP[14032]
    daemon.info pptpd[14031]: CTRL: Client 95.13.23.142 control connection finished


    and the pptp log says:

    using channel 24
    Using interface ppp4
    Connect: ppp4 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x806ac0e9> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x806ac0e9> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x806ac0e9> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x806ac0e9> <pcomp> <accomp>]
    Hangup (SIGHUP)
    Modem hangup
    Connection terminated.
    iptables:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
    0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
    19 852 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    153 12576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    36 2183 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    0 0 logaccept udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    116 10762 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    3256 1117K all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    4 218 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    236 12168 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    3080 1108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    172 9114 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    172 9114 logaccept all -- br0 * 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy ACCEPT 9 packets, 5448 bytes)
    pkts bytes target prot opt in out source destination
    Chain logaccept (12 references)
    pkts bytes target prot opt in out source destination
    153 8082 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `ACCEPT '
    172 9114 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
    Chain logdrop (1 references)
    pkts bytes target prot opt in out source destination
    116 10762 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `DROP '
    116 10762 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    Chain logreject (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `REJECT '
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
     
  73. mraneri

    mraneri LI Guru Member

    I solved my dropped packet problem (toastman's 7500) by adding the following to the firewall script:
    iptables -t filter -I INPUT 1 -p tcp --dport 1723 -j ACCEPT

    Should this be built into the firmware? How are others making connections from outside the LAN without something like this in their IPTABLES?

    Still can't solve my iPhone connection problems, but at least the two are reaching each other.
     
  74. superdos

    superdos Reformed Router Member

    Thanks mraneri! It works when adding your iptables rule.
    I can now connect with my iPhone over 3G.
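
    The chain walk below is an added example for this thread, not code from Tomato or from any poster. It replays an `iptables -L INPUT -v -n` listing top to bottom the way netfilter does and reports the first terminating rule a packet hits, so the rule-order problem from post 70 (PPTP rules appended after the catch-all logdrop) and the `-I INPUT 1` fix from post 73 can be checked without a router at hand. The listing embedded in it is constructed from the one in post 70; the packet model (protocol, inbound interface, destination port, conntrack state) and the treatment of Tomato's logaccept/logdrop chains as plain ACCEPT/DROP (which is what they end in, per the listing in post 72) are assumptions.

```python
"""Walk an iptables INPUT listing in order to find the rule that decides a PPTP packet.

Added example for this thread, not code from Tomato or from any poster.
Input is the text of `iptables -L INPUT -v -n`; the listing below is
constructed from the one in post 70.  Tomato's logaccept/logdrop chains are
treated as plain ACCEPT/DROP, which is what they end in (see post 72)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the PPTP rules sit AFTER the catch-all logdrop, so they never match.
BROKEN_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  109 20491 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   72  5115 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5
   11   352 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33534 limit: avg 5/sec burst 5
    7  2422 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Targets that end the walk. Tomato's log chains are LOG + ACCEPT/DROP (assumption, see docstring).
TERMINATING = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "DROP",
               "logaccept": "ACCEPT", "logdrop": "DROP"}
PROTO_NAMES = {"47": "gre", "6": "tcp", "17": "udp", "1": "icmp"}  # numeric protos on busybox boxes


@dataclass
class Rule:
    target: str
    proto: str                   # "all", "tcp", "udp", "gre", "icmp"
    in_if: str                   # "*" / "any" means any inbound interface
    dports: Optional[tuple]      # (low, high) destination port range, or None
    states: Optional[set]        # conntrack states the rule requires, or None
    text: str


@dataclass
class Packet:
    proto: str
    in_if: str
    dport: Optional[int] = None
    state: str = "NEW"


def parse_chain(listing):
    """Parse `iptables -L <chain> -v -n` output into Rule objects, in chain order."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue                          # "Chain ..." and column-header lines
        extra = " ".join(f[9:])               # match extensions after the destination column
        p = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)
        s = re.search(r"state (\S+)", extra)
        rules.append(Rule(
            target=f[2], proto=PROTO_NAMES.get(f[3], f[3]), in_if=f[5],
            dports=(int(p.group(1)), int(p.group(2) or p.group(1))) if p else None,
            states=set(s.group(1).split(",")) if s else None, text=line.strip()))
    return rules


def matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    if rule.in_if not in ("*", "any", pkt.in_if):
        return False
    if rule.dports and (pkt.dport is None or not rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def first_verdict(rules, pkt, policy="DROP"):
    """Walk top to bottom; return (verdict, index of the deciding rule, or -1 for chain policy)."""
    for i, rule in enumerate(rules):
        if rule.target in TERMINATING and matches(rule, pkt):
            return TERMINATING[rule.target], i
    return policy, -1


def fix_commands():
    """The two rules posts 70 and 73 put in front of the chain, in the order typed:
    each `-I INPUT 1` lands ahead of everything already there, so GRE ends up first."""
    return ["iptables -t filter -I INPUT 1 -p tcp --dport 1723 -j ACCEPT",
            "iptables -t filter -I INPUT 1 -p 47 -j ACCEPT"]


def apply_fix(rules):
    """Model the effect of fix_commands() on a parsed chain."""
    fixed = list(rules)
    fixed.insert(0, Rule("ACCEPT", "tcp", "*", (1723, 1723), None, fix_commands()[0]))
    fixed.insert(0, Rule("ACCEPT", "gre", "*", None, None, fix_commands()[1]))
    return fixed


def pptp_verdicts(rules, wan_if="vlan2"):
    """Verdicts for the two packets a fresh PPTP call sends from the WAN: TCP/1723, then GRE."""
    return {"tcp1723": first_verdict(rules, Packet("tcp", wan_if, 1723))[0],
            "gre": first_verdict(rules, Packet("gre", wan_if))[0]}


if __name__ == "__main__":
    chain = parse_chain(BROKEN_INPUT)
    print("rules as the firmware appended them:", pptp_verdicts(chain))
    print("after", " && ".join(fix_commands()) + ":", pptp_verdicts(apply_fix(chain)))
    print("same TCP/1723 SYN arriving on br0:", first_verdict(chain, Packet("tcp", "br0", 1723)))
```

    The last line of the demo is the LAN case several posters mention: a connection from br0 hits the `ACCEPT all -- br0` rule long before the logdrop, which is why PPTP works from inside the LAN while the same packet from the WAN is dropped.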
     
  75. mraneri

    mraneri LI Guru Member

    Excellent! Can you return the favor? I still can't connect with my iPhone...
    Can you tell me all of your PPTP settings? (except user/pass, of course!) Especially those custom settings..
    I still can't authenticate with my iPhone.

    Appreciate any help you can provide.
     
  76. superdos

    superdos Reformed Router Member

    Sure, here are my settings:
    Local IP/netmask: 192.168.1.1 255.255.255.0
    Remote IP range: 192.168.1.210 - 192.168.1.125
    Broadcast relay mode: disable
    Encryption: mppe-128
    Everything else is default, which is no DNS servers set, MTU/MRU at 1450
    Note that I've disabled Tracking / NAT Helpers for GRE/PPTP
     
  77. mraneri

    mraneri LI Guru Member

    Still not working for me...
    You have nothing in the custom configuration box?
    (the dreaded MPPE Required but not available...)
    Any other ideas?

    From the log...
    Code:
    Jul 15 11:02:46 router daemon.info pptpd[2939]: CTRL: Client [SNIP] control connection started
    *.info pptpd[2939]: CTRL: Starting call (launching pppd, opening GRE)
    *.notice pppd[2940]: pppd 2.4.5 started by root, uid 0
    *.debug pppd[2940]: using channel 4
    *.info pppd[2940]: Using interface ppp4
    *.notice pppd[2940]: Connect: ppp4 <--> /dev/pts/0
    *.debug pppd[2940]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x8fea0fde> <pcomp> <accomp>]
    *.debug pppd[2940]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x8fea0fde> <pcomp> <accomp>]
    *.debug pppd[2940]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
    *.debug pppd[2940]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
    *.debug pppd[2940]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
    *.debug pppd[2940]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
    *.debug pppd[2940]: rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
    *.debug pppd[2940]: sent [LCP ConfReq id=0x2 <mru 1450> <asyncmap 0x0> <magic 0x8fea0fde> <pcomp> <accomp>]
    *.debug pppd[2940]: rcvd [LCP ConfAck id=0x2 <mru 1450> <asyncmap 0x0> <magic 0x8fea0fde> <pcomp> <accomp>]
    *.debug pppd[2940]: sent [LCP EchoReq id=0x0 magic=0x8fea0fde]
    *.warn pppd[2940]: peer refused to authenticate: terminating link
    *.debug pppd[2940]: sent [LCP TermReq id=0x3 "peer refused to authenticate"]
    *.debug pppd[2940]: rcvd [LCP EchoReq id=0x0 magic=0x5c40560d]
    *.debug pppd[2940]: rcvd [LCP TermReq id=0x2 "MPPE required but not available"]
    *.debug pppd[2940]: sent [LCP TermAck id=0x2]
    *.err pptpd[2939]: CTRL: EOF or bad error reading ctrl packet length.
    *.err pptpd[2939]: CTRL: couldn't read packet header (exit)
    *.err pptpd[2939]: CTRL: CTRL read failed
    *.debug pptpd[2939]: CTRL: Reaping child PPP[2940]
    *.info pppd[2940]: Hangup (SIGHUP)
    *.notice pppd[2940]: Modem hangup
    *.notice pppd[2940]: Connection terminated.
    *.info pppd[2940]: Exit.
    *.info pptpd[2939]: CTRL: Client [SNIP] control connection finished
    
     
  78. superdos

    superdos Reformed Router Member

    Nope, nothing extra.
    If you have anything extra in the form of scripts/functions running, try to disable it and run vanilla.
    I noticed some problems running the adblock script with pixelserv and I had to remove it.
     
  79. Morac

    Morac Network Guru Member

    I can VPN into my router over 3G from my iPhone and iPad without any problems, but when I try to do so from my workplace's WiFi I get the following error in the log. I'm not sure what it means.

    Code:
    Jul 19 10:48:21 unknown daemon.debug pppd[26902]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0xff63854e> <pcomp> <accomp>]
    Jul 19 10:48:21 unknown daemon.err pptpd[26901]: GRE: read(fd=7,buffer=419854,len=8260) from network failed: status = -1 error = No route to host
    Jul 19 10:48:21 unknown daemon.err pptpd[26901]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
    
    Edit:

    Searching the net, the above apparently has something to do with going through a proxy server (my company uses a "paywall" proxy server to force an accept page). Not sure why that would block VPN once network access is granted.
     
  80. rhester72

    rhester72 Network Guru Member

    If they don't allow GRE, you'll get this. Verizon LTE doesn't, either.

    Rodney
     
  81. raoul

    raoul Network Newbie Member

    Out of interest, did you have any joy in the end? I am also having the same problems with peer refusal to authenticate and MPPE not being available when attempting to connect with an iPhone to the PPTP Server (GUI) running on Shibby 1.28 MIPSR2-100 K26.

    Many thanks in advance.
     
  82. mraneri

    mraneri LI Guru Member

    No joy. Tried lots of different combinations of stuff including disabling some of the scripts I have going. Never could get past this. I eventually gave up. Maybe if the guys can get IPSec going (seems there's an effort ongoing) I'll give that a shot.

    Mike
     
  83. raoul

    raoul Network Newbie Member

    Just on the off chance you are still interested in getting the PPTP server to work: I eventually succeeded, although to be honest I cannot be certain how I achieved it.
    As you may well agree, it would appear from the log that something was either missing or broken. As such I changed from Shibby to DD-WRT; by doing this I was forced to do a hard reset (30-30-30 reset).
    From there it was very straightforward to get the iPhone talking to the PPTP server.
    Unfortunately the DD-WRT firmware is missing a couple of key features that I've grown accustomed to, so I then re-flashed back to Shibby (100 Big VPN); again I needed to do a hard reset following the flash.
    I re-entered all the relevant data and I'm up and running with either direct IP or DynDNS.
    If you choose to try again and have any trouble, drop me a line. Best of luck.
     
  84. M_ars

    M_ars LI Guru Member

    Hi
    Just played a bit with the PPTP server and noticed that my Android 4.03 phone can connect to the router without encryption? How is that possible?

    I checked the options file but it looks ok? --> mppe-128 is required...
    Code:
    logfile /var/log/pptpd-pppd.log
    debug
    lock
    name *
    proxyarp
    minunit 4
    nobsdcomp
    lcp-echo-failure 10
    lcp-echo-interval 5
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    nomppe-stateful
    ms-ignore-domain
    chap-secrets /tmp/pptpd/chap-secrets
    ip-up-script /tmp/pptpd/ip-up
    ip-down-script /tmp/pptpd/ip-down
    mtu 1450
    mru 1450
    Does anyone else have the same problem?

    The router log file looks like this - but I still have access to my local files and so on...

    Code:
    Oct  6 12:50:49 RT-N16 daemon.err pppd[1623]: Received bad configure-rej:  12 06 01 00 00 40
    Oct  6 12:50:51 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfReq id=0x3]
    Oct  6 12:50:51 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfAck id=0x3]
    Oct  6 12:50:52 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfReq id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:52 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfRej id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:52 RT-N16 daemon.err pppd[1623]: Received bad configure-rej:  12 06 01 00 00 40
    Oct  6 12:50:54 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfReq id=0x3]
    Oct  6 12:50:54 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfAck id=0x3]
    Oct  6 12:50:55 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfReq id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:55 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfRej id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:55 RT-N16 daemon.err pppd[1623]: Received bad configure-rej:  12 06 01 00 00 40
    Oct  6 12:50:57 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfReq id=0x3]
    Oct  6 12:50:57 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfAck id=0x3]
    Oct  6 12:50:58 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfReq id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:58 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfRej id=0xc <mppe +H -M +S -L -D -C>]
    Oct  6 12:50:58 RT-N16 daemon.err pppd[1623]: Received bad configure-rej:  12 06 01 00 00 40
    
     
  85. gfunkdave

    gfunkdave Networkin' Nut Member

    The server is still requiring encryption. At least, that's how it works on my iPhone.
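
    The triage function below is an added example, not code from pppd, Tomato or any poster. It scans pppd/pptpd syslog lines for the three failure signatures that recur in this thread: LCP Config-Requests going unanswered, or pptpd's GRE read failing, as in posts 72 and 79 (TCP/1723 reaches the router but GRE, IP protocol 47, does not); the client rejecting the server's `<auth chap MS-v2>` proposal, as in post 77 (without MS-CHAPv2 there is no MPPE key material, hence the peer's "MPPE required but not available"); and the peer rejecting MPPE in CCP with a reject that pppd logs as bad and ignores, as in post 84 (pppd's FSM keeps retransmitting the CCP request, which is what the repeating lines there show). The sample excerpts are constructed from the logs quoted above with pids and magic numbers kept and lines trimmed; the syslog line shape it parses is an assumption.

```python
"""Triage pppd/pptpd syslog lines for the PPTP failure modes seen in this thread.

Added example; not code from pppd, Tomato or any poster.  Assumes syslog lines
of the form "<prefix> pppd[<pid>]: <message>" or "<prefix> pptpd[<pid>]: <message>".
"""
import re

MSG = re.compile(r"\b(pppd|pptpd)\[\d+\]: (.*)$")

EXPLAIN = {
    "GRE_NOT_ARRIVING": "TCP/1723 reached pptpd (it launched pppd) but no GRE frame came "
                        "back: IP protocol 47 is being dropped somewhere on the way in.",
    "AUTH_REFUSED": "Peer rejected <auth chap MS-v2>; without MS-CHAPv2 no MPPE keys can be "
                    "derived, which is why the peer then says 'MPPE required but not available'.",
    "CCP_MPPE_REJECTED": "Peer rejects MPPE in CCP; a reject that does not echo what pppd sent "
                         "is logged as bad and ignored, so CCP never completes and keeps retrying.",
}


def messages(log):
    """Yield (daemon, message) for every pppd/pptpd line; other syslog lines are skipped."""
    for line in log.splitlines():
        m = MSG.search(line)
        if m:
            yield m.group(1), m.group(2).strip()


def triage(log):
    """Return {diagnosis: first evidence line} for each failure mode present in the log."""
    found, sent_lcp, rcvd_lcp = {}, 0, 0
    for daemon, msg in messages(log):
        if msg.startswith("sent [LCP ConfReq"):
            sent_lcp += 1
        elif msg.startswith("rcvd [LCP"):
            rcvd_lcp += 1
        if "LCP: timeout sending Config-Requests" in msg or (
                daemon == "pptpd" and msg.startswith("GRE: read") and "No route to host" in msg):
            found.setdefault("GRE_NOT_ARRIVING", msg)
        if re.match(r"rcvd \[LCP ConfRej id=0x[0-9a-f]+ <auth chap MS-v2>\]", msg) \
                or msg.startswith("peer refused to authenticate"):
            found.setdefault("AUTH_REFUSED", msg)
        if re.match(r"rcvd \[CCP ConfRej id=0x[0-9a-f]+ <mppe ", msg) \
                or msg.startswith("Received bad configure-rej"):
            found.setdefault("CCP_MPPE_REJECTED", msg)
    if sent_lcp >= 2 and rcvd_lcp == 0:          # retransmitting into silence
        found.setdefault("GRE_NOT_ARRIVING", "%d LCP ConfReq sent, nothing received" % sent_lcp)
    return found


def report(log):
    """Human-readable lines, one per diagnosis."""
    return ["%s: %s\n    evidence: %s" % (k, EXPLAIN[k], v) for k, v in triage(log).items()]


# Constructed from post 72: control connection up, LCP requests never answered.
LOG_GRE_DROPPED = """\
daemon.debug pppd[14032]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x74c6d184> <pcomp> <accomp>]
daemon.debug pppd[14032]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x74c6d184> <pcomp> <accomp>]
daemon.warn pppd[14032]: LCP: timeout sending Config-Requests
daemon.notice pppd[14032]: Connection terminated.
daemon.err pptpd[14031]: GRE: read(fd=6,buffer=4218bc,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
"""

# Constructed from post 79: a network that passes TCP but not GRE (proxy / LTE carrier).
LOG_NO_ROUTE = """\
Jul 19 10:48:21 unknown daemon.debug pppd[26902]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0xff63854e> <pcomp> <accomp>]
Jul 19 10:48:21 unknown daemon.err pptpd[26901]: GRE: read(fd=7,buffer=419854,len=8260) from network failed: status = -1 error = No route to host
Jul 19 10:48:21 unknown daemon.err pptpd[26901]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
"""

# Constructed from post 77: LCP completes, but the client refuses MS-CHAPv2.
LOG_AUTH_REFUSED = """\
*.debug pppd[2940]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x8fea0fde> <pcomp> <accomp>]
*.debug pppd[2940]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
*.debug pppd[2940]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x5c40560d> <pcomp> <accomp>]
*.debug pppd[2940]: rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
*.debug pppd[2940]: sent [LCP ConfReq id=0x2 <mru 1450> <asyncmap 0x0> <magic 0x8fea0fde> <pcomp> <accomp>]
*.warn pppd[2940]: peer refused to authenticate: terminating link
*.debug pppd[2940]: rcvd [LCP TermReq id=0x2 "MPPE required but not available"]
"""

# Constructed from post 84: link is up, CCP loops because the peer rejects MPPE.
LOG_CCP_LOOP = """\
Oct  6 12:50:52 RT-N16 daemon.debug pppd[1623]: sent [CCP ConfReq id=0xc <mppe +H -M +S -L -D -C>]
Oct  6 12:50:52 RT-N16 daemon.debug pppd[1623]: rcvd [CCP ConfRej id=0xc <mppe +H -M +S -L -D -C>]
Oct  6 12:50:52 RT-N16 daemon.err pppd[1623]: Received bad configure-rej:  12 06 01 00 00 40
"""

if __name__ == "__main__":
    for name, log in [("post 72", LOG_GRE_DROPPED), ("post 79", LOG_NO_ROUTE),
                      ("post 77", LOG_AUTH_REFUSED), ("post 84", LOG_CCP_LOOP)]:
        print(name)
        for line in report(log):
            print("  " + line)
```

    The GRE verdict is the one worth running first: it separates a firewall or carrier problem (fix the INPUT chain, or accept that the network blocks protocol 47) from a pppd option mismatch, which the same log excerpt would otherwise be read as.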
     
  86. M_ars

    M_ars LI Guru Member

    The last few days I am seeing some connection tries from China to my PPTP VPN. Can someone hack the VPN server without having a network/traffic record of a successful connection of a user?

    I think without the record, the invader can try but won't be successful any time soon, right?
     
