wrt54g vpn problem

Discussion in 'Networking Issues' started by midol, Jun 25, 2008.

  1. midol

    midol Addicted to LI Member


    I have a wrt54g v8 wireless router and am not able to get incoming vpn connections. I have Windows XP on the target box (the server) and am using the XP server software. From the client I have used both Linux and Windows xp software to no avail. I've set up a new user on the server specifically for testing, no id or pswd issues.

    In browsing your forums I saw a reference to forum threads as below but the urls don't resolve. Hints? Pointers? Do I need a firmware update?


  2. HennieM

    HennieM Network Guru Member

    I have not read the link, but here's the basics:

    When a VPN client connects to your WRT from the internet, your WRT must know where to send that connection. It does not know this except if you explicitly configure it so.

    You must therefore set up port forwarding (for INcoming connections) on the WRT, that says:

    Mr. WRT, when you get a connection from the internet on port xxx, forward that connection to local server with IP address a.b.c.d on port yyy.

    Normally port xxx and port yyy are the same ports.

    You must therefore find out to which port (xxx) your VPN client would connect, and on which port your VPN server expects or listens for connections (yyy), and then do the above.

    You may also have to open the relevant OUTgoing port(s); i.e. when your server responds to the VPN client connecting to it, it will talk back to the WRT which in turn will talk to the client, but if your WRT blocks the port that the server is trying to use for this outgoing connection, it would fail.

  3. midol

    midol Addicted to LI Member

    and moreover...

    Thanks, HennieM. I should confess that this is turning out to be MUCH more complicated than I ever thought it would be, but anyway, here's what I've done.

    The server computer is running MS Windows XP SP2. This OS claims to be able to accept incoming VPN connections, so I have followed instructions and set up the server.

    The WRT54G has a security section (in the web gui) that allows PPTP passthrough and that is enabled. I first tried directing incoming ports 1723 and 500 to, which is the local machine (the XP server). This got me nowhere. So then I thought I'd try having all incoming ports forwarded to 1.104 so I enabled a DMZ for the local machine, thinking this would mean I'd get the incoming packets for sure. But no luck.

    Also I am confused by several nomenclatural issues. My Linux client has a vnc client for Cisco routers and Cisco's name is all over the Linksys router. Does that mean I should expect programs for Cisco gear to work here? And it seems that a vpn connection could be used with IPSec too. Is there any reason to use one rather than another? What would the tradeoffs be?

    If there is a step by step guide, I'd be thrilled. If it matters I'm using Fedora Linux version 7.

    Happy for any and all advice.

  4. HennieM

    HennieM Network Guru Member

    As I understand the VPN Passthrough setting in the WRT is for OUTgoing (client) connections - it makes no difference for incoming VPN connections. I may be wrong about this, but try with passthrough on and off.

    A VPN is not just a VPN. You get all kinds of VPNs; e.g. if you use Skype, you make a VPN with whomever you talk to; if you use OpenVPN as the server, you use an SSL type VPN and must use an SSL OpenVPN client as the client; if you use an IPSec based VPN such as Juniper or other commercial VPNs, you must use a client that speaks the same language.
    In your case, if you use XP as a PPTP VPN server, you must use a PPTP client, with the same encryption, etc.

    Now I don't know what OUTgoing ports a PPTP VPN server would use, but perhaps try with all outgoing ports open on your WRT for starters.

    Further, make sure the IP addresses/subnet used for your VPN is VERY different from your normal (192.168.x.x) addresses. Use perhaps 172.16.x.x for the VPN. This is because the routing on both the client and server can sometimes get confused in what to send over the VPN and what is already in the VPN and must be sent over the normal interface.

    If you can, run the VPN server in debug mode so you can watch if there's any attempt at a connection when a client tries to connect. Also try a sniffer, such as Ethereal (name changed - forget what it is now), or tcpdump (on your Fedora box) to see if there's ANY comms when a VPN client tries to connect.

    As a complete alternative, I'd suggest you rather run OpenVPN on your Fedora box. If you google a bit you should find a step-by-step on how to set that up. A steep learning curve, but not difficult.

    Another alternative is to get a "proper" WRT (a v8 is not a proper WRT in my book) such as a WRT54GL, or a Buffalo, load dd-wrt or Tomato firmware with the VPN server built into the firmware, and run OpenVPN or a PPTP server on the WRT. This way you have none of the port forwarding issues (not that the port forwarding is major... ;)

    If you are highly security oriented, OpenVPN is a much better bet than a PPTP VPN. This is IMO - others may disagree.
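The two posts above boil down to a checklist: the router must forward exactly what the VPN needs to the server, and the VPN address pool must not overlap the LAN. The script below is an added example (not something either poster wrote) that checks a router plan against that checklist for a PPTP server. It assumes a router modelled as a list of (protocol, port, target) forwarding rules plus an optional DMZ host, and it relies on one fact the thread does not spell out: PPTP needs TCP port 1723 for its control connection and GRE (IP protocol 47, which has no port number) for the tunnel itself, so a plain port-forward of 1723 alone is never enough. All addresses and rules in the sample plans are constructed values, not the original poster's configuration.

```python
"""Sanity-check a home-router plan for accepting inbound PPTP VPN connections.

Added example, not from the forum thread. Assumptions:
- the router forwards by (protocol, port) rules and may also name a DMZ host;
- PPTP needs TCP/1723 (control) plus GRE, IP protocol 47 (tunnel carrier);
- LAN, server and VPN pool addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PPTP_CONTROL_PORT = 1723   # TCP control connection
GRE_PROTOCOL_NUMBER = 47   # tunnel carrier; port-less, so a "port" rule can't cover it


@dataclass
class ForwardRule:
    proto: str             # "tcp", "udp" or "gre"
    port: Optional[int]    # None for GRE, which has no port
    target: str            # LAN address the router forwards to


@dataclass
class RouterPlan:
    lan: str                               # router LAN, e.g. 192.168.1.0/24
    vpn_pool: str                          # addresses handed to VPN clients
    server: str                            # LAN address of the VPN server
    rules: List[ForwardRule] = field(default_factory=list)
    dmz_host: Optional[str] = None         # host that receives all unmatched inbound traffic


def check_plan(plan: RouterPlan) -> List[str]:
    """Return a list of findings; an empty list means the plan looks sound."""
    findings: List[str] = []
    lan = ipaddress.ip_network(plan.lan, strict=False)
    pool = ipaddress.ip_network(plan.vpn_pool, strict=False)
    server = ipaddress.ip_address(plan.server)

    # 1. The router can only forward to a host that is actually on its LAN.
    if server not in lan:
        findings.append(f"server {server} is not inside LAN {lan}")

    # 2. Overlapping pool and LAN is the routing confusion the thread warns about.
    if lan.overlaps(pool):
        findings.append(f"VPN pool {pool} overlaps LAN {lan}; use a distinct range")

    # 3. Both halves of PPTP must reach the server (a DMZ host gets everything).
    to_server = [r for r in plan.rules if r.target == plan.server]
    has_control = any(r.proto == "tcp" and r.port == PPTP_CONTROL_PORT for r in to_server)
    has_gre = any(r.proto == "gre" for r in to_server)
    dmz = plan.dmz_host == plan.server
    if not (has_control or dmz):
        findings.append("no rule forwards TCP/1723 to the server")
    if not (has_gre or dmz):
        findings.append("GRE (IP protocol 47) is not forwarded; tunnel traffic will be dropped")

    # 4. Least exposure: forward only what PPTP needs, and avoid a blanket DMZ.
    if dmz:
        findings.append("DMZ exposes every port on the server; replace with TCP/1723 + GRE rules")
    for r in to_server:
        if r.proto != "gre" and r.port != PPTP_CONTROL_PORT:
            findings.append(f"rule {r.proto}/{r.port} is not needed for PPTP")
    return findings


def sample_plans() -> Dict[str, RouterPlan]:
    """Two constructed plans: one resembling the thread's failed attempt, one corrected."""
    server = "192.168.1.50"   # constructed LAN address for the XP box
    flawed = RouterPlan(
        lan="192.168.1.0/24",
        vpn_pool="192.168.1.200/29",        # overlaps the LAN
        server=server,
        rules=[ForwardRule("tcp", 1723, server),
               ForwardRule("udp", 500, server)],   # IKE port, irrelevant to PPTP
    )
    fixed = RouterPlan(
        lan="192.168.1.0/24",
        vpn_pool="172.16.50.0/24",          # distinct private range for the tunnel
        server=server,
        rules=[ForwardRule("tcp", 1723, server),
               ForwardRule("gre", None, server)],
    )
    return {"flawed": flawed, "fixed": fixed}


if __name__ == "__main__":
    for name, plan in sample_plans().items():
        print(f"{name}: {check_plan(plan) or ['ok']}")
```

Running it prints three findings for the flawed plan (pool overlap, missing GRE, an unneeded UDP/500 rule) and `ok` for the fixed one. The GRE line is the one that most often explains "PPTP passthrough is on but nothing connects": the control handshake on 1723 succeeds and the tunnel then silently fails because protocol 47 never reaches the server.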