openwrt - PPTP

Last updated: 2014-11-24

Contents

  • Version 12 installation
    - mtu and mru
    - Windows Client
    - GUI
    - PPTP behind NAT
    - LOG
  • Version 14 installation
    - /etc/config/pptpd
    - /etc/firewall.user
    - /etc/config/firewall
    - /etc/ppp/options.pptpd
  • CPU Resource
  • pptp passthrough (lan client -> wan server)

Version 12 installation


PPTP Daemon Install:

Run:

opkg install pptpd

Output:

Configuring kmod-ipv6.
Configuring kmod-gre.
Configuring pptpd.

kmod-mppe

Installing pptpd by itself does not install the kernel encryption module (kmod-mppe); if encryption is "required", install it separately.

Run:

opkg install kmod-mppe 

Output:

Configuring kmod-crypto-hash.
Configuring kmod-crypto-manager.
Configuring kmod-crypto-ecb.
Configuring kmod-crypto-sha1.
Configuring kmod-mppe.

Check:

lsmod | grep ppp_mppe

ppp_mppe                4768  2
ppp_generic            18848 12 ppp_mppe,pppoe,pppox,ppp_async

Other related packages:

  • kmod-pptp
  • ppp-mod-pptp

Check version:

pptpd  -v

pptpd v1.3.4

Configuration

version: 12.09

  • /etc/ppp/options.pptpd
172.16.1.1:          <-- sets the server IP; the tunnel's local IP defaults to 192.168.0.1; format is <localip>:<remoteip>
proxyarp             <-- lets clients reach the LAN
  • /etc/pptpd.conf
delegate

# delegates the allocation of  client  IP  addresses  to  pppd
# pppd may use chap-secrets to allocate an address. (the server uses "192.168.1.2:" in options.pptpd to specify the IP)
# Default: pppd manages the list of IP addresses

Adding/removing accounts:

  • /etc/ppp/chap-secrets

Because only chap-secrets is used for authentication, the configuration contains:

require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap

Content format:

/etc/ppp/chap-secrets

# username provider password ipaddress
tester * mypw 192.168.1.221
  • provider: corresponds to the name "pptp-server" in the pppd options
  • ipaddress: the IP the client will receive once the VPN is established
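
As an added example (not from the original page), the following shell script parses the chap-secrets format described above and checks the file mode, since pppd logs a warning when the file is readable by group or others (see the LOG section). The file contents and path are a constructed sample, and the function names are my own, not part of pppd or OpenWrt.

```sh
#!/bin/sh
# Added example, not from the original page: parse a pppd chap-secrets file and
# check its permissions. The field order in chap-secrets is
#   <client> <server> <secret> [<ip-address>]
# "server" must equal the `name "pptp-server"` option given to pppd, or be "*".

# Constructed sample written to a temp directory so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SECRETS="$SAMPLE_DIR/chap-secrets"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_SECRETS" <<'EOF'
# username   provider      password   ipaddress      (constructed sample)
tester       *             mypw       192.168.1.221
user2        pptp-server   pw2        192.168.1.222
other        vpn-b         pw3
EOF
chmod 644 "$SAMPLE_SECRETS"   # deliberately too permissive, to trigger the check

# chap_secrets_entries <file>: print "client server ip" per entry, never the secret.
# A missing fourth field means pppd may hand out any address, shown here as "*".
chap_secrets_entries() {
    sed -e 's/#.*$//' "$1" | awk 'NF >= 3 { ip = (NF >= 4) ? $4 : "*"; print $1, $2, ip }'
}

# chap_secrets_clients_for <file> <server-name>: clients allowed to authenticate
# against the given pppd "name"; a server field of "*" matches any name.
chap_secrets_clients_for() {
    chap_secrets_entries "$1" | awk -v srv="$2" '$2 == srv || $2 == "*" { print $1 }'
}

# chap_secrets_mode_ok <file>: exit 0 only when nobody but the owner can read it.
# pppd otherwise logs "secret file ... has world and/or group access".
chap_secrets_mode_ok() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       echo "WARN: $1 has mode $mode; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# Usage:
chap_secrets_entries "$SAMPLE_SECRETS"
chap_secrets_clients_for "$SAMPLE_SECRETS" pptp-server
chap_secrets_mode_ok "$SAMPLE_SECRETS" || true
```

On a router, point the functions at /etc/ppp/chap-secrets instead of the sample file; the secret column is never printed, so the output is safe to paste into a ticket.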

 

version: 14.07

/etc/config/pptpd

config service 'pptpd'
        option 'enabled' '1'
        option 'localip' '192.168.88.1'
        option 'remoteip' '192.168.88.50-70'

config 'login'
        option 'username' 'youruser'
        option 'password' 'yourpass'

/etc/init.d/pptpd start


Firewall and Network


vi /etc/config/firewall

config 'rule'
	option 'target'    'ACCEPT'
	option 'proto'     'tcp'
	option 'dest_port' '1723'
	option 'family'    'ipv4'
	option 'src'       'wan'

GRE tunnel, which uses IP protocol 47 (GRE)   <-- not required

config 'rule'
        option 'target' 'ACCEPT'
        option 'name'   'GRP'
        option 'src'    'wan'
        option 'proto'  '47'

 


Forward traffic from vpn to lan & wan

/var/config/firewall:

config 'zone'
        option 'input'   'ACCEPT'
        option 'forward' 'REJECT'
        option 'output'  'ACCEPT'
        option 'name'    'vpn'
        option 'network' 'vpn'

# vpn --> lan
config 'forwarding'
        option 'dest' 'lan'
        option 'src'  'vpn'

# vpn --> wan
config 'forwarding'
        option 'dest' 'wan'
        option 'src'  'vpn'

# lan --> vpn
config 'forwarding'
        option 'dest' 'vpn'
        option 'src'  'lan'

/etc/config/network:

config 'interface'      'vpn'
        option 'proto'  'none'
        option 'ifname' 'ppp.'
        option 'auto'   '1'

/etc/init.d/firewall restart

/etc/init.d/network restart

This generates the following rules:

iptables -v -nL | grep ppp

    3   156 zone_vpn_forward  all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
   71  5599 zone_vpn   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    8  9428 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
   71  5599 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0

Another approach is to use the following commands:

/etc/firewall.user

# Allow all traffic in and out of the ppp interface.
/usr/sbin/iptables -A input_rule -i ppp+ -j ACCEPT
/usr/sbin/iptables -A input_rule -j RETURN
        
/usr/sbin/iptables -A output_rule -o ppp+ -j ACCEPT
/usr/sbin/iptables -A output_rule -j RETURN

# This rule will allow traffic towards internet
/usr/sbin/iptables -A forwarding_rule -i ppp+ -j ACCEPT
/usr/sbin/iptables -A forwarding_rule -j RETURN

Note that using ppp+ here causes real trouble when PPPoE is in use, because the PPPoE interface also matches these rules!!

iptables does not support ".".
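
Added example, not part of the original page: a small shell check that shows what the iptables "+" wildcard actually matches, so the PPPoE problem above can be seen before the rules go live. The interface list is constructed; on OpenWrt a PPPoE uplink is named pppoe-<iface>, for example pppoe-wan, so it begins with "ppp" and is caught by ppp+. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original page: show which interface names an
# iptables "+" interface wildcard matches. A trailing "+" in -i/-o matches every
# interface whose name starts with the preceding characters, so "ppp+" matches
# ppp0 (a PPTP session) and equally pppoe-wan (OpenWrt's PPPoE uplink).

# Constructed interface list, as `ip -o link` might list them on a router with
# a PPPoE WAN and two PPTP clients connected.
SAMPLE_IFACES="lo eth0 br-lan pppoe-wan ppp0 ppp1"

# iptables_wildcard_matches <pattern> <ifname>: exit 0 when the iptables
# interface pattern would match the interface name.
iptables_wildcard_matches() {
    pattern=$1; name=$2
    case "$pattern" in
        *+)
            prefix=${pattern%+}
            case "$name" in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac ;;
        *)
            [ "$pattern" = "$name" ] ;;
    esac
}

# list_matching_ifaces <pattern> <ifname>...: print every interface the pattern hits.
list_matching_ifaces() {
    pattern=$1; shift
    for ifn in "$@"; do
        if iptables_wildcard_matches "$pattern" "$ifn"; then
            echo "$ifn"
        fi
    done
}

# audit_wan_exposure <pattern> <wan-ifname>: exit 1 with a warning when the
# pattern used for the VPN ACCEPT rules would also open up the WAN interface.
audit_wan_exposure() {
    pattern=$1; wan=$2
    if iptables_wildcard_matches "$pattern" "$wan"; then
        echo "WARN: '$pattern' also matches WAN interface $wan; these ACCEPT rules apply to the uplink"
        return 1
    fi
    echo "OK: '$pattern' does not match $wan"
}

# Usage (on a live router, replace SAMPLE_IFACES with the names from `ip -o link`):
# shellcheck disable=SC2086
list_matching_ifaces 'ppp+' $SAMPLE_IFACES
audit_wan_exposure 'ppp+' pppoe-wan || true
```

The zone-based configuration shown earlier in this section avoids the problem because the firewall matches the ppp interfaces through the vpn network rather than a bare ppp+ rule in firewall.user.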

 



Network topology:

  • One Network
  • Two Networks - Routed

 

One Network:

Add to the configuration:

proxyarp

Two Networks - Routed:

iptables        -A forwarding_rule -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
# allow VPN connections to get out WAN interface (to internet)
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

 

iptables        -A forwarding_rule -s 172.16.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables        -A forwarding_rule -s 192.168.1.0/24 -d 172.16.1.0/24 -j ACCEPT

 


mtu and mru

mtu 1482
mru 1482

 


Windows Client

route print shows:

0.0.0.0        0.0.0.0    192.168.123.1  192.168.123.21       20

127.0.0.0      255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.1.222  255.255.255.255  127.0.0.1       127.0.0.1       50

192.168.1.0      255.255.255.0      192.168.1.222   192.168.1.222       1
192.168.1.255    255.255.255.255    192.168.1.222   192.168.1.222       50
255.255.255.255  255.255.255.255    192.168.1.222   192.168.1.222       1

192.168.123.21 is the local IP of this machine

192.168.1.222 is the IP obtained through the VPN

 


GUI

luci client:

  • luci-proto-ppp

 


PPTP behind NAT

Diagram:

          NAT
Client1----|___ Router____PPTP_Server
Client2----|

------PPTP----->

Without a helper, only one client can use PPTP in the setup above.

Reason:

GRE uses only IP addresses but no port numbers giving the router's NAT a tough time to track such a connection.

opkg install kmod-ipt-nathelper-extra

You get:

  • nf_nat_proto_gre.ko       # used for pptp
  • nf_nat_pptp.ko            # used for pptp
  • ..............................

Dependency:

kmod-lib-textsearch

  • /etc/modules.d/lib-textsearch
  • /lib/modules/3.10.49/ts_fsm.ko
  • /lib/modules/3.10.49/ts_bm.ko
  • /lib/modules/3.10.49/ts_kmp.ko

 


LOG

connect

# log without debug

Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
Warning - secret file /etc/ppp/chap-secrets has world and/or group access
MPPE 128-bit stateless compression enabled
found interface br-lan for proxy arp
local  IP address 192.168.8.1
remote IP address 192.168.8.201

disconnect

LCP terminated by peer ()M-\kM-^M^@<M-Mt^@^@^@^@)
Connect time 7.7 minutes.
Sent 992165 bytes, received 125490 bytes.
Modem hangup
Connection terminated.

 

# log with debug

using channel 24
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0xfbab659c>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x372e25e0> <pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1482> <auth chap MS-v2> <magic 0xfbab659c>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x372e25e0> <pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <magic 0x372e25e0>]
sent [LCP ConfAck id=0x2 <magic 0x372e25e0>]
sent [LCP EchoReq id=0x0 magic=0xfbab659c]
sent [CHAP Challenge id=0x62 <??>, name = "pptp-server"]
rcvd [LCP EchoReq id=0x0 magic=0x372e25e0]
sent [LCP EchoRep id=0x0 magic=0xfbab659c]
rcvd [LCP EchoRep id=0x0 magic=0x372e25e0]
rcvd [CHAP Response id=0x62 <??>, name = "datahunter"]
sent [CHAP Success id=0x62 "S=?? M=Access granted"]
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.123.1>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
sent [IPCP ConfNak id=0x1 <addr 192.168.123.202>]
rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 192.168.123.1>]
rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 192.168.123.202>]
sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 192.168.123.202>]
found interface br-lan for proxy arp
local  IP address 192.168.123.1
remote IP address 192.168.123.202
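
Added example (not from the original page): shell functions that pull the essentials out of a pppd log like the one above, namely the negotiated authentication, the peer's CHAP name, whether CHAP Success was sent, the MPPE key length, the remote address, and the chap-secrets permission warning. The log excerpt embedded below is constructed in the same format; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original page: summarise a pppd log such as the
# one above, so an operator can confirm a session negotiated MS-CHAPv2 and
# 128-bit MPPE and see which peer received which address. The excerpt below
# is constructed in pppd's own output format.

SAMPLE_LOG=$(cat <<'EOF'
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
Warning - secret file /etc/ppp/chap-secrets has world and/or group access
sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0xfbab659c>]
rcvd [LCP ConfAck id=0x1 <mru 1482> <auth chap MS-v2> <magic 0xfbab659c>]
sent [CHAP Challenge id=0x62 <??>, name = "pptp-server"]
rcvd [CHAP Response id=0x62 <??>, name = "datahunter"]
sent [CHAP Success id=0x62 "S=?? M=Access granted"]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
local  IP address 192.168.123.1
remote IP address 192.168.123.202
EOF
)

# pppd_log_auth <log>: authentication the peer ACKed in our LCP ConfReq.
pppd_log_auth() {
    printf '%s\n' "$1" | sed -n 's/.*rcvd \[LCP ConfAck.*<auth \([^>]*\)>.*/\1/p' | head -n 1
}

# pppd_log_peer_name <log>: the user name the peer sent in its CHAP Response.
pppd_log_peer_name() {
    printf '%s\n' "$1" | sed -n 's/.*rcvd \[CHAP Response.*name = "\([^"]*\)".*/\1/p' | head -n 1
}

# pppd_log_auth_result <log>: "authenticated" if we sent CHAP Success, else "rejected".
pppd_log_auth_result() {
    if printf '%s\n' "$1" | grep -q 'sent \[CHAP Success'; then
        echo authenticated
    else
        echo rejected
    fi
}

# pppd_log_mppe_bits <log>: MPPE key length (e.g. 128) if encryption came up, else "none".
pppd_log_mppe_bits() {
    bits=$(printf '%s\n' "$1" | sed -n 's/^MPPE \([0-9]*\)-bit .*/\1/p' | head -n 1)
    echo "${bits:-none}"
}

# pppd_log_remote_ip <log>: the address handed to the peer.
pppd_log_remote_ip() {
    printf '%s\n' "$1" | sed -n 's/^remote IP address \(.*\)$/\1/p' | head -n 1
}

# pppd_log_secrets_exposed <log>: exit 0 if pppd warned that chap-secrets is
# readable by group or others.
pppd_log_secrets_exposed() {
    printf '%s\n' "$1" | grep -q 'secret file .* has world and/or group access'
}

# pppd_log_summary <log>: one line of key facts plus a warning line if needed.
pppd_log_summary() {
    printf 'auth=%s user=%s result=%s mppe=%s remote=%s\n' \
        "$(pppd_log_auth "$1")" "$(pppd_log_peer_name "$1")" \
        "$(pppd_log_auth_result "$1")" "$(pppd_log_mppe_bits "$1")" \
        "$(pppd_log_remote_ip "$1")"
    if pppd_log_secrets_exposed "$1"; then
        echo 'WARN: chap-secrets is group/world readable; chmod 600 /etc/ppp/chap-secrets'
    fi
}

pppd_log_summary "$SAMPLE_LOG"
```

On a router the same functions can be fed with `logread` output, or with the file named by the `logfile` option in options.pptpd when `debug` is enabled.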


Version 14

On OpenWrt v14 the PPTP setup differs from v12: it no longer relies on the pptp package's own configuration file; everything is configured through /etc/config/pptpd instead.

/etc/config/pptpd

config service 'pptpd'
        option 'enabled' '1'
        option 'localip' '192.168.0.1'
        option 'remoteip' '192.168.0.20-30'

config 'login'
        option 'username' 'youruser'
        option 'password' 'yourpass'

config 'login'
        option 'username' 'user2'
        option 'password' 'pw2'

OR

config service 'pptpd'
        option 'enabled' '1'
        option 'localip' 'xxx.yyy.zzz.1'

config 'login'
        option 'username' 'youruser'
        option 'password' 'yourpass'
        option 'remoteip' 'xxx.yyy.zzz.201'

config 'login'
        option 'username' 'user2'
        option 'password' 'pw2'
        option 'remoteip' 'xxx.yyy.zzz.202'

/etc/firewall.user

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

/etc/config/firewall

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'
        option name 'pptp'

config 'rule'
        option 'target' 'ACCEPT'
        option 'name'   'GRP'
        option 'src'    'wan'
        option 'proto'  '47'

Client to Lan:

/etc/ppp/options.pptpd

* The settings below are pppd options!!

# log the contents of all control packets sent or received in a readable form
#debug
#logfile /tmp/pptp-server.log

192.168.123.1:
auth
name "pptp-server"

lcp-echo-failure 3
lcp-echo-interval 60

# Disable asyncmap negotiation, forcing all control characters to be escaped for both the transmit and the receive direction.
default-asyncmap

mtu 1482
mru 1482

# pppd will not request or agree to compress packets
# Disables BSD-Compress compression
# Disables Deflate compression
nobsdcomp
nodeflate

mppe required,no40,no56,stateless

# Add an entry to this system's ARP table with the IP address of the peer
#noproxyarp
proxyarp

#nomppc

require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap

ms-dns 192.168.123.1
ms-dns 8.8.8.8

After editing this file, the new settings are applied automatically on the next connection.

For details see:

man pppd

Firewall view:

CPU Resource

With the following pptp settings,

  • nobsdcomp
  • nodeflate
  • mppe required,no40,no56,stateless

on a TP-Link 741N v4

system type             : Atheros AR9330 rev 1
BogoMIPS                : 265.42

at an SCP transfer speed of

1200 K/s

the average requirement is

36% CPU Time

 

 


pptp passthrough (lan client -> wan server)

Setup

  1. Install the kernel module (kmod-nf-nathelper-extra)
  2. Set the sysctl (net.netfilter.nf_conntrack_helper)

V18.06 install kernel module

opkg update

opkg install kmod-nf-nathelper-extra

kmod-nf-nathelper-extra includes:

- amanda
- h323
- irc
- mms
- pptp
- proto_gre
- sip
- snmp_basic
- tftp
- broadcast

Checking

lsmod | grep pptp

...
nf_nat_proto_gre         784  1 nf_nat_pptp

Set sysctl

/etc/sysctl.d/local.conf

net.netfilter.nf_conntrack_helper = 1

/etc/init.d/sysctl restart

Checking

sysctl net.netfilter.nf_conntrack_helper

# After the client connects to the VPN

grep SERVER_IP /proc/net/nf_conntrack

ipv4 2 gre 47 17991 timeout=600, stream_timeout=18000
 src=SERVER_IP dst=Client_WAN_IP
  srckey=0x9680 dstkey=0xcfa1 packets=32 bytes=1352
 src=Client_LAN_IP dst=SERVER_IP
  srckey=0xc60 dstkey=0x9680 packets=54 bytes=6792
 [ASSURED] mark=0 zone=0 use=2

ipv4 2 tcp 6 7418 ESTABLISHED
 src=Client_LAN_IP dst=SERVER_IP sport=53153 dport=1723
  packets=6 bytes=620
 src=SERVER_IP dst=Client_WAN_IP sport=1723 dport=53153
  packets=6 bytes=436
 [ASSURED] mark=0 zone=0 use=3
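
Added example (not from the original page): shell functions that read /proc/net/nf_conntrack entries and show the PPTP control connection together with the GRE tunnel the nf_nat_pptp helper tracks, and whether NAT is rewriting it (the LAN address in one direction differs from the WAN address in the other, as in the entry above). The three conntrack lines embedded below are constructed in the kernel's one-line-per-entry format using documentation addresses; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original page: read /proc/net/nf_conntrack and
# show the PPTP control connection (tcp/1723) together with the GRE tunnel the
# nf_nat_pptp helper tracks for it, and whether NAT is rewriting the tunnel.
# The three lines below are constructed in the kernel's one-line-per-entry
# format, with documentation addresses: server 203.0.113.10, client as seen
# from the WAN 198.51.100.7, client on the LAN 192.168.1.50.

SAMPLE_CONNTRACK=$(cat <<'EOF'
ipv4     2 tcp      6 7418 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=53153 dport=1723 packets=6 bytes=620 src=203.0.113.10 dst=198.51.100.7 sport=1723 dport=53153 packets=6 bytes=436 [ASSURED] mark=0 zone=0 use=3
ipv4     2 gre      47 17991 timeout=600, stream_timeout=18000 src=203.0.113.10 dst=198.51.100.7 srckey=0x9680 dstkey=0xcfa1 packets=32 bytes=1352 src=192.168.1.50 dst=203.0.113.10 srckey=0xc60 dstkey=0x9680 packets=54 bytes=6792 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=40000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=40000 packets=1 bytes=120 mark=0 zone=0 use=2
EOF
)

# conntrack_flows <l4proto> <text>: for every entry of that protocol print
# "orig_src orig_dst reply_src reply_dst" (the first src=/dst= pair is the
# original direction, the second the reply direction; srckey=/dstkey= are skipped).
conntrack_flows() {
    printf '%s\n' "$2" | awk -v proto="$1" '
        $3 == proto {
            n = 0; split("", a)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) { n++; a["src" n] = substr($i, 5) }
                if ($i ~ /^dst=/) {      a["dst" n] = substr($i, 5) }
            }
            print a["src1"], a["dst1"], a["src2"], a["dst2"]
        }'
}

# pptp_control_sessions <text>: "client server" for each PPTP control connection.
pptp_control_sessions() {
    printf '%s\n' "$1" | awk '$3 == "tcp" && $0 ~ / dport=1723 / {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (s == "" && $i ~ /^src=/) s = substr($i, 5)
            if (d == "" && $i ~ /^dst=/) d = substr($i, 5)
        }
        print s, d }'
}

# gre_nat_status <server_ip> <text>: for each GRE entry touching the server print
# "server wan_ip lan_ip status"; status is "nat-helper" when the LAN address seen
# in one direction differs from the WAN address seen in the other, else "direct".
gre_nat_status() {
    conntrack_flows gre "$2" | awk -v srv="$1" '
        $1 == srv || $2 == srv {
            if ($1 == srv) { wan = $2; lan = $3 } else { lan = $1; wan = $4 }
            status = (wan == lan) ? "direct" : "nat-helper"
            print srv, wan, lan, status
        }'
}

# Usage; on a router read the live table with:  cat /proc/net/nf_conntrack
pptp_control_sessions "$SAMPLE_CONNTRACK"
gre_nat_status 203.0.113.10 "$SAMPLE_CONNTRACK"
```

A tcp/1723 entry with no matching GRE entry after the client has connected is the usual sign that the helper is not active: either kmod-nf-nathelper-extra is missing or net.netfilter.nf_conntrack_helper is still 0.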

 

 
