by lunarg on February 1st 2010, at 16:46

To set up a Windows PPTP VPN server behind your OpenWRT enabled router, you need to forward the necessary ports and protocols, and install the proper modules.

Finding information about how to do this was a lengthy process. I never actually found the necessary info (although I noticed there are quite a few people who are rather clueless about networking; makes me wonder why they're bothering with OpenWRT in the first place, it's not the easiest firmware out there).
But I've managed to compile the bits and pieces of various sources into a coherent mass. It's not a guide in the literal sense, but will tell you what you need, assuming you do know your way around OpenWRT.

The setup was tested with an SBS 2008 as Windows Server, and an OpenWRT White Russian 0.9, enhanced with X-Wrt packages.

Install required kernel modules

Install the following packages (for White Russian; in Kamikaze, they are probably named differently):

ipkg install kmod-ipt-nat-pptp iptables-extra iptables-mod-extra kmod-ipt-extra kmod-ipt-nat-extra kmod-iptables-extra

If it doesn't work, don't forget to run an ipkg update first.
Also, as I said earlier, for Kamikaze, you may have to adjust the package names.

If all went well, you should have additional kernel modules available. The important ones are:

ip_conntrack_proto_gre.o
ip_nat_proto_gre.o
ip_conntrack_pptp.o
ip_nat_pptp.o

Load them in the order above, or reboot your router (the latter is perhaps easier). If you get errors about unresolved symbols, you've forgotten to load them in the right order. If it loads nicely, you're halfway there.

Adjust your firewall settings

You still need to add the necessary rules to forward PPTP traffic to the Windows server on your LAN. PPTP consists of two components:

  • Connection initiation is done through port 1723/tcp. This is standard TCP traffic, and needs to be forwarded to the same port on your Windows server;
  • the actual encapsulation is neither TCP nor UDP, but protocol 47, better known as GRE. GRE packets need to be unconditionally forwarded to the Windows server as well.

It may sound difficult (and questing for it on Google is in fact not easy), but it is not. Add these lines to your firewall configuration file. For White Russian, this is /etc/firewall.user:

## PPTP: forward initiator 1723/tcp
iptables -t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to 192.168.1.10
iptables -A forwarding_wan -p tcp --dport 1723 -d 192.168.1.10 -j ACCEPT

## PPTP: forward tunnel GRE traffic
iptables -t nat -A prerouting_wan -p gre -j DNAT --to 192.168.1.10
iptables -A forwarding_wan -p gre -d 192.168.1.10 -j ACCEPT

In the sample, the Windows server has IP 192.168.1.10. Adjust to your own settings, naturally.
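As an added example (not from the original post), the module-loading step and the firewall rules above can be combined into one /etc/firewall.user-style script that is safe to run more than once. It assumes the White Russian chain names (prerouting_wan, forwarding_wan), the 2.4-kernel module names listed earlier, and a server address given in PPTP_SERVER; INSMOD and IPTABLES can be pointed at "echo" for a dry run that just prints what would be done.

```shell
#!/bin/sh
# Added example, not the original post's code. Loads the PPTP helper modules in
# dependency order, then adds the 1723/tcp and GRE forwarding rules for one
# Windows VPN server. Assumes White Russian chain names and 2.4-kernel module names.

PPTP_SERVER="${PPTP_SERVER:-192.168.1.10}"   # LAN address of the Windows VPN server (assumed)
INSMOD="${INSMOD:-insmod}"                   # set INSMOD=echo for a dry run
IPTABLES="${IPTABLES:-iptables}"             # set IPTABLES=echo for a dry run

# Modules in the order they must be loaded: the GRE conntrack/NAT helpers
# first, then the PPTP helpers that depend on their symbols.
PPTP_MODULES="ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp"

# Load each module unless /proc/modules already lists it, so re-running the
# firewall script does not fail with "module already loaded".
load_pptp_modules() {
    for mod in $PPTP_MODULES; do
        if [ -r /proc/modules ] && grep -q "^$mod " /proc/modules; then
            continue
        fi
        "$INSMOD" "$mod" || return 1
    done
}

# Print the four iptables argument lists for the given server IP, one per
# line. Kept separate from applying them so the rule set can be inspected.
pptp_rules() {
    server="$1"
    cat <<EOF
-t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to $server
-A forwarding_wan -p tcp --dport 1723 -d $server -j ACCEPT
-t nat -A prerouting_wan -p gre -j DNAT --to $server
-A forwarding_wan -p gre -d $server -j ACCEPT
EOF
}

# Feed each rule to iptables; stop at the first failure.
apply_pptp_rules() {
    pptp_rules "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intentional
        "$IPTABLES" $rule || exit 1
    done
}

# Only touch the system when explicitly asked, so the file can also be
# sourced for a dry run with INSMOD=echo IPTABLES=echo.
if [ "${PPTP_APPLY:-0}" = 1 ]; then
    load_pptp_modules && apply_pptp_rules "$PPTP_SERVER"
fi
```

Run it as `PPTP_APPLY=1 PPTP_SERVER=192.168.1.10 sh firewall-pptp.sh` (or source it from firewall.user and call the two functions). Note that the rules, like the originals above, accept 1723/tcp and every inbound GRE packet from any WAN source; if your VPN clients always come from known addresses, adding a `-s` match to each rule narrows what reaches the server.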

Finally, restart your firewall script (or reboot the router), and you should be good to go. Setting up the VPN server on the Windows side is beyond the scope of this article.