StrongVPN PPTP on DD-WRT – Source based routing

Update: Improved version posted here

I’m a StrongVPN customer, and just today I had a use case that required me to set up the VPN tunnel from my router and route only a specific host down the VPN.

Here is how I did it using these:

Do the following on your router:

Services->VPN

  • PPTP Client Options: Enable
  • Server IP or DNS name: <this is the IP of the VPN server, hostnames DON’T work>
  • Remote Subnet: <This is the IP that you receive from the VPN server; to get it, first connect from Mac/Win and check what IP you get>
  • Remote Subnet Mask: 255.255.255.0
  • MPPE Encryption: mppe required,stateless
  • MTU: 1450
  • MRU: 1450
  • NAT: Enable
  • Username: <This is your StrongVPN user ID>
  • Password: <This is your StrongVPN password>

Setup -> Basic Setup

Under: Network Address Server Settings (DHCP)

  • Static DNS 1: 216.131.94.5
  • Static DNS 2: 216.131.95.20

Security -> Firewall

  • SPI Firewall: Disable

Administration -> Commands

  • Edit the INT and SOURCETOROUTE variables to suit and paste the following, then click ‘save firewall’. The IP specified in SOURCETOROUTE is the source IP that will be routed via the VPN.
    # VPN interface and the LAN host whose traffic goes down the tunnel
    INT=ppp0
    SOURCETOROUTE=192.168.1.119
    # Build a script that waits for the tunnel to come up before touching routes
    echo "sleep 40" > /tmp/firewall_script.sh
    # NAT everything leaving via the VPN interface and clamp the TCP MSS to the path MTU
    echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >>  /tmp/firewall_script.sh ;
    echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
    # Policy rule: packets from SOURCETOROUTE are looked up in routing table 200
    echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firewall_script.sh ;
    # Table 200 gets a default route via the address assigned to the VPN interface
    echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')"  >> /tmp/firewall_script.sh ;
    echo "ip route add default via \$REMOTEIP dev $INT table 200"  >> /tmp/firewall_script.sh ;
    echo "ip route flush cache" >>  /tmp/firewall_script.sh ;
    # Run the generated script in the background
    sh /tmp/firewall_script.sh &
    
  • Reboot your router, give it about 5 minutes, then try it from the machine specified in SOURCETOROUTE.
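Added example (not part of the original post): a health check for the policy route set up above. The `ip rule` entry can outlive the default route in table 200 when the tunnel drops; lookups then fall through to the main table and the SOURCETOROUTE host's traffic leaves over the WAN instead of the VPN. The sample `ip` output is constructed, and the function names, including `check_live`, are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Table 200, ppp0 and the source
# IP follow the post; the sample `ip` output below is constructed.
SAMPLE_RULES='0:      from all lookup local
32765:  from 192.168.1.119 lookup 200
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES_UP='default via 10.10.10.1 dev ppp0'
SAMPLE_ROUTES_DOWN=''   # table 200 after the tunnel dropped

# Succeeds if the rule listing contains "from SRC lookup TABLE".
has_rule() {   # has_rule SRC TABLE RULES_TEXT
    printf '%s\n' "$3" | awk -v s="$1" -v t="$2" \
        '$2 == "from" && $3 == s && $4 == "lookup" && $5 == t { f = 1 }
         END { exit !f }'
}

# Succeeds if the table listing has a default route leaving via DEV.
has_default_via() {   # has_default_via DEV ROUTES_TEXT
    printf '%s\n' "$2" | awk -v d="$1" \
        '$1 == "default" { for (i = 2; i < NF; i++)
                               if ($i == "dev" && $(i + 1) == d) f = 1 }
         END { exit !f }'
}

# Prints one of: ok, no-rule, no-route.
# no-route means the rule exists but table 200 has no default route, so the
# lookup falls through to the main table and traffic bypasses the VPN.
policy_state() {   # policy_state SRC TABLE DEV RULES_TEXT ROUTES_TEXT
    has_rule "$1" "$2" "$4" || { echo no-rule; return 1; }
    has_default_via "$3" "$5" || { echo no-route; return 1; }
    echo ok
}

# Live check on the router (defined here, not called by this example).
check_live() {
    policy_state "${SOURCETOROUTE:-192.168.1.119}" 200 "${INT:-ppp0}" \
        "$(ip rule show)" "$(ip route show table 200)"
}

# Demonstration on the constructed samples.
policy_state 192.168.1.119 200 ppp0 "$SAMPLE_RULES" "$SAMPLE_ROUTES_UP"
policy_state 192.168.1.119 200 ppp0 "$SAMPLE_RULES" "$SAMPLE_ROUTES_DOWN" || true
```

On the router, `check_live` returns non-zero when either the rule or the default route in table 200 is missing.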

15 thoughts on “StrongVPN PPTP on DD-WRT – Source based routing”

  1. Hi, thanks for sharing this. Does your code handle StrongVPN dynamic IP? The IP in Remote Subnet won’t always be the same…

  2. Nvm, with your firewall code, it blocks me from connecting to StrongVPN on my PC. I thought I could use this for my PS3 as well as my Win 7 PC.

  3. Hello Darran
    1) The code appears cut off: echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firew –> COULD YOU PLEASE DETAIL!!
    2) May I define SOURCETOROUTE as a range, for example 192.168.1.200-220?

    Regards, Aldo

  4. I have to reboot my router every hour or so or the ip routes will somehow “disappear” and not go through vpn. Any updates on your solution? 🙂

  5. Thanks for the firewall code. Does it work also with more than 1 IP? Is it possible to specify a range of IP-addresses?

    1. Not quite a range, but you can specify your devices. Here is an example:

      # VPN Device
      INT=ppp0

      # Wait a while for it to boot
      echo "sleep 90" > /tmp/firewall_script.sh

      # Magic stuff
      echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh
      echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh

      # Always routed through United-Statian VPN
      # My PC
      echo "ip rule add from 10.2.8.2 table 200" >> /tmp/firewall_script.sh
      # My smart phone
      echo "ip rule add from 10.2.8.3 table 200" >> /tmp/firewall_script.sh
      # My Xbox
      echo "ip rule add from 10.2.8.4 table 200" >> /tmp/firewall_script.sh

      # More magic stuff
      echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh
      echo "ip route add default via \$REMOTEIP dev $INT table 200" >> /tmp/firewall_script.sh
      echo "ip route flush cache" >> /tmp/firewall_script.sh

      # Launch in background
      sh /tmp/firewall_script.sh &

  6. @Aldo – Copy-n-paste of the above code block will include the text that is cut off.

    @Aldo, @See – I am not aware of how to do a range, sorry.

    @Hak – Yes, I’ve faced the same problem. The resolution is to rerun the ip route commands in an IPUP script. I’ve got something working but it’s not quite right yet… I will post once done.

  7. Thanks for your reply
    Unfortunately it is not working. I needed to change ppp0 to ppp1 because ADSL is on ppp0.
    All computers connect to the Internet, but SOURCETOROUTE seems to have no connection.
    The same as with other solutions; maybe it is a Linksys problem.

  8. Hi, I’m a complete newbie at this. I need to know about the hardware connection. Perhaps you can help me. In my environment I have my ADSL router for Internet and my DD-WRT modified router. Do I need both? How are they connected to each other?

  9. Hi Darran,
    Love your script.
    However, my PPTP connection gets dropped after a certain period (mins to hours).

    Could you pinpoint the source of the problem?

    Regards,
    David
