StrongVPN PPTP on DD-WRT – Source based routing (improved)

Update: I suggest you consider a new solution, which I've posted here.

Hi there –

Others and I have had a problem with the solution I originally posted here: it works for a couple of hours, then stops and needs a reboot to get it running again. I finally took some time to figure it out, and found that I needed to modify the IP-UP script to re-establish a couple of things each time the tunnel comes up. Here is an update to the original post:

I’m a StrongVPN customer and just today I had a use case that required that I was able to setup the VPN tunnel from my router and only route a specific host down the VPN.

Here is how I did it, using the following settings:

Do the following on your router:

Services->VPN

  • PPTP Client Options: Enable
  • Server IP or DNS name: <this is the IP of the VPN server, hostnames DON’T work>
  • Remote Subnet: <This is the IP that you receive from the VPN server; to get it, first connect from a Mac/Windows machine and check what IP you are given>
  • Remote Subnet Mask: <This is the subnet mask on the remote VPN server; to get it, first connect from a Mac/Windows machine and check what subnet mask you are given. 255.255.255.0 will most likely be fine>
  • MPPE Encryption: mppe required,stateless
  • MTU: 1450
  • MRU: 1450
  • NAT: Enable
  • Username: <This is your StrongVPN user ID>
  • Password: <This is your StrongVPN password>

Setup -> Basic Setup

Under: Network Address Server Settings (DHCP)

  • Static DNS 1: 216.131.94.5
  • Static DNS 2: 216.131.95.20

Administration -> Commands

  • Edit INT, SOURCETOROUTE and the interface name (e.g. ppp0) to suit, paste the following at the end of the STARTUP script, then click 'Save Startup'. The IP specified in SOURCETOROUTE is the source IP that will be routed via the VPN.
    # Customize PPTPD client: (re)write the ip-up hook that the DD-WRT PPTP client runs every time the tunnel comes up
    sleep 50
    mkdir /tmp/etc/config
    echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
    echo "SOURCETOROUTE=192.168.1.119" >> /tmp/pptpd_client/ip-up;
    # REMOTEIP is read from ppp0 when ip-up runs (note the escaped \$), because it changes on every reconnect
    echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
    #echo "ip rule add from \$SOURCETOROUTE table 200" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
    echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
    # Optional debug line (inner quotes and \$(date) escaped so they survive until ip-up actually runs)
    #echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
    # Only root runs ip-up, so executable (755) is all it needs; it does not need to be world-writable (777)
    chmod 755 /tmp/pptpd_client/ip-up;
    
  • Then in the same area, add the following to the FIREWALL script, and once again modify the SOURCETOROUTE and interface as necessary:
    INT=ppp0
    SOURCETOROUTE=192.168.1.119
    echo "sleep 40" > /tmp/firewall_script.sh
    echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
    echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
    echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firewall_script.sh ;
    echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
    echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/firewall_script.sh ;
    # Optional debug line (inner quotes and \$(date) escaped so they survive until the script actually runs)
    #echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
    sh /tmp/firewall_script.sh &

Enjoy.
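The STARTUP script above writes the ip-up hook with a chain of echo commands, which is fine for one host but gets error-prone as soon as you want several. What follows is an added example, not part of the original post and not StrongVPN's or DD-WRT's code: a small POSIX sh generator that produces the same kind of ip-up script for any number of LAN source IPs. It differs from the post's script in three deliberate ways: each `ip rule` is added only if it is not already there (ip-up runs on every reconnect), the table-200 default is written with `ip route replace` so a new tunnel address never leaves a stale route behind, and an `unreachable` default with a high metric is installed in table 200 so that when ppp0 drops, the pinned hosts lose connectivity instead of silently falling back to the ISP path (a policy rule whose table has no matching route falls through to the main table). Assumptions not taken from the page: an iptables with `-C` (1.4.11 or newer; some older DD-WRT builds lack it), the `logger` tool, and the constructed sample addresses 192.168.1.119 and .120.

```shell
#!/bin/sh
# Added example, not from the original post: generate the DD-WRT PPTP
# client ip-up script for several LAN source IPs at once.
# Assumptions (not on the page): interface ppp0, policy table 200, the
# post's script path /tmp/pptpd_client/ip-up, an iptables with -C (>= 1.4.11)
# and the `logger` tool. The sample IPs 192.168.1.119/.120 are constructed.

IFACE="${IFACE:-ppp0}"
TABLE="${TABLE:-200}"
IP_UP="${IP_UP:-/tmp/pptpd_client/ip-up}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet <= 255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
    return 0
}

# gen_ip_up IP [IP...]: print the ip-up script to stdout
gen_ip_up() {
    [ $# -gt 0 ] || { echo "gen_ip_up: need at least one source IP" >&2; return 1; }
    for _s in "$@"; do
        is_ipv4 "$_s" || { echo "gen_ip_up: bad source IP: $_s" >&2; return 1; }
    done
    cat <<EOF
#!/bin/sh
# generated: route the listed LAN hosts over $IFACE via policy table $TABLE
REMOTEIP=\$(ifconfig $IFACE | sed -n 's/.*inet *addr:\([0-9.]*\).*/\1/p')
[ -n "\$REMOTEIP" ] || { logger -t ip-up "no inet address on $IFACE"; exit 1; }
# replace, not add: a reconnect hands out a new REMOTEIP and the old route must go
/usr/sbin/ip route replace default via \$REMOTEIP dev $IFACE table $TABLE
# fail closed: when $IFACE goes down the kernel removes the route above and this
# higher-metric entry answers instead of falling through to the main table
/usr/sbin/ip route replace unreachable default metric 1000 table $TABLE
EOF
    for _s in "$@"; do
        echo "/usr/sbin/ip rule show | grep -q 'from $_s lookup $TABLE' || /usr/sbin/ip rule add from $_s table $TABLE"
    done
    cat <<EOF
/usr/sbin/ip route flush cache
# -C tests for the rule first so repeated ip-up runs do not stack duplicates
/usr/sbin/iptables -t nat -C POSTROUTING -o $IFACE -j MASQUERADE 2>/dev/null ||
  /usr/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
/usr/sbin/iptables -C FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null ||
  /usr/sbin/iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# install_ip_up IP [IP...]: write the script to $IP_UP and make it executable
# (only root runs it, so 755 rather than the post's 777)
install_ip_up() {
    mkdir -p "$(dirname "$IP_UP")" &&
    gen_ip_up "$@" > "$IP_UP" &&
    chmod 755 "$IP_UP"
}

# Usage from the DD-WRT STARTUP box: install_ip_up 192.168.1.119 192.168.1.120
if [ $# -gt 0 ]; then install_ip_up "$@"; fi
```

The fail-closed default is a choice, not a requirement: with it, the hosts listed lose Internet access whenever the tunnel is down, which is usually exactly what "only via the VPN" is meant to guarantee. If you prefer the post's behaviour (fall back to the ISP route), delete the `unreachable` line from the heredoc.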


21 thoughts on “StrongVPN PPTP on DD-WRT – Source based routing (improved)”

  1. Excellent post on something a lot of people have trouble with.

    I was looking around for a solution for a friend of mine who uses StrongVPN and wanted to do this.

    I use Overplay, which has an embedded DD-WRT application available, so you do not have to do any of this scripting or logging in. I even purchased a DD-WRT E1000 router through their router provider, https://www.flashrouters.com.

    Thanks again for the nice tutorial.

  2. Very handy and has helped me out. However, how can I add multiple SOURCETOROUTE entries so that more than one device can be routed over the VPN?

    1. CV8R – Haven’t tested this, but figure this should work…

      ——–
      STARTUP
      ——–

      # Customize PPTPD client
      sleep 50
      mkdir /tmp/etc/config
      echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
      echo "SOURCETOROUTE=192.168.1.119" >> /tmp/pptpd_client/ip-up;
      echo "SOURCETOROUTE2=192.168.1.120" >> /tmp/pptpd_client/ip-up;
      echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
      #echo "ip rule add from \$SOURCETOROUTE table 200" >> /tmp/pptpd_client/ip-up;
      echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
      echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
      echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
      echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
      echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
      #echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
      chmod 777 /tmp/pptpd_client/ip-up;

      ——–
      FIREWALL
      ——–

      INT=ppp0
      SOURCETOROUTE=192.168.1.119
      SOURCETOROUTE2=192.168.1.120
      echo "sleep 40" > /tmp/firewall_script.sh
      echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
      echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
      echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firewall_script.sh ;
      echo "ip rule add from $SOURCETOROUTE2 table 200" >> /tmp/firewall_script.sh ;
      echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
      echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/firewall_script.sh ;
      #echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
      sh /tmp/firewall_script.sh &

  3. Thanks for this, I was searching for something like this for so long. I have tried it and it worked for me, but my current VPN is slow and I can't switch between servers. My friend showed me Astrill VPN on his router and I think I will get it as it's much easier to use – take a look http://i40.tinypic.com/2ms4juh.png Anyone used Astrill VPN?

  4. I got this working yesterday, but sometime in the last day it stopped working, not sure when. Ever since, I cannot get the routing to work. When it did work, I saw entries in the log which listed the IP I was trying to route. Since then…nothing. Any debugging hints or lessons learned you could share? Thanks-

    1. Here are some of the common things I look at:

      1. ifconfig ppp0 – assuming your interface name is ppp0, check that it is up.
      2. ip rule – should show your configured source IP referring to table 200
      3. ip route show table 200 – should output the route for VPN sources as default via configured interface (e.g. ppp0)
      4. ip route flush cache – good for debugging to clean up route cache
      5. tcpdump -i ppp0 – check what traffic if any is going down ppp0
      6. ps – good for looking at running processes, in particular to watch the SLEEP post script run (usually boot-up)
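As an added example, not part of the reply above or of the original post: a small sh helper that turns the first three checklist items into a pass/fail check. The classifier takes the text of `ip rule show` and `ip route show table N` as arguments, so it can be exercised offline on the constructed sample output embedded below, and it names the state that is easy to miss when eyeballing the commands by hand: rule present but no default route in the table. In that state the kernel falls through to the main table and the "VPN-only" host is quietly using the ISP path, which is what the "it worked, then stopped" symptom usually looks like from the routing side. Function names are hypothetical, and the sample lines (including the tunnel gateway 10.8.0.1) are constructed in the shape iproute2 prints.

```shell
#!/bin/sh
# Added example, not from the original thread: turn the debugging checklist
# (ip rule / ip route show table 200 / ifconfig ppp0) into a pass/fail check.
# Function names are hypothetical; the sample output below is constructed.

# rule_present RULES SRC TABLE: RULES is the text of `ip rule show`
rule_present() {
    printf '%s\n' "$1" | grep -q "from $2 lookup $3"
}

# table_default_dev ROUTES IFACE: ROUTES is the text of `ip route show table N`;
# succeeds only if the table's default route leaves via IFACE
table_default_dev() {
    printf '%s\n' "$1" | grep -Eq "^default via [0-9.]+ dev $2( |$)"
}

# table_fail_closed ROUTES: the table carries a blocking default instead
table_fail_closed() {
    printf '%s\n' "$1" | grep -Eq '^(unreachable|prohibit|blackhole) default'
}

# classify RULES ROUTES SRC TABLE IFACE: print one word
#   ok      rule present and the table's default goes out IFACE
#   closed  rule present, tunnel gone, blocking default keeps traffic off the ISP path
#   leak    rule present but no usable default: lookup falls through to the main table
#   norule  no policy rule for SRC at all (the host was never pinned)
classify() {
    if rule_present "$1" "$3" "$4"; then
        if table_default_dev "$2" "$5"; then echo ok
        elif table_fail_closed "$2"; then echo closed
        else echo leak
        fi
    else
        echo norule
    fi
}

# check_host SRC [TABLE] [IFACE]: live version for the router shell
check_host() {
    _src=$1; _table=${2:-200}; _iface=${3:-ppp0}
    _rules=$(/usr/sbin/ip rule show)
    _routes=$(/usr/sbin/ip route show table "$_table")
    _state=$(classify "$_rules" "$_routes" "$_src" "$_table" "$_iface")
    echo "$_src: $_state"
    [ "$_state" = ok ]
}

# Constructed sample output, in the format iproute2 prints
SAMPLE_RULES='0:      from all lookup local
32765:  from 192.168.1.119 lookup 200
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE_UP='default via 10.8.0.1 dev ppp0 '
SAMPLE_TABLE_DOWN=''
SAMPLE_TABLE_CLOSED='unreachable default metric 1000 '

# Usage on the router: check_host 192.168.1.119 200 ppp0
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run `check_host` right after a reconnect and again an hour later: a change from `ok` to `leak` with the rule still listed is the signature of the reconnect problem described at the top of the post, where ppp0 came back with a new address but nothing re-added the table-200 default.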

  5. Hi,
    Thanks for great post!

    Does anyone know how to modify this to get only certain ports on one ip-number to get routed through ppp0?

    Thomas

  6. If I want only 192.168.1.119 + 192.168.1.120 routed on the VPN PPTP client, this code is OK :

    ——
    STARTUP
    ——
    #Customize PPTPD client
    sleep 50
    mkdir /tmp/etc/config
    echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
    echo "SOURCETOROUTE1=192.168.1.119" >> /tmp/pptpd_client/ip-up;
    echo "SOURCETOROUTE2=192.168.1.120" >> /tmp/pptpd_client/ip-up;
    echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
    echo "ip rule add from \$SOURCETOROUTE1 table 200" >> /tmp/pptpd_client/ip-up;
    echo "ip rule add from \$SOURCETOROUTE2 table 200" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
    echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
    echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
    #echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
    chmod 777 /tmp/pptpd_client/ip-up;

    ——
    FIREWALL
    ——
    INT=ppp0
    SOURCETOROUTE1=192.168.1.119
    # the second host must go in SOURCETOROUTE2, otherwise the ip rule line below expands to an empty source
    SOURCETOROUTE2=192.168.1.120
    echo "sleep 40" > /tmp/firewall_script.sh
    echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
    echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
    echo "ip rule add from $SOURCETOROUTE1 table 200" >> /tmp/firewall_script.sh ;
    echo "ip rule add from $SOURCETOROUTE2 table 200" >> /tmp/firewall_script.sh ;
    echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
    echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/firewall_script.sh ;
    #echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
    sh /tmp/firewall_script.sh &

  7. My VPN service is dynamic. Is it possible for me to use your solution with it? I am not sure how to get it to work.

    1. Could you elaborate on ‘dynamic’?

      Most VPN services provide Dynamic (DHCP) IP addresses – that is normal and does work with this solution.

      1. Yeah, my VPN service provides DHCP IP addresses. The PPTP setup in your case was static. How can I implement a VPN service which provides DHCP IP addresses with your solution? StrongVPN provides a firewall script to enable it at http://www.strongvpn.com/dd-wrtfirewall.shtml. When I used that script together with the script you provided, the routing did not seem to work.

    1. Connect the VPN from a computer (Mac/Windows/Linux… whatever) then use their command-line tools to get the IP information (including subnet) for the virtual interface:

      Mac/Linux/Unix: ifconfig ppp0
      Windows: ipconfig /all
