Update: I suggest you consider the new solution that I've posted here.
Hi there –
Others and I have had a problem using the solution that I posted here. It works for a couple of hours, but then stops and requires a reboot to get it running again. I finally took some time to try to figure it out, and found that I needed to modify the ip-up script to re-establish a couple of things. Here is an update to the original post:
I'm a StrongVPN customer and just today I had a use case that required me to set up the VPN tunnel from my router and route only a specific host down the VPN.
Here is how I did it using these:
- Router running DD-WRT v24-sp2 (08/07/10) std
- StrongVPN account (PPTP)
Do the following on your router:
Services->VPN
- PPTP Client Options: Enable
- Server IP or DNS name: <the IP address of the VPN server; hostnames DON'T work>
- Remote Subnet: <the IP address that you receive from the VPN server; to find it, first connect from a Mac/Windows machine and check what IP you get>
- Remote Subnet Mask: <the subnet mask of the remote VPN network; to find it, first connect from a Mac/Windows machine and check what subnet mask you get; 255.255.255.0 is likely to be fine>
- MPPE Encryption: mppe required,stateless
- MTU: 1450
- MRU: 1450
- NAT: Enable
- Username: <This is your StrongVPN user ID>
- Password: <This is your StrongVPN password>
Setup -> Basic Setup
Under: Network Address Server Settings (DHCP)
- Static DNS 1: 216.131.94.5
- Static DNS 2: 216.131.95.20
Administration -> Commands
- Edit SOURCETOROUTE and the interface name (e.g. ppp0) to suit, paste the following at the end of the STARTUP script, then click 'Save Startup'. The IP specified in SOURCETOROUTE is the LAN source address that will be routed via the VPN. The script writes /tmp/pptpd_client/ip-up, the hook that pppd runs every time the tunnel comes up; that is what re-establishes the route and NAT rules after a reconnect instead of requiring a reboot.
# Customize PPTPD client
sleep 50
mkdir /tmp/etc/config
mkdir -p /tmp/pptpd_client
# Write the ip-up hook that pppd runs each time ppp0 comes up
echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
echo "SOURCETOROUTE=192.168.1.119" >> /tmp/pptpd_client/ip-up;
# \$ defers the expansion to run time, so REMOTEIP is read from the live ppp0
echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
# The policy rule is added once by the FIREWALL script; leave this line commented out
#echo "ip rule add from \$SOURCETOROUTE table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
#echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
# pppd runs this hook as root: make it executable, but not world-writable
chmod 755 /tmp/pptpd_client/ip-up;
- Then, in the same area, add the following to the FIREWALL script, and once again modify SOURCETOROUTE and the interface as necessary:
INT=ppp0
SOURCETOROUTE=192.168.1.119
# Wait for the PPTP client to come up, then add the NAT rule, MSS clamp, policy rule and route
echo "sleep 40" > /tmp/firewall_script.sh
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firewall_script.sh ;
echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev $INT table 200" >> /tmp/firewall_script.sh ;
#echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
sh /tmp/firewall_script.sh &
Enjoy.
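The scripts above re-add the route and NAT rules when the tunnel comes up, but they have one property a security-minded reader will want to fix: if ppp0 drops, table 200 becomes empty, the policy lookup falls through to the main table, and the "VPN-only" host silently goes out the plain WAN. The following is an added example, not code from the original post or from DD-WRT/StrongVPN, that reworks the two scripts into a single idempotent ip-up hook with a kill switch (a high-metric prohibit default route in table 200 that is all that remains once pppd removes ppp0), supports several hosts, and also covers the later question on this page about routing only certain ports of one host (fwmark-based rule). Assumptions: BusyBox sh, full iproute2 at /usr/sbin/ip, iptables at /usr/sbin/iptables, LAN on br0 as 192.168.1.0/24, tunnel on ppp0; the host list and mark value 0x200 are constructed sample choices. pppd passes the interface name and the peer address to ip-up as its 1st and 5th arguments, so the ifconfig/sed parsing is not needed.

```shell
#!/bin/sh
# Added example (not from the original post): leak-proof policy routing of
# selected LAN hosts over a PPTP tunnel on DD-WRT. Save as
# /tmp/pptpd_client/ip-up (run by pppd on tunnel up) and call
# "sh /tmp/pptpd_client/ip-up firewall" from the DD-WRT firewall script.
# Assumed paths/names: /usr/sbin/ip, /usr/sbin/iptables, br0, ppp0.
VPN_HOSTS="${VPN_HOSTS:-192.168.1.119 192.168.1.120}"   # constructed sample
VPN_IF="${VPN_IF:-ppp0}"
VPN_TABLE="${VPN_TABLE:-200}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IP="${IP:-/usr/sbin/ip}"
IPT="${IPT:-/usr/sbin/iptables}"

# Every command goes through run(): with DRYRUN=1 it is printed instead of
# executed, so the generated rules can be inspected without a router.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One policy rule per host. Delete before add so that re-running this on every
# WAN/VPN reconnect does not stack duplicate rules.
add_host_rule() {
    run "$IP" rule del from "$1" table "$VPN_TABLE" 2>/dev/null
    run "$IP" rule add from "$1" table "$VPN_TABLE"
}

# Route only one port of a host: mark in mangle/PREROUTING (before the routing
# decision) and send marked packets to the same table. $1=host $2=proto $3=dport
add_port_rule() {
    run "$IPT" -t mangle -D PREROUTING -s "$1" -p "$2" --dport "$3" -j MARK --set-mark 0x200 2>/dev/null
    run "$IPT" -t mangle -A PREROUTING -s "$1" -p "$2" --dport "$3" -j MARK --set-mark 0x200
    run "$IP" rule del fwmark 0x200 table "$VPN_TABLE" 2>/dev/null
    run "$IP" rule add fwmark 0x200 table "$VPN_TABLE"
}

# Tunnel-independent part (safe at boot). The 'prohibit' default with a high
# metric is the kill switch: while ppp0 is up the metric-0 route via the tunnel
# wins; when pppd tears ppp0 down the kernel removes that route and the
# prohibit route is all that is left in table 200, so the hosts get
# "administratively prohibited" instead of falling through to the main table.
install_policy() {
    for h in $VPN_HOSTS; do
        add_host_rule "$h"
    done
    # Keep the LAN reachable from table 200 (copy of the main-table LAN route).
    run "$IP" route replace "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    run "$IP" route replace prohibit default table "$VPN_TABLE" metric 1000
    run "$IP" route flush cache
}

# Tunnel-up part: $1 = interface, $2 = peer address (pppd's $1 and $5).
tunnel_up() {
    ifname="$1"; peer="$2"
    run "$IP" route replace default via "$peer" dev "$ifname" table "$VPN_TABLE"
    run "$IP" route flush cache
    # NAT the hosts behind the tunnel address; delete-then-append keeps it idempotent.
    run "$IPT" -t nat -D POSTROUTING -o "$ifname" -j MASQUERADE 2>/dev/null
    run "$IPT" -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
    # Clamp TCP MSS on the tunnel only (PPTP/GRE overhead; MTU 1450 in the post).
    run "$IPT" -D FORWARD -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
    run "$IPT" -I FORWARD -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Entry points: pppd calls ip-up as "ppp0 <tty> <speed> <local-ip> <remote-ip> ...";
# the DD-WRT firewall script (which flushes iptables when it reruns) passes "firewall".
case "${1:-}" in
    ppp*)     install_policy; tunnel_up "$1" "$5" ;;
    firewall) install_policy
              peer=$(ifconfig "$VPN_IF" 2>/dev/null | sed -n 's/.*P-t-P:\([0-9.]*\).*/\1/p')
              [ -n "$peer" ] && tunnel_up "$VPN_IF" "$peer" ;;
esac
```

Two caveats worth checking after installing it: `ip route show table 200` should list the prohibit route at all times and the `default via ... dev ppp0` route only while the tunnel is up, and `ip rule` should show exactly one entry per host, not a growing list. DNS is not covered by source-based policy routing: queries from the VPN-only host go to dnsmasq on the router, which forwards them with the router's own source address via the main table, i.e. out the plain WAN, whatever resolvers are set under Basic Setup.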
Excellent post on something a lot of people have trouble with.
I was looking around for a solution for a friend of mine who uses StrongVPN and wanted to do this.
I use Overplay, which has an embedded DD-WRT application available, so you do not have to do any of this scripting or logging in. I even purchased a DD-WRT E1000 router through their router provider, https://www.flashrouters.com.
Thanks again for the nice tutorial.
I use the built-in PPTP client on my Linksys WRT54GL to connect to my http://www.highspeedvpn.com/ account. It's working well; I have 3 laptops connected to the router.
Very handy and has helped me out. However, how can I add multiple SOURCETOROUTE entries so that more than one device can be routed over the VPN?
CV8R – Haven't tested this, but I figure this should work…
--------
STARTUP
--------
# Customize PPTPD client
sleep 50
mkdir /tmp/etc/config
echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
echo "SOURCETOROUTE=192.168.1.119" >> /tmp/pptpd_client/ip-up;
echo "SOURCETOROUTE2=192.168.1.120" >> /tmp/pptpd_client/ip-up;
echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
#echo "ip rule add from \$SOURCETOROUTE table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
#echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
# executable for pppd (runs as root), but not world-writable
chmod 755 /tmp/pptpd_client/ip-up;
--------
FIREWALL
--------
INT=ppp0
SOURCETOROUTE=192.168.1.119
SOURCETOROUTE2=192.168.1.120
echo "sleep 40" > /tmp/firewall_script.sh
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
echo "ip rule add from $SOURCETOROUTE table 200" >> /tmp/firewall_script.sh ;
echo "ip rule add from $SOURCETOROUTE2 table 200" >> /tmp/firewall_script.sh ;
echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev $INT table 200" >> /tmp/firewall_script.sh ;
#echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
sh /tmp/firewall_script.sh &
Thanks for this, I was searching for something like this for so long. I have tried it and it worked for me, but my current VPN is slow and I can't switch between servers. My friend showed me Astrill VPN on his router and I think I will get it as it's much easier to use – take a look: http://i40.tinypic.com/2ms4juh.png Anyone used Astrill VPN?
Ah thanks for pointing out Astrill and the Tomato applet – looks very user friendly
I got this working yesterday, but sometime in the last day it stopped working, not sure when. Ever since, I cannot get the routing to work. When it did work, I saw entries in the log which listed the IP I was trying to route. Since then…nothing. Any debugging hints or lessons learned you could share? Thanks-
Here are some of the common things I look at:
1. ifconfig ppp0 – assuming your interface name is ppp0, check that it is up.
2. ip rule – should show your configured source IP referring to table 200.
3. ip route show table 200 – should output the route for VPN sources as default via the configured interface (e.g. ppp0).
4. ip route flush cache – good for debugging, to clean up the route cache.
5. tcpdump -i ppp0 – check what traffic, if any, is going down ppp0.
6. ps – good for looking at running processes, in particular to watch the sleep in the post-boot script run (usually at boot-up).
Hi,
Thanks for great post!
Does anyone know how to modify this so that only certain ports on one IP address get routed through ppp0?
Thomas
Has anyone been able to get multiple sources working? It doesn't work.
If I want only 192.168.1.119 + 192.168.1.120 routed over the VPN PPTP client, is this code OK?
------
STARTUP
------
#Customize PPTPD client
sleep 50
mkdir /tmp/etc/config
echo "#!/bin/sh" > /tmp/pptpd_client/ip-up;
echo "SOURCETOROUTE1=192.168.1.119" >> /tmp/pptpd_client/ip-up;
echo "SOURCETOROUTE2=192.168.1.120" >> /tmp/pptpd_client/ip-up;
echo "REMOTEIP=\$(ifconfig ppp0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/pptpd_client/ip-up;
echo "ip rule add from \$SOURCETOROUTE1 table 200" >> /tmp/pptpd_client/ip-up;
echo "ip rule add from \$SOURCETOROUTE2 table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev ppp0 table 200" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/ip route flush cache" >> /tmp/pptpd_client/ip-up;
echo "touch /tmp/execute-debug" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE" >> /tmp/pptpd_client/ip-up;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/pptpd_client/ip-up;
#echo "echo \"/tmp/pptpd_client/ip-up - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/pptpd_client/ip-up;
# executable for pppd (runs as root), but not world-writable
chmod 755 /tmp/pptpd_client/ip-up;
------
FIREWALL
------
INT=ppp0
SOURCETOROUTE1=192.168.1.119
# second host must go in its own variable, otherwise the first one is overwritten
SOURCETOROUTE2=192.168.1.120
echo "sleep 40" > /tmp/firewall_script.sh
echo "/usr/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ;
echo "ip rule add from $SOURCETOROUTE1 table 200" >> /tmp/firewall_script.sh ;
echo "ip rule add from $SOURCETOROUTE2 table 200" >> /tmp/firewall_script.sh ;
echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')" >> /tmp/firewall_script.sh ;
echo "/usr/sbin/ip route add default via \$REMOTEIP dev $INT table 200" >> /tmp/firewall_script.sh ;
#echo "echo \"/tmp/firewall_script.sh - \$(date)\" >> /tmp/dbvpndebug" >> /tmp/firewall_script.sh ;
sh /tmp/firewall_script.sh &
It was a question 🙂
My VPN service is dynamic. Is it possible for me to use your solution with it? I am not sure how to get it to work.
Could you elaborate on ‘dynamic’?
Most VPN services provide Dynamic (DHCP) IP addresses – that is normal and does work with this solution.
Yeah, my VPN service provides DHCP IP addresses. The PPTP setup in your case was static. How can I implement a VPN service which provides DHCP IP addresses with your solution? StrongVPN provides a firewall script to enable it at http://www.strongvpn.com/dd-wrtfirewall.shtml. When I used that script together with the script you provided, the routing did not seem to work.
Hi,
How do you find the remote subnet of your vpn?
Connect the VPN from a computer (Mac/Windows/Linux… whatever), then use its command-line tools to get the IP information (including the subnet) for the virtual interface:
Mac/Linux/Unix: ifconfig ppp0
Windows: ipconfig /all
Thanks for the help. Does the code you provide work together with the firewall script at http://www.strongvpn.com/dd-wrtfirewall.shtml ? I am not sure what the script from the strongvpn website actually does. Hopefully you can help me with this.
Don’t use theirs in conjunction with mine. You should be fine if you just use mine. Cheers.