OpenWRT: Setup PPTP VPN Server

From OnnoWiki
Latest revision as of 10:11, 24 April 2013

Source: http://wiki.openwrt.org/doc/howto/vpn.server.pptpd


Required Packages

opkg install pptpd kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start

pptpd is now running and will also start at boot. Add users to /etc/ppp/chap-secrets (explained below). Optionally, add proxyarp to /etc/ppp/options.pptpd. Then try to connect from a client.

The kernel module kmod-mppe is required for encryption. If you build from trunk, update the firmware to the latest build before installing the kernel module: the kernel changes from time to time, so the modules in the trunk repository may not match an older kernel. Keep in mind what this encryption is worth: MPPE is keyed from the MS-CHAPv2 exchange, whose hashes can be recovered offline, and MPPE itself is RC4 without integrity protection, so a PPTP tunnel keeps casual observers out but should not be relied on against a determined attacker.


OpenWrt Generic

These instructions apply to every OpenWrt version.

Configuration

The default IP address of the server end of the tunnel is 172.16.1.1. It is set in /etc/ppp/options.pptpd as the address followed by a colon, like this:

172.16.1.1:

Change this to an address in your LAN if you want a different VPN address. There is no need to restart pptpd after changing this parameter: the file is read by pppd when the next connection arrives.

To make clients use particular DNS servers, add ms-dns lines to the same file:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

To set the local IP address of the server end of the tunnel, use the localip option in /etc/pptpd.conf. For example:

localip 172.16.1.1

The easiest way to get LAN access is to make sure localip lies in the LAN IP range. To hand out IP addresses to clients dynamically, add the following, which assigns each client an address from the pool:

remoteip 172.16.1.100-109

Tunnel Remote IP Address

Add a line to /etc/ppp/chap-secrets for each client. The format is:

username provider password ipaddress

Add an IP address for every client. An example chap-secrets looks like this:

vpnuser pptp-server vpnpassword 172.16.1.2

To have a VPN user pick up a dynamic address from the remoteip pool instead, put an asterisk in the address field:

vpnuser pptp-server vpnpassword *

Prefer a fixed address, though. With an asterisk the peer may propose its own address, which can produce a routing loop; the symptoms are very large transmit counters on ppp0 and a router that spends its time pushing packets around the loop.

Alternatively, append the entry from the shell instead of editing the file (the second field must be the server name, pptp-server by default):

echo "vpnuser pptp-server vpnpassword 172.16.1.10" >> /etc/ppp/chap-secrets

Type man pppd on a Linux system for more information about this file. The provider field must match the name option in /etc/ppp/options.pptpd; the default is pptp-server, and an entry whose provider does not match will never authenticate. Keep the file readable only by root (chmod 600); on builds where it starts out as a symbolic link into /rom, remove the link and copy the template first.
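Here is an added example, not code from the wiki page or from pptpd, that does the chap-secrets edit with the checks above built in: it reads the name option from options.pptpd so the provider field cannot drift (a mismatched provider such as pptpd-server is the classic reason a user never authenticates), refuses the asterisk, rejects duplicate usernames, replaces a /rom symlink with a real file, and leaves the file mode 600. The function names and the convention of passing file paths as arguments are this example's own assumptions; on the router the files are /etc/ppp/chap-secrets and /etc/ppp/options.pptpd.

```sh
#!/bin/sh
# Added example (not from the wiki page or the pptpd project): add a PPTP client
# to chap-secrets with the checks the text above asks for. File paths are
# arguments so it can be tried against scratch copies; on the router they are
# /etc/ppp/chap-secrets and /etc/ppp/options.pptpd.

# The provider field must equal the 'name' option in options.pptpd;
# pptpd's default is pptp-server.
server_name() {  # server_name OPTIONS_FILE
    n=$(awk '$1 == "name" { print $2; exit }' "$1" 2>/dev/null)
    printf '%s\n' "${n:-pptp-server}"
}

# Print entries that will not authenticate (provider mismatch) or that use the
# wildcard address, which lets the peer propose its own address.
audit_secrets() {  # audit_secrets SECRETS_FILE OPTIONS_FILE
    awk -v p="$(server_name "$2")" '
        /^[[:space:]]*(#|$)/ { next }
        $2 != p   { print "provider mismatch (expected " p "): " $0 }
        $4 == "*" { print "wildcard address (routing-loop risk): " $0 }
    ' "$1"
}

# add_pptp_user USER PASSWORD IP SECRETS_FILE OPTIONS_FILE
add_pptp_user() {
    user=$1 pass=$2 ip=$3 secrets=$4 options=$5
    case "$ip" in
        ''|'*') echo "refusing wildcard address for $user; give each client a fixed tunnel IP" >&2; return 1 ;;
    esac
    case "$user$pass" in
        *[[:space:]]*) echo "username/password must not contain whitespace" >&2; return 1 ;;
    esac
    if [ -f "$secrets" ] && awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$secrets"; then
        echo "$user is already present in $secrets" >&2; return 1
    fi
    # On the bin/pptp builds the file starts as a symlink into /rom: replace it
    # with a real, private copy before appending.
    if [ -L "$secrets" ]; then
        cat "$secrets" > "$secrets.new" && rm -f "$secrets" && mv "$secrets.new" "$secrets"
    fi
    ( umask 077; printf '%s %s %s %s\n' "$user" "$(server_name "$options")" "$pass" "$ip" >> "$secrets" )
    chmod 600 "$secrets"
}
```

Passing the password on the command line shows it briefly in ps; on a single-user router that is usually acceptable. audit_secrets is the part worth running after any hand edit of the file.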

Firewall

For security the OpenWrt firewall ignores connection attempts arriving on the WAN interface (clients on the LAN or wireless interfaces are accepted). PPTP uses TCP port 1723 for the control channel and GRE (IP protocol 47) for the tunnel itself, so the control-port rule below must be accompanied by a rule accepting proto 47 from wan; without it clients authenticate and then stall. To let clients connect over the WAN, add the rule to the firewall with UCI in "/etc/config/firewall":

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'pptpd'
	option 'proto' 'tcp'
	option 'dest_port' '1723'
	option 'family' 'ipv4'
	option 'src' 'wan'
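The stanza above only opens the control channel. The following is an added example, not part of the page or of OpenWrt, that writes both required rules into a UCI firewall file and can be re-run without duplicating them. It uses option name for the rule label (the key current OpenWrt firewalls document; the page's _name is the older LuCI spelling), takes the file path as an argument so it can be tried on a copy, and assumes the change is applied afterwards with /etc/init.d/firewall restart.

```sh
#!/bin/sh
# Added example (not from the wiki page or OpenWrt): write the WAN-side firewall
# rules a PPTP server needs into a UCI firewall config, without duplicating them
# on a second run. The file is an argument so it can be tried on a copy; on the
# router it is /etc/config/firewall, followed by /etc/init.d/firewall restart
# (the restart command is assumed, not taken from the page).

# Print one 'config rule' stanza in the same form as the page's example.
rule_stanza() {  # rule_stanza NAME PROTO [DEST_PORT]
    printf "config 'rule'\n"
    printf "\toption 'name' '%s'\n" "$1"
    printf "\toption 'src' 'wan'\n"
    printf "\toption 'proto' '%s'\n" "$2"
    if [ -n "$3" ]; then printf "\toption 'dest_port' '%s'\n" "$3"; fi
    printf "\toption 'family' 'ipv4'\n"
    printf "\toption 'target' 'ACCEPT'\n\n"
}

# Append the stanza only if no rule of that name is in the file yet.
ensure_rule() {  # ensure_rule FILE NAME PROTO [DEST_PORT]
    if [ -f "$1" ] && grep -q "option 'name' '$2'" "$1"; then
        return 0
    fi
    rule_stanza "$2" "$3" "$4" >> "$1"
}

# PPTP needs two rules: TCP/1723 for the control channel and IP protocol 47
# (GRE) for the tunnel itself. Without the GRE rule clients authenticate and
# then hang, because the PPP frames never get through.
ensure_pptp_rules() {  # ensure_pptp_rules FILE
    ensure_rule "$1" pptpd tcp 1723
    ensure_rule "$1" pptpd-gre 47
}

count_rules() {  # count_rules FILE: number of 'config rule' stanzas in FILE
    grep -c "^config 'rule'" "$1"
}
```

GRE has no ports, which is why the second stanza carries no dest_port; a rule for tcp/1723 alone is the most common reason a PPTP server "accepts the login but never passes traffic".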


Configure Routing

At this point clients can already connect to the OpenWrt router over the VPN. To let them reach hosts on the LAN, the easiest way is to add this line to /etc/ppp/options.pptpd:

proxyarp

When a client connects, the log shows

found interface vlan0 for proxy arp

With proxyarp the kernel answers ARP requests on the LAN for the addresses of the tunnel clients, so packets are delivered to either the ppp+ device or the LAN interface. The firewall still has to let the traffic through; add these iptables rules (in /etc/firewall.user):

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
/usr/sbin/iptables -A input_rule -i ppp+ -j ACCEPT
/usr/sbin/iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
/usr/sbin/iptables -A forwarding_rule -i ppp+ -j ACCEPT

Setup for Windows filesharing

If you have Windows PPTP clients and you want them to be able to access file shares on the LAN, the PPTP clients need addresses on the same subnet as the LAN, because of a limitation in proxyarp. That subnet must also not collide with the subnet a PPTP client uses on its own local network, or the client will deliver LAN traffic locally instead of through the tunnel. For example, if your PPTP clients sit on 192.168.0.0/24 networks at home, you can set your LAN to 192.168.30.0/24 with DHCP assigning 192.168.30.50-192.168.30.100, but be careful that none of your PPTP clients' own subnets fall in that range. You would be better off selecting something in the 172.16.0.0/12 range (such as 172.18.x.x for your LAN and 172.19.x.x for the VPN clients with a 16-bit mask, i.e. 255.255.0.0). You can set the IP address of the PPTP server to 192.168.30.200 by adding the following line to /etc/ppp/options.pptpd:

192.168.30.200:

You can then assign client addresses beginning with 192.168.30.201. Use the following settings for the VPN in /etc/firewall.user:

iptables        -A forwarding_rule -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT
# allow VPN connections to get out WAN interface (to internet)
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT
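The address rules spread over this page (localip inside the LAN range in the Configuration section; clients on the LAN subnet but not on a subnet a client already uses locally, here) are easy to get wrong by hand. The following added example, not from the page or from pptpd, checks an address plan in the plain sh found on the router, using only shell arithmetic. ip2int, in_subnet, subnets_overlap, expand_range and check_plan are this example's own names, and the CLIENT_HOME_CIDR argument stands for the subnet a remote client uses on its own network, which you have to supply.

```sh
#!/bin/sh
# Added example (not from the wiki page or pptpd): check a pptpd address plan
# before handing it to clients. It enforces the two rules the page states:
# localip and the remoteip pool should lie inside the LAN subnet (proxyarp only
# works then), and the LAN/VPN subnet must not overlap the subnet a client uses
# on its own local network.

# Dotted quad -> 32-bit integer on stdout; returns 1 on a malformed address.
ip2int() {  # ip2int A.B.C.D
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length, as an integer.
prefix2mask() {  # prefix2mask N
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# in_subnet IP CIDR -> exit 0 when IP is inside CIDR
in_subnet() {
    case "$2" in */*) ;; *) return 1 ;; esac
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "${2%/*}") || return 1
    mask=$(prefix2mask "${2#*/}") || return 1
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# subnets_overlap CIDR1 CIDR2 -> exit 0 when the two ranges share addresses.
# The larger network (smaller prefix) contains the other's base address iff they overlap.
subnets_overlap() {
    p1=${1#*/}; p2=${2#*/}
    if [ "$p1" -le "$p2" ]; then in_subnet "${2%/*}" "$1"; else in_subnet "${1%/*}" "$2"; fi
}

# Expand pptpd's remoteip shorthand "172.16.1.100-109" to "first last".
expand_range() {  # expand_range RANGE
    first=${1%-*}; last=${1#*-}
    case "$last" in *.*) ;; *) last="${first%.*}.$last" ;; esac
    echo "$first $last"
}

# check_plan LOCALIP REMOTEIP_RANGE LAN_CIDR CLIENT_HOME_CIDR
# Prints each finding; exits 0 only when the plan is sound.
check_plan() {
    ok=0
    in_subnet "$1" "$3" || { echo "localip $1 is outside LAN $3: proxyarp will not reach the LAN"; ok=1; }
    set -- "$1" "$2" "$3" "$4" $(expand_range "$2")
    in_subnet "$5" "$3" && in_subnet "$6" "$3" || { echo "remoteip pool $2 is not inside LAN $3"; ok=1; }
    subnets_overlap "$3" "$4" && { echo "LAN $3 overlaps the client's own network $4: LAN traffic would stay local"; ok=1; }
    return $ok
}
```

For the page's Windows example, check_plan 192.168.30.200 192.168.30.201-210 192.168.30.0/24 192.168.0.0/24 passes, while the same plan against a client whose home network is also 192.168.30.0/24 is reported as an overlap. The shell arithmetic needs 64-bit integers, which busybox ash, dash and bash all provide.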

You will now be able to access file shares by IP address. For example, you can type

\\192.168.30.50

into the address bar of Windows Explorer. Network neighborhood still doesn't detect available computers. If anyone knows how to make this work please post the instructions here. The desired configuration would have automatic detection and population, so there is no need to edit host files. I tried following instructions for setting up samba to run as a WINS server but I couldn't get it to work. Perhaps this is because OpenWrt is running an older version of samba that was selected because it has a smaller memory footprint.

⇒ In general, the way for computers to appear in Net-Hood is to have a server (master browser) populate the browse list across networks, plus have a hosts or lmhosts file set up on the client machines (that is the only way I have discovered so far). For samba servers you need config options in smb.conf (IP address of router/name of workgroup), but I'm not sure how it works on wrt (as it only has cups, I couldn't get them installed due to the space limitation): remote announce = 192.168.11.1/UR-WG-NAME, and a hosts file in windoze (c:\Windows\System32\drivers\etc\hosts) like 192.168.11.10 mypc mypc.behind-wrt54g.org ..

⇒ Another way for computers to appear in Net-Hood is to use a utility on the router side called bcrelay. Bcrelay turns on broadcast relay mode, sending all broadcasts received on the server's internal interface to the clients. The default pptpd package on WhiteRussian 0.9 contains pptpd version 1.3.0 compiled without bcrelay support. A good discussion of this problem can be found at http://forum.openwrt.org/viewtopic.php?pid=56890

Decision:

1. Recompile pptpd with bcrelay support, or get the package compiled by simba87 from http://rapidshare.com/files/59421121/pptpd_1.3.4-1_mipsel.ipk.html.
2. Back up /etc/pptpd.conf and all files in /etc/ppp/. Uninstall the old pptpd package.
3. I put pptpd_1.3.4-1_mipsel.ipk on my hosting, then used wget on the router and ipkg install pptpd_1.3.4-1_mipsel.ipk.
4. Add bcrelay br0 to /etc/pptpd.conf and proxyarp to /etc/ppp/options.pptpd.

Troubleshooting

If you can connect to pptpd and can ping the client from the server and vice versa, but are not able to ping anything else, refer to this checklist for diagnosis.

There is a Windows XP client HOWTO that may help.

There is also the PPTP Client for Linux or check the OpenWrt vpn.pptp.client.

If the PPTP clients are behind an Actiontec DSL Modem/Router, only one of them will be able to connect. This is due to a bug in the Actiontec. Apparently it locks the connection to one client. If the router is rebooted, the first client to reconnect is locked in. Putting the Actiontec into bridged mode and using a different router will probably bypass the problem. Does anyone else have any experience with this?




References

* http://wiki.openwrt.org/doc/howto/vpn.server.pptpd
* http://www.ewdisonthen.com/how-to-setup-pptp-vpn-server-on-linux-tutorial-07577.php