pptp / pptpd not working in DD-WRT iptables / router

Although it is well known that pptp is not secure and is subject to many forms of attack, the reality is that a lot of legacy and embedded devices still use pptp.  I argue that it is still acceptable if it is being used for routing or remote access over an already secure connection (eg. another VPN such as ikev2), or in a LAN or a public environment where no private data is exchanged.  However, if the nature of the data is extremely sensitive, you should do whatever it takes to add a second layer of encryption by using a secure VPN protocol.

Online you can find many threads and discussions about how to make pptp work with iptables, with convoluted forwarding rules and blind manual allowing of all GRE traffic, etc.  In my experience it is much simpler than that: you just need to enable the netfilter conntrack helper, and your pptp client will be able to connect.

This solution also applies to a node running Kubernetes and Docker containers (eg. an embedded device that for some odd reason uses pptp).  If you can, switch to ikev2 or OpenVPN.

sysctl -w net.netfilter.nf_conntrack_helper=1

For permanent changes add this to /etc/sysctl.conf:

net.netfilter.nf_conntrack_helper=1

There are other modules necessary to make pptp work, but as this lsmod output shows, any recent kernel will load them on its own:

nf_nat_pptp            20480  0
nf_conntrack_pptp      24576  1 nf_nat_pptp
nf_nat                 45056  3 nf_nat_pptp,iptable_nat,xt_MASQUERADE
nf_conntrack          139264  6 xt_conntrack,nf_nat,nf_conntrack_pptp,nf_nat_pptp,nf_conntrack_netlink,xt_MASQUERADE
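The following check script is an added example written for this article; it is not part of the original post or of DD-WRT. It turns the two steps above (the sysctl and the module list) into something you can verify: it parses lsmod output for the four modules pptp needs, reports which are missing, reads the live nf_conntrack_helper value when run on a netfilter-capable Linux host, and prints the commands to apply. The sample lsmod text is constructed from the listing above, and the alternative iptables rule shown (a CT helper rule on the raw table, which scopes the helper to pptp control traffic on TCP port 1723 instead of enabling helper auto-assignment globally) is an assumption about your setup: adjust the chain if the pptp client runs on the router itself rather than behind it.

```shell
#!/bin/sh
# Constructed sample lsmod output, mirroring the listing in the article.
SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_pptp            20480  0
nf_conntrack_pptp      24576  1 nf_nat_pptp
nf_nat                 45056  3 nf_nat_pptp,iptable_nat,xt_MASQUERADE
nf_conntrack          139264  6 xt_conntrack,nf_nat,nf_conntrack_pptp,nf_nat_pptp,nf_conntrack_netlink,xt_MASQUERADE'

# Modules the pptp helper path depends on (conntrack core, pptp tracker, NAT core, pptp NAT).
PPTP_MODULES="nf_conntrack nf_conntrack_pptp nf_nat nf_nat_pptp"

# Print the names of required modules that do not appear in the given lsmod text, one per line.
missing_pptp_modules() {
  lsmod_text="$1"
  for m in $PPTP_MODULES; do
    printf '%s\n' "$lsmod_text" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' \
      || printf '%s\n' "$m"
  done
}

# Succeed (exit 0) only when every required module is present in the lsmod text.
pptp_modules_loaded() {
  [ -z "$(missing_pptp_modules "$1")" ]
}

# Succeed only when the sysctl value means "auto-assign conntrack helpers".
helper_enabled() {
  [ "$1" = "1" ]
}

# Commands to apply on the router. The sysctl is the article's fix; the CT rule is the
# narrower alternative (assumption: clients sit behind the router, so PREROUTING applies).
pptp_fix_commands() {
  cat <<'EOF'
modprobe nf_conntrack_pptp nf_nat_pptp
sysctl -w net.netfilter.nf_conntrack_helper=1
# narrower alternative instead of the sysctl: attach the helper only to pptp control connections
iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp
EOF
}

# Live check: only meaningful on a Linux host with netfilter; prints what is wrong.
check_live() {
  if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    helper_value=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)
  else
    helper_value="absent"
  fi
  live_lsmod=$(lsmod 2>/dev/null || printf '')
  missing=$(missing_pptp_modules "$live_lsmod")
  helper_enabled "$helper_value" || echo "nf_conntrack_helper is $helper_value (expected 1, or a CT --helper rule)"
  [ -z "$missing" ] || printf 'missing modules:\n%s\n' "$missing"
  if helper_enabled "$helper_value" && [ -z "$missing" ]; then
    echo "pptp conntrack helper path looks complete"
  else
    echo "suggested commands:"
    pptp_fix_commands
  fi
}

# Run the live check when executed directly (not when sourced for the functions).
[ "${1:-}" = "--check" ] && check_live
```

Run it as `sh pptp-check.sh --check` on the router; on a box where the modules are missing it lists them and prints the fix. Of the two fixes, prefer the raw-table CT rule where the kernel and iptables build support it, because the global sysctl lets any conntrack helper be attached to any matching flow, while the rule limits the pptp helper to port 1723.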
