pptp / pptpd not working in DD-WRT iptables / router

It is well known that PPTP is not secure: its MS-CHAPv2 handshake can be cracked offline, and the MPPE session keys are derived from the same credential, so the tunnel offers no real confidentiality. The reality is that a lot of legacy and embedded devices still only speak PPTP. I argue that this is still acceptable if it is used purely for routing or remote access over a connection that is already secured (e.g. inside another VPN such as IKEv2), or on a LAN or in a public environment where no private data is exchanged. If the data is sensitive, do whatever it takes to add that second layer of encryption with a secure VPN protocol.

You will find many threads about getting PPTP to work through iptables with elaborate forwarding rules and blanket rules that blindly allow all of GRE (IP protocol 47). In my experience it is much simpler: you only need netfilter's PPTP connection-tracking helper to be enabled. The helper watches the TCP 1723 control channel and registers the GRE call as an expected, related connection, so the usual ESTABLISHED,RELATED rule admits it without any GRE-specific rule. The catch is that since kernel 4.7 automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), which is why a setup that worked on an older router stops working after a kernel upgrade.

This solution also applies to a node running Kubernetes or Docker containers (e.g. an embedded device that for some odd reason still uses PPTP). If you can, switch to IKEv2 or OpenVPN.

sysctl -w net.netfilter.nf_conntrack_helper=1

For a permanent change add this to /etc/sysctl.conf (or a file under /etc/sysctl.d/):

net.netfilter.nf_conntrack_helper=1

Note that this sysctl was removed in kernel 6.0 together with automatic helper assignment. On 6.0 and newer you must bind the helper to the PPTP control port explicitly with the iptables CT target in the raw table instead. That is also the tighter option on older kernels, because it lets you restrict which traffic the helper ever parses (interface, source, destination) rather than every flow that happens to use TCP 1723.

PPTP also needs the helper modules themselves: nf_conntrack_pptp (control-channel tracking and the GRE expectations) and nf_nat_pptp (call-ID rewriting when the router masquerades). If lsmod shows them loaded, as below, nothing more is needed; otherwise load them with modprobe, because the sysctl only enables assignment of helpers that are already registered:

nf_nat_pptp            20480  0
nf_conntrack_pptp      24576  1 nf_nat_pptp
nf_nat                 45056  3 nf_nat_pptp,iptable_nat,xt_MASQUERADE
nf_conntrack          139264  6 xt_conntrack,nf_nat,nf_conntrack_pptp,nf_nat_pptp,nf_conntrack_netlink,xt_MASQUERADE
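As an added example (not code from the original post), the script below ties the steps together: it loads the two helper modules, uses the post's sysctl where the running kernel still has it, falls back to explicit CT rules on kernels 6.0 and newer, and then checks the conntrack table for GRE flows, which is the quickest way to confirm the helper is actually doing the work. Assumptions, labelled in the comments: pptpd (or the client) uses TCP 1723, iptables with the CT target and the conntrack CLI are installed, and the 6.0 cutoff for the sysctl. The sample conntrack output is constructed for the self-check and is only parsed, never applied.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: pptpd (or the
# pptp client) uses TCP 1723; iptables with the CT target and the conntrack
# CLI are installed; net.netfilter.nf_conntrack_helper exists only on
# kernels older than 6.0 (removed in 6.0 along with automatic helper
# assignment). Nothing below touches the system unless run as "apply".
set -eu

PPTP_PORT=1723

# True (exit 0) when the running kernel still has the global helper sysctl,
# i.e. the post's "sysctl -w net.netfilter.nf_conntrack_helper=1" can work.
# $1 is a "uname -r" string such as "5.15.0-91-generic".
kernel_has_helper_sysctl() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -lt 6 ]
}

# Emit the iptables rules that attach the pptp helper only to the PPTP
# control channel. This replaces the sysctl on 6.0+ and is tighter on any
# kernel: the helper parses nothing but TCP/$port traffic.
pptp_ct_rules() {
    port=${1:-$PPTP_PORT}
    printf '%s\n' \
      "iptables -t raw -A PREROUTING -p tcp --dport $port -j CT --helper pptp" \
      "iptables -t raw -A OUTPUT -p tcp --dport $port -j CT --helper pptp"
}

# Count GRE flows in "conntrack -L" (or /proc/net/nf_conntrack) text on stdin.
# Once the helper is active, every PPTP call shows up here without any
# hand-written "-p gre -j ACCEPT" rule, because the call is an expected
# (RELATED) connection of the tracked TCP/1723 session.
count_gre_flows() {
    grep -c -E '(^|[[:space:]])gre[[:space:]]+47[[:space:]]' || true
}

apply_pptp_tracking() {
    # The helper modules are needed either way; the sysctl only enables
    # assignment of helpers that are already registered.
    modprobe nf_conntrack_pptp
    modprobe nf_nat_pptp
    if kernel_has_helper_sysctl "$(uname -r)"; then
        sysctl -w net.netfilter.nf_conntrack_helper=1   # the post's method
    else
        pptp_ct_rules "$PPTP_PORT" | sh -e               # 6.0+: explicit binding
    fi
    echo "GRE flows tracked now: $(conntrack -L -p gre 2>/dev/null | count_gre_flows)"
}

# Constructed sample of "conntrack -L" output for a working PPTP session:
# the control connection carries helper=pptp and the call's two GRE
# directions were admitted by the helper. Used only for the self-check.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=49152 dport=1723 src=198.51.100.5 dst=192.0.2.10 sport=1723 dport=49152 [ASSURED] helper=pptp mark=0 use=1
gre      47 29 src=192.0.2.10 dst=198.51.100.5 srckey=0x0 dstkey=0x6b7f src=198.51.100.5 dst=192.0.2.10 srckey=0x6b7f dstkey=0x0 [ASSURED] mark=0 use=1
gre      47 29 src=198.51.100.5 dst=192.0.2.10 srckey=0x6b7f dstkey=0x0 src=192.0.2.10 dst=198.51.100.5 srckey=0x0 dstkey=0x6b7f [ASSURED] mark=0 use=1'

if [ "${1:-}" = "apply" ]; then
    apply_pptp_tracking
else
    # Dry run: show the decision for this kernel and the rules it would add.
    if kernel_has_helper_sysctl "$(uname -r)"; then
        echo "kernel $(uname -r): sysctl net.netfilter.nf_conntrack_helper=1 is available"
    else
        echo "kernel $(uname -r): no helper sysctl, explicit CT rules needed:"
        pptp_ct_rules "$PPTP_PORT"
    fi
    echo "sample parse: $(printf '%s\n' "$SAMPLE_CONNTRACK" | count_gre_flows) GRE flows"
fi
```

Run it without arguments to see which method applies to your kernel and the rules it would install; run it as root with `apply` to actually enable tracking. If `conntrack -L -p gre` stays empty while a client is dialling, the helper is not attached to the control connection: check that the TCP/1723 entry shows helper=pptp, and that the two pptp modules are loaded.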

