2

Linksys E3000 Tomato USB Firmware and PPTP

Posted on 27th May 2012

For many years, I have used routers that were DD-WRT compatible for the additional configuration options the 3rd party firmware provides. When I purchased a Linksys E3000 last year, I immediately installed DD-WRT in place of the stock Linksys firmware. I experienced some stability issues (later found out that it was due to high interference in the 2.4ghz spectrum) and had switched to the Tomato USB firmware. I immediately loved the interface which felt clean and organized. Since it was based off of the DD-WRT project, I knew that it would be just as customizable.

With the addition of iDevices and the constant demand to access home resources at home from the road, I decided that a VPN would be the best way to secure these resources as it is already supported on iDevices. PPTP was the best choice since these devices supported it out of the box. Here, I will run over the installation method to get a working VPN connection through the Tomato USB firmware.

Requirements:

Installation and Configuration:

Mare sure that Optware is installed and configured on a flash drive. You can follow the directions over here to get Optware running on your tomato device.

Step 1:

The following commands will install a couple of packages to get things going and allow us to edit the configurations:

# ipkg install poptop
# ipkg install nano

Step 2:

Now we can edit the pptpd.config file in /opt/etc. Use the following commands to access the file:

# cd /opt/etc
# nano pptpd.com

My pptpd.conf looks like this:

option /opt/etc/ppp/options.pptpd
localip 192.168.1.1
remoteip 192.168.1.151-159

NOTE: If you have an entry for logwtemp, comment it out by putting a # in front of it. If you do not, pptpd will not run.

In nano, you can hit ctrl-o and then ctrl-x to save and then exit.

Next, we will edit options.pptpd in the /opt/etc/ppp folder. Use the following commands:

# cd /opt/etc/ppp
# nano options.pptpd

My options.pptpd looks like this:

name pptpd
refuse-pap
#refuse-ohap
#refuse-msohapp
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp

Create user ids by entering the following commands to edit the chaps-secrets file:

# cd /opt/etc/ppp
# nano chaps-secrets

Here is an example:

# Username Server Password Allowed IPs
user * password *

Once you have added the users you want to add, run this last command to make sure that it is not globally accessible unless you are a admin:

# chmod 500 chaps-secrets

Step 3:

Now we need to create the scripts that run the pptpd process and allows firewall traffic for the vpn. We must create a vpn.wanup and a vpn.fire file to handle this:

# cd /opt/etc/config
# nano vpn.wanup

Enter in the following:

#!/bin/sh
if [ ! -f /tmp/ppp/chap-secrets ]; then
mkdir -p /tmp/ppp
ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi

Then save and exit. Run the next command to make it executable:

# chmod +x vpn.wanup

Now, run the next set of commands to create the firewall exceptions:

# nano vpn.fire

And enter the following:

iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

Then make this executable as well:

# chmod +x vpn.fire

Note: Sometimes the .wanup and/or .fire does not load automatically so you may need to add it to the scripts section in the GUI in the Wanup. I was having trouble with .fire and not .wanup.

Step 4:

At this point, you can test the vpn by rebooting the router and seeing if you can connect to it with an external device like an iPhone on the 3G network. Configuration of these devices is simple.

Description: Whatever you like.
Server: Static IP of your internet conniption or a DynDNS address.
Account: One of the user names created in the chaps-secrets file.
RSA Secure ID: Off
Password: Password signed to the user set above in the chad-secrets file.
Encryption Level: Auto
Send All Traffic: On (Optional if you want all data to go through your router and then to the phone while access internet resources.)
Proxy: Auto
URL: Leave Blank

If everything is working right,  you should be able to access local resources on your home network.

Conclusion:

I can access remote desktops and files without the need to expose these computers to the internet with port forwarding. I am even able to access XBMC systems and remotely control them. Though PPTPD does not provide the best encryption, it is still better then not having anything at all.

Resources:

I have to get credit to the Tomato USB project and recognize that this blog post is written based off of this wiki article over on the Tomato USB website. I created this entry to help document the settings for future reference since there are minor modifications to the settings demonstrated in the original article.

Discussion

  1. What should i write in Wanup to load the scripts?
    I’m having problems as well.

    • harshy

      In step 3, I have added the code into vpn.wanup and vpn.fire. If in the Tomato GUI, you will not need anything in the WAN Up tab. I do have to following in the Init tab however:

      echo “/dev/sda1 /opt ext3 defaults 1 1” >> /etc/fstab

      This just auto mounts my usb stick with the /opt on it.

Leave a response

Your email address will not be published. Required fields are marked *

<