For many years, I have used routers that were DD-WRT compatible for the additional configuration options the third-party firmware provides. When I purchased a Linksys E3000 last year, I immediately installed DD-WRT in place of the stock Linksys firmware. I experienced some stability issues (later found out that they were due to high interference in the 2.4 GHz spectrum) and switched to the Tomato USB firmware. I immediately loved the interface, which felt clean and organized. Since it was based on the DD-WRT project, I knew that it would be just as customizable.
With the addition of iDevices and the constant demand to access home resources from the road, I decided that a VPN would be the best way to secure these resources, as it is already supported on iDevices. PPTP was the best choice since these devices support it out of the box. Here, I will run through the installation method to get a working VPN connection on the Tomato USB firmware.
Requirements:
- Pre-flashed Tomato USB compatible router
- Flash Drive for Optware install
- Preconfigured internet connection
- Static IP or a Dynamic Service such as DynDns.com
Installation and Configuration:
The following commands will install a couple of packages to get things going and allow us to edit the configurations:
# ipkg install poptop
# ipkg install nano
Now we can edit the pptpd.conf file in /opt/etc. Use the following commands to access the file:
# cd /opt/etc
# nano pptpd.conf
My pptpd.conf looks like this:
NOTE: If you have an entry for logwtmp, comment it out by putting a # in front of it. If you do not, pptpd will not run.
In nano, press Ctrl-O to save and then Ctrl-X to exit.
Next, we will edit options.pptpd in the /opt/etc/ppp folder. Use the following commands:
# cd /opt/etc/ppp
# nano options.pptpd
My options.pptpd looks like this:
Create user IDs by entering the following commands to edit the chap-secrets file:
# cd /opt/etc/ppp
# nano chap-secrets
Here is an example:
# Username Server Password Allowed IPs
user * password *
Once you have added the users you want, run this last command to make sure that the file is not readable by anyone other than its owner (the admin account):
# chmod 500 chap-secrets
Now we need to create the scripts that run the pptpd process and allow firewall traffic for the VPN. We must create a vpn.wanup and a vpn.fire file in /opt/etc/config to handle this:
# cd /opt/etc/config
# nano vpn.wanup
Enter in the following:
if [ ! -f /tmp/ppp/chap-secrets ]; then
    mkdir -p /tmp/ppp
    ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
# start pptpd (binary path assumed from the Optware poptop package)
/opt/sbin/pptpd -c /opt/etc/pptpd.conf
Then save and exit. Run the next command to make it executable:
# chmod +x vpn.wanup
Now, run the next set of commands to create the firewall exceptions:
# nano vpn.fire
And enter the following:
# PPTP needs both the TCP 1723 control connection and the GRE data channel
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# allow traffic from and to connected VPN clients (ppp interfaces)
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
Then make this executable as well:
# chmod +x vpn.fire
Note: Sometimes the .wanup and/or .fire script does not load automatically, so you may need to add it to the Scripts section of the GUI under WAN Up. I was having trouble with .fire and not .wanup.
At this point, you can test the VPN by rebooting the router and seeing if you can connect to it with an external device like an iPhone on the 3G network. Configuration of these devices is simple.
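As an added check before rebooting (this script is not part of the original post or the Tomato USB wiki), the following POSIX shell functions verify the files created above: no active logwtmp line in pptpd.conf, four fields per line and owner-only permissions on chap-secrets, the GRE and TCP/1723 rules in vpn.fire, and the executable bit on both scripts. It takes a directory laid out like /opt/etc as its argument and only reads files, so it can also run against copies off the router.

```shell
#!/bin/sh
# Added example: read-only sanity checks for the poptop setup described above.
# Assumed layout under the directory passed in: pptpd.conf, ppp/chap-secrets,
# config/vpn.wanup and config/vpn.fire (the /opt/etc layout from the post).

# pptpd.conf: an active (uncommented) logwtmp line stops pptpd from starting.
check_no_logwtmp() {
    ! grep -q '^[[:space:]]*logwtmp' "$1"
}

# chap-secrets: every non-comment, non-blank line must have exactly the four
# fields client / server / secret / allowed-IPs. Secrets quoted with spaces
# inside would be miscounted; this checks the simple form used in the post.
check_secrets_format() {
    awk 'BEGIN { bad = 0 }
         !/^[ \t]*#/ && NF > 0 && NF != 4 { bad = 1 }
         END { exit bad }' "$1"
}

# chap-secrets: group and other must have no permission bits (chmod 500 or
# stricter). Columns 5-10 of the POSIX ls -l mode string are group and other.
check_secrets_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# vpn.fire: both the GRE rule and the TCP/1723 rule must be present; a PPTP
# tunnel needs the control connection and the GRE data channel.
check_fire_rules() {
    grep -q -- '-p gre' "$1" && grep -q -- '--dport 1723' "$1"
}

# vpn.wanup / vpn.fire must be executable or Tomato will not run them.
check_executable() {
    [ -x "$1" ]
}

# Run every check; returns 0 only when all of them pass.
check_pptp_setup() {
    check_no_logwtmp      "$1/pptpd.conf"       || return 1
    check_secrets_format  "$1/ppp/chap-secrets" || return 1
    check_secrets_private "$1/ppp/chap-secrets" || return 1
    check_fire_rules      "$1/config/vpn.fire"  || return 1
    check_executable      "$1/config/vpn.fire"  || return 1
    check_executable      "$1/config/vpn.wanup"
}
```

On the router, source the file and run `check_pptp_setup /opt/etc`; a non-zero exit means one of the steps above was missed.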
Description: Whatever you like.
Server: Static IP of your internet connection or a DynDNS address.
Account: One of the user names created in the chap-secrets file.
RSA SecurID: Off
Password: Password assigned to the user set above in the chap-secrets file.
Encryption Level: Auto
Send All Traffic: On (Optional: turn this on if you want all of the phone's data, including internet access, to go through your router.)
URL: Leave Blank
If everything is working right, you should be able to access local resources on your home network.
I can access remote desktops and files without the need to expose these computers to the internet with port forwarding. I am even able to access XBMC systems and remotely control them. Though PPTPD does not provide the best encryption, it is still better than not having anything at all.
I have to give credit to the Tomato USB project and recognize that this blog post is based on this wiki article over on the Tomato USB website. I created this entry to help document the settings for future reference, since there are minor modifications to the settings demonstrated in the original article.