Emerging Member
Posts: 89
Registered: ‎08-07-2014
Kudos: 44
Solutions: 4

GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

[ Edited ]

After fighting through this process, I thought I would type up a how to guide.  Once it's configured, it works quite well.  This is the configuration for a LOCAL PPTP VPN, not the RADIUS server VPN.

 

This assumes that you already have used the wizard to set up your ERL setup for normal use (LAN on port 0, WAN on port 1, LAN (probably not used) on port 2).  That you already have the DHCP server setup and running on it.  And that you have (or are willing to) define a limited range that the DHCP server can assign IP addresses.  It also assumes that you know your real IP address assigned to the router by your ISP, or, you have a dynamic DNS service setup that can be used to find your device on the Internet.

 

On my network, I begin assigning IP addresses via the DHCP server at .100 and stop at .199.  This leaves the lower range for me to assign IP addresses by MAC addresses for common devices that are always present.  The upper range starting at .200 is where I start the PPTP address assignments.  (I only reserve 5 IPs).  Set up your network however you like, I'm providing this for insight as to why I did what I did.

 

Step 1:  BACK UP YOUR CURRENT CONFIGURATION.  Click on the "system" tab at the bottom of the page.  Scroll down until you see the option to "Back Up Config".  Click on the "Download" button.  The resulting file that you download is all of your router's current configuration.  If things go wrong, you can load this file under the "Restore Config" option, to put it back exactly like it was.

 

Step 2:  Make sure you have some IP addresses available to be assigned for PPTP users.  I would suggest under "services", clicking on the menu for your primary DHCP server, selecting "details", and limiting the range that it assigns.  We will use the left over IPs that are not being assigned for the PPTP IPs.  Again, in my case, my starting range is .100, and the ending range is .199.  Set yours up however you want.

 

Step 3:  These commands are simply following the guide here, with a little extra explanation:  http://wiki.ubnt.com/PPTP_Remote_Access_-_CLI_Commands

 

We will now configure the PPTP VPN server: 

1.  Click on the CLI button on the top right of the ERL configuration page, and log in to the resulting prompts using the same administrative login you used to get into the ERL configuration page in the first place.  (Each command shown here, assumes that you are pressing 'return/enter' after typing it)

 

2.  Change the CLI to configuration mode by typing

configure

 

3.  Change the authentication mode from the pointless radius option (that very few people use) to local, by typing:

set vpn pptp remote-access authentication mode local

 

4. Set up the desired users for the PPTP account.  PPTP encryption has been broken, so it is advisable to make very long passwords that are hard to break, and take longer to decrypt.  PPTP isn't perfect, but it's infinitely better than using nothing, particularly when your device is operating on an open, unencrypted WiFi network.  Use the following commands to enter new users, the portion in ALL CAPS, will need to be replaced by you to define the user and password.

set vpn pptp remote-access authentication local-users username FRED password FLINTSTONEMADEEXTRALONGWITH#$!CHARACTERS

 You may re-issue this command with different users and passwords to set up multiple people.  (If you make a mistake or want to delete one, I'll cover that at the end of this section)

 

5.  Define the range of IP addresses that will be assigned to the PPTP users.  Note on this command, the IP addresses indicated will be REPLACED by the IP addresses that make sense for your network.

set vpn pptp remote-access client-ip-pool start 192.168.1.201
set vpn pptp remote-access client-ip-pool stop 192.168.1.206

 

6. Define the name servers that will be used for the PPTP users.  I have not experimented with pointing this at the router IP.  In this case, for my working configuration, I used public DNS servers which (I think) are run by Google.  The indicated IP addresses will work, but, if you want to use a different DNS server, enter those IPs instead.

set vpn pptp remote-access dns-servers server-1 8.8.8.8
set vpn pptp remote-access dns-servers server-2 8.8.4.4

 

7.  This concludes the PPTP setup portion.  We will need to implement the changes now by typing

commit

 This will cause the ERL to begin using the newly entered commands.  At this point, since you have backed up your configuration, I would suggest going ahead and saving it as well, by typing

save

 

 If you are observing the VPN tab in the HTML interface of the router, you will notice that all the user input text boxes are gone, and now just displays the VPN configuration.

 

Changing settings, adding / deleting PPTP users:

Should you choose to modify a setting that we did above, this is done by simply reissuing the command with the desired data changed.  Want to change the DNS?  Issue the command again, with the updated IPs, and the old one will be over-written.  (Remember you will need to be in the "configure" mode)

 

Should you want to DELETE  a PPTP user (or a set command) you can use the "delete" command instead of the "set" command.  For example, let's say that you no longer want Mr. Flintstone to have PPTP access.  The command would be:

delete vpn pptp remote-access authentication local-users username FRED

 

If you have a VPN capable device on your local LAN, it will probably work now... but that doesn't do us any good.  We need to be able to access the PPTP server from the Internet.  Which means that we need to next, configure the firewall to allow this to happen.

 

Step 4:  Configuring the Firewall

You will need to make (2) rules to allow the PPTP traffic from the Internet.  This part for me was not intuitive, and I required some hand holding.

 

1.  Click on "Firewall Policies".  If you used the setup wizard, you should have (2) main rulesets present.  One that is for dealing with traffic coming in from the WAN.  (probably under the 'interfaces' column it will say "eth1/in").  And you should have another ruleset (The one we want to modify) that is dealing with local traffic from the WAN (probably under the 'interfaces' column, it will say "eth1/local").  We want to click on the "Actions" button for the ruleset that is dealing with the LOCAL traffic, and choose "edit ruleset".

 

2.  In this ruleset (again if you used the wizard in the beginning to set this up) you should find two rules.  One with the action "accept", and one with the action "drop".  The first rule is allowing inbound traffic if it is a response from something that originated from the router.  The 2nd rule is dropping invalid packets.  We are going to make (2) new rules, and they are going to be positioned after rule number 1.  (not sure that it really matters, but it's how I did it)

 

3.  Click on "Add New Rule".  We will name this rule "Allow PPTP Port 1723".  Under the "basic" tab, check the "Enable" box, click on ACCEPT, click on TCP.  Ignore the "Advanced" and "Source" tabs.  Under the "Destination" tab, in the field marked 'Port' enter "1723".   Then click Save, and wait for the green check mark to appear next to the "X" button to close the window.  (Close the window when it saves)

 

4.  Click on "Add New Rule".  We will name this rule "Allow PPTP GRE".  Under the "basic" tab, check the "Enable" box.  Click on "Accept", click on "Choose a protocol by name" and from the small pull down menu, choose "gre".  (don't make any other changes)  Click the "Save" button, and wait for the green check mark to appear next to the "X" button to close the window.  Then close the window.

 

5.  Set the order of your new rules by simply dragging them into place.  We want the "Allow PPTP Port 1723" to be the 2nd rule (click "Save Rule Order"), then drag the "Allow PPTP GRE" rule to be the 3rd rule, and click "Save Rule Order".

 

You are now done, and your PPTP server should be working.  You can setup your device to find the PPTP server by using the real IP address assigned to your router, or, by using a Dynamic DNS Service.

 

Testing and setting up your iPhone:

 

A mobile device such as an iPhone is easy to test with, particularly as it easily allows you to test from an outside IP address.  Using an iPhone, simply swipe up from the bottom, and turn off WiFi (so you are not on your local LAN, and you are using cellular data).  (You can also go to 'settings', 'Wi-Fi', and turn it off from there)

 

  • Set up your iOS VPN by going to settings, VPN, "Add VPN Configuration...". 
  • Choose PPTP as the type, name it whatever you want, for the server enter the real IP address of your router (or your Dynamic DNS address). 
  • Enter the account name you assigned to a user (the example was "Fred"),
  • leave RSA off. 
  • Enter the password you assigned to the user (remember it should be long and complex)
  • Encryption Level set to "Maximum"
  • Send All Traffic should be "On"
  • Save
  • Tap on your new VPN configuration, and then tap on the VPN slider to activate the connection.  In a few seconds you should connect, and at the top of the screen you will see a small "vpn" indicator.

 

You're Done.

 

I'm an Edge Router newbie coming from the DD-WRT world, and had been banging my head against this for a few days (particularly on the Firewall rules).  Many thanks to the forum user / Ubiquiti Employee UBNT-stig who answered the questions that eventually got me working.

 

Hopefully this guide will help others better understand the system, and quickly be able to setup their PPTP servers in a matter of minutes vs. days.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Great, thanks for sharing the information!

New Member
Posts: 32
Registered: ‎12-16-2014
Solutions: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Excellent guide.

 

I want to do a little different setup and I am wondering if someone could help me:

 

1. I want to share an internet connection with 2 other users. So, the users would be calling from a different local network, not from the internet. E.g. my router has 10.224.xxx.yyy and the other users are in a different subnet (10.224.zzz.www).

 

2. I don't want to use DHCP; I'd prefer to use static IPs. Would they be from the 10.224.xxx.yyy subnet or something like 192.168.xxx.yyy?

 

3. I use 1.6.0 firmware, with eth0 to local network and eth1 bridged to VDSL modem. eth2 is disabled and I have done the basic WAN+2LAN configuration from the wizard.

 

4. I think that no firewall setup is needed because no port needs to be open (I won't call from the internet).

New Member
Posts: 38
Registered: ‎12-31-2014
Kudos: 4

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

And on 1.6.0? The CLI says mode invalid for mode local.

New Member
Posts: 11
Registered: ‎08-27-2014
Kudos: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I just set it up on 1.6.0 by using the [Config Tree] tab (and [Firewall] tab) without touching the CLI.

It went smoothly, but I haven't tested it yet.

 

OP's guide has all the steps; you just need to transmogrify them to clicks instead of CLI.

 


@MZorzy wrote:
And on 1.6.0? The CLI says mode invalid for mode local.

 

 

New Member
Posts: 11
Registered: ‎08-27-2014
Kudos: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS


2. I don't want to use DHCP; I'd prefer to use static IPs. Would they be from the 10.224.xxx.yyy subnet or something like 192.168.xxx.yyy?

 

If you set it up from the [Config Tree] tab, there's an option for static assignment for each user.

New Member
Posts: 3
Registered: ‎05-22-2015
Solutions: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Awesome, thanks for taking the time to make this post. It was a great help! Works on 1.6, no problems.

Established Member
Posts: 879
Registered: ‎02-07-2015
Kudos: 179
Solutions: 37

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Works on 1.7

 

This should be in the knowledge base for sure... Thanks

Emerging Member
Posts: 86
Registered: ‎06-25-2015
Kudos: 5

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I am on 1.7 and I cannot get this to work. I did all the same settings in the Config Tree. Any device I try to connect from just fails. Does anyone have an idea what to look for?

Established Member
Posts: 879
Registered: ‎02-07-2015
Kudos: 179
Solutions: 37

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

What are you using to connect your clients? Built-in Windows VPN feature? What's the error msg?

Emerging Member
Posts: 86
Registered: ‎06-25-2015
Kudos: 5

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Let's just say I am a goose, it was a client issue. I had not checked the PPP encryption button on Android lol

Emerging Member
Posts: 86
Registered: ‎06-25-2015
Kudos: 5

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

Now to figure out the traffic and currently connected sessions
New Member
Posts: 6
Registered: ‎08-27-2014

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

[ Edited ]

Let us say I only want to allow the PPTP users to access 1 machine (192.168.1.10 for example), and restrict access to everything else.

How can I set this up in the firewall?

The configuration is the same as in the guide above.

New Member
Posts: 15
Registered: ‎10-01-2013
Kudos: 2

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

First, I want to thank you for putting together a very comprehensive guide. well done and much appreciated.

Second, I am having issues.

I have configured everything as per the guide, and I am using an iPhone 6 Plus.

 

 

Nov 10 18:33:15 UER pppd[7718]: pppd 2.4.4 started by admin, uid 0
Nov 10 18:33:15 UER zebra[489]: interface ppp0 index 15 <POINTOPOINT,NOARP,MULTICAST> added.
Nov 10 18:33:15 UER pppd[7718]: Connect: ppp0 <--> /dev/pts/0
Nov 10 18:33:15 UER pppd[7718]: MPPE 128-bit stateless compression enabled
Nov 10 18:33:15 UER pppd[7718]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Nov 10 18:33:16 UER zebra[489]: warning: PtP interface ppp0 with addr 10.255.254.0/32 needs a peer address
Nov 10 18:33:16 UER zebra[489]: interface index 15 was renamed from ppp0 to pptp0
Nov 10 18:33:16 UER zebra[489]: interface pptp0 index 15 changed <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>.
Nov 10 18:33:16 UER pppd[7718]: local  IP address 10.255.254.0
Nov 10 18:33:16 UER pppd[7718]: remote IP address 10.20.30.201
Nov 10 18:33:26 UER pptpd[7717]: GRE: read(fd=7,buffer=419594,len=8260) from network failed: status = -1 error = Message too long
Nov 10 18:33:26 UER pptpd[7717]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
Nov 10 18:33:26 UER pppd[7718]: Modem hangup
Nov 10 18:33:26 UER zebra[489]: interface pptp0 index 15 changed <POINTOPOINT,NOARP,MULTICAST>.
Nov 10 18:33:26 UER pppd[7718]: MPPE disabled
Nov 10 18:33:26 UER pppd[7718]: Connection terminated: no multilink.
Nov 10 18:33:26 UER zebra[489]: interface pptp0 index 15 deleted.
Nov 10 18:33:27 UER pptpd[7717]: CTRL: Couldn't write packet to client.
Nov 10 18:33:27 UER pptpd[7717]: CTRL: Couldn't write packet to client.

 

I have seen similar errors on the forums, but for some reason, none of those issues seem to relate.

 

Please assist me.

New Member
Posts: 1
Registered: ‎02-10-2016

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

[ Edited ]

In order to gain access to my internal network via VPN, I had to add the following:

 

 rule 5011 {
     description "masquerade for VPN"
     log disable
     outbound-interface eth1 ****THIS IS YOUR INTERNAL NETWORK****
     protocol all
     source {
         address x.x.x.x/x
     }
     type masquerade
 }

 

New Member
Posts: 31
Registered: ‎05-07-2014
Kudos: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I have configured my router per your instructions and can connect to the VPN without problems. I have no internet on the device I access the VPN with once I connect. Any help would be much appreciated. I have disconnected the router until I can get this figured out. Thanks

Established Member
Posts: 879
Registered: ‎02-07-2015
Kudos: 179
Solutions: 37

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

[ Edited ]

Have you tried to manually configure the DNS servers on your device to see if that allows the Internet to work? Try Google DNS 8.8.8.8 or 8.8.4.4


New Member
Posts: 8
Registered: ‎06-14-2014
Kudos: 1

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I had a problem where I could connect, but was unable to browse my LAN.  I found that my LAN DHCP range (.100-.250) overlapped the range I had set for the PPTP pool (.240-.244).  Once I narrowed the LAN DHCP range to .100-.239 using the ConfigTree it all started working as expected.  

 

So, my only suggestion is to add a disclaimer to the top post warning people not to overlap their VPN and LAN DHCP ranges.

 

Thanks!
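
The overlap described in the post above can be checked mechanically before committing. The following is an added example, not code from this thread or from Ubiquiti: it reads set-style configuration text, compares the PPTP client pool against each DHCP range, and goes slightly beyond the post by also flagging a pool that includes a subnet's network or broadcast address. The DHCP line format and the name LAN are assumptions; the PPTP lines use the syntax from the guide.

```python
import ipaddress
import re

# Constructed sample of set-style configuration text. The PPTP lines use the
# syntax from the guide; the DHCP line format and the name LAN are assumptions.
SAMPLE_CONFIG = """\
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.250
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access client-ip-pool start 192.168.1.240
set vpn pptp remote-access client-ip-pool stop 192.168.1.244
"""

DHCP_RE = re.compile(
    r"^set service dhcp-server shared-network-name (\S+) subnet (\S+) "
    r"start (\S+) stop (\S+)", re.M)
POOL_RE = re.compile(
    r"^set vpn pptp remote-access client-ip-pool (start|stop) (\S+)", re.M)


def parse_ranges(config):
    """Return (dhcp_ranges, pptp_pool) parsed from set-style config text."""
    dhcp = [(name, ipaddress.ip_network(subnet),
             ipaddress.ip_address(start), ipaddress.ip_address(stop))
            for name, subnet, start, stop in DHCP_RE.findall(config)]
    ends = {k: ipaddress.ip_address(v) for k, v in POOL_RE.findall(config)}
    if set(ends) != {"start", "stop"}:
        raise ValueError("client-ip-pool needs both start and stop")
    if ends["start"] > ends["stop"]:
        raise ValueError("client-ip-pool start is above stop")
    return dhcp, (ends["start"], ends["stop"])


def check_pool(config):
    """List findings about the PPTP pool versus every DHCP range."""
    dhcp, (p_start, p_stop) = parse_ranges(config)
    findings = []
    for name, subnet, d_start, d_stop in dhcp:
        if p_start not in subnet and p_stop not in subnet:
            continue  # pool lives outside this LAN
        # Two closed intervals overlap when each starts before the other ends.
        if p_start <= d_stop and d_start <= p_stop:
            lo, hi = max(p_start, d_start), min(p_stop, d_stop)
            findings.append(f"{name}: PPTP pool overlaps DHCP range at {lo}-{hi}")
        for addr in (subnet.network_address, subnet.broadcast_address):
            if p_start <= addr <= p_stop:
                findings.append(f"{name}: PPTP pool includes reserved address {addr}")
    return findings


if __name__ == "__main__":
    for line in check_pool(SAMPLE_CONFIG) or ["no overlap found"]:
        print(line)
```
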

New Member
Posts: 30
Registered: ‎03-04-2016
Kudos: 10

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I have tried to use this guide with 1.7 and 1.8 firmwares. It seems very random when I am allowed to connect or not without changing config. Sometimes a reboot makes it possible to connect a few times, and then after a few minutes, I get errors when trying from an iPhone.

 

Is there anything I can check...?

Established Member
Posts: 879
Registered: ‎02-07-2015
Kudos: 179
Solutions: 37

Re: GUIDE: How to configure Local PPTP VPN on 1.5.0 Firmware, works on iOS

I have set this up at dozens of offices and have only noticed it not working when there is a double NAT on the network or when trying to use the VPN while using a wifi connection that has the same lan range as the remote location. Could you post your config?