Edgerouter PPTP client

Setting up a PPTP tunnel to a VPN provider.

My goal in this blog entry is to set up a permanently open PPTP tunnel to a VPN provider. I am going to set up a couple of internal clients in my network to always be tunneled through this provider.

The first step is to set up a basic tunnel to the PPTP provider:

set interfaces pptp-client pptpc0 default-route none
set interfaces pptp-client pptpc0 description 'VPN to privateinternetaccess.com'
set interfaces pptp-client pptpc0 mtu 1500
set interfaces pptp-client pptpc0 name-server auto
set interfaces pptp-client pptpc0 require-mppe
set interfaces pptp-client pptpc0 server-ip country.privateinternetaccess.com
set interfaces pptp-client pptpc0 user-id someusername
set interfaces pptp-client pptpc0 password superlongpassword

Now we create a source-routing table (table 1) whose default route sends traffic through the tunnel interface:

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0

Then we set up a firewall group called PPTP_CLIENTS which contains all the clients we want to route through the VPN tunnel. In my case here I have one client in my VLAN 30 (Wifi trusted) and one client in VLAN 40 (Wifi guest).

set firewall ip-src-route enable
set firewall group address-group PPTP_CLIENTS address 192.168.30.15
set firewall group address-group PPTP_CLIENTS address 192.168.40.10
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via VPN'
set firewall modify SOURCE_ROUTE rule 10 source group address-group PPTP_CLIENTS
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth3 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 40 firewall in modify SOURCE_ROUTE

It’s important to bind this source routing rule to each interface where you might have clients that you want to tunnel. This is done in the last two lines.
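A missing binding fails silently: the client keeps working but leaves through the normal WAN route. The following check is an added example, not part of the original post. It parses exported set-commands and reports PPTP_CLIENTS members whose ingress interface does not apply SOURCE_ROUTE. The vif addresses, the vif 50 client and the function name are assumptions constructed for the sample.

```python
import ipaddress
import shlex

# Constructed sample: the post's set-commands plus assumed vif addresses
# (the post does not show them) and a hypothetical third client on vif 50,
# an interface that has no SOURCE_ROUTE binding.
SAMPLE_CONFIG = """
set interfaces ethernet eth3 vif 30 address 192.168.30.1/24
set interfaces ethernet eth3 vif 40 address 192.168.40.1/24
set interfaces ethernet eth3 vif 50 address 192.168.50.1/24
set firewall group address-group PPTP_CLIENTS address 192.168.30.15
set firewall group address-group PPTP_CLIENTS address 192.168.40.10
set firewall group address-group PPTP_CLIENTS address 192.168.50.20
set firewall modify SOURCE_ROUTE rule 10 source group address-group PPTP_CLIENTS
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth3 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 40 firewall in modify SOURCE_ROUTE
"""

def unbound_clients(config, group="PPTP_CLIENTS", ruleset="SOURCE_ROUTE"):
    """Return {client_ip: interface} for group members whose ingress
    interface does not apply the modify ruleset (None = no subnet matched)."""
    subnets, bound, clients = {}, set(), []
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1:6] == ["firewall", "group", "address-group", group, "address"]:
            clients.append(ipaddress.ip_address(tok[6]))
        elif tok[1] == "interfaces" and "address" in tok[:-1]:
            i = tok.index("address")
            if "/" in tok[i + 1]:  # static address only; skips 'address dhcp'
                net = ipaddress.ip_interface(tok[i + 1]).network
                subnets[" ".join(tok[2:i])] = net
        elif tok[1] == "interfaces" and tok[-4:] == ["firewall", "in", "modify", ruleset]:
            bound.add(" ".join(tok[2:-4]))
    result = {}
    for ip in clients:
        iface = next((n for n, net in subnets.items() if ip in net), None)
        if iface not in bound:
            result[str(ip)] = iface
    return result

if __name__ == "__main__":
    for ip, iface in unbound_clients(SAMPLE_CONFIG).items():
        print(f"{ip}: ingress interface {iface!r} lacks the SOURCE_ROUTE binding")
```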

Finally, we set up all VPN traffic to be NATed through the tunnel.

set service nat rule 5010 outbound-interface pptpc0
set service nat rule 5010 type masquerade
set service nat rule 5010 description "Outbound NAT on PPTP tunnel interface"

The last step is to run a traceroute or visit whatismyip.com from the clients to confirm that the traffic is actually tunneled 🙂
