Setting up a PPTP tunnel to a VPN provider.
My goal in this blog entry is to set up a permanently open PPTP tunnel to a VPN provider. I am going to set up a couple of internal clients in my network so that they are always tunneled through this provider.
The first step is to set up a basic tunnel to the PPTP provider:
set interfaces pptp-client pptpc0 default-route none
set interfaces pptp-client pptpc0 description 'VPN to privateinternetaccess.com'
set interfaces pptp-client pptpc0 mtu 1500
set interfaces pptp-client pptpc0 name-server auto
set interfaces pptp-client pptpc0 require-mppe
set interfaces pptp-client pptpc0 server-ip country.privateinternetaccess.com
set interfaces pptp-client pptpc0 user-id someusername
set interfaces pptp-client pptpc0 password superlongpassword
Now we create a separate routing table (table 1) whose default route sends traffic out through the tunnel interface:
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0
Then we set up a firewall address group called PPTP_CLIENTS containing all the clients we want to route through the VPN tunnel, and a modify rule that sends traffic from that group to table 1. In my case I have one client in VLAN 30 (trusted Wi-Fi) and one client in VLAN 40 (guest Wi-Fi).
set firewall ip-src-route enable
set firewall group address-group PPTP_CLIENTS address 192.168.30.15
set firewall group address-group PPTP_CLIENTS address 192.168.40.10
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via VPN'
set firewall modify SOURCE_ROUTE rule 10 source group address-group PPTP_CLIENTS
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth3 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 40 firewall in modify SOURCE_ROUTE
It's important to bind this source-routing rule to every interface that may carry clients you want to tunnel; the last two lines do this.
Finally we set up all traffic leaving through the tunnel to be NATed (masqueraded) behind the tunnel interface:
set service nat rule 5010 outbound-interface pptpc0
set service nat rule 5010 type masquerade
set service nat rule 5010 description "Outbound NAT on PPTP tunnel interface"
The last step is to run traceroute or visit whatismyip.com from the clients to confirm that their traffic is actually tunneled 🙂
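Before relying on traceroute alone, it is worth checking the configuration itself for the mistake the post warns about: a client added to PPTP_CLIENTS on a VLAN whose interface never got the SOURCE_ROUTE binding quietly keeps using the normal default route. The script below is an added example written for this post, not code from the router vendor or any tool the post uses. It parses the `set` commands shown above (embedded as a constructed sample with the credentials replaced by placeholders), and only understands the command shapes used here. The VLAN-to-subnet mapping is a constructed assumption that you would replace with your own interface addressing.

```python
"""Check an EdgeOS/Vyatta-style PPTP policy-routing config for clients that would leak."""
import ipaddress
import shlex

# Constructed sample: the post's commands with credentials replaced by placeholders.
SAMPLE_CONFIG = """
set interfaces pptp-client pptpc0 default-route none
set interfaces pptp-client pptpc0 description 'VPN to privateinternetaccess.com'
set interfaces pptp-client pptpc0 mtu 1500
set interfaces pptp-client pptpc0 name-server auto
set interfaces pptp-client pptpc0 require-mppe
set interfaces pptp-client pptpc0 server-ip country.privateinternetaccess.com
set interfaces pptp-client pptpc0 user-id USERNAME_PLACEHOLDER
set interfaces pptp-client pptpc0 password PASSWORD_PLACEHOLDER
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0
set firewall ip-src-route enable
set firewall group address-group PPTP_CLIENTS address 192.168.30.15
set firewall group address-group PPTP_CLIENTS address 192.168.40.10
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via VPN'
set firewall modify SOURCE_ROUTE rule 10 source group address-group PPTP_CLIENTS
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth3 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 40 firewall in modify SOURCE_ROUTE
set service nat rule 5010 outbound-interface pptpc0
set service nat rule 5010 type masquerade
set service nat rule 5010 description "Outbound NAT on PPTP tunnel interface"
"""

# Constructed assumption: the subnet attached to each VLAN sub-interface.
VLAN_SUBNETS = {
    "eth3 vif 30": ipaddress.ip_network("192.168.30.0/24"),
    "eth3 vif 40": ipaddress.ip_network("192.168.40.0/24"),
    "eth3 vif 50": ipaddress.ip_network("192.168.50.0/24"),
}


def parse_set_commands(text):
    """Return each `set` line as a token list (shell-style quoting honoured)."""
    return [shlex.split(l.strip())[1:] for l in text.splitlines() if l.strip().startswith("set ")]


def address_groups(cmds):
    """group name -> set of member addresses."""
    groups = {}
    for c in cmds:
        if c[:3] == ["firewall", "group", "address-group"] and len(c) >= 6 and c[4] == "address":
            groups.setdefault(c[3], set()).add(ipaddress.ip_address(c[5]))
    return groups


def modify_rules(cmds):
    """ruleset -> {rule number -> {"group": ..., "table": ...}}."""
    rules = {}
    for c in cmds:
        if c[:2] == ["firewall", "modify"] and len(c) >= 5 and c[3] == "rule":
            rule, rest = rules.setdefault(c[2], {}).setdefault(c[4], {}), c[5:]
            if rest[:3] == ["source", "group", "address-group"]:
                rule["group"] = rest[3]
            elif rest[:2] == ["modify", "table"]:
                rule["table"] = rest[2]
    return rules


def ruleset_bindings(cmds):
    """ruleset -> set of interfaces ("eth3 vif 30") where it is applied inbound."""
    bound = {}
    for c in cmds:
        if c[:2] == ["interfaces", "ethernet"] and "firewall" in c:
            fw = c.index("firewall")
            if c[fw + 1:fw + 3] == ["in", "modify"] and len(c) > fw + 3:
                bound.setdefault(c[fw + 3], set()).add(" ".join(c[2:fw]))
    return bound


def table_egress(cmds):
    """routing table -> set of next-hop interfaces of its default interface-route."""
    egress = {}
    for c in cmds:
        if c[:3] == ["protocols", "static", "table"] and len(c) >= 8 \
                and c[4:6] == ["interface-route", "0.0.0.0/0"] and c[6] == "next-hop-interface":
            egress.setdefault(c[3], set()).add(c[7])
    return egress


def masquerade_interfaces(cmds):
    """Outbound interfaces that have a masquerade NAT rule."""
    rules = {}
    for c in cmds:
        if c[:3] == ["service", "nat", "rule"] and len(c) >= 6:
            r = rules.setdefault(c[3], {})
            if c[4:6] == ["type", "masquerade"]:
                r["masq"] = True
            elif c[4] == "outbound-interface":
                r["iface"] = c[5]
    return {r["iface"] for r in rules.values() if r.get("masq") and "iface" in r}


def check_policy_routing(text, vlan_subnets=VLAN_SUBNETS):
    """Return a list of findings; an empty list means every group member is covered."""
    cmds = parse_set_commands(text)
    groups, bound = address_groups(cmds), ruleset_bindings(cmds)
    egress, masq = table_egress(cmds), masquerade_interfaces(cmds)
    findings = []
    # The tunnel must not replace the main default route, or everything is tunneled.
    if ["interfaces", "pptp-client", "pptpc0", "default-route", "none"] not in cmds:
        findings.append("pptpc0: default-route is not 'none'")
    for ruleset, rules in modify_rules(cmds).items():
        for no, rule in rules.items():
            tunnels = egress.get(rule.get("table"), set())
            if not tunnels:
                findings.append(f"{ruleset} rule {no}: table {rule.get('table')} has no default route")
            findings += [f"{ruleset} rule {no}: no masquerade NAT on {t}" for t in tunnels if t not in masq]
            for addr in sorted(groups.get(rule.get("group"), ())):
                for name, net in vlan_subnets.items():
                    if addr in net and name not in bound.get(ruleset, set()):
                        findings.append(f"{addr}: {name} lacks 'firewall in modify {ruleset}' (leaks)")
    return findings


if __name__ == "__main__":
    print(check_policy_routing(SAMPLE_CONFIG) or "all PPTP_CLIENTS members are routed via the tunnel")
```

Run it against a `show configuration commands` dump instead of the embedded sample to check a live router; the findings list names the interface that still needs the `firewall in modify` binding, the missing table route, or the missing masquerade rule.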