Edgerouter PPTP client

Setting up a PPTP tunnel to a VPN provider.

My goal in this blogentry is to set up a permanent open PPTP tunnel to a VPN provider. I am going to set up a couple of internal clients in my network to always be tunneled through this provider.

The first step set up a basic tunnel to the PPTP tunnel provider

set interfaces pptp-client pptpc0 default-route none
set interfaces pptp-client pptpc0 description 'VPN to privateinternetaccess.com'
set interfaces pptp-client pptpc0 mtu 1500
set interfaces pptp-client pptpc0 name-server auto
set interfaces pptp-client pptpc0 require-mppe
set interfaces pptp-client pptpc0 server-ip country.privateinternetaccess.com
set interfaces pptp-client pptpc0 user-id someusername
set interfaces pptp-client pptpc0 password superlongpassword

Now we make a source-routing entry (number 1) to default route traffic through the tunnel interface

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0

Then we set up a firewall group called PPTP_CLIENTS which contains all the clients we want to route through the VPN tunnel. In my case here I have one client in my VLAN 30 (Wifi trusted) and one client in VLAN 40 (Wifi guest).

set firewall ip-src-route enable
set firewall group address-group PPTP_CLIENTS address 192.168.30.15
set firewall group address-group PPTP_CLIENTS address 192.168.40.10
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via VPN'
set firewall modify SOURCE_ROUTE rule 10 source group address-group PPTP_CLIENTS
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth3 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 40 firewall in modify SOURCE_ROUTE

It’s important to bind this source routing rule to each interface where you might have clients that you want to tunnel. This is done in the last two lines.

Finally we set up all VPN traffic to be natted through the tunnel.

set service nat rule 5010 outbound-interface pptpc0
set service nat rule 5010 type masquerade
set service nat rule 5010 description "Outbound NAT on PPTP tunnel interface"

Last step is to traceroute or use whatismyip.com from the clients to confirm that the traffic is actually tunneled 🙂

3 thoughts to “Edgerouter PPTP client”

  1. Hi.
    I stubled over your setup the other day, I have been trying to setup my edgerouter with vpn the last week, and managed to set it up with openvpn. When using no vpn i get a speed of 24mbs, when using openvpn it drops to 7mbs. I am using pptp today with my asus router, and would like to try the same with the edgerouter. I have tried your settings but get a little confused since i dont have any of the vlans you have setup. The setup i am hoping to achieve is as follows; i set the dhcp range of router to 192.168.1.128/25, so that all clients connecting with dhcp gets a ip address in the range 192.168.1.128-254. These clients should connect directly to my isp, also without going throug vpn. The devices that i want to go through the vpn i will assign ip adressses manually in the range 192.168.1.2-127. My vpn is expressvpn, and i am using it to connect to a danish server to watch danish tv.
    Could you help me with this pls? Thank you in advance, and best regards Lars

  2. I followed the stepsabove and it works. I am not using a VLan, just routing Ip’s on Eth0(LAN), Now all other IP’s will not go to the internet on Eth1.

    What Step did I miss?

  3. Looking to do something like this on an Edgerouter 4, i haven’t found documentation to help create something like this, any help would be appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *