Difference between revisions of "Linksys AC Series Router Configuration Tips for OpenWRT"

m
Line 2,359: Line 2,359:


===POPTOP / PPTPD===
===POPTOP / PPTPD===
First a warning so no one gets frustrated.  Right out of the box, the configuration for PPTPD from OpenWRT is broken.  The hint was found here: https://forum.openwrt.org/t/default-config-file-for-pptpd-lacks-logwtmp-option/4795  And as of 8.2020 it is still busted.  How to fix it?  Well, follow the below directions.
First a warning so no one gets frustrated.  Right out of the box, the configuration for PPTPD from OpenWRT is broken.  The hint for correcting it was found here: https://forum.openwrt.org/t/default-config-file-for-pptpd-lacks-logwtmp-option/4795  And as of 8.2020 it is still busted.  How to fix it?  Well, follow the below directions. Hint, this is the key setting in the /etc/config/pptpd file to get it functional (see below for more information): option 'logwtmp' '0'
 
option 'logwtmp' '0'


====Installation====
====Installation====
opkg install pptpd ppp (dependencies will automatically be installed if just pptpd is installed)
opkg install pptpd ppp (dependencies will automatically be installed if just pptpd is installed)


There is no LuCI GUI available
There is no LuCI GUI available.  Oddly, given there is no LuCI GUI, OpenWRT configuration of PPTPD is done through an /etc/config/ppptd file (usually this is only reserved for services that have a companion LuCI GUI available)


====Configuration and other PPTPD Related File Locations====
====Configuration and other PPTPD Related File Locations====
OpenWRT PPTPD Configuration File: /etc/config/pptpd
PPTPD Configuration File: /etc/pptpd.conf* (BIG Asterisk here, see below)
(This can be seen in the /etc/init.d/pptpd startup script where the actual location is /tmp/etc/pptpd.conf.  This makes sense if PPTPD within the OpenWRT configuration paradigm)
PPP Configuration Files: /etc/ppp
chap-secrets (AKA User Names and Passwords for PPTPD): /etc/ppp/chap-secrets (/tmp/etc/chap-secrets)
Resolve File: /etc/ppp/resolv.conf (/tmp/resolv.conf.ppp)


NOTE: Several of the above files are symbolic links.  The original files are noted in parenthesis ( ).
* OpenWRT PPTPD Configuration File: /etc/config/pptpd
* PPTPD Configuration File: /etc/pptpd.conf* (BIG Asterisk here, see below) (as part of the /etc/init.d/pptpd startup script, this file is copied to /var/etc/pptpd.conf.  This could be changed in the startup script, but to keep things withing the OpenWRT configuration paradigm things can be left as they are, but just know this is going on behind the scenes.)
* PPP Configuration Files: /etc/ppp
** /etc/ppp/chap-secrets (AKA User Names and Passwords for PPTPD): /etc/ppp/chap-secrets (the /etc/ppp/chap-secrets is actually "located" here /tmp/etc/chap-secrets and is dynamically generated by the /etc/init.d/pptpd startup script.  When PPTPD is started a symbolic link is created as /etc/ppp/chapt-secrets which is pointed to /tmp/etc/chap-secrets.  It should also be noted the pptpd package contains an /etc/ppp/chap-secrets file that is empty except for some commented out column headings.  This might lead one to believe that this is the file where user names and passwords are created for PPTPD.  This is not the case.  The user names and passwords are dynamicaly generated as previously noted and the information used when it is generated is derived from the /etc/config/ppptp file.  So make sure user names and passwords are created in the /etc/config/pptpd file in the format noted in the example below)
** /etc/ppp/filter (OpenWRT PPTPD doesn't seem to utilize the settings in this file, even though it is included, so probably relegated to PPP only stuff.  Research indicates it seems to be related to "allowed" outbound protocols)
** /etc/ppp/options (This file contains the ppp (Point to Point Protocol) configuration and can be left with default settings.  Do not confuse it with the options.pptpd file which is used for PPTPD PPP settings.  IE, PPP is used for more than PPTPD and the plain options file is just for PPP)
** /etc/ppp/options.pptpd (this file is copied to /var/etc/options.pptpd in the /etc/init.d/pptpd startup script)
** /etc/ppp/resolv.conf (this file isn't necessary for PPTPD to function, but can be used for DNS name resolution.) (The /etc/ppp/resolv.conf file is also a symbolic link pointing to /tmp/resolv.conf.ppp, which is created by other OpenWRT services.)


====Configuring PPTPD====
====Configuring PPTPD====
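Review bot: The new Installation sentence and the rewritten chap-secrets bullet misspell the paths a reader is told to edit: "/etc/config/ppptd", "/etc/config/ppptp" and "/etc/ppp/chapt-secrets" should read /etc/config/pptpd and /etc/ppp/chap-secrets, as they do elsewhere in the same section ("withing" and "dynamicaly" also need fixing). The new list puts the copied pptpd.conf and options.pptpd under /var/etc but chap-secrets and resolv.conf under /tmp, and the removed text gave /tmp/etc/pptpd.conf for the same file, so say how the two directories relate or use one consistently. The chap-secrets bullet now makes clear that PPTPD user names and passwords are kept in /etc/config/pptpd, so a line on who can read that file and the generated /tmp/etc/chap-secrets would be a useful addition.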
Line 2,398: Line 2,392:
option 'username' 'AnotherUserNameETC'
option 'username' 'AnotherUserNameETC'
option 'password' 'AnotherPaswordETC'
option 'password' 'AnotherPaswordETC'
</syntaxhighlight>Notice the ''option 'logwtmp' '0'<nowiki/>'' line.  It MUST be included for the service to start (or the startup script has to be modified).  And of course substitute the W.X.Y.Z and ABC with your own IP Address range.
</syntaxhighlight>Notice the ''option 'logwtmp' '0'<nowiki/>'' line.  It MUST be included for the service to start (or the startup script in /etc/init.d/pptpd has to be modified).  And of course substitute the W.X.Y.Z and ABC with your own IP Address range.


The above noted "logwtmp" setting is NOT included in the default pptpd file.  That's odd, because the /etc/init.d/pptpd startup script explicilty checks for the existence of that setting and will show an "sh: out of range" error message if it is not included.  And the main OpenWRT [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic documentation page for PPTPD] does not mention it at all.  It's almost like the nice people at OpenWRT don't want PPTPD to be used.  It is a somewhat "old & busted" VPN protocol (Google it), so using a more modern alternative like OpenVPN would be a good choice.  But sometimes it is necessary to support older protocols such as this.
The above noted "logwtmp" setting is NOT included in the default pptpd file.  That is very, very odd, because the /etc/init.d/pptpd startup script explicilty checks for the existence of that setting and will show an "sh: out of range" error message if it is not included.  So why would the default startup script requre a setting that isn't included in the default configuration file?  Additionally the main OpenWRT [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic documentation page for PPTPD] does not mention it at all.  It's almost like the nice people at OpenWRT don't want PPTPD to be used.  It is a somewhat "old & busted" VPN protocol (Google it), so using a more modern alternative like OpenVPN would be a good choice.  But sometimes it is necessary to support older protocols such as this.


From there everything gets better.  The following files can be manually configured and the PPTPD startup script copies them to the /var/etc directory for the service to use when it starts up;
From there everything gets better.  The following files can be manually configured and the PPTPD startup script copies them to the /var/etc directory for the service to use when it starts up;


*/etc/pptpd.conf (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/pptpd.conf (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/ppp/options
*/etc/ppp/options (this can be left with default OpenWRT settings)
*/etc/ppp/options.pptpd (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/ppp/options.pptpd (see below for a working version of this file, slightly different than the default OpenWRT version)
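Review bot: The rewritten logwtmp paragraph adds "requre" and leaves "explicilty" uncorrected; fix both while the line is being edited. The list intro says the startup script copies all three files to /var/etc, but the file-locations list earlier on the page says that only of pptpd.conf and options.pptpd, so the new "(this can be left with default OpenWRT settings)" remark on /etc/ppp/options should also state whether that file is copied or read in place. The example placeholder 'AnotherPaswordETC' in the context lines is misspelled as well.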


Line 2,502: Line 2,496:


====Additional Information====
====Additional Information====
The [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic information on the OpenWRT site on PPTP] is a bit misleading, because as noted above /etc/pptpd.conf is not the true configuration file. It is actually generated dynamically as many OpenWRT services are.  It also references an issue with the /etc/init.d/pptpd startup script that no longer seems to exist.
The [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic information on the OpenWRT site on PPTP] is a bit misleading (possibly just outdated), because as noted above /etc/pptpd.conf is not the true configuration file. It is actually generated dynamically as many OpenWRT services are.  The article also references an issue with the /etc/init.d/pptpd startup script that no longer seems to exist.


This option for the /etc/ppp/options.pptpd is NOT supported by the OpenWRT PPTPD service: require-mppe-128 (an In file /var/etc/options.pptpd: unrecognized option 'require-mppe-128' error will occur if it is included).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).
This option for the /etc/ppp/options.pptpd is NOT supported by the OpenWRT PPTPD service: require-mppe-128 (an error message of: In file /var/etc/options.pptpd: unrecognized option 'require-mppe-128' error will occur if it is included).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).  So do not include require-mppe-128 in the /etc/ppp/options.pptpd.


===OpenVPN===
===OpenVPN===
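Review bot: The added closing sentence tells readers to drop require-mppe-128 on the grounds that MPPE-128 is "enabled by default", but the evidence quoted is a log line saying encryption was enabled for a session, which is not the same as it being required. Please say whether a client that does not negotiate MPPE is refused, or how a reader can confirm that from pptp-server.log, before presenting the option as unnecessary. The reworded error text now reads "an error message of: ... error will occur" with "error" doubled, and "unneccessary" is still misspelled.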
Line 2,571: Line 2,565:
*Watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructure.
*Watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructure.


====== Configuring a Certificate Authority Infrastructure (Certificate Authority, Server Certificate, Client Certificate(s) ======
======Configuring a Certificate Authority Infrastructure (Certificate Authority, Server Certificate, Client Certificate(s)======
For some odd reason (possibly troubleshooting), it is possible to create an OpenVPN infrastructure that transmits information ''without'' encryption.  That's a bit too "open".  In order to encrypt communication one must create a "Certificate Infrastructure".  This includes first, a Certificate Authority (CA), then a certificate for a Server, then certificate(s) for clients.
For some odd reason (possibly troubleshooting), it is possible to create an OpenVPN infrastructure that transmits information ''without'' encryption.  That's a bit too "open".  In order to encrypt communication one must create a "Certificate Infrastructure".  This includes first, a Certificate Authority (CA), then a certificate for a Server, then certificate(s) for clients.
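Review bot: The heading edited here only loses its padding spaces and still has an unbalanced parenthesis: "(Certificate Authority, Server Certificate, Client Certificate(s)" needs a closing ")" before the trailing "======". Worth fixing in the same edit since the line is already being touched.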


Line 2,578: Line 2,572:
If the Webmin module is configured as noted below, the entire certificate infrastructure (minus OpenSSL settings) will be stored in /etc/openvpn/keys
If the Webmin module is configured as noted below, the entire certificate infrastructure (minus OpenSSL settings) will be stored in /etc/openvpn/keys


* Create a Certificate Authority
*Create a Certificate Authority


==== Webmin for OpenVPN and Certificate Management ====
====Webmin for OpenVPN and Certificate Management====
Only some features of the Webmin Module are useful.  First and foremost is the Certificate management.  Works great.  As noted above, watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructure.  Bad design, oh, well.
Only some features of the Webmin Module are useful.  First and foremost is the Certificate management.  Works great.  As noted above, watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructure.  Bad design, oh, well.


Line 2,591: Line 2,585:
The Webmin module for OpenVPN & Certificate management is not a "standard module".
The Webmin module for OpenVPN & Certificate management is not a "standard module".


* Install in the Webmin interface: Webmin, Webmin Configuration, Webmin Modules, Install from Local File, Select File, Install Module.
*Install in the Webmin interface: Webmin, Webmin Configuration, Webmin Modules, Install from Local File, Select File, Install Module.
** Download the module if the Webmin interface doesn't populate with available modules
**Download the module if the Webmin interface doesn't populate with available modules
*** wget https://www.webmin.com/cgi-bin/search_third.cgi?modules=1
***wget https://www.webmin.com/cgi-bin/search_third.cgi?modules=1
**** If wget displays an error, make sure the full version of wget is installed (not the one built into BusyBox): opkg install wget
****If wget displays an error, make sure the full version of wget is installed (not the one built into BusyBox): opkg install wget
**** If a certificate error occurs, add this to the end of the wget line: --no-check-certificate
****If a certificate error occurs, add this to the end of the wget line: --no-check-certificate
*** Site: https://www.webmin.com/cgi-bin/search_third.cgi?modules=1
***Site: https://www.webmin.com/cgi-bin/search_third.cgi?modules=1
*** OpenVPN & Certificate Management Module Link (version 3.2): http://www.openit.it/downloads/OpenVPNadmin/openvpn-3.2.wbm.gz
***OpenVPN & Certificate Management Module Link (version 3.2): http://www.openit.it/downloads/OpenVPNadmin/openvpn-3.2.wbm.gz
*** Sometimes the interface seems to work, sometimes it doesn't.  Possibly due to Wemin site issues or Perl issues on a local machine.
***Sometimes the interface seems to work, sometimes it doesn't.  Possibly due to Wemin site issues or Perl issues on a local machine.
* By default, the OpenVPN... Module is located in Servers.  Given that it deals with Networking and an equivalent Module (PPTP) is located in Networking, it makes sense to relocate the Module to Networking
*By default, the OpenVPN... Module is located in Servers.  Given that it deals with Networking and an equivalent Module (PPTP) is located in Networking, it makes sense to relocate the Module to Networking
** Webmin, Webmin Configuration, Reassign Modules, OpenVPN..., Networking, Save
**Webmin, Webmin Configuration, Reassign Modules, OpenVPN..., Networking, Save


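Review bot: These list items are changed for whitespace only, but the content they carry deserves a second look while they are open: the wget step advises appending --no-check-certificate on a certificate error, and the module link (openvpn-3.2.wbm.gz) is plain http://, so the file that gets installed into Webmin is fetched with no integrity check at all. Suggest replacing the --no-check-certificate advice with a note to fix the router's CA certificates, and giving a checksum or an HTTPS source for the module. "Wemin" in the last sub-item should be "Webmin".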
Below is a working configuration file for the OpenVPN & Certificate Authority Module (/etc/webmin/openvpn)<syntaxhighlight lang="text">
Below is a working configuration file for the OpenVPN & Certificate Authority Module (/etc/webmin/openvpn)<syntaxhighlight lang="text">