PPTP VPN Client - Route only traffic for remote site

Faw

I don't know if there is a way to do this in the GUI with Merlin, so I'm asking here.
I'm connecting to a remote site through PPTP, the remote site address range is 192.168.10.???.
My local address is 192.168.1.???.

When the client is up all traffic goes through the VPN, so it slows everything down.
I want only requests to the remote site (192.168.10.???) to go through the VPN.

Is there a way to do that with the GUI? If not, how do I do it?
 
Most PPTP client implementations do NOT support PBR (policy based routing), similar to what you see w/ the OpenVPN client and the VPN Director. So *everything* gets routed over the PPTP VPN, including internet access.

PPTP is so rarely used these days (due to serious security concerns), there's never been a good reason to implement PBR. Sometimes you can override directives (i.e., in this case, whatever directive determines whether to change the default gateway to the VPN) using a postconf file, but in this case, all I see from the Merlin wiki is a postconf for the PPTP server, NOT the client.

I think you'd have to find another way, such as monitoring the network for the successful PPTP connection, then overriding the change in the default gateway back to the WAN. A bit hokey, but it probably can be done.

That's the problem w/ PPTP these days. The support was never all that great to begin with, but at this point, w/ the protocol effectively deprecated, there's absolutely no incentive to improve things. Basically, it is what it is, for better or worse (mostly the latter).

Of course, you could switch to OpenVPN and you wouldn't have this problem AT ALL, and better security to boot!
 
I was rewriting some of my existing scripts for better file management purposes and decided to tackle this problem while I'm at it. I hadn't done anything w/ PPTP in years, so I figured why not.


I wrote the script in such a way that it will hopefully be usable by others w/ similar needs (however ever diminishing that audience may be).

You need to set "Enable JFFS custom scripts and configs" in Administration > System to Yes. Then ssh into the router and copy/paste the following, which will download and run the script for installation purposes.

Code:
curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s MLtSBb6E

It will create and configure the following two (2) files.

Code:
/jffs/scripts/merlin-pptp-gw-override.sh
/jffs/scripts/init-start

NOTE: As a safety precaution, it will NOT overwrite any pre-existing init-start script, including its own.

You can edit the merlin* file w/ your preferred options. They should be self-explanatory (if NOT, let me know). Minimally that will include your own remotely accessible ip(s)/network(s) over the VPN.

Code:
nano /jffs/scripts/merlin-pptp-gw-override.sh

Finally, reboot.

It will monitor the system waiting for the PPTP client to get established. If and when found, it will delete the overrides that change the default gateway to the VPN, then add your own static routing.

By default, it only runs long enough to do the fixup, then quits. Hence, I specified a very small polling interval (30 secs). If you decide to run it continuously, you might want to increase that a bit, perhaps 60 or even 120 secs. Even if you choose NOT to run it continuously (which is just a convenience), you can always execute it manually from the command line.

Code:
/jffs/scripts/merlin-pptp-gw-override.sh

To uninstall the script, ssh into the router again, copy/paste the following commands, and reboot.

Code:
rm -f /jffs/scripts/merlin-pptp-gw-override.sh
rm -f /jffs/scripts/init-start

Just to restate, I still think you're way better off using OpenVPN instead, if only for the additional security. But I also realize ppl are still going to turn to PPTP for a variety of reasons. Frankly, I had a difficult time even finding a public PPTP server I could trust. Many commercial VPN providers have abandoned it (at least the ones I frequent). Ended up having to configure a PPTP server in my lab.
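
The install command in the post above pipes a download straight into sh, with certificate checking turned off (-k) and a URL shortener in the path. As an added example (not the script author's code), this stages the same installer to a file so it can be read first, and runs only a copy whose SHA-256 matches one you recorded; the https:// scheme, the /tmp path and the pinned hash are assumptions or placeholders you supply.

```shell
#!/bin/sh
# Added example: stage, pin and review the installer instead of piping it to sh.
# The bit.ly URL and the MLtSBb6E argument are the ones in the post; the
# destination path and the pinned hash are placeholders supplied by the reader.

# Download to a file with TLS verification left on (no -k). -f fails on HTTP
# errors, and --proto/--proto-redir keep every redirect hop on HTTPS.
stage_installer() {
    url=$1 dest=$2
    curl -fLsS --proto '=https' --proto-redir '=https' -o "$dest.raw" "$url" || return 1
    tr -d '\r' < "$dest.raw" > "$dest" && rm -f "$dest.raw"
}

# Succeeds only when the staged file matches a SHA-256 recorded from a copy
# that was already read and accepted. An empty pin never matches.
matches_pin() {
    file=$1 pinned=$2
    [ -r "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ -n "$pinned" ] && [ "$actual" = "$pinned" ]
}

# Run the staged copy only if it still matches the pin; remaining arguments
# are passed through to the installer (the post passes MLtSBb6E).
run_if_pinned() {
    file=$1 pinned=$2
    shift 2
    matches_pin "$file" "$pinned" || { echo "hash mismatch: not running $file" >&2; return 1; }
    sh "$file" "$@"
}

# Usage on the router (not executed here):
#   stage_installer https://bit.ly/merlin-installer /tmp/merlin-installer.sh
#   cat /tmp/merlin-installer.sh                 # read it before running it
#   run_if_pinned /tmp/merlin-installer.sh <sha256-you-recorded> MLtSBb6E
```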
 
Sweet, that works. Thanks.

I would use OpenVPN (even L2TP) but I don't like dealing with issuing/renewing certificates and all that crap just for a remote connection. PPTP is the easiest although least secure. I'm eagerly waiting for the Wireguard stuff in Merlin though.

PS: In the examples the script is merlin-pptp-gw-override.sh, then you used merlin-vpnc-gw-override.sh.
 
PS: In the examples the script is merlin-pptp-gw-override.sh, then you used merlin-vpnc-gw-override.sh.

Thanks. I'll correct it. I had renamed it several times. Decided against vpnc in favor of pptp to make it clearer what it was for.
 
Hi eibgrad,

I was looking for something like this, to be honest even if PPTP is legacy I guess it is still pretty functional, I will explain my case. I'm not looking for security and just need a tunnel, for gaming experience this is all that matters since it can have better performance, also many game servers block traffic coming from VPN encrypted tunnels as it also hides information about the users/players, opening a gate for attackers.

I have tested several VPN providers, using OpenVPN with UDP, TCP and recently Wireguard, the Wireguard had the best performance but it still hides the information, making the servers block the connections from players.
Today I have tested PPTP and it worked like a charm, my intention was only to be able to connect in lobbies of ppl that speak my native language as I'm living in a different country now, so this protocol worked perfectly for me.

I was looking into your script and wanted to understand how the script applies the new static routes? In my case, I just want a few IP addresses being routed to the PPTP tunnel, I saw this:

# create static routes to remote ip(s)/network(s) over vpn
for i in $REMOTE_NET; do
ip route add $i via $VPN_IP dev $VPN_IF
done

But I didn't understand how I can set these specific IPs to be inserted with these lines, can you help me?

Thank you!
Curse.
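
The loop quoted in the post above word-splits REMOTE_NET on whitespace and adds one route per entry, so single hosts and whole networks are listed in the same space-separated string. As an added example (not part of the original script, whose other contents are not shown on this page), here is a dry-run version that checks each entry before printing the `ip route add` line it would produce; the sample addresses and the interface name `ppp5` are constructed.

```shell
#!/bin/sh
# Added example: dry-run planner for the static-route loop quoted above.
# REMOTE_NET, VPN_IP and VPN_IF are the names used in that loop; the
# values at the bottom are constructed samples.

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_target() {
    addr=${1%%/*}
    case $1 in
        */*) len=${1#*/} ;;
        *)   len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                 # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints one "ip route add" line per valid entry; rejects go to stderr.
# Nothing is executed, so the plan can be read before it is applied.
plan_routes() {
    remote_net=$1 vpn_ip=$2 vpn_if=$3
    set -f                       # no filename globbing while word-splitting
    for target in $remote_net; do
        if valid_target "$target"; then
            echo "ip route add $target via $vpn_ip dev $vpn_if"
        else
            echo "skipped invalid entry: $target" >&2
        fi
    done
    set +f
}

# Constructed sample values: one remote LAN, one single host, one typo.
REMOTE_NET="192.168.10.0/24 203.0.113.25 192.168.300.1"
VPN_IP="10.0.0.1"
VPN_IF="ppp5"
plan_routes "$REMOTE_NET" "$VPN_IP" "$VPN_IF"
```

An entry without a prefix length is treated by `ip route` as a single host (/32), which is the form to use for "just a few IP addresses".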
 
