Solved PPTP VPN server assign static IP for clients


tymchyshyn90

Occasional Visitor
Hi!

Some of my clients connect to the PPTP VPN server running on my AC68U. Is there any way to assign static IPs to clients?
 

eibgrad

Very Senior Member
It's been ages since I used PPTP, but iirc, the underlying authentication file (chap-secrets) is what gets created in response to what you specify in the username and password fields of the GUI. And that chap-secrets file contains four fields, the first and third of which are where the username and password are stored. The fourth field is optional and allows you to specify a preferred IP address for the named user. However, the GUI does NOT expose that optional field! As a result, it forces you to accept whatever IP the PPTP server deems is available.

Although I've never tried it, what you might be able to do is NOT specify any username/passwords on the GUI, but instead use a postconf script for the pptpd.conf file and add the username, password, and preferred IP address to that chap-secrets file (/tmp/pptpd/chap-secrets) at runtime.

Code:
eduardo * 8RX1p3inL9bfcMWF 192.168.1.100
pedro * LamxQ7t1r5u6BR22 192.168.1.101
...

IOW, just configure the chap-secrets file to your liking. Either overwrite the /tmp/pptpd/chap-secrets file, or replace the file reference w/ your own (/jffs/chap-secrets).

Again, I haven't tried this. I'm just thinking out loud about how I would deal w/ the issue if forced to use PPTP for some reason (obviously PPTP is strongly discouraged around here due to its serious security issues).
 

tymchyshyn90

Occasional Visitor
Thank you for your response! I just tried it.

In pptpd.conf:

localip 192.168.0.1
remoteip 192.168.10.1-10
bcrelay br0,pptp[0-9]+

What can I change in this? Information about the "chap-secrets" location is stored in options.pptpd.
I tried to assign an IP in "chap-secrets", and tried to create another file and change the location in options.pptpd. But when I restart the service, all configurations are restored from the firmware, with no result...
 

eibgrad

Very Senior Member
Yeah, it's a little misleading. The post conf script is merely being used as a trigger in this case. The actual file you need to change in response to the trigger is the options file (/tmp/pptpd/options.pptpd). In that file you'll see the following:

Code:
chap-secrets /tmp/pptpd/chap-secrets

It's that file you'll either need to change or replace.

P.S. If it doesn't work (I just saw your updated response), it may be a timing issue.
 

eibgrad

Very Senior Member
If you still have problems, I may have to play w/ it myself to be sure it's possible. Remember, I was just thinking out loud w/o actually testing it.
 

tymchyshyn90

Occasional Visitor
I tried to change and replace it. But after restarting the service, all files are restored from the firmware.
 

tymchyshyn90

Occasional Visitor
I created "options.pptpd" and "chap-secrets" in /jffs/configs

Created script:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "option /jffs/configs/options.pptpd" $CONFIG


After that, "/tmp/pptpd/pptpd.conf" changes after a restart, when it is restored from the firmware:
localip 192.168.0.1
remoteip 192.168.10.1-10
bcrelay br0,pptp[0-9]+
option /jffs/configs/options.pptpd

In /jffs/configs/options.pptpd I changed the location of "chap-secrets" to /jffs/configs/chap-secrets

It would seem that everything should work. But no, the client receives an IP from the beginning of the IP pool, not the one I specified manually...
 

eibgrad

Very Senior Member
Please be patient. I believe I have something working (and know why what you did is NOT working). I'm just putting it all together at the moment.
 

eibgrad

Very Senior Member
This is a bit trickier than usual because the file we're triggering (/tmp/pptpd/pptpd.conf) is NOT the file that needs modification (/tmp/pptpd/chap-secrets). And once triggered, any attempt to modify /tmp/pptpd/options.pptpd seems to get overwritten. So I used a different approach.

The following postconf script only changes the contents of the default /tmp/pptpd/chap-secrets file. In order to prevent any overwrites of our changes by the PPTP process, it runs in the background and waits 10 seconds for the PPTP server to get fully established, *then* overwrites it.

Code:
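#!/bin/sh
# Run once from an SSH shell: creates the postconf script that is triggered
# for /tmp/pptpd/pptpd.conf.

mkdir -p /jffs/scripts

cat << "_EOF" > /jffs/scripts/pptpd.postconf
#!/bin/sh
# Background subshell, so the trigger returns immediately.
(
# Give the PPTP server time to finish writing its own chap-secrets.
sleep 10

# Replace it; fields are: username, server, password, preferred IP.
cat << "EOF" > /tmp/pptpd/chap-secrets
eduardo * 8RX1p3inL9bfcMWF 192.168.1.100
pedro * LamxQ7t1r5u6BR22 192.168.1.101
EOF
) &
_EOF

chmod +x /jffs/scripts/pptpd.postconf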

Once you specify your own username/passwords and IPs, you can open a shell (ssh) and copy/paste the script into the window. It will automatically create and configure the necessary postconf script.

Of course, like all postconf scripts, you need to have JFFS and JFFS scripts enabled under System->Administration.

Note, I did NOT test this w/ a PPTP client. I just don't have one available at the moment (mostly because my smartphone (iOS) no longer supports it!). But I can see the chap-secrets file has changed and so it *should* work now (assuming it hasn't cached it prior to the changes).
 

eibgrad

Very Senior Member
Thank you so much! It works!
But I deleted sleep 10, because the client connected faster with the old config.

The sleep command does NOT affect how fast the client connects. The sleep is only there for when the PPTP server is getting established. It's needed to ensure that the PPTP server doesn't overwrite our changes. It does this by waiting a few seconds to make sure the PPTP server is done configuring the chap-secrets file, then we make our changes. But that only happens ONCE, at the time the PPTP server is started. If you mess w/ the sleep setting, I can't guarantee it will always work. You could probably reduce it a bit, say 3, 4 or 5 seconds, but I don't recommend eliminating it.
 

tymchyshyn90

Occasional Visitor
I tried SLEEP 1, then restarted pptpd.

But my client (MIKROTIK) auto-reconnected with an IP other than the manually assigned one. When I delete the sleep, all is OK.
 

eibgrad

Very Senior Member
Well yeah, if your client is connecting so fast to the restarted PPTP server that the script hasn't even had a chance to update the chap-secrets file, that's why! But I wouldn't normally expect a PPTP client to connect to a just started PPTP server within 1 or 2 seconds!

The reason we're adding this slight delay is to prevent the PPTP server from possibly overwriting the chap-secrets file *after* we've made our changes. But if you find that's not happening, and the changes persist w/o the need for the sleep command, that's great. But that wasn't something I was willing to risk. If you are, go for it.
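
As an added example (not code from any poster in this thread or from the firmware), the sketch below checks a chap-secrets file in the four-field layout described above and installs it readable by its owner only, since the file holds plaintext passwords. The function names are hypothetical, and it assumes secrets contain no whitespace.

```shell
#!/bin/sh
# Added example: lint a chap-secrets file, then install it owner-readable only.
# Assumes whitespace-separated fields with no quoted secrets containing spaces.

# check_chap_secrets FILE: report problems (never the password field);
# returns 0 only when every entry is well formed and no address repeats.
check_chap_secrets() {
    awk '
    function valid_ip(ip,   n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad++; next }
    $4 == "*" { next }                        # no fixed address requested
    !valid_ip($4) { printf "line %d: bad IPv4 address %s\n", NR, $4; bad++; next }
    ($4 in seen) { printf "line %d: %s already given to %s\n", NR, $4, seen[$4]; bad++; next }
    { seen[$4] = $1 }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# install_chap_secrets SRC DST: validate SRC, then replace DST in one rename.
install_chap_secrets() {
    src=$1; dst=$2; tmp="$dst.new.$$"
    check_chap_secrets "$src" >&2 || return 1
    # umask 077 in a subshell: the copy is mode 600 from the moment it exists.
    ( umask 077 && cat "$src" > "$tmp" ) || return 1
    mv -f "$tmp" "$dst"                       # same directory, so DST is never half-written
}

# Constructed sample: two users accidentally share one address.
demo=$(mktemp -d)
printf '%s\n' 'user1 * examplepass1 192.168.1.100' \
              'user2 * examplepass2 192.168.1.100' > "$demo/chap-secrets"
install_chap_secrets "$demo/chap-secrets" "$demo/installed" \
    || echo "rejected, nothing installed"
rm -rf "$demo"
```

Inside the postconf script, the inner heredoc could be replaced by a call such as `install_chap_secrets /jffs/chap-secrets /tmp/pptpd/chap-secrets` after the sleep, with both functions defined in that script.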
 
