
Solved PPTP VPN server assign static IP for clients


tymchyshyn90

Occasional Visitor
Hi!

Some of my clients connect to the PPTP VPN server running on my AC68U. Is there any way to assign a static IP to clients?
 
It's been ages since I used PPTP, but iirc, the underlying authentication file (chap-secrets) is what gets created in response to what you specify in the username and password fields of the GUI. And that chap-secrets file contains four fields, the first and third of which are where the username and password are stored. The fourth field is optional and allows you to specify a preferred IP address for the named user. However, the GUI does NOT expose that optional field! As a result, it forces you to accept whatever IP the PPTP server deems is available.

Although I've never tried it, what you might be able to do is NOT specify any username/passwords on the GUI, but instead use a postconf script for the pptpd.conf file and add the username, password, and preferred IP address to that chap-secrets file (/tmp/pptpd/chap-secrets) at runtime.

Code:
eduardo * 8RX1p3inL9bfcMWF 192.168.1.100
pedro * LamxQ7t1r5u6BR22 192.168.1.101
...

IOW, just configure the chap-secrets file to your liking. Either overwrite the /tmp/pptpd/chap-secrets file, or replace the file reference w/ your own (/jffs/chap-secrets).

Again, I haven't tried this. I'm just thinking out loud about how I would deal w/ the issue if forced to use PPTP for some reason (obviously PPTP is strongly discouraged around here due to its serious security issues).
 
Thank you for your response! I just tried it.

In pptpd.conf:

localip 192.168.0.1
remoteip 192.168.10.1-10
bcrelay br0,pptp[0-9]+

What can I change in this? Information about the "chap-secrets" location is stored in options.pptpd.
I tried to assign the IP in "chap-secrets", and tried to create another file and change the location in options.pptpd. But when I restart the service, all configurations are restored from firmware, and no result...
 
Yeah, it's a little misleading. The post conf script is merely being used as a trigger in this case. The actual file you need to change in response to the trigger is the options file (/tmp/pptpd/options.pptpd). In that file you'll see the following:

Code:
chap-secrets /tmp/pptpd/chap-secrets

It's that file you'll either need to change or replace.

P.S. If it doesn't work (I just saw your updated response), it may be a timing issue.
 
If you still have problems, I may have to play w/ it myself to be sure it's possible. Remember, I was just thinking out loud w/o actually testing it.
 
I tried to change and replace. But after restarting the service, all files are restored from firmware.
 
I created "options.pptpd" and "chap-secrets" in /jffs/configs

Created script:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "option /jffs/configs/options.pptpd" $CONFIG


After that, "/tmp/pptpd/pptpd.conf" changes after restart, when it is restored from firmware:
localip 192.168.0.1
remoteip 192.168.10.1-10
bcrelay br0,pptp[0-9]+
option /jffs/configs/options.pptpd

In /jffs/configs/options.pptpd I changed the location of "chap-secrets" to /jffs/configs/chap-secrets

It would seem that everything should work. But no, the client receives an IP from the beginning of the IP pool, not the one I specified manually...
 
Please be patient. I believe I have something working (and know why what you did is NOT working). I'm just putting it all together at the moment.
 
This is a bit trickier than usual because the file we're triggering (/tmp/pptpd/pptpd.conf) is NOT the file that needs modification (/tmp/pptpd/chap-secrets). And once triggered, any attempt to modify /tmp/pptpd/options.pptpd seems to get overwritten. So I used a different approach.

The following postconf script only changes the contents of the default /tmp/pptpd/chap-secrets file. In order to prevent any overwrites of our changes by the PPTP process, it runs in the background and waits 10 seconds for the PPTP server to get fully established, *then* overwrites it.

Code:
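#!/bin/sh

# Create the JFFS scripts directory if it does not exist yet.
mkdir -p /jffs/scripts

# Write the postconf script; the quoted "_EOF" delimiter keeps its body literal.
cat << "_EOF" > /jffs/scripts/pptpd.postconf
#!/bin/sh
(
# Give the PPTP server time to finish writing its own chap-secrets file.
sleep 10

# Overwrite chap-secrets; fields are: username, server, password, IP address.
cat << "EOF" > /tmp/pptpd/chap-secrets
eduardo * 8RX1p3inL9bfcMWF 192.168.1.100
pedro * LamxQ7t1r5u6BR22 192.168.1.101
EOF
) &
_EOF

# Make the postconf script executable.
chmod +x /jffs/scripts/pptpd.postconf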

Once you specify your own username/passwords and IPs, you can open a shell (ssh) and copy/paste the script into the window. It will automatically create and configure the necessary postconf script.

Of course, like all postconf scripts, you need to have JFFS and JFFS scripts enabled under System->Administration.

Note, I did NOT test this w/ a PPTP client. I just don't have one available at the moment (mostly because my smartphone (iOS) no longer supports it!). But I can see the chap-secrets file has changed and so it *should* work now (assuming it hasn't cached it prior to the changes).
 
Thank you so much! It works!
But I deleted sleep 10, because the client connected faster with the old config.

The sleep command does NOT affect how fast the client connects. The sleep is only there for when the PPTP server is getting established. It's needed to ensure that the PPTP server doesn't overwrite our changes. It does this by waiting a few seconds to make sure the PPTP server is done configuring the chap-secrets file, then we make our changes. But that only happens ONCE, at the time the PPTP server is started. If you mess w/ the sleep setting, I can't guarantee it will always work. You could probably reduce it a bit, say 3, 4 or 5 seconds, but I don't recommend eliminating it.
 
I tried SLEEP 1, then restarted pptpd.

But my client (MIKROTIK) auto-reconnects with an IP that was not manually assigned. When I delete sleep, all is OK.
 

Well yeah, if your client is connecting so fast to the restarted PPTP server that the script hasn't even had a chance to update the chap-secrets file, that's why! But I wouldn't normally expect a PPTP client to connect to a just started PPTP server within 1 or 2 seconds!

The reason we're adding this slight delay is to prevent the PPTP server from possibly overwriting the chap-secrets file *after* we've made our changes. But if you find that's not happening, and the changes persist w/o the need for the sleep command, that's great. But that wasn't something I was willing to risk. If you are, go for it.
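
An added example, not part of the thread: one way to cover both concerns raised above is to validate the four-field chap-secrets entries, install them immediately (so a fast-reconnecting client sees them), and then re-check a few times in case the PPTP server rewrites the file. The source path, re-check count and delay are assumptions; the validator is deliberately stricter than pppd and assumes passwords contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread). SRC is a hand-maintained secrets file at
# an assumed path such as /jffs/configs/chap-secrets.static; DST is the live
# /tmp/pptpd/chap-secrets named in the thread.

# Accept only "client server secret IPv4" lines with unique IPs. Assumes
# secrets contain no whitespace; pppd itself allows more forms in field 4.
check_chap_secrets() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # blank lines and comments
        NF != 4 { printf "line %d: expected 4 fields\n", NR; bad = 1; next }
        {
            ok = (split($4, o, ".") == 4)
            for (i = 1; i <= 4 && ok; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok) { printf "line %d: bad IP %s\n", NR, $4; bad = 1 }
            else if (seen[$4]++) { printf "line %d: duplicate IP %s\n", NR, $4; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Replace DST in one rename, so the server never reads a half-written file,
# and create it owner-only because it holds plaintext passwords.
install_secrets() {
    ( umask 077; rm -f "$2.new"; cp "$1" "$2.new" ) && mv -f "$2.new" "$2"
}

# apply_chap_secrets SRC DST RECHECKS DELAY
# Installs at once, then re-checks RECHECKS times, DELAY seconds apart, and
# re-installs whenever DST no longer matches SRC. Prints the install count.
apply_chap_secrets() {
    check_chap_secrets "$1" >&2 || return 1
    applied=0 i=0
    while :; do
        if ! cmp -s "$1" "$2"; then
            install_secrets "$1" "$2" || return 1
            applied=$((applied + 1))
        fi
        [ "$i" -ge "$3" ] && break
        i=$((i + 1))
        sleep "$4"
    done
    echo "$applied"
}

# In pptpd.postconf (values are illustrative):
# ( apply_chap_secrets /jffs/configs/chap-secrets.static /tmp/pptpd/chap-secrets 5 2 ) &
```

An install count above 1 means the file was rewritten after the first install, which is the overwrite the delay was meant to avoid.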
 
