Set up VPN server on a DD-WRT router behind NAT


QUESTION :

I am trying to set up a PPTP VPN server on my DD-WRT router behind NAT (the ISP router of my provider). I’ve done a lot of googling, but it seems like not many people mention this exact scenario below:

INTERNET <–> ISP router <–> DD WRT

ISP router: WAN IP: xx.xxx.xx.xx, subnet: 192.168.1.xxx, router IP: 192.168.1.1

DD WRT (My Router): WAN IP: 192.168.1.10, subnet: 10.170.1.xxx, router IP: 10.170.1.1

VPN server enabled with PPTP chap secret: thomas * password *

The ISP router is something I cannot touch. I do not have the login to the router, and the ISP is not going to change any settings (e.g. DMZ) for me.

I’ve tried to sign up for a VPN service (StrongVPN), and have my DD-WRT router connect to that VPN so it can get a public WAN IP address (let’s say 123.123.123.123). I succeeded in getting the WAN IP address, but when I use another computer (from an external network) and connect to 123.123.123.123, for some reason StrongVPN immediately cuts the connection.

I’m pretty frustrated at the moment, and hope some network experts out there can shed some light.

Your help is appreciated!

ANSWER :

A PPTP server requires TCP Port 1723, as well as IP Protocol 47 (GRE) to be forwarded to it. Assuming your ISP router handles port forwarding, you won’t be able to run a PPTP server through this without having the ports forwarded to it.

I don’t believe there are any actual VPN server solutions that will work without the relevant ports being forwarded to it.

There may be other software solutions that mimic a similar interface, but I have no recommendations for this and software recommendations are outside of the remit of this site. Your best bet would be to search for something along the lines of VPN server without port forwarding.

There is a similar topic here. Although this isn’t specific to VPN, depending on your requirements it may still be helpful.

I noticed that the problem lies in DD-WRT. When you want to make use of the VPN service in DD-WRT’s firmware, and at the same time your router is behind NAT and you would like to establish another VPN client connection to a third-party VPN service, DD-WRT somehow doesn’t respond correctly (I’m guessing probably because of some sort of bug in the DD-WRT firmware).

Of course, I’m not interested in fixing bugs.

I did do a workaround, which works beautifully. I added an extra DD-WRT router.

INTERNET <–> ISP router <–> DD WRT <–> DD-WRT

Let’s name them this way:
A <–> B <–> C <–> D

I set up “C” such that it is a VPN client itself and connects to a third-party VPN (PureVPN in my case) with a static IP address (e.g. 123.123.123.123). I then set this to have a DMZ, which routes all packets to “D”.

Then, “D” now by default is public, because making pings, or any types of connection to 123.123.123.123 will simply go to “D”. I set up a VPN service on “D”, and bingo! Works like a charm!

For those of you trying to do the same thing, just to give you a heads up. Initially I got this working, but somehow whenever I’m trying to establish a VPN connection from the outside world, into my VPN service in “D”, it drops the connection immediately.

The reason behind this was that in Security > VPN Passthrough, I had enabled all 3 passthroughs, which, even until now, I thought made more sense:
– IPSec Passthrough
– PPTP Passthrough
– L2TP Passthrough

But in reality, you have to disable IPSec Passthrough and L2TP Passthrough in order to stop the VPN server from dropping an outside connection.

Still unsure why. Maybe someone can explain? But that’s not important in the scope of this question.
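
An added example (not part of the original answers): a shell check over nat-table rules for the requirement stated in the first answer, that both TCP 1723 and GRE (IP protocol 47) reach the PPTP server. A DNAT rule with no protocol match, like the DMZ used in the workaround, counts as covering both. The function names, rule sets and interface name are constructed; 192.168.1.10 is the DD-WRT WAN address from the question.

```shell
#!/bin/sh
# Added example. Reads nat-table rules (iptables-save / `iptables -t nat -S`
# syntax) on stdin and reports whether PPTP can reach the server given as $1.
# Assumption: forwards are plain DNAT rules in the PREROUTING chain.
pptp_forward_status() {
    awk -v srv="$1" '
        $1 != "-A" || $2 != "PREROUTING" { next }
        {
            proto = ""; dport = ""; dest = ""; jump = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
                else if ($i == "-j") jump = $(i + 1)
            }
            sub(/:.*/, "", dest)                     # drop an optional :port
            if (jump != "DNAT" || dest != srv) next
            if (proto == "") { ctrl = 1; gre = 1 }   # DMZ-style: every protocol
            if (proto == "tcp" && dport == "1723") ctrl = 1
            if (proto == "gre" || proto == "47") gre = 1
        }
        END {
            if (ctrl && gre) print "ok"
            else if (ctrl)   print "missing-gre"
            else if (gre)    print "missing-tcp-1723"
            else             print "not-forwarded"
        }'
}

# Constructed rule sets (interface name eth0 is made up).
rules_tcp_only() {
    echo "-A PREROUTING -i eth0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.10:1723"
}
rules_tcp_and_gre() {
    rules_tcp_only
    echo "-A PREROUTING -i eth0 -p gre -j DNAT --to-destination 192.168.1.10"
}
rules_dmz() {
    echo "-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10"
}

for name in rules_tcp_only rules_tcp_and_gre rules_dmz; do
    printf '%s: %s\n' "$name" "$("$name" | pptp_forward_status 192.168.1.10)"
done
```

A result of `missing-gre` is the case where only the TCP port was forwarded: the control connection on 1723 can open, but the tunnel traffic carried in GRE never reaches the server.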