Configure Multiple PPTP VPNs on Tomato Based Router

I have a VPN set up from my router to work so that I don’t have to dial one up when I need to get to some server from home. However, I also live in Canada and want to be able to purchase stuff from Google Play that I can’t get here, namely music, and be able to get US Netflix, Amazon Prime bonuses, etc. So I needed to set up a second PPTP VPN, since the US endpoint I have access to is a Windows server with RRAS. Unfortunately, the GUI doesn’t support two PPTP VPNs, so I had to figure out how to script it.

tl;dr

Also, note that Microsoft PPTP is broken. If you have any choice, don’t use PPTP, use something that hasn’t been cracked with 100% certainty, and that can’t be reliably broken in less than a day. Use IPSec.

The process should be similar for other VPN types: find the config file and copypasta. I haven’t tried it though, so I can’t promise.

So, I dug around to find how the VPN actually works, and found that the configuration was stored in /etc/vpn/options.vpn. This is run at startup when the option is configured. So I enabled jffs, and set up a startup script to connect my second VPN. The startup script follows:

#!/bin/sh
/usr/sbin/pppd file /jffs/options.vpn

/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
/usr/sbin/iptables --table nat --insert POSTROUTING --out-interface ppp1 --jump MASQUERADE

The VPN options file. It carries the account password in clear text, so keep the copy on jffs owned by root and readable only by root (chmod 600):

lock
noauth
refuse-eap
lcp-echo-failure 3
lcp-echo-interval 2
maxfail 0
persist
plugin pptp.so
pptp_server IPAddress_of_VPN_Server
idle 0
ip-up-script /jffs/ip-up
ip-down-script /jffs/ip-down
ipparam kelokepptpd
mtu 1450
mru 1450
user vpn_username
password password
nomppe-stateful
unit 1

The ip-up and ip-down scripts set up firewall rules, routes, etc.

ip-up:

#!/bin/sh

# Wait 30 seconds to be sure that VPN connects
sleep 30

DEFAULTROUTE=$(/bin/nvram get pptp_client_dfltroute)
REMOTESUB=$(/bin/nvram get pptp2_client_srvsub)
REMOTENET=$(/bin/nvram get pptp2_client_srvsubmsk)
case "$6" in
 kelokepptpd)
  if [ "$DEFAULTROUTE" = "1" ]; then
    REMOTESUB="0.0.0.0"
    REMOTENET="0.0.0.0"
    /sbin/route add default dev $1
  else
    # Add routes for Google music
    /sbin/route add -net 74.125.225.0 netmask 255.255.255.248 ppp1
    /sbin/route add 74.125.225.9 ppp1
    /sbin/route add 74.125.225.14 ppp1
    /sbin/route add -net 74.125.225.20 netmask 255.255.255.252 ppp1
    /sbin/route add -net 74.125.225.96 netmask 255.255.255.240 ppp1
    /sbin/route add -net 74.125.225.40 netmask 255.255.255.248 ppp1

    # Repeat above for Netflix and Amazon

  fi
   # Add firewall rules for traffic for each route, Google Play is here, others snipped
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.224 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert INPUT --source 74.125.225.0/255.255.255.224 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.224 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.0/255.255.255.224 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   if [ "$(/bin/nvram get pptp_client_nat)" = "1" ]; then
     /usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp1 --jump MASQUERADE
   fi
   /sbin/service dnsmasq restart
  ;;
 *)
esac
exit 0

ip-down just tears everything down:

#!/bin/sh
DEFAULTROUTE=$(/bin/nvram get pptp_client_dfltroute)
REMOTESUB=$(/bin/nvram get pptp2_client_srvsub)
REMOTENET=$(/bin/nvram get pptp2_client_srvsubmsk)
case "$6" in
 kelokepptpd)
  if [ "$DEFAULTROUTE" = "1" ]; then
    REMOTESUB="0.0.0.0"
    REMOTENET="0.0.0.0"
    /sbin/route del default dev $1
  else
    # Delete the routes added in ip-up (same list, so the teardown mirrors the setup)
    /sbin/route del -net 74.125.225.0 netmask 255.255.255.248 ppp1
    /sbin/route del 74.125.225.9 ppp1
    /sbin/route del 74.125.225.14 ppp1
    /sbin/route del -net 74.125.225.20 netmask 255.255.255.252 ppp1
    /sbin/route del -net 74.125.225.96 netmask 255.255.255.240 ppp1
    /sbin/route del -net 74.125.225.40 netmask 255.255.255.248 ppp1
  fi
   /usr/sbin/iptables -D OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT   --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT   --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT   --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT   --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

   # Mirrors the 74.125.225.96/28 rules inserted in ip-up
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D INPUT   --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1
   /usr/sbin/iptables -D FORWARD --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

  if [ "$(/bin/nvram get pptp_client_nat)" = "1" ]; then
    /usr/sbin/iptables --table nat -D POSTROUTING --out-interface ppp1 --jump MASQUERADE
  fi
   /sbin/service dnsmasq restart
  ;;
 *)
esac
exit 0
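The hand-copied ip-up and ip-down rule lists above can drift apart (a teardown rule that never matches an inserted rule is silently left in place). As an added example, not code from the original post, here is one helper that both scripts can call: ip-up runs it with "add", ip-down with "del", from a single destination list, and it inserts the MSS clamp once instead of once per block. The IFACE, IPTABLES, ROUTE and DRY_RUN variables and the three sample destinations are assumptions for this example; the route binary is assumed to accept addr/prefix targets, as net-tools and busybox do.

```shell
#!/bin/sh
# ppp-rules: one data-driven list of destinations for the second tunnel,
# applied by ip-up ("ppp-rules add") and reversed by ip-down ("ppp-rules del")
# so the teardown always mirrors the setup. Added example, not from the post.
# DRY_RUN=1 prints the commands instead of executing them.

IFACE="${IFACE:-ppp1}"                      # "unit 1" in options.vpn gives ppp1
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
ROUTE="${ROUTE:-/sbin/route}"
# Constructed sample list in prefix notation; replace with the networks you need.
DESTS="74.125.225.0/29 74.125.225.9/32 74.125.225.14/32"

# Print the command under DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Map add|del to the iptables and route verbs; any other mode is an error.
ipt_verb()   { case "$1" in add) echo --insert ;; del) echo --delete ;; *) return 1 ;; esac; }
route_verb() { case "$1" in add) echo add ;;      del) echo del ;;      *) return 1 ;; esac; }

# Route plus the four ACCEPT rules (OUTPUT/INPUT/FORWARD, both directions) for one destination.
# Assumes a route binary that accepts addr/prefix targets (net-tools and busybox do).
dest_rules() {
  mode=$1 d=$2
  v=$(ipt_verb "$mode") || return 1
  rv=$(route_verb "$mode")
  case "$d" in
    */32) run "$ROUTE" "$rv" -host "${d%/32}" dev "$IFACE" ;;
    *)    run "$ROUTE" "$rv" -net "$d" dev "$IFACE" ;;
  esac
  run "$IPTABLES" "$v" OUTPUT  --destination "$d" --out-interface "$IFACE" --jump ACCEPT
  run "$IPTABLES" "$v" INPUT   --source "$d"      --in-interface  "$IFACE" --jump ACCEPT
  run "$IPTABLES" "$v" FORWARD --destination "$d" --out-interface "$IFACE" --jump ACCEPT
  run "$IPTABLES" "$v" FORWARD --source "$d"      --in-interface  "$IFACE" --jump ACCEPT
}

# Every destination, then a single MSS clamp (the hand-written scripts repeat it per block).
apply_rules() {
  v=$(ipt_verb "$1") || return 1
  for d in $DESTS; do dest_rules "$1" "$d" || return 1; done
  run "$IPTABLES" "$v" FORWARD --protocol tcp --tcp-flags SYN,RST SYN \
      --jump TCPMSS --clamp-mss-to-pmtu
}

case "${1:-}" in add|del) apply_rules "$1" ;; esac
```

Run it with DRY_RUN=1 first and diff the "add" and "del" output to confirm every rule has its mirror before wiring it into ip-up and ip-down.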