Configure Multiple PPTP VPNs on Tomato Based Router

Robbie Crash

9 min read

I have a VPN setup from my router to work so that I don't have to dial one up when I need to get to some server from home. However, I also live in Canada and want to be able to purchase stuff from Google Play that I can't get here, namely music, and be able to get US Netflix, Amazon Prime bonuses, etc. So I needed to set up a second PPTP VPN, since the US endpoint I have access to is a Windows server with RRAS. Unfortunately, the GUI doesn't support two PPTP VPNs, so I had to figure out how to script it.
tl;dr

Also, note that Microsoft PPTP is broken. If you have any choice, don't use PPTP, use something that hasn't been cracked with 100% certainty, and that can't be reliably broken in less than a day. Use IPSec.

The process should be similar for other VPN types, find the config file and copypasta; I haven't tried it though, so I can't promise.

So, I dug around to find how the VPN actually works, and found that the configuration was stored in /etc/vpn/options.vpn. This is run at startup when the option is configured. So I enabled jffs, and set up a startup script to connect my second VPN. The startup script follows:

#!/bin/sh  
/usr/sbin/pppd file /jffs/options.vpn  
  
/usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
/usr/sbin/iptables --table nat --insert POSTROUTING --out-interface ppp1 --jump MASQUERADE

The VPN options file:

lock  
noauth  
refuse-eap  
lcp-echo-failure 3  
lcp-echo-interval 2  
maxfail 0  
persist  
plugin pptp.so  
pptp_server IPAddress_of_VPN_Server  
idle 0  
ip-up-script /jffs/ip-up  
ip-down-script /jffs/ip-down  
ipparam kelokepptpd  
mtu 1450  
mru 1450  
user vpn_username  
password password  
nomppe-stateful  
unit 1

The ip-up and ip-down scripts set up firewall rules, routes, etc.

ip-up:

#!/bin/sh  
  
# Wait 30 seconds to be sure that VPN connects  
sleep 30  
  
DEFAULTROUTE=$(/bin/nvram get pptp_client_dfltroute)  
REMOTESUB=$(/bin/nvram get pptp2_client_srvsub)  
REMOTENET=$(/bin/nvram get pptp2_client_srvsubmsk)  
case "$6" in  
 kelokepptpd)  
  if [ $DEFAULTROUTE -eq 1 ]; then  
    REMOTESUB="0.0.0.0"  
    REMOTENET="0.0.0.0"  
    /sbin/route add default dev $1  
  else  
    # Add routes for Google music  
    /sbin/route add -net 74.125.225.0 netmask 255.255.255.248 ppp1  
    /sbin/route add 74.125.225.9 ppp1  
    /sbin/route add 74.125.225.14 ppp1  
    /sbin/route add -net 74.125.225.20 netmask 255.255.255.252 ppp1  
    /sbin/route add -net 74.125.225.96 netmask 255.255.255.240 ppp1  
    /sbin/route add -net 74.125.225.40 netmask 255.255.255.248 ppp1  
  
    # Repeat above for Netflix and Amazon  
  
  fi  
   # Add firewall rules for traffic for each route, Google Play is here, others snipped  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --des1`tination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT   --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.96/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.96/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.224 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert INPUT --source 74.125.225.0/255.255.255.224 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.224 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --source 74.125.225.0/255.255.255.224 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN  
  
   if [ "$(/bin/nvram get pptp_client_nat)" = "1" ]; then  
   /usr/sbin/iptables --table nat --append POSTROUTING --out-interface ppp1 --jump MASQUERADE  
  fi  
/sbin/service dnsmasq restart  
  ;;  
 *)  
esac  
exit 0

ip-down just tears everything down:

#!/bin/sh  
DEFAULTROUTE=$(/bin/nvram get pptp_client_dfltroute)  
REMOTESUB=$(/bin/nvram get pptp2_client_srvsub)  
REMOTENET=$(/bin/nvram get pptp2_client_srvsubmsk)  
case "$6" in  
 kelokepptpd)  
  if [ $DEFAULTROUTE -eq 1 ]; then  
    REMOTESUB="0.0.0.0"  
    REMOTENET="0.0.0.0"  
    /sbin/route del default dev $1  
  else  
  
        # Delete routes for Google Play  
   /sbin/route del -net 74.125.225.0 netmask 255.255.255.224 ppp1  
   /sbin/route del 74.125.225.9 ppp1  
   /sbin/route del 74.125.225.14 ppp1  
   /sbin/route del 74.125.225.19 ppp1  
   /sbin/route del 74.125.225.110 ppp1  
  fi  
   /usr/sbin/iptables -D OUTPUT --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT --source 74.125.225.0/255.255.255.224 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.248 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.0/255.255.255.248 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT   --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.9/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.9/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT   --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.14/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.14/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT   --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.19/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.19/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT   --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.110/255.255.255.255 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.110/255.255.255.255 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
   /usr/sbin/iptables -D OUTPUT  --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D INPUT   --source 74.125.225.0/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 0.0.0.0/0.0.0.0 --destination 74.125.225.0/255.255.255.240 --jump ACCEPT --out-interface ppp1  
   /usr/sbin/iptables -D FORWARD --source 74.125.225.0/255.255.255.240 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1  
   /usr/sbin/iptables -D FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu  
  
  if [ "$(/bin/nvram get pptp_client_nat)" = "1" ]; then  
    /usr/sbin/iptables --table nat -D POSTROUTING --out-interface ppp1 --jump MASQUERADE  
  fi  
 /sbin/service dnsmasq restart  
 ;;  
 *)  
esac  
exit 0

Sign up for more like this.

Enter your email
Subscribe