Use Ubuntu as a port redirect server for your routers

Server Norckon



As we know, if your router is behind a firewall or inside an ISP's internal network, you can't access it from the Internet. Fortunately, you can use a server with a public IP (such as a VPS) to help you redirect the router to the Internet through a PPTP service.


| Side | OS / Firmware | Software |
| --- | --- | --- |
| Server Side | Ubuntu 14.04.1 64bit | pptpd v1.3.4 |
| Client Side | Tomato 1.28 Shibby Mod | pppd 2.4.5 |

*NOTICE: The following steps are based on THIS environment. Other OSes or firmware may differ.


Follow these steps to build the PPTP service.

1. Update your system's package database, then install the pptpd package.

sudo apt-get update
sudo apt-get install pptpd

2. Edit the pptpd configuration file: open it with sudo vi /etc/pptpd.conf and modify the corresponding values.

option /etc/ppp/pptpd-options             # Specify pptpd options file path
debug                                     # Enable debug mode if you want
localip                       # Specify server side (gateway) IP
remoteip,  # Specify client side IP (DHCP enabled)

3. Edit the pptpd options file: open it with sudo vi /etc/ppp/pptpd-options and modify the corresponding values.

name pptpd                    # Service Name
refuse-pap                    # Refuse PAP authentication mode
refuse-chap                   # Refuse CHAP authentication mode
refuse-mschap                 # Refuse MS-CHAP v1 authentication mode
#require-mschap-v2            # Require MS-CHAP v2 authentication mode
#require-mppe-128             # Require MPPE-128 encryption mode
+chap                         # Use CHAP as the authentication mode

#Notice: Some router firmware does not support MSCHAP-V2 and MPPE-128, so I disabled them
#        and used CHAP instead. If you are sure your router supports them,
#        delete the "#" character at the start of those lines and delete "+chap"
#        to enable mschap v2 and mppe-128 mode.
ms-dns                # Set primary DNS server
ms-dns                # Set secondary DNS server
proxyarp                      # Enable proxy arp mode
debug                         # Enable debug mode if you want
dump                          # Print all option values at startup
lock                          # Lock tty devices
nobsdcomp                     # Disable BSD compression mode
logfile /var/log/pptpd.log    # Logging to file

4. Add users to the pptpd service: open the file with sudo vi /etc/ppp/chap-secrets and add each user on a new line.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1           pptpd   user1_password
user2           pptpd   user2_password
user3           pptpd   user3_password          *

Description of each column:

| Column | Description |
| --- | --- |
| First | User's username |
| Second | Service type, here should be "pptpd" |
| Third | User's password |
| Fourth | <IP>: Specifies IP addresses for users; <*>: Assign IP address via DHCP |

5. Limit each account to one user at a time. Create the file with touch /etc/ppp/auth-up, make it executable with chmod a+x /etc/ppp/auth-up, then open it with sudo vi /etc/ppp/auth-up and add the following code.

#!/bin/sh
# get the username/ppp line number from the parameters
# (pppd runs auth-up with: interface-name peer-name user-name tty-device speed)
  PPP_IF=$1
  USER=$2
# create the directory to keep pid files per user
  mkdir -p /var/run/pptpd-users
# if there is a session already for this user, terminate the old one
  if [ -f "/var/run/pptpd-users/$USER" ]; then
    kill -HUP "$(cat "/var/run/pptpd-users/$USER")"
  fi
# copy the pid file of current user (pppd writes /var/run/pppN.pid) to /var/run/pptpd-users
  cp "/var/run/$PPP_IF.pid" "/var/run/pptpd-users/$USER"

6. Restart the pptpd service with sudo service pptpd restart.
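
The notice in step 3 means the options as posted authenticate with CHAP and require no MPPE, so router logins and web sessions cross the tunnel unencrypted. The script below is an added example (not from the original post) that reports this from the active lines of an options file; ppp_posture is a hypothetical helper name, and the sample reproduces the authentication lines from step 3.

```sh
#!/bin/sh
# Added example: report what the active (uncommented) lines of a pppd options
# file require for authentication and MPPE encryption.

# ppp_posture FILE (hypothetical helper): prints WARN/INFO/PASS findings.
ppp_posture() {
    awk '
        { sub(/#.*/, "") }                      # "#require-..." lines are inactive
        NF == 0 { next }
        $1 == "require-mschap-v2"               { v2 = 1 }
        $1 == "require-mschap"                  { v1 = 1 }
        $1 == "require-chap" || $1 == "+chap"   { chap = 1 }
        $1 == "require-pap"  || $1 == "+pap"    { pap = 1 }
        $1 ~ /^require-mppe(-40|-128)?$/        { mppe = 1 }
        $1 == "require-mppe-128"                { mppe128 = 1 }
        END {
            if (!mppe) print "WARN no require-mppe*: tunnel is not encrypted"
            else if (!v1 && !v2) print "WARN MPPE needs MS-CHAP or MS-CHAPv2 auth"
            else if (!mppe128) print "WARN 40-bit MPPE is allowed"
            if (pap) print "WARN PAP sends the password in cleartext"
            if (chap) print "INFO peers may authenticate with plain CHAP"
            if (v2 && mppe128 && !chap && !pap && !v1)
                print "PASS MS-CHAPv2 with MPPE-128 required"
        }
    ' "$1"
}

# Sample input: the authentication lines from step 3 of the post.
AS_POSTED=$(mktemp)
trap 'rm -f "$AS_POSTED"' EXIT
cat > "$AS_POSTED" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
#require-mschap-v2            # Require MS-CHAP v2 authentication mode
#require-mppe-128             # Require MPPE-128 encryption mode
+chap
proxyarp
EOF

ppp_posture "$AS_POSTED"
```

Run it against /etc/ppp/pptpd-options after editing; if the routers support it, uncommenting the two require lines and deleting +chap changes the result to the PASS line.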


The following steps are based on Tomato firmware; other firmware may differ.

1. Log in to your router's administration page and find the PPTP (or VPN) settings.

2. Enter the following values in your router's VPN settings.

| Parameter | Value |
| --- | --- |
| Server Address | Your pptp server's public IP address, e.g. |
| Server Port | Default: 1723. If you changed it, enter your value. |
| Username | User's username saved in /etc/ppp/chap-secrets |
| Password | User's password saved in /etc/ppp/chap-secrets |
| Encrypt (MPPE) | None, If you enabled mschapv2 or mppe, please select |
| Remote Network | / |
| NAT Mode | None / Disabled |

3. Check whether the router's web interface port is reachable from the server side. If it is open, skip the next steps; if not, continue.

4. Some routers do not bind the web interface to the VPN interface, so the web interface can't be reached through the VPN. If you are using Tomato firmware, do the following steps; otherwise contact your router manufacturer.

  • Format and enable the Tomato JFFS function.
  • Create the file /jffs/ and give it executable permission.
  • Schedule a task that runs /jffs/ every minute.

FILE /jffs/

#!/bin/sh
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin:
# count existing DNAT rules for the web interface port (-n keeps ports and addresses numeric so the pattern matches)
export ISEXIST=$(iptables -t nat -n -L|grep -c "tcp dpt:`nvram get http_lanport` to:`nvram get lan_ipaddr`:`nvram get http_lanport`")
# add the rule only if it is not there yet
if [ $ISEXIST -lt 1 ] ; then
    iptables -t nat -A PREROUTING -p tcp --dport `nvram get http_lanport` -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get http_lanport`
fi

5. Some routers can't keep the VPN connection up: if the VPN interface has no traffic, the VPN connection breaks. Create a new scheduled task that runs /jffs/ every minute to solve this issue.

FILE /jffs/

export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin:
export IS_IN_EXIST=$(iptables -L INPUT -v|grep -c "ACCEPT     all  --  ppp1   any     anywhere             anywhere")
export IS_OUT_EXIST=$(iptables -L OUTPUT -v|grep -c "ACCEPT     all  --  any    ppp1    anywhere             anywhere")

# insert the ACCEPT rules for ppp1 only if they are missing
if [ $IS_IN_EXIST -lt 1 ] ; then
    iptables -I INPUT 1 -i ppp1 -j ACCEPT
fi

if [ $IS_OUT_EXIST -lt 1 ] ; then
    iptables -I OUTPUT 1 -o ppp1 -j ACCEPT
fi


6. Reboot your router and wait for 2 minutes to let it connect to the pptp server.


After the previous steps, you can access your router from the server's terminal or browser through its VPN IP address, but not from the Internet. The following steps redirect the port to the Internet.

1. Install the rinetd port mapping tool with sudo apt-get install rinetd.

2. Edit the rinetd options: open the file with sudo vi /etc/rinetd.conf and add the forwarding rules.

  ... ... ...
# bindadress    bindport  connectaddress  connectport
                8081                      80
                8082                      80
                8083                      80
  ... ... ...

| Column | Description |
| --- | --- |
| bindadress | default: means open for any interface |
| bindport | Port you want to redirect to. |
| connectaddress | Router's VPN client IP address. |
| connectport | Router's web interface port. |

3. Restart the rinetd service with sudo service rinetd restart for the change to take effect.

Now you can use your pptp server's public IP address to access your internal network routers.
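
rinetd accepts any source address for a forwarding rule unless an allow rule applies to it, so each router web interface forwarded above is open to every address that can reach the server. The script below is an added example (not from the original post) that lists forwarding rules with no allow rule; audit_rinetd is a hypothetical helper name and the addresses in the sample config are constructed placeholders.

```sh
#!/bin/sh
# Added example: list rinetd forwarding rules that any source address may use.
# rinetd semantics: allow/deny lines before the first forwarding rule are
# global; later ones apply to the forwarding rule directly above them. A rule
# with only deny lines (or none) still accepts every address not denied.

# audit_rinetd FILE (hypothetical helper): prints one "OPEN ..." line per
# forwarding rule that has neither a global nor a per-rule allow pattern.
audit_rinetd() {
    awk '
        function report() {
            if (rule != "" && !global_allow && !rule_allow) print "OPEN " rule
        }
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }
        $1 == "allow" {
            if (rule == "") global_allow = 1; else rule_allow = 1
            next
        }
        $1 == "deny" || $1 == "logfile" || $1 == "logcommon" { next }
        NF >= 4 {                               # bindaddr bindport connaddr connport
            report()
            rule = $1 ":" $2 " -> " $3 ":" $4
            rule_allow = 0
        }
        END { report() }
    ' "$1"
}

# Constructed sample config; 10.8.0.x stands in for the routers VPN addresses
# and 203.0.113.* for the administrator source range.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
logfile /var/log/rinetd.log
0.0.0.0 8081 10.8.0.11 80
allow 203.0.113.*
0.0.0.0 8082 10.8.0.12 80
0.0.0.0 8083 10.8.0.13 80
deny 198.51.100.*
EOF

audit_rinetd "$SAMPLE"
```

In the sample only the 8081 rule is restricted; placing a single allow line above the first forwarding rule restricts all three at once.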



Pekaikon Norckon
2015-10-01 (Thu)
