Make Ubuntu as port redirect server for your routers

INTRODUCE

As we know, if your router sits behind a firewall or inside an ISP's private network, you can't reach it from the Internet. Fortunately, a server with a public IP (such as a VPS) can expose the router for you: the router dials into the server over PPTP, and the server forwards a public port to the router through the tunnel.

ENVIRONMENT

Side          OS / Firmware             Software
Server side   Ubuntu 14.04.1 64-bit     pptpd v1.3.4
Client side   Tomato 1.28 Shibby Mod    pppd 2.4.5

*NOTICE: The following steps are based on THIS environment. Other OSes or firmware may differ in some details.

SERVER SIDE PPTP SERVICE STEP

Follow these steps to build the PPTP service.

1. Update your system's package database, then install the pptpd package.

sudo apt-get update
sudo apt-get install pptpd

2. Edit the pptpd configuration file: open it with an editor (sudo vi /etc/pptpd.conf) and set the corresponding values.

option /etc/ppp/pptpd-options             # Path of the pptpd options file
debug                                     # Enable debug mode if you want
localip 192.168.0.1                       # Server side (gateway) IP inside the tunnel
remoteip 192.168.0.200-238,192.168.0.245  # Pool of client side IPs handed out dynamically

3. Edit the pptpd options file: open it with an editor (sudo vi /etc/ppp/pptpd-options) and set the corresponding values.

name pptpd                    # Service name (must match the "server" column in chap-secrets)
refuse-pap                    # Refuse PAP authentication
refuse-chap                   # Refuse CHAP authentication
refuse-mschap                 # Refuse MS-CHAP v1 authentication
#require-mschap-v2            # Require MS-CHAP v2 authentication
#require-mppe-128             # Require MPPE-128 encryption
+chap                         # Accept CHAP authentication (CHAP only authenticates; with MPPE
                              # disabled the tunnel itself is NOT encrypted)

#Notice: Some router firmware does not support MSCHAP-V2 and MPPE-128, so I disabled them
#        and used CHAP instead. If you are sure your router supports them, delete the "#"
#        in front of those two lines and remove "+chap" to enable MS-CHAP v2 and MPPE-128.
ms-dns 8.8.8.8                # Primary DNS server pushed to clients
ms-dns 8.8.4.4                # Secondary DNS server pushed to clients
proxyarp                      # Enable proxy ARP so clients appear on the server's LAN
debug                         # Enable debug mode if you want
dump                          # Print the complete option set at startup
lock                          # Lock tty devices
nobsdcomp                     # Disable BSD compression
logfile /var/log/pptpd.log    # Log to this file

4. Add users to the pptpd service: open the secrets file with an editor (sudo vi /etc/ppp/chap-secrets) and add one user per line. The file stores passwords in clear text, so keep it readable by root only (sudo chmod 600 /etc/ppp/chap-secrets).

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1           pptpd   user1_password          192.168.0.100
user2           pptpd   user2_password          192.168.0.200
user3           pptpd   user3_password          *

Description of each column:

Column   Description
First    User's username
Second   Service type; here it should be "pptpd" (the name set in pptpd-options)
Third    User's password
Fourth   <IP>: a fixed IP address for this user
         <*>: assign an address dynamically (from the remoteip pool)

5. Limit each account to a single session. Create the file with sudo touch /etc/ppp/auth-up, make it executable with sudo chmod a+x /etc/ppp/auth-up, then open it with an editor (sudo vi /etc/ppp/auth-up) and add the following script.

#!/bin/sh
# pppd runs auth-up with the parameters: interface-name peer-name user-name tty-device speed
REALDEVICE=$1   # e.g. ppp0; pppd writes its pid to /var/run/ppp0.pid
USER=$2         # name the client authenticated with
# directory holding one pid file per user
mkdir -p /var/run/pptpd-users
# if this user already has a session, hang up the old one
if [ -f "/var/run/pptpd-users/$USER" ]; then
    kill -HUP "$(cat "/var/run/pptpd-users/$USER")" 2>/dev/null
fi
# record the pid of the new session under the user's name
cp "/var/run/$REALDEVICE.pid" "/var/run/pptpd-users/$USER"

6. Restart the pptpd service with sudo service pptpd restart.

CLIENT SIDE CONFIGURATION STEP

The following steps are based on Tomato firmware; other firmware may differ.

1. Log in to your router's administration page and find the PPTP (or VPN) client settings.

2. Enter the following values in your router's VPN settings.

Parameter        Value
Server Address   Your PPTP server's public IP address, e.g. 220.111.252.172
Server Port      Default 1723; if you changed it on the server, enter that port.
Username         The user's username as saved in /etc/ppp/chap-secrets
Password         The user's password as saved in /etc/ppp/chap-secrets
Encrypt (MPPE)   None; if you enabled mschap-v2 or MPPE on the server, select it here
Remote Network   192.168.0.0 / 255.255.255.0
NAT Mode         None / Disabled

3. Check from the server side whether the router's web interface port is reachable through the VPN (for example nc -zv <router VPN IP> 80 on the server). If it is OPEN, skip the next steps; if NOT, please continue.

4. Some routers do not bind the web interface to the VPN interface, so it cannot be reached through the VPN. If you are using Tomato firmware, follow the steps below; otherwise please contact your router manufacturer.

  • Format and enable your Tomato JFFS partition.
  • Create the file /jffs/redirect-http.sh and make it executable.
  • Add a scheduled task that runs /jffs/redirect-http.sh every minute.

FILE /jffs/redirect-http.sh

#!/bin/sh
# Redirect the LAN web-UI port to the router's LAN address so the UI also answers on the VPN interface.
# (The original PATH ended with ":", which silently adds the current directory; that is removed here.)
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
HTTP_PORT=$(nvram get http_lanport)
LAN_IP=$(nvram get lan_ipaddr)
# -n keeps ports numeric, otherwise iptables may print "dpt:http" and the grep misses the rule
ISEXIST=$(iptables -t nat -L PREROUTING -n | grep -c "tcp dpt:$HTTP_PORT to:$LAN_IP:$HTTP_PORT")

# only add the rule once, since this script runs every minute
# (add "-i ppp1" to limit the redirect to the VPN interface instead of every interface)
if [ "$ISEXIST" -lt 1 ]; then
    iptables -t nat -A PREROUTING -p tcp --dport "$HTTP_PORT" -j DNAT --to-destination "$LAN_IP:$HTTP_PORT"
fi

exit 0

5. Some routers cannot keep the VPN connection up: when the VPN interface carries no traffic, the connection drops. Create another scheduled task that runs /jffs/pptpd-ipt.sh every minute to work around this.

FILE /jffs/pptpd-ipt.sh

#!/bin/sh
# Make sure traffic on the VPN interface (ppp1 on this Tomato router) is accepted in both directions.
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
VPN_IF=ppp1
# with -v -n the columns are: pkts bytes target prot opt in out source destination
IS_IN_EXIST=$(iptables -L INPUT -v -n | awk -v i="$VPN_IF" '$3 == "ACCEPT" && $6 == i' | grep -c .)
IS_OUT_EXIST=$(iptables -L OUTPUT -v -n | awk -v i="$VPN_IF" '$3 == "ACCEPT" && $7 == i' | grep -c .)

if [ "$IS_IN_EXIST" -lt 1 ]; then
    iptables -I INPUT 1 -i "$VPN_IF" -j ACCEPT
fi

if [ "$IS_OUT_EXIST" -lt 1 ]; then
    iptables -I OUTPUT 1 -o "$VPN_IF" -j ACCEPT
fi

exit 0

6. Reboot your router and wait about 2 minutes for it to connect to the PPTP server.

SERVER SIDE PORT REDIRECT STEP

After the previous steps you can reach your router from the server (terminal or browser) via its VPN IP address, but not yet from the Internet. The following steps redirect a public port on the server to the router.

1. Install the rinetd port-mapping tool with sudo apt-get install rinetd.

2. Edit the rinetd options: open the file with an editor (sudo vi /etc/rinetd.conf) and add forwarding rules.

  ... ... ...
# bindaddress   bindport  connectaddress  connectport
  0.0.0.0       8081      192.168.0.100   80
  0.0.0.0       8082      192.168.0.200   80
  0.0.0.0       8083      192.168.0.201   80
  ... ... ...

Column          Description
bindaddress     Default 0.0.0.0 means listen on every interface. This publishes the router's login page to the whole Internet over plain HTTP, so bind to a specific address or add rinetd "allow" lines to restrict the source addresses.
bindport        Port on the server you want to redirect.
connectaddress  Router's VPN client IP address (use a fixed address from chap-secrets, not a pool address; the third line is a valid example in place of the original 192.168.0.300, which is not a valid IPv4 address).
connectport     Router's web interface port.

3. Restart the rinetd service with sudo service rinetd restart for the change to take effect.

Now you can use your PPTP server's public IP address and the chosen bindport to reach your internal routers.
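As an added example (not part of the original post), the script below audits the three files configured above for the mistakes that break or over-expose this setup: a rinetd connectaddress that is not a valid IPv4 address, a target that is not a fixed IP in chap-secrets (a "*" client receives a pool address that may change on every connection, so the forward silently stops working), a fixed IP that also lies inside the pptpd remoteip pool, and a 0.0.0.0 bind with no rinetd allow rule. The file contents are constructed to mirror the post; the function names are my own.

```python
import ipaddress
# Constructed sample inputs modelled on the files in this post (not the author's real files).
CHAP_SECRETS = """\
# client  server  secret          IP addresses
user1     pptpd   user1_password  192.168.0.100
user2     pptpd   user2_password  192.168.0.200
user3     pptpd   user3_password  *
"""
RINETD_CONF = """\
# bindaddress  bindport  connectaddress  connectport
0.0.0.0        8081      192.168.0.100   80
0.0.0.0        8082      192.168.0.200   80
0.0.0.0        8083      192.168.0.300   80
"""
REMOTEIP = "192.168.0.200-238,192.168.0.245"  # remoteip value from pptpd.conf

def static_ips(chap_text):
    """Fixed IPs from /etc/ppp/chap-secrets; '*' entries get a pool address and are skipped."""
    return {f[3] for f in (l.split() for l in chap_text.splitlines())
            if len(f) >= 4 and not f[0].startswith("#") and f[3] != "*"}

def parse_remoteip(spec):
    """Expand a pptpd.conf remoteip value (comma separated, last-octet ranges) into a set."""
    ips = set()
    for item in spec.split(","):
        prefix, last = item.strip().rsplit(".", 1)
        first, _, end = last.partition("-")
        ips.update(f"{prefix}.{o}" for o in range(int(first), int(end or first) + 1))
    return ips

def audit(rinetd_conf, chap_text, remoteip):
    """Findings: static/pool collisions, forwards that cannot work, and unrestricted binds."""
    static = static_ips(chap_text)
    pool = parse_remoteip(remoteip)
    findings = [f"static IP {ip} also lies in the remoteip pool" for ip in sorted(static & pool)]
    has_allow = any(l.split()[:1] == ["allow"] for l in rinetd_conf.splitlines())
    for line in rinetd_conf.splitlines():
        f = line.split()
        if len(f) != 4 or f[0].startswith("#"):
            continue  # comments, blank lines and allow/deny rules
        bind, port, target, _ = f
        try:
            ipaddress.IPv4Address(target)
        except ValueError:
            findings.append(f"port {port}: connectaddress {target} is not a valid IPv4 address")
            continue
        if target not in static:
            findings.append(f"port {port}: {target} is not a fixed chap-secrets IP, so the forward will break")
        if bind == "0.0.0.0" and not has_allow:
            findings.append(f"port {port}: bound on every interface with no rinetd allow rule")
    return findings
```

Run audit() against the real /etc/ppp/chap-secrets, /etc/rinetd.conf and the remoteip line from /etc/pptpd.conf after each change; an empty list means the forwards point at fixed, non-colliding client addresses and the listener is restricted.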

AUTHOR

Pekaikon Norckon
2015-10-01 (Thu)
