This is one of those posts that is meant to save time for myself in the future when I'll have to figure all of this out from scratch.
I spend a lot of time in coffee shops and public places with unsecure wifi. Unsecure wifi scares the bejeesus out of me so I wanted to figure out a way to secure any traffic going through. It would also be nice to access things on my home network. It turns out there are a million different ways to do this and I found one that worked for me. Here were the constraints that I imposed.
If you don't have these constraints, there are many different ways to do this. Here are some alternate options
But if you happen to have the same specific set of constraints I do and like DIY hacks, read on.
VPNs can be created using a multitude of protocols and the one we are going to use, PPTP, is the most insecure of the lot. Wait, what? Why are we picking the most insecure one if the whole purpose of the exercise is to make internet usage more secure? Worse, by using something insecure, we could let somebody get into our home network and rampage around. If you're not going to use a long passphrase/password, you shouldn't be doing this.
Here's why I picked PPTP and why I believe using it with very long passwords/passphrases is acceptable.
If you don't understand what I'm talking about or if you don't agree, you shouldn't be doing this.
PPTP Server -> Enable
Broadcast support -> Enable
Force MPPE Encryption -> Enable
Server IP -> 192.168.1.1 (you can pick anything here, just remember to use this when you forward traffic a bit later)
Client IP -> 192.168.1.110-120 (you can use any valid range here)
DNS1/DNS2 -> 8.8.8.8/8.8.4.4 (not using Google's DNS also worked for me but others on the web have reported issues here)
CHAP-Secrets -> * username * "password" *
The format of the username/password line is critical. It is asterisk-space-username-space-asterisk-space-password enclosed by quotes-space-asterisk. If you don't have special characters in your password, you can skip the quotes. If you have multiple usernames and passwords, just use the same format on a new line. REMEMBER - use a long password with special characters or you will be in trouble.
Hit 'Apply Settings'.
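#!/bin/sh
# Disable PPP protocol-field and address/control-field compression
echo "nopcomp" >> /tmp/pptpd/options.pptpd
echo "noaccomp" >> /tmp/pptpd/options.pptpd
# Stop the running pptp processes ([p]ptp keeps grep from matching itself;
# awk copes with the leading spaces in the PID column), then restart the server
kill $(ps | grep '[p]ptp' | awk '{print $1}')
pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd
# Require MPPE encryption in stateless mode
sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd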
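A small audit of the two files configured above, added here as an example and not part of the original post or of DD-WRT. It checks that the options file forces MPPE and carries the two compression options, and that every CHAP secret is long and contains special characters. The function names, the `MIN_LEN` threshold of 20 and the rule for locating the secret on a line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: file paths are passed
# as arguments, MIN_LEN (default 20) is an arbitrary bar for a "long" secret,
# and the secret is the quoted string on a line or, if unquoted, the
# second-to-last field. Secrets are never printed, only line numbers.

audit_options() {   # $1 = pppd options file used by pptpd
    grep -Eq '^mppe[[:space:]]+required' "$1" ||
        echo "options: no 'mppe required' line, encryption is not forced"
    for o in nopcomp noaccomp; do
        grep -qx "$o" "$1" || echo "options: '$o' missing"
    done
}

audit_secrets() {   # $1 = CHAP secrets file
    awk -v min="${MIN_LEN:-20}" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        {
            if (match($0, /"[^"]*"/)) s = substr($0, RSTART + 1, RLENGTH - 2)
            else if (NF >= 2)         s = $(NF - 1)
            else { print "secrets line " NR ": cannot parse"; next }
            if (length(s) < min)
                print "secrets line " NR ": secret is " length(s) " chars, want " min "+"
            if (s !~ /[^A-Za-z0-9]/)
                print "secrets line " NR ": secret has no special characters"
        }' "$1"
}

# Print every finding; return 0 only when there are none.
audit_pptpd() {
    findings=$(audit_options "$1"; audit_secrets "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (not real credentials) to show the output.
demo() {
    d=$(mktemp -d)
    printf 'mppe required,stateless\nnopcomp\n' > "$d/options.pptpd"
    printf '%s\n' '* alice * "correct horse battery staple 42!" *' \
                  '* bob * hunter2 *' > "$d/chap-secrets"
    rc=0; audit_pptpd "$d/options.pptpd" "$d/chap-secrets" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true   # prints three findings for the constructed files
```

On the router, call `audit_pptpd` with /tmp/pptpd/options.pptpd and the path of the CHAP secrets file that DD-WRT generated from the web UI field.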
The next step is to get this accessible from anywhere in the world. DD-WRT has built-in support for DynDNS which makes this easy.
Run dig username.dyndns-server.com in a terminal (or use nslookup on Windows); you should now see your public IP.
Now comes the scary step - forwarding traffic from the outside world. We're going to forward two ports only (one should be sufficient but some users report errors here). Go to the NAT/QoS->Port Forwarding tab and add the following entries. If you didn't pick 192.168.1.1 before as the server IP address, you need to change that here.
Application - vpn, Port from - 1723, Protocol - Both, IP Address - 192.168.1.1, Port To - 1723, Enabled - Check
Application - vpn, Port from - 1792, Protocol - Both, IP Address - 192.168.1.1, Port To - 1792, Enabled - Check
Hit 'Apply Settings'.
Reboot the router. I typically do this by pulling out the power cord and plugging it back in.
At this point, you should have a functional VPN server. Let's connect to it! I'm going to lay out the instructions for OSX and since Apple uses the same terminology, iOS setup is almost identical from inside the General Settings->Network UI. All other VPN clients should have a similar configuration experience as well.
You should have a VPN interface created for you. Here, enter your DynDNS hostname in 'Server Address' and the username you entered in the CHAP Secrets section as 'Account Name'. Press 'Advanced...' and check the option to send all traffic through this connection. Now, back in the main pane, press 'Connect'. Enter the password you typed out back in the CHAP Secrets section and...
Voila! You are now connected to your own VPN server. If this actually worked on your first attempt, congratulations! You can now browse securely from anywhere in the world by channeling all traffic through your home network.
There are several things that could go wrong above. Here are some common debugging tasks
Happy VPNing!