OpenWrt with PPTP VPN on TP-Link TL-MR3020

Hey! Listen! There are a few posts about installing OpenWrt on these travel routers. Make sure you’re reading the latest version, below.

Date / URL / Updates

2015-08-26: OpenWrt with OpenVPN server on TP-Link Archer C7
  • Initial post
2015-02-15: OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Setup entirely through SSH instead of LuCI
  • Small tweaks
2015-01-24: OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Added SAMBA share
  • Added alerting scripts
2014-10-19: OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Replaced PPTP client with OpenVPN client
  • Replaced my home server with PIA server
2014-06-28: OpenWrt with PPTP VPN on TP-Link TL-MR3020
  • Replaced WR703n with MR3020
2014-06-08: OpenWrt on TP-Link TL-WR703n
  • Initial post

    The other day, I gave up trying to put OpenWrt on a TP-Link TL-WR703n. The stock firmware seems to check for valid hashes, and OpenWrt doesn’t pass the test. Until someone comes up with a hack, I’ve moved on to the TL-MR3020. From what I’ve read, the only difference is that the MR3020 has a few status LEDs, and the stock interface is in English instead of Chinese.

    Again, my plan for this router is to use it when I travel. I plan on plugging it into the ethernet port in a hotel and having it broadcast a wireless network. Any devices that join that wireless network will be VPNed in back to a PPTP VPN server at my house. This encrypts my connection, as well as gives me access to resources at home. Eventually, I’ll be upgrading the VPN server at home to OpenVPN. If you don’t know the difference between PPTP, IPSec, and OpenVPN, you should get started with this.

     

    Install OpenWrt

    First, disconnect your PC from all wired and wireless networks. Then, plug the MR3020 into your PC with a wired connection. Do not do any of this over wireless. I started off by checking my IP in Windows.

    Ethernet adapter Local Area Connection:
     
    Connection-specific DNS Suffix . :
    IPv4 Address. . . . . . . . . . . : 192.168.0.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.254

     

    I opened Chrome and navigated to 192.168.0.254. At the prompts, enter “admin” for the username and password.


    English this time.


    Next, you’ll want to check out the OpenWrt wiki page for the MR3020 and download the latest version of OpenWrt, located here. From the status screen, select System Tools, then Firmware upgrade. Upload the firmware like you would a regular firmware upgrade.


    You’ll need to wait for the progress bar to cycle through twice. Once for the installation, and once for the reboot.


    Check your IP again, as mine had changed.

    Ethernet adapter Local Area Connection:
     
    Connection-specific DNS Suffix . :
    IPv4 Address. . . . . . . . . . . : 192.168.1.229
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1

     

    Configure OpenWrt

    From here, the OpenWrt wiki page recommends going through the basic configuration for any OpenWrt installation. I’m going to be combining some of the basic configuration with my configuration for the VPN client.

    Navigate to 192.168.1.1 and you’ll be greeted by LuCI, the web interface for OpenWrt. OpenWrt recently switched to the Unified Configuration Interface, also known as UCI. The UCI is basically a collection of easy-to-read configuration files that are all centrally located, making it much simpler to configure. What’s nice about LuCI is that it reads/writes from/to the UCI files. Any changes you make in LuCI are reflected in the UCI files, and vice versa, meaning you can program the MR3020 from the web interface, or from the command line.

    Anyway, moving on. Leave the username as “root” and the password field empty. Press Login to continue.


    Set a password

    From the main status screen, we’re going to set a root password by using the link in the red box at the top of the page.


    Here, you can set a root password as well as set up SSH access. Press Save & Apply to continue.


    Look for Password successfully changed! at the top of the screen.


    Verify SSH access by using PuTTY or another SSH client.


    Setup NTP

    The MR3020 doesn’t have a real-time clock or CMOS battery. Because of this, every time it loses power, the clock resets to September 8th, 2011. To work around this, we’re going to use NTP to get our time from the internet. You don’t have to set up NTP, but it makes troubleshooting easier when you’re looking at timestamped log files. Keep in mind, since the MR3020 is connected directly to your PC (not the internet), this won’t take effect until after we get it online.

    Go to the System tab, then the System tab. Under System Properties, you can set a hostname, as well as select a timezone. Then, under Time Synchronization, make sure the box is checked for Enable NTP client and provide a few NTP servers in the boxes below. I’m using US servers from the NTP Pool Project. Press Save & Apply to continue.

    Set default IP

    Next, we’re going to change the default IP of the router from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want). Most devices ship with 192.168.1.1 as the default, and since we’re going to be double NATed, we can’t have two identical IPs on the same network.

    Go to the Network tab, then the Interfaces tab. Select Edit on the LAN interface (which is actually a bridge of the wired and wireless interfaces). Under Common Configuration, change the IPv4 address field from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want). You can also limit the number of addresses available in the DHCP pool if you prefer. Press Save & Apply to continue.


    You’ll have to reboot your MR3020, and then check your IP settings again to verify the change.

    Ethernet adapter Local Area Connection:
     
    Connection-specific DNS Suffix . :
    IPv4 Address. . . . . . . . . . . : 10.80.1.19
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.80.1.1

    Log back into the web interface at the new address using your new password.

     

    Create wireless network

    We need to create a wireless network for the MR3020 to broadcast. Eventually, we’re going to turn off LAN access on the ethernet port, and we’ll need a way to connect to the router locally.

    Go to the Network tab, then the Wifi tab. Select Enable on the wireless network. Once enabled, select Edit. Setup your network as needed, preferably choosing WPA2-PSK and a strong password from the Wireless Security tab, under Interface configuration. Remember, this device is going to be a direct link back to your home network. Even if you have a strong VPN password, a weak WiFi password could compromise your network. Press Save & Apply to continue.


    At this point, you should disconnect the ethernet cable from the MR3020 and connect to the WiFi network we just set up. Normally, it’s not recommended to configure routers over wireless, but since we’re not going to be transferring files or upgrading firmware, we should be OK.

     

    Setup WAN interface

    We need the MR3020 to request an IP address from another router when it is plugged in. For this, we’ll need to make a new interface that will act as a DHCP client.

    Go to the Network tab, then the Interfaces tab. Here, you can see the default interface, br-lan, which is a bridge of the wired and wireless interfaces. We’re going to create the WAN interface by pressing Add new interface at the bottom of the screen. Name the interface something like WAN, with the protocol being set to DHCP client, covering the eth0 interface. Press Submit to continue.


    On the next screen, under Common Configuration, go to the Firewall Settings tab and select WAN. Press Save & Apply to continue.


    Unbridge LAN interfaces

    By default, the wired and wireless interfaces are bridged. I want them to be separate, so that I can plug the MR3020 into another router and use the wireless interface of the MR3020 to broadcast an SSID. Essentially, I’m making it so that only another router can use the ethernet port, and only clients can use the wireless network. If you don’t unbridge the interfaces, you’ve basically just created a wireless AP for the other router.

    Go to the Network tab, then the Interfaces tab. Select Edit on the LAN interface. Under the Physical Settings, uncheck the box for Bridge interfaces. Then, check the radio button next to the OpenWrt (or whatever you named your) wireless network. Press Save & Apply to continue, then reboot your MR3020.


    Verify internet access

    At this point, plug your MR3020 into a LAN port on your other router, and connect your PC to the MR3020’s wireless network. It doesn’t matter what IP your MR3020 gets from the other router, as your PC should see the MR3020 as 10.80.1.1. You should be able to access the internet, as well as ping websites through SSH.

    In addition, go to the Status tab to make sure your Local Time field is updated with the correct time, now that we’re on the internet.

     

    Setup VPN

    My plan for this router is to have it run a VPN client, so that any clients that then connect to the wireless network will be automatically VPNed in. I already have a PPTP VPN server at home, which I’ll soon be upgrading to OpenVPN. You should read OpenWrt’s VPN overview, as well as the PPTP guide and the PPTP NAT guide.

    First, we’ll need to install two VPN packages. This is easiest done by connecting to the MR3020 through SSH and running the commands below.

    opkg update
    opkg install ppp-mod-pptp luci-proto-ppp

     

    Keep in mind, after installing OpenWrt, there is only about 1MB of flash memory left for us, so don’t go crazy installing packages.

    Before…

    root@OpenWrt:~# df -h
    Filesystem                Size      Used Available Use% Mounted on
    rootfs                    1.1M    212.0K    876.0K  19% /
    /dev/root                 2.0M      2.0M         0 100% /rom
    tmpfs                    14.3M    752.0K     13.5M   5% /tmp
    tmpfs                   512.0K         0    512.0K   0% /dev
    /dev/mtdblock3            1.1M    212.0K    876.0K  19% /overlay
    overlayfs:/overlay        1.1M    212.0K    876.0K  19% /
    

    After…

    root@OpenWrt:~# df -h
    Filesystem                Size      Used Available Use% Mounted on
    rootfs                    1.1M    444.0K    644.0K  41% /
    /dev/root                 2.0M      2.0M         0 100% /rom
    tmpfs                    14.3M    752.0K     13.5M   5% /tmp
    tmpfs                   512.0K         0    512.0K   0% /dev
    /dev/mtdblock3            1.1M    444.0K    644.0K  41% /overlay
    overlayfs:/overlay        1.1M    444.0K    644.0K  41% /

     

    Next, we need to create a new interface.

    Go to the Network tab, then the Interfaces tab and press Add new interface at the bottom of the screen. Name the interface something descriptive (e.g., PPTP), with the protocol being set to PPtP. Press Submit to continue.


    On the next screen, under the General Setup tab, fill in your VPN server address (if you’re running your own server, it helps if you have dynamic DNS setup), as well as a username and password. For this example, I’ll be using PIA’s PPTP servers, since I’m writing this article at my house, from behind my router. When I travel, I’ll change this server address, username, and password to connect back to my house.


    Go to the Firewall Settings tab and select WAN. Press Save & Apply to continue, then reboot your MR3020.


    Reconnect to the OpenWrt network, go to the Status tab and look at the IPv4 WAN Status section. You should see something similar to this, showing you are online.

    [Screenshot: IPv4 WAN Status section]

     

    Check your IP with an external tool, like WhatIsMyIP, both on your local wireless network, as well as the OpenWrt network. You should see the difference, meaning you are successfully connected!

     

    [Screenshot: Before (on my local network)]

    [Screenshot: After (VPNed in)]

     

    A note about PPTP

    Again, for this demo, I’m not connecting to my home PPTP server, since I’m at home. Instead, I’m using PIA’s PPTP servers. However, my router here is set up to allow PPTP traffic to pass through. When I tried to use this router outside my house, to connect to my PPTP VPN server, I couldn’t get connected because the remote router had PPTP traffic blocked. Since I didn’t have admin access to that router, I couldn’t open those ports. This is where OpenVPN would be useful 🙂

     

    Backup your config

    You did all this work, don’t lose it. Go to the System tab, then the Backup/Flash Firmware tab and press Generate Archive to download a backup of all your configuration files.
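
An added example, not part of the original post: everything set through LuCI above ends up in UCI files, and the backup archive contains those same files. The Python sketch below parses the concatenated text of /etc/config/network, /etc/config/wireless and /etc/config/firewall and lists which settings from this guide are still missing; the sample config, the server name and the 16-character passphrase threshold are constructed assumptions.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opts': {key: [values]}}."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": (tok[2:] or [None])[0], "opts": {}})
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def first(sec, key):
    return (sec["opts"].get(key) or [""])[0]

def words(sec, key):  # 'option x "a b"' and repeated 'list x' lines are equivalent
    return [w for v in sec["opts"].get(key, []) for w in v.split()]

def audit(config, min_key_len=16):  # min_key_len is an assumed threshold, not from the guide
    """Return findings for the settings this guide changes; an empty list means all applied."""
    secs = parse_uci(config)
    net = {s["name"]: s for s in secs if s["type"] == "interface"}
    lan, wan, out = net.get("lan", {"opts": {}}), net.get("wan", {"opts": {}}), []
    if first(lan, "ipaddr") == "192.168.1.1":
        out.append("lan: still on the default 192.168.1.1")
    if first(lan, "type") == "bridge" or "eth0" in words(lan, "ifname"):
        out.append("lan: ethernet port is still part of the client network")
    if first(wan, "proto") != "dhcp" or "eth0" not in words(wan, "ifname"):
        out.append("wan: eth0 is not configured as a DHCP client")
    for s in (x for x in secs if x["type"] == "wifi-iface"):
        enc = first(s, "encryption") or "none"
        if not enc.startswith("psk2"):
            out.append(f"wifi: encryption is '{enc}', not WPA2-PSK")
        elif len(first(s, "key")) < min_key_len:
            out.append(f"wifi: passphrase shorter than {min_key_len} characters")
    wan_zone = {w for s in secs if s["type"] == "zone" and first(s, "name") == "wan"
                for w in words(s, "network")}
    vpn = [n for n, s in net.items() if first(s, "proto") == "pptp"]
    out += [f"vpn: '{n}' is not in the wan firewall zone" for n in vpn if n not in wan_zone]
    return out if vpn else out + ["vpn: no PPTP interface defined"]

# Constructed sample of the end state of this guide; server and passphrase are placeholders.
FINISHED = """
config interface 'lan'
    option ipaddr '10.80.1.1'
config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'
config interface 'pptp'
    option proto 'pptp'
    option server 'vpn.example.net'
config wifi-iface
    option encryption 'psk2'
    option key 'constructed sample passphrase'
config zone
    option name 'wan'
    option network 'wan pptp'
"""
```

Calling `audit(FINISHED)` returns an empty list; feeding it the text of a freshly flashed router's files reports each step that has not been applied yet.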


    That’s it! I’ll be tweaking this guide as I go, but let me know if anything is incorrect or missing.

    -Logan

    31 thoughts on “OpenWrt with PPTP VPN on TP-Link TL-MR3020”

    1. Greetings

      a silly request from an amateur.

      Any USA server VPN service allows up to 5 devices to be used. CAN U RECOMMEND SOMEONE WHO CAN CONFIGURE ALL THIS N SELL TO ME A PRE CONFIGURED 5 TP3020 FROM A RELIABLE SERVICE PROVIDER.
      THE FEES FOR ALL BE ADDED.

      Ajey

      • I don’t know if any providers would sell a pre-configured device, as you’d need an account already on the device. AFAIK, most VPN providers don’t deal in hardware.

    2. Thank you very much, I was not able to understand how OpenWrt works till reading your article. I have applied this procedure to my MR3040 and it is working fine, however, the VPN speed is too slow. Can you advise about this?

      Thank you in Advance.

      • Ahmed,

        Glad it helped! Your speed issue could be due to a number of things:

        • What kind of WAN connection does the MR3040 have? Are you operating out of a congested network (e.g., hotel, public wifi, etc..)?
        • The MR3040 has some pretty modest hardware, with only a 400MHz CPU. The overhead of encryption might mean the CPU is the bottleneck.
        • What server are you connecting to? I’m assuming you’re paying for a VPN service and connecting to them? Does your provider offer a server that is physically closer to you?
        • Also, you may want to check what your MTU is set at.

        Logan

    3. I am having an issue with the configuration. After setting up the PPTP connection, it does not appear the traffic is routing through it. On the status overview the WAN is still showing eth0, not PPTP as it does in your screenshot above. I went through the steps and do not believe I missed anything. Any ideas?

    4. Explain very clearly. Thanks again!
      Using OpenWrt B.B how can I redirect the traffic for transmission on a PPTP VPN?
      Regards.
      Frank (italy)

      • Frank,

        Are you trying to keep the Transmission traffic off the VPN? With this setup, any device using the WiFi network will have all traffic go over the VPN, which is what I think you would want. Also, I highly recommend switching to OpenVPN if you can, PPTP has known flaws.

        Logan

    5. I’m trying to route traffic of Transmission within the VPN, but Transmission connects only to a few peers and then goes into freeze. ok for OpenVPN .
      Thanks for the reply.
      frank

      • To be honest, I’m not sure what’s going on. This setup should work for all traffic, not just HTTP or another protocol. If it works for a few minutes, it’s probably not a firewall issue…

    6. Followed this and got my 3040 to work great at home! Thanks for taking the time to publish this! Quick question, how can I set it up to work with an existing wifi network? I like to work out of cafes that have their own wifi network. I want to connect this router to the cafe’s wifi and then create my own sub-wifi VPN network for my devices, without having to use an ethernet cord. Any help is appreciated.

      • Nikhil,

        A previous user and myself both tried this, without success, here. If the cafe WiFi you’re using has some sort of login system in front of it (e.g., captive portal), then it’s not possible.

    7. Hello,
      I have a question, is it also possible to block dns for chromecast?
      And how can I back to the original firmware?
      Thnx for sharing.

      • I can’t really speak to the first point. I’d assume you can put in a firewall rule to block Chromecast’s DNS servers (they appear to be hardcoded). But, this would probably block all of Google’s services at a router-level, so you might want to try to only block them for a certain IP (your Chromecast, if that’s possible).

        As for the second point, most OpenWrt wiki pages include instructions for reverting, but there is also a generic page as well. I’ve never tested it, so I can’t say if it works or not…

    8. Hi,
      2 things –
      1. I have the 3020 and it is flashed w/ DD-WRT. How do I make the jump to OPEN WRT easily? Do I flash it from DD-WRT ? Or do I do a factory reset back to Factory Firmware, then follow your instructions above?

      2. RE: your comment to Nikhil above – do you have any solutions to getting around a captive portal with ANY travel router (ie, firmware/hardware configuration combinations)?

    9. Hi Logan,

      Thanks for this really nice manual!
      I don’t like to have PPTP, so I stopped after being in the Internet with the MR3020.

      Since this is fine, Telnet don’t reach the router, also if I plugged in a cable and connect it again to the laptop.
      I’m not an expert, so can you give me a hint to connect again via telnet?

      If this works, I would like to maximize the memory over an USB Stick(8GB), which I have already formatted with EXT4.
      I have left round about 6Meg of available memory. Will this reach for USB-support and allows me this to install
      as next more packages, like Lighttpd, so install a simple WEB page?

      Sorry for this simple questions…

      Jo

      • I don’t use the travel routers anymore, so I’m not sure how much help I’ll be…

        I think OpenWrt disables telnet if you enable SSH, so you’ll need to enable telnet manually.

        The amount of memory you need will depend on what packages, which webpages, etc… I always suggest to have more space than you need.

    10. …Hi again. Forget it 🙂 Didn’t read, that after setting a password with LuCI Telnet is disabled.

      It’s possible to start that client manual, or don’t need it, if ssh works?

      Jo

      • Unfortunately, I didn’t set that up in this post. You’re looking to make PIA the PPTP server and OpenWrt the PPTP client. Check out this guide.
