From 3399cfd45381999b7027cc916f79df1bdfff663f Mon Sep 17 00:00:00 2001 From: Aditya Bhargava Date: Thu, 12 Dec 2019 10:36:47 -0500 Subject: [PATCH 1/9] Use libcurl if available for DDNS The existing HTTP request implementation can be slow. I've found that it takes substantially longer when doing DDNS updates (with Cloudflare) than it does if libcurl is used. This commit adds code to use libcurl instead of the built-in implementation if available, as determined by TCONFIG_BBT and TCONFIG_NGINX, which are the two configuration settings that pull in libcurl. --- release/src-rt-6.x.4708/router/mdu/Makefile | 12 +- release/src-rt-6.x.4708/router/mdu/mdu.c | 256 +++++++++++++++++++- 2 files changed, 262 insertions(+), 6 deletions(-) diff --git a/release/src-rt-6.x.4708/router/mdu/Makefile b/release/src-rt-6.x.4708/router/mdu/Makefile index 91dfb10674..d88f6b71f0 100644 --- a/release/src-rt-6.x.4708/router/mdu/Makefile +++ b/release/src-rt-6.x.4708/router/mdu/Makefile @@ -1,9 +1,9 @@ include ../common.mak CFLAGS = -Os -Wall $(EXTRACFLAGS) -CFLAGS += -I$(SRCBASE)/include -I$(TOP)/shared -I$(TOP)/mssl +CFLAGS += -I$(SRCBASE)/include -I$(TOP)/shared LDFLAGS = -LIBS = -L$(TOP)/nvram${BCMEX} -lnvram -L$(TOP)/shared -lshared -L$(TOP)/mssl -lmssl +LIBS = -L$(TOP)/nvram${BCMEX} -lnvram -L$(TOP)/shared -lshared #LIBS = -L$(TOP)/nvram -lnvram -L$(TOP)/shared -lshared $(TOP)/mssl/libmssl.a $(TOP)/matrixssl/src/libmatrixsslstatic.a ifeq ($(TCONFIG_BCMARM),y) @@ -14,6 +14,14 @@ ifeq ($(FULL_OPENSSL),y) LIBS += -L$(TOP)/openssl -lssl -lcrypto endif +ifneq ($(TCONFIG_BBT)$(TCONFIG_NGINX),) +CFLAGS += -DUSE_LIBCURL -I$(TOP)/libcurl/staged/usr/include +LIBS += -lpthread -L$(TOP)/libcurl/lib/.libs -lcurl +else +CFLAGS+= -I$(TOP)/mssl +LIBS += -L$(TOP)/mssl -lmssl +endif + OBJS = mdu.o all: mdu diff --git a/release/src-rt-6.x.4708/router/mdu/mdu.c b/release/src-rt-6.x.4708/router/mdu/mdu.c index 9fa9806908..a6a3ea9c94 100644 --- a/release/src-rt-6.x.4708/router/mdu/mdu.c 
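Review bot: `CFLAGS+= -I$(TOP)/mssl` in the new `else` branch drops the space that every other assignment in this Makefile uses (`CFLAGS += ...`, `LIBS += ...`); write it as `CFLAGS += -I$(TOP)/mssl` so the two branches read alike. The `-DUSE_LIBCURL` define is what switches `mdu.c` onto the libcurl code path, and the reason the condition is spelled `ifneq ($(TCONFIG_BBT)$(TCONFIG_NGINX),)` lives only in the commit message; a one-line comment above the `ifneq`, e.g. `# TCONFIG_BBT and TCONFIG_NGINX are the options that already pull in libcurl`, would keep that rationale with the code.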
+++ b/release/src-rt-6.x.4708/router/mdu/mdu.c @@ -29,8 +29,11 @@ #include #include +#ifdef USE_LIBCURL +#include +#else #include "mssl.h" - +#endif #ifdef DEBUG @@ -57,6 +60,12 @@ #define M_SAME_RECORD "Record already up-to-date." #define M_DOWN "Server temporarily down or under maintenance." +#ifdef USE_LIBCURL +int curl_sslerr = 1; +FILE *curl_dfile = NULL; +CURL *curl_handle = NULL; +#endif + char *blob = NULL; int error_exitcode = 1; 
@@ -218,6 +227,151 @@ static const char *get_dump_name(void) #endif } +#ifdef USE_LIBCURL +static int curl_dump(CURL *handle, curl_infotype type, char *data, size_t size, + void *userptr) +{ + const char *prefix; + FILE *f_out; + size_t i; + char c; + int is_info; + + is_info = 0; + switch (type) + { + case CURLINFO_HEADER_OUT: + prefix = ">H "; + break; + case CURLINFO_DATA_OUT: + prefix = ">D "; + break; + case CURLINFO_HEADER_IN: + prefix = "= 0x20 && c < 0x80 ? c : '.', f_out); + } + fputc('\n', f_out); + + return 0; +} + +static void curl_setup() +{ + CURLsslset result; + const char *dump; + + result = curl_global_sslset(CURLSSLBACKEND_OPENSSL, NULL, NULL); + if (result == CURLSSLSET_OK || result == CURLSSLSET_TOO_LATE) + curl_sslerr = 0; + if (curl_global_init(CURL_GLOBAL_ALL) || !(curl_handle = curl_easy_init())) + error("libcurl initialization failure."); + + curl_easy_setopt(curl_handle, CURLOPT_FOLLOWLOCATION, 1); + curl_easy_setopt(curl_handle, CURLOPT_MAXREDIRS, 20); + curl_easy_setopt(curl_handle, CURLOPT_CONNECTTIMEOUT, 10); + curl_easy_setopt(curl_handle, CURLOPT_TIMEOUT, 10); + + if ((dump = get_dump_name()) != NULL) + { + curl_easy_setopt(curl_handle, CURLOPT_VERBOSE, 1L); + if ((curl_dfile = fopen(dump, "a")) != NULL) + { + curl_easy_setopt(curl_handle, CURLOPT_DEBUGFUNCTION, curl_dump); + curl_easy_setopt(curl_handle, CURLOPT_DEBUGDATA, (void *)curl_dfile); + } + } +} + +static void curl_cleanup() +{ + if (curl_dfile != NULL) + fclose(curl_dfile); + curl_easy_cleanup(curl_handle); + curl_global_cleanup(); +} + +static struct curl_slist *curl_headers(const char *header) +{ + char *sub; + struct curl_slist *headers = NULL; + struct curl_slist *tmp; + size_t n = strlen(header); + + if (!header) + return NULL; + + sub = strstr(header, "\r\n"); + while (sub || n > 0) + { + if (sub) + *sub = 0; + if (header) + { + tmp = curl_slist_append(headers, header); + if (tmp == NULL) + { + curl_slist_free_all(headers); + curl_cleanup(); + error("libcurl header 
failure."); + } + } + if (sub) + { + n -= sub + 2 - header; + headers = tmp; + header = sub + 2; + *sub = '\r'; + sub = strstr(header, "\r\n"); + } + else + { + n = 0; + headers = tmp; + } + } + + return headers; +} +#else static int _http_req(int ssl, const char *host, int port, const char *request, char *buffer, int bufsize, char **body) { struct hostent *he; 
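Review bot: `curl_headers` evaluates `size_t n = strlen(header);` among its declarations, before the `if (!header) return NULL;` guard, so the guard can never fire and a NULL `header` is dereferenced anyway; declare `size_t n;` and assign `n = strlen(header);` after the check. The caller-side `if (header)` guard added in the second patch of this series and the `tmp = NULL` initialisation in the eighth both leave that order in place. The same function writes through `sub` (`*sub = 0;`, later `*sub = '\r';`), and `sub` points into the `const char *header` argument, so either the parameter should lose its `const` or the header string should be copied before it is split in place. In `curl_setup`, `CURLOPT_FOLLOWLOCATION`, `CURLOPT_MAXREDIRS`, `CURLOPT_CONNECTTIMEOUT` and `CURLOPT_TIMEOUT` take a `long` through the variadic `curl_easy_setopt`, but are passed the `int` literals `1`, `20`, `10`, `10`; use `1L`, `20L`, `10L`, `10L` as the `CURLOPT_VERBOSE` call already does. The `_http_req` definition at the end of the hunk continues outside it.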
@@ -339,9 +493,94 @@ static int _http_req(int ssl, const char *host, int port, const char *request, c return -1; } +#endif static int http_req(int ssl, int static_host, const char *host, const char *req, const char *query, const char *header, int auth, char *data, char **body) { +#ifdef USE_LIBCURL + struct curl_slist *headers; + char url[HALF_BLOB]; + FILE *curl_wbuf = NULL; + FILE *curl_rbuf = NULL; + CURLcode r; + int trys; + long code; + + if (!static_host) host = get_option_or("server", host); + if (ssl) + { + if (curl_sslerr) + { + curl_cleanup(); + error("SSL failure with libcurl."); + } + snprintf(url, HALF_BLOB, "https://%s%s", host, query); + } + else + snprintf(url, HALF_BLOB, "http://%s%s", host, query); + curl_easy_setopt(curl_handle, CURLOPT_URL, url); + headers = curl_headers(header); + curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, headers); + + if (auth) { + curl_easy_setopt(curl_handle, CURLOPT_USERNAME, get_option_required("user")); + curl_easy_setopt(curl_handle, CURLOPT_PASSWORD, get_option_required("pass")); + curl_easy_setopt(curl_handle, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); + } + else + curl_easy_setopt(curl_handle, CURLOPT_HTTPAUTH, CURLAUTH_NONE); + + curl_wbuf = fmemopen(blob, HALF_BLOB, "w"); + setbuf(curl_wbuf, NULL); + curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)curl_wbuf); + if (data) + { + curl_rbuf = fmemopen(data, strlen(data), "r"); + curl_easy_setopt(curl_handle, CURLOPT_READDATA, (void *)curl_rbuf); + curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE, strlen(data)); + curl_easy_setopt(curl_handle, CURLOPT_UPLOAD, 1L); + } + else + { + curl_easy_setopt(curl_handle, CURLOPT_READDATA, NULL); + curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE, 0); + curl_easy_setopt(curl_handle, CURLOPT_UPLOAD, 0L); + } + + if (!strcmp(req, "POST")) + curl_easy_setopt(curl_handle, CURLOPT_POST, 1L); + else if (!strcmp(req, "GET")) + curl_easy_setopt(curl_handle, CURLOPT_HTTPGET, 1L); + + for (trys = 4; trys > 0; --trys) + { + r = 
curl_easy_perform(curl_handle); + if (r != CURLE_COULDNT_CONNECT) + break; +#ifdef DEBUG + perror("connect"); +#endif + sleep(2); + } + curl_slist_free_all(headers); + curl_easy_getinfo(curl_handle, CURLINFO_RESPONSE_CODE, &code); + fclose(curl_wbuf); + if (curl_rbuf) + fclose(curl_rbuf); + if (curl_dfile) + { + fputc('\n', curl_dfile); + fflush(curl_dfile); + } + if (r != CURLE_OK) + { + curl_cleanup(); + error("Unknown libcurl error %d with response code %ld.", r, code); + } + + *body = blob; + return code; +#else char *p; int port; char a[512]; @@ -369,7 +608,7 @@ static int http_req(int ssl, int static_host, const char *host, const char *req, req, query, httpv, host); if (auth) { sprintf(a, "%s:%s", get_option_required("user"), get_option_required("pass")); - n = base64_encode((unsigned char *) a, b, strlen(a)); + n = base64_encode((const char *) a, b, strlen(a)); b[n] = 0; sprintf(blob + strlen(blob), "Authorization: Basic %s\r\n", b); } @@ -400,6 +639,7 @@ static int http_req(int ssl, int static_host, const char *host, const char *req, _dprintf("%s: n=%d\n", __FUNCTION__, n); return n; +#endif } static int wget(int ssl, int static_host, const char *host, const char *get, const char *header, int auth, char **body) @@ -1434,7 +1674,7 @@ static int cloudflare_errorcheck(int code, const char *req, char *body) else if (code == 403 && strstr(body, "\"code\":9103") != NULL) error(M_INVALID_AUTH); - error("%s returned HTTP code %d.", req, code); + error("%s returned HTTP error code %d.", req, code); return -1; // silence compiler warning } @@ -1575,7 +1815,7 @@ static void update_wget(void) if ((c = strrchr(host, '@')) != NULL) { *c = 0; - s[base64_encode((unsigned char *) host, s, c - host)] = 0; + s[base64_encode((const char *) host, s, c - host)] = 0; sprintf(he, "Authorization: Basic %s\r\n", s); header = he; host = c + 1; 
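Review bot: In the libcurl branch of `http_req`, `curl_wbuf = fmemopen(blob, HALF_BLOB, "w")` is followed directly by `setbuf(curl_wbuf, NULL)` and the `CURLOPT_WRITEDATA` setopt with no NULL test, and `curl_rbuf = fmemopen(data, strlen(data), "r")` is used unchecked the same way; add a guard in the style the function already uses, `if (!curl_wbuf) { curl_cleanup(); error("libcurl buffer failure."); }`. A stream opened with `fmemopen(..., "w")` only NUL-terminates the buffer when space remains after the last write, so a response of exactly HALF_BLOB bytes leaves `*body = blob` unterminated for the `strstr` callers downstream unless `blob` is zeroed beyond that offset — worth confirming against `blob`'s allocation, which is outside this hunk. `CURLOPT_INFILESIZE` expects a `long` but receives `strlen(data)` (a `size_t`) in one branch and the `int` literal `0` in the other; pass `(long)strlen(data)` and `0L`. `code` is assigned only by `curl_easy_getinfo`, whose return value is ignored, so the `error("Unknown libcurl error %d with response code %ld.", r, code)` message can print an indeterminate value when that call fails; declare it as `long code = 0;`.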
@@ -1717,6 +1957,10 @@ int main(int argc, char *argv[]) */ check_cookie(); +#ifdef USE_LIBCURL + curl_setup(); +#endif + p = get_option_required("service"); if (strcmp(p, "dua") == 0) { update_dua("dyndns", 0, NULL, NULL, 1); @@ -1840,5 +2084,9 @@ int main(int argc, char *argv[]) error("Unknown service"); } +#ifdef USE_LIBCURL + curl_cleanup(); +#endif + return 1; } From d9af50667a12828a5715bae4bb3c44202efb2b01 Mon Sep 17 00:00:00 2001 From: Aditya Bhargava Date: Thu, 12 Dec 2019 12:43:17 -0500 Subject: [PATCH 2/9] Fix segfault when no headers provided to libcurl request --- release/src-rt-6.x.4708/router/mdu/mdu.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/release/src-rt-6.x.4708/router/mdu/mdu.c b/release/src-rt-6.x.4708/router/mdu/mdu.c index a6a3ea9c94..5c0572ef1a 100644 --- a/release/src-rt-6.x.4708/router/mdu/mdu.c +++ b/release/src-rt-6.x.4708/router/mdu/mdu.c @@ -498,7 +498,7 @@ static int _http_req(int ssl, const char *host, int port, const char *request, c static int http_req(int ssl, int static_host, const char *host, const char *req, const char *query, const char *header, int auth, char *data, char **body) { #ifdef USE_LIBCURL - struct curl_slist *headers; + struct curl_slist *headers = NULL; char url[HALF_BLOB]; FILE *curl_wbuf = NULL; FILE *curl_rbuf = NULL; @@ -519,8 +519,11 @@ static int http_req(int ssl, int static_host, const char *host, const char *req, else snprintf(url, HALF_BLOB, "http://%s%s", host, query); curl_easy_setopt(curl_handle, CURLOPT_URL, url); - headers = curl_headers(header); - curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, headers); + if (header) + { + headers = curl_headers(header); + curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, headers); + } if (auth) { curl_easy_setopt(curl_handle, CURLOPT_USERNAME, get_option_required("user")); From a6ae58a65319dfff7551a7a39883597193b227f7 Mon Sep 17 00:00:00 2001 
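Review bot: `curl_cleanup()` runs only on the fall-through `return 1;` at the end of `main`; the `error("Unknown service")` call immediately above it, and every other `error()` path that does not pass through `http_req` or `curl_headers`, skips it. Assuming `error()` terminates the process, which its use right before `return -1; // silence compiler warning` in `cloudflare_errorcheck` suggests, registering the cleanup once in `curl_setup` with `atexit(curl_cleanup);` would cover every exit uniformly and allow the explicit `curl_cleanup();` calls that precede `error(...)` elsewhere in the file to be dropped. The part of `main` between the two hunks is outside this view.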
From: Aditya Bhargava Date: Thu, 12 Dec 2019 13:04:30 -0500 Subject: [PATCH 3/9] Add dns.he.net DDNS support dns.he.net supports the dyndns protocol (v2) so this is a very simple patch. --- release/src-rt-6.x.4708/router/mdu/mdu.c | 8 ++++++++ release/src-rt-6.x.4708/router/www/basic-ddns.asp | 2 ++ 2 files changed, 10 insertions(+) diff --git a/release/src-rt-6.x.4708/router/mdu/mdu.c b/release/src-rt-6.x.4708/router/mdu/mdu.c index 9fa9806908..1be130df9d 100644 --- a/release/src-rt-6.x.4708/router/mdu/mdu.c +++ b/release/src-rt-6.x.4708/router/mdu/mdu.c @@ -1830,6 +1830,14 @@ int main(int argc, char *argv[]) // Tunnel Broker uses the same API as DynDNS update_dua("heipv6tb", 1, "ipv4.tunnelbroker.net", "/nic/update", 1); } + else if (strcmp(p, "dnshenet") == 0) { + // dns.he.net uses the same API as DynDNS + update_dua(NULL, 0, "dyn.dns.he.net", "/nic/update", 0); + } + else if (strcmp(p, "sdnshenet") == 0) { + // dns.he.net uses the same API as DynDNS + update_dua(NULL, 1, "dyn.dns.he.net", "/nic/update", 0); + } else if (strcmp(p, "cloudflare") == 0) { update_cloudflare(); } diff --git a/release/src-rt-6.x.4708/router/www/basic-ddns.asp b/release/src-rt-6.x.4708/router/www/basic-ddns.asp index 58398a91c7..17569aa828 100644 --- a/release/src-rt-6.x.4708/router/www/basic-ddns.asp +++ b/release/src-rt-6.x.4708/router/www/basic-ddns.asp @@ -77,6 +77,8 @@ var services = [ ['ovh', 'OVH', 'http://www.ovh.com/', 'uh'], ['sovh', 'OVH (https)', 'https://www.ovh.com/', 'uh'], ['schangeip', 'ChangeIP (https)', 'https://www.changeip.com/', 'uh'], + ['dnshenet', 'dns.he.net', 'http://dns.he.net/', 'u', 'Host name', 'DDNS key'], + ['sdnshenet', 'dns.he.net (https)', 'https://dns.he.net/', 'u', 'Host name', 'DDNS key'], ['cloudflare', 'Cloudflare (https)', 'https://www.cloudflare.com/', 'uhbnws', 'Email Address', 'API Key', null, 'Proxied', 'Create record if needed', 'Zone ID'], ['custom', 'Custom URL', '', 'c']]; 
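Review bot: The new `dnshenet` row points at the plain `http://` endpoint, so the value entered under `DDNS key` is transmitted in cleartext (presumably as the Basic-auth credential the dyndns protocol uses), while the `sdnshenet` row directly below reaches the same provider over HTTPS. Since the mdu.c hunk in this commit shows dns.he.net accepting `/nic/update` with `ssl` set, consider shipping only the HTTPS entry, or at least making the distinction visible in the label, e.g. `'dns.he.net (http, unencrypted)'`. The other providers in this table follow the same two-row pattern, so this is a question of the default offered for a new provider rather than of this row in isolation.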
From 8e4adc3e8576f192d3528b2ef6ae8379bf00a406 Mon Sep 17 00:00:00 2001 From: pedro Date: Fri, 13 Dec 2019 14:34:14 +0100 Subject: [PATCH 4/9] router: rc: services.c: c: Add WPAD DHCP option for Win7/8 by default if dhcpd_auth >=0 is fixed in nvram --- release/src-rt-6.x.4708/router/rc/services.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/release/src-rt-6.x.4708/router/rc/services.c b/release/src-rt-6.x.4708/router/rc/services.c index 1b01d090df..0f6c90ff51 100644 --- a/release/src-rt-6.x.4708/router/rc/services.c +++ b/release/src-rt-6.x.4708/router/rc/services.c @@ -435,7 +435,9 @@ void start_dnsmasq() n = nvram_get_int("dhcpd_lmax"); fprintf(f, "dhcp-lease-max=%d\n", (n > 0) ? n : 255); if (nvram_get_int("dhcpd_auth") >= 0) { - fprintf(f, "dhcp-authoritative\n"); + fprintf(f, + "dhcp-option=lan,252,\"\\n\"\n" + "dhcp-authoritative\n"); } if (nvram_match("dnsmasq_debug", "1")) { From 6f789543e3de4c4dab077d56604751feb51193d3 Mon Sep 17 00:00:00 2001 From: Don Bushway Date: Sat, 14 Dec 2019 10:17:51 -0700 Subject: [PATCH 5/9] Enable support for lspci in busybox. Enable lsusb, CONFIG_FEATURE_WGET_STATUSBAR, and CONFIG_FEATURE_VERBOSE_USAGE in config_base instead of Makefile. --- release/src-rt-6.x.4708/Makefile | 8 -------- release/src-rt-6.x.4708/router/busybox/config_base | 6 +++--- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/release/src-rt-6.x.4708/Makefile b/release/src-rt-6.x.4708/Makefile index 0786d230b1..043f406e9a 100644 --- a/release/src-rt-6.x.4708/Makefile +++ b/release/src-rt-6.x.4708/Makefile 
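Review bot: The new `dhcp-option=lan,252,"\\n"` line is emitted inside the `nvram_get_int("dhcpd_auth") >= 0` branch, which ties the WPAD option to the unrelated authoritative-DHCP setting, and nothing in the code explains why option 252 carries a lone newline. Add a comment such as `/* option 252 (WPAD): a bare newline makes Windows clients stop probing DNS for a proxy auto-config host */` above the `fprintf`, and consider giving the option a condition of its own rather than riding on `dhcp-authoritative`. The `lan` tag presumably restricts the option to the primary LAN's dhcp-range; whether additional bridges should receive it as well is worth confirming against the rest of `start_dnsmasq`, which continues outside the hunk.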
@@ -652,14 +652,6 @@ define BusyboxOptions echo "CONFIG_E2LABEL=y" >>$(1); \ sed -i "/CONFIG_FEATURE_VOLUMEID_EXFAT/d" $(1); \ echo "CONFIG_FEATURE_VOLUMEID_EXFAT=y" >>$(1); \ - if [ "$(CONFIG_LINUX26)" = "y" ]; then \ - sed -i "/CONFIG_LSUSB/d" $(1); \ - echo "CONFIG_LSUSB=y" >>$(1); \ - sed -i "/CONFIG_FEATURE_WGET_STATUSBAR/d" $(1); \ - echo "CONFIG_FEATURE_WGET_STATUSBAR=y" >>$(1); \ - sed -i "/CONFIG_FEATURE_VERBOSE_USAGE/d" $(1); \ - echo "CONFIG_FEATURE_VERBOSE_USAGE=y" >>$(1); \ - fi; \ fi; \ else \ sed -i "/CONFIG_FEATURE_MOUNT_LOOP/d" $(1); \ diff --git a/release/src-rt-6.x.4708/router/busybox/config_base b/release/src-rt-6.x.4708/router/busybox/config_base index e832149584..d87cd021d1 100644 --- a/release/src-rt-6.x.4708/router/busybox/config_base +++ b/release/src-rt-6.x.4708/router/busybox/config_base @@ -609,8 +609,8 @@ CONFIG_FEATURE_GPT_LABEL=y # CONFIG_IPCRM is not set # CONFIG_IPCS is not set # CONFIG_LOSETUP is not set -# CONFIG_LSPCI is not set -# CONFIG_LSUSB is not set +CONFIG_LSPCI=y +CONFIG_LSUSB=y # CONFIG_MDEV is not set # CONFIG_FEATURE_MDEV_CONF is not set # CONFIG_FEATURE_MDEV_RENAME is not set @@ -915,7 +915,7 @@ CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="" # CONFIG_UDPSVD is not set CONFIG_VCONFIG=y CONFIG_WGET=y -# CONFIG_FEATURE_WGET_STATUSBAR is not set +CONFIG_FEATURE_WGET_STATUSBAR=y CONFIG_FEATURE_WGET_AUTHENTICATION=y # CONFIG_FEATURE_WGET_LONG_OPTIONS is not set CONFIG_FEATURE_WGET_TIMEOUT=y From 3ec1e58b806adae123de763342643f970356a9f8 Mon Sep 17 00:00:00 2001 From: pedro Date: Sat, 14 Dec 2019 22:32:04 +0100 Subject: [PATCH 6/9] GUI: OpenVPN Client: cosmetic - as suggested by @rs232: https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm-development-thread.74117/post-309967 --- release/src-rt-6.x.4708/router/www/vpn-client.asp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/release/src-rt-6.x.4708/router/www/vpn-client.asp b/release/src-rt-6.x.4708/router/www/vpn-client.asp index d39f34715c..94ac55ad70 100644 --- a/release/src-rt-6.x.4708/router/www/vpn-client.asp +++ b/release/src-rt-6.x.4708/router/www/vpn-client.asp @@ -474,6 +474,9 @@ for (i = 0; i < tabs.length; ++i) { name: 'vpn_'+t+'_addr', type: 'text', maxlen: 60, size: 17, value: eval( 'nvram.vpn_'+t+'_addr' ) }, { name: 'vpn_'+t+'_port', type: 'text', maxlen: 5, size: 7, value: eval( 'nvram.vpn_'+t+'_port' ) } ] }, { title: 'Firewall', name: 'vpn_'+t+'_firewall', type: 'select', options: [ ['auto', 'Automatic'], ['custom', 'Custom'] ], value: eval( 'nvram.vpn_'+t+'_firewall' ) }, + { title: 'Create NAT on tunnel', name: 'f_vpn_'+t+'_nat', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_nat' ) != 0, + suffix: ' Routes must be configured manually.<\/small><\/span>' }, + { title: 'Inbound Firewall', name: 'f_vpn_'+t+'_fw', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_fw' ) != 0 }, { title: 'Authorization Mode', name: 'vpn_'+t+'_crypt', type: 'select', options: [ ['tls', 'TLS'], ['secret', 'Static Key'], ['custom', 'Custom'] ], value: eval( 'nvram.vpn_'+t+'_crypt' ), suffix: ' (must configure manually...)<\/small><\/span>' }, { title: 'TLS control channel security (tls-auth/tls-crypt)<\/small>', name: 'vpn_'+t+'_hmac', type: 'select', options: [ [-1, 'Disabled'], [2, 'Bi-directional Auth'], [0, 'Incoming Auth (0)'], [1, 'Outgoing Auth (1)'], [3, 'Encrypt Channel'] ], value: eval( 'nvram.vpn_'+t+'_hmac' ) }, 
@@ -485,9 +488,6 @@ for (i = 0; i < tabs.length; ++i) { title: 'Auth digest', name: 'vpn_'+t+'_digest', type: 'select', options: digests, value: eval( 'nvram.vpn_'+t+'_digest' ) }, { title: 'Server is on the same subnet', name: 'f_vpn_'+t+'_bridge', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_bridge' ) != 0, suffix: ' Warning: Cannot bridge distinct subnets. Defaulting to routed mode.<\/small><\/span>' }, - { title: 'Create NAT on tunnel', name: 'f_vpn_'+t+'_nat', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_nat' ) != 0, - suffix: ' Routes must be configured manually.<\/small><\/span>' }, - { title: 'Inbound Firewall', name: 'f_vpn_'+t+'_fw', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_fw' ) != 0 }, { title: 'Local/remote endpoint addresses', multi: [ { name: 'vpn_'+t+'_local', type: 'text', maxlen: 15, size: 17, value: eval( 'nvram.vpn_'+t+'_local' ) }, { name: 'vpn_'+t+'_remote', type: 'text', maxlen: 15, size: 17, value: eval( 'nvram.vpn_'+t+'_remote' ) } ] }, From 9183aae8b4cb1f198c8052ade2abad3505c98438 Mon Sep 17 00:00:00 2001 From: Aditya Bhargava Date: Tue, 17 Dec 2019 03:19:17 -0500 Subject: [PATCH 7/9] Add forgotten conditional mdu libcurl dep --- release/src-rt-6.x.4708/router/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/release/src-rt-6.x.4708/router/Makefile b/release/src-rt-6.x.4708/router/Makefile index 50488e8d97..5cf867e855 100644 --- a/release/src-rt-6.x.4708/router/Makefile +++ b/release/src-rt-6.x.4708/router/Makefile @@ -885,7 +885,11 @@ openssl-install: mssl: openssl +ifneq ($(TCONFIG_BBT)$(TCONFIG_NGINX),) +mdu: shared libcurl +else mdu: shared mssl +endif rc: nvram$(BCMEX) shared From a14d9cb9bcedbb4c3bad9cf6eb698c8865ad7d39 Mon Sep 17 00:00:00 2001 From: pedro Date: Wed, 18 Dec 2019 00:38:44 +0100 Subject: [PATCH 8/9] router: rc: mdu: mdu.c: cosmetic, stay as close as possible to MIPS version --- release/src-rt-6.x.4708/router/mdu/mdu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/release/src-rt-6.x.4708/router/mdu/mdu.c b/release/src-rt-6.x.4708/router/mdu/mdu.c index 8dfd860c94..f1557fef7b 100644 --- a/release/src-rt-6.x.4708/router/mdu/mdu.c +++ b/release/src-rt-6.x.4708/router/mdu/mdu.c @@ -234,7 +234,7 @@ static int curl_dump(CURL *handle, curl_infotype type, char *data, size_t size, const char *prefix; FILE *f_out; size_t i; - char c; + unsigned char c; int is_info; is_info = 0; @@ -287,7 +287,7 @@ static int curl_dump(CURL *handle, curl_infotype type, char *data, size_t size, fputs(prefix, f_out); } else - fputc(c >= 0x20 && c < 0x80 ? c : '.', f_out); + fputc((c >= 0x20 && c < 0x80) ? c : '.', f_out); } fputc('\n', f_out); @@ -333,7 +333,7 @@ static struct curl_slist *curl_headers(const char *header) { char *sub; struct curl_slist *headers = NULL; - struct curl_slist *tmp; + struct curl_slist *tmp = NULL; size_t n = strlen(header); if (!header) From eebf810cb14c7d6cfa059fa0f963e3772bd2a162 Mon Sep 17 00:00:00 2001 
From: pedro Date: Thu, 19 Dec 2019 01:39:29 +0100 Subject: [PATCH 9/9] VPN PPTP: changes and improvements (part 2) - tested on Android and MIPS/ARM routers in different configurations, working (both: lan access and internet) - change default MTU/MRU to 1400 (client/pptpd) - change 'Stateless MPPE' to enabled (client) These two above changes are essential to get working VPN connection with MIPS routers! Client: - GUI: add usage and notes about MTU/MRU problems PPTPD: - GUI: add option to choose Auth method (Auto/MS-CHAPv1/MS-CHAPv2) - move working directory to "/etc/vpn/" (the same as for pptpc_client) - move MTU clamping rule to the top, so it will be processed before the ACCEPT rule, otherwise it will never be used - more changes and fixes for pptpd code, configuration, etc (thanks @Merlin) --- release/src-rt-6.x.4708/router/httpd/pptpd.c | 2 +- release/src-rt-6.x.4708/router/httpd/tomato.c | 1 + .../src-rt-6.x.4708/router/rc/pptp_client.c | 38 +- release/src-rt-6.x.4708/router/rc/pptpd.c | 428 ++++++++---------- .../src-rt-6.x.4708/router/shared/defaults.c | 6 +- .../router/www/vpn-pptp-server.asp | 8 +- .../src-rt-6.x.4708/router/www/vpn-pptp.asp | 14 +- 7 files changed, 237 insertions(+), 260 deletions(-) diff --git a/release/src-rt-6.x.4708/router/httpd/pptpd.c b/release/src-rt-6.x.4708/router/httpd/pptpd.c index 3a51ac1ac9..98b3285a56 100644 --- a/release/src-rt-6.x.4708/router/httpd/pptpd.c +++ b/release/src-rt-6.x.4708/router/httpd/pptpd.c @@ -19,7 +19,7 @@ #include "tomato.h" #ifndef PPTP_CONNECTED -#define PPTP_CONNECTED "/tmp/pptp_connected" +#define PPTP_CONNECTED "/etc/vpn/pptpd_connected" #endif #ifndef IF_SIZE diff --git a/release/src-rt-6.x.4708/router/httpd/tomato.c b/release/src-rt-6.x.4708/router/httpd/tomato.c index 77de4a45df..7b316f8fea 100644 --- a/release/src-rt-6.x.4708/router/httpd/tomato.c +++ b/release/src-rt-6.x.4708/router/httpd/tomato.c 
@@ -1841,6 +1841,7 @@ wl_ap_ssid { "pptp_client_custom", V_NONE }, { "pptp_client_dfltroute", V_01 }, { "pptp_client_stateless", V_01 }, + { "pptpd_chap", V_RANGE(0,2) }, #endif { NULL } diff --git a/release/src-rt-6.x.4708/router/rc/pptp_client.c b/release/src-rt-6.x.4708/router/rc/pptp_client.c index df8b08e29e..9dfa1220d2 100644 --- a/release/src-rt-6.x.4708/router/rc/pptp_client.c +++ b/release/src-rt-6.x.4708/router/rc/pptp_client.c @@ -8,7 +8,7 @@ #include #include -//#define PPPD_DEBUG +//#define PPTPC_DEBUG #define BUF_SIZE 128 /* Line number as text string */ @@ -85,26 +85,33 @@ void start_pptp_client(void) "maxfail 0\n" "persist\n" "plugin pptp.so\n" - "pptp_server %s\n" + "pptp_server '%s'\n" "idle 0\n" - "ipparam kelokepptpd\n", + "ipparam kelokepptpd\n" + "ktune\n" + "default-asyncmap nopcomp noaccomp\n" + "novj nobsdcomp nodeflate\n" + "holdoff 10\n" + "lcp-echo-adaptive\n" + "ipcp-accept-remote ipcp-accept-local noipdefault\n", srv_addr); if (nvram_get_int("pptp_client_peerdns")) /* 0: disable, 1 enable */ fprintf(fd, "usepeerdns\n"); /* MTU */ + /* see KB Q189595 -- historyless & mtu */ if ((p = nvram_get("pptp_client_mtu")) == NULL) - p = "1450"; + p = "1400"; if (!nvram_get_int("pptp_client_mtuenable")) - p = "1450"; + p = "1400"; fprintf(fd, "mtu %s\n", p); /* MRU */ if ((p = nvram_get("pptp_client_mru")) == NULL) - p = "1450"; + p = "1400"; if (!nvram_get_int("pptp_client_mruenable")) - p = "1450"; + p = "1400"; fprintf(fd, "mru %s\n", p); /* Login */ 
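Review bot: The new default `"1400"` now appears four times in `start_pptp_client` (MTU and MRU, each for the missing-value and the disabled case), where the old `"1450"` appeared four times before; a single named constant next to the existing `#define BUF_SIZE 128`, e.g. `#define PPTPC_DEFAULT_MTU "1400"`, would keep the two fallbacks from drifting apart again. The `/* see KB Q189595 -- historyless & mtu */` comment would also read better if it said in a few words what the referenced article implies for the 1400 choice rather than only citing it. `start_pptp_client` continues outside the hunk.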
@@ -124,15 +131,20 @@ void start_pptp_client(void) switch (nvram_get_int("pptp_client_crypt")) { case 1: - fprintf(fd, "nomppe\n"); + fprintf(fd, "nomppe nomppc\n"); break; case 2: - fprintf(fd, "nomppe-40\n"); - fprintf(fd, "require-mppe-128\n"); + fprintf(fd, + "nomppe-40\n" + "require-mppe\n" + "require-mppe-128\n"); break; case 3: - fprintf(fd, "require-mppe-40\n"); - fprintf(fd, "require-mppe-128\n"); + fprintf(fd, + "require-mppe\n" + "require-mppe-40\n" + "require-mppe-56\n" + "require-mppe-128\n"); break; default: break; @@ -167,7 +179,7 @@ void start_pptp_client(void) system(buffer); } -#ifdef PPPD_DEBUG +#ifdef PPTPC_DEBUG sprintf(buffer, "/etc/vpn/pptpclient file /etc/vpn/pptpc_options debug"); #else sprintf(buffer, "/etc/vpn/pptpclient file /etc/vpn/pptpc_options"); diff --git a/release/src-rt-6.x.4708/router/rc/pptpd.c b/release/src-rt-6.x.4708/router/rc/pptpd.c index 1a91f1aef9..b29a6a40d4 100644 --- a/release/src-rt-6.x.4708/router/rc/pptpd.c +++ b/release/src-rt-6.x.4708/router/rc/pptpd.c @@ -1,5 +1,5 @@ /* - * pptp.c + * pptpd.c * * Copyright (C) 2007 Sebastian Gottschall * 
@@ -26,153 +26,129 @@ #include #include #include -#include #include #include -void get_broadcast(char *ipaddr, char *netmask) -{ - int ip2[4], mask2[4]; - unsigned char ip[4], mask[4]; - - if (!ipaddr || !netmask) - return; - sscanf(ipaddr, "%d.%d.%d.%d", &ip2[0], &ip2[1], &ip2[2], &ip2[3]); - sscanf(netmask, "%d.%d.%d.%d", &mask2[0], &mask2[1], &mask2[2], - &mask2[3]); - int i = 0; - - for (i = 0; i < 4; i++) { - ip[i] = ip2[i]; - mask[i] = mask2[i]; - ip[i] = (ip[i] & mask[i]) | (0xff & ~mask[i]); - } +char *ip2bcast(char *ip, char *netmask, char *buf) +{ + struct in_addr addr; - sprintf(ipaddr, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); + addr.s_addr = inet_addr(ip) | ~inet_addr(netmask); + if (buf) + sprintf(buf, "%s", inet_ntoa(addr)); - //fprintf(stderr, "get_broadcast return %s\n", value); + return buf; } void write_chap_secret(char *file) { - FILE *fp; - char *nv, *nvp, *b; - char *username, *passwd; -// char buf[64]; - - fp=fopen(file, "w"); - - if (fp==NULL) return; - -// nv = nvp = strdup(nvram_safe_get("pptpd_clientlist")); - nv = nvp = strdup(nvram_safe_get("pptpd_users")); - - if(nv) { - while ((b = strsep(&nvp, ">")) != NULL) { - if((vstrsep(b, "<", &username, &passwd)!=2)) continue; - if(strlen(username)==0||strlen(passwd)==0) continue; - fprintf(fp, "%s * %s *\n", username, passwd); - } - free(nv); - } - fclose(fp); + FILE *fp; + char *nv, *nvp, *b; + char *username, *passwd; + + if ((fp = fopen(file, "w")) == NULL) { + perror(file); + return; + } + + nv = nvp = strdup(nvram_safe_get("pptpd_users")); + + if (nv) { + while ((b = strsep(&nvp, ">")) != NULL) { + if ((vstrsep(b, "<", &username, &passwd) != 2)) + continue; + + if (*username =='\0' || *passwd == '\0') + continue; + + fprintf(fp, "%s * %s *\n", username, passwd); + } + free(nv); + } + fclose(fp); } void start_pptpd(void) { - int ret = 0, mss = 0, manual_dns = 0; -// char *lpTemp; FILE *fp; - -// int pid = getpid(); -// _dprintf("start_pptpd: getpid= %d\n", pid); - -// if(getpid() != 1) { 
-// notify_rc("start_pptpd"); -// return; -// } + int count = 0, ret = 0, nowins = 0, pptpd_opt; + char bcast[32]; + char options[] = "/etc/vpn/pptpd_options"; + char conffile[] = "/etc/vpn/pptpd.conf"; if (!nvram_match("pptpd_enable", "1")) { return; } - // cprintf("stop vpn modules\n"); - // stop_vpn_modules (); - - // Create directory for use by pptpd daemon and its supporting files - mkdir("/tmp/pptpd", 0744); - cprintf("open options file\n"); - // Create options file that will be unique to pptpd to avoid interference - // with pppoe and pptp - fp = fopen("/tmp/pptpd/options.pptpd", "w"); - fprintf(fp, "logfile /var/log/pptpd-pppd.log\ndebug\n"); -/* - if (nvram_match("pptpd_radius", "1")) - fprintf(fp, "plugin radius.so\nplugin radattr.so\n" - "radius-config-file /tmp/pptpd/radius/radiusclient.conf\n"); -*/ - cprintf("check if wan_wins = zero\n"); - int nowins = 0; - - if (nvram_match("wan_wins", "0.0.0.0")) { - nvram_set("wan_wins", ""); - nowins = 1; + + /* Make sure vpn directory exists */ + mkdir("/etc/vpn", 0700); + + /* Create unique options file */ + if ((fp = fopen(options, "w")) == NULL) { + perror(options); + return; } - if (strlen(nvram_safe_get("wan_wins")) == 0) - nowins = 1; - cprintf("write config\n"); + fprintf(fp, + "logfile /var/log/pptpd-pppd.log\n" + "debug\n"); + +#if 0 + if (nvram_match("pptpd_radius", "1") && nvram_invmatch("pptpd_radserver", "") && nvram_invmatch("pptpd_radpass", "")) { + fprintf(fp, + "plugin radius.so\n" + "plugin radattr.so\n" + "radius-config-file /etc/vpn/radius/radiusclient.conf\n"); +#endif + fprintf(fp, "lock\n" "name *\n" "proxyarp\n" // "ipcp-accept-local\n" // "ipcp-accept-remote\n" - "minunit 10\n" // AB !! - we leave ppp0-ppp3 for WAN and/or other ppp connections (PPTP client, ADSL, etc... perhaps)? 
- "nobsdcomp\n" "lcp-echo-failure 10\n" "lcp-echo-interval 5\n" -// "deflate 0\n" "auth\n" "-chap\n" "-mschap\n" "+mschap-v2\n"); + "lcp-echo-adaptive\n" + "auth\n" + "nobsdcomp\n" "refuse-pap\n" "refuse-chap\n" - "refuse-mschap\n" - "require-mschap-v2\n"); - -// if (nvram_match("pptpd_forcemppe", "none")) { - if (nvram_match("pptpd_forcemppe", "0")) { -// fprintf(fp, "-mppc\n"); - fprintf(fp, "nomppe\n"); - } else { -// fprintf(fp, "+mppc\n"); -/* if (nvram_match("pptpd_forcemppe", "auto")) { - fprintf(fp, "+mppe-40\n"); - fprintf(fp, "+mppe-56\n"); - fprintf(fp, "+mppe-128\n"); - } - else if (nvram_match("pptpd_forcemppe", "+mppe-40")) { - fprintf(fp, "+mppe\n"); - fprintf(fp, "+mppe-40\n"); - fprintf(fp, "-mppe-56\n"); - fprintf(fp, "-mppe-128\n"); - } - else if (nvram_match("pptpd_forcemppe", "+mppe-128")) { - fprintf(fp, "+mppe\n"); - fprintf(fp, "-mppe-40\n"); - fprintf(fp, "-mppe-56\n"); - fprintf(fp, "+mppe-128\n"); -*/ - fprintf(fp, "require-mppe-128\n"); - } - fprintf(fp, "nomppe-stateful\n"); -// } - - fprintf(fp, "ms-ignore-domain\n" - "chap-secrets /tmp/pptpd/chap-secrets\n" - "ip-up-script /tmp/pptpd/ip-up\n" - "ip-down-script /tmp/pptpd/ip-down\n" - "mtu %s\n" "mru %s\n", - nvram_get("pptpd_mtu") ? nvram_get("pptpd_mtu") : "1450", - nvram_get("pptpd_mru") ? nvram_get("pptpd_mru") : "1450"); - //WINS Server + "nomppe-stateful\n"); + + pptpd_opt = nvram_get_int("pptpd_chap"); + fprintf(fp, "%s-mschap\n", (pptpd_opt == 0 || pptpd_opt & 1) ? "require" : "refuse"); + fprintf(fp, "%s-mschap-v2\n", (pptpd_opt == 0 || pptpd_opt & 2) ? "require" : "refuse"); + + if (nvram_match("pptpd_forcemppe", "0")) + fprintf(fp, "nomppe nomppc\n"); + else + fprintf(fp, "require-mppe-128\n"); + + fprintf(fp, + "ms-ignore-domain\n" + "chap-secrets /etc/vpn/chap-secrets\n" + "ip-up-script /etc/vpn/pptpd_ip-up\n" + "ip-down-script /etc/vpn/pptpd_ip-down\n" + "mtu %d\n" + "mru %d\n", + nvram_get_int("pptpd_mtu") ? : 1400, + nvram_get_int("pptpd_mru") ? 
: 1400); + + /* DNS Server */ + if (nvram_invmatch("pptpd_dns1", "")) + count += fprintf(fp, "ms-dns %s\n", nvram_safe_get("pptpd_dns1")) > 0 ? 1 : 0; + if (nvram_invmatch("pptpd_dns2", "")) + count += fprintf(fp, "ms-dns %s\n", nvram_safe_get("pptpd_dns2")) > 0 ? 1 : 0; + if (count == 0 && nvram_invmatch("lan_ipaddr", "")) + fprintf(fp, "ms-dns %s\n", nvram_safe_get("lan_ipaddr")); + + /* WINS Server */ + if (nvram_match("wan_wins", "0.0.0.0") || (strlen(nvram_safe_get("wan_wins")) == 0)) { + nvram_set("wan_wins", ""); + nowins = 1; + } + if (!nowins) { fprintf(fp, "ms-wins %s\n", nvram_safe_get("wan_wins")); } 
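Review bot: The `pptpd_chap` handling widens the accepted authentication set: the removed lines wrote `refuse-mschap` and `require-mschap-v2`, while the new code writes `require-mschap` whenever `pptpd_opt` is 0 or has bit 0 set, so the "Auto" value accepts MS-CHAPv1, whose weaknesses are long documented; the default for `pptpd_chap` is in the `defaults.c` hunk outside this view, so whether existing installs silently start accepting MS-CHAPv1 is worth confirming, and the meaning of the three values deserves a comment beside the two `fprintf` calls. The `#if 0` block that begins `if (nvram_match("pptpd_radius", "1") && ...) {` has no closing brace before its `#endif`, so it will not compile if anyone re-enables it; close it inside the block or remove it. `ip2bcast` drops the NULL checks that `get_broadcast` had and ORs `inet_addr` results directly; `inet_addr` returns `INADDR_NONE` for malformed input, which is indistinguishable from 255.255.255.255, so an unparsable address or mask yields a 255.255.255.255 broadcast instead of an error. `write_chap_secret` stores plaintext passwords with whatever mode the umask leaves, so `fchmod(fileno(fp), 0600);` after the `fopen` would match the `0700` now applied to `/etc/vpn`. The body of `start_pptpd` continues past the end of the hunk.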
@@ -182,143 +158,121 @@ void start_pptpd(void) if (strlen(nvram_safe_get("pptpd_wins2"))) { fprintf(fp, "ms-wins %s\n", nvram_safe_get("pptpd_wins2")); } - //DNS Server - if (strlen(nvram_safe_get("pptpd_dns1"))) { - fprintf(fp, "ms-dns %s\n", nvram_safe_get("pptpd_dns1")); - manual_dns=1; - } - if (strlen(nvram_safe_get("pptpd_dns2"))) { - fprintf(fp, "ms-dns %s\n", nvram_safe_get("pptpd_dns2")); - manual_dns=1; - } - if(!manual_dns && !nvram_match("lan_ipaddr", "")) - fprintf(fp, "ms-dns %s\n", nvram_safe_get("lan_ipaddr")); - - fprintf(fp, "%s\n\n", nvram_safe_get("pptpd_custom")); - - // Following is all crude and need to be revisited once testing confirms - // that it does work - // Should be enough for testing.. -/* if (nvram_match("pptpd_radius", "1")) { - if (nvram_get("pptpd_radserver") != NULL - && nvram_get("pptpd_radpass") != NULL) { - - fclose(fp); - - mkdir("/tmp/pptpd/radius", 0744); - - fp = fopen("/tmp/pptpd/radius/radiusclient.conf", "w"); - fprintf(fp, "auth_order radius\n" - "login_tries 4\n" - "login_timeout 60\n" - "radius_timeout 10\n" - "nologin /etc/nologin\n" - "servers /tmp/pptpd/radius/servers\n" - "dictionary /etc/dictionary\n" - "seqfile /var/run/radius.seq\n" - "mapfile /etc/port-id-map\n" - "radius_retries 3\n" - "authserver %s:%s\n", - nvram_get("pptpd_radserver"), - nvram_get("pptpd_radport") ? - nvram_get("pptpd_radport") : "radius"); - - if (nvram_get("pptpd_radserver") != NULL - && nvram_get("pptpd_acctport") != NULL) - fprintf(fp, "acctserver %s:%s\n", - nvram_get("pptpd_radserver"), - nvram_get("pptpd_acctport") ? 
- nvram_get("pptpd_acctport") : - "radacct"); - fclose(fp); - - fp = fopen("/tmp/pptpd/radius/servers", "w"); - fprintf(fp, "%s\t%s\n", nvram_get("pptpd_radserver"), - nvram_get("pptpd_radpass")); - fclose(fp); - - } else - fclose(fp); - } else -*/ fclose(fp); - - // Create pptpd.conf options file for pptpd daemon - fp = fopen("/tmp/pptpd/pptpd.conf", "w"); - fprintf(fp, "bcrelay %s\n", nvram_safe_get("pptpd_broadcast")); - fprintf(fp, "localip %s\n" - "remoteip %s\n", nvram_safe_get("lan_ipaddr"), - nvram_safe_get("pptpd_remoteip")); + + fprintf(fp, + "minunit 10\n" /* force ppp interface starting from 10 */ + "%s\n\n", nvram_safe_get("pptpd_custom")); fclose(fp); - // Create ip-up and ip-down scripts that are unique to pptpd to avoid - // interference with pppoe and pptp - /* - * adjust for tunneling overhead (mtu - 40 byte IP - 108 byte tunnel - * overhead) + /* Following is all crude and need to be revisited once testing confirms that it does work + * Should be enough for testing.. */ - if (nvram_match("mtu_enable", "1")) - mss = atoi(nvram_safe_get("wan_mtu")) - 40 - 108; - else - mss = 1500 - 40 - 108; - char bcast[32]; +#if 0 + if (nvram_get_int("pptpd_radius") && nvram_invmatch("pptpd_radserver", "") && nvram_invmatch("pptpd_radpass", "")) { + mkdir("/etc/vpn/radius", 0700); + + fp = fopen("/etc/vpn/radius/radiusclient.conf", "w"); + fprintf(fp, + "auth_order radius\n" + "login_tries 4\n" + "login_timeout 60\n" + "radius_timeout 10\n" + "nologin /etc/nologin\n" + "servers /etc/vpn/radius/servers\n" + "dictionary /etc/dictionary\n" + "seqfile /var/run/radius.seq\n" + "mapfile /etc/port-id-map\n" + "radius_retries 3\n" + "authserver %s:%s\n", + nvram_get("pptpd_radserver"), + nvram_get("pptpd_radport") ? nvram_get("pptpd_radport") : "radius"); + + if ((nvram_get("pptpd_radserver") != NULL) && (nvram_get("pptpd_acctport") != NULL)) + fprintf(fp, + "acctserver %s:%s\n", + nvram_get("pptpd_radserver"), + nvram_get("pptpd_acctport") ? 
nvram_get("pptpd_acctport") : "radacct"); + fclose(fp); + + fp = fopen("/etc/vpn/radius/servers", "w"); + fprintf(fp, + "%s\t%s\n", + nvram_get("pptpd_radserver"), + nvram_get("pptpd_radpass")); + fclose(fp); +#endif + + /* Create pptpd.conf options file for pptpd daemon */ + fp = fopen(conffile, "w"); + fprintf(fp, + "localip %s\n" + "remoteip %s\n" + "bcrelay %s\n", + nvram_safe_get("lan_ipaddr"), + nvram_safe_get("pptpd_remoteip"), + nvram_safe_get("pptpd_broadcast")); + fclose(fp); - strcpy(bcast, nvram_safe_get("lan_ipaddr")); - get_broadcast(bcast, nvram_safe_get("lan_netmask")); + ip2bcast(nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), bcast); - fp = fopen("/tmp/pptpd/ip-up", "w"); -// fprintf(fp, "#!/bin/sh\n" "startservice set_routes\n" // reinitialize - fprintf(fp, "#!/bin/sh\n" //"startservice set_routes\n" // reinitialize - "echo $PPPD_PID $1 $5 $6 $PEERNAME `date +%%s`>> /tmp/pptp_connected\n" - "iptables -I FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" + /* Create ip-up and ip-down scripts that are unique to pptpd to avoid interference with pppoe and pptpc */ + fp = fopen("/etc/vpn/pptpd_ip-up", "w"); + fprintf(fp, + "#!/bin/sh\n" + "echo \"$PPPD_PID $1 $5 $6 $PEERNAME $(date +%%s)\" >> /etc/vpn/pptpd_connected\n" "iptables -I INPUT -i $1 -j ACCEPT\n" "iptables -I FORWARD -i $1 -j ACCEPT\n" - "iptables -I FORWARD -o $1 -j ACCEPT\n" // AB!! - "iptables -t nat -I PREROUTING -i $1 -p udp -m udp --sport 9 -j DNAT --to-destination %s\n" // rule for wake on lan over pptp tunnel - "%s\n", bcast, + "iptables -I FORWARD -o $1 -j ACCEPT\n" + "iptables -I FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" + "iptables -t nat -I PREROUTING -i $1 -p udp -m udp --sport 9 -j DNAT --to-destination %s\n" /* rule for wake on lan over pptp tunnel */ + "%s\n", + bcast, nvram_get("pptpd_ipup_script") ? 
nvram_get("pptpd_ipup_script") : ""); fclose(fp); - fp = fopen("/tmp/pptpd/ip-down", "w"); - fprintf(fp, "#!/bin/sh\n" "grep -v $1 /tmp/pptp_connected > /tmp/pptp_connected.new\n" - "mv /tmp/pptp_connected.new /tmp/pptp_connected\n" - "iptables -D FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" - "iptables -D INPUT -i $1 -j ACCEPT\n" - "iptables -D FORWARD -i $1 -j ACCEPT\n" - "iptables -D FORWARD -o $1 -j ACCEPT\n" // AB!! - "iptables -t nat -D PREROUTING -i $1 -p udp -m udp --sport 9 -j DNAT --to-destination %s\n" // rule for wake on lan over pptp tunnel - "%s\n", bcast, + + fp = fopen("/etc/vpn/pptpd_ip-down", "w"); + fprintf(fp, + "#!/bin/sh\n" "grep -v $1 /etc/vpn/pptpd_connected > /etc/vpn/pptpd_connected.new\n" + "mv /etc/vpn/pptpd_connected.new /etc/vpn/pptpd_connected\n" + "iptables -D FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" + "iptables -D INPUT -i $1 -j ACCEPT\n" + "iptables -D FORWARD -i $1 -j ACCEPT\n" + "iptables -D FORWARD -o $1 -j ACCEPT\n" + "iptables -t nat -D PREROUTING -i $1 -p udp -m udp --sport 9 -j DNAT --to-destination %s\n" /* rule for wake on lan over pptp tunnel */ + "%s\n", + bcast, nvram_get("pptpd_ipdown_script") ? 
nvram_get("pptpd_ipdown_script") : ""); fclose(fp); - chmod("/tmp/pptpd/ip-up", 0744); - chmod("/tmp/pptpd/ip-down", 0744); - // Extract chap-secrets from nvram - write_chap_secret("/tmp/pptpd/chap-secrets"); + chmod("/etc/vpn/pptpd_ip-up", 0744); + chmod("/etc/vpn/pptpd_ip-down", 0744); + + /* Extract chap-secrets from nvram */ + write_chap_secret("/etc/vpn/chap-secrets"); - chmod("/tmp/pptpd/chap-secrets", 0600); + chmod("/etc/vpn/chap-secrets", 0600); - // Execute pptpd daemon - ret = - eval("pptpd", "-c", "/tmp/pptpd/pptpd.conf", "-o", - "/tmp/pptpd/options.pptpd", - "-C", "50"); + /* Execute pptpd daemon */ + ret = eval("pptpd", "-c", conffile, "-o", options, "-C", "50"); _dprintf("start_pptpd: ret= %d\n", ret); - //dd_syslog(LOG_INFO, "pptpd : pptp daemon successfully started\n"); - return; } void stop_pptpd(void) { FILE *fp; + int argc; + char *argv[7]; int ppppid; char line[128]; - eval("cp", "/tmp/pptp_connected", "/tmp/pptp_shutdown"); + eval("cp", "/etc/vpn/pptpd_connected", "/etc/vpn/pptpd_shutdown"); - fp = fopen("/tmp/pptp_shutdown", "r"); - if (fp) { + if ((fp = fopen("/etc/vpn/pptpd_shutdown", "r")) != NULL) { while (fgets(line, sizeof(line), fp) != NULL) { - if (sscanf(line, "%d %*s %*s %*s %*s %*d", &ppppid) != 1) continue; + if (sscanf(line, "%d %*s %*s %*s %*s %*d", &ppppid) != 1) + continue; + int n = 10; while ((kill(ppppid, SIGTERM) == 0) && (n > 1)) { sleep(1); 
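Review bot: The three new `fopen(..., "w")` calls in this hunk — `fp = fopen(conffile, "w")`, `fp = fopen("/etc/vpn/pptpd_ip-up", "w")` and `fp = fopen("/etc/vpn/pptpd_ip-down", "w")` — hand `fp` straight to `fprintf`/`fclose` with no NULL check, so a missing or unwritable /etc/vpn dereferences NULL instead of failing cleanly; guard each one, e.g. `if ((fp = fopen(conffile, "w")) == NULL) return;`. The new `#if 0` radius block opens `if (nvram_get_int("pptpd_radius") && ...) {` but never closes the brace before `#endif`, so it will not compile the moment someone re-enables it — add the `}` or drop the dead code. The scripts and chap-secrets are created under the process umask and only tightened by `chmod` afterwards; since `write_chap_secret` runs before `chmod("/etc/vpn/chap-secrets", 0600)`, it would be safer for that helper to create the file 0600 itself (its body is not visible here, so confirm). The enclosing `start_pptpd` begins before this hunk, where `conffile`, `options` and `bcast` are presumably declared.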
@@ -327,15 +281,19 @@ void stop_pptpd(void) } fclose(fp); } - unlink("/tmp/pptp_shutdown"); - -// if (getpid() != 1) { -// notify_rc("stop_pptpd"); -// } killall_tk("pptpd"); killall_tk("bcrelay"); - return; + + /* Delete all files for this server */ + unlink("/etc/vpn/pptpd_shutdown"); + memset(line, 0, sizeof(line)); + sprintf(line, "rm -rf /etc/vpn/pptpd.conf /etc/vpn/pptpd_options /etc/vpn/pptpd_ip-down /etc/vpn/pptpd_ip-up /etc/vpn/chap-secrets"); + for (argv[argc = 0] = strtok(line, " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " ")); + _eval(argv, NULL, 0, NULL); + + /* Attempt to remove directory. Will fail if not empty */ + rmdir("/etc/vpn"); } void write_pptpd_dnsmasq_config(FILE* f) { diff --git a/release/src-rt-6.x.4708/router/shared/defaults.c b/release/src-rt-6.x.4708/router/shared/defaults.c index 1ff8d55166..3f1e914819 100644 --- a/release/src-rt-6.x.4708/router/shared/defaults.c +++ b/release/src-rt-6.x.4708/router/shared/defaults.c @@ -1201,9 +1201,9 @@ struct nvram_tuple router_defaults[] = { { "pptp_client_usewan", "wan" , 0 }, { "pptp_client_peerdns", "0" , 0 }, { "pptp_client_mtuenable", "0" , 0 }, - { "pptp_client_mtu", "1450" , 0 }, + { "pptp_client_mtu", "1400" , 0 }, { "pptp_client_mruenable", "0" , 0 }, - { "pptp_client_mru", "1450" , 0 }, + { "pptp_client_mru", "1400" , 0 }, { "pptp_client_nat", "0" , 0 }, { "pptp_client_srvip", "" , 0 }, { "pptp_client_srvsub", "10.0.0.0" , 0 }, @@ -1213,6 +1213,8 @@ struct nvram_tuple router_defaults[] = { { "pptp_client_crypt", "0" , 0 }, { "pptp_client_custom", "" , 0 }, { "pptp_client_dfltroute", "0" , 0 }, + { "pptp_client_stateless", "1" , 0 }, + { "pptpd_chap", "0" , 0 }, /* 0/1/2 (Auto/MS-CHAPv1/MS-CHAPv2) */ #endif #ifdef TCONFIG_TINC diff --git a/release/src-rt-6.x.4708/router/www/vpn-pptp-server.asp b/release/src-rt-6.x.4708/router/www/vpn-pptp-server.asp index 032342c676..8412c7b10f 100644 --- a/release/src-rt-6.x.4708/router/www/vpn-pptp-server.asp 
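Review bot: `char *argv[7]` is one slot short for the new `rm -rf` command: the `for` tokenizer stores seven tokens (`rm`, `-rf` and five paths) in `argv[0..6]` and then writes the terminating NULL into `argv[7]`, one past the end of the array — an out-of-bounds stack write on every `stop_pptpd`. Since every path is a fixed literal, the `memset`/`sprintf`/`strtok`/`_eval` round trip that spawns `rm` is also unnecessary; calling `unlink()` on each file, as the code already does for `/etc/vpn/pptpd_shutdown`, needs no buffer, no tokenizing and no child process. With that change the `argc`/`argv` declarations added at the top of `stop_pptpd` in the previous hunk become unused and should go. The start of the function, including the `argv` declaration and the `fgets` loop, lies outside this hunk.
```c
	/* … unchanged: killall_tk("pptpd"); killall_tk("bcrelay"); … */

	/* Delete all files for this server; fixed paths, so unlink() directly
	 * instead of tokenizing an "rm -rf" command line into argv */
	static const char *const files[] = {
		"/etc/vpn/pptpd_shutdown",
		"/etc/vpn/pptpd.conf",
		"/etc/vpn/pptpd_options",
		"/etc/vpn/pptpd_ip-down",
		"/etc/vpn/pptpd_ip-up",
		"/etc/vpn/chap-secrets",
	};
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++)
		unlink(files[i]);

	/* Attempt to remove directory. Will fail if not empty */
	rmdir("/etc/vpn");
```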
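Review bot: The comment on the new `pptpd_chap` default, `/* 0/1/2 (Auto/MS-CHAPv1/MS-CHAPv2) */`, does not match how `start_pptpd` consumes the value: it is tested as a bitmask (`pptpd_opt & 1` selects `require-mschap`, `pptpd_opt & 2` selects `require-mschap-v2`, and `0` requires both), so `3` is also a valid setting and behaves like `0`. Suggest `/* bitmask: 0 = auto (both), 1 = MS-CHAPv1, 2 = MS-CHAPv2, 3 = both */` so the next maintainer and the UI selector agree with the code. Note that the default `0` keeps MS-CHAPv1 enabled, an authentication method generally regarded as weak; whether that is the intended out-of-the-box setting is worth confirming.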
+++ b/release/src-rt-6.x.4708/router/www/vpn-pptp-server.asp @@ -29,7 +29,7 @@ textarea { diff --git a/release/src-rt-6.x.4708/router/www/vpn-pptp.asp b/release/src-rt-6.x.4708/router/www/vpn-pptp.asp index 0bbc391a4a..a13361a92d 100644 --- a/release/src-rt-6.x.4708/router/www/vpn-pptp.asp +++ b/release/src-rt-6.x.4708/router/www/vpn-pptp.asp @@ -37,7 +37,7 @@ function toggle(service, isup) { E('_' + service + '_button').disabled = true; form.submitHidden('service.cgi', { _redirect: 'vpn-pptp.asp', - _sleep: '3', + _sleep: '5', _service: service + (isup ? '-stop' : '-start') }); } @@ -49,12 +49,12 @@ function verifyFields(focused, quiet) { var f = E('_pptp_client_mtuenable').value == '0'; if (f) { - E('_pptp_client_mtu').value = '1450'; + E('_pptp_client_mtu').value = '1400'; } E('_pptp_client_mtu').disabled = f; f = E('_pptp_client_mruenable').value == '0'; if (f) { - E('_pptp_client_mru').value = '1450'; + E('_pptp_client_mru').value = '1400'; } E('_pptp_client_mru').disabled = f; 
@@ -128,12 +128,12 @@ createFieldTable('', [ /* MULTIWAN-BEGIN */ ['wan3','WAN3'],['wan4','WAN4'], /* MULTIWAN-END */ - ['none','none']], value: nvram.pptp_client_usewan }, + ['none','none']], value: nvram.pptp_client_usewan, suffix: '  In Wireless Client or WET mode, disable bind (set to none<\/i>)<\/small>' }, { title: 'Server Address', name: 'pptp_client_srvip', type: 'text', maxlen: 50, size: 27, value: nvram.pptp_client_srvip }, { title: 'Username: ', name: 'pptp_client_username', type: 'text', maxlen: 50, size: 54, value: nvram.pptp_client_username }, { title: 'Password: ', name: 'pptp_client_passwd', type: 'password', maxlen: 50, size: 54, value: nvram.pptp_client_passwd }, { title: 'Encryption', name: 'pptp_client_crypt', type: 'select', value: nvram.pptp_client_crypt, - options: [['0', 'Auto'],['1', 'None'],['2','Maximum (128 bit only)'],['3','Required (128 or 40 bit)']] }, + options: [['0', 'Auto'],['1', 'None'],['2','Maximum (128 bit only)'],['3','Required (128, 56 or 40 bit)']] }, { title: 'Stateless MPPE connection', name: 'f_pptp_client_stateless', type: 'checkbox', value: nvram.pptp_client_stateless != 0 }, { title: 'Accept DNS configuration', name: 'pptp_client_peerdns', type: 'select', options: [[0, 'Disabled'],[1, 'Yes'],[2, 'Exclusive']], value: nvram.pptp_client_peerdns }, { title: 'Redirect Internet traffic', name: 'f_pptp_client_dfltroute', type: 'checkbox', value: nvram.pptp_client_dfltroute != 0 }, @@ -158,7 +158,9 @@ createFieldTable('', [
Notes
    -
  • Do not change and save the settings when client is running - you may end up with a downed firewall or broken routing table!
  • +
  • Do not change (and save) the settings when client is running - you may end up with a downed firewall or broken routing table!
  • +
  • In case of connection problems, reduce the MTU and/or MRU values.
  • +
  • To boost connection performance, you can try to increase MTU/MRU values.