Creating A VPN

Preparation for LAN<->LAN and LAN<->Workstation:

In order to do any sort of major network configuration you should first gather the addressing information. In the LAN<->Workstation example we assume one firewall protecting your intranet and one workstation that is not behind a firewall, so two network cards face the Internet: one in the workstation and one in the firewall. Make sure you know the IP and netmask of both. The firewall will also have a second IP on its internal interface for talking to the intranet; typically it is taken from one of the RFC 1918 private ranges:


10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

For our LAN<->Workstation example we will call the firewall protecting our intranet fw and the workstation trying to connect ws. The addresses below are placeholders; note that the example reuses the external address for fw-in, whereas on a real firewall that would be the private address of the internal interface.


fw-out: 1.2.3.4
fw-in: 1.2.3.4
fw-vpn: 192.168.0.253 (You pick this IP)
ws-out: 4.3.2.1
ws-vpn: 192.168.1.XXX (You pick this IP)

For our LAN<->LAN example we will call the firewall protecting our intranet fw1 and the second firewall fw2.


fw1-out: 1.2.3.4
fw1-in: 1.2.3.4
fw1-vpn: 192.168.0.254
fw2-out: 4.3.2.1
fw2-in: 4.3.2.1
fw2-vpn: 192.168.1.254

Next let's install the required software.

Install the Ports for LAN<->LAN:

We are going to be using VTun, available in the ports collection, on both firewalls:


# cd /usr/ports/net/vtun
# make all install clean

Now comes the difficult part... Configuration! In order to run the daemon you must create/modify the /usr/local/etc/vtund.conf file on fw1 and fw2. It is highly recommended that you read the man pages and the sample vtund.conf file provided for additional information. In this tutorial we are going to do very little customization and just provide a minimum working example. You may modify any feature/setting as you see fit once you have the VPN up and running. Two things to keep in mind: the file holds the shared secret in clear text, so make it readable by root only (mode 600), and "encrypt yes" turns on VTun's own built-in cipher rather than IPsec, so treat it as keeping casual observers off the wire rather than as strong encryption.

# vi /usr/local/etc/vtund.conf

The next two sections contain sample configurations for FW1 (the VTun server) and FW2 (the client). They are suggestions that you will need to modify to match your setup; pay close attention to the IP-related lines.

After you have changed the conf files you may need to add some rules to your firewall. VTun authenticates over a TCP connection to the configured port and then, with "proto udp", carries the tunnel data over UDP, so fw1 (the server) must accept both. The third rule passes everything that arrives through the tunnel interface, which means you are trusting the remote LAN completely; tighten it if that is not what you want.

# ipfw add 3500 pass tcp from any to 1.2.3.4 5000
# ipfw add 3500 pass udp from any to 1.2.3.4 5000
# ipfw add 3500 pass ip from any to any via tun0

(The first two rules are needed on fw1 only.)

To start the server side, run the daemon on fw1 in server mode:
# vtund -s

On fw2 run vtund in client mode instead, giving it the session name (fw1 in the example below) and fw1's external address as its two arguments; see vtund(8) for the exact syntax.

:: LAN<->LAN: FW1 vtund.conf Example

#############################################
# FW1 SERVER CONFIGURATION
# /usr/local/etc/vtund.conf
#############################################
options {
port 5000; # Listen on this port.
syslog daemon; # Logging facility

# Path to various programs
ppp /usr/sbin/pppd;
ifconfig /sbin/ifconfig;
route /sbin/route;
firewall /sbin/ipfw;
}

# Default session options
default {
type tun;
device tun0;
persist yes;
timeout 60;
proto udp;
encrypt yes;
keepalive yes;
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
}

# Tunnel between FW1 and FW2 - Server Entry
#
# fw1-out: 1.2.3.4
# fw1-in: 1.2.3.4
# fw1-vpn: 192.168.0.254
# fw2-out: 4.3.2.1
# fw2-in: 4.3.2.1
# fw2-vpn: 192.168.1.254
#
fw1 {
pass mysecrectpassword; # Shared secret, identical on both ends; keep this file mode 600
up {
# %% is replaced by vtund with the tun device; local address first, then remote
ifconfig "%% 192.168.0.254 192.168.1.254 netmask 255.255.255.0";
# route(8) takes DEST/PREFIX then the gateway; "DEST MASK GATEWAY" makes it treat the mask as the gateway
route "add -net 192.168.1.0/24 192.168.1.254";
};
down {
route "delete -net 192.168.1.0/24";
ifconfig "%% down";
};
}

:: LAN<->LAN: FW2 vtund.conf Example

#############################################
# FW2 CLIENT CONFIGURATION
# /usr/local/etc/vtund.conf
#############################################
options {
port 5000; # Listen on this port.
syslog daemon; # Logging facility

# Path to various programs
ppp /usr/sbin/pppd;
ifconfig /sbin/ifconfig;
route /sbin/route;
firewall /sbin/ipfw;
}

# Default session options
default {
type tun;
device tun0;
persist yes;
timeout 60;
proto udp;
encrypt yes;
keepalive yes;
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
}

# Tunnel between FW1 and FW2 - Client Entry (same session name as on FW1)
#
# fw1-out: 1.2.3.4
# fw1-in: 1.2.3.4
# fw1-vpn: 192.168.0.254
# fw2-out: 4.3.2.1
# fw2-in: 4.3.2.1
# fw2-vpn: 192.168.1.254
#
fw1 {
pass mysecrectpassword; # Must match the secret on FW1
up {
# Local address first, then remote: the mirror image of the FW1 entry
ifconfig "%% 192.168.1.254 192.168.0.254 netmask 255.255.255.0";
route "add -net 192.168.0.0/24 192.168.0.254";
};
down {
route "delete -net 192.168.0.0/24";
ifconfig "%% down";
};
}
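The two session entries above are mirror images of each other, and the addresses, the routed network and the shared secret must agree exactly or the tunnel comes up with the wrong routes or not at all. The following script is an added example, not part of the original tutorial and not VTun's own code: it generates both vtund.conf files from one set of variables and prints the ipfw rules fw1 needs. The addresses and port are the tutorial's; the VTUN_SECRET environment override, the output file names and the ipfw rule numbers are assumptions.

```shell
#!/bin/sh
# Added example; not from the original tutorial and not VTun's own code.
# Generates the matching vtund.conf files for BOTH ends of the LAN<->LAN
# tunnel from one set of variables, so local/remote addresses, the routed
# network and the shared secret stay mirrored between fw1 and fw2.
# Addresses are the tutorial's; VTUN_SECRET and the output names are assumed.

SESSION=fw1                  # session name; must be identical on both ends
FW1_EXT=1.2.3.4              # fw1's public address (the VTun server)
FW1_VPN=192.168.0.254        # fw1's end of the tun0 point-to-point link
FW2_VPN=192.168.1.254        # fw2's end
FW1_LAN=192.168.0.0/24       # network behind fw1
FW2_LAN=192.168.1.0/24       # network behind fw2
PORT=5000
SECRET=${VTUN_SECRET:-mysecrectpassword}   # replace with a long random value

# vtun_options: the options/default blocks shared by both ends
vtun_options() {
    cat <<EOF
options {
  port $PORT;
  syslog daemon;
  ifconfig /sbin/ifconfig;
  route /sbin/route;
  firewall /sbin/ipfw;
}
default {
  type tun; device tun0; persist yes; timeout 60;
  proto udp; encrypt yes; keepalive yes; compress no; speed 0;
}
EOF
}

# vtun_stanza NAME LOCAL_VPN REMOTE_VPN REMOTE_LAN SECRET
# vtund expands %% to the tun device. FreeBSD route(8) takes DEST/LEN
# followed by the gateway; "DEST MASK GATEWAY" makes it read the mask
# as the gateway, which is why the tutorial's original route line fails.
vtun_stanza() {
    cat <<EOF
$1 {
  pass $5;
  up {
    ifconfig "%% $2 $3 netmask 255.255.255.0";
    route "add -net $4 $3";
  };
  down {
    route "delete -net $4";
    ifconfig "%% down";
  };
}
EOF
}

# vtun_ipfw_rules EXT_IP PORT: VTun authenticates over TCP, then moves the
# data to UDP under "proto udp". The via-tun0 rule passes everything from
# the far LAN unfiltered, so only keep it if you trust that LAN fully.
vtun_ipfw_rules() {
    printf 'ipfw add 3500 pass tcp from any to %s %s\n' "$1" "$2"
    printf 'ipfw add 3501 pass udp from any to %s %s\n' "$1" "$2"
    printf 'ipfw add 3502 pass ip from any to any via tun0\n'
}

# write_configs OUTDIR: vtund.conf.fw1 (server) and vtund.conf.fw2 (client)
write_configs() {
    { vtun_options; vtun_stanza "$SESSION" "$FW1_VPN" "$FW2_VPN" "$FW2_LAN" "$SECRET"; } > "$1/vtund.conf.fw1"
    { vtun_options; vtun_stanza "$SESSION" "$FW2_VPN" "$FW1_VPN" "$FW1_LAN" "$SECRET"; } > "$1/vtund.conf.fw2"
    chmod 600 "$1"/vtund.conf.fw1 "$1"/vtund.conf.fw2   # the secret is in clear text
}

# Usage: sh mkvtun.sh OUTDIR
# Then on fw1: vtund -s      and on fw2: vtund $SESSION $FW1_EXT
if [ $# -ge 1 ]; then
    write_configs "$1"
    vtun_ipfw_rules "$FW1_EXT" "$PORT"
fi
```

Write the files to a scratch directory, review them, then install vtund.conf.fw1 on fw1 and vtund.conf.fw2 on fw2 as /usr/local/etc/vtund.conf. Because both files are produced from the same variables, the client's local/remote addresses and route are the server's swapped, which is the property that is easy to get wrong when the two files are edited by hand.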
(Page timestamp: 2002-07-26)
Introduction:

There are many cases when you might want to join two remote networks (or just a single machine to a remote network). In that case you need to set up your own VPN. This tutorial is a step-by-step guide to installing your own LAN-to-LAN VPN using VTun, available at http://vtun.sourceforge.net. The second part is a guide to using mpd to install your own LAN-to-Workstation VPN. There are several different ways to create your own VPN, but we will just use VTun for our example.

Please see the VTun website for minimum hardware/software requirements and any other concerns you may have.

In this tutorial we will cover the setup of a VPN where a stand-alone client workstation that is not behind a firewall is trying to access a remote intranet. We will also cover the connection of two LANs. Let's start the tutorial.
Install the Ports for LAN<->Workstation:

Because there are still many Windows 9x machines in use we will be using mpd (a PPTP server) for this VPN. If you have only Windows 2000 clients you may want to consider IPsec instead. Bear in mind that PPTP's MS-CHAP authentication and 40-bit MPPE are known to be weak, so use it only where legacy clients leave no choice and, if all your clients support 128-bit MPPE, remove the 40-bit (mpp-e40) line from the configuration below. This tutorial will strictly cover mpd. Install mpd from the ports collection:
# cd /usr/ports/net/mpd
# make all install clean

Now we must modify the configuration files for mpd. The configuration files are found in /usr/local/etc/mpd

# cp /usr/local/etc/mpd/mpd.conf.sample /usr/local/etc/mpd/mpd.conf
# vi /usr/local/etc/mpd/mpd.conf

Change the default section from "load myisp" to "load pptp". Find the pptp section and change the IPs to match your local setup using the addressing guide above. Note that you can have multiple "load pptp" lines for multiple clients, as mentioned in the documentation. Here is a suggested mpd.conf for our demo setup:

#####################################
# VPN SERVER SETTINGS
# /usr/local/etc/mpd/mpd.conf
#####################################
#
# VPN Network Information
#
# fw-out: 1.2.3.4
# fw-in: 1.2.3.4
# fw-vpn: 192.168.0.253
# ws-out: 4.3.2.1
# ws-vpn: 192.168.1.XXX
default:
load pptp

pptp:
new -i ng0 pptp pptp
log -bund -chat -fsm -iface -ipcp -lcp -link -phys # Logging Optional
set bundle disable multilink
set ipcp ranges 192.168.0.253/32 192.168.1.0/24 # IP To use as VPN Router and IP Range for Remote Connection
set iface enable proxy-arp
set iface route 192.168.0.253/16 # IP Of VPN Router select in ranges
set ipcp dns 192.168.254.254 # DNS Server
set link no pap chap
set link enable chap
set link keep-alive 10 60
set ipcp yes vjcomp
set bundle enable compression # MS P2P Encryption
set ccp yes mppc # MS P2P Encryption
set ccp yes mpp-e40 # MS P2P Encryption
set ccp yes mpp-e128 # MS P2P Encryption
set ccp yes mpp-stateless # MS P2P Encryption

Now we must modify the mpd.links

# cp /usr/local/etc/mpd/mpd.links.sample /usr/local/etc/mpd/mpd.links
# vi /usr/local/etc/mpd/mpd.links

Change the IP in the "set pptp self" line of the pptp link used in mpd.conf to match the VPN server's external IP:

######################################
# VPN SERVER INFORMATION
# /usr/local/etc/mpd/mpd.links
######################################

pptp:
set link type pptp
set pptp self 1.2.3.4
set pptp enable incoming
set pptp disable originate

Now we must modify the mpd.secret

# cp /usr/local/etc/mpd/mpd.secret.sample /usr/local/etc/mpd/mpd.secret
# vi /usr/local/etc/mpd/mpd.secret

This file has three columns: username, password and IP. The IP is the address assigned to the workstation that connects with that username and password (it can be an IP range if you wish, but then you will have to enable multilink). Passwords are stored in clear text, so set the file to be readable by root only:

# chmod 600 /usr/local/etc/mpd/mpd.secret

If you wish to enable logging, edit your syslog.conf and add the following two lines to the end:
# vi /etc/syslog.conf

!mpd
*.* /var/log/mpd.log

# vi /etc/newsyslog.conf
/var/log/mpd.log 644 5 100 * Z

# touch /var/log/mpd.log
# kill -HUP `cat /var/run/syslog.pid`

Now we must create a script to start the service:

# vi /usr/local/etc/rc.d/mpd.sh

#! /bin/sh
pidf=/var/run/mpd.pid
case "$1" in
    start|"") mpd -b;;
    stop)     if [ -r $pidf ]; then
                  kill -TERM `cat $pidf`
              fi;;
    *)        echo "usage: $0 [start|stop]" 1>&2; exit 1;;
esac

# chmod 755 /usr/local/etc/rc.d/mpd.sh

Now all you have to do is start the service and connect from your remote workstation. Have fun!

# /usr/local/etc/rc.d/mpd.sh start

Note:

If you are behind a closed firewall you will have to add ipfw rules to let the PPTP traffic through to the VPN server: the control connection on TCP port 1723 and the GRE data packets (IP protocol 47) in both directions between the clients and the server's external address. Check the current mpd documentation and PPTP information for details on what must be allowed through a firewall.
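A check a practitioner would want to run before starting mpd, as an added example that is neither part of the original tutorial nor mpd's own code: it validates mpd.secret against the client range given to "set ipcp ranges", insists on mode 600, flags weak settings in mpd.conf, and prints the ipfw rules the note above refers to. The default paths and the ROUTER and CLIENTS addresses are the tutorial's; the ipfw rule numbers, the 12-character password minimum and the sample data in run_demo are constructed assumptions.

```shell
#!/bin/sh
# Added example; not from the original tutorial and not mpd's own code.
# Pre-flight checks for the PPTP server configured above: every address
# in mpd.secret must lie inside the client range and must not be the
# router address, the secret file must be mode 600 (clear-text passwords),
# mpd.conf must not leave 40-bit MPPE or PAP enabled, and the ipfw rules
# PPTP needs (TCP 1723 control, GRE data) are printed.
# Paths and addresses follow the tutorial; run_demo's data is constructed.

MPD_CONF=${MPD_CONF:-/usr/local/etc/mpd/mpd.conf}
MPD_SECRET=${MPD_SECRET:-/usr/local/etc/mpd/mpd.secret}
ROUTER=192.168.0.253          # fw-vpn from the tutorial
CLIENTS=192.168.1.0/24        # client range from "set ipcp ranges"

# ip2int A.B.C.D -> unsigned 32-bit value on stdout; fails on bad input
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET/LEN -> exit 0 when IP lies inside NET/LEN
in_prefix() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "${2%/*}") || return 1
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_secrets FILE ROUTER_IP CLIENT_RANGE
# Lines are "user password ip"; blanks and # comments are skipped. One
# problem is printed per line and the exit status is the problem count.
check_secrets() {
    bad=0
    while read -r user pass ip rest; do
        case "$user" in ''|\#*) continue ;; esac
        if [ -z "$ip" ]; then
            echo "$user: no IP assigned"; bad=$((bad + 1))
        elif [ "${ip%/*}" = "$2" ]; then
            echo "$user: assigned the router address $2"; bad=$((bad + 1))
        elif ! in_prefix "${ip%/*}" "$3"; then
            echo "$user: $ip is outside the client range $3"; bad=$((bad + 1))
        fi
        [ ${#pass} -ge 12 ] || { echo "$user: password shorter than 12 characters"; bad=$((bad + 1)); }
    done < "$1"
    return $bad
}

# check_perms FILE -> exit 0 only when the mode is exactly rw-------
check_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_conf FILE -> prints weak settings; exit status is their count.
# 40-bit MPPE is easily broken, PAP sends the password in clear, and
# 128-bit MPPE is the strongest PPTP offers, so it should be present.
check_conf() {
    bad=0
    grep -Eq '^[[:space:]]*set ccp yes mpp-e40' "$1" && { echo "mpp-e40: 40-bit MPPE enabled; remove it"; bad=$((bad + 1)); }
    grep -Eq '^[[:space:]]*set link enable .*pap' "$1" && { echo "pap: clear-text authentication enabled"; bad=$((bad + 1)); }
    grep -Eq '^[[:space:]]*set ccp yes mpp-e128' "$1" || { echo "mpp-e128: 128-bit MPPE not enabled"; bad=$((bad + 1)); }
    return $bad
}

# pptp_ipfw_rules SERVER_IP: the TCP 1723 control connection plus GRE
# (IP protocol 47) both ways; ng0 is the tutorial's interface ("new -i ng0").
pptp_ipfw_rules() {
    printf 'ipfw add 3600 pass tcp from any to %s 1723\n' "$1"
    printf 'ipfw add 3601 pass gre from any to %s\n' "$1"
    printf 'ipfw add 3602 pass gre from %s to any\n' "$1"
    printf 'ipfw add 3603 pass ip from any to any via ng0\n'
}

# audit CONF SECRET ROUTER CLIENTS -> exit 0 when everything passes
audit() {
    rc=0
    check_perms "$2" || { echo "$2: must be mode 600"; rc=1; }
    check_secrets "$2" "$3" "$4" || rc=1
    check_conf "$1" || rc=1
    return $rc
}

# run_demo: constructed sample files showing each class of finding
run_demo() {
    d=$(mktemp -d)
    printf 'alice Correct-Horse-Battery 192.168.1.10\nbob short 192.168.1.11\ncarol Staple-Battery-Horse 192.168.0.253\n' > "$d/mpd.secret"
    printf 'set link enable chap\nset ccp yes mpp-e40\nset ccp yes mpp-e128\n' > "$d/mpd.conf"
    chmod 600 "$d/mpd.secret"
    audit "$d/mpd.conf" "$d/mpd.secret" "$ROUTER" "$CLIENTS"
    pptp_ipfw_rules 1.2.3.4
    rm -rf "$d"
}

# Usage: sh mpd-check.sh        (checks $MPD_CONF and $MPD_SECRET)
#        sh mpd-check.sh demo   (runs the constructed sample above)
if [ "${1:-}" = demo ]; then run_demo; elif [ -r "$MPD_SECRET" ]; then audit "$MPD_CONF" "$MPD_SECRET" "$ROUTER" "$CLIENTS"; fi
```

Run it as root on the VPN server after editing the three mpd files and before the rc script starts mpd; a non-zero exit means at least one finding was printed. The address check matters because an entry in mpd.secret outside the "set ipcp ranges" client range is silently unroutable, and one equal to the router address collides with the server's own end of the link.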