Category Archives: VPN - Page 2

How to install a PPTP server on debian squeeze

Publicat la 26 October 2012 No comments

This document describes the required steps to make a fully functional PPTP server on debian squeeze and how to configure Arno iptables firewall to accept incoming connections to PPTP server (in case you use this great firewall script).

If you don't use Arno iptables firewall but you still want to share internet connection with PPTP server please view the last note.

PPTP or PopTop is a vpn implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need quick VPN solution that’s easy and hassle free to set up, PPTP is the obvious choice.

1. Install the PPTP server package.

[codesyntax lang="bash"]

apt-get install pptpd

[/codesyntax]

2. Edit the /etc/pptpd.conf configuration file.

[codesyntax lang="bash"]

echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf

[/codesyntax]

The Local IP is the IP address of the server, remoteip specifies the IPs the vpn will assign its clients.

3. Edit the /etc/ppp/pptpd-options configuration file:

name Private.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

4. Edit the chap secrets file /etc/ppp/chap-secrets and add to it the authentication credentials for a user’s connection, in the following syntax:

username <TAB> * <TAB> users-password <TAB> *

5. Restart the connection’s daemon for the settings to take affect:

[codesyntax lang="bash"]

/etc/init.d/pptpd restart

[/codesyntax]

6. Enable Forwarding (this is an optional step).

Note: By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to "jump" through the VPN server, to all other devices on the network.

Edit the sysctl file:

[codesyntax lang="bash"]

vim /etc/sysctl.conf

[/codesyntax]

Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

6. You can either restart the system or issue this command for the setting to take affect:

[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

7. Configure Arno iptables firewall script

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/debconf.cfg

[/codesyntax]

DC_EXT_IF="eth0"

DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="1723"
DC_OPEN_UDP=""
DC_INT_IF="ppp+"
DC_NAT=0
DC_INTERNAL_NET="192.168.1.236/30"
DC_NAT_INTERNAL_NET=""
DC_OPEN_ICMP=0

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/custom-rules

[/codesyntax]

/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

8. Restart Arno iptables firewall script:

[codesyntax lang="bash"]

/etc/init.d/arno-iptables-firewall restart

[/codesyntax]

Note:

If you don't use Arno iptables firewall but you still want to share internet connection with PPTP server we have to configure NAT for PPTP connections, otherwise you cannot reach anywhere from this server. Add the following lines at the end of the /etc/rc.local right before exit 0

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Execute the /etc/rc.local file:

[codesyntax lang="bash"]

/etc/rc.local

[/codesyntax]

OpenVPN with pam-mysql username/password authentication

Publicat la 5 April 2012 2 comentarii

This document describes how to install openvpn with pam-mysql username/password authentication. This procedure was carried out on Debian/Ubuntu Linux, but with minor changes can be used on other Linux distributions too.

1. Install openvpn, mysql and pam-mysql
[codesyntax lang="bash"]

sudo su -
mkdir -p /root/work/openvpn
cd /etc/openvpn
apt-get install libpam-mysql openvpn mysql-server

[/codesyntax]

Note: please keep mysql-server password in mind because we are going to use it later (I will refer to this password as 'mysqlpasswd').

2. Create a new openvpn configuration
[codesyntax lang="bash"]

vim /etc/openvpn/server.conf

[/codesyntax]

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.128.127.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

max-clients 50

persist-key
persist-tun

status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20

client-cert-not-required
username-as-common-name

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

3. Follow the commands below to setup OpenVPN server

[codesyntax lang="bash"]

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
cd easy-rsa
vim vars # Edit KEY_* vars appropriately

[/codesyntax]

export KEY_COUNTRY="RO"
export KEY_PROVINCE="B"
export KEY_CITY="City"
export KEY_ORG="VPN"
export KEY_EMAIL="user@test.org"
export KEY_COMMONNAME="VPN"

[codesyntax lang="bash"]

source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server

[/codesyntax]

4. Allow traffic to be routed from clients to server
[codesyntax lang="bash"]

echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i -e 's/#net.ipv4.ip_forward/net.ipv4.ip_forward/g' /etc/sysctl.conf
sysctl -p
iptables -t nat -A POSTROUTING -s 10.128.127.0/24 -o eth0 -j MASQUERADE
iptables-save > /root/work/openvpn/iptables_rules

[/codesyntax]

5. Configure PAM. Create a file named openvpn in /etc/pam.d directory
[codesyntax lang="bash"]

vim /etc/pam.d/openvpn

[/codesyntax]

auth optional /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=username passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0
account required /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0

6. Create the mysql database, the table where we will keep users and insert some test user.

[codesyntax lang="bash"]

mysql -u root -pmysqlpasswd

[/codesyntax]

create database vpn_db;
use vpn_db;
CREATE TABLE `tbl_user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(25) DEFAULT NULL,
  `password` varchar(25) DEFAULT NULL,
  `active` int(11) DEFAULT NULL,
  `sqllog` enum('yes','no') DEFAULT NULL,
  `crypt` int(11) DEFAULT NULL,
  `verbose` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

INSERT INTO tbl_user
SET username = "user",
    PASSWORD = Encrypt("test"),
    active = "1"; 
\q

7. Client side operations
7.1. Download and install the latest stable version of openvpn-gui from http://openvpn.se/download.html
7.2. Create a configuration file named server.conf in C:\Program Files\OpenVPN\config (for Windows 32bit version) or C:\Program Files (x86)\OpenVPN\config (for Windows 64bit version). The content of the file should look like:
client
dev tun
proto udp
remote VPN-SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cipher BF-CBC
comp-lzo
verb 4
mute 20

Note:

  • VPN-SERVER must be the IP or hostname of  the server we just configured
  • ca.crt was generated on step 3. This file must be copied from the server and given to the client