Tag Archives: vpn

FortiGate-200D VPN users and groups operations

Recently we bought a FortiGate-200D VPN box. I have more good things than bad things to say about this device.
Long story short: I had to remove some users and, because of some voodoo type of problem, I couldn't do it from the UI (I will contact their support, that's for sure), so I had to do it from the CLI. Anyone who has worked with Citrix NetScalers will find FortiGate's CLI a piece of sh!t (the documentation is no exception), but that's a different story.

  • To display one or all users

[codesyntax lang="bash"]

fgw # config user local
fgw (local) # get | grep john.doe
fgw (local) # get john.doe
fgw (local) # get

[/codesyntax]

  • To delete a user

[codesyntax lang="bash"]

fgw # config user local
fgw (local) # delete john.doe

[/codesyntax]

Note: if you receive an error like the one below, the user is still a member of one or more user groups.

[codesyntax lang="bash"]

The entry is used by other 1 entries
Command fail. Return code -23

[/codesyntax]

In order to remove the user you have two options:

  1. CLI: remove john.doe from the member list of every group that references it, then delete the user. Note that `set member` replaces the whole list, so repeat every remaining member:

    [codesyntax lang="bash"]

    fgw # config user group
    fgw (group) # show
    config user group
        edit "ssl-vpn_office_users"
            set member "user1" "user2" "john.doe" "user4" "user5"
        next
    end
    fgw (group) # edit "ssl-vpn_office_users"
    fgw (ssl-vpn_office_users) # set member "user1" "user2" "user4" "user5"
    fgw (ssl-vpn_office_users) # next
    fgw (group) # end

    [/codesyntax]

  2. UI:
    Log in to the FortiGate web interface, navigate to User & Device > User Definition, edit john.doe and uncheck "Add this user to groups".
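The "used by other N entries" count tells you how many groups still reference the user, but not which ones. This added Python helper (not from the post, and not a FortiGate tool) parses the `show` output of `config user group` to list those groups and to print the `set member` line that drops the user; the sample output is constructed, with made-up group and user names.

```python
import re
import shlex

# Constructed sample of the output of `show` under `config user group`
# (not captured from a real FortiGate; group and user names are made up).
SAMPLE_SHOW = """\
config user group
    edit "ssl-vpn_office_users"
        set member "user1" "user2" "john.doe" "user4" "user5"
    next
    edit "vpn_admins"
        set group-type firewall
        set member "alice" "john.doe"
    next
    edit "guests"
        set member "bob"
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_MEMBER = re.compile(r'^\s*set\s+member\s+(.*)$')

def parse_groups(show_output):
    """Map each group name to its member list by walking the edit/next blocks."""
    groups, current = {}, None
    for line in show_output.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.strip() == "next":
            current = None
        elif current is not None and _MEMBER.match(line):
            # members are a space-separated list of quoted names; shlex unquotes them
            groups[current] = shlex.split(_MEMBER.match(line).group(1))
    return groups

def groups_referencing(show_output, user):
    """Groups that still list `user`: the "used by other N entries" the delete complains about."""
    return [g for g, members in parse_groups(show_output).items() if user in members]

def set_member_without(show_output, group, user):
    """The `set member` line to enter under `edit "<group>"` so that `user` is dropped."""
    remaining = [m for m in parse_groups(show_output)[group] if m != user]
    if not remaining:
        return "unset member"  # FortiOS syntax for clearing the list entirely
    return "set member " + " ".join('"%s"' % m for m in remaining)
```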

Force Chrome to tunnel DNS requests through a SSH socks proxy

Set up a SOCKS proxy (check this page for more details) on port 8888 (the port number itself is not important).

Start Chrome with the following parameters:

[codesyntax lang="bash"]

chrome --proxy-server="socks5://localhost:8888"

[/codesyntax]

To check that this works, run the following command on the SSH server; tcpdump will show the DNS traffic generated by any activity in Chrome.

[codesyntax lang="bash"]

tcpdump -i eth0 port 53

[/codesyntax]

Encrypt your traffic from your Android device using a ssh tunnel

As I said on a previous occasion, in China the government is filtering internet traffic (including mobile traffic, doh) so you can't access various websites and/or services, and this is very annoying. Well, what do you have to do if you want to navigate to youtube.com, for instance? Hmmm... you will have to encrypt your traffic somehow. Below I will tell you what you need and how to accomplish this from your Android device.

First of all you will need an SSH server configured somewhere outside China (preferably listening on a non-standard port).

After getting an SSH server, you will need to download the SSH Tunnel application, written by Max Lv, from Android Market.

All you have to do is fill in the Host, Port, User and Password fields and tick the Use socks proxy, Enable GFW List and Enable DNS Proxy (this one is extremely important) options.

That's it!

Encrypt your web browsing session in one command

Recently I accepted a job proposition in Shenzhen, China. So, China here I come. Things are great here, western propaganda has nothing to do with what's going on here, except one thing: internet filtering. Google results are censored, so only "accepted" results are displayed, and sites like facebook.com, twitter.com, youtube.com, thepiratebay.org, openvpn.net and so many more are blocked. What do you do to get past this filtering? The solution is to encrypt your browsing session.

Using a simple SSH command, I can encrypt all my web browsing traffic and redirect it through a trusted computer when I'm on someone else's network. Today I'll set up a local proxy server that encrypts my online activity from my desktop. Here's how:

What I'll need.

  • an SSH server to act as your proxy
  • an SSH client on the computer you're using

Note: Mac and *nix machines have an SSH client built right in at the command line. Windows users can set up OpenSSH with Cygwin or PuTTY.

What we are going to do.
What I am doing is setting up a "middle-person" (the SSH server which will act as a proxy) between me and the internet. Using the proxy, my browser hands off web page requests to the proxy server, which handles the request and fetches the page for me from the internet. The web site actually thinks the request is coming from the proxy server, not from my computer, which is a good way to obscure my originating IP address.

The good thing about this is that my traffic goes over SSH, which is an encrypted protocol. This prevents wifi sniffers from seeing what I am doing online.

Setting up the server.
On the computer acting as my desktop I am going to open a connection to the SSH server:

[codesyntax lang="bash"]

ssh -ND 9999 user@test.org

[/codesyntax]

What this command does is hand off requests to localhost, port 9999, to the SSH server at test.org to handle.

Note:

  • if your SSH server listens on a port other than the standard one (22/tcp), specify it with the -p switch
  • the -N tells SSH not to open an interactive prompt, so it will just hang there, waiting. That's exactly what I want.

Setting up the client.
Once the proxy is up and running, configure Firefox to use it. From Firefox's Tools menu choose Options, and in the Advanced section choose the Network tab. Next to "Configure how Firefox connects to the Internet" hit the "Settings" button and enter the SOCKS information: the server name (localhost) and the port you used (in the example above, 9999).

Save those settings and hit up a web page. When it loads, it's actually coming from the proxy server over an encrypted connection.

Tips.

  • Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true.
  • For those with slower connections, the -C command line option turns on SSH's compression (gzip).
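The settings that push name resolution to the proxy end of the tunnel (socks5:// for Chrome, Enable DNS Proxy in SSH Tunnel on Android, network.proxy.socks_remote_dns in Firefox) all come down to which address type the SOCKS5 CONNECT request carries. This added Python example, not from the post, builds and decodes that request both ways; `resolver` is a hypothetical hook so the locally-resolved (leaking) variant runs without network access.

```python
import ipaddress
import socket
import struct

# SOCKS5 address types from RFC 1928
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect(host, port, remote_dns=True, resolver=None):
    """Build the SOCKS5 CONNECT request sent after method negotiation.

    remote_dns=True ships the hostname (ATYP 0x03) so the proxy end of the
    SSH tunnel resolves it; remote_dns=False resolves here and ships the
    IPv4 address, which is the DNS leak the remote-DNS settings prevent.
    `resolver` is a hypothetical hook (default socket.gethostbyname).
    """
    header = bytes([0x05, 0x01, 0x00])  # VER=5, CMD=CONNECT, RSV
    try:
        ip = ipaddress.ip_address(host)  # literal address: nothing to resolve
    except ValueError:
        ip = None
    if ip is not None:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    elif remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 request")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        resolve = resolver or socket.gethostbyname
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(resolve(host)).packed
    return header + addr + struct.pack("!H", port)

def describe_connect(req):
    """Decode a CONNECT request and report who resolved the target name."""
    if len(req) < 7 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target, end, resolved_by = req[5:5 + n].decode("idna"), 5 + n, "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        target, end, resolved_by = str(ipaddress.ip_address(req[4:4 + size])), 4 + size, "client"
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"target": target, "port": port, "resolved_by": resolved_by}
```

A request whose `resolved_by` is "client" means a DNS query already left the machine in the clear before the tunnel was used.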

How to setup a VPN using ssh and pppd

This is a step-by-step guide for setting up a VPN using pppd and ssh. To accomplish this you will need two Linux boxes, one acting as server and the other as client. The "server" must have a static IP address or a dynamic DNS name. The firewall on both boxes must allow traffic on the port that sshd listens on.

Server side

1. Install a package to make our job easier later

For deb-based Linux boxes:
[codesyntax lang="bash"]

apt-get install ipcalc

[/codesyntax]

For rpm-based Linux boxes:
[codesyntax lang="bash"]

yum install whatmask

[/codesyntax]

2. Create a local account on server to be used by the clients that are connecting.

[codesyntax lang="bash"]

adduser --system --group vpn

[/codesyntax]

3. Modify the /etc/passwd file so that the vpn account gets a login shell (/bin/bash instead of /bin/false):
[codesyntax lang="bash"]

vim /etc/passwd
:%s/\/home\/vpn:\/bin\/false/\/home\/vpn:\/bin\/bash/g
:wq

[/codesyntax]

4. Set a password for the vpn account. This password will only be used while doing the initial configuration of your VPN clients, so I strongly recommend NOT using a weak password.
[codesyntax lang="bash"]

passwd vpn

[/codesyntax]

5. The vpn account needs rights to bring the ppp connection up and down as well as to modify the system routing table. Edit your sudoers file:
[codesyntax lang="bash"]

sudo visudo

[/codesyntax]

and append the following lines to the end of the file:

vpn ALL=NOPASSWD: /usr/sbin/pppd
vpn ALL=NOPASSWD: /sbin/route

6. Finally, we need to log in as the vpn user and set up a few bits in its home folder.
[codesyntax lang="bash"]

sudo su - vpn
cd ~
mkdir .ssh

[/codesyntax]

Client side

1. Assuming eth0 is the network interface connected to the network, determine the local network details:
[codesyntax lang="bash"]

CLIENT_LAN_IF="eth0"
# IPv4 address and netmask from net-tools ifconfig output; 'inet ' (with the space) skips the inet6 line
LOCAL_IP=$(ifconfig ${CLIENT_LAN_IF} | grep 'inet ' | awk '{print $2}' | sed 's/addr://')
LOCAL_MASK=$(ifconfig ${CLIENT_LAN_IF} | grep 'inet ' | awk '{print $4}' | sed 's/Mask://')
# the network in CIDR notation (e.g. 192.168.0.0/24), taken from ipcalc's "Network:" line
LOCAL_NETWORK=$(ipcalc $LOCAL_IP $LOCAL_MASK -n -b | grep Network | awk '{print $2}')

[/codesyntax]

2. Start the VPN to the server
[codesyntax lang="bash"]

# "host" is the SSH server (add -p PORT before it if sshd is not on 22/tcp); the outer pppd runs here, the inner one on the server via the sudoers entry
sudo /usr/sbin/pppd updetach noauth passive pty "/usr/bin/ssh -l vpn -i id_rsa -o BatchMode=yes host sudo /usr/sbin/pppd nodetach notty noauth" ipparam vpn 192.168.1.238:192.168.1.237

[/codesyntax]

Note:

  • local IP address 192.168.1.238
  • remote IP address 192.168.1.237

3. Make the server our gateway
[codesyntax lang="bash"]

# the gateway is the remote end of the ppp link (192.168.1.237, the server), not our own local address
sudo route add -net $LOCAL_NETWORK gw 192.168.1.237

[/codesyntax]

Links:
http://tuxnetworks.blogspot.ro/2011/05/howto-easiest-vpn-setup-ever.html

How to install a PPTP server on debian squeeze

This document describes the steps required to set up a fully functional PPTP server on Debian squeeze and how to configure the Arno iptables firewall to accept incoming connections to the PPTP server (in case you use this great firewall script).

If you don't use the Arno iptables firewall but still want to share your internet connection through the PPTP server, please see the last note.

PPTP or PopTop is a VPN implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need a quick VPN solution that's easy and hassle-free to set up, PPTP is the obvious choice.

1. Install the PPTP server package.

[codesyntax lang="bash"]

apt-get install pptpd

[/codesyntax]

2. Edit the /etc/pptpd.conf configuration file.

[codesyntax lang="bash"]

echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf

[/codesyntax]

localip is the IP address of the server; remoteip specifies the IPs the VPN will assign to its clients.

3. Edit the /etc/ppp/pptpd-options configuration file:

name Private.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

4. Edit the chap secrets file /etc/ppp/chap-secrets and add the authentication credentials for a user's connection, using the following syntax:

username <TAB> * <TAB> users-password <TAB> *

5. Restart the connection's daemon for the settings to take effect:

[codesyntax lang="bash"]

/etc/init.d/pptpd restart

[/codesyntax]

6. Enable Forwarding (this is an optional step).

Note: By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to "jump" through the VPN server, to all other devices on the network.

Edit the sysctl file:

[codesyntax lang="bash"]

vim /etc/sysctl.conf

[/codesyntax]

Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

7. You can either restart the system or issue this command for the setting to take effect:

[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

8. Configure the Arno iptables firewall script

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/debconf.cfg

[/codesyntax]

DC_EXT_IF="eth0"

DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="1723"
DC_OPEN_UDP=""
DC_INT_IF="ppp+"
DC_NAT=0
DC_INTERNAL_NET="192.168.1.236/30"
DC_NAT_INTERNAL_NET=""
DC_OPEN_ICMP=0

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/custom-rules

[/codesyntax]

/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

9. Restart the Arno iptables firewall script:

[codesyntax lang="bash"]

/etc/init.d/arno-iptables-firewall restart

[/codesyntax]
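The remoteip pool in /etc/pptpd.conf and DC_INTERNAL_NET in the Arno debconf.cfg describe the same four addresses in two notations (pptpd's range shorthand and a CIDR block), and they drift apart easily when the pool is later resized. This added Python helper, not from the post, expands the remoteip form documented in pptpd.conf(5) (single addresses and last-octet ranges, comma-separated) and derives the CIDR block the firewall needs, flagging a localip that collides with the pool and a pool that is not a whole block.

```python
import ipaddress

def parse_remoteip(spec):
    """Expand a pptpd.conf remoteip value into a list of IPv4Address.

    Accepts the comma-separated form from pptpd.conf(5): single addresses
    and last-octet ranges such as 192.168.1.236-239 (no spaces, no
    shortcuts like 236-9, and the range must not run backwards).
    """
    addrs = []
    for item in spec.split(","):
        base, sep, end = item.partition("-")
        first = ipaddress.IPv4Address(base)
        if not sep:
            addrs.append(first)
            continue
        last = int(end)
        if not first.packed[3] <= last <= 255:
            raise ValueError("invalid remoteip range: %s" % item)
        for octet in range(first.packed[3], last + 1):
            addrs.append(ipaddress.IPv4Address(first.packed[:3] + bytes([octet])))
    return addrs

def covering_network(addrs):
    """Smallest CIDR block that contains every pool address."""
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(str(lo) + "/32")
    while hi not in net:
        net = net.supernet()
    return net

def check_pool(localip, remoteip):
    """Cross-check localip/remoteip against the CIDR the firewall will use."""
    pool = parse_remoteip(remoteip)
    net = covering_network(pool)
    problems = []
    if ipaddress.IPv4Address(localip) in pool:
        problems.append("localip %s is inside the remoteip pool" % localip)
    if len(pool) != net.num_addresses:
        problems.append("pool is not a whole CIDR block: %s also covers %d "
                        "addresses that pptpd will never assign"
                        % (net, net.num_addresses - len(pool)))
    return {"pool_size": len(pool), "internal_net": str(net), "problems": problems}
```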

Note:

If you don't use the Arno iptables firewall but still want to share the internet connection through the PPTP server, you have to configure NAT for the PPTP connections, otherwise clients cannot reach anything through this server. Add the following lines at the end of /etc/rc.local, right before exit 0:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Execute the /etc/rc.local file:

[codesyntax lang="bash"]

/etc/rc.local

[/codesyntax]

OpenVPN with pam-mysql username/password authentication

This document describes how to install openvpn with pam-mysql username/password authentication. This procedure was carried out on Debian/Ubuntu Linux, but with minor changes can be used on other Linux distributions too.

1. Install openvpn, mysql and pam-mysql
[codesyntax lang="bash"]

sudo su -
mkdir -p /root/work/openvpn
apt-get install libpam-mysql openvpn mysql-server
cd /etc/openvpn   # created by the openvpn package; the easy-rsa copy in step 3 goes here

[/codesyntax]

Note: please keep mysql-server password in mind because we are going to use it later (I will refer to this password as 'mysqlpasswd').

2. Create a new openvpn configuration
[codesyntax lang="bash"]

vim /etc/openvpn/server.conf

[/codesyntax]

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.128.127.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

max-clients 50

persist-key
persist-tun

status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20

client-cert-not-required
username-as-common-name

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

3. Follow the commands below to set up the OpenVPN server (run from /etc/openvpn)

[codesyntax lang="bash"]

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
cd easy-rsa
vim vars # Edit KEY_* vars appropriately

[/codesyntax]

export KEY_COUNTRY="RO"
export KEY_PROVINCE="B"
export KEY_CITY="City"
export KEY_ORG="VPN"
export KEY_EMAIL="user@test.org"
export KEY_COMMONNAME="VPN"

[codesyntax lang="bash"]

source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server

[/codesyntax]

4. Allow traffic to be routed from clients to server
[codesyntax lang="bash"]

echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i -e 's/#net.ipv4.ip_forward/net.ipv4.ip_forward/g' /etc/sysctl.conf
sysctl -p
iptables -t nat -A POSTROUTING -s 10.128.127.0/24 -o eth0 -j MASQUERADE
iptables-save > /root/work/openvpn/iptables_rules

[/codesyntax]

5. Configure PAM. Create a file named openvpn in /etc/pam.d directory
[codesyntax lang="bash"]

vim /etc/pam.d/openvpn

[/codesyntax]

auth optional /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=username passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0
account required /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=username passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0

6. Create the MySQL database and the table where we will keep the users, and insert a test user.

[codesyntax lang="bash"]

mysql -u root -pmysqlpasswd

[/codesyntax]

create database vpn_db;
use vpn_db;
CREATE TABLE `tbl_user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(25) DEFAULT NULL,
  `password` varchar(25) DEFAULT NULL,
  `active` int(11) DEFAULT NULL,
  `sqllog` enum('yes','no') DEFAULT NULL,
  `crypt` int(11) DEFAULT NULL,
  `verbose` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

INSERT INTO tbl_user
SET username = "user",
    PASSWORD = Encrypt("test"),
    active = "1";
\q
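pam_mysql only works when the table and column names on the PAM lines match the schema created above, and a mismatch shows up as a plain login failure with nothing useful in the OpenVPN log. This added Python checker (not from the post) parses both and reports every mismatch; the embedded PAM lines are a constructed sample whose account line deliberately names a usercolumn that tbl_user does not define.

```python
import re
import shlex

# Constructed sample: the schema from the post and two pam_mysql lines, one
# of which names a usercolumn (userid) that tbl_user does not define.
CREATE_SQL = """CREATE TABLE `tbl_user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(25) DEFAULT NULL,
  `password` varchar(25) DEFAULT NULL,
  `active` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;"""

PAM_CONF = """\
auth optional /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=username passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0
account required /lib/security/pam_mysql.so user=root passwd=mysqlpasswd host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=1 verbose=0
"""

def parse_pam_line(line):
    """Split a pam.d line into type, control, module and its key=value options."""
    parts = shlex.split(line)
    opts = dict(p.split("=", 1) for p in parts[3:] if "=" in p)  # where=active=1 keeps its '='
    return {"type": parts[0], "control": parts[1], "module": parts[2], "opts": opts}

def table_columns(create_sql):
    """Table name and column names from a backtick-quoted CREATE TABLE statement."""
    m = re.search(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*)\)\s*ENGINE", create_sql, re.S)
    cols = re.findall(r"^\s*`(\w+)`", m.group(2), re.M)  # skips PRIMARY KEY (...) lines
    return m.group(1), cols

def check_pam_mysql(pam_conf, create_sql):
    """Every pam_mysql option that does not match the user table."""
    table, cols = table_columns(create_sql)
    problems = []
    for line in pam_conf.splitlines():
        if "pam_mysql" not in line:
            continue
        entry = parse_pam_line(line)
        opts, who = entry["opts"], entry["type"]
        if opts.get("table") != table:
            problems.append("%s: table=%s but the schema defines %s" % (who, opts.get("table"), table))
        for key in ("usercolumn", "passwdcolumn"):
            if opts.get(key) not in cols:
                problems.append("%s: %s=%s is not a column of %s" % (who, key, opts.get(key), table))
    return problems
```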

7. Client side operations
7.1. Download and install the latest stable version of openvpn-gui from http://openvpn.se/download.html
7.2. Create a configuration file named server.conf in C:\Program Files\OpenVPN\config (for Windows 32bit version) or C:\Program Files (x86)\OpenVPN\config (for Windows 64bit version). The content of the file should look like:
client
dev tun
proto udp
remote VPN-SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cipher BF-CBC
comp-lzo
verb 4
mute 20

Note:

  • VPN-SERVER must be the IP or hostname of the server we just configured
  • ca.crt was generated on step 3. This file must be copied from the server and given to the client