 VPN - Firewall


Introduction

  1. Preparing for Installation
  2. Installation
  3. Configuration & Startup
  4. Tips and Troubleshooting
  5. Maintenance

Appendix:

  1. Command Reference


I. Introduction

    This document will take you through the installation and configuration of an "ssh-hacque" style Virtual Private Network (VPN): a PPP link carried inside an ssh session, built on FreeBSD running on Intel hardware.

    By way of example, a "two bastion" setup is assumed, in which two intranets, behind the gateways vpn1 and vpn2, are joined to each other across "the internet".



II. Preparing for Installation

    System Requirements:

    The minimum system hardware requirements are:

    • Pentium PII processor - Intel architecture
    • 32 Mb RAM
    • 1 Gb IDE Hard Drive
    • 2 Intel Ether Express PRO/100B Network Interface Cards (NICs)

    Software Requirements:

    FreeBSD Release 3.1 or greater, installed with the "custom" installation option and at least the following distributions and packages:

    • bin
    • compat2.2
    • dict
    • doc
    • man
    • catman
    • ports
    • src (from src - select the base and sys (kernel) source types)
    • sudo (from security - if ppp is to be run through sudo)
    • ssh (install from the ports collection - /usr/ports/security/ssh)
    • ucdsnmp (optional - if snmp is used for network monitoring)

    Planning

    Before setting up your system, you will need to know the networking details. It is assumed that you have two firewalls, each protecting one intranet, and that both are connected to the internet. Each firewall should have at least two network interfaces. Take a sheet of paper and write down their IP addresses and netmasks. You will need one more pair of IP addresses, one per firewall, for the tunnel endpoints of the VPN you are creating. These addresses must lie outside your existing subnets; otherwise packets for the far end are delivered locally instead of through the tunnel. It is recommended to use addresses from the "private" ranges defined in RFC 1918:

      Private Address Range (RFC 1918)

      10.0.0.0/8        (netmask 255.0.0.0)
      172.16.0.0/12     (netmask 255.240.0.0, i.e. 172.16.0.0 through 172.31.255.255)
      192.168.0.0/16    (netmask 255.255.0.0, usually carved into 192.168.x.0/24 subnets)

    In the "two bastion" example used here, the two are called vpn1 and vpn2. Each has one interface for the internet (out), one for the intranet (in), and one for the VPN (vpn). The vpn "interface" is not a third network card: it is the tun device that ppp creates when the tunnel comes up, a point-to-point link with no netmask of its own. Refer to Figure 1. The addresses and netmasks:

      Bastion Gateway Hostname   Interface Type   Interface Address   Interface Netmask
      ------------------------   --------------   -----------------   -----------------
      vpn1                       out              209.100.33.10       255.255.255.0
      vpn1                       in               10.1.1.1            255.255.255.0
      vpn1                       vpn              192.168.0.1         point-to-point
      vpn2                       out              209.100.66.20       255.255.255.0
      vpn2                       in               192.168.3.1         255.255.255.0
      vpn2                       vpn              192.168.0.2         point-to-point

    Figure 1
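    Before committing to the plan, the two rules from this section (tunnel and intranet addresses in private space, no two networks overlapping) can be checked mechanically. The following POSIX sh script is an added example and not part of the original article; the function names (check_plan and its helpers) are made up for the example, and the table it checks is the one in Figure 1 with each tunnel endpoint given a 255.255.255.255 mask because the vpn link is point-to-point.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check the planning
# table before building. Every "in" and "vpn" network must be RFC 1918 space
# and no two networks in the plan may overlap, or traffic for the far side is
# routed locally instead of into the tunnel.

# ip2int A.B.C.D -> the address as one integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# inside ADDR MASK RANGE RMASK -> true when ADDR/MASK lies within RANGE/RMASK
inside() {
    a=$(ip2int "$1"); m=$(ip2int "$2"); r=$(ip2int "$3"); rm=$(ip2int "$4")
    [ $(( m & rm )) -eq "$rm" ] && [ $(( a & rm )) -eq $(( r & rm )) ]
}

# is_private ADDR MASK -> true when the network is in one of the RFC 1918 ranges
is_private() {
    inside "$1" "$2" 10.0.0.0 255.0.0.0 ||
    inside "$1" "$2" 172.16.0.0 255.240.0.0 ||
    inside "$1" "$2" 192.168.0.0 255.255.0.0
}

# overlaps A1 M1 A2 M2 -> true when the two networks share any address
overlaps() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))        # the less specific of the two masks
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# check_plan < "host iface addr netmask" lines -> prints one line per problem;
# true when the plan is clean, false otherwise
check_plan() {
    plan=$(awk 'NF { print NR, $0 }')      # number the rows so each pair is compared once
    problems=0
    while read -r n1 h1 i1 a1 m1; do
        if [ "$i1" != out ] && ! is_private "$a1" "$m1"; then
            echo "$h1 $i1: $a1/$m1 is not RFC 1918 space"
            problems=$((problems + 1))
        fi
        while read -r n2 h2 i2 a2 m2; do
            [ "$n2" -gt "$n1" ] || continue
            if overlaps "$a1" "$m1" "$a2" "$m2"; then
                echo "$h1 $i1 ($a1/$m1) overlaps $h2 $i2 ($a2/$m2)"
                problems=$((problems + 1))
            fi
        done <<EOF
$plan
EOF
    done <<EOF
$plan
EOF
    [ "$problems" -eq 0 ]
}

# The table from Figure 1; tunnel endpoints are /32 because the link is point-to-point.
PLAN='vpn1 out 209.100.33.10 255.255.255.0
vpn1 in  10.1.1.1      255.255.255.0
vpn1 vpn 192.168.0.1   255.255.255.255
vpn2 out 209.100.66.20 255.255.255.0
vpn2 in  192.168.3.1   255.255.255.0
vpn2 vpn 192.168.0.2   255.255.255.255'

if printf '%s\n' "$PLAN" | check_plan; then
    echo "plan is clean"
else
    echo "fix the plan before building the tunnel"
fi
```

    Feed your own table to check_plan on standard input; the Figure 1 plan passes, while a plan whose tunnel network sits inside one of the intranets is reported as an overlap.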


III. Installation

    FreeBSD installation:

    Installation instructions for FreeBSD are readily available on the internet. This document assumes the installation of FreeBSD Release 3.1, configured as a network-ready server. During installation you will have the opportunity to make a few selections from Distributions and Packages.

    Distributions to Install:

      bin
      compat2.2
      dict
      doc
      man
      catman
      ports
      src (from src - here you will select the base and sys source types)

    Packages to Install:

      sudo (from security - if we are going to sudo ppp)

    Installing ssh (from the FreeBSD "Ports Collection"):

    Note (Ports Collection): The FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. Each "port" contains any patches necessary to make the original application source code compile and run on FreeBSD. Installing an application is as simple as changing to the port directory and typing make. For more information see the Ports Collection chapter of the FreeBSD Handbook.

    So, with "ports", installing ssh is reduced to a few simple steps:

      # cd /usr/ports/security/ssh
      # make
      # make install
      # make clean        (optional)

    Kernel Configuration:

    To configure the kernel we will be copying a generic kernel configuration file and configure the new kernel by editing the "new" configuration file.

    For this process it will help to have two shell windows open; they will be referred to as "window-1 and window-2".  Be sure to perform all configurations as the user "root" (a.k.a. superuser or administrator) The procedure is as follows:

    Step 1: (window-1)

      # cd /usr/src/sys/i386/conf
      # cp GENERIC VPN
      # vi VPN

    Step 2: Remove the devices you are not using so that they are not compiled into the kernel. Every driver left in the kernel is code running with full privilege on the bastion, so the smaller the kernel the better.

      # dmesg | grep "not found"    (window-2)

    This lists the devices the boot-time probe did not find. In your vi session (editing the file VPN, window-1), locate these device entries and delete them. Keep the pseudo-device tun entry: user ppp needs it for the tunnel.

    Step 3: Add a second network interface device for your second network interface card (NIC). For this step we will assume that you are using Intel Ether Express PRO/100B NICs (network interface i.d.'s fxp0 and fxp1).

      # ifconfig -a    (window-2)

    If you don't know or aren't sure what NICs you are using, this gives you the network interface i.d.'s, which you can then locate in VPN (window-1). In VPN (window-1), keep the network interface devices you are using and delete the rest.


    Step 4 (Optional): If you are planning on running Network Address Translation (NAT), you will need to add the following lines to the file VPN (window-1):

      options IPDIVERT
      options IPFIREWALL

    Note: a kernel built with IPFIREWALL denies all IP traffic until rules are loaded, so the firewall_enable lines from the server configuration below must already be in /etc/rc.conf when you first boot this kernel, or the machine will come up unreachable over the network.

    Step 5: Compile the new kernel.

      # config VPN                 (in the current directory, /usr/src/sys/i386/conf)
      # cd ../../compile/VPN       (/usr/src/sys/compile/VPN)
      # make depend
      # make
      # make install
      # make clean                 (optional)

    make install keeps the previous kernel as /kernel.old; if the new kernel fails to boot, boot /kernel.old from the boot prompt instead, then fix VPN and repeat.
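    The dmesg-to-config step above can be scripted rather than done by hand in vi. The following is an added example and not from the original article: not_found extracts the device names from "not found" probe lines and prune_config comments out the matching entries in the config file, so the change is visible and reversible. The dmesg and config excerpts are constructed in the style of FreeBSD 3.x for the example, not captured from a real machine; on your own system feed it the output of dmesg and /usr/src/sys/i386/conf/VPN.

```sh
#!/bin/sh
# Added example (not from the original article): comment out, in a copy of the
# kernel config, every ISA device the boot probe reported "not found" (Step 2).
# DMESG and CONFIG below are constructed samples in the style of FreeBSD 3.x.

DMESG='Probing for devices on the ISA bus:
sc0 at 0x60-0x6f irq 1 on motherboard
ed0 not found at 0x280
ie0 not found at 0x300
le0 not found at 0x300
fxp0: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x08 int a irq 10 on pci0.11.0
fxp1: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x08 int a irq 11 on pci0.12.0'

CONFIG='controller      isa0
controller      pci0
device          sc0     at isa? port "IO_KBD" tty irq 1
device          ed0     at isa? port 0x280 net irq 10 iomem 0xd8000
device          ie0     at isa? port 0x300 net irq 10 iomem 0xd0000
device          le0     at isa? port 0x300 net irq 5 iomem 0xd0000
device          fxp0
pseudo-device   tun     1'

# not_found < dmesg -> one device name per line (e.g. ed0)
not_found() {
    sed -n 's/^\([a-z][a-z]*[0-9][0-9]*\) not found.*/\1/p'
}

# prune_config NAMES < config -> the config with those devices commented out.
# NAMES is the space-separated list produced by not_found. Only hardware
# entries are touched; pseudo-devices such as tun (needed by ppp) are kept.
prune_config() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        ($1 == "device" || $1 == "controller" || $1 == "disk" || $1 == "tape") && ($2 in drop) {
            print "#" $0; next          # disabled but left in place so it can be restored
        }
        { print }'
}

# pruned_config -> the sample config with the sample probe results applied
pruned_config() {
    names=$(printf '%s\n' "$DMESG" | not_found | tr '\n' ' ')
    printf '%s\n' "$CONFIG" | prune_config "$names"
}

pruned_config
```

    Review the commented lines before running config: a device that was simply unplugged at boot time will also show up as "not found".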

    Server Configuration:

    As part of the server installation, several configurations must be made. Examples and excerpts of the configuration files listed below are presented.

    Configuration Files:

    • /etc/rc.conf
    • /usr/local/etc/sshd_config
    • ~/.shosts

    Step 1 (Configure the gateway): In /etc/rc.conf add the following lines:

      ### Network routing options: ###
      defaultrouter="<your provider's router on 209.100.33.0/24>"   # Set to default gateway (or NO).
      gateway_enable="YES"            # Set to YES if this host will be a gateway.

      [NOTE: defaultrouter is the address of the upstream router on vpn1's out network, not vpn1's own out address 209.100.33.10 from Figure 1. gateway_enable="YES" turns on IP forwarding, which the bastion needs to pass intranet traffic into the tunnel.]

    Step 2 (Configure ssh): In /usr/local/etc/sshd_config change the following default, so that vpn1 can log in to vpn2 by host key without a password (ppp starts the ssh session with no terminal on which a password could be typed):

    • RhostsRSAAuthentication yes   # The default is "no"

    The ~/.shosts file listed above is what grants that login: on vpn2 it holds one line naming the peer host (as its out address resolves) and the user, for example "vpn1 root"; see sshd(8). Be clear about what this trusts: anyone who can present vpn1's host key, or edit .shosts or the known-hosts file, gets a root shell on vpn2, so keep both files owned by root and writable by root only.

    Step 3 (Optional; Configure NAT): In /etc/rc.conf add the following lines:

    • firewall_enable="YES"           # Set to YES to enable firewall functionality
    • firewall_type="open"            # Firewall type (see /etc/rc.firewall)
    • firewall_quiet="NO"             # Set to YES to suppress rule display
    • natd_enable="YES"               # Enable natd (if firewall_enable == YES).
    • natd_interface="fxp0"           # Public interface to use with natd.
    • natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
      [NOTE: More about natd and natd.conf for port redirection can be found in the man pages - # man natd]
    • network_interfaces="fxp0 fxp1 lo0"      # List of network interfaces (lo0 is loopback).

    Two cautions. firewall_type="open" loads a ruleset that passes all traffic: it makes NAT work but filters nothing, so on a bastion replace it, once the tunnel works, with a ruleset of your own (firewall_type may name a file of ipfw rules; see /etc/rc.firewall) that admits ssh from the peer's out address and denies the rest. natd_interface must be the out (internet) interface; fxp0 is assumed here to be vpn1's out interface. Do not point natd at the tun interface, or intranet addresses would be rewritten before they enter the tunnel.

    Step 4 (Restart your server): Reboot.



    IV. Configuration & Startup

    The remaining items needed for a working VPN connection are the point-to-point protocol (ppp) configurations on both ends: the dial-out side (vpn1, which opens the ssh session) and the incoming side (vpn2, which runs ppp in direct mode at the far end of that session).
     

    Configuring Dial-Out PPP: (On VPN1)

    Configuration File: /etc/ppp/ppp.conf
    Start-up Script:  /etc/ppp/vpn2

    The configuration will be done by example, editing the /etc/ppp/ppp.conf file. In this example vpn1 and vpn2 (our "two bastion" example) are referred to as introduced in the planning portion of Section II (above).

    file: /etc/ppp/ppp.conf

    # VPN1 (master) ppp configuration
    default:
     set timeout 0                              # never drop the link for being idle
     set log phase chat connect lcp ipcp command
     set device localhost:ppploop               # placeholder; the vpn2 label overrides it
     set dial                                   # no modem: empty dial and login chat scripts
     set login
     set server /var/tmp/loop "" 0177           # control socket for pppctl, owner-only

    vpn2:
     set device !/etc/ppp/vpn2                  # the "device" is the ssh session opened by this script
     set ifaddr 192.168.0.1 192.168.0.2         # local and remote tunnel endpoints (Figure 1)
     add 192.168.3.0 255.255.255.0 HISADDR      # route vpn2's intranet (Figure 1) through the tunnel

    script: /etc/ppp/vpn2

    #!/bin/sh
    # Run by ppp as the "device": an ssh session to vpn2's out address, in which
    # vpn2 runs its ppp server. Must be executable and must authenticate without
    # any prompt (see Section III, Step 2); ppp has no terminal to answer one.
    exec ssh -C -c blowfish 209.100.66.20 '/usr/sbin/ppp -direct vpn1'

      # NOTE: -C is for compression and -c blowfish selects the cipher; other ciphers are listed in ssh(1).

    To bring the tunnel up, start ppp on vpn1 with the vpn2 label:

      # ppp -ddial vpn2

    -ddial dials immediately and redials whenever the link drops; ppp -background vpn2 dials once and exits when the link goes down (see ppp(8)). Put the command in a startup script if the tunnel should come up at boot.


     

    Configuring Incoming PPP: (On VPN2)

    Configuration File: /etc/ppp/ppp.conf

    The configuration is again done by example, editing the /etc/ppp/ppp.conf file on vpn2. The label vpn1 is the one named in the ssh command of the /etc/ppp/vpn2 script above.

    file: /etc/ppp/ppp.conf

    # VPN2 (slave) ppp configuration
    vpn1:
     set timeout 0                              # never drop the link for being idle
     set log phase lcp ipcp command
     add 10.1.1.0 255.255.255.0 HISADDR         # route vpn1's intranet (Figure 1) through the tunnel
     allow mode direct                          # this label may only be used with ppp -direct

      # NOTE: The network on the add line is the far intranet to be reached through the tunnel; its mask must match that intranet's netmask (255.255.255.0 for 10.1.1.0 in Figure 1), or the route will claim addresses it should not.
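    Both ends are now set up to authenticate vpn1 to vpn2 with RhostsRSAAuthentication and ~/.shosts (Section III, Step 2). A tighter alternative for the same ssh leg, shown here as an added example that is not from the original article, is a dedicated key in root's authorized_keys on vpn2 whose options make sshd run only the ppp server, and an audit that flags every key on a bastion that is not locked down this way. The function names are made up for the example and the key strings are placeholders, not real key material; the options used (from=, command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) are documented in sshd(8). from= is given vpn1's out address here; if your sshd matches from= against resolved host names only, use vpn1's name instead.

```sh
#!/bin/sh
# Added example (not from the original article, which uses RhostsRSAAuthentication
# and ~/.shosts): a key that vpn2's sshd will only ever use to start the ppp
# server, plus an audit of authorized_keys for keys without such restrictions.
# Key material and host names below are constructed placeholders.

# restricted_entry PUBKEY SOURCE -> an authorized_keys line that forces the ppp
# command, accepts the key only from SOURCE and denies a pty and all forwarding
restricted_entry() {
    printf 'from="%s",command="/usr/sbin/ppp -direct vpn1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$2" "$1"
}

# audit_keys < authorized_keys -> prints "LINE: problems" for every key that
# lacks a forced command, allows a pty or accepts any source; true when all pass
audit_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }                # skip comments and blank lines
        {
            bad = ""
            if ($0 !~ /(^|,)command="/)      bad = bad " no-forced-command"
            if ($0 !~ /(^|,)no-pty(,| )/)    bad = bad " pty-allowed"
            if ($0 !~ /(^|,)from="/)         bad = bad " any-source"
            if (bad != "") { print NR ":" bad; found = 1 }
        }
        END { exit found }'
}

# Constructed sample keys: the vpn1 tunnel key and a leftover administrator key.
VPN1_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYMATERIALONLY= root@vpn1'
ADMIN_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYMATERIALTWO= admin@laptop'

# sample_authorized_keys -> what root's authorized_keys on vpn2 might contain
sample_authorized_keys() {
    printf '# tunnel from vpn1, may only start ppp\n'
    restricted_entry "$VPN1_KEY" 209.100.33.10
    printf '%s\n' "$ADMIN_KEY"              # unrestricted: a root shell from anywhere
}

sample_authorized_keys | audit_keys || echo "unrestricted keys present; see the lines above"
```

    With a forced command sshd ignores whatever command the client asks for, so the /etc/ppp/vpn2 script above works unchanged; the matching sshd_config settings are RSAAuthentication yes (the default) with RhostsRSAAuthentication left at no. Run audit_keys against root's authorized_keys on each bastion from time to time; any key it reports is an ordinary root login, not a tunnel credential.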


     



    V. Tips and Troubleshooting

    Troubleshooting your VPN connection is a relatively simple process. If you are having problems with the VPN connection (i.e. you cannot ping or traceroute to the far side), try the following:

    • Check your routes (netstat -rn): the far intranet should be listed with the peer's tunnel address as gateway, on a tun interface.
    • Check for running daemons: ppp, sshd (and natd, if you are using NAT).
    • Interrogate your ppp connection with ppp in "interactive" mode, or attach to the running daemon with pppctl /var/tmp/loop (the socket set in Section IV).
    • Test the ssh leg by itself: on vpn1, run the command from /etc/ppp/vpn2 by hand. If it prompts for a password or a host-key confirmation, ppp will never get a link.



    VI. Maintenance

    The care and feeding of the VPN is minimal. Log rotation is handled by FreeBSD automatically. The system administrator only needs to monitor the daemons and basic network functionality. If you wish to deploy the simple network management protocol (SNMP), it is a convenient way of performing network monitoring: install the ucdsnmp package at FreeBSD installation time or afterwards from the "ports collection".



    Appendix A. Command Reference

    The commands needed for implementation and maintenance of VPN are:

    • ssh
    • ppp
    • natd (if you are implementing NAT)


    These commands all have well documented man pages on your server as well as at freebsd.org.

Article By: Bjn  version 10.29.99
