
VPN - Firewall

Preparing for Installation
Configuration & Startup
Tips and Troubleshooting
Command Reference

I. Introduction
This document takes you through the installation and configuration of an "ssh-hacque" based Virtual Private Network (VPN) on a FreeBSD platform with an Intel architecture.
By way of example, a "two bastion" setup is assumed, in which two intranets, vpn1 and vpn2, are networked with each other across "the internet".

II. Preparing for Installation
System Requirements:
The minimum system hardware requirements are:
Pentium PII processor - Intel architecture
32 Mb RAM
1 Gb IDE Hard Drive
2 Intel Ether Express PRO/100B Network Interface Cards (NICs)
Software Requirements:
FreeBSD Release 3.1 or greater, with the following minimum software distributions selected using a "custom" installation:
src (from src -select base and system src types)
sudo (from security - if we are going to sudo ppp)
ssh (install from ports collection - /usr/ports/security/ssh)
ucdsnmp (Optional - if using snmp for network monitoring)
Before setting up your system, you will need to know the networking details. It is assumed that you have two firewalls, each protecting one intranet, and that both are connected to the internet. Each firewall should have (at least) two network interfaces. Take a sheet of paper and write down their IP addresses and network masks. You will need one more set of IP addresses per firewall for the VPN you want to create. These addresses should be outside your existing subnets; using addresses from the "private" address ranges is recommended. They are the following:

In the "two bastion" example used here, the two firewalls are called vpn1 and vpn2. Each has one interface for the internet (out), one for the intranet (in), and one for the vpn (vpn). Refer to Figure 1. The addresses and netmasks:

Figure 1

III. Installation
FreeBSD installation:
Installation instructions for FreeBSD are readily available on the internet. This document assumes the installation of FreeBSD Release 3.1, properly configured as a network-ready server. During installation you will have opportunities to make a few "selections" from Distributions and Packages.
Distributions to Install:
bincompat2.2
dict
doc
man
catman
ports
src (from src - here you will select base and system src types)
Packages to Install:
sudo (from security - if we are going to sudo ppp)
Installing ssh (from the FreeBSD "Ports Collection"):
Note (Ports Collection): The FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. Each "port" listed contains any patches necessary to make the original application source code compile and run on FreeBSD. Installing an application is as simple as downloading the port, unpacking it and typing make in the port directory. For more information see Ports Collection.
So, with "ports", installing ssh is reduced to three simple steps (the cleanup afterwards is optional):
# cd /usr/ports/security/ssh
# make
# make install
# make clean (optional)
Kernel Configuration:
To configure the kernel we will copy the generic kernel configuration file and configure the new kernel by editing the "new" configuration file.
For this process it helps to have two shell windows open; they will be referred to as "window-1" and "window-2". Be sure to perform all configuration as the user "root" (a.k.a. superuser or administrator). The procedure is as follows:
Step 1: (window-1)
# cd /usr/src/sys/i386/conf
# cp GENERIC VPN
# vi VPN
Step 2: Remove unnecessary devices not being used so that they aren't compiled into the kernel.
# dmesg | grep "not"   (window-2)
This locates devices "not found". In your vi session (editing the file VPN, window-1), locate these device entries and delete them.
Step 3: Add a second network interface device for your second network interface card (NIC).  For this step we will assume that you are using Intel Ether Express PRO/100B NICs (network interface i.d.'s fxp0 and fxp1).
# ifconfig -a   (window-2)
Use this if you don't know or aren't sure which NICs you are using. It gives you the network interface i.d., which you can then locate in VPN (window-1). In VPN (window-1), keep the network interface devices you are using and delete the rest.

Step 4 (Optional): If you are planning on running Network Address Translation (NAT), you will need to add the following lines to the file VPN (window-1):
Step 5: Compile the new kernel.
# config ./VPN   (in the current directory: /usr/src/sys/i386/conf)
# cd ../../compile/VPN   (/usr/src/sys/compile/VPN)
# make depend
# make
# make install
# make clean (optional)
Server Configuration:
As part of the server install, several configuration changes must be made. Examples and excerpts of the configuration files are presented below.
Configuration Files:
Step 1 (Configure the gateway): In /etc/rc.conf add the following lines:
### Network routing options: ###
defaultrouter=""                # Set to default gateway (or NO).
[NOTE: This is the vpn1-out IP address]
gateway_enable="YES"            # Set to YES if this host will be a gateway.
Step 2 (Configure ssh): In /usr/local/etc/sshd_config  change the following default.
RhostsRSAAuthentication yes   # The default is "no"
Step 3 (Optional; Configure NAT): In /etc/rc.conf add the following lines:
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="open"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
natd_enable="YES"                # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"           # Public interface to use with natd.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
[NOTE: More about natd and natd.conf  for port redirection can be found in the man pages - # man natd]
network_interfaces="fxp0 fxp1 lo0"      # List of network interfaces (lo0 is loopback).
Step 4 (Restart your server): Reboot.

IV. Configuration & Startup
The remaining items to configure for a working VPN connection are the point-to-point protocol (ppp) on both the local (incoming) and remote (dial-out) servers.
Configuring Dial-Out PPP: (On VPN1)
Configuration File: /etc/ppp/ppp.conf
Start-up Script:  /etc/ppp/vpn2
The configuration will be done by example, editing the /etc/ppp/ppp.conf file. In this example vpn1 and vpn2 (our "two bastion" example) are referred to as introduced in the planning portion of Section II (above).
file: /etc/ppp/ppp.conf

script: /etc/ppp/vpn2

Configuring Incoming PPP: (On VPN2)
Configuration File: /etc/ppp/ppp.conf
Again, the configuration will be done by example, editing the /etc/ppp/ppp.conf file. In this example vpn1 and vpn2 (our "two bastion" example) are referred to as introduced in the planning portion of Section II (above).
file: /etc/ppp/ppp.conf
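As an added illustration of both the dial-out (vpn1) and incoming (vpn2) halves described above, here is an example /etc/ppp/ppp.conf pair for the user-ppp used on FreeBSD 3.x; it is not the article's own file. It assumes ssh is run with RhostsRSA authentication as set in Section III, that ppp on vpn2 is started through sudo, and that the hostnames, tunnel endpoints (10.0.0.1/10.0.0.2) and intranet prefixes (192.168.1.0/24, 192.168.2.0/24) are placeholders to be replaced by the addresses from your Section II worksheet.

```conf
###############################################################
# vpn1 (dial-out side): /etc/ppp/ppp.conf
# Started with:  ppp -background vpn2   (from /etc/ppp/vpn2)
###############################################################
default:
 set log Phase Chat Connect Carrier LCP IPCP CCP tun command

vpn2:
 # A device name beginning with "!" makes ppp exec the program and
 # use its stdin/stdout as the link; ssh carries the PPP frames
 # to vpn2, where "ppp -direct vpn1" answers on the far end.
 # "-e none" disables the ssh escape character so that a "~" in
 # the PPP byte stream is not swallowed by ssh.
 # "-c blowfish" selects the cipher (SSH1 option; placeholder hostname vpn2-out).
 set device "!ssh -e none -c blowfish vpn2-out sudo /usr/sbin/ppp -direct vpn1"
 set dial                   # no modem chat script: the link is already up
 set login                  # no login script either
 set timeout 0              # never tear the tunnel down for inactivity
 set ifaddr 10.0.0.1 10.0.0.2          # placeholder tunnel endpoints (vpn1-vpn, vpn2-vpn)
 add 192.168.2.0/24 HISADDR            # placeholder: vpn2's intranet, routed via the tunnel
 enable lqr                 # link quality reports detect a dead tunnel

###############################################################
# vpn2 (incoming side): /etc/ppp/ppp.conf
# Invoked by the ssh command above as:  sudo /usr/sbin/ppp -direct vpn1
###############################################################
default:
 set log Phase LCP IPCP CCP tun command

vpn1:
 set timeout 0
 set ifaddr 10.0.0.2 10.0.0.1          # placeholder: mirror image of vpn1's ifaddr
 add 192.168.1.0/24 HISADDR            # placeholder: vpn1's intranet, routed via the tunnel
 enable lqr
```

The two `add` lines are what make the intranets reachable through the tunnel; they are the routes to look for with `netstat -rn` in Section V when a ping across the VPN fails.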


V. Tips and Troubleshooting
Troubleshooting your VPN connection is a relatively simple process. If you are having problems with the VPN connection (i.e. you cannot ping or trace a route), try the following:
Check your routes (netstat -rn).
Check for running daemons: ppp sshd (natd - if you are using NAT).
Interrogate your ppp connection with ppp in "interactive" mode.

VI. Maintenance
The care and feeding of the VPN is minimal. Log maintenance is handled by FreeBSD automatically. The system administrator only needs to monitor the daemons and basic network functionality. If you wish to deploy the simple network management protocol (SNMP), it is a convenient way of performing network monitoring. All you need to do is install the ucdsnmp package, either at the time of the FreeBSD installation or afterwards using the "ports collection".

Appendix A. Command Reference
The commands needed for implementation and maintenance of VPN are:
natd (if you are implementing NAT)

These commands all have well documented man pages on your server as well as at

© 1997 - 20013 Defcon1. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.
