Text File | 1997-07-07 | 14KB | 399 lines
The VPN HOWTO
Árpád Magosányi <mag@bunuel.tii.matav.hu>
v0.1, 3 May 1997
This is the Linux VPN howto, a collection of information on how to set up a
Virtual Protected Network in Linux (and other unices in general).
Table of contents:
0. Blurb
0.0 Copyright
0.1 Disclaimer
0.1.1 Disclaimer
0.1 State of this document
0.2 Related documentations
1. Introduction
1.1 Naming conventions
1.2 Planning
1.3 Gathering the tools
1.4 Compile and install
2 Configure the other subsystems
3. Set up the accounts for the VPN
3.1 create an account on the slave firewall
3.2 you might create an account on the master also
3.3 generate an ssh key for your master account
3.4 set up automatic ssh login for the slave account
3.5 Tighten ssh security on the bastions.
3.6 enable execution of ppp and route for both accounts.
3.7 do the scripting
4. look at what's happening:
5. doing it by hand.
5.1 logging in
5.2 firing up ppp
5.3 together the two
5.4 pty redirecting
5.5 is anything on the device?
5.6 setting up the routes
6. set up the additional firewalling rules.
7. vulnerability analysis
0. Blurb
0.0 Copyright
This document is part of the Linux HOWTO project. The copyright notice is
the following:
Unless otherwise stated, Linux HOWTO documents are copyrighted by
their respective authors. Linux HOWTO documents may be reproduced
and distributed in whole or in part, in any medium physical or
electronic, as long as this copyright notice is retained on all
copies. Commercial redistribution is allowed and encouraged;
however, the author would like to be notified of any such
distributions.
All translations, derivative works, or aggregate works incorporating
any Linux HOWTO documents must be covered under this copyright
notice. That is, you may not produce a derivative work from a HOWTO
and impose additional restrictions on its distribution. Exceptions
to these rules may be granted under certain conditions; please
contact the Linux HOWTO coordinator at the address given below.
In short, we wish to promote dissemination of this information
through as many channels as possible. However, we do wish to retain
copyright on the HOWTO documents, and would like to be notified of
any plans to redistribute the HOWTOs.
If you have questions, please contact Greg Hankins, the Linux HOWTO
coordinator, at gregh@sunsite.unc.edu via email.
0.1 Disclaimer
As usual: the author is not responsible for any damage. For the
correct wording, see the relevant part of the GNU GPL.
0.1.1 Disclaimer
We are dealing with security: you are not safe if you haven't got a
good security policy, and other rather boring things.
0.1 State of this document
This is very preliminary. You should have thorough knowledge of
administering IP, at least some knowledge of firewalls, ppp and
ssh. You should know them anyway if you want to set up a VPN.
I just decided to write down my experiences so as not to forget them.
There are possibly some security holes indeed. To be fair, I've tried
it on hosts configured as routers, not firewalls, on the assumption
that it's simple from that point.
0.2 Related documentations
- The Linux Firewall-HOWTO /usr/doc/HOWTO/Firewall-HOWTO
- The Linux PPP-HOWTO /usr/doc/HOWTO/PPP-HOWTO.gz
- The ssh documentations /usr/doc/ssh/*
- The Linux Network Admins' Guide
- NIST Computer Security Special Publications http://csrc.ncsl.nist.gov/nistpubs/
- Firewall list (majordomo@greatcircle.com)
1. Introduction
As firewalls are more and more widely used in internet and
intranet security, the ability to do nice VPNs is important.
Here are my experiences. Comments are welcome.
1.1 Naming conventions
I will use the terms "master firewall" and "slave firewall", though
making a VPN has nothing to do with client-server architecture. I
simply refer to them as the active and passive participants of the
connection's setup. The host which starts the setup will be
referred to as the master, and the passive participant will be the
slave.
1.2 Planning
Before you start to set up your system, you should know the
networking details. I assume you have two firewalls protecting one
intranet per firewall, and they are both connected to the internet.
So now you should have two network interfaces (at least) per
firewall. Take a sheet of paper, write down their IP addresses and
network masks. You will need one more IP address per firewall for
the VPN you want to do now. Those addresses should be outside of
your existing subnets. I suggest using addresses from the "private"
address ranges. They are the following:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
For the sake of example, here's a sample configuration:
The two bastions are called fellini and polanski. They have one
interface for the internet (-out), one for the intranet (-in), and
one for the vpn (-vpn). The addresses and netmasks:
fellini-out: 193.6.34.12 255.255.255.0
fellini-in: 193.6.35.12 255.255.255.0
fellini-vpn: 192.168.0.1 point-to-point
polanski-out: 193.6.36.12 255.255.255.0
polanski-in: 193.6.37.12 255.255.255.0
polanski-vpn: 192.168.0.2 point-to-point
So we have the plan.
1.3 Gathering the tools
You will need a
- Linux firewall
  - kernel
  - very minimal configuration
  - ipfwadm
  - fwtk
- Tools for the VPN
  - ssh
  - pppd
  - sudo
  - pty-redir
Current versions:
kernel: 2.0.30. Use a stable kernel, and it must be newer than
2.0.20, because of the ping o' death bug.
base system: I prefer Debian. YMMV. You absolutely don't want to use
any big packages, and you never even thought of using sendmail, of
course. You also definitely don't want to enable telnet, ftp, and
the 'r' commands (as usual in case of any other unix hosts).
ipfwadm: I've used 2.3.0
fwtk: I've used 1.3
ssh: >= 1.2.20. There are problems with the underlying protocol
in the older versions.
pppd: I've used 2.2.0f for the tests, but I'm not sure if it is
secure, which is why I turned the setuid bit off and used
sudo to launch it.
sudo: 1.5.2, the newest I am aware of
pty-redir: It is written by me. Try
ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz. Its version
number is 0.1 now. Tell me if there is any problem with it.
1.4 Compile and install
Compile or otherwise install the gathered tools. Look at every one's
documentation (and the firewall-howto) for details.
Now we have the tools.
2 Configure the other subsystems
Configure your firewall rules, etc. You need to enable ssh traffic
between the two firewall hosts. It means a connection to port 22 on
the slave from the master. Start sshd on the slave and verify that you
can log in. This step is untested, please tell me your results.
3. Set up the accounts for the VPN
3.1 create an account on the slave firewall
use your favourite tool (e.g. vi, mkdir, chown, chmod)
3.2 you might create an account on the master also
But I think you want to set up the connection at boot time, so your
ordinary root account will do. Can anyone point out risks on using the
root account on the master?
3.3 generate an ssh key for your master account
use the ssh-keygen program. Set an empty password for the private key
if you want to do automatic setup of the VPN.
3.4 set up automatic ssh login for the slave account
copy the newly generated public key in the slave account under
.ssh/authorized_keys, and set up file permissions like the
following:
drwx------ 2 slave slave 1024 Apr 7 23:49 ./
drwx------ 4 slave slave 1024 Apr 24 14:05 ../
-rwx------ 1 slave slave 328 Apr 7 03:04 authorized_keys
-rw------- 1 slave slave 660 Apr 14 15:23 known_hosts
-rw------- 1 slave slave 512 Apr 21 10:03 random_seed
The first row is ~slave/.ssh, and the second is ~slave.
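The key installation and permission check for the slave account, as an added example that is not part of the HOWTO. It uses 600 on authorized_keys rather than the 700 shown in the listing (read/write is all sshd needs), and the paths are placeholders supplied by the caller.

```shell
# Added example: install the master's public key into the slave account's
# ~/.ssh and give every path component owner-only modes. sshd's StrictModes
# (enabled in the next section) refuses the key if the home directory,
# ~/.ssh or authorized_keys is group- or world-accessible.
# Arguments: slave home directory, file holding the master's public key.
# Assumed to run as root or as the slave user.
install_vpn_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home" "$home/.ssh"
    # Append rather than overwrite, so other authorized keys survive.
    cat "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# True if the path's group and other permission bits are all clear
# (columns 5-10 of ls -ld, e.g. "drwx------" or "-rw-------").
owner_only() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Check the three paths StrictModes cares about; return 0 only if all pass.
check_strict_modes() {
    home="$1"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if owner_only "$p"; then
            echo "ok    $p"
        else
            echo "LOOSE $p ($(ls -ld "$p" | cut -c1-10))"; rc=1
        fi
    done
    return $rc
}

# Command-line use: install_vpn_key.sh /home/slave /tmp/master.pub
if [ "$#" -eq 2 ]; then
    install_vpn_key "$1" "$2" && check_strict_modes "$1"
fi
```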
3.5 Tighten ssh security on the bastions.
It means the following on my setup in sshd_conf:
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Password authentication is turned off, so login is only poss
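A small audit of an sshd configuration against the settings listed above, as an added example that is not part of the HOWTO. It assumes the first non-comment occurrence of a keyword is the effective one (OpenSSH behaviour) and that keywords are separated from values by whitespace.

```shell
# Added example: report every keyword in the list above whose value in the
# given sshd_config differs from the HOWTO's, or which is missing entirely.
# Comment lines are skipped and keyword case is ignored. Returns 1 if any
# deviation was found, so it can gate a deployment script.
audit_sshd_config() {
    cfg="$1"; rc=0
    # Expected values copied from the HOWTO's sshd_conf fragment.
    for pair in PermitRootLogin=no IgnoreRhosts=yes StrictModes=yes \
                QuietMode=no FascistLogging=yes KeepAlive=yes \
                RhostsAuthentication=no RhostsRSAAuthentication=no \
                RSAAuthentication=yes PasswordAuthentication=no \
                PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        # First non-comment line whose keyword matches wins (assumed).
        got=$(awk -v k="$key" \
            '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key $got (want $want)"; rc=1
        else
            echo "ok      $key $got"
        fi
    done
    return $rc
}

# Command-line use: audit_sshd_config.sh /etc/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```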