Matt:
VPN Server?

Hello Folks,

I am configuring a VPN server and I'd like to use Linux rather than Microsoft RRAS due to the much lower overhead. I know how to set up a basic Linux server and make it a VPN server, but I'm wondering if there are any distributions geared toward just being a PPTP/IPSec VPN server? I'll have Windows/Mac/Linux clients connecting, so I'll need both PPTP and IPSec.

I am specifically interested in a distro (or even a tool for the usual suspects) that will allow me to monitor currently connected users, time connected, amount of data transferred ... things of that nature. If it offers a web GUI and HTTP proxy that would be phenomenal!

Thanks for any help you can provide.

ropeguru:
Never have looked for one before but I found this one pretty quick.
»openvpn.net/index.php/home.html

Matt:
Unfortunately OpenVPN will not work as it requires a proprietary client.

graysonf:
m0n0wall would meet your basic needs, but not all your requirements.
»m0n0.ch/wall/

Matt:
Thanks graysonf.

I'm keeping m0n0 and pfSense in the back of my mind. I know I could configure them to do what I need, or configure a basic CentOS system as well. I was just hoping someone tackled the problem with a custom distro.

Actually, m0n0 or pfSense plus OpenRADIUS may be the type of solution I'm looking for if OpenRADIUS provides the type of accounting and monitoring I would like to have. Does m0n0 support any sort of web proxy like Squid? I believe pfSense has a squid package that can be installed.

graysonf:
m0n0 is not extensible unless you rebuild it yourself. pfSense would be better that way.

But nothing can be everything to everybody out of the box. If you must have what you say you do, then you are going to have to start with something and beat it into the shape you want yourself.

Matt:
said by graysonf: m0n0 is not extensible unless you rebuild it yourself. pfSense would be better that way. But nothing can be everything to everybody out of the box. If you must have what you say you do, then you are going to have to start with something and beat it into the shape you want yourself.

Thanks for the tip on m0n0.

And yes, I figured I would have to connect the dots on this if I wanted to go the Open Source route. This really is basic, basic VPN functionality though (minus the Squid stuff) so I just had my fingers crossed that someone has put a package together that integrated it all.

When I dive in it may wind up being extremely simple to integrate which is why no one has seen the need to create anything custom.

sempergoofy:
said by Matt: Unfortunately OpenVPN will not work as it requires a proprietary client.

I'm confused. What's proprietary about OpenVPN? Something about the licensing? »openvpn.net/index.php/licensing.html

-- nohup rm -fr /&

Matt:
said by sempergoofy: I'm confused. What's proprietary about OpenVPN? Something about the licensing? »openvpn.net/index.php/licensing.html

Everything. You have to install the OpenVPN client to talk to the OpenVPN server. You can't use the VPN clients that are built into various operating systems to talk to an OpenVPN server.

jhboricua:
said by Matt: Everything. You have to install the OpenVPN client to talk to the OpenVPN server. You can't use the VPN clients that are built into various operating systems to talk to an OpenVPN server.

I wasn't aware that Windows had a built-in IPSEC VPN client. On the linux end, this is a non-issue though.

-- "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
Jose A. Hernandez * System Admin * MPLS, Minnesota, USA

sempergoofy:
said by Matt: Everything. You have to install the OpenVPN client to talk to the OpenVPN server. You can't use the VPN clients that are built into various operating systems to talk to an OpenVPN server.

I don't think I have ever heard proprietary used in the context you are using it. And it does not seem to match this common explanation of proprietary software as I understand it. Given the free download for OpenVPN and open source availability of it, I don't get the exclusive proprietary aspect.

Nevertheless, I think I better understand that you don't want to install any software on any system that uses the VPN you wish to establish. Is that correct?

Edit: After reading more deeply, I think I see the proprietary aspect. Adding: I use OpenVPN a lot. Works for me.

Matt:
said by jhboricua: I wasn't aware that Windows had a built-in IPSEC VPN client. On the linux end, this is a non-issue though.

It does. Vista has an SSTP client and Windows 7 has SSTP and IKEv2.

Matt:
said by sempergoofy: Nevertheless, I think I better understand that you don't want to install any software on any system that uses the VPN you wish to establish. Is that correct?

Yep, that's exactly right. I'd LOVE to use OpenVPN, but I must have the ability to utilize the clients built into Windows and OS X.

graysonf:
Most practical way is to have VPN servers as the endpoints. Clients behind them don't need anything special on them at all. But this is not suited to "road warrior" type settings.

rugby:
If you want an appliance, the McAfee UTM Firewall series are great. They used to be Secure Computing, and then Cyberguard, and before that they were SnapGear.

The devices run uClinux and support both PPTP to Macs/Windows and IPSec to Macs running IPSecuritas.

Matt:
Thanks for the tips guys. I am leaning toward running a Windows RRAS server because usage reporting is built-in and they offer a free tool in the Resource Kit that runs a report and combines user stats into a single file, which I can dump to a Linux box to work some magic on and format it for the web.

I couldn't seem to find the right combination of words to source a Linux package that would allow me to track the bandwidth usage of each user's PPTP session. I'd still rather go open source, does anyone know of one?

In case anyone is wondering what I am doing, I'm starting a business offering VPN and Web Proxy services since I have tons of hardware and tons of bandwidth laying around. So per-user usage reporting is a must.

greEd:
I recently started trying to set up poptop (»www.poptop.org/) pptpd on a CentOS 5.3 server.

What a headache this has turned into. I configured the server with a public external and private internal IP. I wanted the server to authenticate against active directory using winbind, samba, and kerberos so I set up krb5.conf and smb.conf accordingly.

Everything worked great up until the actual connection to the internal application. The connection was dog slow. I'm still messing with it, but for now the users are still using the RRAS server which is working great.

I, like you, wanted a linux alternative to RRAS and I'm firing blanks.

-- »www.computerglitch.net

Matt:
said by greEd: I recently started trying to set up poptop (»www.poptop.org/) pptpd on a CentOS 5.3 server. What a headache this has turned into. [...] I, like you, wanted a linux alternative to RRAS and I'm firing blanks.

CentOS 5.3 and poptop was the first solution I tried actually! While I was able to get it working without much fuss (I wasn't authenticating against AD, just local PAM accounts) I couldn't source a tool to allow me to see individual users' usage.

Let me know where you end up, I'm still at a point where an open source solution would be great and I could switch gears to install one -- I just don't have any more time to research since RRAS does everything I need, albeit with a little work and admittedly isn't as scalable.

greEd:
Well, the VPN seems to be running pretty stable. My biggest hurdle right now is trying to get SAMBA/WINBIND to recognize AD accounts as having remote dial-in access. As it stands right now it allows ALL users VPN access regardless of whether dial-in has been allowed or not through AD (which isn't a good thing).

I'm still messing with it and have much more configuration to do before I can toss this thing into production, but here's where I'm at:

The server being used for the VPN has the following NIC setup:

    eth0 (internal) - 192.168.0.10
    eth2 (external) - p.u.bl.ic

• First check to see if ppp is installed. If not, install it.

    # rpm -qa | grep ppp
    ppp-2.4.4-2.el5

• Install poptop. I downloaded the rpm from the site and installed it but ran into errors, so I did some digging and found this guy (Wing S Kwok) had recompiled pptpd to work error free on Fedora 8. So I tried it on CentOS 5.3 and it worked great.
URL for his rpm: »rapidshare.com/files/147328050/p···i386.rpm
Before I used that rpm I was getting errors like the following in /var/log/messages; his binary fixed it:

    Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.3, this is 2.4.4

• Next configured SAMBA. Here's a sample of my /etc/samba/smb.conf:

    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = vpn
        load printers = no
        log file = /var/log/samba/%m.log
        # authenticate against the AD domain this host is joined to
        security = ads
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        # never take part in browser elections on the LAN
        local master = no
        domain master = no
        preferred master = no
        dns proxy = no
        # uid/gid range winbind allocates for mapped AD accounts
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        # accept "alice" instead of "MYDOMAIN\alice"
        winbind use default domain = yes
        # interface list for Samba; on its own this does not stop smbd
        # listening on eth2 (that also needs "bind interfaces only = yes")
        interfaces = 192.168.0.10 lo

• Set up Kerberos. Sample /etc/krb5.conf:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = MYDOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

    [realms]
        MYDOMAIN.COM = {
            kdc = ads.mydomain.com:88
            admin_server = ads.mydomain.com:749
            default_domain = mydomain.com
        }

    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

• Test Kerberos to make sure it's working as expected:

    # kinit -V administrator@MYDOMAIN.COM
    Password for administrator@MYDOMAIN.COM:
    Authenticated to Kerberos v5

• Check Kerberos tickets:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@MYDOMAIN.COM

    Valid starting     Expires            Service principal
    06/03/09 11:04:57  06/03/09 21:06:36  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 06/04/09 11:04:57

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

• Join the AD domain:

    # net join -U administrator@MYDOMAIN.COM
    Using short domain name -- MYDOMAIN
    Joined 'VPN' to realm 'MYDOMAIN.COM'

• Enable winbind:

    # service winbind start

• Test that winbind is working:

    # wbinfo -t
    checking the trust secret via RPC calls succeeded
    # wbinfo -u
    (should list user accounts in AD)

• Configure pptpd (two files: /etc/pptpd.conf and /etc/ppp/options.pptpd). The only lines I paid attention to in /etc/pptpd.conf were:

    localip 192.168.0.10
    remoteip 192.168.0.211-212

I left the range small for test purposes. I'll probably put the VPN IPs on a separate subnet once I get everything working properly.

Here is /etc/ppp/options.pptpd:

    name pptpd
    # accept only MS-CHAPv2 with 128-bit MPPE; every weaker method is refused
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    # DNS server handed to connecting clients
    ms-dns 192.168.0.6
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd
    auth
    nodefaultroute
    # hand authentication to winbind/ntlm_auth so AD accounts are used
    plugin winbind.so
    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Enable IP forwarding:

    # echo 1 > /proc/sys/net/ipv4/ip_forward

Also set it in /etc/sysctl.conf so it survives reboots.

Resources:
»www.members.optushome.com.au/~ws···to_1.htm
»4sysops.com/archives/poptop-linu···ng-pptp/
»www.poptop.org/
»pptpclient.sourceforge.net/howto···is.phtml
»poptop.sourceforge.net/dox/repla···to.phtml

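With pptpd running as set up above, pppd logs each call to /var/log/messages: one line naming the authenticated peer and, when the link is torn down, a connect-time line and a sent/received byte count. That is enough to build the per-user usage report Matt was asking for earlier in the thread. The following Python is an added example, not code from this thread or from the poptop project. It assumes the standard pppd 2.4.x message wording ("CHAP peer authentication succeeded for ...", "Connect time N minutes.", "Sent N bytes, received N bytes.") and the CentOS 5 syslog prefix; the sample log lines are constructed. Check the patterns against a real /var/log/messages before trusting the numbers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Syslog prefix as written by CentOS 5 syslogd, e.g.
#   "Jun  3 11:04:57 vpn pppd[4321]: Using interface ppp0"
# pppd forks one process per PPTP call, so pppd[pid] ties a session's lines together.
PREFIX = re.compile(r'^\S+\s+\d+\s+[\d:]+\s+\S+\s+pppd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
# Message patterns assumed from pppd 2.4.x (chap-new.c / main.c); verify against
# your own /var/log/messages, wording can differ between pppd builds.
AUTH = re.compile(r'CHAP peer authentication succeeded for (?P<user>\S+)')
REMOTE = re.compile(r'remote IP address (?P<ip>[\d.]+)')
CONNECT_TIME = re.compile(r'Connect time (?P<minutes>[\d.]+) minutes\.')
BYTES = re.compile(r'Sent (?P<sent>\d+) bytes, received (?P<received>\d+) bytes\.')

# Constructed sample log (not from a real server): two closed sessions for alice,
# one still-open session for bob, one failed login that never authenticated.
SAMPLE_LOG = """\
Jun  3 11:04:57 vpn pppd[4321]: Using interface ppp0
Jun  3 11:04:58 vpn pppd[4321]: CHAP peer authentication succeeded for alice
Jun  3 11:04:58 vpn pppd[4321]: remote IP address 192.168.0.211
Jun  3 11:06:10 vpn pppd[4380]: Using interface ppp1
Jun  3 11:06:11 vpn pppd[4380]: CHAP peer authentication succeeded for bob
Jun  3 11:06:11 vpn pppd[4380]: remote IP address 192.168.0.212
Jun  3 11:17:15 vpn pppd[4321]: Connect time 12.3 minutes.
Jun  3 11:17:15 vpn pppd[4321]: Sent 1048576 bytes, received 5242880 bytes.
Jun  3 11:20:02 vpn pppd[4402]: Using interface ppp0
Jun  3 11:20:03 vpn pppd[4402]: Peer mallory failed CHAP authentication
Jun  3 11:20:03 vpn pppd[4402]: Connect time 0.1 minutes.
Jun  3 11:20:03 vpn pppd[4402]: Sent 120 bytes, received 96 bytes.
Jun  3 12:30:00 vpn pppd[4455]: Using interface ppp0
Jun  3 12:30:01 vpn pppd[4455]: CHAP peer authentication succeeded for alice
Jun  3 12:30:01 vpn pppd[4455]: remote IP address 192.168.0.211
Jun  3 12:45:31 vpn pppd[4455]: Connect time 15.5 minutes.
Jun  3 12:45:31 vpn pppd[4455]: Sent 2048 bytes, received 4096 bytes.
"""

@dataclass
class Session:
    pid: str
    user: Optional[str] = None
    remote_ip: Optional[str] = None
    minutes: Optional[float] = None
    sent: Optional[int] = None
    received: Optional[int] = None

    def closed(self) -> bool:
        # pppd prints both statistics lines only at link teardown; until then
        # the session is still up (or the log was rotated mid-session).
        return self.minutes is not None and self.sent is not None

def parse_sessions(lines):
    """Group pppd lines by pid and pick out the authenticated user, the
    assigned address and the final link statistics for each session."""
    sessions = {}
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # pptpd CTRL/GRE messages and other daemons are ignored
        s = sessions.setdefault(m['pid'], Session(pid=m['pid']))
        msg = m['msg']
        if (a := AUTH.search(msg)):
            s.user = a['user']
        elif (r := REMOTE.search(msg)):
            s.remote_ip = r['ip']
        elif (c := CONNECT_TIME.search(msg)):
            s.minutes = float(c['minutes'])
        elif (b := BYTES.search(msg)):
            s.sent, s.received = int(b['sent']), int(b['received'])
    return list(sessions.values())

def per_user_totals(sessions):
    """Sum closed sessions per user. pppd processes that never authenticated
    (failed logins) are kept under '<unauthenticated>' rather than dropped,
    and authenticated sessions without statistics are counted as still open."""
    totals = defaultdict(lambda: dict(sessions=0, open=0, minutes=0.0, sent=0, received=0))
    for s in sessions:
        t = totals[s.user or '<unauthenticated>']
        if s.closed():
            t['sessions'] += 1
            t['minutes'] += s.minutes
            t['sent'] += s.sent
            t['received'] += s.received
        elif s.user:
            t['open'] += 1
    return dict(totals)

def report(log_text=SAMPLE_LOG):
    """Print a per-user table and return the totals for further formatting."""
    totals = per_user_totals(parse_sessions(log_text.splitlines()))
    for user, t in sorted(totals.items()):
        print(f"{user:18} sessions={t['sessions']} open={t['open']} "
              f"minutes={t['minutes']:5.1f} sent={t['sent']} recv={t['received']}")
    return totals

if __name__ == '__main__':
    report()
```

The byte counts only appear when a session ends, so this gives historical accounting; for the "currently connected" view the thread also asked about, the open count above tells you who is up, and live counters for a session have to come from the pppN interface itself (ifconfig or /proc/net/dev) rather than from the log. Feeding the real file is a matter of `report(open('/var/log/messages').read())`, and the returned dictionary is what you would hand to whatever formats the web page.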
greEd:
said by greEd: Well, the VPN seems to be running pretty stable. My biggest hurdle right now is trying to get SAMBA/WINBIND to recognize AD accounts as having remote dial-in access. As it stands right now it allows ALL users VPN access regardless of whether dial-in has been allowed or not through AD (which isn't a good thing).

Ok, I was able to fix this issue. I now have it set up so the user must be part of a specific group in AD to have VPN access.

The way to do it is:

• Add the following line to /etc/samba/smb.conf:

    winbind separator = +

• Next edit the following line in /etc/ppp/options.pptpd. It should currently read:

    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Append --require-membership-of=MYDOMAIN+vpngroupname so that it reads:

    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MYDOMAIN+vpngroupname"

This will make it so that the user must be a member of the AD group "vpngroupname".
