Install PoPToP Point to Point Tunneling Server:
1 |
sudo apt-get install pptpd |
Edit /etc/pptpd.conf file:
1 |
sudo joe /etc/pptpd.conf |
Uncomment the following lines (replace IP range if you like)
1 2 |
localip 192.168.0.1 remoteip 192.168.1.1-255 |
Save and exit.
Edit /etc/ppp/pptpd-options file
1 |
sudo joe /etc/ppp/pptpd-options |
Make sure you have this:
1 2 3 4 5 6 7 8 9 10 11 12 |
refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 proxyarp nodefaultroute lock nobsdcomp noipx ## you don't need IPX mtu 1490 ## may help your linux client from disconnecting mru 1490 ## may help your linux client from disconnecting |
Save and exit.
Next step is to add users who can use this connection.
1 |
sudo joe /etc/ppp/chap-secrets |
The file should look like this:
1 2 3 4 |
# Secrets for authentication using CHAP # client server secret IP addresses cviorel pptpd my_secret_password * another_user pptpd his_secret_password * |
Now we need to configure IP Masquerading on the VPN server.
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading.
ufw Masquerading
IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.
The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.
a) First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
1 |
DEFAULT_FORWARD_POLICY="ACCEPT" |
Then edit /etc/ufw/sysctl.conf and uncomment:
1 |
net.ipv4.ip_forward=1 |
Similarly, for IPv6 forwarding uncomment:
1 |
net.ipv6.conf.default.forwarding=1 |
b) Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
1 2 3 4 5 6 7 8 9 |
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMIT |
The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:
1 2 |
# don't delete the 'COMMIT' line or these rules won't be processed COMMIT |
First, since we trust pptpd completely, I would accept all traffic to/from my pptpd. I added this lines at the beginning of the filter section.
1 2 |
-A ufw-before-input -i ppp+ -j ACCEPT -A ufw-before-output -i ppp+ -j ACCEPT |
Additionally, I must forward traffic to/from my pptpd. These lines was also added after the above lines.
1 2 |
-A ufw-before-forward -s 192.168.0.0/24 -j ACCEPT -A ufw-before-forward -d 192.168.0.0/24 -j ACCEPT |
c) Finally, disable and re-enable ufw to apply the changes:
1 |
sudo ufw disable && sudo ufw enable |
IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be
added to the ufw-before-forward chain.
iptables Masquerading
iptables can also be used to enable masquerading.
a) Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line:
1 |
net.ipv4.ip_forward=1 |
If you wish to enable IPv6 forwarding also uncomment:
1 |
net.ipv6.conf.default.forwarding=1 |
– Next, execute the sysctl command to enable the new settings in the configuration file:
1 |
sudo sysctl -p |
– IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
1 |
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE |
The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:
- -t nat — the rule is to go into the nat table
- -A POSTROUTING — the rule is to be appended (-A) to the POSTROUTING chain
- -s 192.168.0.0/16 — the rule applies to traffic originating from the specified address space
- -o ppp0 — the rule applies to traffic scheduled to be routed through the specified network device
- -j MASQUERADE — traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above
b) Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:
1 2 |
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT |
The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.
c) If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any commands used above. For example add the first command with no filtering:
1 |
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE |
Logs
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).
If you are using ufw, you can turn on logging by entering the following in a terminal:
1 |
sudo ufw logging on |
To turn logging off in ufw, simply replace on with off in the above command.
If using iptables instead of ufw, enter:
1 |
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: " |
A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:
1 |
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 |
The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.
NOTE: Documentation for this article is taken from https://help.ubuntu.com/8.04/serverguide/C/firewall.html.
If I don’t want client machines to pass their DNS requests through the tunnel can I ommit the IP masquerading section?
The masquerading part is for your firewall.
If you want to specify your own DNS, edit your config files inside /etc/ppp.
I’ve been researching this VPN tunnel stuff – seems far superior to proxies – and I get it, but… I want the host to be remote (outside my ISP).
I want to do this:
• Buy/Rent a [ ] Dedicated [ ] Virtual machine from some webhost (rackspace, etc.)
• Install ubuntu on it?
• Install web-app server (RoR, LAMP, etc.) on it?
• Install a mail server on it?
• blog engine, moveable type, etc?
• LDAP server
• Have all this crap work together? (obviously, I know dedicated servers for all this would be better, but I’m not imagining anything real intense)
This is mainly for:
• web privacy
• keeping my gadgets/mail/contacts/files synched up
• me f.ing around, getting my nerd on, getting my programming feet wet, etc.
So, is that how you get a _remote_ VPN tunnel going? Or do you need to sign up for some service and use theirs…. AND…. BIG AND….
Which hosting providers (U.S. based) can be trusted for privacy? or, in the alternative, which VPN tunneling hosts are a good value/trustworthy?
Any help at all, I’ve literally been searching for weeks, but everyone stops at how to set this sh_t up without saying WHERE to set it up. I don’t just want to get at my machine from work or my high school computer lab so I can get on myspace.
Sorry for the gianormous post. Be happy to post elsewhere if anyone can point!
Thanks!
Sorry for the late reply.
Ubuntu, or any other linux distro is suited for your needs (web server, mail server, LDAP, etc).
The main reason you would use VPN is privacy. The method I described in the article does not require any action from your ISP. We suppose they do not filter the ports you decide to use on your VPN server configuration.
Ok so i followed your instructions in this nice how-to but i still cant get ufw to let my pptp traffic through. if i disable ufw then it lets me connect but then masqurading doesnt work. any ideas? anything i should add to ufw? im trying to set this up at work so i need to get this going sooner rather than later.
thanks
ok i added an execption in ufw to allow the pptp port through:
sudo ufw allow 1723
this allows me to connect the the vpn server but IP Masquerading isn’t working, i cant access any websites or anything on the internetfor that matter while connected to the vpn. anythoughts? again i need to get this running asap for work.
@ LilJohn
Do you have the right network in your /etc/ufw/before.rules file?
ok i found the issue, at the begining you use these perameters:
localip 192.168.0.1
remoteip 192.168.1.1-255
and then for ufw masq you use this rule to route the pptp clients traffic:
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
192.168.0.0/24 (aka 255.255.255.0) will not route the 192.168.1.1-255 ipaddress range you must use 192.168.0.0/16 (aka 255.255.0.0)
the following rule will work:
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
i need help please, im on this step right now:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed
COMMIT
before i continue i have a question that way i wont have future problems, in the localip i put my server local ip address wich is 192.168.1.110 and in the remoteip i only change the 0 for a 1, is that ok? im kind of confuse now, here the reason why i dont want to continue is because this is a Asterisk Server that i build and is working with a SIP Trunk perfect and i dont want to mess it up, so far i have been accessing thru SSH, but i will love to use a VPN connection, any help, thanks in advance!
@ramon
Here is all the info you need:
http://quozl.linux.org.au/pptp/pptpd.conf.5.html#OPTIONS
how I can connect RADIUS and VPN??
@arie
Check this article about radius based VPN:
http://www.debian-administration.org/article/Creating_a_radius_based_VPN_with_support_for_Windows_clients
How would one go about setting up a VPN that only passes certain data through for a certain service. I want to set up a VPN so my remote machines will use their local connection for all web traffic and only antivirus updates go through the VPN.
@disturbingprod
You can create a normal VPN and using your firewall rules you can define wich traffic goes where.
HI, thanks for this beautiful article.
Can i access my home computer [ inside my lan ] from outside the lan?? ie from some public computer which is connected to internet.
My computer is also connected
@nithin shetty
Yeap.
I have a client workstation which must connect to a VPN through squid3 proxy server. The client workstation and the proxy server (computer with ubuntu 12.0.4 server and DNS, firewall, mail etc. services) are at my location and have access to them, but the VPN server is in another location and I do not have access to it. What can I do to allow traffic from the client workstation to the VPN server through http proxy ? If you want more details and some schematics, you can ask me : dragos.dragomir at gmail.com (in english or romanian)
@ddrazvi, you have to allow VPN traffic through squid.
That was my question … how to allow VPN traffic through squid …?
@ddrazvi http://bit.ly/1nTcdm1
I already did that (I strongly believe that Google is my friend 😎 ), but so far I haven’t find a suitable solution.
Maybe I searched for the wrong solution to my problem … instead of redirecting VPN traffic through proxy, how about bypassing proxy only for the IP of VPN server ? … should that solve my problem ?