OpenVPN

OpenVPN is a web-scale networking platform enabling the next wave of VPN services (openvpn.com).

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.

OpenVPN combines security with ease-of-use

OpenVPN's lightweight design sheds many of the complexities that characterize other VPN implementations. The OpenVPN security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Looking Ahead

OpenVPN Technologies, Inc. is committed to both OpenVPN community edition and enterprise edition and is working on a full range of services and products to meet your specific needs.

Getting Started

For a good conceptual introduction to OpenVPN, see the program notes for James Yonan's talk at Linux Fest Northwest 2004 -- Understanding the User-Space VPN: History, Conceptual Foundations, and Practical Usage.

You may also wish to read OpenVPN and the SSL VPN Revolution by Charlie Hosner.

OpenVPN software can create additional revenue streams:

OpenVPN software is available as a commercial version for firms who would like to redistribute OpenVPN with their own proprietary applications.

Learn more about OpenVPN Commercial Licensing; <Licensing>

OpenVPN runs on:

Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. An OpenVPN PocketPC port is under development.

With OpenVPN, you can:

• tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
• configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
• use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
• use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
• choose between static-key based conventional encryption or certificate-based public key encryption,
• use static, pre-shared keys or TLS-based dynamic key exchange,
• use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
• tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
• tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
• tunnel networks over NAT,
• create secure ethernet bridges using virtual tap devices, and
• control OpenVPN using a GUI on Windows or Mac OS X.

What distinguishes OpenVPN from other VPN packages?

• OpenVPN's principal strengths include cross-platform portability across most of the known computing universe, excellent stability, scalability to hundreds or thousands of clients, relatively easy installation, and support for dynamic IP addresses and NAT.
• OpenVPN provides an extensible VPN framework which has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, or supporting alternative authentication methods via OpenVPN's plugin module interface (For example the openvpn-auth-pam module allows OpenVPN to authenticate clients using any PAM authentication method -- such methods may be used exclusively or combined with X509 certificate-based authentication).
• OpenVPN offers a management interface which can be used to remotely control or centrally manage an OpenVPN daemon. The management interface can also be used to develop a GUI or web-based front-end application for OpenVPN.
• On Windows, OpenVPN can read certificates and private keys from smart cards which support the Windows Crypto API.
• OpenVPN uses an industrial-strength security model designed to protect against both passive and active attacks. OpenVPN's security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP. OpenVPN supports the X509 PKI (public key infrastructure) for session authentication, the TLS protocol for key exchange, the OpenSSL cipher-independent EVP interface for encrypting tunnel data, and the HMAC-SHA1 algorithm for authenticating tunnel data.
• OpenVPN is built for portability. At the time of this writing, OpenVPN runs on Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP. Because OpenVPN is written as a user-space daemon rather than a kernel module or a complex modification to the IP layer, porting efforts are dramatically simplified.
• OpenVPN is easy to use. In general, a tunnel can be created and configured with a single command (and without any required configuration files). OpenVPN's documentation contain examples illustrative of its ease of use.
• OpenVPN has been rigorously designed and tested to operate robustly on unreliable networks. A major design goal of OpenVPN is that it should be as responsive, in terms of both normal operations and error recovery, as the underlying IP layer that it is tunneling over. That means that if the IP layer goes down for 5 minutes, when it comes back up, tunnel traffic will immediately resume even if the outage interfered with a dynamic key exchange which was scheduled during that time.
• OpenVPN has been built with a strongly modular design. All of the crypto is handled by the OpenSSL library, and all of the IP tunneling functionality is provided through the TUN/TAP virtual network driver. The benefits of this modularity can be seen, for example, in the way that OpenVPN can be dynamically linked with a new version of the OpenSSL library and immediately have access to any new functionality provided in the new release. For example, when OpenVPN is built with the latest version of OpenSSL (0.9.7), it automatically has access to new ciphers such as AES-256 (Advanced Encryption Standard with 256 bit key) and the encryption engine capability of OpenSSL that allows utilization of special-purpose hardware accelerators to optimize encryption, decryption, and authentication performance. In the same way, OpenVPN's user-space design allows straightforward porting to any OS which includes a TUN/TAP virtual network driver.

• OpenVPN is fast. Running Redhat 7.2 on a Pentium II 266mhz machine, using TLS-based session authentication, the Blowfish cipher, SHA1 authentication for the tunnel data, and tunneling an FTP session with large, precompressed files, OpenVPN achieved a send/receive transfer rate of 1.455 megabytes per second of CPU time (combined kernel and user time).
• While OpenVPN provides many options for controlling the security parameters of the VPN tunnel, it also provides options for protecting the security of the server itself, such as --chroot for restricting the part of the filesystem the OpenVPN daemon has access to, --user and --group for downgrading daemon privileges after initialization, and --mlock to ensure that key material and tunnel data is never paged to disk where it might later be recovered.

Why choose TLS as OpenVPN's underlying authentication and key negotiation protocol?

TLS is the latest evolution of the SSL family of protocols developed originally by Netscape for their first secure web browser. TLS and its SSL predecessors have seen widespread usage on the web for many years and have been extensively analyzed for weaknesses. In turn, this analysis has led to a subsequent strengthening of the protocol such that today, SSL/TLS is considered to be one of the strongest and most mature secure protocols available. As such, we believe TLS is an excellent choice for the authentication and key exchange mechanism of a VPN product.

Does OpenVPN support IPSec or PPTP?

There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP.

The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating system requires its own independent implementation of IPSec.

By contrast, OpenVPN's user-space implementation allows portability across operating systems and processor architectures, firewall and NAT-friendly operation, dynamic address support, and multiple protocol support including protocol bridging.

There are advantages and disadvantages to both approaches. The principal advantages of OpenVPN's approach are portability, ease of configuration, and compatibility with NAT and dynamic addresses. The learning curve for installing and using OpenVPN is on par with that of other security-related daemon software such as ssh.

Historically, one of IPSec's advantages has been multi-vendor support, though that is beginning to change as OpenVPN support is beginning to appear on dedicated hardware devices.

While the PPTP protocol has the advantage of a pre-installed client base on Windows platforms, analysis by cryptography experts has revealed security vulnerabilities.

Is OpenVPN standards-compliant?

As a user-space VPN daemon, OpenVPN is compatible with with SSL/TLS, RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.

OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.

Can OpenVPN tunnel over a TCP connection?

Yes, starting with version 1.5.

Can I use a web browser as an OpenVPN client?

No. While OpenVPN uses the SSL/TLS protocol for security, OpenVPN is not a web application proxy. It is an OSI layer 2 or 3 full-mesh internetwork tunneling solution and requires that OpenVPN be installed on both client and server.

Building OpenVPN

OpenVPN can easily be built from source for Linux and BSD variants. Building OpenVPN for Windows is more complex, therefore a pre-built installer is available for Windows on the OpenVPN download site.

OpenVPN can be built:

• with both the OpenSSL Crypto and SSL libraries (version 0.9.6 or higher required), offering certificate-based authentication, public key encryption, and TLS-based dynamic key exchange,
• with only the OpenSSL Crypto library, offering static-key based conventional encryption and authentication, or
• standalone, with support for unencrypted UDP tunnels.

OpenVPN can also be linked with the LZO real-time compression library. OpenVPN supports adaptive compression, meaning that it will enable link compression only when the tunnel data stream is found to be compressible.

OpenVPN runs entirely in user space and does not require any special kernel components other than the TUN/TAP virtual network driver available for Windows, Linux, and BSD variants.

The OpenVPN project

OpenVPN is entirely a community-supported effort under the GPL, and your support can go a long way towards ensuring OpenVPN's continuing development, including staying on top of security issues, maintaining a rigorous testing program, adding new features, improving documentation, and providing technical support.

Read More...

How to Configure Point to Point Tunnel Protocol (PPTP) using VPN MIKROTIK

Summary
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support fot PPTP client and server.
General applications of PPTP tunnels:
* For secure router-to-router tunnels over the Internet
* To link (bridge) local Intranets or LANs (when EoIP is also used)
* For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or, for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.
Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to setup though a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.
PPTP Client Setup
Submenu level : /interface pptp-client
Property Description
name (name; default: pptp-out1) – interface name for reference
mtu (integer; default: 1460) – Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) – Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
connect-to (IP address)- the IP address of the PPTP server to connect to
user (string)- user name to use when logging on to the remote server
password (string; default: “”)- user password to use when logging to the remote server
profile (name; default: default) – profile to use when connecting to the remote server
add-default-route (yes | no; default: no) – whether to use the server which this client is connected to as its default router (gateway)
Example
To set up PPTP client named test2 using username john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:

[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\… user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X – disabled, R – running
0 X name=”test2″ mtu=1460 mru=1460 connect-to=10.1.1.12 user=”john”
password=”john” profile=default add-default-route=yes

[admin@MikroTik] interface pptp-client> enable 0

Monitoring PPTP Client
Command name : /interface pptp-client monitor
Property Description
Statistics:

uptime (time) – connection time displayed in days, hours, minutes, and seconds
encoding (string) – encryption and encoding (if asymmetric, separated with ‘/’) being used in this connection
status (string) – status of the client:
# Dialing – attempting to make a connection
# Verifying password… – connection has been established to the server, password verification in progress
# Connected – self-explanatory
# Terminated – interface is not enabled or the other side will not establish a connection

Example
Example of an established connection:

[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>

PPTP Server Setup
Submenu level : /interface pptp-server server

[admin@MikroTik] interface pptp-server server> print
enabled: no
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

Description
The PPTP server supports unlimited connections from clients. For each current connection, a dynamic interface is created.
Property Description
enabled (yes | no; default: no) – defines whether PPTP server is enabled or not
mtu (integer; default: 1460) – Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) – Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) – authentication algorithm
default-profile (name; default: default) – default profile to use
Example
To enable PPTP server:

[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

PPTP Server Users
Submenu level : /interface pptp-server
Description
There are two types of items in PPTP server configuration – static users and dynamic connections. A dynamic connection can be established if the user database or the default-profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only P2P user (in /ppp secret) should be configured. Note that in both cases P2P users must be configured properly.
Property Description
name – interface name
user – the name of the user that is configured statically or added dynamically

Statistics:

mtu – shows (cannot be set here) client’s MTU
client-address – shows (cannot be set here) the IP of the connected client
uptime – shows how long the client is connected
encoding (string) – encryption and encoding (if asymmetric, separated with ‘/’) being used in this connection
Example
To add a static entry for ex1 user:

[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X – disabled, D – dynamic, R – running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 DR ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>

In this example an already connected user ex is shown besides the one we just added.
PPTP Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are two routers in this example:

* [HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access another router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X – disabled
0 name=”ex” service=pptp caller-id=”" password=”lkjrht” profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==”"

[admin@HomeOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X – disabled, D – dynamic, R – running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\… password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X – disabled, R – running
0 R name=”pptp-out1″ mtu=1460 mru=1460 connect-to=192.168.80.1 user=”ex”
password=”lkjrht” profile=default add-default-route=no

[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables ‘direct’ communication between the routers over third party networks.

To route the local Intranets over the PPTP tunnel – add these routes:

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP server it can alternatively be done using routes parameter of the user configuration:

[admin@HomeOffice] ppp secret> print detail
Flags: X – disabled
0 name=”ex” service=pptp caller-id=”" password=”lkjrht” profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==”"

[admin@HomeOffice] ppp secret> set 0 routes=”10.150.1.0/24 10.0.103.2 1″
[admin@HomeOffice] ppp secret> print detail
Flags: X – disabled
0 name=”ex” service=pptp caller-id=”" password=”lkjrht” profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes=”10.150.1.0/24 10.0.103.2 1″

[admin@HomeOffice] ppp secret>

Test the PPTP tunnel connection:

[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the ‘EoIP’ section of the manual. To set the maximum speed for traffic over this tunnel, please consult the ‘Queues’ section.

Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over PPTP encrypted tunnel giving that computer an IP address from the same network as the remote office has (without need of bridging over eoip tunnels)

Please, consult the respective manual on how to set up a PPTP client with the software You are using.

The router in this example:

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X – disabled
0 name=”ex” service=pptp caller-id=”" password=”lkjrht” profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==”"

[admin@RemoteOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X – disabled, D – dynamic, R – running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>

And the server must be enabled:

[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface pptp-server server>

Finally, the proxy APR must be enabled on the ‘Office’ interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X – disabled, R – running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>

ref: http://www.mikrotik.com/documentation//manual_2.7/Interface/PPTP.html

keywords:PPTP mikrotik, vpn

Read More...

How to configure LINUX point to point tunneling PPTP VPN client for Microsoft PPTP vpn server

With this tip you will be able to work from home using VPN and that too from Linux / FreeBSD system for the proprietary Microsoft Point-to-Point vpn server.

Different organization uses different VPN connection options such as SSL, PPTP or IPSEC. When you need to access corporate network and its services, you need to login using VPN.

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. It works on Data link layer (#2 layer) on TCP/IP model. Personally I prefer IPSEC. PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers.

But many originations use PPTP because it is easy to use and works with Windows, Mac OS X, Linux/*BSD and other handled devices.

Compatibility note

I’ve tested instructions and pptp on:
[a] CentOS / RHEL / Fedora Core Linux running 2.6.15+ kernel
[b] Ubuntu and Debian Linux running 2.6.15+ kernel
[c] FreeBSD etc

I've found that pptp client is 100% compatible with the following servers/products:
[a] Microsoft Windows VPN Server
[b] Linux PPTP Server
[c] Cisco PIX etc

How do I install PPTP client under Linux?

By default most distro installs PPTP client called PPTP-linux which is the client for the proprietary Microsoft Point-to-Point Tunneling. Use apt-get or yum command to install pptp client:
$ sudo apt-get install pptp-linux network-manager-pptp
Fedora Core user can install client using rpm command:
# rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm
# yum --enablerepo=pptp-stable install pptpconfig


[a] network-manager-pptp or pptpconfig - A gui network management framework (PPTP plugin) for network-admin tool (frontend)
[b] pptp-linux - Point-to-Point Tunneling Protocol (PPTP) command line client

How to configure client using command line (cli)?

You need to edit / create following configuration files

• /etc/ppp/chap-secrets - Add your login name / password for authentication using CHAP. Pppd stores secrets for use in authentication in secrets files.
• /etc/ppp/peers/myvpn-name - A dialup connection authenticated with PAP / CHAP configuration file. You need to add your dialup server name and other information in this file.

Sample configuration data

1. PPTP server name: pptp.vpn.nixcraft.com
2. VPN User Name : vivek
3. VPN Password: VpnPassword
4. Connection name: delhi-idc-01

Open /etc/ppp/chap-secrets file:
# vi /etc/ppp/chap-secrets
OR
$ sudo vi /etc/ppp/chap-secrets
Append line as follows:
vivek PPTP VpnPassword *

Save and close the file.

Create a connection file called /etc/ppp/peers/delhi-idc-01 (replace delhi-idc-01 with your connection name such as office or vpn):
# vi /etc/ppp/peers/delhi-idc-01
Append configuration data as follows:
pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd"
name vivek
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam delhi-idc-01


Close and save the file. Where,

• pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd": Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.). In this case we are using pptp client to establishes the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). pptp.vpn.nixcraft.com is my host name (or IP address) for the PPTP server. --nolaunchpppd option means do not launch pppd but use stdin as the network connection. Use this flag when including pptp as a pppd connection process using the pty option.
• name vivek: VPN username
• remotename PPTP: Set the assumed name of the remote system for authentication purposes to name. If you don't know name ask to network administrator
• require-mppe-128: Require the use of MPPE, with 128-bit encryption. You must encrypt traffic using encryption.
• file /etc/ppp/options.pptp: Read and apply all pppd options from options.pptp file. Options used by PPP when a connection is made by a PPTP client.
• ipparam delhi-idc-01 : Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts (optional).

Route traffic via ppp0

To route traffic via PPP0 interface add following route command to /etc/ppp/ip-up.d/route-traffic
# vi /etc/ppp/ip-up.d/route-traffic
Append following sample code (modify NET an IFACE as per your requirments):
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}
Save and close the file:
# chmod +x /etc/ppp/ip-up.d/route-traffic

Task: connect to PPTP server

Now you need to dial out to your office VPN server. This is the most common use of pppd. This can be done with a command such as:
# pppd call delhi-idc-01
If everything is went correctly you should be online and ppp0 should be up. Remote server will assign IP address and other routing information. Here is the message from my /var/log/messages file:
# tail -f /var/log/messages
Output:

Jun 11 23:38:00 vivek-desktop pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Connect: ppp0 <--> /dev/pts/4
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local  IP address 10.5.3.44
Jun 11 23:38:05 vivek-desktop pppd[30088]: remote IP address 10.0.5.18

Task: Disconnect PPTP server vpn connection

Simply kill pppd service, enter:
# killall pppd
OR
# kill {pppd-PID}

How to configure PPTP client using GUI tools?

If you are using Debian / Ubuntu, just click on Network configuration Icon on taskbar > VPN Connection > Configure VPN > Add:

Select PPTP tunnel > Forward:

Enter Connection Name, VPN Server / Gateway hostname/IP address > Click on diffrent tabs to configure other parameters > Forward >

Save and close the dialog box. To connect via VPN click on Network Icon > Select VPN Connection > Connection name (Mumbai VSNL IDC) > Enter your VPN username and password and click on Ok.

If you are using Fedora core Linux, run pptpconfig as root and just follow on screen instructions:
# pptconfig &

Troubleshooting hints

If the connection fails, you might need to gather more information and try out following troubleshooting tips.

Q. I'm authenticated successfully but cannot route traffic..

A. Use route command to add route manually:
# ip route add {NETWORK} dev ppp0
# ip route add 10.0.0.0/8 dev ppp0
Or use route command:
# route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0

Q. I'm authenticated successfully, I can ping to remote gateway but cannot access host by name...

A. Setup correct DNS server names in /etc/resolv.conf file:
# cat /etc/resolv.conf
Output:
search nixcraft.com
nameserver 10.0.6.1
nameserver 10.0.6.2
nameserver 208.67.222.222

Q. How do I open my local network (laptop, desktop and other system) to talk with any computer behind VPN server via this local Linux ppp0 interface (i.e. act this computer as router)...?

A. Append following two rules in your existing iptables rules to turn on routing (adjust IP address range as per your setup):
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Q. Point-to-Point Encryption is not working and I'm not able to connect to remote PPTP server...

A. Make sure you are using 2.6.15 or above kernel. If you are using old kernel version upgrade to latest version and compile support for ppp_mppe kernel module. If you are using latest version, load driver using modprobe:
# modprobe ppp_mppe
# pppd call myoffice

Note: You can always get more information by reading pptp diagnosis howto here.

A note to readers

As I said earlier I prefer to use open source solution such as OpenVPN or IPsec as they are more secure. The PPTP is not secure enough for some information security policies. Next time I will write about OpenVPN and IPsec.

source: http://www.cyberciti.biz
keywords: linux PTP tunneling VPN, setting vpn client

Read More...

How to Find VPN MAC Address

The method used to find a MAC address depends on the type of network device involved. All popular network operating systems contain utility programs that allow you to find (and sometimes change) MAC address settings.

Find a MAC Address in Windows

In Windows 95, Windows 98 and Windows ME, the winipcfg utility displays the computer's MAC address. Use the ipconfig utility (with the /all option) in Windows NT and any newer versions of Windows.

Both 'winipcfg' and 'ipconfig' may display multiple MAC addresses for one computer. One MAC address exists for each installed network card. Additionally, Windows maintains one or more MAC addresses that are not associated with hardware cards.

For example, Windows dial-up networking uses virtual MAC addresses to manage the phone connection as if it were a network card. Some Windows VPN clients likewise have their own MAC address. The MAC addresses of these "virtual" network adapters are the same length and format as true hardware addresses.

Find a MAC Address in Unix or Linux

The specific command used in Unix to find a MAC address varies depending on the version of the operating system. In Linux and in some forms of Unix, the command "ifconfig -a" returns MAC addresses.

You can also find MAC addresses in Unix and Linux in the boot message sequence. These operating systems display the computer's MAC address on-screen as the system reboots. Additionally, boot-up messages are retained in a log file (usually "/var/log/messages" or "/var/adm/messages").

Find a MAC Address on the Macintosh

You can find MAC addresses on the Macintosh in the TCP/IP Control Panel. If the system is running Open Transport, the MAC address appears under the "Info" or "User Mode/Advanced" screens. If the system is running MacTCP, the MAC address appears under the "Ethernet" icon.

Read More...

Secure Socket Layer a.k.a SSL

SSL is one method of data encryption in a communication made by Netscape Communications Corporation. As described in the SSL Protocol Internet Draft (The SSL Protocol, Version 3.0 by ALAN O. Freier and Paul C. Kocher, can you open the http://home.netscape.com/eng/ssl3/ssl-toc.html.

SSL is a layered protocol. In each layers, consisting of a long data, descriptions and content. SSL retrieve data to be sent, broken into blocks of order, then compressed, if necessary, apply the MAC, encrypted, and the results delivered. At the destination, data is decrypted, verified, decompress, and reassembled. The result is sent to the client on it. (free translation).

SSL will encrypt only data that is sent via http. How SSL walking can be described as follows:

* At the time the connection started to walk, the client and server create and share a secret key, which is used to encrypt data to be communicated. Although the session between the client and the server diintip other parties, but the data seem difficult to read because it is encrypted.
* SSL support public key cryptography, so the server can authenticate with the method commonly known as RSA and Digital Signature Standard (DSS).
* SSL may verify the integrity of the current session by using a digest algorithm such as MD5 and SHA. This avoids a session hijacking.

Read More...

Remote Accees Servers a.k.a RAS

Remote Access Server (RAS) is the gateway used to access a server located in a particular domain name is positioned behind the RAS using public telephone network access Switch Telephone Network (PSTN).

Read More...

VPN over IPsec vs SSL

In years gone by if a remote office needed to connect with a central computer or network at company headquarters it meant installing dedicated leased lines between the locations. These dedicated leased lines provided relatively fast and secure communications between the sites, but they were very costly.

To accommodate mobile users companies would have to set up dedicated dial-in remote access servers (RAS). The RAS would have a modem, or many modems, and the company would have to have a phone line running to each modem. The mobile users could connect to the network this way, but the speed was painstakingly slow and made it difficult to do much productive work.

With the advent of the Internet much of that has changed. If a web of servers and network connections already exists, interconnecting computers around the globe, then why should a company spend money and create administrative headaches by implementing dedicated leased lines and dial-in modem banks. Why not just use the Internet?

Well, the first challenge is that you need to be able to choose who gets to see what information. If you simply open up the whole network to the Internet it would be virtually impossible to implement an effective means of keeping unauthorized users from gaining access to the corporate network. Companies spend tons of money to build firewalls and other network security measures aimed specifically at ensuring that nobody from the public Internet can get into the internal network.

How do you reconcile wanting to block the public Internet from accessing the internal network with wanting your remote users to utilize the public Internet as a means of connecting to the internal network? You implement a Virtual Private Network (VPN). A VPN creates a virtual “tunnel” connecting the two endpoints. The traffic within the VPN tunnel is encrypted so that other users of the public Internet can not readily view intercepted communications.

By implementing a VPN, a company can provide access to the internal private network to clients around the world at any location with access to the public Internet. It erases the administrative and financial headaches associated with a traditional leased line wide-area network (WAN) and allows remote and mobile users to be more productive. Best of all, if properly implemented, it does so without impacting the security and integrity of the computer systems and data on the private company network.

Traditional VPN’s rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works on the Network Layer of the OSI Model- securing all data that travels between the two endpoints without an association to any specific application. When connected on an IPSec VPN the client computer is “virtually” a full member of the corporate network- able to see and potentially access the entire network.

The majority of IPSec VPN solutions require third-party hardware and / or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed. This is both a pro and a con.

The pro is that it provides an extra layer of security if the client machine is required not only to be running the right VPN client software to connect to your IPSec VPN, but also must have it properly configured. These are additional hurdles that an unauthorized user would have to get over before gaining access to your network.

The con is that it can be a financial burden to maintain the licenses for the client software and a nightmare for tech support to install and configure the client software on all remote machines- especially if they can’t be on site physically to configure the software themselves.

It is this con which is generally touted as one of the largest pros for the rival SSL (Secure Sockets Layer) VPN solutions. SSL is a common protocol and most web browsers have SSL capabilities built in. Therefore almost every computer in the world is already equipped with the necessary “client software” to connect to an SSL VPN.

Another pro of SSL VPN’s is that they allow more precise access control. First of all they provide tunnels to specific applications rather than to the entire corporate LAN. So, users on SSL VPN connections can only access the applications that they are configured to access rather than the whole network. Second, it is easier to provide different access rights to different users and have more granular control over user access.

A con of SSL VPN’s though is that you are accessing the application(s) through a web browser which means that they really only work for web-based applications. It is possible to web-enable other applications so that they can be accessed through SSL VPN’s, however doing so adds to the complexity of the solution and eliminates some of the pros.

Having direct access only to the web-enabled SSL applications also means that users don’t have access to network resources such as printers or centralized storage and are unable to use the VPN for file sharing or file backups.

SSL VPN’s have been gaining in prevalence and popularity; however they are not the right solution for every instance. Likewise, IPSec VPN’s are not suited for every instance either. Vendors are continuing to develop ways to expand the functionality of the SSL VPN and it is a technology that you should watch closely if you are in the market for a secure remote networking solution. For now, it is important to carefully consider the needs of your remote users and weigh the pros and cons of each solution to determine what works best for you.

source: about.com

Read More...