VPN Setup
Hi, I plan to set up a VPN gateway using OpenVPN. However, the setup is a little bit weird. Here it is:

Priv. Network A <-> FreeBSD Server <-> Linksys Router (NAT) <-- INTERNET --> Cisco VPN Concentrator --> Priv. Network B (OpenVPN Gateway)

I'm a newbie in this kind of thing, so I would appreciate it very much if anyone can tell me what is wrong with this setup. You may be wondering why the Linksys router is still there when the FreeBSD server can serve as the router as well. The answer is very much convoluted and I'd rather not go into it now. :-( By the way, the Linksys router can do port forwarding.

My big question is: is the above setup feasible, and if so, could you send me some references (on the Internet) where I can find more info/solutions on this problem?

thanks,
Rene
VPN Setup
Hello,

Our firewall is running FreeBSD 3.4-RELEASE #3, and I need to set up a VPN connection. Are there step-by-step instructions on how to do this? I am new at this.

Thanks,
Marcos
VPN setup question
Hi everyone. I'm looking for a tutorial on how to set up a VPN server on FreeBSD. Since I'm unfamiliar with VPN, a guide that is as simple as possible would be preferred. Thanks in advance for any help you can offer.
Re: VPN setup question
hi...

> Hi everyone. I'm looking for a tutorial on how to set up a VPN server on FreeBSD. Since I'm unfamiliar with VPN, a guide that is as simple as possible would be preferred. Thanks in advance for any help you can offer.

First you should consider the following questions:
- what kind of VPN do you want to use? (SSL or IPSec based)
- what kind of authentication? (user or certificate based)
- what kind of traffic do you want to protect?
- do you want to transport data between two hosts, from host-to-network, or network-to-network?

regards
olli
Re: VPN setup question
At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:

> first you should consider the following questions:
> - what kind of VPN do you want to use? (SSL or IPSec based)

From what I remember of my security training years ago, IPSec was always better. So I'd likely go with that.

> - what kind of authentication? (user or certificate based)

Definitely user, unless you think certificate is better.

> - what kind of traffic do you want to protect?

Everything if possible. Basically I'm trying to create a protected Internet connection by using the VPN to allow me to connect to my VPN server at my home office over an insecure public connection. I would then use that VPN connection to securely surf the web from anywhere in the US or the world.

> - do you want to transport data between two hosts, from host-to-network, or network-to-network?

I'm not sure which would be best. Can you suggest one based on the previous answer? Thanks.
Re: VPN setup question
On Sun, May 18, 2008 at 06:02:14PM -0400, Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
>
> > - what kind of traffic do you want to protect?
>
> Everything if possible. Basically I'm trying to create a protected Internet connection by using the VPN to allow me to connect to my VPN server at my home office over an insecure public connection. I would then use that VPN connection to securely surf the web from anywhere in the US or the world.

From what I'm reading, it looks like you want a secure proxy rather than a VPN, per se. SSH can be used to provide that functionality very simply:

http://blogs.techrepublic.com.com/security/?p=408

That explains how to use SSH for remote proxy service with Firefox, but it's simple enough to do the same thing with Pidgin for IMs and a number of other applications. Would that solve the problems you want solved?

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when it becomes necessary to shoot the engineers and begin production."
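Chad's suggestion above, as an added example that is not part of the original post: the ssh command that opens a local SOCKS listener, the Firefox preferences that point the browser at it, and a check for the one setting people forget. Without network.proxy.socks_remote_dns the browser still resolves every host name through the local (untrusted) network's resolver, so the sites being visited leak even though the page bodies travel over SSH. The user and host steve@home.example.net, port 1080 and the temporary file names are assumptions; the home server's sshd has to permit TCP forwarding (AllowTcpForwarding, on by default), and only applications configured to use the proxy are covered, everything else still leaves the laptop directly.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds and audits a
# "secure proxy over SSH" setup for a roaming laptop.

# Command line for the tunnel.  -N: no remote shell, -D: dynamic (SOCKS)
# forward bound to loopback only so other hosts on the coffee-shop LAN
# cannot use it, ExitOnForwardFailure: die rather than run without the
# forward, ServerAliveInterval: notice a dead link instead of hanging.
socks_proxy_cmd() {
    user_host=$1; local_port=${2:-1080}
    printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s\n' \
        "$local_port" "$user_host"
}

# Firefox user.js lines for the proxy.  socks_remote_dns=true makes the
# browser hand the host name to the SOCKS5 listener, which resolves it
# on the home server end, instead of resolving it locally first.
firefox_socks_prefs() {
    local_port=${1:-1080}
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", ${local_port});
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Audit an existing prefs file (prefs.js or user.js): exit 0 when it
# uses a manual proxy AND remote DNS, 1 when either is missing.
firefox_prefs_leakfree() {
    f=$1
    grep -q 'network.proxy.type", 1' "$f" &&
    grep -q 'network.proxy.socks_remote_dns", true' "$f"
}

# Usage (assumed host):
#   eval "$(socks_proxy_cmd steve@home.example.net 1080)" &
#   firefox_socks_prefs 1080 >> ~/.mozilla/firefox/<profile>/user.js
#   firefox_prefs_leakfree ~/.mozilla/firefox/<profile>/prefs.js || echo "DNS leaks"
```

The audit is worth running after any Firefox upgrade or profile reset, since a new profile silently reverts to "no proxy" and the tunnel keeps running while nothing uses it.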
Re: VPN setup question
> From what I'm reading, it looks like you want a secure proxy rather than a VPN, per se. SSH can be used to provide that functionality very simply:
>
> http://blogs.techrepublic.com.com/security/?p=408
>
> That explains how to use SSH for remote proxy service with Firefox, but it's simple enough to do the same thing with Pidgin for IMs and a number of other applications. Would that solve the problems you want solved?

Hmm, this may just work. I never thought of using an SSH remote proxy before. I'll definitely look into it and see if that does the job for me. Thanks.
Re: VPN setup question
On Sun, May 18, 2008 at 08:35:26PM -0400, Steve Lake wrote:
> > From what I'm reading, it looks like you want a secure proxy rather than a VPN, per se. SSH can be used to provide that functionality very simply:
> >
> > http://blogs.techrepublic.com.com/security/?p=408
> >
> > That explains how to use SSH for remote proxy service with Firefox, but it's simple enough to do the same thing with Pidgin for IMs and a number of other applications. Would that solve the problems you want solved?
>
> Hmm, this may just work. I never thought of using an SSH remote proxy before. I'll definitely look into it and see if that does the job for me. Thanks.

Glad to be of service. Sometimes, the answer we really need is easier than the one we think we need.

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
John Kenneth Galbraith: "If all else fails, immortality can always be assured through spectacular error."
Re: VPN setup question
Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
> > first you should consider the following questions:
> > - what kind of VPN do you want to use? (SSL or IPSec based)
>
> From what I remember of my security training years ago, IPSec was always better. So I'd likely go with that.
>
> > - what kind of authentication? (user or certificate based)
>
> Definitely user, unless you think certificate is better.
>
> > - what kind of traffic do you want to protect?
>
> Everything if possible. Basically I'm trying to create a protected Internet connection by using the VPN to allow me to connect to my VPN server at my home office over an insecure public connection. I would then use that VPN connection to securely surf the web from anywhere in the US or the world.
>
> > - do you want to transport data between two hosts, from host-to-network, or network-to-network?
>
> I'm not sure which would be best. Can you suggest one based on the previous answer? Thanks.

If you're going to do this with IPSec it should be fairly simple to set up the connection. Given that you control both ends of the IPSec tunnel, you can just use a shared secret.

You need to set up some security policy definitions using setkey(1) -- the man page is full of acronyms and jargon, but what setkey does is define what traffic should be encrypted based on the endpoint IPs, port numbers and some other data. [Note: in order for setkey to work, you need a kernel config with options IPSEC added.]

Finally, the third part of setting up an IPSec connection is to configure a method of key exchange -- this is the only part not actually built into the system, so you should install ipsec-tools or equivalent from ports.

On the question of tunnel vs transport mode -- most of the tutorials you can find on the net are all about setting up /tunnel/ mode -- ie. to use a pair of routers as IPSec endpoints to connect two private networks. In your case, I think you do need tunnel mode, despite it requiring a degenerate form of network with only one host at each end -- something that naturally screams transport mode -- since you need the capability to route traffic from elsewhere via the VPN link.

Two handy references:

Setting up a simple transport mode tunnel between two hosts:
http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html

Step by step guide to setting up a tunnel:
http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

It's a bit dated now, as the kernel configuration instructions apply to pre-6.x systems. In 7.0+ (which uses what was previously called FAST_IPSEC), all you need is to add the following:

device crypto
device cryptodev
options IPSEC

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard, Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate, Kent, CT11 9PW
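The three pieces Matthew lists (an SPD loaded with setkey, racoon from ipsec-tools for IKE, a pre-shared key), as an added example that is not part of the original reply or any FreeBSD documentation. It generates the gateway and client sides of the "degenerate" tunnel he describes: one host on the road, 0.0.0.0/0 behind the gateway. All addresses are assumptions: 198.51.100.1 is the gateway's public address, 203.0.113.5 the client's public address (fixed here; a client whose address changes needs a different racoon `remote` stanza that this example does not show), and 10.8.0.2 a private address the client uses inside the tunnel. The inner address is deliberate: if the selector were the client's public /32 against 0.0.0.0/0, the IKE packets between the two public addresses would themselves match a policy that demands ESP, and no SA could ever be negotiated. The client must have 10.8.0.2 configured and source its traffic from it, and the gateway must forward and NAT 10.8.0.2 towards the Internet; neither of those steps is shown.

```shell
#!/bin/sh
# Added example, not code from the thread: policy and IKE configuration
# for a one-host-to-network IPsec tunnel.  setkey(8) syntax for the SPD,
# racoon (ipsec-tools) syntax for IKE with a pre-shared key.  Addresses
# are assumptions chosen for illustration.

# SPD entries for one side.  $1 is "gateway" or "client", $2 the client's
# inner address, $3 the client's public address, $4 the gateway's public
# address.  The two sides differ only in which direction is "in".
ipsec_spd_policy() {
    side=$1; inner=$2; client=$3; gw=$4
    case $side in
        gateway) from_client=in;  to_client=out ;;
        client)  from_client=out; to_client=in ;;
        *) echo "side must be gateway or client" >&2; return 1 ;;
    esac
    cat <<EOF
flush;
spdflush;
spdadd ${inner}/32 0.0.0.0/0 any -P ${from_client} ipsec esp/tunnel/${client}-${gw}/require;
spdadd 0.0.0.0/0 ${inner}/32 any -P ${to_client} ipsec esp/tunnel/${gw}-${client}/require;
EOF
}

# racoon.conf for one peer ($1) with the PSK file at $2.  Main mode (the
# identities are not sent in the clear), AES, SHA-1, group 2 and PFS;
# lifetimes keep a single key from being used for days.
racoon_conf() {
    peer=$1; pskfile=$2
    cat <<EOF
path pre_shared_key "${pskfile}";

remote ${peer} {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# psk.txt is "<peer identifier><whitespace><secret>".  racoon refuses a
# world-readable key file, so create it with mode 0600 from the start.
write_psk() {
    peer=$1; secret=$2; file=$3
    ( umask 077; printf '%s\t%s\n' "$peer" "$secret" > "$file" )
}

# Check the key file is owner-only (portable: inspect ls output).
psk_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage on the gateway (assumed addresses and paths):
#   ipsec_spd_policy gateway 10.8.0.2 203.0.113.5 198.51.100.1 > /etc/ipsec.conf
#   setkey -f /etc/ipsec.conf
#   racoon_conf 203.0.113.5 /usr/local/etc/racoon/psk.txt > /usr/local/etc/racoon/racoon.conf
#   write_psk 203.0.113.5 "$(head -c 32 /dev/random | od -An -tx1 | tr -d ' \n')" \
#       /usr/local/etc/racoon/psk.txt
# The client runs the same with "client" as the first argument and the
# gateway's address as the racoon peer.
```

After loading both sides, `setkey -DP` shows the policies and `setkey -D` shows the SAs racoon has negotiated; if the policies are present but no SA appears, the IKE exchange is what to debug (run racoon with -F -d on one side), not the policy.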
VPN setup problem - proxy arp I think
Hi all,

I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to set up my VPN. However, I'm having a problem which I think is proxy ARP not working. I'd like to ask you to see if you know what's going on. When I ping 10.77.1.1 from the Windows XP machine the packets get to the 10.77.1.1 machine, but they don't have a return path to get back. When I ping the Windows machine from 10.77.1.1 I get:

ping: sendto: Host is down

When I add a static route to 10.77.1.1 the machines can talk to each other (route add 10.77.1.50/32 10.77.1.2). But I don't think I need to set up a static route if proxy ARP worked!

I've included my config files in this email. Please note that I get a message back saying "[pptp1] no interface to proxy arp on for 10.77.1.50". Could this be my problem? How can I fix it?

Thanks very much,
~koroush

=
My network looks as follows:

FreeBSD 4.6
IP 10.77.1.1/24
  |
  |
fxp0: 10.77.1.2/24
FreeBSD 4.8 (DELL2) (only 1 network card)
ng0: 10.77.13
  |
  |
Windows XP machine with tunnel.
10.77.1.50

==
Config files for DELL2:

DELL2# ifconfig -a
fxp0: flags=8843 mtu 1500
        inet 129.197.244.10 netmask 0xfff0 broadcast 129.197.244.15
        inet 10.0.0.249 netmask 0xff00 broadcast 10.0.0.255
        inet 10.77.1.2 netmask 0xff00 broadcast 10.77.1.255
        inet 10.77.2.2 netmask 0xff00 broadcast 10.77.2.255
        inet 10.77.3.2 netmask 0xff00 broadcast 10.77.3.255
        inet 10.77.4.2 netmask 0xff00 broadcast 10.77.4.255
        inet 10.77.5.2 netmask 0xff00 broadcast 10.77.5.255
        ether 00:07:e9:87:ca:4f
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00
lo1: flags=8008 mtu 16384
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
ng0: flags=88d1 mtu 1256
        inet 10.77.1.2 --> 10.77.1.50 netmask 0x
ng1: flags=8890 mtu 1500
ng2: flags=8890 mtu 1500
ng3: flags=8890 mtu 1500
ng4: flags=8890 mtu 1500

===
DELL2# pwd
/usr/local/etc/mpd
DELL2# cat mpd.conf
default:
        load client1
        load client2
        load client3
        load client4
        load client5

pptp_common_settings:
        set link type pptp
        set pptp enable incoming
        set pptp disable originate
        set iface disable on-demand
        set iface enable proxy-arp
#       set iface idle 1800
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
#       set link keep-alive 10 60
        set link mtu 1260
        set ipcp yes vjcomp
#       set ipcp ranges 10.77.1.1/32 10.77.1.50/32
#       set ipcp dns 10.77.1.1
#       set ipcp nbns 10.77.1.1
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
#       set ccp yes mpp-e128
        set ccp yes mpp-stateless

client1:
        new -i ng0 pptp1 pptp1
        set ipcp range 10.77.1.2/24 10.77.1.50/24
        load pptp_common_settings

client2:
        new -i ng1 pptp2 pptp2
        set ipcp range 10.77.2.2/32 10.77.2.50/32
        load pptp_common_settings

client3:
        new -i ng2 pptp3 pptp3
        set ipcp range 10.77.3.3/32 10.77.3.50/32
        load pptp_common_settings

client4:
        new -i ng3 pptp4 pptp4
        set ipcp range 10.77.4.3/32 10.77.4.50/32
        load pptp_common_settings

client5:
        new -i ng4 pptp5 pptp5
        set ipcp range 10.77.5.3/32 10.77.5.50/32
        load pptp_common_settings

DELL2#
=
DELL2# cat mpd.secret
demo1 "demo1" 10.77.1.50/24
demo2 "demo2" 10.77.2.50/24
demo3 "demo3" 10.77.3.50/24
demo4 "demo4" 10.77.4.50/24
demo5 "demo5" 10.77.5.50/24

RUN TIME
DELL2# mdp default
mdp: Command not found.
DELL2# mpd default
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 281, version 3.13 ([EMAIL PROTECTED] 09:44 23-Jun-2003)
[pptp1] ppp node is "mpd281-pptp1"
mpd: local IP address for PPTP is 129.197.244.10
[pptp1] using interface ng0
[pptp1] device type already set to pptp
[pptp2] ppp node is "mpd281-pptp2"
[pptp2] using interface ng1
[pptp2] device type already set to pptp
[pptp3] ppp node is "mpd281-pptp3"
[pptp3] using interface ng2
[pptp3] device type already set to pptp
[pptp4] ppp node is "mpd281-pptp4"
[pptp4] using interface ng3
[pptp4] device type already set to pptp
[pptp5] ppp node is "mpd281-pptp5"
[pptp5] using interface ng4
[pptp5] device type already set to pptp
[pptp5:pptp5]
mpd: PPTP connection from 129.197.244.12:1127
pptp0: attached to connection with 129.197.244.12:1127
[pptp1] IFACE: Open event
[pptp1] IPCP: Open event
[pptp1] IPCP: state change Initial --> Starting
[pptp1] IPCP: LayerStart
[pptp1] IPCP: Open event
[pptp1] bundle: OPEN event in state CLOSED
[pptp1] opening link "pptp1"...
[pptp1] link: OPEN event
[pptp1] LCP: Open ev
RE: VPN setup problem - proxy arp I think
Set gateway="YES" in rc.conf and reboot. Then look into ipfw so you don't end up passing bogus traffic.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Koroush Saraf
> Sent: Monday, June 30, 2003 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: VPN setup problem - proxy arp I think
>
> Hi all,
>
> I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to set up my VPN. However, I'm having a problem which I think is proxy ARP not working. I'd like to ask you to see if you know what's going on. When I ping 10.77.1.1 from the Windows XP machine the packets get to the 10.77.1.1 machine, but they don't have a return path to get back. When I ping the Windows machine from 10.77.1.1 I get:
>
> ping: sendto: Host is down
>
> When I add a static route to 10.77.1.1 the machines can talk to each other (route add 10.77.1.50/32 10.77.1.2). But I don't think I need to set up a static route if proxy ARP worked!
>
> I've included my config files in this email. Please note that I get a message back saying "[pptp1] no interface to proxy arp on for 10.77.1.50". Could this be my problem? How can I fix it?
>
> Thanks very much,
> ~koroush
>
> [...]
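The two things the reply above asks for, forwarding on and ipfw keeping the tunnel interfaces honest, as an added example that is not part of the thread. The rc.conf knob that turns on forwarding at boot is spelled gateway_enable in rc.conf(5), and the live kernel setting it controls is net.inet.ip.forwarding. The interface names and addresses (ng0, 10.77.1.50, 10.77.1.0/24) are taken from Koroush's posted configuration; the rule numbers, the rc.conf and arp -an sample lines, and the file paths are assumptions constructed for the example. The ipfw rules are per-tunnel anti-spoofing: a PPTP client may only inject packets from the address mpd assigned to it, and only towards the LAN, so a compromised laptop cannot spray traffic at the rest of the network with a borrowed source address.

```shell
#!/bin/sh
# Added example, not code from the thread: checks and firewall rules for
# an mpd PPTP gateway that must forward between its ng* interfaces and
# the LAN.  Sample inputs in the usage block are constructed.

# Does an rc.conf file (given as $1) enable forwarding at boot?
rc_gateway_enabled() {
    grep -Eq '^[[:space:]]*gateway_enable="?YES"?' "$1"
}

# Is the running kernel forwarding right now?  (FreeBSD only; on other
# systems the sysctl name does not exist and this returns false.)
forwarding_on() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = 1 ]
}

# Given saved "arp -an" output in $1, is $2 published (proxy ARP) on
# some interface?  mpd's "no interface to proxy arp on" message means
# no such entry will exist and the LAN side cannot find the client.
proxy_arp_published() {
    grep -q "($2) at .* published" "$1"
}

# Emit ipfw rules for one tunnel interface $1 whose client was assigned
# address $2 and may reach LAN $3; $4 is the first rule number.  Anything
# not from the client's own address, or not towards the LAN, is logged
# and dropped in both directions.
tunnel_rules() {
    iface=$1; client=$2; lan=$3; base=$4
    cat <<EOF
add ${base} allow ip from ${client} to ${lan} in via ${iface}
add $((base + 1)) deny log ip from any to any in via ${iface}
add $((base + 2)) allow ip from ${lan} to ${client} out via ${iface}
add $((base + 3)) deny log ip from any to any out via ${iface}
EOF
}

# Usage (assumed paths and rule numbers):
#   rc_gateway_enabled /etc/rc.conf || echo 'add gateway_enable="YES" to /etc/rc.conf'
#   forwarding_on || sysctl net.inet.ip.forwarding=1
#   arp -an > /tmp/arp.out; proxy_arp_published /tmp/arp.out 10.77.1.50 || echo "not published"
#   tunnel_rules ng0 10.77.1.50 10.77.1.0/24 1000 > /tmp/ng0.rules; ipfw -q /tmp/ng0.rules
```

With five tunnels as in the posted mpd.conf, call tunnel_rules once per ngN with a distinct base number (1000, 1010, ...) so the blocks do not overlap; the deny rules carry `log` so a client that starts sending from the wrong address shows up in the ipfw log rather than silently disappearing.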
VPN setup with OpenVPN (was: mpd pptp server?)
On Sun, Mar 23, 2008 at 10:45:57PM +0100, Jon Theil Nielsen wrote:
> 2008/3/23, Alex de Kruijff <[EMAIL PROTECTED]>:
> > On Wed, Mar 19, 2008 at 12:43:58AM +0100, Jon Theil Nielsen wrote:
> > > I have tried some different ways to make a working VPN server on FreeBSD 7.0. The main goal is to make it possible for Windows clients to access their Samba home shares. I'm not sure if mpd is the best solution, but I will give it a try. I have installed /usr/ports/mpd4 and have the following configuration:
> >
> > I run openvpn on FreeBSD and Windows XP.
>
> I have now succeeded in establishing connections from Windows to a VPN server based on mpd4. But it has some severe limitations: I have to define every single connection in the conf file (not a major problem). And I don't see any option to authenticate against either UNIX or Samba passwords. Is that different with openvpn? Could you give some brief hints on the configuration or maybe a reference to a useful howto?

Giving you the program name ought to be enough of a hint.
http://www.google.com/search?q=openvpn

The openvpn site has a very nice howto. I can tell you the setup I have. I don't authenticate against UNIX or Samba passwords. I don't see what good it will do to require such authentication. It might even pose a security risk. It might be possible. I do use certificates (standard) so I can cut off machines. Users need to authenticate when they connect to the services of a machine. I have a firewall on each computer. I have a VPN tunnel between sites and a road warrior setup for laptops. And I have a setup that allows me to take a server down without disrupting traffic flow between sites.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/
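The shape of the setup Alex describes, as an added example that is neither his configuration nor anything from his howtos: certificate authentication on both sides, so a lost laptop is cut off by revoking its certificate and publishing a CRL rather than by changing a password, a tls-auth key so unauthenticated packets are dropped before the TLS handshake, and two servers listed on the road-warrior client so one can be taken down without the client losing its link. Host names (vpn1.example.net, vpn2.example.net), the 10.8.0.0/24 tunnel subnet, file paths and the OpenVPN version (2.1 or later, for remote-cert-tls) are assumptions; producing ca.crt, the certificates, ta.key and crl.pem with the CA tooling is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread: OpenVPN server and road-warrior
# client configurations with certificate authentication, a CRL so
# individual machines can be cut off, and server redundancy on the client.
# All names, paths and addresses are assumptions.

# Server configuration for tunnel subnet $1 (a /24).  crl-verify makes a
# revoked client certificate fail at the handshake; tls-auth drops packets
# that do not carry the shared HMAC before any TLS code runs; the daemon
# drops root after start-up.
openvpn_server_conf() {
    subnet=$1
    cat <<EOF
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh2048.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
crl-verify /usr/local/etc/openvpn/crl.pem
server ${subnet} 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Client configuration that knows every server given as an argument.
# remote-random spreads clients across servers; resolv-retry infinite
# keeps trying when the laptop has no DNS yet; remote-cert-tls refuses
# to talk to a peer whose certificate is not marked as a server, so a
# stolen client certificate cannot impersonate the gateway.
openvpn_client_conf() {
    cat <<EOF
client
dev tun
proto udp
EOF
    for host in "$@"; do
        printf 'remote %s 1194\n' "$host"
    done
    cat <<EOF
remote-random
resolv-retry infinite
nobind
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Usage (assumed names):
#   openvpn_server_conf 10.8.0.0 > /usr/local/etc/openvpn/openvpn.conf
#   openvpn_client_conf vpn1.example.net vpn2.example.net > laptop.ovpn
```

Revoking a laptop means regenerating crl.pem on the CA and copying it to every server; OpenVPN re-reads the file at each new connection, so no restart is needed, but an already established session is not torn down until it renegotiates or the client is disconnected.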