diff --git a/Shorewall-docs/PPTP.xml b/Shorewall-docs/PPTP.xml new file mode 100644 index 000000000..683d3706e --- /dev/null +++ b/Shorewall-docs/PPTP.xml @@ -0,0 +1,1407 @@ + + +
+ + PPTP + + + + Tom + + Eastep + + + + 2003-11-22 + + + 2001 + + 2002 + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + + + + Shorewall easily supports PPTP in a number of configurations. + + + +
+ Overview + + + I am no longer attempting to maintain MPPE patches for current + Linux kernel's and pppd. I recommend that you refer to the following + URLs for information about installing MPPE into your kernel and pppd. + + + The Linux PPTP client + project has a nice GUI for configuring and managing VPN + connections where your Linux system is the PPTP client. This is what I + currently use. I am no longer running PoPToP but rather I use the PPTP + Server included with XP Professional (see PPTP Server running behind your Firewall + below). + + + + http://pptpclient.sourceforge.net + + + Everything you need to run a PPTP client. + + + + + http://www.poptop.org + + + The 'kernelmod' package can be used to quickly install + MPPE into your kernel without rebooting. + + + + + I am leaving the instructions for building MPPE-enabled kernels and + pppd in the text below for those who may wish to obtain the relevant + current patches and "roll their own". +
+ +
+ PPTP Server Running on your Firewall + + I will try to give you an idea of how to set up a PPTP server on + your firewall system. This isn't a detailed HOWTO but rather an + example of how I have set up a working PPTP server on my own firewall. + + The steps involved are: + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Patching and building pppd + + To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The + primary site for releases of pppd is ftp://ftp.samba.org/pub/ppp. + + You will need the following patches: + + + http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz + + http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz + + + You may also want the following patch if you want to require + remote hosts to use encryption: + + + ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff + + + Un-tar the pppd source and uncompress the patches into one + directory (the patches and the ppp-2.4.1 directory are all in a single + parent directory): + + cd ppp-2.4.1 +patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch +patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch +(Optional) patch -p1 < ../require-mppe.diff +./configure +make + + You will need to install the resulting binary on your firewall + system. To do that, I NFS mount my source filesystem and use "make + install" from the ppp-2.4.1 directory. +
+ +
+ Patching and building your Kernel + + You will need one of the following patches depending on your + kernel version: + + + http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz + + http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz + + + Uncompress the patch into the same directory where your top-level + kernel source is located and: + + cd <your GNU/Linux source top-level directory> +patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch + + Now configure your kernel. Here is my ppp configuration: + + +
+ +
+ Configuring Samba + + You will need a WINS server (Samba configured to run as a WINS + server is fine). Global section from /etc/samba/smb.conf on my WINS + server (192.168.1.3) is: + + [global] + workgroup = TDM-NSTOP + netbios name = WOOKIE + server string = GNU/Linux Box + encrypt passwords = Yes + log file = /var/log/samba/%m.log + max log size = 0 + socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 + os level = 65 + domain master = True + preferred master = True + dns proxy = No + wins support = Yes + printing = lprng + +[homes] + comment = Home Directories + valid users = %S + read only = No + create mask = 0664 + directory mask = 0775 + +[printers] + comment = All Printers + path = /var/spool/samba + printable = Yes +
+ +
+ Configuring pppd + + Here is a copy of my /etc/ppp/options.poptop file: + + ipparam PoPToP +lock +mtu 1490 +mru 1490 +ms-wins 192.168.1.3 +ms-dns 206.124.146.177 +multilink +proxyarp +auth ++chap ++chapms ++chapms-v2 +ipcp-accept-local +ipcp-accept-remote +lcp-echo-failure 30 +lcp-echo-interval 5 +deflate 0 +mppe-128 +mppe-stateless +require-mppe +require-mppe-stateless + + + + + System 192.168.1.3 acts as a WINS server so I have included + that IP as the 'ms-wins' value. + + + + I have pointed the remote clients at my DNS server -- it has + external address 206.124.146.177. + + + + I am requiring 128-bit stateless compression (my kernel is + built with the 'require-mppe.diff' patch mentioned above. + + + + + Here's my /etc/ppp/chap-secrets: + + Secrets for authentication using CHAP +# client server secret IP addresses +CPQTDM\\TEastep * <shhhhhh> 192.168.1.7 +TEastep * <shhhhhh> 192.168.1.7 + + I am the only user who connects to the server but I may connect + either with or without a domain being specified. The system I connect + from is my laptop so I give it the same IP address when tunneled in at + it has when I use its wireless LAN card around the house. + + You will also want the following in /etc/modules.conf: + + alias ppp-compress-18 ppp_mppe +alias ppp-compress-21 bsd_comp +alias ppp-compress-24 ppp_deflate +alias ppp-compress-26 ppp_deflate +
+ +
+ Configuring pptpd + + PoPTop (pptpd) is available from http://poptop.lineo.com/. + + Here is a copy of my /etc/pptpd.conf file: + + option /etc/ppp/options.poptop +speed 115200 +localip 192.168.1.254 +remoteip 192.168.1.33-38 + + + + + I specify the /etc/ppp/options.poptop file as my ppp options + file (I have several). + + + + The local IP is the same as my internal interface's + (192.168.1.254). + + + + I have assigned a remote IP range that overlaps my local + network. This, together with 'proxyarp' in my + /etc/ppp/options.poptop file make the remote hosts look like they + are part of the local subnetwork. + + + + + I use this file to start/stop pptpd -- I have this in + /etc/init.d/pptpd: + + #!/bin/sh +# +# /etc/rc.d/init.d/pptpd +# +# chkconfig: 5 12 85 +# description: control pptp server +# + +case "$1" in +start) + echo 1 > /proc/sys/net/ipv4/ip_forward + modprobe ppp_async + modprobe ppp_generic + modprobe ppp_mppe + modprobe slhc + if /usr/local/sbin/pptpd; then + touch /var/lock/subsys/pptpd + fi + ;; +stop) + killall pptpd + rm -f /var/lock/subsys/pptpd + ;; +restart) + killall pptpd + if /usr/local/sbin/pptpd; then + touch /var/lock/subsys/pptpd + fi + ;; +status) + ifconfig + ;; +*) + echo "Usage: $0 {start|stop|restart|status}" + ;; +esac +
+ +
+ Configuring Shorewall + +
+ Basic Setup + + Here' a basic setup that treats your remote users as if they + were part of your loc zone. Note that + if your primary internet connection uses ppp0, then be sure that + loc follows net + in /etc/shorewall/zones. + + + /etc/shorewall/tunnels + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + pptpserver + + net + + 0.0.0.0/0 + + + + + +
+ + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + loc + + ppp+ + + - + + + + + +
+
+ +
+ Remote Users in a Separate Zone + + If you want to place your remote users in their own zone so that + you can control connections between these users and the local network, + follow this example. Note that if your primary internet connection + uses ppp0 then be sure that vpn + follows net in /etc/shorewall/zones + as shown below. + + + /etc/shorewall/tunnels + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + pptpserver + + net + + 0.0.0.0/0 + + + + + +
+ + + /etc/shorewall/zones + + + + + ZONE + + DISPLAY + + COMMENTS + + + + + + net + + Internet + + The Internet + + + + loc + + Local + + Local Network + + + + vpn + + VPN + + Remote Users + + + +
+ + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + net + + eth0 + + 206.124.146.255 + + norfc1918 + + + + loc + + eth2 + + 192.168.10.255 + + + + + + vpn + + ppp+ + + - + + + + + +
+ + Your policies and rules may now be configured for traffic + to/from the vpn zone. +
+ +
+ Multiple Remote Networks + + Often there will be situations where you want multiple + connections from remote networks with these networks having different + firewalling requirements. + + Here's how you configure this in Shorewall. Note that if + your primary internet connection uses ppp0 then be sure that the + vpn{1-3} zones follows net in /etc/shorewall/zones as shown below. + + + /etc/shorewall/tunnels + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + pptpserver + + net + + 0.0.0.0/0 + + + + + +
+ + + /etc/shorewall/zones + + + + + ZONE + + DISPLAY + + COMMENTS + + + + + + net + + Internet + + The Internet + + + + loc + + Local + + Local Network + + + + vpn1 + + Remote1 + + Remote Network 1 + + + + vpn2 + + Remote2 + + Remote Network 2 + + + + vpn3 + + Remote3 + + Remote Network 3 + + + +
+ + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + net + + eth0 + + 206.124.146.255 + + norfc1918 + + + + loc + + eth2 + + 192.168.10.255 + + + + + + - + + ppp+ + + - + + + + + +
+ + + /etc/shorewall/hosts + + + + + ZONE + + HOST(S) + + OPTIONS + + + + + + vpn1 + + ppp+:192.168.1.0/24 + + + + + + vpn2 + + ppp+:192.168.2.0/24 + + + + + + vpn3 + + ppp+:192.168.3.0/24 + + + + + +
+ + Your policies and rules can now be configured using separate + zones (vpn1, vpn2, and vpn3) for the three remote network. +
+
+
+ +
+ PPTP Server Running Behind your Firewall + + If you have a single external IP address, add the following to your + /etc/shorewall/rules file: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DNAT + + net + + loc:<server address> + + tcp + + 1723 + + + + + + + + DNAT + + net + + loc:<server address> + + 47 + + - + + + + + + + +
+ + If you have multiple external IP address and you want to forward a + single <external address>, add the following + to your /etc/shorewall/rules file: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DNAT + + net + + loc:<server address> + + tcp + + 1723 + + - + + <external address> + + + + DNAT + + net + + loc:<server address> + + 47 + + - + + - + + <external address> + + + +
+
+ +
+ PPTP Clients Running Behind your Firewall + + You shouldn't have to take any special action for this case + unless you wish to connect multiple clients to the same external server. + In that case, you will need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. + I recommend that you also add these two lines to your + /etc/shorewall/modules file: + + loadmodule ip_conntrack_pptp +loadmodule ip_nat_pptp +
+ +
+ PPTP Client Running on your Firewall + + The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/. + Rather than use the configuration script that comes with the client, I + built my own. I also build my own kernel as + described above rather than using the mppe package that is + available with the client. My /etc/ppp/options file is mostly unchanged + from what came with the client (see below). + + The key elements of this setup are as follows: + + + + Define a zone for the remote network accessed via PPTP. + + + + Associate that zone with a ppp interface. + + + + Define rules for PPTP traffic to/from the firewall. + + + + Define rules for traffic two and from the remote zone. + + + + Here are examples from my setup: + + + /etc/shorewall/zones + + + + + ZONE + + DISPLAY + + COMMENTS + + + + + + cpq + + Compaq + + Compaq Intranet + + + +
+ + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + - + + ppp+ + + + + + + + +
+ + + /etc/shorewall/hosts + + + + + ZONE + + HOST(S) + + OPTIONS + + + + + + - + + ppp+:!192.168.1.0/24 + + + + + +
+ + + /etc/shorewall/rules (For Shorewall versions up to and including + 1.3.9b) + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + fw + + net + + tcp + + 1723 + + + + + + + + ACCEPT + + fw + + net + + 47 + + - + + + + + + + +
+ + + /etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later) + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + pptpclient + + net + + 0.0.0.0/0 + + + + + +
+ + I use the combination of interface and hosts file to define the + 'cpq' zone because I also run a PPTP server on my firewall (see + above). Using this technique allows me to distinguish clients of my own + PPTP server from arbitrary hosts at Compaq; I assign addresses in + 192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918 + Class C subnet. + + I use this script in /etc/init.d to control the client. The reason + that I disable ECN when connecting is that the Compaq tunnel servers + don't do ECN yet and reject the initial TCP connection request if I + enable ECN :-( + + #!/bin/sh +# +# /etc/rc.d/init.d/pptp +# +# chkconfig: 5 60 85 +# description: PPTP Link Control +# +NAME="Tandem" +ADDRESS=tunnel-tandem.compaq.com +USER='Tandem\tommy' +ECN=0 +DEBUG= + +start_pptp() { + echo $ECN > /proc/sys/net/ipv4/tcp_ecn + if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then + touch /var/lock/subsys/pptp + echo "PPTP Connection to $NAME Started" + fi +} + +stop_pptp() { + if killall /usr/sbin/pptp 2> /dev/null; then + echo "Stopped pptp" + else + rm -f /var/run/pptp/* + fi + + # if killall pppd; then + # echo "Stopped pppd" + # fi + + rm -f /var/lock/subsys/pptp + + echo 1 > /proc/sys/net/ipv4/tcp_ecn +} + + +case "$1" in +start) + echo "Starting PPTP Connection to ${NAME}..." + start_pptp + ;; +stop) + echo "Stopping $NAME PPTP Connection..." + stop_pptp + ;; +restart) + echo "Restarting $NAME PPTP Connection..." + stop_pptp + start_pptp + ;; +status) + ifconfig + ;; +*) + echo "Usage: $0 {start|stop|restart|status}" + ;; +esac + + Here's my /etc/ppp/options file: + + # +# Identify this connection +# +ipparam Compaq +# +# Lock the port +# +lock +# +# We don't need the tunnel server to authenticate itself +# +noauth + ++chap ++chapms ++chapms-v2 + +multilink +mrru 1614 +# +# Turn off transmission protocols we know won't be used +# +nobsdcomp +nodeflate + +# +# We want MPPE +# +mppe-128 +mppe-stateless + +# +# We want a sane mtu/mru +# +mtu 1000 +mru 1000 + +# +# Time this thing out of it goes poof +# +lcp-echo-failure 10 +lcp-echo-interval 10 + + My /etc/ppp/ip-up.local file sets up the routes that I need to route + Compaq traffic through the PPTP tunnel: + + #/bin/sh + +case $6 in +Compaq) + route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1 + route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1 + route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1 + ... + ;; +esac + + Finally, I run the following script every five minutes under crond + to restart the tunnel if it fails: + + #!/bin/sh +restart_pptp() { + /sbin/service pptp stop + sleep 10 + if /sbin/service pptp start; then + /usr/bin/logger "PPTP Restarted" + fi +} + +if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then + exit 0 +fi + +echo "Attempting to restart PPTP" + +restart_pptp > /dev/null 2>&1 & + + Here's + a scriptand corresponding ip-up.local from Jerry Vonau + jvonau@home.com that controls two PPTP connections. +
+ +
+ PPTP Client running on your Firewall with PPTP Server in an ADSL + Modem + + Some ADSL systems in Europe (most notably in Austria) feature a PPTP + server built into an ADSL "Modem". In this setup, an ethernet + interface is dedicated to supporting the PPTP tunnel between the firewall + and the "Modem" while the actual internet access is through PPTP + (interface ppp0). If you have this type of setup, you need to modify the + sample configuration that you downloaded as described in this section. + These changes are in addition to those described in + the QuickStart Guides. + + Lets assume the following: + + + + ADSL Modem connected through eth0 + + + + Modem IP address = 192.168.1.1 + + + + eth0 IP address = 192.168.1.2 + + + + The changes you need to make are as follows: + + + + Add this entry to /etc/shorewall/zones: + + + /etc/shorewall/zones + + + + + ZONE + + DISPLAY + + COMMENTS + + + + + + modem + + Modem + + ADSL Modem + + + +
+ + That entry defines a new zone called 'modem' which will + contain only your ADSL modem. +
+ + + Add the following entry to /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + modem + + eth0 + + 192.168.1.255 + + dhcp + + + +
+ + You will of course modify the 'net' entry in + /etc/shorewall/interfaces to specify 'ppp0' as the interface + as described in the QuickStart Guide corresponding to your setup. +
+ + + Add the following to /etc/shorewall/tunnels: + + + /etc/shorewall/tunnels + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + pptpclient + + modem + + 192.168.1.1 + + + + + +
+ + That entry allows a PPTP tunnel to be established between your + Shorewall system and the PPTP server in the modem. +
+
+
+
\ No newline at end of file