VPN - Firewall
Introduction Preparing for Installation Installation Configuration & Startup Tips and Troubleshooting Maintenance Appendix: Command Reference
I. Introduction

This document will take you through the installation and configuration of an "ssh-hacque" based Virtual Private Network (VPN) on a FreeBSD platform and an Intel architecture. By way of example, a "two bastion" setup will be assumed, where two intranets, vpn1 and vpn2, are networked with each other through "the internet".
II. Preparing for Installation

System Requirements:

The minimum system hardware requirements are:
  Pentium PII processor - Intel architecture
  32 Mb RAM
  1 Gb IDE Hard Drive
  2 Intel Ether Express PRO/100B Network Interface Cards (NICs)

Software Requirements:

FreeBSD Release 3.1 or greater, with the following minimum software distributions, using a "custom" installation:
  bin
  compat2.2
  dict
  doc
  man
  catman
  ports
  src (from src - select the base and system src types)
  sudo (from security - if we are going to sudo ppp)
  ssh (install from the ports collection - /usr/ports/security/ssh)
  ucdsnmp (optional - if using snmp for network monitoring)

Planning:

Before setting up your system, you will need to know the networking details. It will be assumed that you have two firewalls protecting one intranet per firewall, and that both are connected to the internet. You should have (at least) two network interfaces per firewall. Take a sheet of paper and write down their IP addresses and network masks. You will need one more set of IP addresses per firewall for the VPN you want to create. These addresses should be outside of your existing subnets. It is recommended to use addresses from the "private" address ranges. They are the following:
In the "two bastion" example used here, the two firewalls are called vpn1 and vpn2. Each has one interface for the internet (out), one for the intranet (in), and one for the vpn (vpn). Refer to Figure 1. The addresses and netmasks:
Figure 1
III. Installation

FreeBSD installation:

Installation instructions for FreeBSD are readily available on the internet. This document assumes the installation of FreeBSD Release 3.1, properly configured as a network-ready server. During installation you will have opportunities to make a few "selections" from Distributions and Packages.

Distributions to Install:
  bin
  compat2.2
  dict
  doc
  man
  catman
  ports
  src (from src - here you will select the base and system src types)

Packages to Install:
  sudo (from security - if we are going to sudo ppp)

Installing ssh (from the FreeBSD "Ports Collection"):

Note (Ports Collection): The FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. Each "port" listed contains any patches necessary to make the original application source code compile and run on FreeBSD. Installing an application is as simple as downloading the port, unpacking it and typing make in the port directory. For more information see the Ports Collection documentation.

So, with "ports", installing ssh is reduced to three simple steps:

  # cd /usr/ports/security/ssh
  # make
  # make install
  # make clean   (optional)

Kernel Configuration:

To configure the kernel we will copy the generic kernel configuration file and configure the new kernel by editing the "new" configuration file. For this process it will help to have two shell windows open; they will be referred to as "window-1" and "window-2". Be sure to perform all configuration as the user "root" (a.k.a. superuser or administrator). The procedure is as follows:

Step 1: (window-1)

  # cd /usr/src/sys/i386/conf
  # cp GENERIC VPN
  # vi VPN

Step 2: Remove unnecessary devices that are not being used, so that they aren't compiled into the kernel.

  # dmesg | grep "not"   (window-2)

This locates the devices "not found". In your vi session (editing the file VPN, window-1), locate these device entries and delete them.

Step 3: Add a second network interface device for your second network interface card (NIC).
For this step we will assume that you are using Intel Ether Express PRO/100B NICs (network interface ids fxp0 and fxp1). If you don't know or aren't sure which NICs you are using, run:

  # ifconfig -a   (window-2)

This will give you the network interface ids, which you can then locate in VPN (window-1). In VPN (window-1), keep the network interface devices you are using and delete the rest.
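As an added example that is not part of the original guide, the following POSIX shell script applies Steps 2 and 3 mechanically: it takes the "<device> not found" lines from dmesg and the text of the VPN configuration file, emits the configuration with those device lines removed, and confirms that the NIC lines survive. The dmesg lines, the configuration excerpt, and the device names and addresses in them are constructed samples, not output from a real machine.

```sh
#!/bin/sh
# Added example (not from the original document): prune "not found" devices
# from a GENERIC-derived kernel configuration, as Steps 2 and 3 describe.
# All sample text below is constructed; device names/addresses are assumed.

# Constructed sample of `dmesg | grep "not"` output (FreeBSD 3.x style).
SAMPLE_DMESG='ed0 not found at 0x280
ed1 not found at 0x300
ie0 not found at 0x360
fxp0: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x08 int a irq 10 on pci0.17.0
fxp1: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x08 int a irq 11 on pci0.18.0'

# Constructed excerpt of the VPN configuration file copied from GENERIC.
SAMPLE_CONF='device ed0 at isa? port 0x280 net irq 10 iomem 0xd8000
device ed1 at isa? port 0x300 net irq 5 iomem 0xd8000
device ie0 at isa? port 0x360 net irq 7 iomem 0xd0000
device fxp0
device fxp1
pseudo-device loop
pseudo-device ether'

# Print one device name per line for every "<name> not found" dmesg line.
# Only that exact form is matched; successful probe lines are ignored.
not_found_devices() {
    printf '%s\n' "$1" | awk '$2 == "not" && $3 == "found" { print $1 }'
}

# Emit the configuration with every "device <name>" line removed whose
# name was reported "not found". These are the lines to delete in window-1.
pruned_conf() {
    conf=$1
    dmesg_out=$2
    drop=$(not_found_devices "$dmesg_out" | tr '\n' ' ')
    printf '%s\n' "$conf" | awk -v list="$drop" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) gone[a[i]] = 1 }
        !($1 == "device" && ($2 in gone))'
}

# Return 0 if the configuration text still declares the named device,
# so the NICs from Step 3 can be verified after pruning.
has_device() {
    printf '%s\n' "$1" | awk -v d="$2" \
        '$1 == "device" && $2 == d { found = 1 } END { exit !found }'
}

echo "== devices to drop =="
not_found_devices "$SAMPLE_DMESG"
echo "== pruned configuration =="
pruned_conf "$SAMPLE_CONF" "$SAMPLE_DMESG"
```

On a real host the same functions take live input: `pruned_conf "$(cat VPN)" "$(dmesg | grep not)"`. Review the dropped list before editing, since the filter keys only on the literal "<name> not found" line and a driver that probes several addresses may report one address as not found while the device is present at another.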
Step 4 (Optional): If you are planning on running Network Address Translation (NAT), you will need to add the following lines to the file VPN (window-1):

  options IPDIVERT
  options IPFIREWALL

Step 5: Compile the new kernel.

  # config ./VPN            (in the current directory: /usr/src/sys/i386/conf)
  # cd ../../compile/VPN    (/usr/src/sys/compile)
  # make depend
  # make
  # make install
  # make clean              (optional)

Server Configuration:

As part of the server install, several configurations must be made. Examples and excerpts of the configuration files listed below are presented.

Configuration Files:
  /etc/rc.conf
  /usr/local/etc/sshd_config
  ~/.shosts

Step 1 (Configure the gateway): In /etc/rc.conf add the following lines:

  ### Network routing options: ###
  defaultrouter="209.100.33.10"   # Set to default gateway (or NO). [NOTE: This is the vpn1-out IP address]
  gateway_enable="YES"            # Set to YES if this host will be a gateway.

Step 2 (Configure ssh): In /usr/local/etc/sshd_config change the following default:

  RhostsRSAAuthentication yes     # The default is "no"

Step 3 (Optional; Configure NAT): In /etc/rc.conf add the following lines:

  firewall_enable="YES"               # Set to YES to enable firewall functionality
  firewall_type="open"                # Firewall type (see /etc/rc.firewall)
  firewall_quiet="NO"                 # Set to YES to suppress rule display
  natd_enable="YES"                   # Enable natd (if firewall_enable == YES).
  natd_interface="fxp0"               # Public interface to use with natd.
  natd_flags="-f /etc/natd.conf"      # Additional flags for natd.
  network_interfaces="fxp0 fxp1 lo0"  # List of network interfaces (lo0 is loopback).

[NOTE: More about natd and natd.conf for port redirection can be found in the man pages: # man natd]

Step 4 (Restart your server): Reboot.
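As an added example that is not part of the original guide, here is a POSIX shell audit of the /etc/rc.conf settings from Steps 1 and 3. It reads values rc.conf-style (last assignment wins, quotes and trailing comments stripped) and reports the combinations that leave the gateway or natd non-functional: gateway_enable not YES, no defaultrouter, natd_enable without firewall_enable, and an empty natd_interface or one missing from network_interfaces. The two rc.conf texts are constructed samples; the IP address and interface names are assumed.

```sh
#!/bin/sh
# Added example (not from the original document): audit rc.conf settings
# required by Server Configuration Steps 1 and 3. Samples are constructed.

# Constructed rc.conf with NAT switched on but the firewall and interface
# left unset: natd will not work this way.
SAMPLE_RC_BAD='### Network routing options: ###
defaultrouter="209.100.33.10"   # vpn1-out (assumed address)
gateway_enable="YES"
firewall_enable="NO"
firewall_type="open"
natd_enable="YES"
natd_interface=""
network_interfaces="fxp0 fxp1 lo0"'

# Constructed rc.conf matching the guide's Steps 1 and 3.
SAMPLE_RC_OK='defaultrouter="209.100.33.10"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
network_interfaces="fxp0 fxp1 lo0"'

# Print the value of variable $2 from rc.conf text $1: optional quotes and
# any trailing "# comment" removed; empty output if it is never assigned.
rc_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^${2}=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" \
        | tail -n 1
}

# Print one finding per line and return 1 if the settings cannot give a
# working gateway/NAT host; print nothing and return 0 when consistent.
audit_rc() {
    rc=$1
    findings=''
    gw=$(rc_get "$rc" gateway_enable)
    dr=$(rc_get "$rc" defaultrouter)
    fw=$(rc_get "$rc" firewall_enable)
    nat=$(rc_get "$rc" natd_enable)
    nif=$(rc_get "$rc" natd_interface)
    ifs=$(rc_get "$rc" network_interfaces)

    [ "$gw" = "YES" ] || findings="${findings}gateway_enable must be YES for a VPN gateway
"
    if [ -z "$dr" ] || [ "$dr" = "NO" ]; then
        findings="${findings}defaultrouter must be set to the -out address
"
    fi
    if [ "$nat" = "YES" ]; then
        [ "$fw" = "YES" ] || findings="${findings}natd_enable=YES requires firewall_enable=YES
"
        if [ -z "$nif" ]; then
            findings="${findings}natd_interface must name the public interface
"
        else
            case " $ifs " in
                *" $nif "*) ;;
                *) findings="${findings}natd_interface $nif is not in network_interfaces
" ;;
            esac
        fi
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

echo "== constructed rc.conf with NAT misconfigured =="
audit_rc "$SAMPLE_RC_BAD" || echo "(audit failed)"
echo "== corrected rc.conf =="
audit_rc "$SAMPLE_RC_OK" && echo "(audit passed)"
```

Against the live file, `audit_rc "$(cat /etc/rc.conf)"` runs the same checks. The audit deliberately does not flag firewall_type="open", which the guide relies on; with that type /etc/rc.firewall installs pass-everything rules, so the kernel firewall is only providing the divert to natd and is not filtering anything.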
IV. Configuration & Startup

The remaining configuration items needed for a working VPN connection are the point-to-point protocol (ppp) settings on both the local (incoming) and the remote (dial-out) server.

Configuring Dial-Out PPP: (On VPN1)

Configuration File: /etc/ppp/ppp.conf
Start-up Script: /etc/ppp/vpn2

The configuration will be done by example, editing the /etc/ppp/ppp.conf file. In this example vpn1 and vpn2 (our "two bastion" example) are referred to as introduced in the planning portion of Section II (above).

file: /etc/ppp/ppp.conf
script: /etc/ppp/vpn2
Configuring Incoming PPP: (On VPN2)

Configuration File: /etc/ppp/ppp.conf

Again, the configuration will be done by example, editing the /etc/ppp/ppp.conf file. In this example vpn1 and vpn2 (our "two bastion" example) are referred to as introduced in the planning portion of Section II (above).

file: /etc/ppp/ppp.conf
V. Tips and Troubleshooting

Troubleshooting your VPN connection is a relatively simple process. If you are having problems with the VPN connection (i.e. you cannot ping or trace a route), try the following:
  Check your routes (netstat -rn).
  Check for running daemons: ppp, sshd (and natd, if you are using NAT).
  Interrogate your ppp connection with ppp in "interactive" mode.
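The first two checklist items above, as an added shell example that is not from the original guide: functions that read the text of `netstat -rn` and `ps -ax` and report the daemons and routes that are missing, so the same checks can be scripted or run from a monitoring job. The netstat and ps outputs are constructed samples; the addresses, the tun0 interface, the pids and the 192.168.2 remote-intranet prefix are assumed.

```sh
#!/bin/sh
# Added example (not from the original document): script the VPN
# troubleshooting checklist over the text of `netstat -rn` and `ps -ax`.
# All sample output below is constructed; addresses/pids are assumed.

# Constructed `netstat -rn` output: default route and the ppp tunnel are
# present, but no route to the remote intranet (192.168.2) was installed.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            209.100.33.10      UGSc        3        0      fxp0
10.0.0.2           10.0.0.1           UH          1        0      tun0
192.168.1          link#2             UC          0        0      fxp1
127.0.0.1          127.0.0.1          UH          0        4      lo0'

# Constructed `ps -ax` output: sshd and ppp are running, natd is not.
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
   92  ??  Is     0:00.05 /usr/local/sbin/sshd
  104  ??  Ss     0:00.12 ppp -background vpn2
  150  p0  Ss     0:00.03 -sh (sh)'

# Print the names from the argument list that have no matching process.
# The match is on the command's basename, so "sshd" matches
# "/usr/local/sbin/sshd" while "ppp" does not match "pppd".
missing_daemons() {
    ps_out=$1
    shift
    for d in "$@"; do
        printf '%s\n' "$ps_out" | awk -v d="$d" '
            NR > 1 { n = split($5, p, "/"); if (p[n] == d) found = 1 }
            END { exit !found }' || printf '%s\n' "$d"
    done
}

# Return 0 if the routing table has an entry with exactly this destination
# ("default", a host address, or a network as netstat prints it).
route_present() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { found = 1 } END { exit !found }'
}

# Print the interface (Netif column) carrying the route to a destination.
route_iface() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $6; exit }'
}

# Run the checklist: print each problem, return 0 only when nothing is
# missing. $3 is the remote intranet as netstat prints it; $4 is YES when
# NAT is in use and natd must therefore be running too.
diagnose() {
    netstat_out=$1
    ps_out=$2
    remote_net=$3
    use_nat=$4
    problems=0
    daemons="ppp sshd"
    if [ "$use_nat" = "YES" ]; then daemons="$daemons natd"; fi
    for d in $(missing_daemons "$ps_out" $daemons); do
        echo "daemon not running: $d"
        problems=$((problems + 1))
    done
    if ! route_present "$netstat_out" default; then
        echo "no default route (check defaultrouter in /etc/rc.conf)"
        problems=$((problems + 1))
    fi
    if ! route_present "$netstat_out" "$remote_net"; then
        echo "no route to $remote_net via the VPN"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

echo "== constructed host, NAT expected =="
diagnose "$SAMPLE_NETSTAT" "$SAMPLE_PS" 192.168.2 YES || echo "(problems found)"
```

On a live host, `diagnose "$(netstat -rn)" "$(ps -ax)" 192.168.2 YES` runs the same checks; if a daemon is reported missing, start it and re-run, and if only the remote route is missing, the ppp link is the thing to interrogate in interactive mode (the third checklist item).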
VI. Maintenance

The care and feeding of the VPN is minimal. Log maintenance is handled by FreeBSD automatically. The system administrator will only need to monitor the daemons and basic network functionality. If you wish to deploy the Simple Network Management Protocol (SNMP), it is a convenient way of performing network monitoring; all you need to do is install the ucdsnmp package, either at the time of the FreeBSD installation or afterwards using the "ports collection".
Appendix A. Command Reference

The commands needed for implementation and maintenance of the VPN are:
  ssh
  ppp
  natd (if you are implementing NAT)

These commands all have well-documented man pages on your server, as well as at freebsd.org.