Feb 11 2014

SoftEther works (see my previous post), but it needs an extra software install, while PPTP is supported out of the box by most operating systems. So we'll set this up.

It's actually very easy too. One caveat up front: MS-CHAPv2, the only usable authentication method PPTP offers, has well-known cryptographic weaknesses, and the MPPE session key is derived from it, so treat this as a convenience VPN for a private network rather than a strong one.

Server side

Debian server: install some packages:

aptitude install pptpd

/etc/pptpd.conf (I removed all comments here):

option /etc/ppp/pptpd-options
logwtmp
localip 192.168.31.1
remoteip 192.168.31.10-249

/etc/ppp/pptpd-options (again, no comments):

name SERVERNAME
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490
ipcp-accept-remote
netmask 255.255.255.0

Add this to /etc/rc.local so the firewall rules are restored at boot (once the rules below are in place, dump them with iptables-save into /etc/iptables.save):

/sbin/iptables-restore </etc/iptables.save

Setting up routing and firewall (VPN clients may reach each other and the server, but nothing from the VPN subnet is forwarded anywhere else):

iptables -A FORWARD -s 192.168.31.0/24 -d 192.168.31.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.31.0/24 -j REJECT

Edit /etc/sysctl.conf to enable IP forwarding:

net.ipv4.ip_forward=1

Enable sysctl.conf changes:

sysctl -p

Edit /etc/ppp/chap-secrets to hold all accounts, one per line (the file contains cleartext passwords, so keep it readable by root only), e.g.:

username1<TAB>*<TAB>password<TAB>*
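As an added example (not part of the original post), here are shell helpers that script the server-side steps above: they write the two FORWARD rules in iptables-save format so that the iptables-restore line in /etc/rc.local can load them, add a user to chap-secrets as a tab-separated entry while keeping the file root-only, and check that forwarding is actually switched on. The file paths are parameters so the functions can be tried against scratch files; the function names and the "provision" entry point are my own.

```shell
#!/bin/sh
# Added example (not from the original post): provisioning helpers for the
# pptpd server. Run the "provision" mode as root on the real server.
set -eu

# Write the post's FORWARD rules in iptables-save format.
# Usage: gen_iptables_save 192.168.31.0/24 /etc/iptables.save
gen_iptables_save() {
    net=$1
    out=$2
    cat >"$out" <<EOF
*filter
-A FORWARD -s $net -d $net -j ACCEPT
-A FORWARD -s $net -j REJECT
COMMIT
EOF
}

# Append "user<TAB>*<TAB>password<TAB>*" to chap-secrets and keep the file
# mode 600, since the passwords are stored in cleartext.
# Usage: add_pptp_user username [password] [secrets-file]
# Prints the password (generated with openssl if none was given).
add_pptp_user() {
    user=$1
    pass=${2:-$(openssl rand -base64 18)}
    secrets=${3:-/etc/ppp/chap-secrets}
    # Whitespace or '#' in either field would break the file's syntax.
    if printf '%s' "$user$pass" | grep -q '[[:space:]#]'; then
        echo "refusing whitespace or '#' in user name or password" >&2
        return 1
    fi
    [ -f "$secrets" ] || : >"$secrets"
    chmod 600 "$secrets"
    if awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$secrets"; then
        echo "user $user already present in $secrets" >&2
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$user" "$pass" >>"$secrets"
    printf '%s\n' "$pass"
}

# Sanity check after "sysctl -p": without forwarding, clients only reach the
# server itself. The path is a parameter so the check can be tested offline.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

if [ "${1:-}" = provision ]; then
    gen_iptables_save 192.168.31.0/24 /etc/iptables.save
    iptables-restore </etc/iptables.save
    add_pptp_user "${2:?user name}"
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
fi
```

Generated passwords are printed once so they can be handed to the user; nothing else in the script echoes secrets.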


Client side

Debian: install some packages:

aptitude install pptp-linux

Create /etc/ppp/peers/BoxPPTP (BoxPPTP is the name of the connection; PPTPSERVERNAME is the server's hostname or IP, and the name option must match the user name in chap-secrets below):

pty "pptp PPTPSERVERNAME --nolaunchpppd"
name username1
remotename BoxPPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam BoxPPTP
192.168.31.10:

192.168.31.10 is the IP the client wants to have.

/etc/ppp/options.pptp:

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Add your account in /etc/ppp/chap-secrets (again readable by root only):

username1<TAB>BoxPPTP<TAB>password<TAB>*

Add this to /etc/network/interfaces:

auto ppp0
iface ppp0 inet ppp
  provider BoxPPTP
  post-up sleep 2 ; route add -net 192.168.31.0 netmask 255.255.255.0 gw 192.168.31.1

To enable the PPTP connection, do:

ifup ppp0

Check via:

# ip addr list ppp0
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1486 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.31.11 peer 192.168.31.1/32 scope global ppp0
# ip route list
default via 192.168.11.1 dev eth0 
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.36 
192.168.31.0/24 via 192.168.31.1 dev ppp0 
192.168.31.1 dev ppp0  proto kernel  scope link  src 192.168.31.11

At this point you can ping the PPTP server (192.168.31.1 in this case) as well as all other clients, as long as they are not firewalled.
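Added example, not from the original post: a check script for the client side. It parses the output of ip addr and ip route (the sample embedded below is the post's own output, used here as constructed test data) and confirms that ppp0 is up with the expected peer and route, that the default route did not move into the tunnel (the server sets nodefaultroute), and that pppd actually negotiated 128-bit MPPE. The syslog line format follows pppd's "MPPE %d-bit %s compression enabled" notice; the log path /var/log/syslog used in live mode and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the PPTP tunnel on
# the client came up the way the configuration intends.
set -eu

IFACE=ppp0
PEER=192.168.31.1        # the server's localip from pptpd.conf
VPN_NET=192.168.31.0/24

# $1: output of "ip addr list $IFACE"; $2: output of "ip route list".
# Prints every failed check and returns 0 only if all of them pass.
check_tunnel() {
    addr=$1
    routes=$2
    rc=0
    if ! printf '%s\n' "$addr" | grep -q ": $IFACE: <.*[<,]UP[,>]"; then
        echo "FAIL: $IFACE is not UP"; rc=1
    fi
    if ! printf '%s\n' "$addr" | grep -q "^ *inet [0-9.]* peer $PEER/32 "; then
        echo "FAIL: $IFACE peer is not $PEER"; rc=1
    fi
    if ! printf '%s\n' "$routes" | grep -q "^$VPN_NET via $PEER dev $IFACE"; then
        echo "FAIL: no route to $VPN_NET via $IFACE"; rc=1
    fi
    # nodefaultroute on the server: the client must keep its own default route.
    if printf '%s\n' "$routes" | grep -q "^default .*dev $IFACE"; then
        echo "FAIL: default route was moved into the tunnel"; rc=1
    fi
    return $rc
}

# $1: pppd log lines. require-mppe-128 must leave exactly this notice
# (message format from pppd's ccp.c); 40-bit MPPE or no MPPE is a failure.
mppe_enabled() {
    printf '%s\n' "$1" | grep -q 'MPPE 128-bit .*compression enabled'
}

# Constructed sample data: the ip output from the post plus one syslog line.
SAMPLE_ADDR=$(cat <<'EOF'
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1486 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 192.168.31.11 peer 192.168.31.1/32 scope global ppp0
EOF
)
SAMPLE_ROUTES=$(cat <<'EOF'
default via 192.168.11.1 dev eth0
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.36
192.168.31.0/24 via 192.168.31.1 dev ppp0
192.168.31.1 dev ppp0  proto kernel  scope link  src 192.168.31.11
EOF
)
SAMPLE_LOG='Feb 11 10:00:00 box pppd[1234]: MPPE 128-bit stateless compression enabled'

if [ "${1:-}" = live ]; then
    # Assumption: pppd logs to /var/log/syslog on this Debian box.
    check_tunnel "$(ip addr list "$IFACE")" "$(ip route list)" \
        && mppe_enabled "$(grep 'pppd\[' /var/log/syslog)" && echo "tunnel OK"
else
    check_tunnel "$SAMPLE_ADDR" "$SAMPLE_ROUTES" \
        && mppe_enabled "$SAMPLE_LOG" && echo "sample data OK"
fi
```

Run it as "sh check-pptp.sh live" after ifup ppp0; without an argument it exercises the sample data only.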


Feb 09 2014


To do a remote backup only one thing is needed: a backup server that can be reached from outside. That would be easy if everyone had a public static IP address. Welcome IPv6! I wish you were here; alas, we are not there yet, so there is extra work to do.

Possible solutions:

  • IPSec
  • OpenVPN
  • ssh tunneling
  • SoftEther

IPsec does not like NAT and is quite complex to set up. I have set up OpenVPN before, which would make this a "been there, done that" solution. ssh tunneling is possible, but lacks elegance in my opinion. When I looked at SoftEther's web page, though, it is open source now, which makes it an interesting solution. Time to try it out.

SoftEther

Prerequisites:

aptitude install build-essential git libreadline6-dev libncurses5-dev libssl-dev

Download the source, e.g. via GitHub (see here):

git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git

Do the super-simple configure:

./configure && make && make install

This installs the various vpn commands (vpnserver, vpnclient, vpncmd) under /usr.

Server

mkdir /var/lock/subsys # Not sure this is needed. I don't think it is.
sed 's/-start/start/;s/-stop/stop/' ./debian/init.d/vpnserver > /etc/init.d/vpnserver
chmod a+x /etc/init.d/vpnserver
# add those to the top of /etc/init.d/vpnserver:
# /etc/init.d/vpnserver: start and stop the SoftEther VPN server
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
update-rc.d vpnserver defaults
# Now configuring the VPN
vpncmd
# Set admin password
ServerPasswordSet
HubCreate BoxVPN
# Enter BoxVPN password
Hub BoxVPN
SecureNatEnable
#DhcpDisable
UserCreate ACCOUNT
# Leave the assigned group empty, enter a full name for the next question, and nothing for Description
UserPasswordSet ACCOUNT
# Enter password (preliminary, going to use certificates later)
#NicCreate boxnic
AccountCreate boxvpn
# Enter server and its port
# Dest virtual hub is BoxVPN
# Connecting user is ACCOUNTNAME
# Used Virtual Network Adapter is boxnic
AccountPasswordSet boxvpn
# Enter the password set on the server
# Authentication type: Standard (in this case)

Client

vpnclient start
vpncmd
# Enter for localhost
NicCreate box0
AccountCreate box
# Destination Virtual Hub Name: BoxVPN
# Connecting User Name: ACCOUNT
# Used Virtual Network Adapter Name: box0
AccountPasswordSet box
# Enter password, and standard (not RADIUS)
# No compression, we transfer encrypted/compressed data mostly
AccountCompressDisable box
# Autostart when vpnclient starts:
AccountStartupSet box
# To connect:
AccountConnect box
# To check:
AccountStatusGet box

Set manually an IP

The default SecureNAT network is 192.168.30.0/24, with .1 being the server and DHCP-assigned client addresses starting at .10.

What I ended up with is this in /etc/rc.local, which is executed at the end of the init.d scripts:

( /usr/bin/vpnclient start ; sleep 10 ; ifconfig vpn_box0 192.168.xx.yy netmask 255.255.255.0 up ) &
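Added example, not from the original post: a replacement for the rc.local one-liner above. Instead of a fixed "sleep 10" it polls until the virtual adapter really exists (the sleep is a race: on a slow boot the adapter may not be there yet, on a fast one you wait for nothing), assigns the static address with ip, and then asks vpncmd for the account status. The interface name vpn_box0 and the account name box follow the post; the address 192.168.30.20/24, the 30-second timeout, the function names and the non-interactive vpncmd invocation (host, /CLIENT, /CMD, as described in vpncmd's own usage text) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the SoftEther client
# adapter without guessing how long vpnclient needs to create it.
set -eu

VPNCLIENT=/usr/bin/vpnclient
IFACE=vpn_box0
ACCOUNT=box
ADDR=192.168.30.20/24   # assumption: pick an address the SecureNAT DHCP pool will not hand out

# Poll until a network interface shows up in sysfs, or give up.
# $1 interface name, $2 timeout in seconds (default 30),
# $3 sysfs directory (default /sys/class/net; a parameter so the function can
#    be exercised against a scratch directory).
wait_for_iface() {
    iface=$1
    timeout=${2:-30}
    sysroot=${3:-/sys/class/net}
    i=0
    while [ ! -e "$sysroot/$iface" ]; do
        i=$((i + 1))
        if [ "$i" -gt "$timeout" ]; then
            echo "$iface did not appear within ${timeout}s" >&2
            return 1
        fi
        sleep 1
    done
}

# Start the client service, wait for the adapter, set the address, show status.
bring_up() {
    "$VPNCLIENT" start
    wait_for_iface "$IFACE" 30
    ip addr replace "$ADDR" dev "$IFACE"
    ip link set "$IFACE" up
    # The account auto-connects because of AccountStartupSet; this only reports
    # where it stands (assumed non-interactive vpncmd form).
    vpncmd localhost /CLIENT /CMD AccountStatusGet "$ACCOUNT"
}

if [ "${1:-}" = up ]; then
    bring_up
fi
```

In /etc/rc.local this becomes "/usr/local/sbin/softether-up up &" (path assumed), which keeps the wait out of the boot sequence's critical path just like the original subshell did.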

Windows Client

That one is very simple to configure, as there is no compiling needed at all.

All you need to know:

  • Server IP/DNS and its port
  • The virtual hub name
  • Your user account and the method to authenticate (password, certificates etc.)


Update

If anything does not work as it should, check the date/time.