Changes

Jump to navigation Jump to search
12,698 bytes added ,  2 years ago
Added SOCAT
Line 1: Line 1: −
[[Category:How to]]
+
 
 
[[Category:VPN]]
 
[[Category:VPN]]
 +
[[Category:Node Configuration]]
 
[[Category:Administration]]
 
[[Category:Administration]]
 
[[Category:Networking]]
 
[[Category:Networking]]
[[category:Software]]
+
[[Category:Software]]
 +
{{Infobox PTTLink
 +
| image = Cyber-security-4072712 1920.jpg
 +
| caption = VPN Security
 +
| category = How to
 +
}}
 
{{ Note|'''This document is a work in progress and is still being updated by the author.''' }}
 
{{ Note|'''This document is a work in progress and is still being updated by the author.''' }}
= VPN =
+
The following contains information on how to setup a Virtual Private Network (VPN) connection using various popular software packages and hardware devices.  
{{go to top}}
  −
The following contains information on how to setup a Virtual Private Network (VPN) connection using various popular packages.  
      
== IPSEC ==
 
== IPSEC ==
Line 209: Line 213:  
== GRE Tunnel ==
 
== GRE Tunnel ==
 
{{go to top}}
 
{{go to top}}
 +
GRE Tunnels
 +
 +
===Public/Private VM tunnel===
 +
GRE tunnels are useful for connecting a VM in a private/home network to the internet via a public server/VM.  The following information will connect Server A (public server) to Server B (private server), and allow requests to Server B to be passed to Server A's resources for use on the Internet.
 +
 +
====Configuration====
 +
'''IP addresses'''
 +
* Server A will have a public IP of 30.30.30.30/24 and the GRE interface will be assigned 192.168.168.1/30
 +
* Server B will have a private IP of 10.0.0.50/24, a public IP of 40.40.40.40/24 and the GRE interface will be assigned 192.168.168.2/30
 +
'''Ports'''
 +
* Ports 22, 80 and 443 will be forwarded over the GRE tunnel
 +
 +
=====Server A (Public)=====
 +
Copy the following to /etc/gre.sh
 +
<syntaxhighlight lang="bash">
 +
#!/bin/sh
 +
ip tunnel add gre1 mode gre local 10.0.0.50 remote 40.40.40.40 ttl 255
 +
ip add add 192.168.168.1/30 dev gre1
 +
ip link set gre1 up
 +
 +
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source 30.30.30.30
 +
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT
 +
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT
 +
 +
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.168.2
 +
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.2
 +
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.168.2
 +
</syntaxhighlight>
 +
 +
=====Server B (Private)=====
 +
* Add the following to /etc/iproute2/rt_tables<syntaxhighlight lang="text">
 +
100 GRE</syntaxhighlight>
 +
* Copy the following to /etc/gre.sh
 +
<syntaxhighlight lang="bash">
 +
#!/bin/sh
 +
iptunnel add gre1 mode gre local 10.0.0.50 remote 30.30.30.30 ttl 255
 +
ip addr add 192.168.168.2/30 dev gre1
 +
ip link set gre1 up
 +
 +
ip rule add from 192.168.168.0/30 table GRE
 +
ip route add default via 192.168.168.1 table GRE
 +
</syntaxhighlight>
    
==L2TP Ethernet Pseudowires==
 
==L2TP Ethernet Pseudowires==
 
{{go to top}}
 
{{go to top}}
 +
===Cisco===
 +
The following configuration will setup L2TPv3 between two Cisco Routers - R1 and R2.
 +
 +
====R1 - Router Config====
 +
pseudowire-class test
 +
encapsulation l2tpv3
 +
ip local interface Loopback0
 +
ip pmtu
 +
ip tos value 10
 +
!
 +
!
 +
interface Loopback0
 +
ip address 1.1.1.1 255.255.255.255
 +
!
 +
interface FastEthernet0/0.1
 +
encapsulation dot1Q 5
 +
xconnect 2.2.2.2 1 encapsulation l2tpv3 pw-class test
 +
!
 +
interface FastEthernet0/0.2
 +
encapsulation dot1Q 2
 +
xconnect 2.2.2.2 2 encapsulation l2tpv3 pw-class test
 +
 +
====R2 - Router Config====
 +
pseudowire-class test
 +
encapsulation l2tpv3
 +
ip local interface Loopback0
 +
ip pmtu
 +
ip tos value 10
 +
!
 +
!
 +
interface Loopback0
 +
ip address 2.2.2.2 255.255.255.255
 +
!
 +
!
 +
interface FastEthernet0/1.1
 +
encapsulation dot1Q 5
 +
xconnect 1.1.1.1 1 encapsulation l2tpv3 pw-class test
 +
!
 +
interface FastEthernet0/1.2
 +
encapsulation dot1Q 2
 +
xconnect 1.1.1.1 2 encapsulation l2tpv3 pw-class test
    
===Linux===
 
===Linux===
Line 354: Line 441:     
'''''NOTE:  THERE IS NO ENCRYPTION WITH AN L2TP TUNNEL.  ALL LAYER 2 DATA THAT IS VISIBLE TO EACH SIDE OF THE TUNNEL WILL NORMALLY BE SENT OVER THE LINK AND BE SEEN BY THE OTHER SIDE.'''''
 
'''''NOTE:  THERE IS NO ENCRYPTION WITH AN L2TP TUNNEL.  ALL LAYER 2 DATA THAT IS VISIBLE TO EACH SIDE OF THE TUNNEL WILL NORMALLY BE SENT OVER THE LINK AND BE SEEN BY THE OTHER SIDE.'''''
 +
 +
===Between Cisco and Linux===
 +
{{go to top}}
 +
You can use L2TPv3 between Cisco and Linux utilizing the following script from Leif Sawyer.
 +
 +
*Script repository: https://github.com/akhepcat/Miscellaneous
 +
*Direct download link: https://raw.githubusercontent.com/akhepcat/Miscellaneous/master/l2tpv3-cisco.sh
 +
 +
This script will bring up the Linux side of the connection and generate the Cisco side config.
 +
 +
====Configuration====
 +
*Edit the variables '''TUNNEL_ID''', '''SESSION_ID''', '''LOCAL''', and '''REMOTE''' to values that are suitable for your environment.
 +
 +
====Commands====
 +
*Start the tunnel with '''l2tpv3-cisco.sh start'''
 +
*Stop the tunnel with '''l2tpv3-cisco.sh stop'''
 +
*Restart the tunnel with '''l2tpv3-cisco.sh restart'''
 +
*Generate Cisco config with '''l2tpv3-cisco.sh config'''
 +
 +
====l2tpv3-cisco.sh====
 +
  #!/bin/bash
 +
  # (c) 2020 Leif Sawyer
 +
  # License: GPL 3.0 (see https://github.com/akhepcat/)
 +
  # Permanent home:  https://github.com/akhepcat/Miscellaneous/
 +
  # Direct download: https://raw.githubusercontent.com/akhepcat/Miscellaneous/master/l2tpv3-cisco.sh
 +
  #
 +
  # using l2tpV3 between linux and cisco is sometimes weird.
 +
  # this script is how I get the linux side up.
 +
  # This will also auto-generate the cisco-side config.
 +
  ################################
 +
 
 +
  TUNNEL_ID=101
 +
  REMOTE_TUNNEL_ID=${TUNNEL_ID}
 +
 
 +
  SESSION_ID=101
 +
  REMOTE_SESSION_ID=${SESSION_ID}
 +
 
 +
  LOCAL=10.1.1.1
 +
  REMOTE=10.100.100.1
 +
 
 +
  ################################
 +
  PATH=/sbin:$PATH
 +
  IPV=$(ip -V | sed 's/.*-ss//')
 +
 
 +
  if [ ${IPV:-0} -lt 130716 ]
 +
  then
 +
  echo "Please install a newer version of iproute2 ( 3.10 or (>= 2013-07-16))"
 +
  echo "  from https://www.kernel.org/pub/linux/utils/net/iproute2/"
 +
  exit
 +
  fi
 +
 
 +
 
 +
  modules() {
 +
    for module in l2tp_core l2tp_netlink l2tp_eth l2tp_ip
 +
  do
 +
  modprobe $i
 +
  done
 +
  }
 +
 
 +
  tunnel_up() {
 +
  ip l2tp add tunnel remote ${REMOTE} local ${LOCAL} tunnel_id $TUNNEL_ID peer_tunnel_id $REMOTE_TUNNEL_ID encap ip
 +
  ip l2tp add session tunnel_id $TUNNEL_ID session_id $SESSION_ID peer_session_id $REMOTE_SESSION_ID l2spec_type none
 +
  ip link set l2tpeth0 up mtu 1488
 +
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1448:1536 -j TCPMSS --set-mss 1448
 +
  }
 +
 
 +
  tunnel_down() {
 +
  iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1448:1536 -j TCPMSS --set-mss 1448
 +
  ip link set l2tpeth0 down
 +
  ip l2tp del session tunnel_id $TUNNEL_ID session_id $SESSION_ID
 +
  ip l2tp del tunnel tunnel_id $TUNNEL_ID
 +
  }
 +
 
 +
  cisco_config() {
 +
  cat <<EOF
 +
  ! Global config
 +
  !
 +
      pseudowire-class Linux-L2TP
 +
  encapsulation l2tpv3
 +
  interworking ethernet
 +
  protocol none
 +
  ip local interface $REMOTE
 +
  ip pmtu
 +
  ip tos value 41
 +
  ip ttl 100
 +
  !
 +
  ! Interface config
 +
  !
 +
      interface \$L2interface
 +
  xconnect $LOCAL $REMOTE_TUNNEL_ID encapsulation l2tpv3 manual pw-class Linux-L2TP
 +
      l2tp id $SESSION_ID $REMOTE_SESSION_ID
 +
 
 +
  EOF
 +
  }
 +
 
 +
  case $1 in
 +
  start|up) tunnel_up
 +
  ;;
 +
  stop|down) tunnel_down
 +
  ;;
 +
  restart|reload) stop; start
 +
  ;;
 +
  config|cisco|cisco-config) cisco_config
 +
  ;;
 +
  *) echo "$0  (start|up || stop|down || restart|reload || config|cisco|cisco-config)"
 +
  ;;
 +
  esac
    
== OpenVPN ==
 
== OpenVPN ==
Line 622: Line 816:  
     └── NoMoreSecrets
 
     └── NoMoreSecrets
 
         ├── hosts
 
         ├── hosts
         │   ├── server1
+
         │  ├── server1
         │   ├── server2
+
         │  ├── server2
         │   └── server3
+
         │  └── server3
 
         ├── rsa_key.priv
 
         ├── rsa_key.priv
 
         ├── tinc.conf
 
         ├── tinc.conf
Line 630: Line 824:  
         └── tinc-up
 
         └── tinc-up
 
</pre>
 
</pre>
 +
 +
==== FreeBSD Note ====
 +
FreeBSD will use the '''/usr/local/etc/tinc''' directory structure instead of the Linux '''/etc/tinc''' as shown above.  Adjust the paths below accordingly.  Additionally, the '''tinc-up''' and '''tinc-down''' files will differ. See the section below the '''Server 3''' example for notes on these differences.
    
====Individual node setup and configuration====
 
====Individual node setup and configuration====
Line 726: Line 923:  
     ip addr del 10.0.0.3/32 dev $INTERFACE
 
     ip addr del 10.0.0.3/32 dev $INTERFACE
 
     ip link set $INTERFACE down
 
     ip link set $INTERFACE down
 +
 +
====== FreeBSD Note ======
 +
The '''tinc-up''' and '''tinc-down''' files will differ from those listed above as follows:
 +
 +
* /usr/local/etc/tinc/NoMoreSecrets/tinc-up:
 +
    #!/bin/sh
 +
    ifconfig "$INTERFACE" up
 +
    ifconfig "$INTERFACE" inet 10.0.0.3 netmask 255.255.255.255
 +
    route add -net 10.0.0.0 10.0.0.3
 +
 +
Note:  Substitute '''route add -host <remote tinc ip> <local tinc ip>''' in place of the last line above for a two node setup
 +
 +
* /usr/local/etc/tinc/NoMoreSecrets/tinc-down:
 +
    #!/bin/sh
 +
    ifconfig "$INTERFACE" destroy
 +
    exit
    
=====Create keypair=====
 
=====Create keypair=====
Line 751: Line 964:     
=====Start tinc=====
 
=====Start tinc=====
 +
'''Linux:'''
 
* On all servers enable and start tinc
 
* On all servers enable and start tinc
 
     systemctl enable tinc@NoMoreSecrets
 
     systemctl enable tinc@NoMoreSecrets
 
     systemctl start tinc@NoMoreSecrets
 
     systemctl start tinc@NoMoreSecrets
 +
 +
'''FreeBSD:'''
 +
 +
You will need to ensure that tincd is properly configured on '''/etc/rc.conf''' before you attempt to start it:
 +
*Add the following to your /etc/rc.conf:
 +
  #tinc
 +
  tincd_enable="YES"
 +
  tincd_cfg="NoMoreSecrets"
 +
  tincd_flags="-d 2 -L"
 +
*Start tinc with:
 +
  service tincd start
    
Once tinc is up and running on all three servers you should be able to communicate over the 10.0.0.0/24 network.  
 
Once tinc is up and running on all three servers you should be able to communicate over the 10.0.0.0/24 network.  
Line 815: Line 1,040:     
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
 
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
 +
 +
== SOCAT ==
 +
SOCAT can be used to create a simple virtual network between two hosts using UDP and TUN devices. 
 +
 +
'''Note: It is possible to use TCP for this as well, but without the nodelay option it might cause problems.  You can also replace UDP with DTLS to add security to the connection.'''
 +
 +
*IP addresses used in this example:
 +
{| class="wikitable" style="text-align: center; width: 35%"
 +
! Host
 +
! Address
 +
! Mask
 +
|-
 +
| Physical server address
 +
| 1.2.3.4
 +
| N/A
 +
|-
 +
| Physical client address
 +
| N/A
 +
| N/A
 +
|-
 +
| TUN device on server
 +
| 192.168.255.1
 +
| 255.255.255.0
 +
|-
 +
| TUN device on client
 +
| 192.168.255.2
 +
| 255.255.255.0
 +
|}
 +
 +
Note: UDP connections will use PORT 11443.
 +
 +
=== Create TUN devices ===
 +
*TUN Server<syntaxhighlight lang="text">
 +
socat -d -d UDP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up</syntaxhighlight>
 +
 +
*TUN Client<syntaxhighlight lang="text">
 +
socat UDP:1.2.3.4:11443 TUN:192.168.255.2/24,up</syntaxhighlight>
 +
 +
Executing these two commands will result in a connection being established from the client to the server via TUN devices.
 +
 +
=== Troubleshooting ===
 +
The following are common errors that you may encounter when using SOCAT to create a VPN.
 +
*Missing TUN/TAP Support<syntaxhighlight lang="text">
 +
... E unknown device/address "tun"</syntaxhighlight>
 +
 +
The SOCAT binary probably does not provide TUN/TAP support.  Reasons include not using Linux and using an older version of SOCAT.
 +
 +
*Missing Kernel Support<syntaxhighlight lang="text">
 +
,,, E open("/dev/net/tun", 02, 0666): No such file or directory</syntaxhighlight>
 +
 +
This incidates that your kernel does not have TUN/TAP support compiled in.
 +
 +
*TUN Cloning Device Permissions<syntaxhighlight lang="text">
 +
... E open("/dev/net/tun", 02, 0666): Permission denied</syntaxhighlight>
 +
 +
This indicates that you do not have sufficient permission to read or write to the TUN cloning device.  Check the device's permssions and ownership.
    
== SoftEther ==
 
== SoftEther ==
Line 1,059: Line 1,340:     
*You can run it again to add/remove users or completely uninstall WireGuard
 
*You can run it again to add/remove users or completely uninstall WireGuard
 +
 +
=== Mikrotik Wireguard Road Warrior Config ===
 +
From: https://forum.mikrotik.com/viewtopic.php?t=174417#<ref>Mikrotik Forums - MikroTik Wireguard server with Road Warrior clients [https://forum.mikrotik.com/viewtopic.php?t=174417#]</ref>
 +
 +
The following information will show you how to setup a Mikrotik Wireguard server with Road Warrior clients.
 +
 +
==== Network topology ====
 +
The network used in this examples is 192.168.66.0/24.  A Mikrotik device will be the server and client can be any device running the Wireguard software.
 +
{| class="wikitable" style="text-align: center; width: 35%"
 +
! System
 +
! IP Address
 +
|-
 +
| Wireguard server
 +
| 192.168.66.1
 +
|-
 +
| Wireguard client(s)
 +
| 192.168.66.[2-254]
 +
|}
 +
 +
==== Mikrotik Configuration ====
 +
<syntaxhighlight lang="text">
 +
# a private and public key will be automatically generated when adding the wireguard interface
 +
/interface wireguard
 +
add listen-port=13231 mtu=1420 name=wireguard1
 +
 +
/interface wireguard peers
 +
# the first client added here is ipv4 only
 +
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="*** replace-with-public-key-of-first-client ***"
 +
# this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes.
 +
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="*** replace-with-public-key-of-second-client-dual-stack ***"
 +
 +
/ip address
 +
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
 +
 +
/ipv6 address
 +
add address=2001:db8:cafe:beef::1/64 interface=wireguard1
 +
</syntaxhighlight>
 +
 +
==== Client configuration ====
 +
<syntaxhighlight lang="text">
 +
Interface: (whatever name you want to specify)
 +
Public key: the client should automatically generate this - add this to the server above replacing "replace-with-public-key-of-second-client-dual-stack"
 +
Addresses: 192.168.66.3/24,2001:db8:cafe:beef::3/64          (note these are different subnet masks than in the server config)
 +
DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1
 +
 +
Peer:
 +
Public key - get the public key from the wireguard interface on the Mikrotik device and place here
 +
Endpoint - mydyndns.whatever:13231
 +
Allowed IPs: 0.0.0.0/0, ::/0
 +
</syntaxhighlight>
 +
 +
This client configuration will result in all traffic being forwarded via the Mikrotik Wireguard server.  You will need to ensure:
 +
*Create an input chain firewall rule to allow UDP traffic in on port 13231
 +
<syntaxhighlight lang="text">
 +
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
 +
</syntaxhighlight>
 +
*Ensure the Mikrotik firewall is allowing traffic from 192.168.66.0/24 and that you are NATing this traffic.  If your device is based off the default Mikrotik config and using the LAN interface list, you can add the Wireguard interface to this list to allow traffic through and NATing it as it leaves your network.  Otherwise, you will need to modify your configuration accordingly.
 +
 +
==== Get/Set Wireguard Peers ====
 +
*Get Mikrotik Wireguard peers list
 +
<syntaxhighlight lang="text">
 +
/interface wireguard peers print
 +
</syntaxhighlight>
 +
 +
*Set Mikrotik Wireguard peers list
 +
<syntaxhighlight lang="text">
 +
/interface wireguard peers set <ID> allowed-addresses=whatever,whateverelse
 +
</syntaxhighlight>
    
== VPNC ==
 
== VPNC ==

Navigation menu