Virtual Private Networks

From SarWiki

Preface

This page is also available in German.

Definition

A regular, physically existing network consisting of cables, routers, switches, etc. is called a network. You run the various known internet protocols (layers 1-4) on it. You can also use those protocols to emulate a virtual network. If you also secure the tunnel with one of the various encryption methods, the tunneled data may be called a virtual private network. This is used in various scenarios, mostly for tunneling sensitive information over an inherently insecure infrastructure, for example to connect two corporate LANs over the internet.

Theory

Virtualization in most environments is done on top of IP: the data of the virtual network is tunneled encapsulated in IP packets, for example.

Implementation

OpenVPN

PPTP (Microsoft)

Preface

PPTP is best described in RFC 2637. In short, PPTP is used to tunnel the PPP protocol over IP networks. It is realized with a client-server architecture and works on two logically separated channels: first, a control channel that is used to control the PPTP connection; it runs on TCP port 1723. Second, the data channel on which the actual PPP data is exchanged, encapsulated in GRE packets.
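The two-channel layout matters for anyone watching a firewall or server log: a working PPTP session shows up as a TCP connection to port 1723 plus GRE (IP protocol 47) traffic from the same peer. The script below is an added example (not from the original page): it classifies constructed netfilter-style log lines into control, data and other, and lists peers that sent GRE without ever opening a control connection, which is worth a closer look since the control channel is what sets the data tunnel up. The hosts, log format and line contents are made up for the example.

```python
"""
Classify firewall log lines into the two PPTP channels:
control (TCP port 1723) and data (GRE, IP protocol 47).
Log lines are constructed for this example in a netfilter-like
"KEY=VALUE" style; they are not real captures.
"""
import re
from collections import Counter

# Constructed sample lines (hypothetical hosts 192.0.2.x / 198.51.100.x).
SAMPLE_LOG = """\
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=1723
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=47
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=47
IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=47
IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=5353
"""

PPTP_CONTROL_PORT = 1723   # RFC 2637 control connection, TCP
GRE_PROTOCOL = 47          # IP protocol number of GRE (data channel)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn 'K=V K=V ...' into a dict of strings."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Return 'control', 'data' or 'other' for one parsed log line."""
    proto = fields.get("PROTO", "")
    if proto == "TCP" and fields.get("DPT") == str(PPTP_CONTROL_PORT):
        return "control"
    if proto in (str(GRE_PROTOCOL), "GRE"):
        return "data"
    return "other"


def summarize(log_text):
    """
    Count lines per channel and list peers that sent GRE data without any
    control-connection line in the same log.
    """
    counts = Counter()
    control_peers, data_peers = set(), set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        kind = classify(fields)
        counts[kind] += 1
        src = fields.get("SRC")
        if kind == "control":
            control_peers.add(src)
        elif kind == "data":
            data_peers.add(src)
    return {
        "counts": dict(counts),
        "gre_without_control": sorted(data_peers - control_peers),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it as-is to see the summary for the sample log; on a real system you would feed it the relevant lines from the kernel log instead of `SAMPLE_LOG`. Note that a control connection logged in an earlier, rotated log file would also show up as "GRE without control", so treat the list as a pointer, not a verdict.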

Authentication is done by PPP and the underlying MSCHAPv2, which is broken. Unfortunately there is no way to use more secure certificates instead of logins and passwords. That is the reason Microsoft doesn't encourage the use of PPTP anymore.

Only the data tunnel is encrypted, and only optionally, with MPPE and a maximum key length of 128 bit, which makes it a good target for attacks. The lack of rekeying obviously makes attacks easier.

Servers

There are quite a few implementations of PPTP out in the wild, since it is easy to implement and was pushed to market strongly by Microsoft. Most broadband hardware routers support it besides PPPoE etc. We will focus on two servers here: the standard Microsoft way on Windows 2003 Server, and poptop, a userspace daemon for Linux.

Implementation Windows

Implementation Linux

The implementation basically consists of three parts: first, the PPTP daemon that is needed to handle the PPTP connections. Second, a PPP daemon that is needed to dial into the network from the remote site. Last but not least, you might want to encrypt your PPTP data tunnel. This is accomplished on the PPP level with MPPE. Since MPPE isn't secure and has been announced obsolete by Microsoft, there is no strong will to implement support in the Linux kernel itself, so you have to patch your kernel to get the module.

Poptop - The PPTP Server for Linux

I used Debian Sarge as a base system. Your mileage may vary on different platforms; the setup on a Debian machine is pretty straightforward. This howto explains everything step by step:

Debian-poptop-Howto

For the MPPE patch you might want to use this howto:

Debian-MPPE-Howto

I can confirm this to be working perfectly on the current Sarge kernel (2.6.8-2). You might want to run a menuconfig or oldconfig to ensure that MPPE support is being built.

Just configure

/etc/modules.conf

/etc/pptpd.conf

/etc/ppp/options.pptpd

/etc/ppp/chap-secrets

to your needs. You can find some help here:

poptop Documentation

modules.conf and chap-secrets don't need to be explained here, and options.pptpd only needs a few adjustments for your personal setup. Check that the name of the service is correctly referenced in both options.pptpd and chap-secrets. The most interesting file is pptpd.conf. The options you should have a closer look at are

bcrelay <if>

localip / remoteip

Check that your router is correctly routing VPN clients between ppp0 and eth0.
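The three files above are easy to get subtly wrong: the `name` in options.pptpd has to match the server column in chap-secrets, pptpd.conf needs localip/remoteip, and because MPPE is optional (see the preface), the PPP options should demand MSCHAPv2 with 128-bit MPPE explicitly rather than leave it to the client. The checker below is an added example, not poptop's own code: it parses constructed copies of the three files and reports what is missing, once for a weak options.pptpd and once for a hardened one. The option names are the real pppd/pptpd ones (`localip`, `remoteip`, `bcrelay`, `name`, `refuse-pap`, `refuse-chap`, `refuse-mschap`, `require-mschap-v2`, `require-mppe-128`, `nomppe-stateful`); the service name, users, secrets and addresses are made up.

```python
"""
Sanity-check a poptop setup: service name consistent between
options.pptpd and chap-secrets, localip/remoteip present in pptpd.conf,
and PPP options that require MSCHAPv2 plus 128-bit MPPE.
All config texts below are constructed for this example.
"""
import shlex

# --- constructed sample configs ---------------------------------------
PPTPD_CONF = """\
option /etc/ppp/options.pptpd
localip 10.8.0.1
remoteip 10.8.0.100-150
bcrelay eth0
"""

# Weak variant: encryption left optional, older auth methods accepted,
# and the service name does not match chap-secrets.
OPTIONS_WEAK = """\
name pptpd
auth
"""

# Hardened variant: refuse everything except MSCHAPv2 with 128-bit MPPE.
OPTIONS_HARDENED = """\
name vpn-server
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
"""

CHAP_SECRETS = """\
# client    server      secret          IP addresses
alice       vpn-server  "s3cr3t-alice"  *
bob         vpn-server  "s3cr3t-bob"    10.8.0.120
"""


def parse_keyvals(text):
    """'key value' lines -> dict; bare flags map to True; comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        out[parts[0]] = parts[1] if len(parts) > 1 else True
    return out


def parse_chap_secrets(text):
    """Return the set of server names referenced in chap-secrets."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)   # handles quoted secrets
        if len(fields) >= 3:
            servers.add(fields[1])
    return servers


def check_setup(pptpd_conf, options_pptpd, chap_secrets):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    conf = parse_keyvals(pptpd_conf)
    opts = parse_keyvals(options_pptpd)
    servers = parse_chap_secrets(chap_secrets)

    for key in ("localip", "remoteip"):
        if key not in conf:
            findings.append(f"pptpd.conf: missing {key}")

    name = opts.get("name")
    if not isinstance(name, str):
        findings.append("options.pptpd: no 'name' option")
    elif name not in servers:
        findings.append(f"chap-secrets: no entry for server '{name}'")

    if "require-mppe-128" not in opts:
        findings.append("options.pptpd: require-mppe-128 missing (encryption optional)")
    for weak in ("refuse-pap", "refuse-chap", "refuse-mschap"):
        if weak not in opts:
            findings.append(f"options.pptpd: missing {weak}")
    if "require-mschap-v2" not in opts:
        findings.append("options.pptpd: missing require-mschap-v2")
    return findings


if __name__ == "__main__":
    for label, opts in (("weak", OPTIONS_WEAK), ("hardened", OPTIONS_HARDENED)):
        print(label, check_setup(PPTPD_CONF, opts, CHAP_SECRETS) or ["ok"])
```

To use it on a real box, replace the three constants with the contents of /etc/pptpd.conf, /etc/ppp/options.pptpd and /etc/ppp/chap-secrets. Requiring 128-bit MPPE does not fix the weaknesses of MSCHAPv2 or the missing rekeying described in the preface; it only stops clients from negotiating no encryption or a 40-bit key.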

Clients

Windows

Linux

pptpclient

MacOS

Mac OS X supports VPN connections out of the box since 10.3. Included are clients for PPTP and for L2TP over IPSec. Unfortunately, not all of the major open source clients seem to have been ported to this platform. But the 10.3+ clients are well integrated into the OS and provide a basic level of functionality that should be sufficient. The onboard clients are available via "Internet Connect.app", where you can set up new VPN connections.

IPSec

isakmpd (originally OpenBSD)

Freeswan

Openswan

L2TP/IPSec