Virtual Private Networks: Difference between revisions
(16 intermediate revisions by 3 users not shown) | |||
Line 2: | Line 2: | ||
This Page is also available in [[Virtual Private Networks (deutsch)|German]]. |
This Page is also available in [[Virtual Private Networks (deutsch)|German]]. |
||
Diese Seite ist auch |
Diese Seite ist auch auf [[Virtual Private Networks (deutsch)|deutsch]] verfügbar. |
||
=Definition= |
=Definition= |
||
A regular phyiscally existing network consisting of cables and routers/switches/etc is called a '''network'''. You run the various known internet protocols layer 1-4 on it. You can also use those protocols to emulate a '''virtual network''' |
A regular phyiscally existing network consisting of cables and routers/switches/etc is called a '''network'''. You run the various known internet protocols layer 1-4 on it. You can also use those protocols to emulate a '''virtual network'''. If you secure your tunnel as well with various encryption methods one might call the tunneled data a '''virtual private network'''. This is used in various scenarios, mostly for tunneling sensitive information over an inherently insecure architecture - for example to connect two corporate LANs over the internet. |
||
=Theory= |
=Theory= |
||
Virtualization in mostl environments is done in layer 2 (IP). You tunnel the data of the virtual network encapsulated in IP-Packets for example. |
|||
=Implementation= |
=Implementation= |
||
Line 18: | Line 20: | ||
===Preface=== |
===Preface=== |
||
PPTP is best described in RFC 2637. In short, PPTP is used to tunnel the PPP-protocol over IP-networks. It is realized with a Client-Server architecture and works on two logically seperated channels: One control-channel that ist used to control the PPTP-connection. It runs on TCP Port 1723. Second the data-channel on wich the actuall PPP-data is exchanged, encapsulated in GRE-packets. |
|||
How does it work? |
|||
Authentication is done by PPP and the underlying MSCHAPv2 which is broken. Unfortunately there is no way NOT to use Login/Passwords but more secure certificates. That is the reason Microsoft doesn't encourage the use of PPTP anymore. |
|||
Authentication |
|||
Only the data-tunnel is optionally encrypted with MPPE with a maximum keylength of 128bit which makes it a good goal for attacks. The lack of rekeying makes attacks obviously easier. |
|||
Encryption |
|||
===Servers=== |
===Servers=== |
||
There are quite a few implementations of PPTP out in the wild since it's easy to implement and was pushed to market strongly by Microsoft. Most of the broadband hardware-routers support it besides PPPoE etc. We will focus on to servers here: The standard Microsoft-way on Windows 2003 Server and poptop, a userspace daemon for Linux. |
|||
===Implementation Windows=== |
===Implementation Windows=== |
||
===Implementation |
===Implementation Linux=== |
||
The implementation basically consists of three parts: First of all the PPTP-daemon that ist needed to handle the PPTP-connections. Second a PPP-daemon that is needed to dial into the network from the remote site. Last but not least you might want to encrypt your PPTP-Datatunnel. This is accomplished on PPP-Level with mppe. Since it isn't secure and announced obsolete by Microsoft there is no strong will to implement support into the Linuxkernel itself, so you have to patch your kernel to get the module. |
|||
mppe-patch |
|||
====Poptop - The PPTP Server for Linux==== |
|||
pptpd |
|||
I used Debian Sarge as a base system. Your mileage may vary on different platforms, the Setup on a Debian-machine is pretty straight forward. This Howto explains everything step by step: |
|||
[http://poptop.sourceforge.net/dox/debian-howto.phtml Debian-poptop-Howto] |
|||
For the mppe-patch you might wanna use this howto: |
|||
[http://pptpclient.sourceforge.net/howto-debian-build.phtml Debian-MPPE-Howto] |
|||
I can confirm this to be perfectly working on the current sarge-kernel (2.6.8-2). |
|||
You might want to make a menuconfig oder oldconfig to ensure that MPPE-support is being built. |
|||
Just configure |
|||
/etc/modules.conf |
|||
/etc/pptpd.conf |
|||
/etc/ppp/options.pptpd |
|||
/etc/ppp/chap-secrets |
|||
to your needs. You can find some help here: |
|||
[http://poptop.sourceforge.net/dox/ poptop Documentation] |
|||
''modules.conf'' and ''chap-secrets'' don't need to be explained here and also ''options.pptpd'' needs only a few adjustments for your personal setup. Check that the name of the service is correctly referenced in both ''options.pptpd'' and ''chap-secrets''. The most interesting file is ''pptpd.conf''. The options you should have a closer look at are |
|||
bcrelay <if> |
|||
localip/remoteip |
|||
Check that your router is correcty routing VPN-clients between ppp0 and eth0. |
|||
===Clients=== |
===Clients=== |
||
Windows |
====Windows==== |
||
Linux |
====Linux==== |
||
pptclient |
|||
MacOS |
|||
====MacOS==== |
|||
Mac OS X supports VPN-Connections out the box since 10.3. Included are Clients for PPTP and L2TP over IPSec. Unfortunately, not all of the major open source clients seems to have been ported to this platform. But the 10.3+ Clients are well integrated into the OS and provide a basic level functionality that should be sufficient. |
|||
The onboard-Clients are available via "Internet Connect.app" where you can setup new VPN-Connections. |
|||
==IPSec== |
==IPSec== |
||
Line 47: | Line 88: | ||
===Freeswan=== |
===Freeswan=== |
||
===Openswan=== |
|||
==L2TP/IPSec== |
Latest revision as of 13:49, 14 September 2005
Preface
This Page is also available in German.
Diese Seite ist auch auf deutsch verfügbar.
Definition
A regular phyiscally existing network consisting of cables and routers/switches/etc is called a network. You run the various known internet protocols layer 1-4 on it. You can also use those protocols to emulate a virtual network. If you secure your tunnel as well with various encryption methods one might call the tunneled data a virtual private network. This is used in various scenarios, mostly for tunneling sensitive information over an inherently insecure architecture - for example to connect two corporate LANs over the internet.
Theory
Virtualization in mostl environments is done in layer 2 (IP). You tunnel the data of the virtual network encapsulated in IP-Packets for example.
Implementation
OpenVPN
PPTP (Microsoft)
Preface
PPTP is best described in RFC 2637. In short, PPTP is used to tunnel the PPP-protocol over IP-networks. It is realized with a Client-Server architecture and works on two logically seperated channels: One control-channel that ist used to control the PPTP-connection. It runs on TCP Port 1723. Second the data-channel on wich the actuall PPP-data is exchanged, encapsulated in GRE-packets.
Authentication is done by PPP and the underlying MSCHAPv2 which is broken. Unfortunately there is no way NOT to use Login/Passwords but more secure certificates. That is the reason Microsoft doesn't encourage the use of PPTP anymore.
Only the data-tunnel is optionally encrypted with MPPE with a maximum keylength of 128bit which makes it a good goal for attacks. The lack of rekeying makes attacks obviously easier.
Servers
There are quite a few implementations of PPTP out in the wild since it's easy to implement and was pushed to market strongly by Microsoft. Most of the broadband hardware-routers support it besides PPPoE etc. We will focus on to servers here: The standard Microsoft-way on Windows 2003 Server and poptop, a userspace daemon for Linux.
Implementation Windows
Implementation Linux
The implementation basically consists of three parts: First of all the PPTP-daemon that ist needed to handle the PPTP-connections. Second a PPP-daemon that is needed to dial into the network from the remote site. Last but not least you might want to encrypt your PPTP-Datatunnel. This is accomplished on PPP-Level with mppe. Since it isn't secure and announced obsolete by Microsoft there is no strong will to implement support into the Linuxkernel itself, so you have to patch your kernel to get the module.
Poptop - The PPTP Server for Linux
I used Debian Sarge as a base system. Your mileage may vary on different platforms, the Setup on a Debian-machine is pretty straight forward. This Howto explains everything step by step:
For the mppe-patch you might wanna use this howto:
I can confirm this to be perfectly working on the current sarge-kernel (2.6.8-2). You might want to make a menuconfig oder oldconfig to ensure that MPPE-support is being built.
Just configure
/etc/modules.conf
/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets
to your needs. You can find some help here:
modules.conf and chap-secrets don't need to be explained here and also options.pptpd needs only a few adjustments for your personal setup. Check that the name of the service is correctly referenced in both options.pptpd and chap-secrets. The most interesting file is pptpd.conf. The options you should have a closer look at are
bcrelay <if> localip/remoteip
Check that your router is correcty routing VPN-clients between ppp0 and eth0.
Clients
Windows
Linux
pptclient
MacOS
Mac OS X supports VPN-Connections out the box since 10.3. Included are Clients for PPTP and L2TP over IPSec. Unfortunately, not all of the major open source clients seems to have been ported to this platform. But the 10.3+ Clients are well integrated into the OS and provide a basic level functionality that should be sufficient. The onboard-Clients are available via "Internet Connect.app" where you can setup new VPN-Connections.