VPN using SSH
Implementing a secure Unix to Unix Virtual Private Network
Gary Stainburn
Ringways Garages Ltd.

Andrew's Talk
• Excellent talk covering theory and history
• Implemented pptp - the most common use of VPN
• However, my way is better.

Ssh is better, why?
• Always secure - no need to patch the kernel
• True Unix to Unix connection.
• Better for LAN to LAN.
• Modular
– ssh (zlib, ssl, ssh)
– port redirector
– pppd

Why VPN
• Look at an APN.
– Existing Ringways APN (a.k.a. WAN)

Proposed Internet Link
• Ringways were looking for an internet link

Suggested VPN
• Suggested replacing existing lines with:

Actually Went With

What if we grow?

Definitely VPN

Points to Consider
• APN
– Cost of line vs benefits received
– Who meets costs?
• VPN
– No cost if link already available
– Split cost if not already available

Implications
• Lower costs = more uses
• More uses = more connections
• More connections = more access points

Security
• Firewall - one point of access
• Multiple access points
• Weakness in remote end - Win95?
• Other people administering
• Treat VPN users as notebook users

Security - Server
• When planning to set up a VPN server
– Needs public access
– Can be behind firewall - Ssh works over NAT
– Preferably no other access
– Can be on firewall
So, how's it work?
• Uses an existing unsecured network
• Runs a Ssh session over that connection
• Redirects a pppd session over it.

Ssh - So, what do I need?
• For RedHat 6 systems:
– zlib-1.1.3-6.i386.rpm - already installed
– openssl-0.9.5a.i386.rpm
– openssh-2.1.1p2-1.i386.rpm
– openssh-clients-2.1.1p2-1.i386.rpm
– openssh-server-2.1.1p2-1.i386.rpm
– pppd

Ssh - So, what do I need?
• For everything else:
– zlib-1.1.3.tar.gz - ftp://ftp.cdrom.com/pub/infozip/zlib
– openssl-0.9.5a.tar.gz - http://www.openssl.org
– openssh-2.1.1p2.tar.gz - http://www.openssh.com
– pppd

Ssh - So what do I do?
• For RedHat 6 systems:
– rpm -i openssl-0.9.5a.i386.rpm
– rpm -i openssh-2.1.1p2-1.i386.rpm
– rpm -i openssh-clients-2.1.1p2-1.i386.rpm
– rpm -i openssh-server-2.1.1p2-1.i386.rpm

Ssh - So what do I do?
• For everything else:
– untar zlib-1.1.3.tar.gz
– ./configure
– make
– make test
– make install

Ssh - So what do I do?
• For everything else:
– untar openssl-0.9.5a.tar.gz
– ./config
– make
– make test
– make install

Ssh - So what do I do?
• For everything else:
– untar openssh-2.1.1p2.tar.gz
– ./configure
– make
– make install

Ssh - So what do I do?
• As root run:
– ssh-keygen
• This creates the .ssh directory.
• This contains the private and public keys.
• Create authorized_keys from the public key

Ssh - So what do I do?
• Copy identity.pub from the client machine to the server machine
– Client = makes the call
– Server = receives the call
• Append this file to /root/.ssh/authorized_keys
• Make sure sshd is running on the server

Ssh - How do I test it
• On the client
– ssh <servername>
• If you have done everything correctly you should now have a Ssh session open and the command prompt of the server machine on-screen.
So what's next - Server
• Edit /etc/ppp/options to include:
– ipcp-accept-local
– ipcp-accept-remote
– proxyarp
– noauth

So what's next - Server
• Create a vpnusers group and user
– Add group vpnusers to /etc/group
• vpnusers:*:504:
– Add user vpnusers to /etc/passwd
• vpnusers:*:504:504:VPN User:/home/vpnusers:/usr/sbin/pppd
– mkdir /home/vpnusers
– chown vpnusers:vpnusers /home/vpnusers

So what's next - Server
• Create the /home/vpnusers/.ssh directory
• Create the file .ssh/authorized_keys
• Add the public keys of everyone who needs access.
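The three server-side slides above (pppd options, the vpnusers account whose login shell is pppd, and the authorized_keys file) collected into one repeatable script. This is an added example, not code from the talk or from the vpnd package; it assumes a Linux host with groupadd/useradd, pppd at /usr/sbin/pppd, and the vpnusers name and id 504 from the slides. Every file-handling function takes an optional root prefix so it can be tried against a scratch directory without touching the real /etc.

```shell
#!/bin/sh
# Added example, not from the slides: server-side setup for the SSH/pppd VPN.
# Assumptions: Linux with groupadd/useradd, pppd at /usr/sbin/pppd, account
# vpnusers with uid/gid 504 as in the slides.  A root prefix argument lets the
# file handling run against a scratch directory.
set -eu

VPN_USER=vpnusers
VPN_ID=504
PPPD=/usr/sbin/pppd

# The four options the slides add to /etc/ppp/options.
render_pppd_options() {
    printf '%s\n' ipcp-accept-local ipcp-accept-remote proxyarp noauth
}

# Append the options to PREFIX/etc/ppp/options, skipping lines already
# present so that re-running the script never duplicates an option.
install_pppd_options() {
    root=${1:-}
    f="$root/etc/ppp/options"
    mkdir -p "$root/etc/ppp"
    touch "$f"
    render_pppd_options | while read -r opt; do
        grep -qx -- "$opt" "$f" || printf '%s\n' "$opt" >>"$f"
    done
}

# The /etc/passwd line for the account.  The login shell is pppd itself, so an
# SSH login as this user can start nothing but the PPP daemon.
passwd_entry() {
    printf '%s:*:%s:%s:VPN User:/home/%s:%s\n' \
        "$VPN_USER" "$VPN_ID" "$VPN_ID" "$VPN_USER" "$PPPD"
}

# Create the group and user (root only); the result matches passwd_entry.
create_vpn_account() {
    getent group "$VPN_USER" >/dev/null 2>&1 || groupadd -g "$VPN_ID" "$VPN_USER"
    getent passwd "$VPN_USER" >/dev/null 2>&1 || \
        useradd -u "$VPN_ID" -g "$VPN_ID" -d "/home/$VPN_USER" -m \
                -s "$PPPD" -c "VPN User" "$VPN_USER"
}

# Create HOME/.ssh/authorized_keys with the modes sshd's StrictModes check
# accepts (700 on .ssh, 600 on the file) and append the given public keys.
# Both SSH1 identity.pub lines ("1024 35 ...") and ssh-* lines are accepted;
# anything else is rejected so a stray file never ends up in the key list.
install_authorized_keys() {
    home=$1; shift
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    for pub in "$@"; do
        grep -Eq '^(ssh-|[0-9]+ )' "$pub" || { echo "not a public key: $pub" >&2; return 1; }
        cat "$pub" >>"$home/.ssh/authorized_keys"
    done
}

# Number of keys installed, for a post-install check.
authorized_key_count() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_pppd_options ""
    create_vpn_account
    install_authorized_keys "/home/$VPN_USER" "$@"
    chown -R "$VPN_USER:$VPN_USER" "/home/$VPN_USER"
    echo "installed $(authorized_key_count "/home/$VPN_USER") key(s)"
}

# Usage: sh vpn-server-setup.sh --apply client1.pub client2.pub
if [ "${1:-}" = "--apply" ]; then shift; main "$@"; fi
```

Because the account's only shell is pppd and the key file is the only credential, removing a client's access is a matter of deleting its line from authorized_keys; nothing else on the server needs to change.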
So what's next - Client
• As root run:
– mkdir /root/.ssh
– ssh-keygen -f /root/.ssh/identity.vpn -P ""
– Add the new file identity.vpn.pub to the authorized_keys on the server.

So what's next - Client
– Get http://www.shinythings.com/vpnd/vpnd.tar.gz
– Unzip it into /usr/local/vpn
– Copy pty-redir to /usr/sbin

So what's next - Client
• As root run:
– pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpnusers curly >/tmp/vpn-device
– sleep 10
– /usr/sbin/pppd `cat /tmp/vpn-device`
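The client-side sequence above as a script, added here as an example and not taken from the talk or from vpnd. It assumes pty-redir in /usr/sbin, the server name curly, the key /root/.ssh/identity.vpn and the vpnusers account from the slides. The fixed "sleep 10" is replaced by polling the device file: pppd only starts once pty-redir has actually written a pty name, and anything else in the file (an ssh error message, for instance) aborts instead of being handed to pppd as a device.

```shell
#!/bin/sh
# Added example, not from the slides: client connect script around
# pty-redir / ssh / pppd.  Assumptions: pty-redir in /usr/sbin, server "curly",
# key /root/.ssh/identity.vpn, account vpnusers (all from the slides).
set -eu

SERVER=${VPN_SERVER:-curly}
IDENTITY=/root/.ssh/identity.vpn
DEVFILE=/tmp/vpn-device

# Accept only a pty path as pty-redir prints it (Unix98 /dev/pts/N or the
# older /dev/ttyp0-style names); anything else must not reach pppd.
is_pty_path() {
    case "$1" in
        /dev/pts/[0-9]*|/dev/tty[p-z][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the device file instead of sleeping a fixed time.  Prints the device
# name as soon as pty-redir has written one; fails at once if the file holds
# something that is not a pty name, or after $2 seconds if nothing appears.
wait_for_device() {
    file=$1; timeout=${2:-10}; i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -s "$file" ]; then
            dev=$(head -n 1 "$file")
            if is_pty_path "$dev"; then
                printf '%s\n' "$dev"
                return 0
            fi
            return 1
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Bring the link up: pty-redir allocates a pty, prints its name and runs ssh
# on it; BatchMode makes ssh fail rather than prompt if the key is refused,
# so the script can never hang waiting for a password.
connect() {
    rm -f "$DEVFILE"
    pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish \
        -i "$IDENTITY" -l vpnusers "$SERVER" >"$DEVFILE"
    dev=$(wait_for_device "$DEVFILE" 15) || {
        echo "vpn: no pty from pty-redir, ssh output was:" >&2
        cat "$DEVFILE" >&2
        exit 1
    }
    exec /usr/sbin/pppd "$dev"
}

# Usage: sh vpn-connect.sh --connect   (as root)
if [ "${1:-}" = "--connect" ]; then connect; fi
```

The ssh options are the slides' own: -t allocates a tty for pppd to talk through, -e none turns off the escape character so binary PPP data passes untouched, and the cipher and SSH1-style identity file are what OpenSSH 2.1 offered at the time; current OpenSSH releases no longer ship blowfish or SSH1 keys, so on a modern host the -c and -i arguments are the first things to revisit.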
And Finally
• On the client and the server
– Edit /etc/ppp/ip-up to add routes across the VPN
– Edit /etc/ppp/ip-down to remove them afterwards.
• What's left
– Modify the vpnd script to match your configuration to make admin easier.
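The ip-up/ip-down step above, written as one script that serves both purposes. This is an added example, not from the talk or vpnd; it assumes the far LAN is handed to the script as NETWORK/NETMASK through pppd's ipparam option (192.0.2.0/255.255.255.0 is a constructed placeholder), that the net-tools route command is in use as it was on RedHat 6, and that ROUTE_CMD can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not from the slides: /etc/ppp/ip-up and /etc/ppp/ip-down in
# one file.  Assumptions: far LAN passed as NET/MASK via pppd's ipparam option
# (192.0.2.0/255.255.255.0 below is a constructed placeholder), net-tools
# "route", and ROUTE_CMD overridable for a dry run.
set -eu
ROUTE_CMD=${ROUTE_CMD:-route}

# Build the route command for a link.  $1 is "add" or "del", $2 the ppp
# interface, $3 the ipparam string.  Anything that is not NET/MASK is refused
# so a missing or mistyped ipparam never turns into a route for 0.0.0.0.
route_for_link() {
    action=$1; iface=$2; ipparam=$3
    net=${ipparam%/*}; mask=${ipparam#*/}
    [ "$net" != "$ipparam" ] && [ -n "$net" ] && [ -n "$mask" ] || return 1
    printf '%s %s -net %s netmask %s dev %s\n' \
        "$ROUTE_CMD" "$action" "$net" "$mask" "$iface"
}

# Run the command built above (word splitting of $cmd is intentional).
apply_route() {
    cmd=$(route_for_link "$@") || { echo "$0: bad ipparam '${3:-}'" >&2; return 1; }
    $cmd
}

# pppd invokes ip-up and ip-down as: IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM.
# Install this file as /etc/ppp/ip-up and copy or hard-link it to
# /etc/ppp/ip-down; the name it was invoked under picks the action.
case "$(basename "$0")" in
    ip-up)   apply_route add "$1" "${6:-}" ;;
    ip-down) apply_route del "$1" "${6:-}" ;;
esac
```

The pppd side then needs only an extra option, for instance "ipparam 192.0.2.0/255.255.255.0" on the client's pppd command line and the matching client LAN in the server's /etc/ppp/options, and the routes appear and disappear with the link instead of being left behind when it drops.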
That's it.
• We're done, so what have we done?
– We've got ssh working
– We've configured a server to receive calls
– We've configured a client to make a call
– We've routed traffic across the VPN