UNI-FIX Computer

Set up quick and easy VPN access using the Point-to-Point Tunneling Protocol.

The Point-to-Point Tunneling Protocol (PPTP) is basically a means to set up PPP tunnels [Hack #81] automatically without needing to manually start a PPP daemon on the remote machine. The main benefit of using PPTP is that both Windows and Mac OS X natively support the creation of VPN connections, and both provide easy-to-use GUIs for setting up the connections on the client side. Thus, you can provide a VPN solution without much effort on your users’ part.

To set up the server end, you can use PoPToP (http://www.poptop.org), an open source PPTP server. You can get a very simple PPTP VPN going with minimal effort—just download the source distribution and unpack it, then go into the directory it created.

After you’ve done that, you can run this command to compile it:

$ ./configure && make

Then become root and run this command to install PoPToP:

# make install

The PPTP daemon that this installs is called pptpd. Now you’ll need to create a configuration file for pptpd (i.e., /etc/pptpd.conf) and a pppd options file to use with it.

Here’s a suitable /etc/pptpd.conf to start out with:

option /etc/ppp/options.pptpd

localip 10.0.0.1

remoteip 10.0.0.2-100

This defines the IP address of the local end of the PPTP connection as 10.0.0.1 and creates a pool of addresses to be dynamically allocated to clients (i.e., 10.0.0.2-100). When you create your pptpd.conf file, you should use addresses from the range used by your internal network. In addition, this configuration file tells pptpd to set up the PPP interface using /etc/ppp/options.pptpd when it starts pppd. Otherwise it would use the default of /etc/ppp/options, which probably isn’t what you want.

Now you’ll need to create the aforementioned /etc/ppp/options.pptpd:

lock

name pptpd

auth

These options basically tell pppd to use authentication (auth), and indicate what entries in the /etc/ppp/chap-secrets file correspond to this instance of pppd (name pptpd). So, to finish configuring authentication for pptpd, you’ll need to create an entry for each client in the /etc/ppp/chap-secrets file.

Here’s a simple entry that allows someone with the username of andrew to connect with the password mypassword from any remote IP address:

# Secrets for authentication using CHAP

# client server secret IP addresses

andrew pptpd mypassword *

The pptpd in the server field should be replaced with whatever you used in the name directive in your /etc/ppp/options.pptpd file (if you didn’t use pptpd). You can of course limit the client to specific IP addresses by listing them.

Now that you have a basic setup for PoPToP , you can try it out by connecting to it with a Windows machine. Go to your Network Connections folder and click “Create a new connection” (this is for Windows XP; for Windows 2000, look for “Make New Connection”). After you click this, a wizard dialog should appear that looks similar to Figure 6-1.
Figure 6-1. Windows XP’s New Connection Wizard

Click Next and then select the “Connect to the network at my workplace” radio button, as shown in Figure 6-2.
Figure 6-2. Choosing the connection type

After you’ve done that, click Next again and then click the “Virtual Private Network connection” radio button. You should now see something similar to Figure 6-3.
Figure 6-3. Selecting a VPN connection

Click Next and fill in a name for the newly created connection (e.g., PoPToP Test). After you’ve done that, click Next once again and then enter the external IP address of the server running pptpd. Now click Next and then Finish. You’ll then be presented with a login dialog similar to the one shown in Figure 6-4.
Figure 6-4. The connection login dialog

Before entering the username and password that you specified in the /etc/ppp/chap-secrets file, you’ll need to click Properties and locate the Security tab. After you’ve done that, locate the “Require data encryption” checkbox and uncheck it. You should now see something similar to Figure 6-5.
Figure 6-5. Changing the security properties

Now click OK, enter your login information, and then click Connect. In a few seconds you should be connected to the PPTP server and will be allocated an IP address from the pool that you specified. You should now test the connection by pinging the remote end of the tunnel. With the PPTP connection active, all traffic leaving the client side will be encrypted and sent to the PoPToP server. From there, traffic will make its way to its ultimate destination.

Secure your traffic in Linux with FreeS/WAN.

The most popular way of configuring IPsec connections under Linux is to use the FreeS/WAN (http://www.freeswan.org) package. FreeS/WAN is made up of two components, KerneL IP Security (KLIPS) and pluto. KLIPS is the kernel-level code that actually encrypts and decrypts the data; it also manages the Security Policy Database (SPD). pluto is a user-land daemon that controls IKE negotiation.

The FreeS/WAN build process builds a new kernel and the required management utilities. Download the latest FreeS/WAN source from the project’s web site and unpack the source tree in /usr/src. The documentation that comes with FreeS/WAN is very extensive and can help you tailor the installation to suit your needs. The kernel component can be either installed as a kernel-loadable module or statically compiled directly into your kernel. In order to compile FreeS/WAN, the kernel source must be installed on your machine. During the compilation process, the kernel configuration utility will launch. This is normal. Compile FreeS/WAN using your kernel configuration method of choice (such the menu-based or X11-based options). Once the compilation is complete, install the kernel and user-land tools per the FreeS/WAN documentation (typically a make install will suffice).

FreeS/WAN configuration is controlled by two configuration files: /etc/ipsec.conf and /etc/ipsec.secrets. The examples given in this hack are very limited in scope and apply only to a wireless network. The manpages for both files are quite informative and useful for more complicated connection requirements. Another excellent resource for more information is the book Building Linux Virtual Private Networks (VPNs), by Oleg Kolesnikov and Brian Hatch (New Riders).

The ipsec.conf file breaks a VPN connection into right- and lefthand segments. This difference is merely a logical division. The lefthand side can be either the internal or external network; this allows the same configuration file to be used for both ends of a VPN network-to-network tunnel. Unfortunately, in our case, there will be differences between the client and gateway configurations.

The file is broken up into a configuration section (config) and a connection section (conn). The config section specifies basic parameters for Ipsec, such as available interfaces and specific directives to be passed to pluto. The conn section describes the various connections that are available to the VPN. There is a global conn section (conn %default) where you can specify values that are common to all connections, such as the lifetime of a key and the method of key exchange.

The following ipsec.conf encrypts all information to the Internet with a VPN endpoint on your gateway:

# /etc/ipsec.conf

# Set configuration options

config setup

interfaces=%defaultroute

# Debug parameters. Set either to “all” for more info

klipsdebug=none

plutodebug=none

# standard Pluto configuration

plutoload=%search

plutostart=%search

# make sure there are no PMTU Discovery problems

overridemtu=1443

# default configuration settings

conn %default

# Be aggressive in rekeying attempts

keyingtries=0

# use IKE

keyexchange=ike

keylife=12h

# use shared secrets

authby=secret

# setup the VPN to the Internet

conn wireless_connection1

type=tunnel

# left is the client side

left=192.168.0.104

# right is the internet gateway

right=192.168.0.1

rightsubnet=0.0.0.0/0

# automatically start the connection

auto=start

Now add the shared secret to ipsec.secrets:

192.168.0.104 192.168.0.1: PSK “supersecret”

That’s it. Once your gateway is configured, try to ping your default gateway. pluto will launch automatically and the connection should come up. If you have a problem reaching the gateway, check the syslog messages on both the client and gateway.

The gateway configuration is largely the same as the client configuration. Given the intelligence of the ipsec.conf file, very few changes need to be made. Since your gateway has more than one Ethernet interface, you should hard-set the IPsec configuration to use the right interface:

# assume internal ethernet interface is eth0

interfaces=”ipsec0=eth0″

You will then need to add a connection for each internal client. This can be handled in different ways as your network scales, but the following configuration should work for a reasonable number of clients:

…

conn wireless_connection2

type=tunnel

left=192.168.0.105

right=192.168.0.1

rightsubnet=0.0.0.0/0

auto=start

conn wireless_connection3

type=tunnel

left=192.168.0.106

right=192.168.0.1

rightsubnet=0.0.0.0/0

auto=start

…

Finally, add the shared secrets for all the clients to ipsec.secrets:

192.168.0.105 192.168.0.1: PSK “evenmoresecret”

192.168.0.106 192.168.0.1: PSK “notsosecret”

Clients should now be connecting to the Internet via a VPN tunnel to the gateway. Check the log files or turn up the debug level if the tunnel does not come up.

Make your firewall ruleset do the work for you when you want to collect statistics.

If you want to start collecting statistics on your network traffic but dread setting up SNMP, you don’t have to worry. You can use the firewalling code in your operating system to collect statistics for you.

For instance, if you were using Linux, you could use iptables commands similar to the following to keep track of bandwidth consumed by a particular machine that passes traffic through your firewall:

# iptables -N KRYTEN && iptables -A KRYTEN -j ACCEPT

# iptables -N KRYTEN_IN && iptables -A KRYTEN_IN -j KRYTEN

# iptables -N KRYTEN_OUT && iptables -A KRYTEN_OUT -j KRYTEN

# iptables -A FORWARD -s 192.168.0.60 -j KRYTEN_OUT

# iptables -A FORWARD -d 192.168.0.60 -j KRYTEN_IN

This leverages the packet and byte counters associated with each iptables rule to provide input and output bandwidth statistics for traffic forwarded through the firewall. It works by first defining a chain named KRYTEN, which is named after the host that the statistics will be collected on. This chain contains an unconditional accept rule and will be used to quickly add up the total bandwidth that kryten consumes. To itemize the downstream bandwidth kryten is using, another chain is created called KRYTEN_IN. This chain contains only one rule, which is to unconditionally jump to the KRYTEN chain in order for the inbound bandwidth to be added with the outbound bandwidth being consumed. Similarly, the KRYTEN_OUT chain tallies outbound bandwidth being consumed and then jumps to the KRYTEN chain so that the outbound bandwidth will be added to the inbound bandwidth being consumed. Finally, rules are added to the FORWARD chain that direct the packet to the correct chain, depending on whether it’s coming from or going to kryten.

After applying these rules, you can then view the total bandwidth (inbound and outbound) consumed by kryten by running a command like this:

# iptables -vx -L KRYTEN

Chain kryten (2 references)

pkts bytes target prot opt in out source destination

442 46340 ACCEPT all — any any anywhere anywhere

You can easily parse out the bytes field, and thereby generate graphs with RRDtool [Hack #62], by using a command like this:

# iptables -vx -L KRYTEN | egrep -v ‘Chain|pkts’ | awk ‘{print $2}’

To get the inbound or outbound bandwidth consumed, just replace KRYTEN with KRYTEN_IN or KRYTEN_OUT, respectively. Of course, you don’t have to limit your statistic collection criteria to just per-computer bandwidth usage. You can collect statistics on anything that you can create an iptables rule for, including ports, MAC addresses, or just about anything else that passes through your network.

Use Argus to monitor your network and to keep an audit trail of your traffic.

Wouldn’t it be nice if you could keep a complete record of everything that happened on your network? It would certainly help to track down problems and would be invaluable in the event of a security incident, but it would just take up too much space to keep all of that data around. The next best thing would be to keep a log of all the packets, but not actually keep the data. You can do this with Argus (http://www.qosient.com/argus/).

Argus, or the Audit Record Generation and Utilization System, is a tool that can log network transactions in a variety of ways and can even collect performance metrics on every connection that it is able to see. Argus also contains several utilities that can make queries against the logs, so you can easily extract the information you need. These tools allow you to generate ASCII-, RMON-, or XML-formatted information from an Argus log file. Argus also provides a Perl interface for accessing its log files, so you can easily write custom scripts to make use of the data it collects.

To set up Argus, you’ll first need to download the source distribution and unpack it. Then change into the directory that it creates:

$ tar xfz argus-2.0.5.tar.gz

$ cd argus-2.0.5

To compile Argus, run this command:

$ ./configure && make

After compilation has finished, you can install Argus by becoming root and running this command:

# make install

To get a quick demo of Argus, run it and then let it collect some data for a little while:

# argus -d -e `hostname` -w /tmp/arguslog

This command will start argus in daemon mode and have it write its logs to /tmp/argus.

After letting it collect some data, try querying it with the ra command. This will show you an ASCII representation of the packets that argus has logged:

$ ra -r /tmp/arguslog

12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT

12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT

12 Jan 04 05:43:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT

12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT

12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM

12 Jan 04 05:43:34 udp sunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT

12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT

12 Jan 04 05:44:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT

12 Jan 04 05:44:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT

12 Jan 04 05:45:06 udp sunder.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm TIM

12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON

12 Jan 04 05:44:28 nvl 0:c0:2:57:98:79 -> Broadcast INT

12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT

12 Jan 04 05:45:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT

12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST

12 Jan 04 05:45:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT

This is just a few minutes of logs from one host, but it is stored in a very compact manner. In fact, during testing, a whole day’s worth of logs consumed only 1.4 MB!

The ra command can also take tcpdump-style filters so that you can query the logs for packets that match a specific host, protocol, port, or any number of other characteristics.

For instance, if you wanted to query the logs for all packets sent either to or from the host named kryten, you could used a command similar to this one:

$ ra -r /tmp/argus – “host kryten”

12 Jan 04 09:26:34 udp kryten.nnc.55689 -> 255.255.255.255.2222 TIM

12 Jan 04 09:26:36 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST

12 Jan 04 09:27:37 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST

12 Jan 04 09:28:34 udp kryten.nnc.55691 -> 255.255.255.255.2222 TIM

12 Jan 04 09:28:05 icmp kryten.nnc <-> linux-vmm.nnc ECO

12 Jan 04 09:28:06 icmp kryten.nnc <-> linux-vmm.nnc ECO

12 Jan 04 09:29:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST

12 Jan 04 09:30:34 udp kryten.nnc.55692 -> 255.255.255.255.2222 TIM

12 Jan 04 09:32:34 udp kryten.nnc.55693 -> 255.255.255.255.2222 TIM

12 Jan 04 09:33:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST

12 Jan 04 09:34:34 udp kryten.nnc.55694 -> 255.255.255.255.2222

12 Jan 04 09:53:44 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST

You can also generate a new Argus log file containing only the results of your query by using the -w option to ra and specifying a file to write the results to.

To get XML output from Argus, you can use the raxml utility to make queries, much in the same way as you can with ra. For instance, here’s the first record returned by using the previous query for all packets that matched the hostname of kryten:

$ raxml -r /tmp/arguslog – “host kryten”

<ArgusFlowRecord ArgusSourceId = “192.168.0.41” SequenceNumber = “3”

Cause = “Status” StartDate = “2004-01-12” StartTime = “09:25:26”

StartTimeusecs = “319091” LastDate = “2004-01-12”

LastTime = “09:25:32” LastTimeusecs = “521982”

Duration = “6.202891” TransRefNum = “0”>

<MACAddrs SrcAddr = “0:a:95:c7:2b:10” DstAddr = “0:c:29:e2:2b:c1” />

<Flow> <IP SrcIPAddr = “192.168.0.60” DstIPAddr = “192.168.0.41”

Proto = “tcp” Sport = “56060” Dport = “22” IpId = “27b8” /> </Flow>

<FlowAttrs SrcTTL = “64” DstTTL = “64” SrcTOS = “10” DstTOS = “10” />

<ExtFlow> <TCPExtFlow TCPState = “EST” TCPOptions = “TIME”

SynAckuSecs = “0” AckDatauSecs = “0” >

<TCPExtMetrics SrcTCPSeqBase = “4204580547”

SrcTCPAckBytes = “527” SrcTCPBytes = “528”

SrcTCPRetrans = “0” SrcTCPWin = “65535” SrcTCPFlags = “PA”

DstTCPSeqBase = “3077608383” DstTCPAckBytes = “1135”

DstTCPBytes = “992” DstTCPRetrans = “0” DstTCPWin = “9792”

DstTCPFlags = “PA” />

</TCPExtFlow>

</ExtFlow>

<Metrics SrcCount = “24” DstCount = “17” SrcBytes = “2112”

DstBytes = “2258” SrcAppBytes = “528” DstAppBytes = “1136” />

</ArgusFlowRecord>

As you can see, Argus keeps track of much more information than it would seem if you were just going by the output generated by ra. This is where Argus really shines, because it can store such a large amount of information about your network traffic in a small amount of space. In addition, Argus makes it easy to convert this information into other formats, such as XML, which makes it easy to write applications that can understand the data.