Amuso
Posted March 14, 2008

I earlier got Tiger to talk fine with my FreeBSD vtun-server so that I could access shares, printers and more at the office or home from anywhere on the run. Now I have tried out the system with the new Leopard package from the same authors. This was tested on a MacBook MB061 with the latest software updates as of March 13th 2008, i.e. running 10.5.2.

Why VTUN?

Well, as opposed to PPTP and Microsoft's solutions, when you use VTUN you access the Internet using your regular connection, but can access your home/office network on a need-to-use basis. Microsoft's PPTP solution routes all traffic through your home/office gateway. VTUN can, but in this example does not, so I do not burden my home/office link with extra traffic except to access the servers and printers on that network. Also, VTUN is fairly easy to set up and manage. Unfortunately, no GUIs that I am aware of exist for the Mac side though.

Here is what you need:

- The TUN/TAP network devices/drivers. Tiger and Leopard versions can be found there; be sure you grab the right one (Tiger for 10.4 and Leopard for 10.5) and that you get the tar.gz - not src.tar.gz!
- vtund 2.5 for Mac OS X. Be sure to get the compiled version 2.5 with LZO library.
- A bit of Terminal knowledge, but I will guide you through it all.

vtund is out in a much newer version 3.x, but I have not bothered to get that to work yet since 2.5 does the job for me.

I will not get into configuring your vtund-server, and assume you know your way around that, and how to configure vtun clients. It is not hard at all: one simple configuration file (vtund.conf) and choosing an open port to use for your clients to connect to your server.

First, get the TUN/TAP driver/devices. Once downloaded, just double-click the .tar.gz file if Finder hasn't unpacked it for you already. You should then get a folder with a package you can install. Just go ahead and double-click the installer and let it do its thing.
You may want to reboot afterwards to enable the TUN/TAP devices.

NOTE! I am using Safari for these instructions, but any other browser will do fine. Just keep in mind that e.g. Firefox can be configured not to unpack downloaded files and may keep the .gz extension after vtun.2.5.tar. Adjust the commands below accordingly if your file is named vtun.2.5.tar.gz.

Now, DO NOT double-click the vtun.2.5.bin.tar file! Leave it as is, as it is much easier to install via the Terminal. Move the downloaded vtun file to your hard drive's main directory. This is the one you get to when you double-click your desktop icon for your hard drive.

Open up a Terminal window and type in the following commands:

    sudo su -
    (enter your user's password - it must be an administrator user)
    cd /
    tar -zxvpf /vtun.2.5.tar

This unpacks all the contents of the vtun archive into /usr/local on your hard drive.

To start vtund the following command can be issued:

    /usr/local/sbin/vtund

The configuration file for vtund (which you MUST edit before starting vtun) is located in:

    /usr/local/etc/vtund.conf

and is only accessible by an administrator user. I am familiar with vi, but you may use any editor you feel comfortable with, even TextEdit! However, accessing the file via the Finder is not very easy. It is best done via Terminal and an editor there.

Much more about how to configure and use vtun can be found on their homepage. For the curious ones I will include a sample setup. First, the configuration file on my FreeBSD box.

    #
    # VTUNd Server Side Configuration
    #
    options {
      port 12345;
      syslog daemon;
      ifconfig /sbin/ifconfig;
      route /sbin/route;
    }

    default {
      compress no;
    }

    amuso {
      passwd mysecretpassword;
      device tun1;
      type tun;
      proto tcp;
      compress no;
      encrypt yes;
      keepalive yes;
      multi no;
      compress lzo:9;
      up {
        # server address first, then the remote user's address
        ifconfig "%% 10.10.10.1 10.10.10.2 netmask 255.255.255.252 mtu 1450";
      }
      down {
        ifconfig "%% down";
        ifconfig "%% delete";
      };
    }

And that is it.
Most settings are self-explanatory, but the important thing to remember is the UP clause. It contains several IP addresses and a netmask. To enlighten you all, use a private network range here, be it 10.x.x.x, 172.16.x.x or 192.168.x.x. But they must be unique for each session you want to concurrently keep. The first IP address is the address that will be assigned to the server's virtual network (tun1), 10.10.10.1 in this case. The second one is the remote user's IP address, 10.10.10.2 in this case. The minimum netmask usable is 255.255.255.252, which assigns 4 IP addresses to the range. This way you can assign more in the same range, for instance 4 through 7 for the next user. You can use 255.255.255.0 of course, but then you assign the whole range to one user that just needs 1 IP... But it is up to you.

The DOWN clause contains the commands issued when the connection is taken down. It removes the virtual interface completely in this case.

If you want to add more remote users, just copy the amuso { clause and append more at the end. Of course, rename the sessions to unique names and change the IP addresses. And assign each another tun device, e.g. tun2. Do NOT use the same TUN device for several users.

The client side is much the same, just a bit simpler actually. This is an example of your Mac's /usr/local/etc/vtund.conf configuration file to match the above server settings. Adjust to match your preferences:

    #
    # VTUNd Mac Client Sample configuration
    #
    options {
      port 12345;    # MUST match the server's listening port above
      timeout 60;
      ifconfig /sbin/ifconfig;
      route /sbin/route;
    }

    amuso {
      passwd mysecretpassword;
      device tun1;
      persist yes;
      up {
        # remote user's address first, then the server's address
        ifconfig "%% 10.10.10.2 10.10.10.1 netmask 255.255.255.252 mtu 1450";
        #route "add -net 192.168.1.0/24 10.10.10.1";
      };
      down {
        ifconfig "%% down";
        ifconfig "%% delete";
        #route "delete -net 192.168.1.0/24";
      };
    }

As you see it is much the same.
Notice that the IP addresses in the UP clause have switched place since this is at the remote user's side. I also added a sample route command which can be useful to tell your Mac what your home or office IP range is and how to access it. The above example suggests that the home/office IP range is 192.168.1.1 through .255. That is, your machines at home use these IP addresses. So it is important that you don't have the same IP range at home and on the remote machine with this setup.

One setup I have not tried out yet is to use the TAP device to bridge networks, which probably is more suited for such setups, and will integrate your machine into the home/office network more seamlessly.

But these are just starters to get you rolling. Read up on vtun and I hope you will find this useful.

A final note. Configuration files with # just contain comments after the # and do not influence the setup. To activate the route commands, just remove the # at the beginning of the line. There are a bunch of sample setups in the original vtund.conf that comes with vtund.

And this even works over mobile GSM networking such as 3G/GPRS/UMTS/EDGE. I am writing and using this using just such a setup.
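
A check for the addressing rules in the post above (one tun device per session, a private range, the peer inside the session's netmask, no range shared between sessions), as an added example that is not part of the original post. The sessions bob and carol and the function names are constructed for illustration, and the parser only understands the directives shown in the post.

```python
import ipaddress
import re

# Constructed sample: the post's "amuso" session plus two hypothetical users.
SAMPLE_CONF = '''
options { port 12345; ifconfig /sbin/ifconfig; }
amuso { device tun1;
  up { ifconfig "%% 10.10.10.1 10.10.10.2 netmask 255.255.255.252 mtu 1450"; } }
bob { device tun2;
  up { ifconfig "%% 10.10.10.5 10.10.10.6 netmask 255.255.255.252 mtu 1450"; } }
carol { device tun2;   # hypothetical mistake: reuses bob's device and range
  up { ifconfig "%% 10.10.10.6 10.10.10.9 netmask 255.255.255.252 mtu 1450"; } }
'''
DEVICE = re.compile(r'\bdevice\s+(\w+)\s*;')
IFCONFIG = re.compile(r'ifconfig\s+"%%\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)')

def sessions(conf):
    """Yield (name, body) for each top-level block by tracking brace depth."""
    conf = re.sub(r'#.*', '', conf)          # drop comments
    depth, name, start = 0, None, 0
    for m in re.finditer(r'(\w+)\s*\{|\}', conf):
        if m.group(1):                       # "word {" opens a block
            if depth == 0:
                name, start = m.group(1), m.end()
            depth += 1
        else:                                # "}" closes a block
            depth -= 1
            if depth == 0:
                yield name, conf[start:m.start()]

def audit(conf):
    """Return (session, problem) pairs for the rules described in the post."""
    problems, devices, nets = [], {}, {}
    for name, body in sessions(conf):
        dev, ifc = DEVICE.search(body), IFCONFIG.search(body)
        if name in ('options', 'default') or not (dev and ifc):
            continue
        d, (local, peer, mask) = dev.group(1), ifc.groups()
        net = ipaddress.ip_network(f'{local}/{mask}', strict=False)
        if d in devices:
            problems.append((name, f'{d} already used by {devices[d]}'))
        if ipaddress.ip_address(peer) not in net:
            problems.append((name, f'peer {peer} is outside {net}'))
        if not net.is_private:
            problems.append((name, f'{net} is not a private range'))
        problems += [(name, f'{net} overlaps {o}')
                     for o, n in nets.items() if net.overlaps(n)]
        devices.setdefault(d, name)
        nets[name] = net
    return problems
```

Running `audit()` over the server's vtund.conf before restarting vtund catches a copied session clause whose device or addresses were not changed.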