Jump to content

Quickly create a VPN-server for your Mac or iPhone

Amuso

By Amuso,
in User Blogs

 Share
1 post in this topic

Recommended Posts

Amuso
Amuso
Posted
Posted

This task has been in the back of my head for some time now. I have used Vtund earlier to set up secure encrypted virtual tunnels to access ie. my home network or network at work. While this solution is pretty easy to implement under Tiger or Leopard versions of Mac OS, the iPhone doesnt quite want to play along since there is no Vtund client for the iPhone. At least not for a regular not jail-broken iPhone. Vtund is mentioned earlier in my ramblings for those who are interested in setting it up.

 

What I wanted to upgrade to was a L2TP or PPTP VPN tunnel that I could easily use on my Mac or iPhone. Also it is easier for other users to implement into their Mac OS enviroment. Vtund requires a bit more knowledge in the Terminal department.

 

What I will illustrate here is how you too can easily create a VPN-server. I will assume that your server is running FreeBSD. However this will work with any type of other BSD or Linux server, be it Debian, Ubuntu, OpenBSD etc. You will just need to replace the FreeBSD-specific commands such as pkg_add or ports with your OS equivalent. Where possible, I will throw you a few hints to get you going there as well.

 

This example will install poptop, an open-source version of a PPTP-server available for most OSes out there.

 

I will assume that you either have no firewall, or are passing through GRE and port 1723 TCP to your server machine. These are the ports and protocols that PPTP uses to establish and run a VPN tunnel through. In my example, I will be enabling FreeBSD firewall to operate in a "open" mode where it allows all ports in by default.

 

You will also need to substitute my example IP-ranges for both the VPN-users and public address to suit your system. All commands are carried out as the super-user root in these examples. If you are really paranoid you might want to compile and install poptop in a jailed environment. Thats beyond the scope of this example however.

 

This example does not require any graphics user interface or X11 enviroment to be installed on your server. All commands are done through a terminal remote shell connection using ssh (or telnet for the unencrypted daring users out there). They CANNOT be performed by FTP, and you WILL NEED root access and hardware access to do this. I do not think it is possible to perform these tasks on a VPS shared server. A dedicated server is required. It can however be a virtual machine in ie. VMware.

 

All this might sound complicated, but it really isnt at all. So lets get to it.

 

You can either install poptop from the ports collection, or from packages. The main difference is that ports will download the source code, apply the needed patches and compile the code on your server. While packages are precompiled, ready to install binaries "packaged" for your server. I myself prefer ports, as I find it easy to later upgrade the software and all the necessary dependant software packages.

 

Therefore this example will use the ports collection. If you choose to use packages, you will need to download the necessary packages and dependancies before running pkg_add <package> on your command line. In Debian this is often accomplished by the "apt-get install <package>" command. Note syntax might not be 100% correct, it is just a pointer to how it usually is done.

 

You should have the ports collection installed, if not please refer to the FreeBSD handbook on how to install the ports collection.

 

$ cd /usr/ports/security/poptop
$ make install clean

This will fetch, patch, compile and install poptop in the default location.

 

Now enable the FreeBSD firewall in "open mode". Please be aware you CAN lock yourself out from your system with these steps. Follow them closely and make sure you know what is going on.

 

If unfamiliar with the editor "vi" you can of course use which ever editor suits you.

 

It is VERY important that you substitute "re0" above with your servers actual Internett connection interface. You can find it by issuing the following command:

 

$ ifconfig -a

 

Here is a typical output from my server, which will resemble what you get:

 

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:1e:90:8e:60:90
inet 123.234.1.2 netmask 0xfffffff0 broadcast 123.234.1.254
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff000000 
inet 10.10.10.2 netmask 0xffffff00

This output tells you that the server has 3 interfaces, re0 (physically the Internet connection with IP-address 123.234.1.2), plip0 (parallel port), lo0 (loopback) devices. Yours may have several more, but will always have at least lo0 and one physical network interface.

 

Your interface may be called fxp0, le0, en0 etc. Replace the "re0" in the /etc/rc.conf below with yours and then save the file.

 

$ vi /etc/rc.conf

Add the following lines to your rc.conf file:

 

ifconfig_lo0_alias0="inet 10.10.10.1  netmask 255.255.255.0"
defaultrouter="123.234.1.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="re0"
natd_flags=""
pptpd_enable="YES"

 

The first statements are important. You must provide an additional IP-range for your PPTP users that are not currently used on your server. These should also be taken from the private IP-ranges which consists of:

 

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

 

In this example I have chose 10.10.10.1 - 10.10.10.255 to provide PPTP IP traffic. Replace this with your choosing, or you can use the provided example. I have chosen to glue this VPN-range to the loopback interface (lo0) to avoid sniffing traffic on the Internet connection.

 

defaultrouter must be provided, and should be the router/gateway on your Internet connection. If you are unsure what it is, please contact your ISP.

 

To tell FreeBSD to act as a router, the gateway_enable is activated.

 

You have also reconfigured your server to enable the firewall, and enabled nat-ing (private to public address translation) which is required to get PPTP working. Also you have specified to start the PPTP daemon (service) upon boot. Note none of these changes are applied yet, and will not start to work until your next reboot.

 

If you are using any other firewall setup previous to these changes, you must learn how to open GRE and port 1723 TCP. Applying the changes above will mess up any current firewall setup you might have, so you will need to tweak the firewall statements before you continue. If you are running the generic install of FreeBSD (not compiled your own kernel) and are running no current firewall, the above setup should work fine for you.

 

Make a note of the IP-range you are providing your PPTP-users, if you change the example range. You will need to make changes to the next configurations for poptop to match these as well.

 

Poptop requires 4 more configuration files to be altered. They are:

 

/usr/local/etc/pptp.conf - The poptop general configuration

/etc/ppp/ppp.conf - PPP is used to set up the actual VPN connection, and here is how

/etc/ppp/ppp.secret - The actual username and passwords for your users

/etc/ppp/secure - Script to bind ppp to incoming "calls"

 

The /usr/local/etc/pptp.conf file should be readable by everyone, but the rest should only be read/writable by your "root" user. We will deal with that after we create these files.

 

Lets start from the top and create the necessary configuration files. If they already exist, replace their contents with only the lines below.

 

Note, replace 10.10.10.x with any other IP-range you might have preferred to use instead. 10.10.10.2 should always be the server though, and in this example IPs 101 through 109 are provided to PPTP users. The standard FreeBSD installation only permits 10 VPN-users (or tunnels) by default. Therefore the example is limited to 10 IP-addresses.

 

$ vi /usr/local/etc/pptp.conf

debug
proxyarp
localip 10.10.10.2
remoteip 10.10.10.101-109 
# Compression options
nobsdcomp
novj
novjccomp
# PID
pidfile /var/run/pptpd.pid
#refuse-pap
#refuse-chap
#refuse-mschap
#require-mschap-v2      # Ok med Mac OS
#require-mppe-128       # No go with Mac OS!
#ipcp-accept-local
#ipcp-accept-remote
#lcp-echo-failure 30
#lcp-echo-interval 5
# Handshake auth methods
+chap
+chapms
+chapms-v2
# Data encryption methods
mppe-40
mppe-128
mppe-stateless

Again in ppp.conf substitute 10.10.10.x with your IPs if you choose to make your setup different than this example. Also make sure you match the 101-109 IP-range with the IP-range in /usr/local/etc/pptp.conf. You MUST substitute the DNS IP-address in this example though. It is set by the "set dns 123.234.100.200" statement further down in ppp.conf. Replace it with your ISPs DNS address. If you have several, just use one of them and not all.

 

$ vi /etc/ppp/ppp.conf

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set ifaddr 10.10.10.2 10.10.10.101-10.10.10.109 255.255.255.0
add default HISADDR
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
disable pap
enable passwdauth
disable ipv6cp
enable proxy
accept dns
enable MSChapV2
enable mppe
disable deflate pred1
deny deflate pred1
set dns 123.234.100.200
set device !/etc/ppp/secure

$ vi /etc/ppp/ppp.secure

username1   password1
username2   password2

Note that you should obviously replace username1 etc with acutal usernames and plaintext passwords. It is VERY IMPORTANT that the username and password are TABulator separated, and not space separated. One TAB only, please.

 

The "secure" ppp script is very simple:

 

$ vi /etc/ppp/secure

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Lets set the correct permissions on these files:

 

$ chmod 600 /etc/ppp/*
$ chmod 644 /usr/local/etc/pptp.conf

In theory all should be ready now. Note that all the compression and encryption options are disabled by default. They can be changed in the /usr/local/etc/pptp.conf file. All lines starting with a # is commented out, thus disabled. Removing the # will enable that specific function. Note that Mac OS does not play well with all of these options. Most are provided as examples of available options.

 

The above configuration works with Mac OS VPN connections that are set to have NO ENCRYPTION enabled, and use PASSWORD AUTHENTICATION.

 

This may seem like a very long process, but I encourage you to try it out and you will see it is not too hard.

 

Now all that remains is to reboot your server and try and set up a VPN connection from your Mac OS machine.

 

$ restart

 

Set up a Mac OS VPN connection using PPTP, connect and then open a webbrowser and point it to www.whatismyip.org to verify that your machine now is connected to the Internet through your server instead of directly. Note that there is an option in Mac OS 10.5 (Leopard) that toggles all or partial traffic over the VPN connection. If you set it to transfer all traffic you should see your server IP instead of your broadband connection IP.

 

To stop the VPN-server you can issue the command:

 

$ /usr/local/etc/rc.d/pptp stop

 

This is necessary if you change the pptp.conf or any other ppp-configuration files. To start pptp again just replace "stop" with "start". Another way to just reload the configuration is to issue a "restart" instead of the stop/start.

 

Enjoy, and I hope you have fun with your new VPN-server for Mac OS and iPhone.

 

*** Foot notes:

 

You might wonder why lo0 is assigned 10.10.10.1 while in all the other configuration files I use 10.10.10.2. The reason being that one interface must be provided an IP in the VPN-range so that FreeBSD can route those packets correctly. lo0 was chosen for security reasons, though it would perhaps have been better to create another loopback, say lo1. lo0 was used out of convenience. 10.10.10.2 is used by PPP when a user connects. The tunnel must also consist of two IPs, one on each end. Since .1 is already in use (to aid FreeBSD routing), .2 was used as the server IP on the tunneling end. Just make sure you do not mix these.

Link to comment
Share on other sites
 Share
Go to topic listing
×
×
  • Create New...