The VPN PPP Tunneled Over SSH Script: vpn-pppssh

NST comes with a script to easily set up a VPN using PPP tunnelled over an SSH session. Host and user authentication is accomplished with public-key cryptography (SSH keys); the PPP link itself is started with "noauth" on both ends, so the SSH key exchange is the only authentication the tunnel gets. Default keys for user: root and user: vpn were created during the NST build process.

        
[root@probe root]# /usr/local/bin/vpn-pppssh -h

Usage: vpn-pppssh -r <remote NST hostname | IP address |
                  ssh config file "HOST" entry>
                  -s <remote server VPN IP address>
                  -c <local client VPN IP address>
                  [-rt [-sn <remote server network>]
                  [-sn-if <remote server network interface>]
                  [-cn <local client network>]
                  [-cn-if <local client network interface>]]
                  [-u <user name>] [-nt] [-v] [-h]

       vpn-pppssh -r <remote NST hostname | IP address>
                  -td <remote server VPN PPP interface> [-st] [-v] [-h]

   The first form of the vpn-pppssh script initiates a secure VPN
   connection using PPP over a ssh session between two NST probe systems.
   You may enable "IP Forwarding" and "Proxy Arp" on both systems with the
   "-rt" command line switch. This will allow hosts on both sides of the
   VPN networks to route packets over the secure VPN tunnel.

   ** Note: If the remote sshd server is not listening on its default port
            TCP:22 (ssh), one will need to set up a "HOST" entry with the
            "Port" keyword defined in a ssh configuration file. This needs
            to be done prior to running this script. One scenario for this
            is when access to the sshd server from the Public Internet is
            through a PAT/NATed (Port Address Translation/Network Address
            Translation) address.

            Example ssh configuration file: /root/.ssh/config

              HOST striker
              HostName=24.43.56.172
              Port=20022

   The second form of the vpn-pppssh script tears down an established
   VPN connection using PPP over a ssh session between two NST probe systems.
   This is invoked with the "-td <remote server VPN ppp interface>" command
   line parameter.

   The remote NST system may be referred to as the server side and the local
   NST system may be referred to as the client side of the VPN respectively.

  -r <remote NST hostname | IP address | ssh config file "HOST" entry> |
   --remote-nst-host <remote NST hostname | IP address | ssh config file
     "HOST" entry>
     This is the remote NST Fully Qualified Domain Name (FQDN) hostname,
     IP address (public internet address which may be a NATed IP address),
     or a ssh configuration file "HOST" entry.

  -s <remote VPN IP address> | --server-IP <remote VPN IP address>
     This is the IP address of the remote PPP endpoint - IP address we need to
     assign at the NST system that is passively waiting for an incoming VPN
     connection (remote server side).

  -c <local VPN IP address> | --client-IP <local VPN IP address>
     This is the IP address of the local PPP endpoint - IP address we need to
     assign at the NST system that initiates the VPN connection (local client
     side).

  -rt | --enable-ip_forward_proxy
     Optional switch to enable "IP Forwarding" and "Proxy Arp" on both the
     client and server NST systems. This will enable hosts on both sides of the
     VPN networks to route packets over the secure VPN tunnel. If this switch is
     not used, only the two NST probes will be able to send network packets between
     themselves over the VPN tunnel.

  -sn <remote server network> | --remote-server-net <remote server network>
     If the "-rt" switch is set, this value is the network address of the remote
     server system in Classless Inter-Domain Routing (CIDR) format. A static route
     is configured on the client (local) VPN host to point to this remote server
     network. This will allow hosts on the client's network to route packets to
     the remote server network through the client VPN host.
     Example: 10.133.140.0/24

  -sn-if <remote server network interface> |
   --remote-server-net-int <remote server network interface>
     Optional value for the interface that the remote server network is physically
     located on.
     Default value: eth0

  -cn <local client network> | --local-client-net <local client network>
     If the "-rt" switch is set, this value is the network address of the local
     client system in Classless Inter-Domain Routing (CIDR) format. A static route
     is configured on the server (remote) VPN host to point to this local client
     network. This will allow hosts on the server's network to route packets to
     the local client network through the server VPN host.
     Example: 192.168.1.0/24

  -cn-if <local client network interface> |
   --local-client-net-int <local client network interface>
     Optional value for the interface that the local client network is physically
     located on.
     Default value: eth0

  -u <user name> | --user <user name>
     Optional user name that runs the VPN tunnel (/usr/sbin/pppd) on the
     server side of the connection.
     Default value: vpn

  -nt | --no-tcpip-timestamp
     This optional switch disables the TCP timestamp option (RFC 1323: "TCP
     Extensions for High Performance") on all TCP segments. The TCP timestamp
     option adds 12 bytes (10 for the option plus 2 bytes of padding) to the
     TCP header of every segment. By default Linux enables the TCP timestamp
     option.
     ** WARNING: This is a global setting and affects all subsequent TCP sessions on
                 this local system. This setting is only applied on the local
                 system and not on the remote system. Because the option is
                 negotiated during the TCP three-way handshake, disabling it on
                 the local system is enough to keep it out of sessions with the
                 remote system as well.

  -td <remote server VPN PPP interface> | --teardown <remote server VPN PPP interface>
     Second form of the vpn-pppssh script that tears down an established
     VPN connection using PPP over a ssh session between two NST probe systems. The
     remote server VPN PPP interface value is the name of network interface at the
     remote server VPN PPP endpoint.
     Example: ppp0

  -st | --tcpip-timestamp
     This optional switch enables the TCP/IP timestamp option on the local client
     system. It is used with the second form: (VPN teardown "-td") for re-enabling
     TCP/IP timestamps that may have been disabled during the VPN setup.

  -v | --verbose
     This optional switch will enable verbose mode. More information on the execution
     of setting up and tearing down a VPN tunnel will be displayed. Also useful
     routing information for the client and server side networks will be displayed.

  -h | --help
     Displays this help information.

   **Example 1)
             vpn-pppssh -r 24.99.159.194 -s 172.18.1.31 -c 172.18.1.32 -rt
                        -sn 172.18.1.0/24 -sn-if eth1 -cn 172.29.1.0/24 -nt -v

             - This example sets up a VPN using PPP over SSH between the
               private RFC 1918 client network: "172.29.1.0/24" and server
               network: "172.18.1.0/24". The VPN PPP network endpoints are:
               local: "172.18.1.32" and remote: "172.18.1.31". The public
               Internet IP address of the remote NST probe is: "24.99.159.194".
               Both "IP Forwarding" and "Proxy Arp" will be enabled. The
               network interface of the associated remote server network
               is: "eth1". Verbose mode is enabled and TCP/IP timestamps are
               disabled.


   **Example 2)
             vpn-pppssh -r 12.111.33.44 -td ppp0 -st

             - This example tears down a VPN session enabled on the remote
               NST system at public IP address: "12.111.33.44" for PPP interface:
               "ppp0". TCP/IP timestamps are re-enabled if previously disabled.


   **Example 3)
             /root/.ssh/config:
             HOST striker
             HostName=65.30.77.10
             Port=20022

             vpn-pppssh -r striker -s 192.168.2.201 -c 192.168.2.202 -rt
                        -sn 192.168.2.0/24 -cn 192.168.3.0/24 -nt -v


             - This example uses a ssh configuration file that was set up prior
               to running the "vpn-pppssh" script. This was necessary because
               access to the ssh server port was PATed to: "20022".  A VPN using
               PPP over SSH between the private RFC 1918 client network:
               "192.168.3.0/24" and server network: "192.168.2.0/24". The VPN
               PPP network endpoints are: local: "192.168.2.202" and remote:
               "192.168.2.201". The public Internet IP address of the remote
               NST probe (striker) is: "65.30.77.10". Both "IP Forwarding" and
               "Proxy Arp" will be enabled. The network interface of the
               associated remote server network is: "eth0". Verbose mode is
               enabled and TCP/IP timestamps are disabled.


   **Note 1) The environment variable: "LOCAL_SSH_OPTS" is used for any user
             specific ssh options.
             Ex: export LOCAL_SSH_OPTS="-qC"
             - enable quiet mode and compression...

   **Note 2) This script requires the use of public/private key authentication
             via ssh for logging into the remote NST system. The public key for
             the client NST "root" user must be found in the remote NST system's
             "authorized_keys" file for both the "root" and "vpn" users
             (/root/.ssh/authorized_keys and /home/vpn/.ssh/authorized_keys).
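The two "Success: updated ... authorized_keys" lines in the verbose output further down show what Note 2 implies: the script appends the client root's public key, with no options, to the authorized_keys of both root and vpn on the remote probe, and the only thing that key ever does as user vpn is run "sudo /usr/sbin/pppd nodetach notty noauth" (the page does not show the sudoers rule that permits this). Since pppd runs with noauth on both ends, that key is the tunnel's only credential. The shell functions below are an added hardening example, not part of NST or of vpn-pppssh: they pin the vpn user's copy of the key to exactly that command and to the client's source address using standard OpenSSH authorized_keys options, and they list keys in a file that are still unrestricted. The sample keys are constructed, and 203.0.113.7 is an assumed stand-in for the client's address as the server sees it (its public or NAT address, which the page does not give). Do not apply command= to the copy in /root/.ssh/authorized_keys: the script runs route and sysctl commands as root over that same key.

```shell
#!/bin/sh
# Added hardening example; not code from NST or the vpn-pppssh script.
# vpn-pppssh installs the client root's public key, with no options, in the
# remote vpn user's authorized_keys. The only command that key runs as "vpn"
# is the one the client passes on the ssh command line:
PPPD_CMD='sudo /usr/sbin/pppd nodetach notty noauth'
# OpenSSH authorized_keys options can pin the key to that command and to the
# client's address, so a leaked client key yields a PPP session and nothing
# else. Apply this to /home/vpn/.ssh/authorized_keys only: the script also
# runs route/sysctl as root over the same key, and command= would break that.

# key_body LINE: strip any leading authorized_keys options and return
# "<keytype> <base64 key> [comment]".
key_body() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                out = $i
                for (j = i + 1; j <= NF; j++) out = out " " $j
                print out
                exit
            }
    }'
}

# restrict_vpn_key FROM LINE: print LINE pinned to PPPD_CMD and to the address
# pattern FROM (the client's public/NAT address as the server sees it).
# no-pty is safe here: the client runs ssh without -t; pppd's "pty" option
# refers to a local pseudo-terminal, not a remote one.
restrict_vpn_key() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$PPPD_CMD" "$(key_body "$2")"
}

# unrestricted_keys FILE: list active key lines that carry no command= option,
# i.e. what vpn-pppssh leaves behind after each run.
unrestricted_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -v 'command="'
}

# Constructed sample (the keys are not real): one line as vpn-pppssh installs
# it and one already pinned. 203.0.113.7 is an assumed client address.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# /home/vpn/.ssh/authorized_keys on the remote probe
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7example root@probe
from="203.0.113.7",command="sudo /usr/sbin/pppd nodetach notty noauth",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample root@other
EOF
echo "Unrestricted keys:"
unrestricted_keys "$SAMPLE"
echo "Pinned replacements:"
unrestricted_keys "$SAMPLE" | while read -r line; do
    restrict_vpn_key 203.0.113.7 "$line"
done
rm -f "$SAMPLE"
```

Run unrestricted_keys against /home/vpn/.ssh/authorized_keys on the remote probe after each setup, since the script updates that file on every run; the forced command is identical to what the client requests, so the tunnel still comes up after the key is pinned.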
        
      

If one uses the [-v] verbose option, useful client and server network routing information will be displayed for each of the major Operating Systems. An example output for setting up a VPN using PPP over a SSH session is shown below.

This example sets up a VPN using PPP over SSH between the private RFC 1918 client network (Satellite Office): "192.168.1.0/24" and server network (Corporate Headquarters): "172.18.2.0/24". The VPN PPP network endpoints are: local: "172.18.2.32" and remote: "172.18.2.31". The public Internet IP address of the remote NST probe at the corporate site is: "70.22.33.10" using Port Address Translation (PAT): "70.22.33.10:20022" <=> "172.18.2.50:22" for the SSH service. Both "IP Forwarding" and "Proxy Arp" will be enabled. The network interface of the associated remote server network is: "eth0". TCP/IP timestamps will be disabled. This example is graphically laid out in Figure 6.1, “VPN: PPP tunneled over SSH”.

Since PAT is in use we need to set up a ssh configuration file for access to the remote NST probe at the Corporate Headquarters Site: A. The contents of the ssh configuration file are shown below:

        
[root@probe root]# cat /root/.ssh/config
HOST nstprobe
HostName=70.22.33.10
Port=20022
        
      

We will now set up the VPN for secure remote access to CIFS services.

        
[root@probe root]# vpn-pppssh -r nstprobe -s 172.18.2.31 \
-c 172.18.2.32 -rt -sn 172.18.2.0/24 -cn 192.168.1.0/24 -nt -v

Success: updated /root/.ssh/authorized_keys for root on 70.22.33.10
Success: updated /home/vpn/.ssh/authorized_keys for vpn on 70.22.33.10

Starting a VPN connection to NST: 70.22.33.10

*** Disable TCP/IP timestamps on local client: 192.168.1.51...
/sbin/sysctl -w net.ipv4.tcp_timestamps=0
net.ipv4.tcp_timestamps = 0

/usr/sbin/pppd updetach noauth passive pty "/usr/bin/ssh -p 20022 70.22.33.10 -lvpn \
-o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth" ipparam \
vpn 172.18.2.32:172.18.2.31
Using interface ppp0
Connect: ppp0 <--> /dev/ttyp1
Deflate (15) compression enabled
local  IP address 172.18.2.32
remote IP address 172.18.2.31

A PPP connection was established to remote server: 70.22.33.10 on interface: ppp0

#################################################################################
########################### Client Side VPN Parameters ##########################
#################################################################################

*** Setup client side route on NST probe: 192.168.1.51...
---------------------------------------------------------------------------------
/sbin/route -v add -net 172.18.2.0/24 gw 172.18.2.32 metric 1
---------------------------------------------------------------------------------

*** Enabling "IP Forwarding" and "Proxy Arp" on client side...
---------------------------------------------------------------------------------
/sbin/sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
/sbin/sysctl -w net.ipv4.conf.eth0.proxy_arp=1
net.ipv4.conf.eth0.proxy_arp = 1
---------------------------------------------------------------------------------

*** Client side route info...
---------------------------------------------------------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.18.2.31     *               255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
172.18.2.0      172.18.2.32     255.255.255.0   UG        0 0          0 ppp0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
---------------------------------------------------------------------------------

*** Client side ifconfig info...
---------------------------------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:40:05:86:73:E5
          inet addr:192.168.1.51  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2485574 (2.3 Mb)  TX bytes:1047037 (1022.4 Kb)
          Interrupt:10 Base address:0x7000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3000 (2.9 Kb)  TX bytes:3000 (2.9 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:172.18.2.32  P-t-P:172.18.2.31  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:72 (72.0 b)  TX bytes:66 (66.0 b)

---------------------------------------------------------------------------------

#################################################################################
########################### Server Side VPN Parameters ##########################
#################################################################################

*** Setup server side route on NST probe: 172.18.2.50...
---------------------------------------------------------------------------------
/usr/bin/ssh root@70.22.33.10 "/sbin/route -v add -net 192.168.1.0/24 gw 172.18.2.31 metric 1"
---------------------------------------------------------------------------------

*** Enabling "IP Forwarding" and "Proxy Arp" on server side...
---------------------------------------------------------------------------------
/usr/bin/ssh root@70.22.33.10 "/sbin/sysctl -w net.ipv4.ip_forward=1"
net.ipv4.ip_forward = 1
/usr/bin/ssh root@70.22.33.10 "/sbin/sysctl -w net.ipv4.conf.eth0.proxy_arp=1"
net.ipv4.conf.eth0.proxy_arp = 1
---------------------------------------------------------------------------------

*** Server side route info...
---------------------------------------------------------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.18.2.32     *               255.255.255.255 UH        0 0          0 ppp0
172.18.2.0      *               255.255.255.0   U         0 0          0 eth0
192.168.1.0     172.18.2.31     255.255.255.0   UG        0 0          0 ppp0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         172.18.2.1      0.0.0.0         UG        0 0          0 eth0
---------------------------------------------------------------------------------

*** Server side ifconfig info...
---------------------------------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:0A:E6:5A:B9:19
          inet addr:172.18.2.50  Bcast:172.18.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70378 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62924 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11378048 (10.8 Mb)  TX bytes:18138136 (17.2 Mb)
          Interrupt:9 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:172.18.2.31  P-t-P:172.18.2.32  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:246 (246.0 b)  TX bytes:252 (252.0 b)

---------------------------------------------------------------------------------

Use the following static route commands on systems with the major Operating Systems
shown so that network traffic may be properly routed between the client and server
networks over the established secure VPN.

       Route Commands For VPN Client Side Systems To Network: (172.18.2.0/24)
     ==============================================================================
Linux:
------
/sbin/route -v add -net 172.18.2.0/24 gw 192.168.1.51 metric 1

Windows:
--------
C:\WINDOWS\system32\route ADD 172.18.2.0 MASK 255.255.255.0 192.168.1.51 METRIC 1

Sun:
----
/usr/sbin/route add -net 172.18.2.0/24 192.168.1.51


       Route Commands For VPN Server Side Systems To Network: (192.168.1.0/24)
     ==============================================================================
Linux:
------
/sbin/route -v add -net 192.168.1.0/24 gw 172.18.2.50 metric 1

Windows:
--------
C:\WINDOWS\system32\route ADD 192.168.1.0 MASK 255.255.255.0 172.18.2.50 METRIC 1

Sun:
----
/usr/sbin/route add -net 192.168.1.0/24 172.18.2.50



---------------------------------------------------------------------------------
Command to tear down the VPN tunnel: vpn-pppssh -r 70.22.33.10 -td ppp0 -st
---------------------------------------------------------------------------------