
VPN with PPP and SSH

  • Oct 6 '09
  • Posted By: Jean-Philippe Blais

A method for building a VPN with PPP and SSH on Linux. Tested on Ubuntu 8.04 LTS, Ubuntu 8.10 and, of course, Debian.

Sources:
http://www.faqs.org/docs/Linux-mini/ppp-ssh.html
http://www.revsys.com/writings/quicktips/nat.html

==> Set up a vpn user on the server

root@server:~# useradd -U vpn

Edit /etc/passwd and change the vpn user's default shell to /bin/bash

root@server:~# mkdir -p /home/vpn/.ssh
root@server:~# chown -R vpn.vpn /home/vpn
root@server:~# passwd vpn

==> Use a generated, hard-to-remember password. You will use it only once.

Generate root RSA keys on the client

root@client:~# ssh-keygen

Copy the client's root RSA public key to the server vpn user's authorized keys

root@client:~# scp .ssh/id_rsa.pub vpn@server:./.ssh/authorized_keys
root@server:~# chmod 700 /home/vpn/.ssh
root@server:~# chmod 600 /home/vpn/.ssh/authorized_keys

Test the automatic login:

root@client:~# ssh -l vpn server

==> You should get the vpn user's shell without being asked for a password

Set up sudo on the server to allow the vpn user to run the pppd command

root@server:~# visudo

Add:

Cmnd_Alias VPN=/usr/sbin/pppd
vpn ALL=NOPASSWD: VPN

Test sudo:

root@server:~# su - vpn
vpn@server:~$ sudo /usr/sbin/pppd noauth

==> You should see pppd garbage (raw PPP frames) on your terminal
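The steps above give the vpn user's key a full shell plus passwordless sudo for pppd. The example below is added here and is not part of the original post: it builds an authorized_keys entry that pins the client's key to the exact pppd invocation the vpn-pppssh script sends (a forced command, with forwarding and pty allocation denied), prints the two sudoers lines from the post, and checks that every key in an authorized_keys file is restricted that way. The helper names (vpn_authorized_keys_entry, vpn_sudoers_fragment, vpn_check_authorized_keys) and the sample key are constructed for this example; the paths and user name come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): lock the vpn user's SSH key
# down to the pppd command and generate the matching sudoers fragment.
# Assumes the post's layout: pppd at /usr/sbin/pppd, server user "vpn".

PPPD=/usr/sbin/pppd
VPN_USER=vpn

# Forced command: whatever the client asks ssh to run, sshd runs only this.
# It matches what the vpn-pppssh script passes on the ssh command line.
FORCED_CMD="sudo $PPPD nodetach notty noauth"

# Print a restricted authorized_keys line for the public key given as $1
# (the contents of the client's id_rsa.pub). no-pty is safe because the
# server side runs pppd with "notty" and the client never requests a tty.
vpn_authorized_keys_entry() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$FORCED_CMD" "$1"
}

# Print the sudoers lines from the post on two separate lines, as visudo
# expects them (the alias line and the user rule must not be run together).
vpn_sudoers_fragment() {
    printf 'Cmnd_Alias VPN=%s\n' "$PPPD"
    printf '%s ALL=NOPASSWD: VPN\n' "$VPN_USER"
}

# Return 0 when every non-blank, non-comment line in the authorized_keys
# file $1 carries a forced command and denies port forwarding, 1 otherwise.
vpn_check_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            'command="'*no-port-forwarding*) ;;
            *) return 1 ;;
        esac
    done < "$1"
    return 0
}

# Constructed sample key (not a real key), only to show the output format.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedsamplekey root@client'
vpn_authorized_keys_entry "$SAMPLE_KEY"
vpn_sudoers_fragment
```

On the server, write the output of vpn_authorized_keys_entry into /home/vpn/.ssh/authorized_keys in place of the bare key copied with scp; the "ssh -l vpn server" test then no longer yields a shell, it starts pppd directly, which is what the client script expects.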

The vpn-pppssh Script

Use this script on the client.

Change these lines to suit your needs:

SERVER_HOSTNAME=eldivino.domain.com
SERVER_USERNAME=vpn
SERVER_IFIPADDR=192.168.3.2
CLIENT_IFIPADDR=192.168.3.1

#!/bin/sh
# /usr/local/bin/vpn-pppssh
#
# This script initiates a ppp-ssh vpn connection.
# see the VPN PPP-SSH HOWTO on http://www.linuxdoc.org for more information.
#
# revision history:
# 1.6 11-Nov-1996 miquels@cistron.nl
# 1.7 20-Dec-1999 bart@jukie.net
# 2.0 16-May-2001 bronson@trestle.com
#
# You will need to change these variables...
#
# The host name or IP address of the SSH server that we are
# sending the connection request to:
SERVER_HOSTNAME=eldivino.domain.com
# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root.  (Any user
# that can use PPP can initiate the connection on the client)
SERVER_USERNAME=vpn
# The VPN network interface on the server should use this address:
SERVER_IFIPADDR=192.168.3.2
# ...and on the client, this address:
CLIENT_IFIPADDR=192.168.3.1
# This tells ssh to use unprivileged high ports, even though it's
# running as root.  This way, you don't have to punch custom holes
# through your firewall.  -P is an old OpenSSH flag; if your ssh
# rejects it, set this to "" (current OpenSSH uses unprivileged
# source ports by default).
LOCAL_SSH_OPTS="-P"
#
# The rest of this file should not need to be changed.
#
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11
#
# required commands...
#
PPPD=/usr/sbin/pppd
SSH=/usr/bin/ssh
if ! test -f $PPPD  ; then echo "can't find $PPPD";  exit 3; fi
if ! test -f $SSH   ; then echo "can't find $SSH";   exit 4; fi
case "$1" in
  start)
    # echo -n "Starting vpn to $SERVER_HOSTNAME: "
    ${PPPD} updetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ipparam vpn ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
    # echo "connected."
    ;;
  stop)
    # echo -n "Stopping vpn to $SERVER_HOSTNAME: "
    PID=`ps ax | grep "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o" | grep -v ' passive ' | grep -v 'grep ' | awk '{print $1}'`
    if [ "${PID}" != "" ]; then
      kill $PID
      echo "disconnected."
    else
      echo "Failed to find PID for the connection"
    fi
    ;;
  config)
    echo "SERVER_HOSTNAME=$SERVER_HOSTNAME"
    echo "SERVER_USERNAME=$SERVER_USERNAME"
    echo "SERVER_IFIPADDR=$SERVER_IFIPADDR"
    echo "CLIENT_IFIPADDR=$CLIENT_IFIPADDR"
  ;;
  *)
    echo "Usage: vpn {start|stop|config}"
    exit 1
    ;;
esac
exit 0

Start the VPN link

root@client:~# ./vpn-pppssh start

You should see something like:

Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
local IP address 192.168.3.1
remote IP address 192.168.3.2

Test the VPN link:

root@client:~# ping 192.168.3.1 (ping client local IP)
root@client:~# ping 192.168.3.2 (ping server IP)
root@server:~# ping 192.168.3.1 (ping client IP)

Set up server routing:

root@server:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@server:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@server:~# iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@server:~# iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

Add a default route on the client:

root@client:~# route add -net default gw 192.168.3.2

Test that everything works from the client:

root@client:~# ping www.google.ca
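If the client's only route to the server's public address is the new default route, the SSH packets that carry the tunnel get routed into ppp0 themselves and the link stalls. The example below is added here and is not from the original post: it moves the client's default route onto the tunnel peer from the post (192.168.3.2) in an order that keeps a host route for the server through the previous gateway, and undoes it in reverse. The function names (vpn_client_routes_up, vpn_client_routes_down, run) and the VPN_DRY_RUN switch are constructed for this example; the server address and old gateway are hypothetical sample values passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): replace the client's default
# route with the tunnel peer without cutting off the SSH session under it.
# Assumes the tunnel addresses from the post. Set VPN_DRY_RUN=1 to print
# the route commands instead of executing them (no root needed).

VPN_PEER=192.168.3.2

# Execute a command, or print it when VPN_DRY_RUN=1.
run() {
    if [ "${VPN_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1: the server's public IP (the address ssh connects to)
# $2: the gateway the client used before the tunnel came up
# The host route for $1 must exist before the default route moves,
# otherwise the encrypted SSH traffic would itself be sent into ppp0.
vpn_client_routes_up() {
    run route add -host "$1" gw "$2"
    run route del -net default gw "$2"
    run route add -net default gw "$VPN_PEER"
}

# Same arguments, reverse order: restore the old default, drop the pin.
vpn_client_routes_down() {
    run route del -net default gw "$VPN_PEER"
    run route add -net default gw "$2"
    run route del -host "$1" gw "$2"
}

# Sample values (constructed): server 203.0.113.10 reached via 192.168.1.1.
VPN_DRY_RUN=1 vpn_client_routes_up 203.0.113.10 192.168.1.1
```

Run the "up" function after "./vpn-pppssh start" has printed the local and remote addresses, and the "down" function before "./vpn-pppssh stop"; the server-side ip_forward and iptables settings from the post are not persistent across a reboot, so reapply them with the tunnel.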
