VPN using SSH
Implementing a secure Unix to Unix Virtual Private Network
Gary Stainburn
Ringways Garages Ltd.
Andrew’s Talk
• Excellent talk covering theory and history
• Implemented pptp - most common use of VPN
• However, my way is better.
Ssh is better, why?
• No kernel patch to install or keep up to date (unlike the pptp setups of the time) - the security-critical code is ssh, an ordinary user-space package that is upgraded like any other
• True Unix to Unix connection.
• Better for LAN to LAN.
• Modular
– ssh (zlib, OpenSSL, OpenSSH)
– port redirector (pty-redir)
– pppd
Why VPN
• Look at an APN.
– Existing Ringways APN (a.k.a. WAN)
Proposed Internet Link
• Ringways were looking for an internet link
Suggested VPN
• Suggested replacing the existing lines with:
Actually Went With
What if we grow?
Definitely VPN
Points to Consider
• APN
– Cost of line vs benefits received
– Who meets the costs?
• VPN
– No cost if an internet link is already available
– Split the cost if not already available
Implications
• Lower costs = more uses
• More uses = more connections
• More connections = more access points
Security
• Firewall - one point of access
• A VPN gives you multiple access points
• Weakness at the remote end - Win95?
• Other people administering the remote end
• Treat VPN users as notebook users - machines you do not control that come and go
Security - Server
• When planning to set up a VPN server
– Needs public access (TCP port 22 reachable from the internet)
– Can be behind a firewall - ssh works over NAT, so a single port-forward of 22 to the server is enough
– Preferably no other access
– Can be on the firewall itself (but then a flaw in sshd exposes the firewall)
So, how’s it work?
• Uses an existing unsecured network (the internet)
• Runs an ssh session over that connection
• Redirects a pppd session over it - pppd at each end sees the ssh session as its serial line
Ssh - So, what do I need?
• For RedHat 6 systems:
– zlib-1.1.3-6.i386.rpm - already installed
– openssl-0.9.5a.i386.rpm
– openssh-2.1.1p2-1.i386.rpm
– openssh-clients-2.1.1p2-1.i386.rpm
– openssh-server-2.1.1p2-1.i386.rpm
– pppd
• These are the versions current when the talk was given; use the current release of each.
Ssh - So, what do I need?
• For everything else:
– zlib-1.1.3.tar.gz - ftp://ftp.cdrom.com/pub/infozip/zlib
– openssl-0.9.5a.tar.gz - http://www.openssl.org
– openssh-2.1.1p2.tar.gz - http://www.openssh.com
– pppd
Ssh - So what do I do?
• For RedHat 6 systems (check the package signatures with rpm --checksig before installing):
– rpm -i openssl-0.9.5a.i386.rpm
– rpm -i openssh-2.1.1p2-1.i386.rpm
– rpm -i openssh-clients-2.1.1p2-1.i386.rpm
– rpm -i openssh-server-2.1.1p2-1.i386.rpm
Ssh - So what do I do?
• For everything else, build in this order (zlib, then OpenSSL, then OpenSSH, since each depends on the one before):
– untar zlib-1.1.3.tar.gz
– ./configure
– make
– make test
– make install
Ssh - So what do I do?
• For everything else:
– untar openssl-0.9.5a.tar.gz
– ./config
– make
– make test
– make install
Ssh - So what do I do?
• For everything else:
– untar openssh-2.1.1p2.tar.gz
– ./configure
– make
– make install
Ssh - So what do I do?
• As root run:
– ssh-keygen
• This creates the .ssh directory.
• This contains the private key (identity) and the public key (identity.pub).
• Create authorized_keys from the public key.
Ssh - So what do I do?
• Copy identity.pub from the client machine to the server machine
– Client = makes the call
– Server = receives the call
• Append this file to /root/.ssh/authorized_keys
• Make sure sshd is running on the server
• A key in root’s authorized_keys gives that client a root shell on the server. Use it for this first test only; the VPN itself runs under the dedicated vpnusers account set up on the later slides, so remove the key from root’s file once the test passes.
Ssh - How do I test it
• On the client
– ssh <servername>
• If you have done everything correctly you should now have an ssh session open and the command prompt of the server machine on screen.
• The first connection asks you to accept the server’s host key. Check its fingerprint against the one on the server before saying yes: the batch-mode connection used by the VPN later refuses any host whose key is not already in known_hosts.
So what’s next - Server
• Edit /etc/ppp/options to include:
– ipcp-accept-local
– ipcp-accept-remote
– proxyarp
– noauth
• noauth is acceptable here only because ssh has already authenticated the peer by its key; proxyarp only helps when the tunnel addresses are taken from the server’s LAN subnet. Remember that /etc/ppp/options applies to every pppd on the machine, dial-up links included.
So what’s next - Server
• Create a vpnusers group and user
– add group vpnusers to /etc/group:
• vpnusers:*:504:
– add user vpnusers to /etc/passwd:
• vpnusers:*:504:504:VPN User:/home/vpnusers:/usr/sbin/pppd
– mkdir /home/vpnusers
– chown vpnusers:vpnusers /home/vpnusers
• The * in the password field disables password logins, so the account can only be reached with a key; pppd as the login shell means a successful login starts the PPP link and nothing else.
So what’s next - Server
• Create the /home/vpnusers/.ssh directory (mode 700, owned by vpnusers)
• Create the file .ssh/authorized_keys (mode 600; sshd refuses group- or world-writable files)
• Add the public keys of everyone who needs access.
• Prefix each key with from=, command="/usr/sbin/pppd", no-port-forwarding, no-X11-forwarding and no-agent-forwarding, so that a stolen client key can start the PPP link and nothing else. Do not add no-pty: pppd needs the tty that the client’s ssh -t asks for.
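Building and checking the locked-down authorized_keys file for the vpnusers account, as an added example (not code from the talk or from the vpnd package). It assumes OpenSSH, which reads from=, command= and the no-*-forwarding options from the front of an authorized_keys line; the key lines and host patterns in the demo are constructed, not real keys.

```shell
#!/bin/sh
# Added example: produce restricted authorized_keys lines for VPN clients and
# audit an existing file for keys that were appended without restrictions.

# Return one restricted authorized_keys line.
#   $1 = host pattern the key may connect from (an address or "*.domain")
#   $2 = the client's identity.pub line, unchanged
# no-pty is deliberately left out: pppd needs the tty that "ssh -t" requests.
restrict_key() {
    from=$1
    key=$2
    printf 'from="%s",command="/usr/sbin/pppd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$from" "$key"
}

# Succeed only if a line carries both a from= pattern and the pppd command.
key_is_restricted() {
    case $1 in
        *'command="/usr/sbin/pppd"'*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *'from="'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every unrestricted key in file $1 (blank lines and comments ignored);
# return 1 if any was found so the check can gate enabling the account.
audit_keys() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if ! key_is_restricted "$line"; then
            printf 'unrestricted key: %s\n' "$line"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed demo file: two branch keys done properly (fake moduli) and one
# bare key someone pasted in by hand.
demo_keys_file() {
    out=$1
    {
        restrict_key 10.1.1.2 '1024 35 1234567890123456789 root@branch1'
        restrict_key '*.example.net' '1024 35 9876543210987654321 root@branch2'
        printf '%s\n' '1024 35 1111111111111111111 root@laptop'
    } > "$out"
}

# Stand-alone run: audit the demo file in a private temporary directory.
tmpdir=$(mktemp -d)
demo_keys_file "$tmpdir/authorized_keys"
if audit_keys "$tmpdir/authorized_keys"; then
    echo "all keys restricted"
else
    echo "fix the lines above before enabling the vpnusers account" >&2
fi
rm -rf "$tmpdir"
```

Run audit_keys against /home/vpnusers/.ssh/authorized_keys from cron or before each change; the from= pattern is the client’s public address or DNS name, so a key copied off a stolen notebook is useless from anywhere else.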
So what’s next - Client
• As root run:
– mkdir /root/.ssh
– ssh-keygen -f /root/.ssh/identity.vpn -P ""
– Add the new file identity.vpn.pub to the authorized_keys on the server.
• The empty passphrase is what lets the link come up unattended. It also means anyone who can read /root/.ssh/identity.vpn can connect as vpnusers, which is why the key is restricted on the server and why the client machine itself has to be trusted.
So what’s next - client
– Get http://www.shinythings.com/vpnd/vpnd.tar.gz
– Unpack it into /usr/local/vpn
– Copy pty-redir to /usr/sbin
So what’s next - client
• As root run (curly is the server’s hostname):
– pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpnusers curly >/tmp/vpn-device
– sleep 10
– /usr/sbin/pppd `cat /tmp/vpn-device`
• pty-redir starts ssh behind a pseudo-terminal and prints the device name; pppd then uses that device as its “modem”. -t forces a remote tty so pppd has one to run on, -e none stops ssh treating PPP data as an escape sequence, and BatchMode makes ssh fail rather than prompt if the key is rejected or the host key is unknown. The sleep 10 is a guess at how long the login takes; if pppd starts before ssh has logged in it just retries its LCP negotiation. -c blowfish selects a protocol 1 cipher; on a current OpenSSH use protocol 2 and its default ciphers.
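The three client commands wrapped into a vpn-up script, as an added example (not the talk’s own script and not part of vpnd). It keeps the pty-redir approach from the slide but checks that a device really came back before starting pppd, uses a private run directory instead of a predictable name in /tmp, and makes the settle time configurable. It assumes pty-redir is in /usr/sbin, the vpnusers account and restricted key from the server slides, and that curly’s host key is already in root’s known_hosts (BatchMode never prompts). The VPN_* variable names are this example’s own; VPN_ADDRS is an optional pppd local:remote address pair, which the server’s ipcp-accept-local and ipcp-accept-remote options let the client choose.

```shell
#!/bin/sh
# Added example: bring up the ssh/pppd link with checks instead of a blind sleep.

VPN_SERVER=${VPN_SERVER:-curly}           # hostname from the slide
VPN_USER=${VPN_USER:-vpnusers}            # account with pppd as its shell
VPN_KEY=${VPN_KEY:-/root/.ssh/identity.vpn}
VPN_ADDRS=${VPN_ADDRS:-}                  # optional "local:remote" for pppd
VPN_SETTLE=${VPN_SETTLE:-10}              # seconds to let ssh finish logging in
# Private directory: root writing to a fixed /tmp name could be redirected
# through a symlink planted by any local user.
VPN_RUNDIR=${VPN_RUNDIR:-/var/run/vpn}

# Poll file $1 for up to $2 seconds until pty-redir has written a /dev/ name
# into it; print the name and return 0, or return 1 on timeout.
wait_for_device() {
    file=$1
    timeout=${2:-30}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        dev=$(head -n 1 "$file" 2>/dev/null || true)
        case $dev in
            /dev/*) printf '%s\n' "$dev"; return 0 ;;
        esac
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Start ssh behind a pty, wait for the device, hand it to pppd.
vpn_up() {
    mkdir -p -m 700 "$VPN_RUNDIR"
    devfile=$VPN_RUNDIR/device
    : > "$devfile"
    # -t: remote tty for pppd; -e none: no escape character eating PPP data;
    # BatchMode: fail instead of prompting for a passphrase or host key.
    pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish \
        -i "$VPN_KEY" -l "$VPN_USER" "$VPN_SERVER" > "$devfile"
    if dev=$(wait_for_device "$devfile" 30); then
        # Same purpose as the slide's sleep 10: give ssh time to authenticate
        # before pppd starts LCP (pppd retries anyway, so a short value only
        # costs a retry).
        sleep "$VPN_SETTLE"
        /usr/sbin/pppd "$dev" ${VPN_ADDRS:+"$VPN_ADDRS"}
    else
        echo "vpn-up: pty-redir/ssh to $VPN_SERVER gave no device within 30s" >&2
        return 1
    fi
}

# Connect only when run as the installed script (e.g. /usr/local/sbin/vpn-up);
# under any other name the file just defines the functions.
case ${0##*/} in
    vpn-up) vpn_up "$@" ;;
esac
```

A current pppd (2.3.11 and later) can run ssh itself through its pty "command" option, which removes both pty-redir and the settle delay: pppd then owns the pseudo-terminal and notices directly when ssh exits.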
And Finally
• On the client and the server
– Edit /etc/ppp/ip-up to add routes across the VPN
– Edit /etc/ppp/ip-down to remove them afterwards.
– pppd calls both scripts with the interface name, tty, speed, local IP, remote IP and ipparam as arguments, so the remote tunnel address is the gateway to use for the far LAN.
• What’s left
– Modify the vpnd script to match your configuration to make admin easier.
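One script that serves as both /etc/ppp/ip-up and /etc/ppp/ip-down, as an added example (not the talk’s own ip-up and not part of vpnd). It relies on pppd passing the interface as the first argument and the remote tunnel address as the fifth, and uses the net-tools route command RedHat 6 shipped with. The peer table, addresses and the ROUTE override variable are constructed for this example; the real table lists each peer’s tunnel address and the LAN behind it.

```shell
#!/bin/sh
# Added example: add or remove VPN routes from pppd's ip-up / ip-down hooks.
# pppd runs:  ip-up|ip-down <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>

# Constructed peer table: tunnel address of each peer and the LAN behind it,
# one pair per line.  On the client it lists head office; on the server, every branch.
VPN_NETS='
192.168.254.1 10.1.0.0/16
192.168.254.2 10.2.0.0/16
192.168.254.2 10.3.0.0/24
'

ROUTE=${ROUTE:-/sbin/route}   # overridable so the logic can be exercised without root

# Print the networks reachable through peer $1, one per line (nothing if unknown).
nets_for_peer() {
    peer=$1
    printf '%s\n' "$VPN_NETS" | while read -r addr net; do
        if [ "$addr" = "$peer" ]; then
            printf '%s\n' "$net"
        fi
    done
}

# Add or delete ($1) the routes for peer $3 via interface $2.
# Returns 1 for a peer missing from the table so the mistake shows in pppd's log.
apply_routes() {
    action=$1
    iface=$2
    peer=$3
    found=0
    for net in $(nets_for_peer "$peer"); do
        found=1
        "$ROUTE" "$action" -net "$net" gw "$peer" dev "$iface"
    done
    if [ "$found" -eq 0 ]; then
        echo "ppp $iface: no VPN routes known for peer $peer" >&2
        return 1
    fi
}

# Install as /etc/ppp/ip-up and link it to /etc/ppp/ip-down; the name pppd
# invokes it under selects the action.
case ${0##*/} in
    ip-up)   apply_routes add "$1" "$5" ;;
    ip-down) apply_routes del "$1" "$5" ;;
esac
```

Because the gateway is whatever address the peer negotiated, a client that proposes a tunnel address not in the table gets no routes and a log line, rather than a route pointing at the wrong branch.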
That’s it.
• We’re done, so what have we done?
– We’ve got ssh working
– We’ve configured a server to receive calls
– We’ve configured a client to make a call
– We’ve routed traffic across the VPN