- In order to keep everything isolated, I created a new user/group (linvpn/linvpn) on mia and zidler. Instructions for creating users using command line options can be found here. I have also set up passwordless login using SSH. PLease refer to this document for the HowTo. However, I still execute linvpn daemon as root. Use sudo appropriately if you want to execute it as any other user.
- LinVPN basically creates a PPP-over-SSL tunnel. However it provides an easy to use interface to the user.
- Properly configure the PPP software on all participating nodes; i.e Make sure you have the right
configuration in:
- /etc/ppp/options: This is the default options file for the PPP daemon. I mainly use the following
options :
------------------------------------- PPP-Client PPP-Server ------------------------------------- lock X X noauth X X debug X dump X logfd 2 X updetach X noccp X X ** novj X X ** novjccomp X X ** nopcomp X X ** noaccomp X X ****comment out the option if you want compression enabled in PPP. - /etc/ppp/(ip-up,ip-up.local): This script is called when the PPP interface comes up. I use it to set the routing table, firewall rules. Use it as approprriate.
- /etc/ppp/(ip-down,ip-down.local): This script is called when the PPP interface goes down. Use it appropriately.
- /etc/ppp/options: This is the default options file for the PPP daemon. I mainly use the following
options :
- Download the LinVPN tarball
and compile it. I used some special compilation flags, since I wanted all the binaries and config files,
to be in /home/linvpn directory.
NOTE: You may need to add -I/usr/kerberos/include to the CFLAGS variable (in configure) for RedHat 9.0 (or systems that contain OpenSSL 0.9.7).
The command's I used are as follows:~linvpn#>tar -xvzf LinVPN-version.tar.gz ~linvpn#>cd LinVPN-version ~linvpn#>mkdir /home/linvpn/etc; mkdir /home/linvpn/sbin ~linvpn#>./configure --prefix=/home/linvpn --config=/home/linvpn/etc ~linvpn#>make; make install
- Because, of the --prefix=/home/linvpn flag during configure, all the executables are installed in
/home/linvpn/sbin. I already had another vpnd (VPN Daemon) program installed in /usr/local/sbin,
and LinVPN has a similarly named program. Hence I decided to keep this seperate.
Thus to run any LinVPN related program, i have to use the full path name. - LinVPN comes with 4 programs. Below is a listing:
shashank@zidler:/home/linvpn/sbin# ls | more vpn-wrapper #wrapper program to execute certain commands like route, similar to sudo vpnd #Program to be run by the server vpncd #program to be run by the client vpndel #NOT REQUIRED. Same functionality availavle in vpncd and vpnd. vpnadd #Used to create a self-signed certificate. I Do not use this method.
You can also get good explanation of setting up a linux-to-linux vpn by reading the How-To that comes with tarball, and this recipe will serve as a good supplement. - I am asssuming that we are using the following setup with mia
as the client and zidler as the server .
- The first thing you need to do is get a good name for your VPN. I will name this vpn as testVPN.
- Before starting the actual configuration, you will need to get a
signed certificate for your server. This can be done in the following
two ways. The second method of getting a certificate signed from a CA is more complicated, and involves
extra configuration steps than the first method. I will explain the second method here. However, you can skip
the appropriate steps, if you wish to follow the first method.
- Create a self signed certificate for the server. This can be done using the
vpnadd command. Use the following command:
linvpn@zidler:/home/linvpn/sbin# ./vpnadd server testVPN 192.168.254.201:192.168.254.200 1024 Using configuration from /usr/share/ssl/openssl.cnf Generating a 1024 bit RSA private key ..++++++ ..........................................++++++ writing new private key to 'key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [Illinois]: Locality Name (eg, city) [Chicago]: Organization Name (eg, company) [UIC]: Organizational Unit Name (eg, section) [ECE]: Common Name (eg, your name or your server's hostname) []:linvpn Email Address []:linvpn@zidler.ece.uic.edu Adding VPN testVPN on server: done!
At the end, you will get a cert.pem file, in /home/linvpn/sbin that you can send to the peer. - The second method, is to generate a certificate request and get it signed from a Certificate Authority,
(like Verisign).
I have set up my own Certification Authority, which can sign and approve user generate request. Steps to set up a CA, generating a user certificate request and getting it signed from this CA can be found here.
- Create a self signed certificate for the server. This can be done using the
vpnadd command. Use the following command:
- Use the following sequence of commands to set up the server (zidler)
- I will assume that the user has generated a certificate request + private key (key.pem), and received a signed certifcate (cert.pem) from the CA. You can refer to steps viii, ix, x, xi... of this document for doing this.
- Once u get a signed certificate (cert.pem), just append it to the end of the
private key (key.pem). After appending,
the key.pem file should look like:
linvpn@zidler:/home/linvpn/sbin# cat key.pem -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCXX7qha8ZZRK1XzObWodf8m8SbmNLN0vKb6P7vPk81iTASV9Ok VlsBRVVEYsugRoM9iekCQGk9lqJ1DVvw3slJXrD//COqO/pmLDIoyf4cBDwg18FG wTnlVxGxO/iQ9vB/c/nNVJVIETqyQirg+ltx70XEfyo= --SNIP-- -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDJzCCAg+gAwIBAgIBDzANBgkqhkiG9w0BAQQFADCBqzE9MDsGA1UEAxM0Q2Vy dGlmaWNhdGUgQXV0aG9yaXR5IENyZWF0ZWQgYnkgU2hhc2hhbmsgS2hhbnZpbGth cjERMA8GA1UECBMISWxsaW5vaXMxCzAJBgNVBAYTAlVTMSMwIQYJKoZIhvcNAQkB FhRzaGFzaGFua0BldmwudWljLmVkdTElMCMGA1UEChMcUm9vdCBDZXJ0aWZpY2F0 Bcn3QAUVbzbTkRT06UH23Uc3Q/gQAfabSFPmKUznN7muoyBCfDPDEOXSWw== --SNIP-- -----END CERTIFICATE-----
NOTE: The blank line between the certificate and the private key. - Place the (Private Key + Certificate) combination file (key.pem) in the same directory as your vpnd program, viz. /home/linvpn/sbin
- Send the certificate file (cert.pem) to any peer who wishes to set up a VPN with you, using scp.
- Now use the following set of commands to start the daemon and
to set the various parameters for our VPN. Use vpnd --help for getting help.
1. linvpn@zidler:/home/linvpn/sbin# ./vpnd daemon ------------------------------------------------------------------------------- 2. linvpn@zidler:/home/linvpn/sbin# ./vpnd --help usage: ./vpnd [command [option(s)]] Avaliable commands: insert vpn_name local:remote : Insert a new entry remove vpn_name : Remove an existing entry fetch vpn_name : Fetch an existing entry change vpn_name local:remote : Change an existing entry list : Show all entries stats : Show connected clients disconnect vpn_name : Disconnect a client event vpn_name [conn|disco] : Edit VPN events setkey vpn_name keyfile.pem : Set RSA private key dumpkey vpn_name : Dump key to stdout daemon : Run daemon --version : Show version --help : This help ------------------------------------------------------------------------------- 3. linvpn@zidler:/home/linvpn/sbin# ./vpnd insert testVPN 192.168.254.201:192.168.254.200 Entry testVPN has been added successfully! ------------------------------------------------------------------------------- 4. linvpn@zidler:/home/linvpn/sbin# ./vpnd setkey testVPN key.pem Keyfile of testVPN has been saved successfully! ------------------------------------------------------------------------------- 5. linvpn@zidler:/home/linvpn/sbin# ./vpnd dumpkey testVPN -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCXX7qha8ZZRK1XzObWodf8m8SbmNLN0vKb6P7vPk81iTASV9Ok gF4v9OZBADj2wKeuE7Ex5j8+LzfN2Lch/P2ntQMZy/te6i+0YPSVTLOF57nswdn1 --SNIP-- -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDJzCCAg+gAwIBAgIBDzANBgkqhkiG9w0BAQQFADCBqzE9MDsGA1UEAxM0Q2Vy dGlmaWNhdGUgQXV0aG9yaXR5IENyZWF0ZWQgYnkgU2hhc2hhbmsgS2hhbnZpbGth cjERMA8GA1UECBMISWxsaW5vaXMxCzAJBgNVBAYTAlVTMSMwIQYJKoZIhvcNAQkB --SNIP-- -----END CERTIFICATE----- ------------------------------------------------------------------------------- 6. linvpn@zidler:/home/linvpn/sbin# setenv EDITOR pico 7. linvpn@zidler:/home/linvpn/sbin# ./vpnd event testVPN conn 8. linvpn@zidler:/home/linvpn/sbin# ./vpnd event testVPN disco -------------------------------------------------------------------------------The last two commands (7, 8) will open up the editor and you can add appropriate routing commands to it. For example, I added the following commands (though this did not work for me):+/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 dev $i
- Use the following sequece of commands to set up the client (mia).
- Remember that the server has sent us a certificate file (cert.pem). Make sure that it is residing in the same directory as your vpncd executable. In our case this is /home/linvpn/sbin.
- Now use the following sequence of commands at the client:
1. linvpn@mia:/home/linvpn/sbin# ./vpncd --help usage: ./vpncd command [option(s)] Avaliable commands: insert vpn_name remote_host : Insert a new entry remove vpn_name : Remove an existing entry fetch vpn_name : Fetch an existing entry change vpn_name remote_host : Change an existing entry list : Show all entries connect vpn_name [retry=#] : Make your VPN connection event vpn_name [conn|disco] : Edit VPN events setcert vpn_name cert.pem : Set a Certificate --version : Show version --help : This help ------------------------------------------------------------------------------- 2. linvpn@mia:/home/linvpn/sbin#./vpncd insert testVPN 131.193.50.184 Entry testVPN has been added successfully! ------------------------------------------------------------------------------- 3. linvpn@mia:/home/linvpn/sbin#./vpncd setcert testVPN cert.pem Keyfile for testVPN has been saved successfully! ------------------------------------------------------------------------------- 4. linvpn@mia:/home/linvpn/sbin# setenv EDITOR pico 5. linvpn@mia:/home/linvpn/sbin# ./vpnd event testVPN conn 6. linvpn@mia:/home/linvpn/sbin# ./vpnd event testVPN disco ------------------------------------------------------------------------------- 7. linvpn@mia:/home/linvpn/sbin# ./vpncd connect testVPNThe two commands (5, 6) will open up the editor and you can add appropriate routing commands to it. For example, I added the following commands (though this did not work for me):+/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 dev $i
[shashank@mia sbin]# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.254.200 P-t-P:192.168.254.201 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:56 (56.0 b) TX bytes:56 (56.0 b)
shashank@zidler:# route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0 --------------------------------------------------------------------------- shashank@mia:# route add -net 192.168.2.0 netmask 255.255.255.0 dev ppp0
Comments and corrections are appreciated and can be sent to papers@mia.ece.uic.edu. Click here for ©opyright information.