PPTP VPN Server on Debian/Ubuntu

PPTP VPN Server on Debian/Ubuntu

Quick setup: Copy and Paste

This section is for the impatient. All you have to do is login to your Debian/Ubuntu server and copy paste the following commands and you’ll have a working VPN server in less than 2 mins.
In this section I assume you’re logged in as the root user, do NOT have any instance of pptpd installed now or earlier and the “net.ipv4.ip_forward” is commented in the /etc/sysctl.conf file.

apt-get install pptpd -y
update-rc.d pptpd defaults
echo "localip 192.168.1.1" >>; /etc/pptpd.conf
echo "remoteip 192.168.1.2-254" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/pptpd-options
echo "ms-dns 8.8.4.4" >> /etc/ppp/pptpd-options
echo "username * Pa55w0rd *" >> /etc/ppp/chap-secrets
service pptpd restart
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu

Install the PPTPD package

On Debian/Ubuntu operating systems
apt-get install pptpd -y
update-rc.d pptpd defaults

Setup VPN and DNS IP addresses

 Edit the following file
nano /etc/pptpd.conf
And add the following lines to the end
localip 192.168.1.1
remoteip 192.168.1.2-254
You can use any private IP address range just make sure it is not already used in your local network and the local IP and the remote IP are in the same range.
Edit the following file to mention DNS servers
nano /etc/ppp/pptpd-options
Add the following lines to the end
ms-dns 8.8.8.8
ms-dns 8.8.4.4
You can use any DNS server here I’m using Google Public DNS just as an example.

Add usernames and passwords

Edit the following file
nano /etc/ppp/chap-secrets
and add username/password combinations one in each line in the following format

username * password *

Example

kirthan * rsEsss *
user2 * vPnpass *

If only you are going to use this VPN server a single username/password combination is enough.

Restart the pptpd service

service pptpd restart

Enable forwarding and create iptables rules

Our main purpose of setting up this VPN server is to access website right ? So our traffic has to be forwarded out of the VPN server’s public network interface.
Enable port forwarding on Linux by editing the sysctl.conf file

nano /etc/sysctl.conf

Add or find and comment out the following line





net.ipv4.ip_forward=1

Save, close the file and run the following command to make the changes take effect.

sysctl -p

The following iptables firewall rules allow port 1723, GRE and perform NAT


iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
In the last rule replace “eth0″ with the interface connecting to the internet on your VPN server. Finally the following rule is required to ensure websites load properly
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu
Replace 192.168.1.0/24 with the IP address range used in the “remoteip” option in the /etc/pptpd.conf this firewall rule is used to ensure a proper MTU value is used to prevent fragmentation. To save the IPTables rules 

Create a VPN connection on your computer

Open the network setting and create new vpn connection
and add the Vpn server detail like password username ip

Free OpenVPN and PPTP VPN

Click on this link : Free vpn server


 

at No comments:

SSL Authentication for website

Two Way SSL Authentication

In standard SSL connections your browser verifies the identity of the server via it's certificate. With 2 way authentication your browser also needs a certificate in order for the server to verify it and allow it access to the pages.

  Steps reqired :

  1. Creating OpenSSL certificates
  2.  Configure Apache 
  3.  Configure your browser

Creating OpenSSL certificates

Make sure OpenSSL is installed on whichever server you want to be your CA.
You will need an openssl.cnf file. Here is the one I used. 
 
#/etc/ssl/openssl.cnf

[ req ]
default_md = sha512
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country
countryName_default = GB
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = United Kingdom
organizationName = Organization
organizationName_default = SpiderWiki
commonName = Common Name
commonName_max = 64

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
crlDistributionPoints = @crl

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
crlDistributionPoints = @crl

[ crl ]
URI=http://www.spiderwiki.org/ca.crl

So first we need a self signed certificate for our CA. 
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
openssl req -config /etc/ssl/openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Next we will generate a private SSL key for our server. 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
openssl genrsa -out server.key 2048
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To generate Certificate Signing Request (PKCS#10) run the following command. For the common name you should put the URL for the server e.g. www.spiderwiki.org 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
openssl req -config  /etc/ssl/openssl.cnf -new -key server.key -out server.req
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
With self-signed certificate authority issue server certificate with serial number 100: 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile /etc/ssl/openssl.cnf -extensions server -days 365 -outform PEM -out server.cer
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The new file contains both the certificate and the private key so we can delete the request file. 
 
rm server.req

Now that the server certificates are done we need to create the key for a client. 
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
openssl genrsa -out client.key 2048

Then the request. 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 openssl req -config /etc/ssl/openssl.cnf -new -key client.key -out client.req
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And issue certificate ID with our CA for the client.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile /etc/ssl/openssl.cnf -extensions client -days 365 -outform PEM -out client.cer
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Save client's private key and certificate in a PKCS#12 format. You will need to set a password in this command.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Then tidy up. 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
rm client.key client.cer client.req
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Configure Apache

Depending on the version of Apache and your distro this can be slightly different so as a general guide.
  • You need to tell Apache to also listen on port 443 (at least that's the default for SSL)
  • You need to enable the SSL module.
  • Set a new VirtualHost (or modify your main server to use SSL)
  • Move the required files to the location set in your virtual host.
  • Restart Apache
Here is my default-ssl virtual host config file. 
 
#vi /etc/apache2/sites-available/default-ssl 
 
<IfModule mod_ssl.c>
<VirtualHost _default_:443>

        ServerAdmin webmaster@localhost

        DocumentRoot /var/securewww/
        
                Options FollowSymLinks
        
                Options Indexes FollowSymLinks MultiViews
        

        LogLevel warn
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/server.cer
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
         
        # Below for 2 way ssl
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLCACertificateFile /etc/apache2/ssl/ca.cer



</VirtualHost>
</IfModule>

Configure your browser

Copy client.p12 file to the machine you intend to use. Install it into your browsers certificate store. This process is different on each browser.
at No comments:
Subscribe to: Posts (Atom)

Start and Stop ssh-agent

Below is the bash script used to start and stop ss-agent #!/bin/bash ## in .bash_profile SSHAGENT=`which ssh-agent` SSHAGENTARGS="...