Tunneling Services
The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine. You could also use windows as your client VPN platform.
The reason that PPTP is discontinued in iOS as it is the least secure of the many VPN options, but it is the most simple to setup and configures. We will show you some other VPN technologies in the coming weeks, each with their own pro's and con's.
Contents
Virutal Machine setup
You will be installing PPTP on your Linux Virtual machine. We want to make this available for your mobile devices and your host computer (OSX or Windows) to be able to tunnel to it.
- If you are at home on a standard WiFi network then you should configure your virtual machine in bridged mode. In virtual box, right-click on your virtual machine: Settings->Network. Then attach to Bridged adaptor and then link it to your adapter that connects to the Internet.
- If you are connected to a work network or a network like eduroam then you will need two virtual machines in NAT network as demonstrated in Linux_Essentials_&_VM_Networks#Create_a_Second_Virtual_Machine_and_Network
Configuration of the PPTP Server
Start by installing the required Linux packages for the lab on the Linux device that will be the server:
sudo apt update sudo apt install uml-utilities sudo apt install pptpd sudo apt install net-tools
Note that if you have problems installing uml-utilities then try to add the universe repository:
sudo add-apt-repository universe
Then, issue an:
ifconfig
What is the IP address of your Ubuntu machine? This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet-facing side of our companies VPN. For me, this was 192.168.88.246.
We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.
Create the internal LAN interface with:
sudo tunctl -t tap0
sudo ifconfig tap0 inet 10.0.0.1 netmask 255.255.255.0
Ensure that the interface has been created by typing:
ifconfig
Verify that you can ping it before moving on.
Configure the PPTPD server with:
sudo nano /etc/pptpd.conf
Uncomment and change the following lines to
localip 10.0.0.1 remoteip 10.0.0.234-238,10.0.0.245
Disable the logwtmp option by adding a # before it. The issue appears to have been logged as a bug here:
https://bugs.launchpad.net/ubuntu/+source/pptpd/+bug/1451419
Then have a look through:
sudo nano /etc/ppp/pptpd-options
This configuration should not need editing but it is interesting to look at as it describes the authentication and encryption parameters of your VPN
Edit the chap secrets:
sudo nano /etc/ppp/chap-secrets
This file follows the following format
<username> <IP> <users-password> <IP>
Edit it to look like:
# Secrets for authentication using CHAP # client server secret IP addresses student * student *
The asterisk characters mean any
As with all linux servers, once the configuration has changed, you must restart the service using:
sudo /etc/init.d/pptpd restart
Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied
Connecting your client devices to the PPTP server
Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.
Before connecting to a device, monitor the logs on the server with:
tail -f /var/log/syslog
The output may help you to debug any problems.
Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.
May 3 14:20:13 ciscolabLI pppd[5139]: local IP address 10.0.0.150 May 3 14:20:13 ciscolabLI pppd[5139]: remote IP address 10.0.0.234
The remote IP address of 10.0.0.234 indicates the IP of your VPN device.
Evaluating your success
If you connect from a Windows or Linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device
If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your Ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:
sudo nano /etc/ppp/chap-secrets
Remember to restart the service:
sudo /etc/init.d/pptpd restart
When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output shown in a:
tail -f /var/log/syslog
Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.
