Difference between revisions of "Tunneling Services"

From csn
Jump to navigation Jump to search
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). While it is not the most secure mechanism it does work easily on many mobile devices.
+
The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine. You could also use windows as your client VPN platform.  
  
Have a close look at the physical lab setup that we will use to complete this lab, as well as the conceptual lab setup. If you are unsure about how the topology in this lab will map to the real world
+
The reason that PPTP is discontinued in iOS as it is the least secure of the many VPN options, but it is the most simple to setup and configures. We will show you some other VPN technologies in the coming weeks, each with their own pro's and con's.
  
[[File:Tunneling_lab_setup.png|centre|thumb|x300px|alt=Physical Lab Setup|Physical Lab Setup]]
+
== Virutal Machine setup ==
  
[[File:Tunneling_Conceptual.png|centre|thumb|x300px|alt=Conceptual Lab Setup|Conceptual Lab Setup]]
+
You will be installing PPTP on your Linux Virtual machine. We want to make this available for your mobile devices and your host computer (OSX or Windows) to be able to tunnel to it.
 +
 
 +
*If you are at home on a standard WiFi network then you should configure your virtual machine in bridged mode. In virtual box, right-click on your virtual machine: Settings->Network. Then attach to Bridged adaptor and then link it to your adapter that connects to the Internet.
 +
*If you are connected to a work network or a network like eduroam then you will need two virtual machines in NAT network as demonstrated in [[Linux_Essentials_%26_VM_Networks#Create_a_Second_Virtual_Machine_and_Network]]
  
 
== Configuration of the PPTP Server ==
 
== Configuration of the PPTP Server ==
Line 16: Line 19:
 
  sudo apt install net-tools
 
  sudo apt install net-tools
  
Then, statically assign an IP address of 192.168.1.150 to the Ubuntu host that will act as the VPN server. You can use the GUI on Ubuntu for this. This interface will represent the external, Internet facing side of our companies VPN.
+
Note that if you have problems installing uml-utilities then try to add the universe repository:
  
To do this in Ubuntu, right click the network icon in the top right and do edit connections. Once you have edited the profile, you will need to enable it by clicking on the network icon then auth eth0
+
sudo add-apt-repository universe
  
Plug this Ethernet interface into your wireless AP. Ensure that you can ping your wireless AP at 192.168.1.1
+
Then, issue an:
  
We will now create our internal virtual interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.
+
ifconfig
 +
 
 +
What is the IP address of your Ubuntu machine? This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet-facing side of our companies VPN. For me, this was 192.168.88.246.
 +
 
 +
We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.
  
 
Create the internal LAN interface with:
 
Create the internal LAN interface with:
Line 77: Line 84:
 
Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.
 
Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.
  
  sudo nano /proc/sys/net/ipv4/ip_forward
+
  sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
 +
 
 +
If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied
 +
 
 +
== Connecting your client devices to the PPTP server==
  
 
Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.  
 
Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.  
Line 87: Line 98:
 
The output may help you to debug any problems.
 
The output may help you to debug any problems.
  
When you connect successfully you should see the following output.
+
Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.
  
 
  May  3 14:20:13 ciscolabLI pppd[5139]: local  IP address 10.0.0.150
 
  May  3 14:20:13 ciscolabLI pppd[5139]: local  IP address 10.0.0.150
Line 94: Line 105:
 
The remote IP address of 10.0.0.234 indicates the IP of your VPN device.
 
The remote IP address of 10.0.0.234 indicates the IP of your VPN device.
  
If you connect from a Windows or linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device
+
=== Evaluating your success ===
 +
 
 +
If you connect from a Windows or Linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device
  
If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:
+
If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your Ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:
  
 
  sudo nano /etc/ppp/chap-secrets
 
  sudo nano /etc/ppp/chap-secrets
  
Remember to restart the service
+
Remember to restart the service:
  
 
  sudo /etc/init.d/pptpd restart
 
  sudo /etc/init.d/pptpd restart
  
When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output show in a  
+
When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output shown in a:
  
 
  tail -f /var/log/syslog
 
  tail -f /var/log/syslog
  
Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression
+
Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.
 
 
If your mobile device has gone to sleep it will not respond to pings.
 
 
 
=== Extra Notes for client configuration of PPTP ===
 
 
 
Android: intuitive
 
 
 
iOS: intuitive
 
 
 
Ubuntu:
 
 
 
*Go to network connections.
 
*You need to open the advanced options and select MPPE and allow stateful encryption.
 
*When you connect, do an ifconfig and check that a ppp0 interface was connected and ping the tun0 interface on the server
 
 
 
Win 7:
 
 
 
*Open network and sharing centre,
 
*Setup a new connection or network,
 
*Setup a dial-up or vpn connection to your workplace,
 
*no create a new connection,
 
*Use my Internet connection VPN,
 
*I will setup an Internet connection later.
 
*Wait for windows to tell you you cant do it,
 
*then click on the icon in the bottom right corner and connect to the VPN anyway
 
*ping the tun0 interface on the server to verify connectivity
 
 
 
=== Challenge ===
 
 
 
Try to authenticate to the PPTP server using the dd-wrt broadband routers as a client
 

Latest revision as of 00:27, 10 September 2020

The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine. You could also use windows as your client VPN platform.

The reason that PPTP is discontinued in iOS as it is the least secure of the many VPN options, but it is the most simple to setup and configures. We will show you some other VPN technologies in the coming weeks, each with their own pro's and con's.

Virutal Machine setup

You will be installing PPTP on your Linux Virtual machine. We want to make this available for your mobile devices and your host computer (OSX or Windows) to be able to tunnel to it.

  • If you are at home on a standard WiFi network then you should configure your virtual machine in bridged mode. In virtual box, right-click on your virtual machine: Settings->Network. Then attach to Bridged adaptor and then link it to your adapter that connects to the Internet.
  • If you are connected to a work network or a network like eduroam then you will need two virtual machines in NAT network as demonstrated in Linux_Essentials_&_VM_Networks#Create_a_Second_Virtual_Machine_and_Network

Configuration of the PPTP Server

Start by installing the required Linux packages for the lab on the Linux device that will be the server:

sudo apt update
sudo apt install uml-utilities
sudo apt install pptpd
sudo apt install net-tools

Note that if you have problems installing uml-utilities then try to add the universe repository:

sudo add-apt-repository universe

Then, issue an:

ifconfig

What is the IP address of your Ubuntu machine? This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet-facing side of our companies VPN. For me, this was 192.168.88.246.

We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.

Create the internal LAN interface with:

sudo tunctl -t tap0
sudo ifconfig tap0 inet 10.0.0.1 netmask 255.255.255.0

Ensure that the interface has been created by typing:

ifconfig

Verify that you can ping it before moving on.

Configure the PPTPD server with:

sudo nano /etc/pptpd.conf

Uncomment and change the following lines to

localip 10.0.0.1
remoteip 10.0.0.234-238,10.0.0.245

Disable the logwtmp option by adding a # before it. The issue appears to have been logged as a bug here:

https://bugs.launchpad.net/ubuntu/+source/pptpd/+bug/1451419

Then have a look through:

sudo nano /etc/ppp/pptpd-options

This configuration should not need editing but it is interesting to look at as it describes the authentication and encryption parameters of your VPN

Edit the chap secrets:

sudo nano /etc/ppp/chap-secrets

This file follows the following format

<username> <IP> <users-password> <IP>

Edit it to look like:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
student         *       student                 *

The asterisk characters mean any

As with all linux servers, once the configuration has changed, you must restart the service using:

sudo /etc/init.d/pptpd restart

Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied

Connecting your client devices to the PPTP server

Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.

Before connecting to a device, monitor the logs on the server with:

tail -f /var/log/syslog

The output may help you to debug any problems.

Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.

May  3 14:20:13 ciscolabLI pppd[5139]: local  IP address 10.0.0.150
May  3 14:20:13 ciscolabLI pppd[5139]: remote IP address 10.0.0.234

The remote IP address of 10.0.0.234 indicates the IP of your VPN device.

Evaluating your success

If you connect from a Windows or Linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device

If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your Ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:

sudo nano /etc/ppp/chap-secrets

Remember to restart the service:

sudo /etc/init.d/pptpd restart

When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output shown in a:

tail -f /var/log/syslog

Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.