Difference between revisions of "Tunneling Services"

From csn
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine.  
+
The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine. You could also use windows as your client VPN platform.
 +
 
 +
The reason that PPTP is discontinued in iOS as it is the least secure of the many VPN options, but it is the most simple to setup and configures. We will show you some other VPN technologies in the coming weeks, each with their own pro's and con's.
  
 
== Virutal Machine setup ==
 
== Virutal Machine setup ==
Line 16: Line 18:
 
  sudo apt install pptpd
 
  sudo apt install pptpd
 
  sudo apt install net-tools
 
  sudo apt install net-tools
 +
 +
Note that if you have problems installing uml-utilities then try to add the universe repository:
 +
 +
sudo add-apt-repository universe
  
 
Then, issue an:
 
Then, issue an:
Line 21: Line 27:
 
  ifconfig
 
  ifconfig
  
What is the IP address of your Ubuntu machine. This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet facing side of our companies VPN. For me this was 192.168.88.246.  
+
What is the IP address of your Ubuntu machine? This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet-facing side of our companies VPN. For me, this was 192.168.88.246.  
  
 
We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.
 
We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.
Line 78: Line 84:
 
Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.
 
Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.
  
  sudo nano /proc/sys/net/ipv4/ip_forward
+
  sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
 +
 
 +
If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied
 +
 
 +
== Connecting your client devices to the PPTP server==
  
 
Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.  
 
Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.  
Line 87: Line 97:
  
 
The output may help you to debug any problems.
 
The output may help you to debug any problems.
 
== Connnecting the Client ==
 
  
 
Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.
 
Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.
Line 97: Line 105:
 
The remote IP address of 10.0.0.234 indicates the IP of your VPN device.
 
The remote IP address of 10.0.0.234 indicates the IP of your VPN device.
  
If you connect from a Windows or linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device
+
=== Evaluating your success ===
 +
 
 +
If you connect from a Windows or Linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device
  
If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:
+
If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your Ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:
  
 
  sudo nano /etc/ppp/chap-secrets
 
  sudo nano /etc/ppp/chap-secrets
  
Remember to restart the service
+
Remember to restart the service:
  
 
  sudo /etc/init.d/pptpd restart
 
  sudo /etc/init.d/pptpd restart
  
When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output show in a  
+
When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output shown in a:
  
 
  tail -f /var/log/syslog
 
  tail -f /var/log/syslog
  
 
Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.
 
Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.

Latest revision as of 00:27, 10 September 2020

The point of this lab is to show you how you can tunnel services over an untrusted network. The tunnelling mechanism that we are using in this lab is Point-to-Point Tunneling Protocol (PPTP). Only 2 years ago this used to be the only VPN that would work out of the box on iOS mobile devices and now it seems that it is discontinued: https://developer.apple.com/forums/thread/48569 things move fast. If you don't have a client VPN platform then use a Linux virtual machine. You could also use windows as your client VPN platform.

The reason that PPTP is discontinued in iOS as it is the least secure of the many VPN options, but it is the most simple to setup and configures. We will show you some other VPN technologies in the coming weeks, each with their own pro's and con's.

Virutal Machine setup

You will be installing PPTP on your Linux Virtual machine. We want to make this available for your mobile devices and your host computer (OSX or Windows) to be able to tunnel to it.

  • If you are at home on a standard WiFi network then you should configure your virtual machine in bridged mode. In virtual box, right-click on your virtual machine: Settings->Network. Then attach to Bridged adaptor and then link it to your adapter that connects to the Internet.
  • If you are connected to a work network or a network like eduroam then you will need two virtual machines in NAT network as demonstrated in Linux_Essentials_&_VM_Networks#Create_a_Second_Virtual_Machine_and_Network

Configuration of the PPTP Server

Start by installing the required Linux packages for the lab on the Linux device that will be the server:

sudo apt update
sudo apt install uml-utilities
sudo apt install pptpd
sudo apt install net-tools

Note that if you have problems installing uml-utilities then try to add the universe repository:

sudo add-apt-repository universe

Then, issue an:

ifconfig

What is the IP address of your Ubuntu machine? This will act as the VPN server and your VPN Clients must be able to connect to or hit it. This interface will represent the external, Internet-facing side of our companies VPN. For me, this was 192.168.88.246.

We will now create our internal virtual tap0 interface. This interface and the associated subnet is going to represent the internal LAN that our remote users will have access to. You will have successfully completed the lab when your remote devices are able to ping 10.0.0.1 through your pptpd tunnel.

Create the internal LAN interface with:

sudo tunctl -t tap0
sudo ifconfig tap0 inet 10.0.0.1 netmask 255.255.255.0

Ensure that the interface has been created by typing:

ifconfig

Verify that you can ping it before moving on.

Configure the PPTPD server with:

sudo nano /etc/pptpd.conf

Uncomment and change the following lines to

localip 10.0.0.1
remoteip 10.0.0.234-238,10.0.0.245

Disable the logwtmp option by adding a # before it. The issue appears to have been logged as a bug here:

https://bugs.launchpad.net/ubuntu/+source/pptpd/+bug/1451419

Then have a look through:

sudo nano /etc/ppp/pptpd-options

This configuration should not need editing but it is interesting to look at as it describes the authentication and encryption parameters of your VPN

Edit the chap secrets:

sudo nano /etc/ppp/chap-secrets

This file follows the following format

<username> <IP> <users-password> <IP>

Edit it to look like:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
student         *       student                 *

The asterisk characters mean any

As with all linux servers, once the configuration has changed, you must restart the service using:

sudo /etc/init.d/pptpd restart

Finally, any linux server/router that will be moving packets over different subnets needs IP forwarding enabled. You must edit the following file and replace the 0 with a 1.

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied

Connecting your client devices to the PPTP server

Connect your remote devices to the AP and ensure that they can ping the Linux PPTP server at 192.168.1.150. This wireless network really represents the Internet or any network that is insecure. Try to work out to VPN to 192.168.1.1. Remember that it it a PPTP VPN. Have a play with different PCs (unix and Win), ipads/iphones, droid phones/tabs.

Before connecting to a device, monitor the logs on the server with:

tail -f /var/log/syslog

The output may help you to debug any problems.

Try connecting your phone and your regular laptop. When you connect successfully you should see the following output.

May  3 14:20:13 ciscolabLI pppd[5139]: local  IP address 10.0.0.150
May  3 14:20:13 ciscolabLI pppd[5139]: remote IP address 10.0.0.234

The remote IP address of 10.0.0.234 indicates the IP of your VPN device.

Evaluating your success

If you connect from a Windows or Linux PC you should try pinging 10.0.0.1 and 10.0.0.150 from your 'remote' device

If you are connecting from a phone or a tablet, you may need to ping or nmap the device from your Ubuntu server as some of these devices lack network troubleshooting tools. As you connect more devices add more usernames. Add more to the CHAP file:

sudo nano /etc/ppp/chap-secrets

Remember to restart the service:

sudo /etc/init.d/pptpd restart

When you have multiple devices configured, you should be able to ping between them all, get the addresses from an ifconfig/ipconfig or from the output shown in a:

tail -f /var/log/syslog

Ensure that you are only connecting users with MSCHAP and MPPE 128-bit stateless compression. If your mobile device has gone to sleep it will not respond to pings.