1 / 33

VPN using SSH

Implementing a secure Unix to Unix Virtual Private Network Gary Stainburn Ringways Garages Ltd. VPN using SSH. Andrew’s Talk. Excellent talk covering theory and history Implemented pptp - most common use of VPN However, my way is better. Ssh is better, why?.

kyran
Download Presentation

VPN using SSH

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implementing a secure Unix to Unix Virtual Private Network Gary Stainburn Ringways Garages Ltd. VPN using SSH

  2. Andrew’s Talk • Excellent talk covering theory and history • Implemented pptp - most common use of VPN • However, my way is better.

  3. Ssh is better, why? • Always secure - no need to patch kernel • true Unix to Unix connection. • Better for Lan to Lan. • Modular • ssh (zlib, ssl, ssh) • port redirector • pppd

  4. Why VPN • Look at an APN.

  5. Why VPN • Look at an APN. • Existing Ringways APN (a.k.a. WAN)

  6. Proposed Internet Link • Ringways were looking for an internet link

  7. Suggested VPN • Suggested replacing existing lines with:

  8. Actually Went With

  9. What if we grow?

  10. What if we grow?

  11. Definitely VPN

  12. Points to Consider • APN • Cost of line vs Benefits received • Who meets costs? • VPN • No cost if link already available • Split cost if not already available

  13. Implications • Lower costs = more uses • more uses = more connections • more connections = more access points

  14. Security • Firewall - One point of access • Multiple access points • Weakness in remote end - Win95? • Other people administrating • Treat VPN users as Notebook Users

  15. Security - Server • When planning to set up a VPN server • Needs public access • Can be behind firewall - Ssh works over NAT • preferably no other access • Can be on firewall

  16. So, how’s it work? • Uses an existing unsecured network • runs a Ssh session over that connection • redirects a pppd session over it.

  17. Ssh - So, what do I need? • For RedHat 6 systems: • zlib-1.1.3-6.i386.rpm - already installed • openssl-0.9.5a.i386.rpm • openssh-2.1.1p2-1.i386.rpm • openssh-clients-2.1.1p2-1.i386.rpm • openssh-server-2.1.1p2-1.i386.rpm • Pppd.

  18. Ssh - So, what do I need? • For everything else: • zlib-1.1.3.tar.gz - ftp://ftp.cdrom.com/pub/infozip/zlib • openssl-0.9.5a.tar.gz - http://www.openssl.org • openssh-2.1.1p2.tar.gz - http://www.openssh.com • Pppd

  19. Ssh - So what do I do? • For RedHat 6 systems: • rpm -i openssl-0.9.5a.i386.rpm • rpm -i openssh-2.1.1p2-1.i386.rpm • rpm -i openssh-clients-2.1.1p2-1.i386.rpm • rpm -i openssh-server-2.1.1p2-1.i386.rpm

  20. Ssh - So what do I do? • For everything else: • untar zlib-1.1.3.tar.gz • ./configure • make • make test • make install

  21. Ssh - So what do I do? • For everything else: • untar openssl-0.9.5a.tar.gz • ./config • make • make test • make install

  22. Ssh - So what do I do? • For everything else: • untar openssh-2.1.1p2.tar.gz • ./configure • make • make install

  23. Ssh - So what do I do? • As root run: • ssh-keygen • This creates .ssh directory. • This contains the private and public keys. • Create authorized_keys from public key

  24. Ssh - So what do I do? • Copy the identity.pub from the client machine to the server machine • Client = makes call • Server = receives call • Append this file to /root/.ssh/authorized_keys • Make sure sshd is running on the server

  25. Ssh - How do I test it • On the client • ssh <servername> • If you have done everything correctly you should now have a Ssh session open and the command prompt of the server machine on-screen.

  26. So what’s next - Server • edit /etc/ppp/options to include: • ipcp-accept-local • ipcp-accept-remote • proxyarp • noauth

  27. So what’s next - Server • Create a vpn-users group and user • add group vpnusers to /etc/groups • vpnusers:*:504: • add user vpn-users to /etc/passwd • vpnuses:*:504:405:VPN User:/home/vpnusers:/usr/sbin/pppd • mkdir /home/vpn-users • chown vpnusers:vpnusers /home/vpnusers

  28. So what’s next - Server • Create the /home/vpnusers/.ssh directory • Create the file .ssh/authorized_keys • Add the public keys of everyone who needs access.

  29. So what’s next - Client • as root run: • mkdir /root/.ssh • ssh-keygen -f /root/.ssh/identity.vpn -P ”” • add the new file identity.vpn.pub to the authorized_keys on the server.

  30. So what’s next - client • Get http://www.shinythings.com/vpnd/vpnd.tar.gz • Unzip it into /usr/local/vpn • copy pty-redir to /usr/sbin

  31. So what’s next - client • as root run: • pty-redir ssh -t -e none -o ‘Batchmode yes’ -c blowfish -i /root/.ssh/identity.vpn -l vpnuser curly >/tmp/vpn-device • sleep 10 • /usr/sbin/pppd `cat /tmp/vpn-device`

  32. And Finally • On the client and the server • Edit /etc/ppp/ip-up to add routes across the VPN • Edit/etc/ppp/ip-down to remove them afterwards. • What’s left • Modify the vpnd script match your configuration to make admin easier.

  33. That’s it. • We’re done, so what have we done • We’ve got ssh working • We’ve configured a server to receive calls • We’ve configured a client to make a call • We’ve routed traffic across the VPN

More Related