L2TP/IPSec with OpenBSD and npppd, by jj
An OpenBSD user since 3.2, I deploy OpenBSD on anything I want to be secure and stable (yes, even -current is STABLE, as long as you know what you are doing). This guide is split into two sections. The first and major one is the server-side configuration. The second is about what should be done on the client side. I use npppd both at home and at the office. My office setup is a bit more complicated than the one described here.
Read on for the story of how one man conquered his corner of the internet.
Server
The server needs to run OpenBSD 5.1-current with /usr/src populated according to the documentation. npppd is in development, so it is a good idea to have your sources up to date, else you might miss an important patch.

1. Compile and Install

As npppd is not yet linked into the build, you have to compile it yourself:
    cd /usr/src/usr.sbin/npppd && make depend && make && make install
2. Configuration

After that it is good practice to take a look at the HOWTO in the same directory, HOWTO_PIPEX_NPPPD.txt. There is no manual page for npppd yet, so more info can only be gathered by reading the source code. [this should change relatively quickly - ed.] The info provided by Yasuoka in the above-mentioned HOWTO covers pretty much all we need for a basic setup; however, I'll write down my working home configuration here. Let's start with pf.conf:
    pass quick proto {esp, ah} from any to any
    pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
    pass on enc0 from any to any keep state (if-bound)
Now the IPsec part; isakmpd should start at boot and load the rules from ipsec.conf, so add the following to rc.conf:
    isakmpd_flags="-K"
Then the ipsec.conf itself. Make sure to replace IP 1.2.3.4 with your own external IP.
    ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "password"
Finally, npppd.conf. At home I use RADIUS for authentication, for a few reasons. If you plan to use a plain password file, uncomment the lines after "Local file authentication"; again, the HOWTO mentioned above explains how to create this file. My internal network is 192.168.78.x. 192.168.80.0/25 is the range from which clients connected through the VPN get their addresses, and 192.168.80.1 is their gateway to the internal network.
    interface_list: tun0
    interface.tun0.ip4addr: 192.168.80.1
    pool.dyna_pool: 192.168.80.0/25
    pool.pool: 192.168.80.128/25

    # Local file authentication
    #auth.local.realm_list: <realm name>
    #auth.local.realm.acctlist: <users file, see the HOWTO>
    #realm.local.concentrate: tun0

    # RADIUS authentication / accounting
    auth.radius.realm_list: radius
    auth.radius.realm.server.address: 192.168.78.1:1812
    auth.radius.realm.server.secret: radius_password
    auth.radius.realm.acct_server.address: 192.168.78.1:1813
    auth.radius.realm.acct_server.secret: radius_password
    realm.radius.concentrate: tun0

    # The angle-bracket entries below are placeholders (the original values are
    # not legible in this copy); set your own.
    lcp.mru: <mru>
    lcp.timeout: <seconds>
    auth.method: <authentication methods>
    ipcp.dns_primary: <dns server>
    ipcp.dns_secondary: <dns server>
    ipcp.assign_fixed: <true|false>
    ipcp.assign_userselect: <true|false>

    l2tpd.enable: <true|false>
    #l2tpd.listener: <listener>
    l2tpd.ip4_allow: <network/prefix>
    l2tpd.require_ipsec: <true|false>
    l2tpd.accept_dialin: <true|false>
    pipex.enable: <true|false>

undeadly.org/cgi?action=article&sid=20120427125048
7/23/12
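The address plan above (one tunnel interface, two pools, an internal LAN that the client later routes through the tunnel) is easy to get subtly wrong. The following is an added example, not code from the article or from npppd: it parses the old-style "key: value" format shown above and checks that the pools do not overlap each other or the internal LAN, and that every interface a realm concentrates on is declared with an address. SAMPLE_CONF is a constructed excerpt in that format and INTERNAL_LAN is the HOME_NET prefix used on the client side.

```python
"""Consistency checks for the address plan in an old-style npppd.conf.

Added example, not code from the article or from npppd. It parses the
'key: value' format and checks three things a misconfigured tunnel usually
gets wrong: pools must not overlap each other, no pool may overlap the
internal LAN (the client adds a route for that LAN through the tunnel, so an
overlap makes hosts unreachable), and every interface named in a
realm.*.concentrate line must appear in interface_list with an ip4addr.
"""
import ipaddress

# Constructed excerpt in the same format as the configuration above
SAMPLE_CONF = """\
interface_list: tun0
interface.tun0.ip4addr: 192.168.80.1
pool.dyna_pool: 192.168.80.0/25
pool.pool: 192.168.80.128/25
# Local file authentication
#auth.local.realm_list: local
realm.radius.concentrate: tun0
"""
# The LAN the client-side ip-up script routes through the tunnel as HOME_NET
INTERNAL_LAN = "192.168.78.0/25"


def parse_npppd_conf(text):
    """Return {key: [value, ...]}; keys may repeat (several pool.pool lines)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_address_plan(conf, internal_lan):
    """Return a list of problem descriptions; an empty list means all checks pass."""
    problems = []
    lan = ipaddress.ip_network(internal_lan)
    pools = [ipaddress.ip_network(v, strict=False)
             for key in ("pool.dyna_pool", "pool.pool")
             for v in conf.get(key, [])]
    if not pools:
        problems.append("no address pool configured")

    # Pools must be disjoint from each other and from the internal LAN
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps(b):
                problems.append("pools %s and %s overlap" % (a, b))
        if a.overlaps(lan):
            problems.append("pool %s overlaps internal LAN %s" % (a, lan))

    # Every interface a realm concentrates on needs to be declared and addressed
    declared = conf.get("interface_list", [""])[0].split()
    for key, values in conf.items():
        if key.startswith("realm.") and key.endswith(".concentrate"):
            for iface in values[0].split():
                if iface not in declared:
                    problems.append("%s: %s not in interface_list" % (key, iface))
                elif "interface.%s.ip4addr" % iface not in conf:
                    problems.append("%s has no ip4addr" % iface)
    return problems


if __name__ == "__main__":
    found = check_address_plan(parse_npppd_conf(SAMPLE_CONF), INTERNAL_LAN)
    print("\n".join(found) if found else "address plan is consistent")
```

Run it against your own npppd.conf by replacing SAMPLE_CONF with the file's contents; an empty result means the plan is consistent, otherwise each line names the clash.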
A note about l2tpd.listener: this configuration directive can be used with more advanced setups, for instance when you have a CARPed range of IP addresses.

3. Start up

Apply the pf.conf first:
    pfctl -f /etc/pf.conf
All debugging, in case of a misconfiguration or a VPN that does not come up, is done with isakmpd and npppd running in the foreground and tcpdump listening for the relevant packets on the relevant interfaces.
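When reading such a capture, the useful question is how far the session got: IKE on UDP 500 (or UDP 4500 with NAT-T behind a NAT), then ESP, then L2TP on UDP 1701, which is only visible in clear on enc0. The script below is an added example, not from the article or from OpenBSD; it classifies tcpdump lines by that order and reports the last stage seen together with where to look next. SAMPLE_CAPTURE is constructed in tcpdump -n style with documentation addresses, so the exact field layout of your own capture may differ.

```python
"""Find the last stage an L2TP/IPsec session reached in a tcpdump capture.

Added example, not from the article or from OpenBSD. It encodes the order in
which the traffic should appear (IKE on UDP 500, NAT-T on UDP 4500, ESP,
L2TP on UDP 1701 as seen on enc0) and names the first stage that is missing.
"""
import re

STAGES = ["ike", "nat-t", "esp", "l2tp"]
NEXT_STEP = {
    None: "no IKE seen: check that isakmpd runs and pf passes UDP 500/4500 on egress",
    "ike": "IKE started but never completed: run isakmpd in the foreground, check PSK and proposals",
    "nat-t": "NAT-T exchange seen but no ESP: phase 2 failed, check the ipsec.conf flow",
    "esp": "IPsec is up but no L2TP on enc0: check pf on enc0 and that npppd listens on 1701",
    "l2tp": "L2TP reached the server: debug PPP/authentication with npppd in the foreground",
}

# Constructed sample lines in tcpdump -n style (addresses are documentation ranges)
SAMPLE_CAPTURE = """\
12:00:00.000001 203.0.113.7.500 > 198.51.100.2.500: isakmp v1.0 exchange ID_PROT
12:00:00.250000 203.0.113.7.4500 > 198.51.100.2.4500: [udpencap] isakmp v1.0 exchange QUICK_MODE
12:00:00.500000 esp 203.0.113.7 > 198.51.100.2 spi 0x0a1b2c3d seq 1 len 116
12:00:00.750000 (authentic,confidential): SPI 0x0a1b2c3d: 203.0.113.7.1701 > 198.51.100.2.1701: l2tp
"""

# "a.b.c.d.port > a.b.c.d.port" as printed by tcpdump -n for UDP
UDP_FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")
PORT_STAGE = {"500": "ike", "4500": "nat-t", "1701": "l2tp"}


def classify(line):
    """Map one capture line to a stage name, or None if it is unrelated."""
    m = UDP_FLOW.search(line)
    if m:
        for port in (m.group(2), m.group(4)):
            if port in PORT_STAGE:
                return PORT_STAGE[port]
        return None
    if re.search(r"\besp\b", line, re.IGNORECASE):
        return "esp"
    return None


def last_stage(lines):
    """Return (stage, advice): the furthest stage seen and what to check next."""
    furthest = None
    for line in lines:
        stage = classify(line)
        if stage and (furthest is None or STAGES.index(stage) > STAGES.index(furthest)):
            furthest = stage
    return furthest, NEXT_STEP[furthest]


if __name__ == "__main__":
    stage, advice = last_stage(SAMPLE_CAPTURE.splitlines())
    print("last stage seen: %s\n%s" % (stage, advice))
```

Pipe a capture of the egress interface and of enc0 into it (for example by reading stdin instead of SAMPLE_CAPTURE); a session that stops at "ike" points at the IKE phase 1 exchange, one that stops at "esp" points at L2TP not arriving on enc0.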
Client
Both OSX and Win7 offer to route ALL traffic via the VPN tunnel. Usually no one wants this, so one has to disable it and set up routing manually. Until then DNS resolution will not work; for instance, I would not be able to reach my internal 192.168.78.123. I use OSX, so I'll cover how to set up routing once the VPN is established. Basically we need a helper script. OSX runs it automatically, but on Win7 it has to be executed with administrative permissions.
    [root@grey] [/etc/ppp] $ cat /etc/ppp/ip-up
    #!/bin/sh
    # Run by pppd once the PPP link (ppp0) is up: add the route for the
    # network behind whichever VPN gateway we are connected to.
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    export PATH

    HOME_GW="192.168.80.1"
    HOME_NET="192.168.78.0/25"
    OFFICE_GW="172.17.0.1"
    OFFICE_NET="172.16.0.0/21"
    NET=""

    # The peer address is the 4th field of the "inet" line of ifconfig ppp0
    GW_FROM_L2TP=`ifconfig ppp0 | grep inet | awk '{print $4}'`

    if [ "$GW_FROM_L2TP" = "$OFFICE_GW" ]
    then
        NET=$OFFICE_NET
    fi
    if [ "$GW_FROM_L2TP" = "$HOME_GW" ]
    then
        NET=$HOME_NET
    fi

    # Unknown gateway: add nothing rather than calling route with an empty argument
    [ -n "$NET" ] || exit 0

    route -qn add $NET -interface ppp0
That's it. I'd like to thank all developers working on OpenBSD, making it polished and good looking!
Special thanks to Yasuoka Masahiko (yasuoka@) for his technical review of this submission. It should be noted, however, that there is a planned change to the npppd() configuration, which will quickly deprecate these instructions. When that time comes, we hope to provide information concerning the migration of your npppd() configurations.
Re: L2TP/IPSec with OpenBSD and npppd (mod -2/4) by Anonymous Cowbell (anon) (M8R-2m2huq@mailinator.com) on Fri Apr 27 13:52:05 2012 (GMT)
"cd /usr/src/usr.sbin/npppd && make depend && make && make install" This should have 'make obj' in it too.
Re: L2TP/IPSec with OpenBSD and npppd (mod 0/6) by sneaker (sneaker) (sneaker@noahpugsley.net) on Fri Apr 27 15:40:27 2012 (GMT) Wow, I was just 2 weeks ago having trouble finding info on exactly this setup. Thanks!
His name (mod 0/6) by Tamotsu (tamo) on Fri Apr 27 21:42:38 2012 (GMT) http://tamo.tdiary.net/ typo: s/Masohiko/Masahiko/ according to his site: http://yasuoka.net/
Re: His name (0/2) by tbert on Mon Apr 30 11:20:00 2012 (GMT)