This repository has been archived on 2020-07-15. You can view files and clone it, but cannot push or open issues or pull requests.
tutes-dump/site-tutorials/PPTP.html
2020-07-11 10:24:46 +00:00

<html>
<head>
<title>Connecting to the SDF VPN with PPTP</title>
</head>
<body>
<h1>Connecting to the SDF VPN with PPTP</h1>
<h2>Contents</h2>
<ul>
<li><a href="#overview">Overview</a></li>
<li><a href="#setup">Setting it up</a></li>
<li><a href="#xp">Connecting in Windows XP</a></li>
<li><a href="#vista">Connecting in Windows Vista</a></li>
<li><a href="#linux">Connecting in Linux</a></li>
<li><a href="#freebsd">Connecting in FreeBSD</a></li>
<li><a href="#osx">Connecting in Mac OS X</a></li>
<li><a href="#ipad">Connecting On An iPad</a></li>
<li><a href="#wrapup">The Wrap-up</a></li>
</ul>
<h2 id="overview">Overview</h2>
<p>The Virtual Private Network (VPN) provided by SDF has a number of uses. The most beneficial of these is to allow confidential communication over a public network. Basically, the SDF VPN will allow you (once routing is enabled) to communicate securely over an insecure connection such as a public Wireless Fidelity (Wi-Fi) network.</p>
<p>The major benefit of this over SSH forwarding/tunneling is that it is much easier to configure and automatically tunnels <b>all</b> connections leaving your computer, and not just those specifically configured for forwarding. Some may see this as a negative aspect of the VPN, however.</p>
<h2 id="setup">Setting it up</h2>
<p>The SDF VPN is quite easy to set up. You must first choose a VPN plan that is right for you, based on assumed bandwidth usage. Pricing and more package information is available through the shell by typing '<b>vpn</b>' without the quotes.</p>
<p>Once you've been added to the VPN membership level (you'll receive an email notification of this), you must set up your VPN access by typing '<b>setvpn</b>' in the shell, without quotes. This will allow you to configure your VPN secret (password) for connecting.</p>
<p>You should make note of the VPN's IP address when setting up your secret.</p>
<p>Once you've configured your VPN account, it's time to connect. Continue reading below for step-by-step instructions on connecting to the VPN.</p>
<h2 id="xp">Connecting in Windows XP</h2>
<ol>
<li>Open the Windows Control Panel.</li>
<li>Open the Network Connections item in Control Panel. Generally you would click the "<b>Network and Internet Connections</b>" option, then click "<b>Network Connections</b>". A list of existing dial-up and LAN connections will be displayed.</li>
<li>Click on the "<b>Create a new connection</b>" option from the left-hand side of the window. The Windows XP New Connection Wizard will come up.</li>
<li>Click the "<b>Next</b>" option to begin the wizard. Then choose the "<b>Connect to the network at my workplace</b>" option from the list and click "<b>Next</b>".</li>
<li>On the Network Connection page of the wizard, choose the "<b>Virtual Private Network connection</b>" option and click "<b>Next</b>".</li>
<li>Choose a name for this connection on the "<b>Connection Name</b>" screen. Windows will use this to reference the VPN connection.</li>
<li>Choose an option on the "<b>Public Network</b>" screen and click "<b>Next</b>". The default option, "<b>Automatically dial this initial connection</b>" can be used if the VPN connection will always be initiated when the computer is not already connected to the Internet. Otherwise, choose the "<b>Do not dial the initial connection</b>" option. This requires that the public Internet connection be established first, before this new VPN connection will be initiated. <b>Choose this option.</b></li>
<li>Enter the IP address for the VPN on the "<b>VPN Server Selection</b>" screen. This is obtained via the '<b>setvpn</b>' command (without quotes) in the shell.</li>
<li>Choose an option on the "<b>Connection Availability</b>" screen and click "<b>Next</b>". The default option, "<b>My Use Only</b>", ensures that Windows will make this VPN connection available only to the user that is currently logged in to the computer. If you don't want this, select the "<b>Anyone's use</b>" option.</li>
<li>Click "<b>Finish</b>" to complete the wizard. You may wish to select the option to create a desktop shortcut for easy access. The information for the VPN connection will be saved for current and/or future use.</li>
</ol>
<h2 id="vista">Connecting in Windows Vista</h2>
<p>Connecting to the VPN is slightly different in Windows Vista. Please use these instructions to connect to SDF's VPN through Vista.</p>
<ol>
<li>Click on the "<b>Start</b>" button and then choose "<b>Connect to</b>".</li>
<li>Click on the "<b>Set up a connection or network</b>" option on the window that follows. It's near the bottom.</li>
<li>On the window that comes up, scroll down and click on the "<b>Connect to a workplace</b>" option. Then click "<b>Next</b>".</li>
<li>A question asking "<b>Do you want to use a connection you already have?</b>" may appear. Select "<b>No, create a new connection.</b>" if it does and then click "<b>Next</b>".</li>
<li>Next you'll be asked "<b>How do you want to connect?</b>" Select "<b>Use my Internet connection (VPN)</b>".</li>
<li>You'll then be asked for the Internet address. Enter the address you noted when running '<b>setvpn</b>' (without quotes) in the SDF shell.</li>
<li>Enter a name for this VPN connection in the "<b>Destination name:</b>" field. This is how Windows Vista will reference the VPN.</li>
<li>If you don't want to connect immediately, check the "<b>Do not connect now; just set it up so I can connect later.</b>" option.</li>
<li>Do not check the "<b>Use a smart card.</b>" option.</li>
<li>When finished, click "<b>Next</b>".</li>
<li>You'll then configure the username and password needed to authenticate to the VPN. The username is your SDF username and the password is the secret you set up via the '<b>setvpn</b>' command in the shell.</li>
<li>Leave the "<b>Domain</b>" field blank.</li>
<li>Click the "<b>Create</b>" button once you are done. You should then see a window pop up saying that "<b>The connection is ready to use.</b>" Click on "<b>Close</b>".</li>
</ol>
<h2 id="linux">Connecting in Linux</h2>
<ol>
<li>Make sure PPP and PPTP are installed. This can be accomplished in Debian or Ubuntu by entering '<b>sudo apt-get install pptp-linux</b>' into a terminal.</li>
<li>Create a file named sdfpptp in /etc/ppp/peers by entering '<b>sudo gedit /etc/ppp/peers/sdfpptp</b>'. Replace gedit with your choice of text editor. Add the following to the file: (Be sure to replace <b><i>username</i></b> with your username.)<br><br>
Note: Make sure to replace <b><i>IP Address</i></b> with the IP address/hostname provided when running '<b>setvpn</b>' in the shell.<br>
<pre>
remotename sdfpptp
linkname sdfpptp
ipparam sdfpptp
pty "pptp --loglevel 0 <b><i>IP Address</i></b> --nolaunchpppd"
name <b><i>username</i></b>
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
require-mppe
nomppe-stateful
require-mppe-128
nomppe-40
noauth
nodetach
lock
bsdcomp 9,15
deflate 9,15
idle 0
</pre>
<li>Save the file.</li>
<li>Edit /etc/ppp/chap-secrets by entering '<b>sudo gedit /etc/ppp/chap-secrets</b>'. Add the line <b><i>username</i> sdfpptp <i>password</i> *</b> replacing <i>username</i> and <i>password</i> with your SDF username and your password set by <b>'setvpn'</b>.</li>
<li>Make sure a specific route to the VPN exists. Run '<b>sudo route add <i>VPN-IP</i> gw <i>GW-IP</i></b>' replacing <b><i>VPN-IP</i></b> with the IP address/hostname provided when running '<b>setvpn</b>', and replace <b><i>GW-IP</i></b> with your gateway IP address. If you do not know the IP address of your gateway, enter '<b>route</b>'. It is the gateway IP next to the destination <b>default</b>.</li>
<li>Enter '<b>sudo pppd call sdfpptp</b>' into a terminal. Wait for it to show the local and remote IP addresses. You should now be connected. Do not close the terminal until you are ready to disconnect.</li>
<li>Open another terminal. Enter '<b>sudo route add -net 192.94.73.0/24 dev ppp0</b>'. This will route all your connections to SDF through the VPN.</li>
</ol>
<div style="margin-left: 40px;">Alternatively to steps 5 and 6, you might use a wrapper script like this:<br>
<pre>
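#!/bin/bash
# Replace with the address shown by 'setvpn'
SDFVPNHOST=<b><i>IP Address</i></b>
# Current route to the VPN host, looked up before the tunnel is up
RT=$(ip route get "$SDFVPNHOST" | head -1)
# Pull the outgoing device and (if any) the next-hop gateway out of that route
DEV=$(echo "$RT" | awk '{for (i = 1; NF > i; i++) if ($i == "dev") {print $(i+1); exit}}')
VIA=$(echo "$RT" | awk '{for (i = 1; NF > i; i++) if ($i == "via") {print $(i+1); exit}}')
# Pin a host route so packets to the VPN server itself stay off the tunnel
ip route add "$SDFVPNHOST" ${VIA:+via "$VIA"} dev "$DEV"
ip route add "$SDFVPNHOST" ${VIA:+via "$VIA"} dev "$DEV" table sdftun
# Runs in the foreground until the VPN is stopped
pppd call sdfpptp
# Remove the host routes again
ip route del "$SDFVPNHOST" ${VIA:+via "$VIA"} dev "$DEV"
ip route del "$SDFVPNHOST" ${VIA:+via "$VIA"} dev "$DEV" table sdftun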
</pre>
This automatically detects the default gateway and adds appropriate routes, starts the VPN and deletes the routes after VPN has been
stopped. If you do not use a custom routing table dedicated to the SDF VPN you should delete the lines ending in "table sdftun".<br>
</div>
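<p>An added example, not part of the original tutorial: a small audit of the peer file and chap-secrets entry created in the steps above. It checks that the authentication and encryption options from the peer file are all present, that chap-secrets has a line matching the peer file's <i>name</i> and <i>remotename</i>, and that the secrets file is not readable by other users. The function names and the sample user and secret are constructed for illustration.</p>

```shell
#!/bin/bash
# Added example: audit the pppd peer file and chap-secrets from the steps above.

# Authentication/encryption options set in the tutorial's sdfpptp peer file.
REQUIRED_OPTS="refuse-eap refuse-pap refuse-chap refuse-mschap require-mppe-128 nomppe-40 nomppe-stateful"

# Print the argument of a one-argument option such as "name" or "remotename".
peer_opt_value() {   # usage: peer_opt_value PEERFILE OPTION
    awk -v want="$2" '{ sub(/#.*/, "") } $1 == want { print $2; exit }' "$1"
}

# Print each required option that is absent from the peer file (comments ignored).
missing_peer_opts() {   # usage: missing_peer_opts PEERFILE
    local opt
    for opt in $REQUIRED_OPTS; do
        awk -v want="$opt" '{ sub(/#.*/, "") } $1 == want { f = 1 } END { exit !f }' "$1" \
            || echo "$opt"
    done
}

# Succeed if chap-secrets has a line for the peer file's name/remotename pair
# (pppd looks the secret up by client name and server name; "*" matches any server).
secret_matches_peer() {   # usage: secret_matches_peer PEERFILE SECRETSFILE
    local user server
    user=$(peer_opt_value "$1" name)
    server=$(peer_opt_value "$1" remotename)
    [ -n "$user" ] && [ -n "$server" ] || return 1
    awk -v u="$user" -v s="$server" '
        { sub(/^[ \t]*#.*/, "") }
        $1 == u && ($2 == s || $2 == "*") { f = 1 }
        END { exit !f }' "$2"
}

# Succeed only if group and others have no access to the secrets file.
secrets_private() {   # usage: secrets_private SECRETSFILE
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed sample files (hypothetical user "alice", not real credentials).
demo_dir=$(mktemp -d)
printf '%s\n' 'remotename sdfpptp' 'name alice' 'refuse-eap' 'refuse-pap' \
    'refuse-chap' 'require-mppe-128' 'nomppe-40' > "$demo_dir/sdfpptp"
printf '%s\n' '# client server secret IP' 'alice sdfpptp example-secret *' \
    > "$demo_dir/chap-secrets"
chmod 644 "$demo_dir/chap-secrets"
echo "missing options: $(missing_peer_opts "$demo_dir/sdfpptp" | tr '\n' ' ')"
secret_matches_peer "$demo_dir/sdfpptp" "$demo_dir/chap-secrets" \
    && echo "chap-secrets entry matches name/remotename" \
    || echo "no chap-secrets entry for this peer"
secrets_private "$demo_dir/chap-secrets" \
    || echo "chap-secrets is readable by group/other: chmod 600 it"
rm -rf "$demo_dir"
```

<p>To audit a real setup, call the functions as root with /etc/ppp/peers/sdfpptp and /etc/ppp/chap-secrets instead of the sample files.</p>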
<h3>GUI Setup With NetworkManager</h3>
<p>
Any of the newer Linux distros that use
NetworkManager (Debian, Ubuntu, Fedora, etc.) on their
default desktops have a GUI interface to PPTP VPN
configuration. You'll need to install a package to get
this capability (although this now seems to be included in the
latest Ubuntu 10.10 release):
</p>
<p>Fedora:</p>
<pre>
yum install NetworkManager-pptp
</pre>
<p>Debian/Ubuntu:</p>
<pre>
apt-get install network-manager-pptp
</pre>
<p>
Once installed, restart the NetworkManager service
(<span style="font-style:italic;">/etc/init.d/NetworkManager
restart</span>) and left-click on the network
manager icon in your
taskbar. Highlight <span style="font-weight:bold;">VPN
Connections</span> and click
on <span style="font-weight:bold;">Configure
VPN</span>:
</p>
<p align="center">
<img src="tutorials/images/vpn1.png" alt="Network Manager - Overview Settings">
<br />
<img src="tutorials/images/vpn4.png" alt="Network Manager - VPN Settings Overview">
</p>
<p>
Click on
the <span style="font-weight:bold;">Add</span>
button, and
choose <span style="font-weight:bold;">Point-to-Point
Tunneling Protocol (PPTP)</span>, then click
<span style="font-weight:bold;">Create</span>. Fill out the <span style="font-weight:bold;">User
name</span>, <span style="font-weight:bold;">Password</span>
and <span style="font-weight:bold;">Gateway</span>
fields with appropriate values
(<a href="#setup">from when you
ran <span style="font-style:italic;">setvpn</span></a>):
</p>
<p align="center">
<img src="tutorials/images/vpn2.png" alt="Network Manager Settings - VPN Settings Detail">
</p>
<p>
Now click on
<span style="font-weight:bold;">Advanced</span>:
</p>
<p align="center">
<img src="tutorials/images/vpn3.png" alt="Network Manager Settings - Advanced VPN Details">
</p>
<p>
Under
<span style="font-weight:bold;">Authentication</span>, <span style="font-weight:bold;">de-select
all the methods except MSCHAPv2</span>. Then select
<span style="font-weight:bold;">Use Point-to-Point Encryption (MPPE)</span> and choose
<span style="font-weight:bold;">128-bit (most
secure)</span> in
the <span style="font-weight:bold;">Security</span>
dropdown. Click <span style="font-weight:bold;">OK</span>, then <span style="font-weight:bold;">Apply</span>
and close all other configuration dialogs. Now when
you left-click on the network manager icon, you
should have your PPTP VPN listed
under <span style="font-weight:bold;">VPN
Connections</span>. Just select it and wait. If it
is successful, you'll see a little lock icon appear
over the usual network manager icon. If not, check
your system log for errors. This will
be <span style="font-style:italic;">/var/log/messages</span>
or <span style="font-style:italic;">/var/log/syslog</span>,
depending on your distro.
</p>
<h3>A Note on Routing</h3>
<p>
If you use network manager, all traffic will be
routed through the PPTP VPN for you once you are
connected. If that's not what you want, you can
click on <span style="font-weight:bold;">IPV4
Settings</span> and
then <span style="font-weight:bold;">Routes</span>
to have simple static routes added for you
automatically when the VPN connects. You can also
check <span style="font-weight:bold;">Use this
connection only for resources on this
network</span>, which in our case means only
connections to SDF hosts will be encrypted.
</p>
<p align="center">
<img src="tutorials/images/vpn5.png" alt="Network Manager Settings - Add Routes">
</p>
<h2 id="freebsd">Connecting in FreeBSD</h2>
<ul>
<li>Install <span style="white-space: pre; font-family: monospace;">mpd4</span> from ports or packages.
<li>Add the following section to your <span style="white-space: pre; font-family: monospace;">/usr/local/etc/mpd4/mpd4.conf</span>:
<span style="white-space: pre; font-family: monospace;">
sdfvpn:
new -i ng1 sdfvpn sdfvpn
set iface disable on-demand
set iface idle 0
# disconnect the client after 8 hours
set iface session 28800
set iface route 10.0.0.0/24
set iface route default
set bundle disable multilink
set auth authname "USERNAME"
set auth password "PASSWORD"
set link yes acfcomp protocomp
set link no eap
set link no pap
set link accept chap
set link mtu 1460
set link keep-alive 10 75
set ipcp yes vjcomp
set ipcp ranges 0.0.0.0/0 &lt;local address of SDF's VPN host&gt;
set ipcp yes req-pri-dns req-sec-dns
#
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
#
set bundle yes compression
set ccp yes mppc
set ccp yes mpp-compress
set ccp yes mpp-e128
#set bundle accept crypt-reqd
set ccp yes mpp-stateless
open
</span>
<li>You will have to replace three (3) things in this config:
<ol>
<li>Your USERNAME
<li>Your PASSWORD
<li>The local address of SDF's VPN host. This can be found in <span style="white-space: pre; font-family: monospace;">/etc/hosts</span> on SDF. The local IP will start with 10.0.0, but have the same last octet as the public IP.
</ol>
<li>Add this in your <span style="white-space: pre; font-family: monospace;">/usr/local/etc/mpd4/mpd4.links</span> file:
<span style="white-space: pre; font-family: monospace;">
sdfvpn:
set link type pptp
set pptp peer &lt;public address of SDF's VPN host&gt;
set pptp enable originate outcall
set pptp disable incoming
</span>
<li>You will have to replace one (1) thing in this config:
<ol>
<li>The public address of SDF's VPN host. You can get this by running <span style="white-space: pre; font-family: monospace;">setvpn</span> at the shell.
</ol>
<li>Now, as root, run <span style="white-space: pre; font-family: monospace;">mpd4 sdfvpn</span>.
<li>You should now be connected to SDF over a layer 3 tunnel across the Internet.
<li>Your new routes are only for SDF's hosts, and use their internal IP addresses. These are the 10.0.0.x ones. I'm working on how to route to the public ones over the VPN without creating a routing loop to the VPN host. I copied SDF's /etc/hosts file to my machine so that I can run 'ssh sdf1' to connect through the tunnel.
</ul>
<h2 id="osx">Connecting in Mac OS X</h2>
<ol>
<li>Open /Applications/Internet Connect.app</li>
<li>Click on the <b>VPN</b> button.</li>
<li>Click on the Configuration dropdown and go to "<b>Edit Configurations...</b>"</li>
<li>Press the <b>+</b> button at the bottom left of the window to add a configuration.</li>
<li>Under "<b>Description</b>" put whatever you want. SDF VPN is a good choice.</li>
<li>Under "<b>Server Address</b>", enter the IP address for the VPN. This is obtained via the '<b>setvpn</b>' command (without quotes) in the shell.</li>
<li>Under Username put your SDF username; the password is the secret
you set up via the '<b>setvpn</b>' command in the shell.</li>
<li>Choose "<b>Automatic</b>" encryption.</li>
<li>Click "<b>OK</b>".</li>
<li>Then, whenever you want to connect you can return to this <b>Internet Connect Application</b> and go to the VPN, choose the SDF VPN and click connect. Optionally, you can click "<b>Show VPN status in the menu bar</b>" and you can connect to the VPN from the menu bar icon.</li>
</ol>
<h2 id="ipad">Connecting On An iPad</h2>
<ol>
<li>Log into SDF and run the 'setvpn' command.
<li>Hit 'p' to set up your password.
<li>Enter your password twice. The password must be 14 characters or less, and ideally should contain letters, numbers, upper and lower case, and a special symbol, though there are no actual complexity requirements.
<li>After you have set up your password, the setvpn wizard will tell you what IP address to connect to. It will be 192.94.73.X. Write this whole IP address down. You will need it in a later step.
<li>Hit 'q' to exit the configuration.
<li>Turn on your iPad and go to the Settings.
<li>Go into the Network subsection.
<li>Go into the VPN subsection. This will bring up the 'Add Configuration' window.
<li>Select "PPTP" at the top.
<li>In the Description field, label this connection something useful to identify it, such as 'SDF VPN'.
<li>In the 'Server' field, put in the IP address that you wrote down earlier.
<li>In the 'account' field, put your SDF user name.
<li>In the 'Password' field, put the password that you set up while running the setvpn wizard in the steps above. This will cause the iPad to remember your password for you. If you wish to type it in each time you connect, leave this field blank.
<li>Set the encryption level to 'Maximum'.
<li>Leave the 'Send All Traffic' slider set to 'On', unless you specifically want to (and know how to) set up VPN usage in individual applications.
<li>Hit the 'Save' button at the top.
<li>To turn on VPN, slide the VPN slider to 'On' for the connection called SDF and open the browser. Connect to http://whatsmyip.org and verify the IP address it shows as your source.
</ol>
<h2 id="wrapup">The wrap-up</h2>
<p>Now that you have your VPN configured to connect, make sure that you don't forget to use it! Using the VPN while connected through a public access network (or even your home network!) will tunnel all connections through SDF and out to the Internet (once routing is enabled). Please make sure to use the VPN responsibly, as all actions and activity will be traced back to SDF.</p>
<p>Enjoy!</p>
<hr>
$Id: PPTP.html,v 1.2 2011/06/15 15:51:32 avoyager Exp $
</body>
</html>