Date posted: 11-Jan-2016
Transcript
Page 1: VPN using SSH

VPN using SSH

Implementing a secure Unix to Unix Virtual Private Network

Gary Stainburn

Ringways Garages Ltd.

Page 2

Andrew's Talk

• Excellent talk covering theory and history

• Implemented pptp - the most common use of VPN

• However, my way is better.

Page 3

Ssh is better, why?

• No kernel patching: ssh, the port redirector and pppd all run in user space, so keeping the VPN secure means keeping ordinary packages up to date.

• True Unix to Unix connection.

• Better for LAN to LAN.

• Modular
  – ssh (zlib, ssl, ssh)
  – port redirector
  – pppd

Page 4-5

Why VPN

• Look at an APN.
  – Existing Ringways APN (a.k.a. WAN)

Page 6

Proposed Internet Link

• Ringways were looking for an internet link

Page 7

Suggested VPN

• Suggested replacing existing lines with:

Page 8

Actually Went With

Page 9-10

What if we grow?

Page 11

Definitely VPN

Page 12

Points to Consider

• APN
  – Cost of line vs benefits received
  – Who meets the costs?

• VPN
  – No cost if the link is already available
  – Split the cost if not already available

Page 13

Implications

• Lower costs = more uses

• More uses = more connections

• More connections = more access points

Page 14

Security

• Firewall - one point of access

• Multiple access points

• Weakness in the remote end - Win95?

• Other people administering

• Treat VPN users as notebook users

Page 15

Security - Server

• When planning to set up a VPN server
  – Needs public access
  – Can be behind a firewall - ssh works over NAT
  – Preferably no other access
  – Can be on the firewall

Page 16

So, how's it work?

• Uses an existing unsecured network

• Runs an ssh session over that connection

• Redirects a pppd session over it.

Page 17

Ssh - So, what do I need?

• For RedHat 6 systems:
  – zlib-1.1.3-6.i386.rpm - already installed
  – openssl-0.9.5a.i386.rpm
  – openssh-2.1.1p2-1.i386.rpm
  – openssh-clients-2.1.1p2-1.i386.rpm
  – openssh-server-2.1.1p2-1.i386.rpm
  – pppd

Page 18

Ssh - So, what do I need?

• For everything else:
  – zlib-1.1.3.tar.gz - ftp://ftp.cdrom.com/pub/infozip/zlib
  – openssl-0.9.5a.tar.gz - http://www.openssl.org
  – openssh-2.1.1p2.tar.gz - http://www.openssh.com
  – pppd

Page 19

Ssh - So what do I do?

• For RedHat 6 systems:
  – rpm -i openssl-0.9.5a.i386.rpm
  – rpm -i openssh-2.1.1p2-1.i386.rpm
  – rpm -i openssh-clients-2.1.1p2-1.i386.rpm
  – rpm -i openssh-server-2.1.1p2-1.i386.rpm

Page 20

Ssh - So what do I do?

• For everything else:
  – untar zlib-1.1.3.tar.gz
  – ./configure
  – make
  – make test
  – make install

Page 21

Ssh - So what do I do?

• For everything else:
  – untar openssl-0.9.5a.tar.gz
  – ./config
  – make
  – make test
  – make install

Page 22

Ssh - So what do I do?

• For everything else:
  – untar openssh-2.1.1p2.tar.gz
  – ./configure
  – make
  – make install

Page 23

Ssh - So what do I do?

• As root run:
  – ssh-keygen

• This creates the .ssh directory.

• This contains the private and public keys.

• Create authorized_keys from the public key.

Page 24

Ssh - So what do I do?

• Copy identity.pub from the client machine to the server machine
  – Client = makes the call
  – Server = receives the call

• Append this file to /root/.ssh/authorized_keys (this root key is only for the connectivity test on the next slide; the tunnel itself logs in as the dedicated vpnusers account set up later, so remove the root entry once the test passes)

• Make sure sshd is running on the server

Page 25

Ssh - How do I test it

• On the client
  – ssh <servername>

• If you have done everything correctly you should now have an ssh session open and the command prompt of the server machine on-screen.

Page 26

So what's next - Server

• Edit /etc/ppp/options to include:
  – ipcp-accept-local
  – ipcp-accept-remote
  – proxyarp
  – noauth (no PPP-level authentication: the peer has already been authenticated by its ssh key before pppd ever starts, so PAP/CHAP would add nothing)

Page 27

So what's next - Server

• Create a vpnusers group and user
  – add group vpnusers to /etc/group
    • vpnusers:*:504:
  – add user vpnusers to /etc/passwd, with the group's gid and pppd as its login shell
    • vpnusers:*:504:504:VPN User:/home/vpnusers:/usr/sbin/pppd
  – mkdir /home/vpnusers
  – chown vpnusers:vpnusers /home/vpnusers

• The login shell is pppd running as this unprivileged account, so pppd must be setuid root or it cannot create the ppp interface.

Page 28

So what's next - Server

• Create the /home/vpnusers/.ssh directory

• Create the file .ssh/authorized_keys

• Add the public keys of everyone who needs access.

• Both the directory and the file must be owned by vpnusers and not writable by group or others, otherwise sshd's StrictModes check ignores the file and the key login fails.
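The server-side setup on pages 26 to 28 is done by hand, and two of its details fail silently when wrong: a passwd entry whose gid does not match the group, and a pppd that is not setuid root. The following preflight script is an added example (not from the original slides or the vpnd package) that checks the options file, the pppd-as-shell account and the pppd binary; the file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example: preflight checks for the server side of the ssh/pppd VPN.
# Verifies what pages 26-28 set up by hand. Defaults point at the real
# system files; every function also takes a path so it can be run on copies.

# The four options the slides put in /etc/ppp/options.
REQUIRED_PPP_OPTIONS="ipcp-accept-local ipcp-accept-remote proxyarp noauth"

# $1 = options file. Returns 1 naming the first option that is missing.
check_ppp_options() {
    opts="$1"
    for opt in $REQUIRED_PPP_OPTIONS; do
        # grep -x: whole-line match, so "noauth" is not satisfied by "noauthxyz"
        grep -qx "$opt" "$opts" || { echo "missing '$opt' in $opts" >&2; return 1; }
    done
    return 0
}

# $1 = passwd file, $2 = group file, $3 = account name (vpnusers).
# The login shell must be pppd and the account's gid must be the gid of
# the group with the same name, or the chown on the home directory and
# the key lookup end up referring to different principals.
check_vpn_account() {
    passwd="$1"; group="$2"; user="$3"
    entry=$(grep "^$user:" "$passwd") || { echo "no passwd entry for $user" >&2; return 1; }
    shell=${entry##*:}
    [ "$shell" = /usr/sbin/pppd ] || {
        echo "$user login shell is '$shell', expected /usr/sbin/pppd" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    ggid=$(grep "^$user:" "$group" | cut -d: -f3)
    [ -n "$ggid" ] || { echo "no group named $user in $group" >&2; return 1; }
    [ "$gid" = "$ggid" ] || {
        echo "$user has gid $gid but group $user is $ggid" >&2; return 1; }
    return 0
}

# $1 = path to pppd. Without the setuid bit pppd runs with only the
# vpnusers privileges and cannot bring up the ppp interface.
check_pppd_setuid() {
    [ -u "$1" ] || { echo "$1 is not setuid; it cannot run as a login shell for an unprivileged user" >&2; return 1; }
    return 0
}

# Run all three against the live system (or the paths given as $1..$5).
run_server_preflight() {
    check_ppp_options "${1:-/etc/ppp/options}" &&
    check_vpn_account "${2:-/etc/passwd}" "${3:-/etc/group}" "${4:-vpnusers}" &&
    check_pppd_setuid "${5:-/usr/sbin/pppd}"
}
```

Source the file and call `run_server_preflight` on the server after finishing page 28; a non-zero exit names the first thing to fix. The gid check is the one most worth keeping: the passwd line and the group line are typed separately and nothing else on the system complains when they disagree.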

Page 29

So what's next - Client

• As root run:
  – mkdir /root/.ssh
  – ssh-keygen -f /root/.ssh/identity.vpn -P ""
  – add the new file identity.vpn.pub to authorized_keys on the server.

• The empty passphrase is what lets the tunnel come up unattended, so this key is protected only by the client's root filesystem; limit what it can do on the server by prefixing its authorized_keys entry with options such as from= and no-port-forwarding.

Page 30

So what's next - Client

  – Get http://www.shinythings.com/vpnd/vpnd.tar.gz
  – Unpack it into /usr/local/vpn
  – Copy pty-redir to /usr/sbin

Page 31

So what's next - Client

• As root run:
  – pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpnusers curly >/tmp/vpn-device
  – sleep 10
  – /usr/sbin/pppd `cat /tmp/vpn-device`

• pty-redir runs ssh on a pseudo-terminal and prints that pty's name; -t makes the server allocate a tty so pppd gets one as its login shell, -e none turns off the escape character so binary PPP data passes untouched, BatchMode stops ssh prompting for a password if the key is rejected, vpnusers is the account from page 27 and curly is the server. The fixed sleep is a race: if ssh is slow or fails, pppd is started with an empty device name.
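Pages 28 to 31 describe the client bring-up and the authorized_keys entry it depends on. The script below is an added example (not from the original slides or the vpnd package) that turns those steps into something that fails loudly: it waits for pty-redir to hand back a device instead of sleeping a fixed ten seconds, and it generates the restricted authorized_keys line the server should hold for the passphrase-less identity.vpn key. The server name curly and account vpnusers come from the slides; the key path, the 15-second timeout and the client address used in the test are assumptions.

```shell
#!/bin/sh
# Added example: client-side bring-up for the ssh/pppd VPN on pages 28-31.
# Assumptions: server "curly", account "vpnusers" (from the slides), key
# path /root/.ssh/identity.vpn, and pty-redir on PATH as installed on page 30.

VPN_SERVER="${VPN_SERVER:-curly}"
VPN_USER="${VPN_USER:-vpnusers}"
VPN_KEY="${VPN_KEY:-/root/.ssh/identity.vpn}"
VPN_DEVICE_FILE="${VPN_DEVICE_FILE:-/tmp/vpn-device}"

# $1 = identity.vpn.pub from the client, $2 = address the client connects from.
# Prints the line to append to /home/vpnusers/.ssh/authorized_keys on the
# server. The options pin the key to that source address and forbid TCP,
# X11 and agent forwarding, so all the key can do is start the pppd shell.
restricted_key_line() {
    pubkey_file="$1"; client_addr="$2"
    key=$(head -n 1 "$pubkey_file" 2>/dev/null)
    [ -n "$key" ] || { echo "restricted_key_line: no key in $pubkey_file" >&2; return 1; }
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$client_addr" "$key"
}

# $1 = file pty-redir writes the pty name to, $2 = seconds to wait (default 15).
# Prints the device and returns 0 once a /dev/... path appears; returns 1
# on timeout, which is what an ssh connect or key failure looks like here.
wait_for_device() {
    file="$1"; timeout="${2:-15}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -s "$file" ]; then
            dev=$(cat "$file")
            case "$dev" in
                /dev/*) printf '%s\n' "$dev"; return 0 ;;
            esac
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Start ssh under pty-redir, wait for the pty name, then hand it to pppd.
# The slides' -c blowfish is left out: current OpenSSH releases no longer
# ship that cipher, and the default cipher list is the safer choice.
vpn_up() {
    : > "$VPN_DEVICE_FILE"
    pty-redir ssh -t -e none -o 'BatchMode yes' \
        -i "$VPN_KEY" -l "$VPN_USER" "$VPN_SERVER" > "$VPN_DEVICE_FILE"
    dev=$(wait_for_device "$VPN_DEVICE_FILE" 15) || {
        echo "vpn_up: no pty from ssh within 15s; check sshd and authorized_keys on $VPN_SERVER" >&2
        return 1
    }
    /usr/sbin/pppd "$dev"
}

# Usage: ./vpn-up.sh up   (with no argument the file only defines functions)
if [ "${1:-}" = up ]; then
    vpn_up
fi
```

Generate the server entry once with `restricted_key_line /root/.ssh/identity.vpn.pub <client address>` and append its output to the vpnusers authorized_keys; then `./vpn-up.sh up` replaces the three commands on page 31. Keeping pppd out of the picture until a real pty name has been read is the whole point: a failed ssh login then shows up as an error message rather than as a pppd that sits on nothing.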

Page 32

And Finally

• On the client and the server
  – Edit /etc/ppp/ip-up to add routes across the VPN
  – Edit /etc/ppp/ip-down to remove them afterwards.

• What's left
  – Modify the vpnd script to match your configuration, to make admin easier.
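The slide leaves "add routes across the VPN" to the reader. The hook below is an added example (not from the original slides or the vpnd package) of one file that serves as both /etc/ppp/ip-up and /etc/ppp/ip-down. pppd calls these scripts as `ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM`, and the example keys the routes on the negotiated remote address so that a link which came up against the wrong peer does not get the far LAN routed into it. The remote network 192.168.2.0/24, the expected peer address 10.0.0.1 and the use of ip(8) rather than route(8) are assumptions.

```shell
#!/bin/sh
# Added example: shared /etc/ppp/ip-up and /etc/ppp/ip-down hook.
# Install as /etc/ppp/ip-up and symlink /etc/ppp/ip-down to it; the script
# picks add or del from the name it was invoked as. pppd passes the
# interface as $1 and the remote (peer) address as $5.

# Far-side networks, one per line: "<expected peer address> <prefix>".
# The peer address is the one pppd negotiated for the other end (ipcp-accept-remote).
# Assumed values for illustration; set VPN_REMOTE_NETS to override.
VPN_REMOTE_NETS="${VPN_REMOTE_NETS:-10.0.0.1 192.168.2.0/24}"

# $1 = add|del, $2 = ppp interface, $3 = negotiated remote address.
# Prints each ip(8) command and runs it unless VPN_DRYRUN=1.
# A remote address that matches no entry yields no routes at all: better
# no connectivity than the LAN routed to an unexpected peer.
vpn_routes() {
    action="$1"; ifname="$2"; peer="$3"
    printf '%s\n' "$VPN_REMOTE_NETS" | while read -r want_peer prefix; do
        [ -n "$prefix" ] || continue
        [ "$want_peer" = "$peer" ] || continue
        cmd="ip route $action $prefix via $peer dev $ifname"
        echo "$cmd"
        [ "${VPN_DRYRUN:-0}" = 1 ] || $cmd
    done
}

# Dispatch on the hook name pppd invoked us as.
case "${0##*/}" in
    ip-up)   vpn_routes add "$1" "$5" ;;
    ip-down) vpn_routes del "$1" "$5" ;;
esac
```

Run it by hand first with `VPN_DRYRUN=1 ./ip-up ppp0 /dev/ttyp3 38400 10.0.0.2 10.0.0.1` to see the commands it would issue; the same file is needed on both ends, each listing the networks on the other side.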

Page 33

That's it.

• We're done, so what have we done
  – We've got ssh working
  – We've configured a server to receive calls
  – We've configured a client to make a call
  – We've routed traffic across the VPN
