Friday, June 28, 2013

How To: Install and configure Ubuntu PPTP VPN to access your private network.

This tutorial details how to configure a PPTP VPN server (aka pptpd) on Ubuntu to permit clients access to services on your network. This is known to work on versions 12.04 through 13.04.

A word about our WAN/LAN deployment:

We have multiple offices around the world and deploy Netgear VPN routers (FVS and the like) to provide our Intranet infrastructure. We needed the ability for people outside the office location to access our entire LAN/WAN when they connected to any VPN server.

pptpd itself hands an IP address to every connecting client (through the PPP link's IPCP negotiation, not through your LAN DHCP server), even if you already have a DHCP server on your LAN. Most instructions want you to use a completely separate sub-net for your VPN (pptpd) network. We found this tedious for our WAN/LAN environment, because every router then needs routes for the extra sub-net. We opted instead to hand out addresses from the same local sub-net the local DHCP server (a Netgear router) serves, reserving a block for pptpd so the two pools never overlap. This tutorial shows how we do it. Obviously you can improvise and modify to your needs.

We utilize the 10.0.0.0 network for our corporate Intranet infrastructure.

corporate: 10.0.0.0/8 (further sub-netted locally)
location01: 10.1.1.0/24
location02: 10.1.2.0/24
location03: 10.1.3.0/24
(and so on)

Our IP schema for our locations is typically:
10.1.x.1-9 is reserved for routers (.1 is usually the default gateway)
10.1.x.10-19 is reserved for computer servers
10.1.x.20-49 is reserved for other fixed appliances (printers, access-points, etc)
10.1.x.50-199 is reserved for local area network devices (assigned by DHCP)
10.1.x.200-254 is reserved for pptpd services (assigned by pptpd)

In this example, we will be configuring an Ubuntu 12.04 PPTP server for location03 (i.e. 10.1.3.0/24).

At this point, I will assume you have installed and configured Ubuntu and that your network (WAN/LAN) is properly configured and working. 

1) Install the pptpd (VPN) software
 
sudo apt-get install pptpd

2) Edit /etc/ppp/pptpd-options

2A) Define your DNS server(s).
Typically this will be your company's DNS servers. You should have at least one entry. These addresses are pushed to the client when its PPP link comes up (they are part of the PPP negotiation, not DHCP). Scroll down and find the sample ms-dns entries and modify accordingly, for example:

ms-dns 10.1.3.10 # Primary: Corporate/Local DNS server
ms-dns 10.1.3.1  # Secondary: Local LAN router as backup


Hint: We assign two DNS servers: One is directly to the local (or closest) company DNS server and the other is always the local router as a backup. The router usually is also pointed to our company DNS servers with a backup to a third party provider such as Google or OpenDNS.

2B) (Optional) Define a WINS server(s).
If you use WINS then you may want to define a WINS server. Like the DNS entries, these are pushed to the client when its PPP link comes up. Scroll down and find the sample ms-wins entry and modify accordingly:

ms-wins 10.1.3.11 # Primary: Corporate/Local WINS server

Warning! You should not use this option unless you know you have an operating WINS server running because assigning a non-functioning WINS address causes grief with some versions of Windows.

3) Edit /etc/pptpd.conf
Take special care, as this is where we define the IP addresses assigned to VPN clients when they connect. Note how we use the block we reserved at the top of the local sub-net; in this case it's 10.1.3.200-254. The server's own end of the tunnel takes the first address of the block and clients get the rest. At the end of this file we add (comments on their own lines):

# Local pptpd network interface (ppp0) ip address
localip 10.1.3.200
# Assigned to clients
remoteip 10.1.3.201-254

Because the clients sit on the same sub-net as the LAN, other LAN hosts reach them through proxy ARP on the server. The stock Ubuntu /etc/ppp/pptpd-options already has the "proxyarp" option enabled, so leave it in place; if you remove it, LAN hosts will not be able to answer VPN clients.
 

Hint: On some appliances (routers, servers, and such) you may need to carve the block of IP addresses you want to assign to your VPN clients out of the DHCP pool, so the DHCP server never hands one of them to a LAN device. See my IP schema at the top - notice that we carved out 200-254.

4) Edit /etc/ppp/chap-secrets
Note: We utilize LDAP for authentication. Configuring LDAP authentication is a lot more involved and we will not cover it here.

Out of the box this file is where you maintain your users and their passwords for PPTP connectivity, and you must maintain it by hand: pptpd does not consult the system accounts (PAM, LDAP) unless you add that integration yourself. The passwords are stored in clear text, so the file must stay owned by root with mode 600 (the package installs it that way; do not loosen it). Each line has four whitespace-separated fields:

[username] [service] [password] [permitted ip address]

Example entries:

jsmith pptpd 4Gt9jxVjSa *
jdoe pptpd ad9F9dfjZ *

NOTE: the password is cAsE sEnSiTiVe! The second field must match the "name pptpd" line in /etc/ppp/pptpd-options, and "*" in the last field lets the client take any address from the remoteip pool. If a username or password contains spaces or special characters, enclose it in double quotes.

5) Restart the pptpd service

You need to restart the pptpd service:

sudo service pptpd restart

6) Edit /etc/sysctl.conf

Most people get this far and then stumble: the client connects fine but cannot reach anything on the network. This is because IP forwarding is off by default in most Linux distros, so the server never passes packets between ppp0 and the LAN interface. Add or uncomment the following line in "/etc/sysctl.conf":

net.ipv4.ip_forward=1

To make this change effective now you need to reload the configuration by:

sudo sysctl -p
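Steps 2, 3, 4 and 6 above collected into one script, as an added example that is not part of the original post. It assumes the post's location03 addressing (10.1.3.x with the DHCP pool ending at .199), an optional ROOT prefix of my own invention so the script can be dry-run against a scratch directory before it touches /etc, and function names chosen for this example. It rewrites only the configuration keys it owns, so re-running it is safe, and it refuses a VPN pool that overlaps the DHCP range or contains the server's own address.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent site configuration
# for pptpd. The addresses, the ROOT prefix and the function names are
# assumptions for illustration.
set -u

ROOT="${ROOT:-}"          # e.g. ROOT=/tmp/pptp-dryrun writes under a scratch tree
SITE="10.1.3"             # location03 from the post's IP plan
DHCP_LAST=199             # last octet handed out by the LAN DHCP server
LOCALIP="$SITE.200"
REMOTEIP="$SITE.201-254"
DNS1="$SITE.10"; DNS2="$SITE.1"

# set_opt FILE KEY LINE...: drop every existing line for KEY (commented or
# not), then append the given lines verbatim. Running it twice gives the
# same file, so the script can be re-applied after edits.
set_opt() {
  f="$ROOT$1"; key="$2"; shift 2
  mkdir -p "$(dirname "$f")"; touch "$f"
  grep -vE "^#?[[:space:]]*$key([[:space:]=]|$)" "$f" > "$f.tmp" || true
  for line in "$@"; do printf '%s\n' "$line" >> "$f.tmp"; done
  mv "$f.tmp" "$f"
}

# pool_ok LOCALIP REMOTEIP DHCP_LAST: the client pool must sit above the
# DHCP range, stay inside the /24, and not contain the server's own address.
pool_ok() {
  lo=${1##*.}                        # last octet of localip
  range=${2##*.}                     # e.g. "201-254"
  first=${range%-*}; last=${range#*-}
  [ "$first" -gt "$3" ] && [ "$last" -le 254 ] && [ "$first" -le "$last" ] \
    && { [ "$lo" -lt "$first" ] || [ "$lo" -gt "$last" ]; }
}

# add_chap_secret USER PASSWORD: append a pptpd line to chap-secrets and keep
# the file root-only, since it holds cleartext passwords. Rejects duplicates
# and values that would break the whitespace-separated format.
add_chap_secret() {
  f="$ROOT/etc/ppp/chap-secrets"
  mkdir -p "$(dirname "$f")"; touch "$f"; chmod 600 "$f"
  case "$1$2" in *[[:space:]]*|*\"*)
    echo "no whitespace or quotes in user/password" >&2; return 1;; esac
  grep -qE "^\"?$1\"?[[:space:]]+pptpd[[:space:]]" "$f" \
    && { echo "user $1 already present" >&2; return 1; }
  printf '"%s" pptpd "%s" *\n' "$1" "$2" >> "$f"
}

# configure_site: the DNS, address pool and IP forwarding settings from the post.
configure_site() {
  pool_ok "$LOCALIP" "$REMOTEIP" "$DHCP_LAST" || { echo "bad VPN pool" >&2; return 1; }
  set_opt /etc/ppp/pptpd-options ms-dns "ms-dns $DNS1" "ms-dns $DNS2"
  set_opt /etc/pptpd.conf localip  "localip $LOCALIP"
  set_opt /etc/pptpd.conf remoteip "remoteip $REMOTEIP"
  set_opt /etc/sysctl.conf net.ipv4.ip_forward "net.ipv4.ip_forward=1"
}

# Real run on the server: sudo sh pptpd-site.sh apply
if [ "${1:-}" = "apply" ]; then
  configure_site && add_chap_secret jsmith 4Gt9jxVjSa \
    && sysctl -p && service pptpd restart
fi
```

To preview before touching the real files, source the script in a shell with ROOT set (for example `ROOT=/tmp/pptp-dryrun . ./pptpd-site.sh`), call configure_site and add_chap_secret by hand, and inspect the files under /tmp/pptp-dryrun/etc; the `apply` argument is the only path that writes to /etc and restarts the service.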

And that's it. Use a client to connect and test.

Linux client configuration:
  • only enable MSCHAPv2
  • DO use point-to-point encryption (MPPE), security ALL (the server side ships with require-mppe-128, so only 128-bit keys are actually negotiated)
  • DO use Allow stateful encryption
  • DO use Allow BSD data compression
  • DO use Allow Deflate data compression
  • DO use TCP header compression

Keep in mind what this setup does and does not protect. MS-CHAPv2 is the only authentication the server accepts, and its challenge/response can be recovered from a captured handshake by brute-forcing a single DES key (shown publicly in 2012, after which Microsoft advised moving PPTP users to PEAP or L2TP/IPsec), and MPPE derives its RC4 keys from the same credentials. Anyone who can sniff the tunnel can therefore, with that effort, recover the password and read the traffic. Use strong, unique per-user passwords, expose TCP port 1723 and GRE to as few networks as you can, and treat PPTP as convenient remote access rather than strong transport security.
