Outils pour utilisateurs

Outils du site


public:tutorial:vpnpppoverssh

VPN PPP over SSH

But le client initie une connexion ssh et monte une interface 'ppp0' sur le serveur. Le serveur NAT tout ce qui arrive sur cette interface sur le réseau local 'eth0' et tout se arrive sur l'interface eth0 vers ppp0.

Dans cette configuration :

  • le réseau lan est en 192.168.0.0/24
  • le réseau ppp est en 192.168.35.0/24
  • l'adresse 192.168.35.254 ne doit pas être utiliser par les clients (pas compris à quoi elle servait)

Installation

Les kernel doivent être compilé avec le support de PPP:

  • CONFIG_PPP: missing PPP support (REQUIRED)
  • CONFIG_PPP_ASYNC: missing asynchronous serial line discipline (optional, but highly recommended)
  • CONFIG_PPP_SYNC_TTY: missing synchronous serial line discipline (optional; used by 'sync' pppd option)
  • CONFIG_PPP_DEFLATE: missing Deflate compression (optional, but highly recommended)
  • CONFIG_PPP_BSDCOMP: missing BSD-Compress compression (optional, but highly recommended)
  • CONFIG_PPP_MPPE: missing MPPE encryption (optional, mostly used by PPTP links)
  • CONFIG_PPPOE: missing PPPoE support (optional, needed by rp-pppoe plugin)

net-dialup/ppp doit être installé sur les 2 machines.

Serveur

Sur le serveur, seules quelques règles iptables sont nécessaires :

#autorise les requetes du client VPN
$IPTABLES -A INPUT -s 192.168.35.0/24 -d 192.168.35.254 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.35.254 -d  192.168.35.0/24 -j ACCEPT

# NAT (LAN > VPN)
$IPTABLES -A FORWARD -i eth0 -o ppp0 -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT (VPN > VPN)
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Il faut egalement autorisé l'utilsateur 'vpn' a pourvoir lancer pppd avec les droit root et sans mot de passe via sudo.

Editer les droit sudo via 'visudo' et ajoutez :

vpn     ALL=(root)NOPASSWD:/usr/sbin/pppd

Clients

Le client doivent lancer ce script (/etc/init.d/vpnpppssh) :

#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

#PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
PPPD=${PPPD:-/usr/sbin/pppd}
SSH=${SSH:-/usr/bin/ssh}

depend() {
	need net
	after sshd
	use logger dns
}

start() {
	echo -n "Starting vpn to $SERVER_HOSTNAME: "
	#echo ${PPPD} updetach noauth passive pty \"${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -p ${SERVER_PORT} -l ${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth\" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
	${PPPD} updetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -p ${SERVER_PORT} -l ${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
	route add -net ${LAN_NETWORK} netmask ${LAN_NETMASK} gw ${SERVER_IFIPADDR} dev ppp0
	echo " vpn connected."
}

stop() {
	echo -n "Stopping vpn to $SERVER_HOSTNAME: "
	PID=`ps ax | grep "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -p ${SERVER_PORT} -l ${SERVER_USERNAME} -o" | grep -v ' passive ' | grep -v 'grep ' | awk '{print $1}'`
	if [ "${PID}" != "" ]; then
		kill $PID
	        echo "disconnected."
	else
	        echo "Failed to find PID for the connection"
	fi
}

restart() {
	stop
	start
}

et /etc/conf.d/vpnpppssh

# The host name or IP address of the SSH server that we are
# sending the connection request to:
SERVER_HOSTNAME=ceric35.net

# The TCP port used by sshd (usually 22)
SERVER_PORT=22

# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root.  (Any user
# that can use PPP can intitiate the connection on the client)
SERVER_USERNAME=vpn

# The VPN network interface on the server should use this address:
SERVER_IFIPADDR=192.168.35.254

# ...and on the client, this address:
CLIENT_IFIPADDR=192.168.35.1

# Lan behind vpn server uses this addresses:
LAN_NETWORK=192.168.0.0
LAN_NETMASK=255.255.255.0

# This tells ssh to use unprivileged high ports, even though it's
# running as root.  This way, you don't have to punch custom holes
# through your firewall.
LOCAL_SSH_OPTS="-P"

Sources

public/tutorial/vpnpppoverssh.txt · Dernière modification: 2014/06/07 11:30 (modification externe)