Tag Archive : vpn


There are cases where we want to create more than one VPN tunnel between a pair of hosts. This is possible, and it is what we discuss in this article.

Why Multiple Tunnels?

As the question goes, why?

With multiple tunnels, you could use each tunnel for a different purpose, achieving full isolation among traffic belonging to different tunnels. Depending on which tunnel traffic goes through, you could even apply different QoS or security policies to the underlying traffic.

Scenario

In this example, we will create two VPN tunnels between hosts Alice and Bob. We assume that Alice serves as the tinc VPN bootstrapping point, while Bob initiates the connection to Alice. The two VPNs created between Alice and Bob are named vpn1 and vpn2.

Configuration

In tinc, one tinc daemon can only manage one VPN. This means that if you want to create multiple tunnels between two hosts, you need to run one tinc daemon per VPN on each host.

For a basic setup, you can follow the configuration section of the article below.

Create VPN Configuration

Using the guide above, create two separate tinc VPNs named vpn1 and vpn2. If you follow the tinc configuration instruction, two sets of tinc configuration files will be stored in /etc/tinc/vpn1 and /etc/tinc/vpn2. Make sure to use two distinct tinc interface names (e.g., tun0, tun1) as well as two different subnets for these two VPNs.

Specifying Port

By default, tincd listens on port 655 for incoming connections, so we cannot run more than one tinc daemon with the default port setting. For the two VPNs vpn1 and vpn2, you can keep the default port for one VPN (e.g., vpn1), but you need to use another port for the other VPN (e.g., vpn2). Therefore, we need to configure a port number for vpn2 (in our scenario).

On both hosts alice and bob, append the following to /etc/tinc/vpn2/hosts/alice and /etc/tinc/vpn2/hosts/bob. The port number can be anything other than tinc’s default port number 655.

Port = 700

Make sure the port is available.

Starting tinc

Once tinc configurations are done, start two tinc daemons on each host as follows (using root privileges):

tincd --net=vpn1
tincd --net=vpn2
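Before starting several daemons it pays to confirm that the networks really are distinct. The POSIX shell script below is an added example, not code from the original article or from the tinc project: it reads a tinc config tree laid out as described above (/etc/tinc/<net>/tinc.conf and hosts/<Name>) and reports any Interface, Port or Subnet shared by two networks, treating an absent Port as tinc's default 655. The demonstration at the end builds a constructed copy of that layout in a temporary directory, so it runs without root or a tinc install.

```shell
# Added example, not from the original article: check that several tinc networks
# can coexist on one host, i.e. no two share an Interface, a listen Port (default
# 655) or a Subnet. Reads the tree under $TINC_ROOT (/etc/tinc on a real host).

# Print the value of "KEY = value" from a tinc-style config file (first match only).
tinc_get() { # tinc_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "interface port subnet" for network $1; an unset Interface shows as "unset".
tinc_summary() {
    dir="$TINC_ROOT/$1"
    name=$(tinc_get "$dir/tinc.conf" Name)
    iface=$(tinc_get "$dir/tinc.conf" Interface)
    port=$(tinc_get "$dir/hosts/$name" Port)
    printf '%s %s %s\n' "${iface:-unset}" "${port:-655}" "$(tinc_get "$dir/hosts/$name" Subnet)"
}

# Return 0 if the named networks can coexist; else report each shared value, return 1.
tinc_check_collisions() { # tinc_check_collisions NET...
    status=0
    for field in 1 2 3; do
        case $field in 1) label=Interface ;; 2) label=Port ;; 3) label=Subnet ;; esac
        dups=$(for n in "$@"; do tinc_summary "$n"; done | cut -d' ' -f"$field" | sort | uniq -d)
        for d in $dups; do
            echo "COLLISION: $label $d is used by more than one network" >&2; status=1
        done
    done
    return $status
}

# Constructed fixture mirroring the article: vpn1 on the default port, vpn2 with
# Port = 700 plus its own interface and subnet, and vpn3 whose Port was forgotten.
make_fixture() {
    TINC_ROOT=$(mktemp -d); export TINC_ROOT
    for spec in 'vpn1 tun0 10.0.0.1/32' 'vpn2 tun1 10.0.1.1/32 700' 'vpn3 tun2 10.0.2.1/32'; do
        set -- $spec
        mkdir -p "$TINC_ROOT/$1/hosts"
        printf 'Name = alice\nAddressFamily = ipv4\nInterface = %s\n' "$2" > "$TINC_ROOT/$1/tinc.conf"
        printf 'Address = 1.2.3.4\nSubnet = %s\n' "$3" > "$TINC_ROOT/$1/hosts/alice"
        if [ -n "${4:-}" ]; then printf 'Port = %s\n' "$4" >> "$TINC_ROOT/$1/hosts/alice"; fi
    done
}

make_fixture
tinc_check_collisions vpn1 vpn2 && echo "vpn1 vpn2: safe to start both daemons"
tinc_check_collisions vpn1 vpn2 vpn3 || echo "vpn1 vpn2 vpn3: resolve the collision first"
rm -rf "$TINC_ROOT"
```

On a real host, run it as TINC_ROOT=/etc/tinc tinc_check_collisions vpn1 vpn2 before the two tincd commands above.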

Install and Configure tinc VPN

December 9, 2015 | Article | 1 Comment

tinc is an open-source VPN daemon that uses tunnelling and encryption to create a secure private network between hosts on the internet. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others.

tinc comes with a number of powerful features not found in other VPN solutions. For example, tinc allows peers behind NAT to communicate with one another directly via the VPN, not through a third party. Other features include full IPv6 support and path MTU discovery. For a complete list, see the official tinc site.

Scenario

We will use a scenario to illustrate the case covered in this article.

We will set up a VPN connection between two hosts via tinc. Let’s call these hosts “Alice” and “Bob”. We also assume that Bob will initiate the VPN connection to host “alice”.

Installation

First, install tinc on both hosts.

Linux Package Manager Way

For Debian or its derivatives (Ubuntu, Linux Mint):

sudo apt-get install tinc

For Red Hat or its derivatives (Fedora, CentOS, Scientific Linux, etc.), set up the Repoforge repository first and then run:

sudo yum install tinc -y

Windows Way

For a Windows system (Windows XP/Vista/7/8), there is an installation file you can use. The latest version you can find is 1.0.22.

Download and run the installer file.

Mac OS Way

The recommended method to install tinc on Mac OS is the MacPorts port system. The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading command-line, X11 or Aqua based open-source software on the Mac OS X operating system. MacPorts is recommended because it does not modify your system files; it keeps itself separate from your system.

Xcode is a required prerequisite and must be installed before MacPorts. Download and install the MacPorts system from MacForge.

  • Xcode (requires a free online ADC membership); it can also be obtained from the original OS X installation DVD
  • MacPorts

After Macports is installed, close and reopen your terminal. Update the ports system and ports list.

sudo port selfupdate
sudo port sync

Then you can install tinc and all necessary dependencies by:

sudo port install tinc

All configuration files are located in /opt/local/etc/tinc.

Configuration

For each host, create a directory for tinc.

Alice machine

mkdir -p /etc/tinc/myvpn/hosts

Then create the file /etc/tinc/myvpn/tinc.conf with the following data:

Name = alice
AddressFamily = ipv4
Interface = tun0

The above example creates a “session” named “myvpn”. This is the name of the VPN network to be established between Alice and Bob in this scenario. The VPN name can be any alphanumeric name that does not contain “-”. In the tinc.conf example, the “Name” field is the name of the local tinc host, which does not have to be its actual hostname; you can choose any generic name.

Next, create the host configuration file, which contains host-specific information, at /etc/tinc/myvpn/hosts/alice with the following text:

Address = 1.2.3.4
Subnet = 10.0.0.1/32

The name of host configuration file (e.g., alice) should be the same as the one you defined in tinc.conf. The “Address” field indicates a globally routable public IP address associated with alice. This field is required for at least one host in a given VPN network so that other hosts can initiate VPN connections to it. In this example, alice will serve as the bootstrapping server, and so has a public IP address (e.g., 1.2.3.4). The “Subnet” field indicates the VPN IP address to be assigned to alice.

Next, generate the public/private key pair (using root privileges):

tincd -n myvpn -K4096

The above command generates a 4096-bit public/private key pair for host “alice”. The private key is stored as /etc/tinc/myvpn/rsa_key.priv, and the public key is appended to /etc/tinc/myvpn/hosts/alice.

Next, create the scripts that run right after the tinc daemon starts and right before it terminates. Make them executable (chmod 755).

Create /etc/tinc/myvpn/tinc-up as the startup script:

#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

Create /etc/tinc/myvpn/tinc-down as the shutdown script:

#!/bin/sh
ifconfig $INTERFACE down

Bob Machine

mkdir -p /etc/tinc/myvpn/hosts

Then create the file /etc/tinc/myvpn/tinc.conf with the following data:

Name = bob
AddressFamily = ipv4
Interface = tun0
ConnectTo = alice

Similar to the Alice machine, we create a configuration for Bob. Remember that in this scenario Bob initiates the connection to Alice; therefore we add the “ConnectTo” field pointing at the Alice machine.

Create the file /etc/tinc/myvpn/hosts/bob with the following data:

Subnet = 10.0.0.2/32

Then create a private/public key pair (using root privileges):

tincd -n myvpn -K4096

This stores Bob’s private key as /etc/tinc/myvpn/rsa_key.priv and appends his public key to /etc/tinc/myvpn/hosts/bob.

We also need to create two scripts similar to Alice’s, namely /etc/tinc/myvpn/tinc-up and /etc/tinc/myvpn/tinc-down.

On /etc/tinc/myvpn/tinc-up, write:

#!/bin/sh
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0

On /etc/tinc/myvpn/tinc-down, write:

#!/bin/sh
ifconfig $INTERFACE down

Make sure both scripts are executable.

Copying Both Keys

Next, we need to copy each host’s public key file to the other host. This way, both parties can connect to the VPN network.

On Alice:

scp /etc/tinc/myvpn/hosts/alice [email protected]:/etc/tinc/myvpn/hosts/

On Bob:

scp /etc/tinc/myvpn/hosts/bob [email protected]:/etc/tinc/myvpn/hosts/

Creating Connection

After finishing the configuration, you should be able to create a connection. Based on our scenario, since Bob initiates the VPN connection, you need to start the tinc daemon on Alice first and then on Bob. Both use the same command (with root privileges):

tincd -n myvpn
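The host file received in the “Copying Both Keys” step is what tincd trusts for the peer’s identity and address, so it is worth vetting before it lands in hosts/. The POSIX shell script below is an added example, not code from the original article or from the tinc project: it accepts a peer file only if it carries exactly one RSA public key block and one Subnet, and that Subnet is not already claimed by another host in the directory. The fixture it runs against is constructed (placeholder key text, temporary directory), with alice already installed and three incoming files: bob (sound), carol (reuses alice’s Subnet) and dave (never ran tincd -K, so no key).

```shell
# Added example, not from the original article: vet a peer's host file before
# copying it into /etc/tinc/<net>/hosts/. It must carry exactly one RSA public key
# and one Subnet not already claimed in the directory; a rejected file stays out.

# Count lines of FILE matching PATTERN; always exit 0 so callers can compare.
count_lines() { grep -c -- "$1" "$2" || true; }

# Return 0 and print "accept: ..." if FILE may become hosts/NAME; else print why, return 1.
check_peer_hostfile() { # check_peer_hostfile FILE HOSTSDIR NAME
    f="$1" hosts="$2" name="$3"
    case "$name" in *[!A-Za-z0-9_]*|'') echo "reject: name '$name' is not alphanumeric"; return 1 ;; esac
    [ "$(count_lines '^-----BEGIN RSA PUBLIC KEY-----$' "$f")" -eq 1 ] ||
        { echo "reject: $name needs exactly one RSA public key"; return 1; }
    [ "$(count_lines '^-----END RSA PUBLIC KEY-----$' "$f")" -eq 1 ] ||
        { echo "reject: $name has an unterminated public key block"; return 1; }
    subnet=$(sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$f")
    [ "$(printf '%s\n' "$subnet" | grep -c .)" -eq 1 ] ||
        { echo "reject: $name needs exactly one Subnet"; return 1; }
    for other in "$hosts"/*; do
        [ -f "$other" ] && [ "${other##*/}" != "$name" ] || continue
        if grep -q "^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*$subnet\$" "$other"; then
            echo "reject: Subnet $subnet already belongs to ${other##*/}"; return 1
        fi
    done
    echo "accept: $name with Subnet $subnet"
}

# Install FILE as hosts/NAME only if it passes the checks above.
install_peer_hostfile() { # install_peer_hostfile FILE HOSTSDIR NAME
    check_peer_hostfile "$1" "$2" "$3" && cp "$1" "$2/$3"
}

# Constructed fixture: alice is already installed; bob is sound, carol reuses
# alice's Subnet, dave has no key. The key body is a placeholder, not a real key.
make_fixture() {
    WORK=$(mktemp -d); export WORK; mkdir -p "$WORK/hosts"
    key='-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PUBLIC KEY-----'
    printf 'Address = 1.2.3.4\nSubnet = 10.0.0.1/32\n%s\n' "$key" > "$WORK/hosts/alice"
    printf 'Subnet = 10.0.0.2/32\n%s\n' "$key" > "$WORK/bob"
    printf 'Subnet = 10.0.0.1/32\n%s\n' "$key" > "$WORK/carol"
    printf 'Subnet = 10.0.0.3/32\n' > "$WORK/dave"
}

make_fixture
for peer in bob carol dave; do install_peer_hostfile "$WORK/$peer" "$WORK/hosts" "$peer"; done
rm -rf "$WORK"
```

On a real host the call is install_peer_hostfile /path/to/received/bob /etc/tinc/myvpn/hosts bob, run on alice after the scp step.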

Installing OpenVPN on FreeBSD 8.3

December 5, 2015 | Article | No Comments

OpenVPN is one of the open-source Virtual Private Network implementations available.

In this article we discuss how to install OpenVPN on FreeBSD 8.3.

Installation

Installing OpenVPN is as easy as installing any FreeBSD port.

cd /usr/ports/security/openvpn
make install clean

Once installed, OpenVPN stores its sample configurations in /usr/local/share/doc/openvpn.

Make a directory /usr/local/etc/openvpn and copy the sample server configuration and the easy-rsa scripts from /usr/local/share/doc/openvpn into this new directory.

mkdir /usr/local/etc/openvpn
cp /usr/local/share/doc/openvpn/sample-config/files/server.conf /usr/local/etc/openvpn
cp -a /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn

Creating RSA Key

OpenVPN is a tunneling network; connections to OpenVPN are made through an encrypted channel. Therefore, to enable OpenVPN we must create keys. In this section we discuss how to do it.

The good news is that we don’t have to create the keys from scratch. OpenVPN ships scripts that create them for us. First, invoke the following to prepare:

chmod 0755 /usr/local/etc/openvpn/easy-rsa/2.0/*
cd /usr/local/etc/openvpn/easy-rsa/2.0
sh    # switch to a Bourne shell; the easy-rsa scripts and the vars file use sh syntax
echo 'export KEY_COUNTRY="ID"' >> vars
echo 'export KEY_PROVINCE="JB"' >> vars
echo 'export KEY_CITY="BANDUNG"' >> vars
echo 'export KEY_ORG="Celestial Being"' >> vars
echo 'export KEY_EMAIL="[email protected]"' >> vars

Now we create the certificate ca.crt

. ./vars
./clean-all
./build-ca

And then build the server.key

./build-key-server server

Next the client.key

./build-key client

Build the DH parameters, 1024 bits long:

./build-dh

Copy the keys to a dedicated directory for key storage.

mkdir /usr/local/etc/openvpn/keys
cp /usr/local/etc/openvpn/easy-rsa/2.0/keys/* /usr/local/etc/openvpn/keys
./clean-all

Configuring Server

After creating the keys, we proceed to configuring the OpenVPN server. The file we must edit is /usr/local/etc/openvpn/server.conf. Here is a sample configuration we can apply to our server:

port 1194
proto udp
dev tap
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log

Autostart on Boot

To run OpenVPN automatically at boot time, add the following to /etc/rc.conf:

gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tap"

Enabling IP Forwarding

IP forwarding is needed so that the server forwards the IP packets it receives to the corresponding client inside the VPN.

sysctl net.inet.ip.forwarding=1

Starting OpenVPN Server

Finally, start OpenVPN:

/usr/local/etc/rc.d/openvpn start
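Two things in the steps above are easy to get subtly wrong: the PKI files referenced from server.conf (the key is the one marked “This file should be kept secret”) and the agreement between “dev” in server.conf and openvpn_if in rc.conf. The POSIX shell script below is an added example, not code from the original article or from the OpenVPN project: given the two config paths it checks that ca, cert, key and dh exist, that the private key is not readable by group or others, and that the device types match. Its demonstration runs on a constructed copy of the article’s layout (placeholder files in a temporary directory, a world-readable key, and an rc.conf that says “tun” instead of “tap”).

```shell
# Added example, not from the original article: pre-start check for the OpenVPN
# setup above. Confirms the PKI files named in server.conf exist, the private key
# is unreadable by group/others, and "dev" matches openvpn_if in rc.conf.

# Print the first value of DIRECTIVE in an OpenVPN config, dropping "# comments".
ovpn_get() { # ovpn_get CONF DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#]*[^#[:space:]]\).*/\1/p" "$1" | head -n 1
}

# Print the value of VAR="value" from an rc.conf-style file.
rc_get() { # rc_get RCFILE VAR
    sed -n "s/^[[:space:]]*$2=\"*\([^\"]*\)\"*.*/\1/p" "$1" | head -n 1
}

# Return 0 when files are present and protected and the configs agree; else print FAIL lines, return 1.
ovpn_preflight() { # ovpn_preflight SERVER_CONF RC_CONF
    conf="$1" rc="$2" status=0
    for d in ca cert key dh; do
        f=$(ovpn_get "$conf" "$d")
        if [ -z "$f" ]; then echo "FAIL: '$d' directive missing"; status=1
        elif [ ! -r "$f" ]; then echo "FAIL: $d file $f is missing or unreadable"; status=1
        fi
    done
    keyfile=$(ovpn_get "$conf" key)
    if [ -r "$keyfile" ] && [ -n "$(find "$keyfile" -perm -g+r -o -perm -o+r)" ]; then
        echo "FAIL: private key $keyfile is readable by group/others (want mode 0600)"; status=1
    fi
    dev=$(ovpn_get "$conf" dev) rcif=$(rc_get "$rc" openvpn_if)
    if [ "$dev" != "$rcif" ]; then
        echo "FAIL: server.conf says 'dev $dev' but rc.conf says openvpn_if=\"$rcif\""; status=1
    fi
    return $status
}

# Constructed fixture: placeholder PKI files, a world-readable server.key, rc.conf with "tun".
make_fixture() {
    W=$(mktemp -d); export W; mkdir -p "$W/keys"
    for k in ca.crt server.crt server.key dh1024.pem; do echo placeholder > "$W/keys/$k"; done
    chmod 644 "$W/keys/server.key"
    printf 'port 1194\nproto udp\ndev tap\nca %s/keys/ca.crt\ncert %s/keys/server.crt\n' "$W" "$W" > "$W/server.conf"
    printf 'key %s/keys/server.key # This file should be kept secret\ndh %s/keys/dh1024.pem\n' "$W" "$W" >> "$W/server.conf"
    printf 'gateway_enable="YES"\nopenvpn_enable="YES"\nopenvpn_if="tun"\n' > "$W/rc.conf"
}

make_fixture
ovpn_preflight "$W/server.conf" "$W/rc.conf" || echo "not ready"
chmod 600 "$W/keys/server.key"
printf 'openvpn_enable="YES"\nopenvpn_if="tap"\n' > "$W/rc.conf"
ovpn_preflight "$W/server.conf" "$W/rc.conf" && echo "ready to start openvpn"
rm -rf "$W"
```

On the real server the call is ovpn_preflight /usr/local/etc/openvpn/server.conf /etc/rc.conf, run before the rc.d start command above.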

And that’s it. You now have OpenVPN on your network.
