 | Datacenter VPN server I am a Linux and VPN newbie and I need to have a completely secure Linux server which I can drop in a datacenter. Home clients need to make a VPN connection to this server. They have to be able to talk with the server (ping, browse, VNC, etc.). They should not see each other (not even ping). Servicedesk clients also need to connect to the server through VPN, but should see all the other clients and be able to talk to them. I also need a webserver on that server. In my research I found out that L2TP/IPSec is the most secure type of VPN. OpenSwan is a VPN server application which does that. My questions:
- Can OpenSwan handle the 2 groups with 1 restricted, 1 full-access connection type?
- What kind of security measures do I need to implement in my server? What kind of firewall/antivirus/etc.? Usually I do home installations, and then you have a home router+firewall.
|
|
| A few pointers... OpenSWAN is an IPSec VPN server. It doesn't do the L2TP (windows authentication) bit (you would need an L2TP server in addition). This is do-able but less simple. However there are how-to documents on the web (eg »wiki.openswan.org/index.php/Openswan/L2TP) Or you can use an IPSec client (rather than an L2TP/IPSec client) on your clients. (You might have to pay for that though.) I suggest you install a linux distribution on an old PC and try this out before you try to deploy.
Firewall - linux has good built-in firewall (and router) capabilities, though you'll have to learn how to configure it. The term you need to search for is iptables. It's very flexible and what you want to do should be possible between iptables and openswan, but you'll need to learn it. Since the server is doing the VPN and hence needs to be exposed to the internet I'd suggest it might as well be its own firewall otherwise you're just going to be spending time figuring out another stage in the routing to get traffic to/from the VPN. My experience (getting rusty now) in helping people with their VPN setups is that they normally get the basic IP routing wrong rather than the VPN configuration.
Bob |
|
 | reply to VPN newbie How big a setup is this datacenter / VPN you're looking to build? How many users altogether?
If you're a complete newbie to both of these, I'd focus on building / testing this in a lab environment rather than jumping right in and putting this into production... especially right in the middle of business hours.
The various *nix distros should be able to offer you a combination of what you need -- firewall, VPN, webserver. Commercially, I think Windows Server with IIS and ISA could do something like this as well. It's up to you whether you want to put your eggs into one basket or separate this into several boxes, but good security practice is to segregate and compartmentalize functionality as much as possible.
To answer your questions - I don't know, but you're basically looking at an AAA / RADIUS solution for that kind of function separation in your groups. The actual implementation is going to depend on the final setup you decide to go with.
- see my point above.
Regards |
|
 | @rjs1003: I wanted to combine the OpenSWAN IPSec with xl2tpd L2TP, because xl2tpd is also written by the OpenSWAN Team. In my head I already combined them. sorry.
I will look up the iptables suggestion. No idea how that works, but I could wrap the whole project in those words. research, research, research...
@HELLFIRE I planned to use one box. Here in The Netherlands you can rent dedicated space in a data center per U (1u, 2u, 4u, 8u, etc.)
On the "How many users altogether" question I can't give a conclusive answer. We start at about 200 users I think, and maybe within 5 years it will be 2000. What do they do: most of the time: Nothing... just have a connection. Once a day it sends a textfile to the server with a few lines status report. The connecting machines are dedicated linux/vispro machines in factories all over the world which are connected to machines in the field. Every once in a while the servicedesk needs to check them by taking over the KVM with VNC. Never more than a few at once...
We need to be sure that a machine operator with a little knowledge of linux and terminals cannot connect to a machine on the other side of the world, and check the competitors status reports. That is why client-client traffic is out of the question. On the other hand: the servicedesk clients do need to have traffic with all of the clients! That is why I want the two groups.
btw, I hope you all understand my English. It is not my first language, so there will be some strange sentences I think  |
|
 | reply to VPN newbie said by VPN newbie :On the "How many users altogether" question I can't give a conclusive answer. We start at about 200 users I think, and maybe within 5 years it will be 2000. What do they do: most of the time: Nothing... just have a connection. Once a day it sends a textfile to the server with a few lines status report. The connecting machines are dedicated linux/vispro machines in factories all over the world which are connected to machines in the field. Every once in a while the servicedesk needs to check them by taking over the KVM with VNC. Never more than a few at once... If you need that scalable a solution, then you want to do this right the first time, so I'd definitely lab this up and/or go out to a consulting firm with a little more experience at this.
From a highlevel view, this should all be doable, but like I said, you want to do this right the first time, not do a hack of a hack of a hack, and have no idea what you're doing.
Just my 00000010bits anyways.
Regards |
|
| Agree - if it's going to be this big you definitely need to either do this yourself in a lab setup before you get as far as a remote box in a datacentre, and/or get some outside assistance even if just to check your design. Do make sure your "lab" goes across the internet at some point, too, even if it's just from your house to your office or a friend's house. You might still get caught by a few things as you scale up but you need to prove to yourself that the network setup and firewall rules work before you end up trying to support it on a remote server where you have to be so careful not to cut your own access off when adjusting the firewall rules!
Oh, and your English is great - don't worry about that.
Bob |
|
 | First of all, thanks for your compliment on my English. I try to check every sentence I produce, but I'm still learning...
now, on-topic again:
Of course I will first try to set this up at home. I need to have a reliable system before it will ship off to the data center.
Right now I have the server up and running. VPN is running (PPTP first, but I'll try IPsec/L2TP later on) and right now I am stuck at the iptables part. To make client2client traffic possible I need to set net.ipv4.ip_forward to 1. But that means that all the traffic to all the clients is open. How do I make the separation between users that can access other clients, and those who can't? When you only allow the clients to the server IP, and block the rest in that range, the server itself happily forwards all the packets to the rest of the range....  |
|
| OK, setting ip_forward to 1 allows routing between network interfaces - that's the first step. Now you need to setup the firewall - basically apply rules or filters on this routing.
The first time I did it I found »www.netfilter.org/documentation/ to be useful. I think you want the 2nd set of documents - the packet filtering how-to. It is available in several languages too, including Dutch. Hopefully that will get you going. I am getting forgetful but it may also be possible to do some filtering in the openvpn configuration. You probably need to look up how to filter traffic between tunnels, anyway - someone will have covered it if you search, I'm sure.
Bob |
|
 | reply to HELLFIRE Not sure how I posted here - but I believe it was in error. Sorry |
|
 leibold
| reply to VPN newbie said by VPN newbie :To make client2client traffic possible i need to set net.ipv4.ip_forward to 1. But that means that all the traffic to all the clients is open. How do I make the separation between users that can access other clients, and those who can't?
There is more than one way you can go about this. One approach is what you are already suggesting yourself and that is have the datacenter VPN server act as router between the attached clients by turning on IP-forwarding. To keep the iptables rules simple, setup your pptp vpn server to assign IP addresses in one netblock to the home clients and IP addresses in a different netblock to the servicedesk clients. Then setup iptables to allow all already established connections but only allow new connections to be established from: a.) servicedesk client to VPN server (tunnel endpoint). b.) servicedesk client to home client. c.) home client to VPN server (tunnel endpoint), but only for the services you are hosting on the VPN server for the home clients (you mention a webserver). d.) optionally servicedesk clients to other servicedesk clients (it isn't fully clear from your posted requirements whether this is needed or not; it may be if the servicedesk people are at different locations and the VPN server is also used to provide the connection between them). The advantage of this approach is that with very little effort you are able to handle almost every client to client communication because the connections are normal routed IP connections. However because of the routed connections a small mistake in the firewall rules can have big consequences. I know of a customer service organization that did something like this and inadvertently routed traffic from different clients (competitors!) to each other (not enough connectivity for real harm, but enough to scare the clients)!
Another approach leaves IP-forwarding turned off and instead for every type of communication between servicedesk clients and home clients you setup application level gateways (proxies). This approach takes more effort to setup when there are a lot of different types of applications that need to be supported. Some applications may not even have suitable gateways/proxies that are readily available for your purpose. However application level gateways/proxies usually offer a higher degree of control over exactly what servicedesk and home clients are permitted to do to each other. They are also much better at logging what really was done when there is any complaint that needs to be investigated. |
|
 | @leibold: I already started with the IPtables option, so I'll stick to that.
It took me a while to figure out, but I think I did it. In the pptp chap-secrets file you put the username, the connection, the password and "the ip-address the client uses to connect". In my English newbie state, I read that as: the only allowed client home ip-address (the ip you get from your isp). After a while I figured out you can also read this as: the requested ip for the vpn connection. When that became clear I just configured a few servicedesk clients to get a 192.168.0.* ip-address, the same range as the server (pptp local-ip). The rest of the clients get a dhcp ip-address (pptp remote-ip) in the 192.168.1-10.* ranges.
in IPtables I configured to allow input traffic from any client to the server (192.168.0.1) and drop the rest, forward traffic from the 0 range to all the other ranges, from all the other ranges to the 0 range, and drop the rest:
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.1/32 -j ACCEPT    # any VPN client -> the server itself
iptables -A INPUT -d 192.168.0.0/16 -j DROP                         # nothing else addressed to the VPN range
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/16 -j ACCEPT   # servicedesk range -> all client ranges
iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/24 -j ACCEPT   # all client ranges -> servicedesk range
iptables -A FORWARD -d 192.168.0.0/16 -j DROP                       # everything else (client -> client)
The fact that a client can do everything with a servicedesk machine does not matter. They have their own firewall.
besides the client-client traffic I needed to allow traffic from the outside world to the webserver (port 80), the vnc repeater (port 5900), the pptp vpn server (port 1723 and "protocol 47" (it took me a while to figure that out)). that was all quite easy.
Now the next problem is heating my head:
there are config files and log files on the clients that a webserver client needs to download and upload. i'm trying to find a solution for that.... |
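As an added example (written for this rewrite, not code from the thread or from the Openswan/xl2tpd projects), here is a script that generates the stateful rule set leibold described: new connections only from servicedesk to server, servicedesk to home client, and home client to the services published on the server, with ESTABLISHED/RELATED replies allowed in both chains, using the address plan from the post above (server 192.168.0.1, servicedesk in 192.168.0.0/24, home clients in the rest of 192.168.0.0/16) and the external ports listed there (80, 5900, 1723/GRE) plus the L2TP/IPsec ports. The interface name eth0 and the SSH management rule are assumptions; the script prints the rules unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iptables rules for the
# "two groups" design: servicedesk clients may open connections to the
# server and to any home client; home clients may only open connections
# to the services published on the server; no other traffic is forwarded
# between tunnels. Address plan as in the thread; the WAN interface name
# and the SSH rule are assumptions.
SERVER_IP=${SERVER_IP:-192.168.0.1}
DESK_NET=${DESK_NET:-192.168.0.0/24}
VPN_NET=${VPN_NET:-192.168.0.0/16}
WAN_IF=${WAN_IF:-eth0}
# TCP services on the server that home clients may reach (webserver, VNC repeater).
HOME_TO_SERVER_TCP=${HOME_TO_SERVER_TCP:-"80 5900"}
# Assumed management port; without a rule like this a remote box locks you out.
MGMT_TCP=${MGMT_TCP:-22}

vpn_rules() {
    # Start from a default-deny policy on the chains we manage.
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Return traffic of anything accepted below, in both chains. This is what
    # lets a home client answer the servicedesk without being allowed to initiate.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Management access from the internet (assumption: SSH).
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $MGMT_TCP -j ACCEPT"
    # Tunnel endpoints reachable from the internet: PPTP control channel and
    # GRE; IKE, NAT-T and ESP for IPsec; L2TP only when it arrives inside an
    # IPsec SA (xt_policy match), so plain L2TP from the outside is dropped.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p gre -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
    # Public webserver.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT"
    # a) servicedesk -> server: anything.
    echo "iptables -A INPUT -s $DESK_NET -d $SERVER_IP -j ACCEPT"
    # c) home client -> server: only the published services.
    for port in $HOME_TO_SERVER_TCP; do
        echo "iptables -A INPUT -s $VPN_NET -d $SERVER_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # b) servicedesk -> home client (and, since DESK_NET lies inside VPN_NET,
    #    servicedesk -> servicedesk, item d in the design). Only this direction
    #    may create a connection; the FORWARD policy drops every other new flow,
    #    so home -> home and home -> servicedesk never get through.
    echo "iptables -A FORWARD -s $DESK_NET -d $VPN_NET -m state --state NEW -j ACCEPT"
}

# Print the rules by default; APPLY=1 feeds them to a shell (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    vpn_rules | sh
else
    vpn_rules
fi
```

Run it once without APPLY and read the output before applying it on the datacenter box; the once-a-day status upload from the home clients is not in HOME_TO_SERVER_TCP because the thread does not say which protocol carries it, so add that port before rolling out.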
|
 | Time for an update!
L2TP/IPsec and PPTP are both up and running now. Server and service clients have an ip address in the 192.168.0.xxx range. PPTP clients get an ip address between 192.168.1.xxx and 192.168.10.xxx. L2TP clients get an ip address between 192.168.11.xxx and 192.168.20.xxx.
On ip-up, the ip and one "up" Boolean are pushed to a MySQL database, which has all clients with uuid and mac address in a table. On ip-down, the ip field is cleared and the "up" Boolean is set to down. This way I can check if the connections are up, and which clients are up, uniquely identified by the uuid and mac address. At first I used the "who" command to see which clients were connected, because the PPTP server uses a plugin that pushes the connecting user up to the log-wtmp. Unfortunately XL2TP does not have that plugin, so I only saw half of my clients...
Right now I'm trying to get the VNC repeater and x11vnc servers up and running. It seems the x11vnc server gets the wrong display from the display manager. When I go into text mode on my Ubuntu client, the vnc client gets connected, but has a black screen (seems normal). When I go to the graphic X layer, the repeater barfs all kinds of errors about not being able to read the socket and no data coming in.
why does everything go wrong all the time... |
|
 | said by VPN newbie:Right now I'm trying to get the VNC repeater and x11vnc servers up and running. It seems the x11vnc server gets the wrong display from the display manager. When I go into text mode on my Ubuntu client, the vnc client gets connected, but has a black screen (seems normal). When I go to the graphic X layer, the repeater barfs all kinds of errors about not being able to read the socket and no data coming in.
why does everything go wrong all the time... Found it. MTU and MRU were too high. For instance, standard MTU for PPTP is 1464. That should be enough. By going down by 2 every try, I came to 1450. (changed them to 1450 for PPTP and 1410 for L2TP/IPsec) VNC packets inside the VPN headers were overflowing the standard MTU/MRU of 1500. Why? I don't know... I guess it has to do with the DSL connection's MTU, which is not 1500, but less...
yeah  |
|
|
|
 leibold | Tunnels inside tunnels! Eventually there is not enough space in the pipe  |
|
 | reply to VPN newbie For a while now, the test setup is running like a charm. Yesterday I started the new phase in the test: multiple ipsec tunnels behind the same NAT to the server behind NAT
machine 1---------|____NAT---(internet)---NAT---- server
ipad--------------|
Android phone-----|
The above setup works. But when I add another machine:
machine 1---------|____NAT---(internet)---NAT---- server
machine 2---------|
ipad--------------|
Android phone-----|
The first machine gets disconnected the moment machine 2 gets its tunnel. After half a minute the first machine detects its tunnel is down and tries to reconnect. And it does. But then the second tunnel gets disconnected again. After half a minute the second machine detects its tunnel is down and tries to reconnect. And it does. But then the first tunnel gets disconnected again.
This goes back and forth until I shut down one of the machines. Then the other machine keeps its tunnel up. Meanwhile the ipad and phone are still connected and had no hiccups or anything...
Anyone have an idea? I can't find the problem. |
|