16/06/2017

[ mprdmqja vpn ipsec npppd ]

OpenBSD

Or: how to stand up a VPN server with four configuration files. It's beautiful.

OpenBSD - /etc/ipsec.conf

# passive: only answer the clients' proposals; transport mode, since L2TP
# provides the tunnel and IPsec only has to protect the UDP/1701 exchange
ike passive esp transport \
  proto udp from ip.du.server.vpn to any port 1701 \
  main auth "hmac-sha1" enc "aes" group modp1024 \
  quick auth "hmac-sha1" enc "aes" group modp1024 \
  psk "MonSuperMotDePasse"
# hmac-sha1 / modp1024 is the lowest common denominator among L2TP clients;
# isakmpd also accepts e.g. auth "hmac-sha2-256" group modp2048 when the client does.
# The PSK is shared by every client: per-user authentication is npppd's job.

OpenBSD - /etc/npppd/npppd.conf

# users and passwords come from a flat file (see /etc/npppd/npppd-users below)
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

# refuse L2TP that does not arrive inside IPsec
tunnel L2TP protocol l2tp {
        l2tp-require-ipsec yes
}

# addresses handed out to clients, and the DNS server they are told to use
ipcp IPCP {
        pool-address 10.19.19.20-10.19.19.200
        dns-servers 10.19.19.1
}

# 10.19.19.1 is the server side of every session; pppx(4) gives each client
# its own interface, all of them members of the "pppx" group used in pf.conf
interface pppx0 address 10.19.19.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

OpenBSD - /etc/npppd/npppd-users

# getcap(3)-style records: one user per entry, fields separated by ':'
pouet:\
        :password=UnAutreSuperMotDePasse:\
        :framed-ip-address=172.19.19.25:

Apparently I had a typo in this file (172 instead of 10), but the tunnel comes up anyway.

OpenBSD - /etc/pf.conf

ext_if = vio0

# source addresses allowed to reach sshd (and the squid redirect further down)
table <ssh_ipv4> persist file "/home/dsx/etc/pf.conf.d/ssh.ipv4"
table <ssh_ipv6> persist file "/home/dsx/etc/pf.conf.d/ssh.ipv6"

# enc(4) carries the decapsulated IPsec traffic, i.e. the L2TP/UDP 1701 packets
# destined for npppd; skipping it means they are not filtered a second time
set skip on { lo, enc }
set loginterface $ext_if

# NAT only what came in from a VPN session out through the public address
match out on egress nat-to (egress) received-on pppx

block in log on egress
pass out quick

pass in quick proto icmp
pass in quick proto icmp6

pass in quick on egress inet  proto tcp from <ssh_ipv4> to port ssh
pass in quick on egress inet6 proto tcp from <ssh_ipv6> to port ssh

# IKE (udp/500), NAT-T (udp/4500) and the ESP/AH payload itself
pass in quick on egress inet proto { esp, ah }
pass in quick on egress inet proto udp to port { isakmp, ipsec-nat-t }

pass in quick on egress inet proto tcp from <ssh_ipv4> to port 3128 rdr-to 127.0.0.1

# VPN clients get DNS and the proxy, redirected to the loopback-only listeners
pass in quick on pppx inet proto { udp, tcp } to port domain rdr-to 127.0.0.1
pass in quick on pppx inet proto tcp to port 3128 rdr-to 127.0.0.1

The last two lines let the VPN client(s) reach an unbound and a squid that listen only on the loopback interface:

$ grep ^http_port /etc/squid/squid.conf
http_port localhost:3128
$ doas unbound-control get_option interface
127.0.0.1
::1

Mikrotik - l2tp-client

/interface l2tp-client
add add-default-route=yes allow=chap connect-to=ip.du.server.vpn disabled=no ipsec-secret="MonSuperMotDePasse" name=vpn-pr0xm0x300 password="UnAutreSuperMotDePasse" use-ipsec=yes user=pouet

Mikrotik - route

/ip route print  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          82.xxx.159.254           10
 1 ADS  0.0.0.0/0                          10.19.19.1                0
 2  DS  0.0.0.0/0                          86.xxx.112.1              1
 3 ADC  10.19.19.1/32      10.19.19.119    vpn-pr0xm0x300            0
 4 ADS  31.xxx.24.70/32                    86.xxx.112.1              0
...

Route 0 is the one towards the ADSL link, which "costs more" (distance 10); routes 1, 3 and 4 were installed by the l2tp client and route 2 by the dhcp client. Route 1 is the tunnel's new default route, route 3 the connected /32 to the far end of the tunnel, and route 4 the /32 the client adds for the tunnel endpoint through the physical gateway, which is what keeps the tunnel's own packets from being sent into the tunnel. The DHCP default route (2) has lost its A flag: at distance 1 it is displaced by the tunnel's default route at distance 0.
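One check worth doing once the client is up is that the tunnel has not swallowed itself: when the active default route points into the tunnel, a host route to the peer's public address through the physical uplink must still exist, otherwise the L2TP/IPsec packets themselves get routed into the tunnel. The script below is an added example, not code from the original post; it parses a `/ip route print` table in the layout shown above and performs that check. The table it uses is constructed with RFC 5737 documentation addresses (198.51.100.70 stands in for ip.du.server.vpn, 203.0.113.1 for the DHCP gateway, 192.0.2.254 for the ADSL gateway); the interface name and the 10.19.19.x addresses are the ones from the page.

```python
"""Sanity-check a RouterOS `/ip route print` table after an L2TP client comes up.

Added example (not from the original post). Reports the default route in use,
whether it goes through the tunnel, whether a host route keeps the tunnel peer
reachable outside the tunnel, and which default routes the tunnel displaced.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of RouterOS 6 `/ip route print`, with RFC 5737
# documentation addresses in place of the redacted public ones:
# 192.0.2.254 = ADSL gateway, 203.0.113.1 = DHCP gateway of the other uplink,
# 198.51.100.70 = the VPN server's public address (connect-to on the client).
SAMPLE = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.0.2.254              10
 1 ADS  0.0.0.0/0                          10.19.19.1                0
 2  DS  0.0.0.0/0                          203.0.113.1               1
 3 ADC  10.19.19.1/32      10.19.19.119    vpn-pr0xm0x300            0
 4 ADS  198.51.100.70/32                   203.0.113.1               0
"""

TUNNEL_IF = "vpn-pr0xm0x300"   # interface name from the l2tp-client definition
VPN_PEER = "198.51.100.70"     # constructed stand-in for ip.du.server.vpn


@dataclass(frozen=True)
class Route:
    index: int
    flags: str        # the 3-character flag column, e.g. "ADS", "A S", " DS"
    dst: ipaddress.IPv4Network
    pref_src: Optional[str]
    gateway: str      # next-hop address, or an interface name for connected routes
    distance: int

    @property
    def active(self) -> bool:
        return "A" in self.flags

    @property
    def connected(self) -> bool:
        return "C" in self.flags


# index, the fixed-width flag column, then the whitespace-separated remainder
_ROW = re.compile(r"^\s*(\d+)\s([XA ][D ][CSrbomBUP ])\s+(.*)$")


def parse_route_print(text: str) -> list:
    """Parse the rows of a `/ip route print`; the Flags and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        fields = m.group(3).split()
        if len(fields) == 4:          # PREF-SRC column present
            dst, pref_src, gateway, distance = fields
        elif len(fields) == 3:
            dst, gateway, distance = fields
            pref_src = None
        else:
            continue
        routes.append(Route(int(m.group(1)), m.group(2), ipaddress.ip_network(dst),
                            pref_src, gateway, int(distance)))
    return routes


def egress_interface(routes, next_hop: str) -> Optional[str]:
    """Interface a next hop leaves through: itself if it is a name, else via the connected route covering it."""
    try:
        addr = ipaddress.ip_address(next_hop)
    except ValueError:
        return next_hop
    for r in routes:
        if r.connected and r.active and addr in r.dst:
            return r.gateway
    return None


def active_default(routes) -> Optional[Route]:
    """The default route in use: active 0.0.0.0/0 with the lowest distance."""
    candidates = [r for r in routes if r.active and r.dst.prefixlen == 0]
    return min(candidates, key=lambda r: r.distance, default=None)


def peer_host_route(routes, peer: str, tunnel_if: str) -> Optional[Route]:
    """Active /32 to the tunnel peer whose next hop does not itself go through the tunnel."""
    target = ipaddress.ip_network(f"{peer}/32")
    for r in routes:
        if r.active and r.dst == target and egress_interface(routes, r.gateway) != tunnel_if:
            return r
    return None


def check(text: str, peer: str = VPN_PEER, tunnel_if: str = TUNNEL_IF) -> dict:
    routes = parse_route_print(text)
    default = active_default(routes)
    via = egress_interface(routes, default.gateway) if default else None
    peer_route = peer_host_route(routes, peer, tunnel_if)
    return {
        "default_gateway": default.gateway if default else None,
        "default_via_tunnel": via == tunnel_if,
        "peer_route_gateway": peer_route.gateway if peer_route else None,
        # the default points into the tunnel but nothing keeps the peer reachable outside it
        "loop_risk": via == tunnel_if and peer_route is None,
        "displaced_defaults": [r.index for r in routes if r.dst.prefixlen == 0 and not r.active],
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, the default is 10.19.19.1 through vpn-pr0xm0x300, the peer stays reachable via 203.0.113.1 and route 2 is the displaced DHCP default; delete route 4 from the input and `loop_risk` flips to true, which is the failure mode you would see as a tunnel that negotiates and then goes silent.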

Next up

The wifi access point, the switch and the fun stuff.
