16 October 2013, 20:40

We'll see here how to set up the PPTP server and client to use PKI certificates.
See the previous part for how to create the certificates.

Some patching is involved to get PPTP EAP-TLS support. Using non-official binaries brings many security issues. Moreover, bugs and glitches arise all along the way. It is certainly a result of PPTP being slowly deprecated by the Linux community.
For all these reasons, this post is mostly for the curiosity of PPTP geeks, only for fun. This shouldn't be used in a production environment.

This tutorial assumes the PPTP server and PPTP client are already set up, as in this tutorial : Linux PPTP Server and Client with IPv4+IPv6 Support

We'll just be adding EAP-TLS support here.

1. Server Patching

We first need to patch the server's pppd binary to support EAP-TLS.
We start by checking our pppd version :
sudo /usr/sbin/pppd --version

We then download the ppp sources and the ppp-eaptls patch :
sudo wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
sudo wget http://www.nikhef.nl/~janjust/ppp/ppp-2.4.5-eaptls-mppe-0.997.patch

( make sure you download the version that matches your /usr/sbin/pppd --version output )

We get openssl and libssl-dev :

sudo apt-get install openssl

sudo apt-get install libssl-dev


We apply the patch and compile :

sudo tar -zxf ppp*.tar.gz

cd ppp*

 

sudo patch -p1 < /home/fjord/ppp-2.4.5-eaptls-mppe-0.997.patch

sudo ./configure

sudo make

sudo make install

sudo make install-etcppp

 

cd pppd

sudo cp pppd /usr/sbin/pppd


Server patching is done !

For other sources and patch versions, see here :

ftp://ftp.samba.org/pub/ppp/
http://www.nikhef.nl/~janjust/ppp/download.html

 

2. Client Patching

We will next need to patch the client pppd binary to support EAP-TLS.

We first need to downgrade libssl, because of a bug.
( See : http://openssl.6102.n7.nabble.com/libssl-1-0-1-breaking-program-td45714.html )
( It seems necessary to downgrade on at least one peer. I tested it by downgrading the client. )

sudo wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl-dev_0.9.8o-4squeeze14_i386.deb

sudo wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_i386.deb

 

sudo apt-get remove libssl-dev

sudo apt-get remove libssl-doc

sudo dpkg -i libssl0.9.8_0.9.8o-4squeeze14_i386.deb

sudo dpkg -i libssl-dev_0.9.8o-4squeeze14_i386.deb

 


We then proceed with the same patching procedure :

We first check our pppd version :
sudo /usr/sbin/pppd --version

We then download the ppp sources and the ppp-eaptls patch :
sudo wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
sudo wget http://www.nikhef.nl/~janjust/ppp/ppp-2.4.5-eaptls-mppe-0.997.patch

( make sure you download the version that matches your /usr/sbin/pppd --version output )

We get openssl and libssl-dev :

sudo apt-get install openssl

sudo apt-get install libssl-dev


We apply the patch and compile :

sudo tar -zxf ppp*.tar.gz

cd ppp*

 

sudo patch -p1 < /home/fjord/ppp-2.4.5-eaptls-mppe-0.997.patch

sudo ./configure

sudo make

sudo make install

sudo make install-etcppp

 

cd pppd

sudo cp pppd /usr/sbin/pppd


Client patching is done !

For other sources and patch versions, see here :

ftp://ftp.samba.org/pub/ppp/
http://www.nikhef.nl/~janjust/ppp/download.html
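As an added example (not from the original post) for the "make sure you download the version that matches" step of sections 1 and 2, a POSIX shell script that compares the pppd --version output with the versions embedded in the tarball and patch file names before anything is patched, and optionally checks the tarball's SHA-256 against a hash obtained out of band. EXPECTED_SHA256 is a placeholder to fill in yourself and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to patch unless the pppd
# already installed, the ppp tarball and the eaptls patch all carry the same
# version. Assumes the file names follow the post's pattern, ppp-X.Y.Z.tar.gz
# and ppp-X.Y.Z-eaptls-mppe-N.patch. EXPECTED_SHA256 is a placeholder you fill
# in from a source you trust, because the FTP download itself is unauthenticated.
EXPECTED_SHA256="${EXPECTED_SHA256:-}"

# "pppd version 2.4.5" -> "2.4.5" (pppd prints this line on stderr).
pppd_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*pppd version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# "ppp-2.4.5.tar.gz" or "/some/dir/ppp-2.4.5-eaptls-mppe-0.997.patch" -> "2.4.5".
file_version_of() {
    printf '%s\n' "$1" | sed -n 's/^.*ppp-\([0-9][0-9.]*[0-9]\)[.-].*/\1/p'
}

# versions_agree <pppd --version output> <tarball> <patch>
# 0 when all three versions are identical; otherwise 1 with the mismatch on stderr.
versions_agree() {
    _want=$(pppd_version_of "$1"); _tar=$(file_version_of "$2"); _patch=$(file_version_of "$3")
    [ -n "$_want" ] || { echo "cannot read a version from pppd output" >&2; return 1; }
    [ "$_tar" = "$_want" ] || { echo "tarball is $_tar but pppd is $_want" >&2; return 1; }
    [ "$_patch" = "$_want" ] || { echo "patch is $_patch but pppd is $_want" >&2; return 1; }
}

# Integrity check of the tarball; skipped when no expected hash was supplied.
tarball_hash_ok() {
    [ -n "$EXPECTED_SHA256" ] || return 0
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$EXPECTED_SHA256" ]
}

# Usage: check-ppp-versions.sh ppp-2.4.5.tar.gz ppp-2.4.5-eaptls-mppe-0.997.patch
if [ $# -eq 2 ]; then
    _out=$(/usr/sbin/pppd --version 2>&1)
    versions_agree "$_out" "$1" "$2" || exit 1
    tarball_hash_ok "$1" || { echo "tarball sha256 does not match EXPECTED_SHA256" >&2; exit 1; }
    echo "ok: pppd, tarball and patch are all version $(pppd_version_of "$_out")"
fi
```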

 

3. PPTP Server setup

sudo mkdir /etc/ppp/keys

We copy the files ca.crt, dh1024.pem, server.crt and server.key into it.
 

We edit pptpd.conf :

sudo leafpad /etc/pptpd.conf
--------------------------------------------------------------------------------------------------
ppp /usr/local/sbin/pppd

option /etc/ppp/options-pptpd-eaptls

localip 10.0.0.1

remoteip 10.0.0.10-20

--------------------------------------------------------------------------------------------------

We create an options-pptpd-eaptls file ( the name referenced by pptpd.conf above ) :

sudo cp /etc/ppp/pptpd-options /etc/ppp/options-pptpd-eaptls


We edit it to these settings ( most important listed only ) :
--------------------------------------------------------------------------------------------------------
name server
#auth ## not used here, to try
refuse-pap

refuse-chap

refuse-mschap-v2
require-eap
require-mppe-128
ms-dns 208.67.222.222

ms-dns 208.67.220.220

proxyarp


nodefaultroute


#debug

#logfile /tmp/pppd.log

lock


nobsdcomp

--------------------------------------------------------------------------------------------------------

 


We finally edit /etc/ppp/eaptls-server to register the certificates, using [TAB] as a delimiter :
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
*<TAB>server<TAB>-<TAB>/etc/ppp/keys/server.crt<TAB>/etc/ppp/keys/ca.crt<TAB>/etc/ppp/keys/server.key<TAB>*
-------------------------------------------------------------------------------------------------------------------------------------------------------------------


We restart to apply :

sudo service pptpd restart

 

4. PPTP Client setup

We create the keys directory :
sudo mkdir /etc/ppp/keys

We copy in the needed client files, client_kevin.crt, client_kevin.key and ca.crt :

sudo cp ca.crt /etc/ppp/keys/

sudo cp client_kevin.crt /etc/ppp/keys/
sudo cp client_kevin.key /etc/ppp/keys/


We create an options-pptp-eaptls file :

sudo cp /etc/ppp/options.pptp /etc/ppp/options-pptp-eaptls


We edit it to these settings :
----------------------------------------------------------------------------------------------------------------------------------------

name client_kevin                                  ## the CN= part of the client certificate

remotename server                               ## the CN= part of the server certificate

 

# Lock the port

lock

 

# Authentication

# We don't need the tunnel server to authenticate itself

noauth

 

#ipcp-accept-local

#ipcp-accept-remote

#noipdefault

nobsdcomp

nodeflate

#nopredictor1

#nopcomp

#noaccomp

 

refuse-pap

refuse-chap

refuse-mschap

refuse-mschap-v2

 

require-mppe-128

need-peer-eap # the server must authenticate using eap

 

#password 1234 # if private key is password encrypted. doesn't work yet

 

debug

logfile /tmp/pppd.log

----------------------------------------------------------------------------------------------------------------------------------------------

 

We edit /etc/ppp/eaptls-client to register the certificates, using [TAB] as a delimiter :
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
*<TAB>server<TAB>/etc/ppp/keys/client_kevin.crt<TAB>-<TAB>/etc/ppp/keys/ca.crt<TAB>/etc/ppp/keys/client_kevin.key
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

We finally create or edit a peer file :
sudo leafpad /etc/ppp/peers/MYVPN
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
pty "pptp 192.168.0.40 --nolaunchpppd"

file /etc/ppp/options-pptp-eaptls

name client_kevin
remotename server

#require-mppe-128

#require-mschap-v2

usepeerdns

noauth

ipparam MYVPN

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

 


5. PPTP Connection

The NetworkManager GUI seems broken with PPTP EAP-TLS; I never managed to make it work.
Using the command line, the usual commands do work :

tunnel up :
sudo pon MYVPN

tunnel down :
sudo poff MYVPN

debug launch :
sudo pon MYVPN debug dump logfd 2 nodetach


6. Password protected keys

Although it is theoretically very simple, only requiring 'password 1234' to be added to the file /etc/ppp/options-pptp-eaptls, the debug log shows the password being picked up but the EAP authentication fails in the end.
Adding 'password 1234' to the file /etc/ppp/peers/MYVPN gives the same result.


Trying using the GUI network-manager doesn't help either.

Maybe downgrading libssl-dev brought this issue. Downgrading the server library too may solve it.
The only small protection possible is to chmod 600 the key files ( only the owner can read or write them ).
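As an added example (not part of the original post), a small POSIX shell checker for the eaptls-client / eaptls-server files of sections 3 and 4 together with the key-file permissions of this section: it verifies the TAB layout, that every referenced file exists, that the private key is mode 600, and that the names in the file agree with the name / remotename options. File layouts and option names are those used in the post; the script name check-eaptls.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a pppd EAP-TLS setup
# before running "pon". It reads the TAB-delimited /etc/ppp/eaptls-client (6 fields)
# or /etc/ppp/eaptls-server (7 fields) file, checks that every referenced
# certificate/key exists, that the private key has no group/other permission bits
# and that its names agree with "name"/"remotename" in the pppd options file.
# Paths are arguments so it can also be run against copies in a scratch directory.

# 0 when the group and other permission bits of a file are all clear (e.g. mode 600).
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# First value of pppd option $2 (e.g. name) in options file $1; empty if unset.
option_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# check_eaptls <eaptls file> <pppd options file> client|server
# Prints each problem to stderr; returns 0 only if every line passes.
check_eaptls() {
    _file=$1; _opts=$2; _role=$3; _rc=0
    if [ "$_role" = server ]; then _want=7; else _want=6; fi
    _me=$(option_value "$_opts" name); _peer=$(option_value "$_opts" remotename)
    while read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        # Split on TAB only; set -f stops the leading "*" from being glob-expanded.
        set -f; IFS=$(printf '\t'); set -- $_line; unset IFS; set +f
        if [ $# -ne "$_want" ]; then
            echo "expected $_want TAB-separated fields, got $#: $_line" >&2; _rc=1; continue
        fi
        # Fields: client  server  client-cert  server-cert  ca-cert  private-key  [addresses]
        _cn=$1; _sn=$2; _key=$6
        for _p in "$3" "$4" "$5" "$6"; do
            [ "$_p" = - ] || [ -f "$_p" ] || { echo "missing file: $_p" >&2; _rc=1; }
        done
        if [ -f "$_key" ] && ! key_is_private "$_key"; then
            echo "$_key is readable by group/others, chmod 600 it" >&2; _rc=1
        fi
        # "*" matches any name; otherwise our side must equal "name" and the peer "remotename".
        if [ "$_role" = client ]; then
            [ "$_cn" = '*' ] || [ "$_cn" = "$_me" ] || { echo "client $_cn != name $_me" >&2; _rc=1; }
            [ "$_sn" = '*' ] || [ "$_sn" = "$_peer" ] || { echo "server $_sn != remotename $_peer" >&2; _rc=1; }
        else
            [ "$_sn" = '*' ] || [ "$_sn" = "$_me" ] || { echo "server $_sn != name $_me" >&2; _rc=1; }
        fi
    done < "$_file"
    return $_rc
}

# Usage: check-eaptls.sh /etc/ppp/eaptls-client /etc/ppp/options-pptp-eaptls client
if [ $# -eq 3 ]; then check_eaptls "$1" "$2" "$3" && echo "eaptls configuration looks consistent"; fi
```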

 

Published by computer outlines - in VPN PPTP