16 October 2013, 20:40

We'll see here how to set up a PPTP server and client to use PKI certificates.
See the previous part for how to create the certificates.

Some patching is involved to get PPTP EAP-TLS support. Using non-official binaries brings many security issues; moreover, bugs and glitches arise all along the way. This is most likely a result of PPTP being slowly deprecated by the Linux community.
For all these reasons, this post is mostly for the curiosity of PPTP geeks, just for fun. It shouldn't be used in a production environment.

This tutorial assumes the PPTP server and PPTP client are already set up, as in this tutorial : Linux PPTP Server and Client with IPv4+IPv6 Support

We'll just be adding EAP-TLS support here.

 

1. Server Patching

We first need to patch the server pppd binary to support EAP-TLS.
We first check our pppd version :
sudo /usr/sbin/pppd --version

We then download the ppp sources and the ppp-eaptls patch :
sudo wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
sudo wget http://www.nikhef.nl/~janjust/ppp/ppp-2.4.5-eaptls-mppe-0.997.patch

( make sure you download the version that matches your /usr/sbin/pppd --version output )

We get openssl and libssl-dev :

sudo apt-get install openssl

sudo apt-get install libssl-dev


We apply the patch and compile :

sudo tar -zxf ppp*.tar.gz

cd ppp*

 

sudo patch -p1 < /home/fjord/ppp-2.4.5-eaptls-mppe-0.997.patch

sudo ./configure

sudo make

sudo make install

sudo make install-etcppp

 

cd pppd

sudo cp pppd /usr/sbin/pppd


Server patching is done !

For other source and patch versions, see here :

ftp://ftp.samba.org/pub/ppp/
http://www.nikhef.nl/~janjust/ppp/download.html

 

2. Client Patching

We next need to patch the client pppd binary to support EAP-TLS.

We first need to downgrade libssl, because of a bug.
( See : http://openssl.6102.n7.nabble.com/libssl-1-0-1-breaking-program-td45714.html )
( It seems necessary to downgrade on at least one peer. I tested it by downgrading the client. )

sudo wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl-dev_0.9.8o-4squeeze14_i386.deb

sudo wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_i386.deb

 

sudo apt-get remove libssl-dev

sudo apt-get remove libssl-doc

sudo dpkg -i libssl0.9.8_0.9.8o-4squeeze14_i386.deb

sudo dpkg -i libssl-dev_0.9.8o-4squeeze14_i386.deb

 


We then proceed with the same patching procedure as for the server :

We first check our pppd version :
sudo /usr/sbin/pppd --version

We then download the ppp sources and the ppp-eaptls patch :
sudo wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
sudo wget http://www.nikhef.nl/~janjust/ppp/ppp-2.4.5-eaptls-mppe-0.997.patch

( make sure you download the version that matches your /usr/sbin/pppd --version output )

We get openssl and libssl-dev :

sudo apt-get install openssl

sudo apt-get install libssl-dev


We apply the patch and compile :

sudo tar -zxf ppp*.tar.gz

cd ppp*

 

sudo patch -p1 < /home/fjord/ppp-2.4.5-eaptls-mppe-0.997.patch

sudo ./configure

sudo make

sudo make install

sudo make install-etcppp

 

cd pppd

sudo cp pppd /usr/sbin/pppd


Client patching is done !

For other source and patch versions, see here :

ftp://ftp.samba.org/pub/ppp/
http://www.nikhef.nl/~janjust/ppp/download.html

 

3. PPTP Server setup

sudo mkdir /etc/ppp/keys

We copy the files ca.crt, dh1024.pem, server.crt and server.key into it.

We edit pptpd.conf :

sudo leafpad /etc/pptpd.conf
--------------------------------------------------------------------------------------------------
ppp /usr/local/sbin/pppd

option /etc/ppp/options-pptpd-eaptls

localip 10.0.0.1

remoteip 10.0.0.10-20

--------------------------------------------------------------------------------------------------

We create an options-pptpd-eaptls file ( from /etc/ppp, where pptpd-options lives ) :

sudo cp pptpd-options options-pptpd-eaptls


We edit it to these settings ( only the most important ones are listed ) :
--------------------------------------------------------------------------------------------------------
name server
#auth ## not used here, to try
refuse-pap

refuse-chap

refuse-mschap-v2
require-eap
require-mppe-128
ms-dns 208.67.222.222

ms-dns 208.67.220.220

proxyarp


nodefaultroute


#debug

#logfile /tmp/pppd.log

lock


nobsdcomp

--------------------------------------------------------------------------------------------------------

 


We finally edit /etc/ppp/eaptls-server to register the certificates, using [TAB] as a delimiter :
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
*<TAB>server<TAB>-<TAB>/etc/ppp/keys/server.crt<TAB>/etc/ppp/keys/ca.crt<TAB>/etc/ppp/keys/server.key<TAB>*
-------------------------------------------------------------------------------------------------------------------------------------------------------------------


We restart to apply :

sudo service pptpd restart

 

4. PPTP Client setup

We create the keys directory :
sudo mkdir /etc/ppp/keys

We copy in the needed client keys, client_kevin.crt, client_kevin.key and ca.crt :

sudo cp ca.crt /etc/ppp/keys/

sudo cp client_kevin.crt /etc/ppp/keys/
sudo cp client_kevin.key /etc/ppp/keys/


We create an options-pptp-eaptls file :

sudo cp options.pptp options-pptp-eaptls


We edit it to these settings :
----------------------------------------------------------------------------------------------------------------------------------------

name client_john          ## the CN= part of the client certificate

remotename server         ## the CN= part of the server certificate

 

# Lock the port

lock

 

# Authentication

# We don't need the tunnel server to authenticate itself

noauth

 

#ipcp-accept-local

#ipcp-accept-remote

#noipdefault

nobsdcomp

nodeflate

#nopredictor1

#nopcomp

#noaccomp

 

refuse-pap

refuse-chap

refuse-mschap

refuse-mschap-v2

 

require-mppe-128

need-peer-eap # the server must authenticate using eap

 

#password 1234 # if private key is password encrypted. doesn't work yet

 

debug

logfile /tmp/pppd.log

----------------------------------------------------------------------------------------------------------------------------------------------

 

We edit a /etc/ppp/eaptls-client file to register the certificates, using [TAB] as the delimiter :
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
*<TAB>server<TAB>/etc/ppp/keys/client_kevin.crt<TAB>-<TAB>/etc/ppp/keys/ca.crt<TAB>/etc/ppp/keys/client_kevin.key
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
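Both the eaptls-server and the eaptls-client files above are TAB-delimited, with "-" standing for an absent certificate, and a wrong delimiter, a missing column or a mistyped path is the usual reason EAP-TLS silently fails. The following parser and checker is an added example, not part of this post or of the ppp patch: the field order is taken from the two lines shown in this post, the column names are my own labels (assumed to follow the patch's README layout), and the sample entries and the KNOWN_FILES set are constructed stand-ins for the real /etc/ppp files.

```python
"""Parse and sanity-check pppd eaptls-server / eaptls-client entries (stdlib only)."""
import re

# Field order taken from the two entries shown in this post. The column names are
# my own labels (assumption), chosen to match the ppp EAP-TLS patch's README layout.
SERVER_FIELDS = ("client", "server", "client_cert", "server_cert",
                 "ca_cert", "private_key", "allowed_ips")
CLIENT_FIELDS = ("client", "server", "client_cert", "server_cert",
                 "ca_cert", "private_key")


def parse_eaptls(text, fields):
    """Return one dict per entry; raise ValueError on the layout mistakes seen in practice."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # The post insists on TAB as the delimiter: a line split on spaces is the classic mistake.
        if "\t" not in line and re.search(r"\S +\S", line):
            raise ValueError(f"line {lineno}: fields are separated by spaces, not TABs")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} TAB-separated fields, got {len(cols)}")
        entries.append(dict(zip(fields, cols)))
    return entries


def layout_error(text, fields):
    """Return the ValueError message for a malformed file, or None if it parses."""
    try:
        parse_eaptls(text, fields)
    except ValueError as err:
        return str(err)
    return None


def check_entry(entry, exists):
    """List problems in one entry. `exists(path) -> bool` stands in for the filesystem."""
    problems = []
    for name in ("client_cert", "server_cert", "ca_cert", "private_key"):
        path = entry[name]
        if path == "-":
            continue
        if not path.startswith("/"):
            problems.append(f"{name}: {path!r} is not an absolute path")
        elif not exists(path):
            problems.append(f"{name}: {path!r} does not exist")
    # A server entry has the extra allowed_ips column; each side must present its own certificate.
    own = "server_cert" if "allowed_ips" in entry else "client_cert"
    if entry[own] == "-":
        problems.append(f"{own}: missing (this side must present its own certificate)")
    if entry["ca_cert"] == "-":
        problems.append("ca_cert: missing (needed to verify the peer's certificate)")
    return problems


# Constructed samples: the server line as in the post, and a client line reproducing
# a "keya" typo in the CA path, so the check has something to report.
SERVER_TEXT = ("*\tserver\t-\t/etc/ppp/keys/server.crt\t/etc/ppp/keys/ca.crt"
               "\t/etc/ppp/keys/server.key\t*\n")
CLIENT_TEXT = ("*\tserver\t/etc/ppp/keys/client_kevin.crt\t-\t/etc/ppp/keya/ca.crt"
               "\t/etc/ppp/keys/client_kevin.key\n")
# Constructed stand-in for the files actually present under /etc/ppp/keys.
KNOWN_FILES = {"/etc/ppp/keys/server.crt", "/etc/ppp/keys/ca.crt", "/etc/ppp/keys/server.key",
               "/etc/ppp/keys/client_kevin.crt", "/etc/ppp/keys/client_kevin.key"}


def audit(text, fields, exists=KNOWN_FILES.__contains__):
    """Parse `text` and return {entry index: [problems]} for the entries that have any."""
    return {i: p for i, e in enumerate(parse_eaptls(text, fields))
            if (p := check_entry(e, exists))}


if __name__ == "__main__":
    print("eaptls-server:", audit(SERVER_TEXT, SERVER_FIELDS) or "ok")
    print("eaptls-client:", audit(CLIENT_TEXT, CLIENT_FIELDS) or "ok")
```

On a real host, pass `os.path.exists` as `exists` and the file contents read from /etc/ppp; the "-" placeholders are skipped so a server entry with no client certificate (the wildcard "*" client) checks clean.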


We finally create or edit a peer file :
sudo leafpad /etc/ppp/peers/MYVPN
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
pty "pptp 192.168.0.40 --nolaunchpppd"

file /etc/ppp/options-pptp-eaptls

name client_kevin
remotename server

#require-mppe-128

#require-mschap-v2

usepeerdns

noauth

ipparam MYVPN

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

 


5. PPTP Connection

The Network-manager GUI seems broken with PPTP EAP-TLS, I never managed to make it work.
Using the command line, the usual commands do work :

tunnel up :
sudo pon MYVPN

tunnel down :
sudo poff MYVPN

debug launch :
sudo pon MYVPN debug dump logfd 2 nodetach


6. Password protected keys

Although it is theoretically very simple, only requiring 'password 1234' to be added to the file /etc/ppp/options-pptp-eaptls, the debug log shows the password being noticed, but the EAP authentication fails in the end.
Adding 'password 1234' to the file /etc/ppp/peers/MYVPN shows the same result.


Trying with the network-manager GUI doesn't help either.

Maybe downgrading libssl-dev brought this issue. Downgrading the server library too may solve it.
The only small protection possible is to chmod 600 the key files ( only the owner can read or write them ).

 

Published by computer outlines - in VPN PPTP

14 October 2013, 21:08

We'll see here how to set up a Public Key Infrastructure on Debian, with some explanations of the different terms and options used.


1. PKI quick reminder
We'll be creating :

a master Certificate Authority (CA) certificate and private key,
a certificate and private key pair for the server and for each client.

It is good practice to generate a distinct client key per user, and to name them so as to identify the user or computer they will be installed on, in case of departure or loss.
Extra care should be taken while transferring private keys : use an encrypted channel, or a USB drive.

Note : certificates are also commonly referred to as public keys.

 

2. Easy-RSA tools install

sudo apt-get install openvpn
sudo mkdir vpn
cd vpn
sudo cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .


3. Variables setup

We'll set up the variables according to our situation :
sudo leafpad vars

Here are the most important fields explained :

export KEY_SIZE=1024                         Key strength, use 2048 for extra strength
export KEY_COUNTRY="US"                      Organization location : country
export KEY_PROVINCE="VA"                     Region
export KEY_CITY="Norfolk"                    City
export KEY_ORG="FunStudios"                  Organization name
export KEY_EMAIL="contact@FunStudios.org"    Organization contact email
export KEY_OU="Creation"                     OU ( i.e. department )

 


4. Keys Creation

sudo -i
. ./vars
./clean-all
./build-ca

[ ENTER ] keeps the default settings entered in vars. The only exception is the CN :
check that you're using a unique CN.
If the default is used, 'FunStudios CA' is proposed.

./build-key-server server

( no challenge password )

[ ENTER ] keeps the default settings entered in vars.
CN : if the default is used, 'server' is proposed.

No options / two 'Yes' answers for the confirmations.

./build-key client_kevin
[ ENTER ] keeps the default settings entered in vars.
CN : if the default is used, 'client_kevin' is proposed.

No options / two 'Yes' answers for the confirmations.

( no challenge password )
( ./build-key client_john )

[ ENTER ] keeps the default settings entered in vars.
CN : if the default is used, 'client_john' is proposed.

No options / two 'Yes' answers for the confirmations.


We generate the Diffie-Hellman parameters :
./build-dh ( nb : that is dot, slash, build-dh )
( creates the dh1024.pem file )

 

Once again, do note that all your CNs have to be different.


Some explanations

The challenge password :
The challenge password is used internally, for various purposes ( key revocation, ... ). It is not to be confused with an encrypted key passphrase, which protects the key and is needed each time a piece of software uses the key, to unlock it.

To create passphrase-encrypted keys :
we use ./build-key-pass client_kevin
( instead of ./build-key client_kevin )

To create Windows-friendly keys ( PKCS #12 format ) :
./build-key-pkcs12 client_kevin
( instead of ./build-key client_kevin )


5. Keys management and Usage

The keys are in the /keys subfolder. There are :

for the server :

ca.crt             Root CA certificate
server.key         Server key
server.crt         Server certificate
dh1024.pem         Diffie-Hellman parameters

for the clients :

ca.crt             Root CA certificate
client_kevin.crt   client_kevin certificate
client_kevin.key   client_kevin key
client_john.crt    client_john certificate
client_john.key    client_john key


Let's sum up the different keys, their role, and their secrecy requirements :

[ Chart : keys, their role and their secrecy requirements. Source : copied from the chart on openvpn.net ]

 

Other files found in the /keys subfolder :
server.csr, client_kevin.csr, client_john.csr
They are Certificate Signing Request files.


Only .key files should be kept confidential ; .csr and .crt files can be sent over insecure ( unencrypted ) channels.
Normally, each computer will have its own certificate/key pair.

Source : openvpn.net
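The secrecy rule just stated (only .key files are confidential) and the advice in the PPTP EAP-TLS post above (chmod 600 the key files) can be checked mechanically once the keys are copied to /etc/ppp/keys. The following script is an added example, not part of this post or of Easy-RSA: it audits a directory for private keys readable by group or others and can apply the 0600 mode; `make_demo_dir` builds a constructed temporary directory with placeholder files (no real key material) so the check can be tried offline.

```python
"""Check that private keys in a keys directory are owner-only (mode 0600)."""
import stat
import tempfile
from pathlib import Path

PRIVATE_SUFFIXES = {".key"}                  # must stay confidential
PUBLIC_SUFFIXES = {".crt", ".csr", ".pem"}   # may travel over unencrypted channels


def audit_keys_dir(directory):
    """Return sorted (filename, problem) pairs for files that break the secrecy rules."""
    problems = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if path.suffix in PRIVATE_SUFFIXES:
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append((path.name,
                                 f"private key accessible by group/others (mode {mode:04o}, want 0600)"))
            if mode & stat.S_IXUSR:
                problems.append((path.name, "private key is executable"))
        elif path.suffix not in PUBLIC_SUFFIXES:
            problems.append((path.name, "unexpected file type in keys directory"))
    return problems


def fix_key_modes(directory):
    """Apply the post's advice (chmod 600 on the key files) to every .key file; return the names touched."""
    fixed = []
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix in PRIVATE_SUFFIXES:
            path.chmod(0o600)
            fixed.append(path.name)
    return sorted(fixed)


def make_demo_dir():
    """Constructed sample: a temp dir with a world-readable server.key beside public files."""
    directory = tempfile.mkdtemp(prefix="keys-demo-")
    for name, mode in (("ca.crt", 0o644), ("server.crt", 0o644), ("dh1024.pem", 0o644),
                       ("server.key", 0o644), ("client_kevin.key", 0o600)):
        path = Path(directory, name)
        path.write_text("constructed placeholder, not real key material\n")
        path.chmod(mode)
    return directory


if __name__ == "__main__":
    demo = make_demo_dir()
    print("before:", audit_keys_dir(demo))
    print("fixed:", fix_key_modes(demo))
    print("after:", audit_keys_dir(demo))
```

Run it against /etc/ppp/keys (as root, since the files belong to root) with `audit_keys_dir("/etc/ppp/keys")`; a clean result means every .key is 0600 while ca.crt, the server and client certificates and dh1024.pem keep their usual readable mode.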


6. Adding clients later

. ./vars

./build-key-pass client_tom


( we don't clean the directory with ./clean-all, which would wipe the existing keys )
( ./build-key-pass creates a password-protected key )

 

Published by computer outlines - in VPN PPTP OPENVPN

10 October 2013, 20:58

This study is about the practical usability of PPTP on public wifi hotspots ( libraries, cafes, ... ) and consumer networks ( friends' networks, ... ).

It is widely known that PPTP's use of GRE makes it less reliable than pure TCP/UDP protocols like OpenVPN, as firewalls and ISPs handle GRE in quite a peculiar way.

But how does that actually play out in real life ? This survey aims at building a statistical chart, so as to have a clear view of PPTP's real-life possibilities.

VPN 8 : A PPTP wifi-hotspots usability survey

[ Tests Ongoing ]

Published by computer outlines - in VPN PPTP

9 October 2013, 20:40

We'll see here how to protect our PPTP server with Fail2ban, to suppress brute-force attacks. The OS used is Raspbian, but this should work with any Ubuntu or Debian variant.

VPN 7 : PPTP server protection with Fail2ban

Fail2ban monitors the system logs for failed login attempts, and dynamically builds iptables rules to block individual IPs.

Do note that using Fail2ban with pptpd is kind of a hack, due to the fanciful way pptpd performs logging.

Tested using Raspbian June 2014 / Last edited July 28 2014

 

1. Fail2Ban installation

We do the usual updates :

sudo apt-get update
sudo apt-get upgrade

We install fail2ban :

sudo apt-get install fail2ban

We create a fail2ban jail.local file to add pptp :

sudo nano /etc/fail2ban/jail.local
We create a pptp entry :
------------------------------------------------------------------------------------------------------------------
[pptp]

enabled = true
port = 1723
protocol = tcp
filter = pptp
logpath = /var/log/syslog
bantime = 60
findtime = 600
maxretry = 2

------------------------------------------------------------------------------------------------------------------

The last three lines are the most important, to shape your protection :

bantime : time an IP is banned, in seconds. Negative number for a permanent ban.
maxretry : number of matches before an IP is banned
findtime : time window, in seconds, after which an IP's match counter is reset to 0

 

We create the pptp failed-connection detection filter, using a regex :
sudo nano /etc/fail2ban/filter.d/pptp.conf :
-------------------------------------------------------------------------------------------------------
[Definition]
failregex = CTRL: Client <HOST> control connection finished
ignoreregex =
--------------------------------------------------------------------------------------------------------

We restart the fail2ban service :
sudo service fail2ban restart

Note : you may need pppd debugging for this trick to work, if /var/log/syslog doesn't log IP addresses :
sudo nano /etc/ppp/options
and uncomment debug :
----------------------------------------------------------------------------------------------------------------
debug
----------------------------------------------------------------------------------------------------------------

This is kind of a hack, because there is no way for fail2ban to distinguish a failed login from a regular PPTP connection termination, due to pptpd's fanciful logging format. Thus, regular logins will be counted as failed ones, and the IP will eventually get banned. ( You will need to lift the ban manually using SSH, or cleverly design the bantime/findtime/maxretry values so as to allow regular usage while preventing brute-forcing at the same time. )
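To see how the bantime/findtime/maxretry values interact with the "control connection finished" filter, and why a legitimate client that reconnects twice within findtime gets banned, the following replay is an added example, not part of this post or of fail2ban. It expands the post's failregex with a simplified version of fail2ban's <HOST> pattern (an assumption, not fail2ban's own code), counts matches per host the way the jail parameters describe, and runs over a constructed syslog excerpt (203.0.113.5 and 198.51.100.7 are documentation addresses, not real clients).

```python
"""Replay the pptp jail from this post over constructed syslog lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from filter.d/pptp.conf; <HOST> is expanded with a simplified form of
# fail2ban's host pattern (assumption: fail2ban's real pattern is more elaborate).
FAILREGEX = r"CTRL: Client <HOST> control connection finished"
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


# Constructed syslog excerpt (not a capture from a real server).
SAMPLE_SYSLOG = """\
Oct  9 20:40:01 raspberrypi pptpd[1234]: CTRL: Client 203.0.113.5 control connection started
Oct  9 20:40:02 raspberrypi pptpd[1234]: CTRL: Client 203.0.113.5 control connection finished
Oct  9 20:40:09 raspberrypi pptpd[1235]: CTRL: Client 203.0.113.5 control connection finished
Oct  9 20:41:00 raspberrypi pptpd[1236]: CTRL: Client 198.51.100.7 control connection finished
Oct  9 20:55:00 raspberrypi pptpd[1237]: CTRL: Client 198.51.100.7 control connection finished
"""


def syslog_time(line, year=2013):
    """Syslog timestamps carry no year; assume one so the findtime arithmetic works."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


class Jail:
    """Minimal model of fail2ban's counting: maxretry matches within findtime => ban for bantime."""

    def __init__(self, failregex, maxretry=2, findtime=600, bantime=60):
        self.regex = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(list)   # host -> timestamps of matching lines
        self.banned_until = {}          # host -> ban expiry

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban, else None."""
        m = self.regex.search(line)
        if not m:
            return None
        host, now = m.group("host"), syslog_time(line)
        if host in self.banned_until and now < self.banned_until[host]:
            return None                 # already banned, nothing new to do
        window_start = now - timedelta(seconds=self.findtime)
        self.hits[host] = [t for t in self.hits[host] if t >= window_start] + [now]
        if len(self.hits[host]) >= self.maxretry:
            self.banned_until[host] = now + timedelta(seconds=self.bantime)
            self.hits[host] = []
            return host
        return None


def replay(text, **jail_opts):
    """Return the (timestamp, host) bans the jail would issue for this log text."""
    jail = Jail(FAILREGEX, **jail_opts)
    bans = []
    for line in text.splitlines():
        host = jail.feed(line)
        if host:
            bans.append((line[:15], host))
    return bans


if __name__ == "__main__":
    print("post's values (maxretry 2, findtime 600):", replay(SAMPLE_SYSLOG))
    print("findtime widened to 3600:", replay(SAMPLE_SYSLOG, findtime=3600))
```

With the post's values, 203.0.113.5 is banned on its second "finished" line seven seconds after the first, which is exactly what happens to a regular user who reconnects quickly; 198.51.100.7, whose two terminations are 14 minutes apart, stays clear because the counter has reset. Widening findtime to an hour bans it too, which is the trade-off the paragraph above describes.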

 

2. Fail2Ban use

Active bans/unbans can be checked using :
cat /var/log/fail2ban.log

Another way to check active bans is with iptables :

sudo iptables -L

 

Likewise, unbanning an IP can be performed using iptables.

 


To debug your regex matches :
sudo fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pptp.conf

If you're using the ignoreregex value too, use :

sudo fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pptp.conf /etc/fail2ban/filter.d/pptp.conf

 

nb : here we are using a jail.local file instead of editing the jail.conf file. jail.local is loaded at startup and appended to jail.conf.

 

Published by computer outlines - in VPN PPTP

8 October 2013, 03:10

I'll briefly detail here the iptables config for both the PPTP server and the PPTP client, and outline how the GRE protocol works and what it needs.

VPN 6 : iptables for your PPTP server and PPTP client

Tested using :

PPTP Server : Raspbian June 2014

PPTP Client : Debian 7.5 LXDE

Last Edited July 27 2014

 

1. The GRE negotiation explained

After the TCP control channel has exchanged some information, the peers start using the GRE layer ( IP protocol 47 ) : each peer sends a Configure-Request and waits for a Configure-Ack. If no Ack is received, the peer reissues another Configure-Request.

If a Configure-Reject or a Configure-Nak is received, the peer reissues a different Configure-Request.

Note that the two peers issue their Configure-Requests simultaneously ; there is no turn-taking. A typical, successful sequence will look like this :

Peer 1 : Configure-Request ------------------->

<------------------- Peer 2 : Configure-Request

<------------------- Peer 2 : Configure-Ack

Peer 1 : Configure-Ack -------------------------->
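The exchange above, with both peers sending at once and reissuing a different Configure-Request after a Reject or a Nak, can be modelled in a few dozen lines. The script below is an added example, not part of this post or of pppd: it is a simplified model of the LCP-style option negotiation carried inside the GRE tunnel (option names and values are illustrative, and timeouts and retransmission after a lost Ack are not modelled), with a constructed scenario in `demo()` where Peer 1 asks for an option Peer 2 does not understand and an MRU larger than Peer 2 accepts.

```python
"""Simplified model of the Configure-Request / Ack / Nak / Reject exchange described above."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Peer:
    name: str
    wants: Dict[str, object]                  # options this peer asks the other side to accept
    supported: Set[str]                       # option names it understands at all
    limits: Dict[str, int] = field(default_factory=dict)  # name -> largest value it will accept
    agreed: Optional[Dict[str, object]] = None  # set once the other side Acks our request

    def answer(self, request):
        """Reply to a Configure-Request: Reject unknown options, Nak unacceptable values, else Ack."""
        unknown = {k: v for k, v in request.items() if k not in self.supported}
        if unknown:
            return "Configure-Reject", unknown
        nak = {k: self.limits[k] for k, v in request.items()
               if k in self.limits and v > self.limits[k]}
        if nak:
            return "Configure-Nak", nak     # payload carries the values we would accept
        return "Configure-Ack", dict(request)

    def revise(self, reply_type, payload):
        """Adjust the next Configure-Request according to the reply, as the post describes."""
        if reply_type == "Configure-Reject":
            for k in payload:
                self.wants.pop(k, None)      # drop what the peer cannot handle
        elif reply_type == "Configure-Nak":
            self.wants.update(payload)       # adopt the peer's suggested values
        else:
            self.agreed = dict(payload)      # Ack: this direction is settled


def negotiate(a, b, max_rounds=10):
    """Run both directions until each request is Acked; return the transcript as (sender, type, payload)."""
    transcript = []
    for _ in range(max_rounds):
        if a.agreed is not None and b.agreed is not None:
            break
        # Both peers send in the same round: there is no turn-taking.
        for sender, receiver in ((a, b), (b, a)):
            if sender.agreed is not None:
                continue
            transcript.append((sender.name, "Configure-Request", dict(sender.wants)))
            kind, payload = receiver.answer(sender.wants)
            transcript.append((receiver.name, kind, payload))
            sender.revise(kind, payload)
    return transcript


def demo():
    """Constructed scenario: Peer 1 asks for an option Peer 2 does not know and an MRU it finds too large."""
    peer1 = Peer("Peer 1", wants={"mru": 1500, "acfc": True, "callback": 1},
                 supported={"mru", "acfc", "magic"})
    peer2 = Peer("Peer 2", wants={"mru": 1400, "magic": 0x1234},
                 supported={"mru", "acfc", "magic"}, limits={"mru": 1400})
    return peer1, peer2, negotiate(peer1, peer2)


if __name__ == "__main__":
    p1, p2, transcript = demo()
    for sender, kind, payload in transcript:
        print(f"{sender}: {kind} {payload}")
    print("agreed for Peer 1 ->", p1.agreed, "| agreed for Peer 2 ->", p2.agreed)
```

In the demo, Peer 2's request is Acked in the first round, while Peer 1 needs three Configure-Requests: one Rejected (unknown "callback"), one Naked (MRU lowered to 1400), and a third that is finally Acked. Each direction is negotiated independently, which is why a capture of a failing PPTP session should be read per direction.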

 

 

2. Server Iptables configuration

 

Here is a basic PPTP Server Iptables config ( with 192.168.1.40 as the PPTP server IP ) :

------------------------------------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT

# Accept established sessions
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow Pings.
iptables -A INPUT -p icmp -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow PPTP Control connection
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Allow GRE
iptables -A INPUT -p gre -j ACCEPT

# NAT for PPTP clients connectivity
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.40

------------------------------------------------------------------------------------------------------------

 

3. Client Iptables Configuration

The PPTP client is nothing special. We just uncomment the last line and set the port if we're using a custom PPTP TCP port :

------------------------------------------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Accept established sessions
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow Pings.
iptables -A INPUT -p icmp -j ACCEPT

# Your Hidden PPTP port
# sudo iptables -t nat -I OUTPUT -p tcp --dport 1723 -j DNAT --to-destination :57594

------------------------------------------------------------------------------------------------------------------

 

4. Iptables Boot-time Autoload

I'll briefly recall two ways to have iptables loaded automatically :

a. plain iptables script file

sudo touch /etc/init.d/firewall
sudo chmod 755 /etc/init.d/firewall
sudo update-rc.d firewall defaults

sudo leafpad /etc/init.d/firewall
--------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P INPUT DROP

etc .. ...

-----------------------------------------------------------------------------------

 

b. consolidated iptables file

sudo touch /etc/firewall.sh
sudo chmod 755 /etc/firewall.sh

 

sudo leafpad /etc/firewall.sh
--------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P INPUT DROP

etc .. ...

-----------------------------------------------------------------------------------

 

sudo sh /etc/firewall.sh

sudo iptables-save

sudo bash -c "iptables-save > /etc/iptables.conf"

 

sudo touch /etc/init.d/firewall
sudo chmod 755 /etc/init.d/firewall
sudo update-rc.d firewall defaults

sudo leafpad /etc/init.d/firewall
--------------------------------------------------------------------------------
#!/bin/bash

iptables-restore < /etc/iptables.conf

-----------------------------------------------------------------------------------

 

Published by computer outlines - in VPN PPTP

4 October 2013, 21:07

I'll briefly explain an easy tip to change the default TCP 1723 port of a PPTP server.

TCP port 1723 being an easy target for network scanners, it may prove useful to change the PPTP server listening port to a private-range port, well hidden in the dark.

Linux will be used for the PPTP client, as it allows easy manipulation of networking ports using iptables.

I'm using a Raspberry Pi as the PPTP server here, but any OS will work.

I'll use TCP port 57594 throughout this post as an example ; do choose your own private-range port ( 49152 to 65535 ).

PPTP client used : Debian 7.5 LXDE

Edited July 8 2014

VPN 5 : PPTP server hiding - change the default port

1. PPTP Server Setup

The PPTP server setup is quite simple : as it most likely sits just behind an upstream router, we just use the port-forwarding options of the upstream router to do the tweak :

we'll forward TCP port 57594 to the PPTP server's TCP port 1723.

[ Figure : upstream router forwarding TCP 57594 to TCP 1723 on the PPTP server ]

2. PPTP Client Setup

 

The PPTP client tweak is very easy : we'll just create an iptables rule, that uses the nat table to change the outgoing port :

sudo iptables -t nat -I OUTPUT -p tcp --dport 1723 -j DNAT --to-destination :57594

 

( this is not persistent. a script is needed to automate it )

 


3. Global Picture, and Additional Considerations

Here is the global picture :

[ Figure : global picture - PPTP client, Internet Gateway 1, ISP 1, ISP 2, Internet Gateway 2, PPTP server ]

Like always with PPTP, the heart of the matter will remain :

the Internet Gateway 1 / ISP 1 / ISP 2 / Internet Gateway 2 path

 

and the way they treat/handle the GRE protocol. Wireshark is of great help to troubleshoot any problems.

 

4. PPTP server port translation

Just for clarity, here is how to have the port translation performed directly by the PPTP server :

[ Figure : port translation performed on the PPTP server itself ]

The iptables tweak on the server-side will be :

sudo iptables -t nat -I PREROUTING -p tcp --dport 57594 -j REDIRECT --to-ports 1723

( again, this is not persistent ; a script is needed to automate it )

Published by computer outlines - in VPN PPTP
