~# apt-get install shorewall pptp-linux
(The Debian package that ships the pptp client binary is pptp-linux, not linux-pptp.)
PPP
Let's create a ppp peer file:
~# vim /etc/ppp/peers/zmo
I have used these options successfully. Note that require-mppe-128 implies MS-CHAPv2 authentication (the MPPE keys are derived from it), which is the strongest method PPTP offers but is considered weak by today's standards, so treat the tunnel as a convenience rather than as strong cryptography.
# Zmo PPTP VPN configuration
remotename zmo
linkname zmo
ipparam zmo
# 149.79.X.X is the remote VPN endpoint; pppd drives the pptp client over a pty
pty "pptp 149.79.X.X --nolaunchpppd"
name username
# 128-bit MPPE forces MS-CHAPv2; refuse the weaker authentication methods
require-mppe-128
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
# do not require the server to authenticate itself to us
noauth
lock
# no compression on the link
nobsdcomp
nodeflate
# redial when the link drops
persist
mtu 1400
mru 1400
Fill in the chap-secrets file (/etc/ppp/chap-secrets). The client column must match the "name" given in the peer file and the server column must match its "remotename"; keep the file mode 600, since it holds the password in clear text.
# Secrets for authentication using CHAP
# client server secret IP addresses
username zmo 2023n5t-w0re *
Network Interface
Add a stanza to /etc/network/interfaces. The "unit N" option pins the ppp unit number, so the device gets a predictable name (ppp0, ppp1, ppp5, ...) instead of the next free one; that is what lets Shorewall refer to it by name later.
# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5
Bring the link up with:
~# ifup ppp5
I recommend using this same file also for any routes you want to push through the VPN device, via "post-up" lines. One caveat: pppd forks into the background before the link is actually established, so if the route commands fail because ppp5 is not up yet, add "updetach" to the peer file (pppd then only detaches once IP is up) or move the routes into a script under /etc/ppp/ip-up.d/.
# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5
post-up /sbin/route add 149.88.X.X gw 149.19.X.X
post-up /sbin/route add -net 150.84.X.X netmask 255.255.255.0 gw 150.84.X.X
Shorewall
Define a Shorewall zone for the VPN; I will call it "zmo". The zone must first exist as an ipv4 entry in /etc/shorewall/zones (not shown here), then bind it to the interface:
~# vim /etc/shorewall/interfaces
It should look like:
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
wan eth0 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
dmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
lan eth2 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
# VPN pptp
zmo ppp5 detect tcpflags,nosmurfs,routefilter,logmartians
Allow the VPN to be reached only from the lan zone. Shorewall applies the first matching policy line, so the ACCEPT must stay above the REJECT, and both must come before the catch-all "all all" policy; if the firewall itself needs to talk to VPN hosts, add a "$FW zmo ACCEPT" line above the REJECT as well. Connections initiated from the VPN side (zmo to lan) are not listed, so they fall through to your default policy.
~# vim /etc/shorewall/policy
...
# Zmo Pptp VPN
lan zmo ACCEPT
all zmo REJECT
...
Masquerade the traffic leaving through that interface:
~# vim /etc/shorewall/masq
# For information about entries in this file, type "man shorewall-masq"
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp5 - -
NOTE: no address is needed here: Shorewall masquerades with whatever address ppp5 currently has, which is what you want for a tunnel address assigned by the server. Leave SOURCE and ADDRESS as "-"; an explicit ADDRESS (SNAT) is only needed if you want to source the traffic from a different, fixed address.
Finally, fill in Shorewall's "tunnels" file. A template ships with the documentation:
~# cp /usr/share/doc/shorewall/default-config/tunnels /etc/shorewall
It should look like this. The ZONE column is the zone through which the PPTP server is reached, here "wan" (eth0), not the zone of the tunnel itself: the entry opens the tunnel's carrier traffic, TCP port 1723 and GRE (IP protocol 47), between the firewall and the server, and that traffic never flows inside ppp5. The GATEWAY can be narrowed from 0.0.0.0/0 to the server address 149.79.X.X.
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpclient wan 0.0.0.0/0
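As an added example (not from the original post), here is a POSIX shell script that cross-checks the files above the way you would before the first ifup: that chap-secrets has a line matching the peer file's "name" and "remotename" and is mode 600, that the "unit" number agrees with the pppN interface name, that the ppp device is bound to a zone in shorewall/interfaces, and that lan to that zone resolves to ACCEPT under Shorewall's first-match policy order. It writes a constructed copy of the configuration (placeholder secret, 149.79.X.X kept) into a temporary directory and never touches /etc; the function names and the layout of the temporary tree are my own.

```shell
#!/bin/sh
# Added example: consistency checks for the pppd, ifupdown and Shorewall files
# of the Zmo PPTP setup, run against a CONSTRUCTED copy in a temporary directory.

# peer_option FILE OPTION -> value of OPTION in a pppd peer/options file
peer_option() {
    awk -v opt="$2" '{ sub(/#.*/, "") } $1 == opt { print $2; exit }' "$1"
}

# chap_secret FILE CLIENT SERVER -> the secret pppd would pick: an exact
# server match wins, otherwise the "*" wildcard line
chap_secret() {
    awk -v c="$2" -v s="$3" '
        { sub(/#.*/, "") }
        NF >= 3 && $1 == c && $2 == s { print $3; found = 1; exit }
        NF >= 3 && $1 == c && $2 == "*" && wild == "" { wild = $3 }
        END { if (!found && wild != "") print wild }' "$1"
}

# iface_unit FILE PROVIDER -> "<N of pppN> <unit value>" for the stanza whose
# "provider" is PROVIDER (the order of lines inside the stanza does not matter)
iface_unit() {
    awk -v p="$2" '
        function flush() { if (!done && prov == p) { print substr(name, 4), unit; done = 1 } }
        $1 == "iface"    { flush(); name = $2; prov = ""; unit = "" }
        $1 == "provider" { prov = $2 }
        $1 == "unit"     { unit = $2 }
        END              { flush() }' "$1"
}

# zone_of FILE IFACE -> zone bound to IFACE in shorewall/interfaces
zone_of() {
    awk -v i="$2" '!/^[[:space:]]*#/ && $2 == i { print $1; exit }' "$1"
}

# effective_policy FILE SRC DST -> action of the FIRST matching policy line,
# which is how Shorewall resolves the policy file (so order matters)
effective_policy() {
    awk -v s="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }' "$1"
}

file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_vpn ROOT PEER -> 0 when all files agree, else the number of problems found
check_vpn() {
    root=$1; peer=$2; errs=0
    remote=$(peer_option "$root/ppp/peers/$peer" remotename)
    user=$(peer_option "$root/ppp/peers/$peer" name)
    [ -n "$(chap_secret "$root/ppp/chap-secrets" "$user" "$remote")" ] ||
        { echo "no chap-secrets line for client '$user' server '$remote'"; errs=$((errs + 1)); }
    [ "$(file_mode "$root/ppp/chap-secrets")" = 600 ] ||
        { echo "chap-secrets is group/world readable: chmod 600 it"; errs=$((errs + 1)); }
    set -- $(iface_unit "$root/network/interfaces" "$peer")
    [ -n "$1" ] && [ "$1" = "$2" ] ||
        { echo "iface ppp$1 but unit '$2': Shorewall would watch the wrong device"; errs=$((errs + 1)); }
    zone=$(zone_of "$root/shorewall/interfaces" "ppp$1")
    [ -n "$zone" ] ||
        { echo "ppp$1 is not bound to any zone in shorewall/interfaces"; errs=$((errs + 1)); }
    [ "$(effective_policy "$root/shorewall/policy" lan "$zone")" = ACCEPT ] ||
        { echo "lan -> $zone does not resolve to ACCEPT (is a REJECT line above it?)"; errs=$((errs + 1)); }
    return $errs
}

# make_sample ROOT -> writes a CONSTRUCTED copy of the post's files under ROOT
make_sample() {
    root=$1
    mkdir -p "$root/ppp/peers" "$root/network" "$root/shorewall"
    printf 'remotename zmo\nlinkname zmo\nipparam zmo\n' > "$root/ppp/peers/zmo"
    printf 'pty "pptp 149.79.X.X --nolaunchpppd"\nname username\nrequire-mppe-128\n' >> "$root/ppp/peers/zmo"
    printf '# client\tserver\tsecret\tIP addresses\nusername\tzmo\tCONSTRUCTED-SECRET\t*\n' > "$root/ppp/chap-secrets"
    chmod 600 "$root/ppp/chap-secrets"
    printf 'auto ppp5\niface ppp5 inet ppp\n    provider zmo\n    unit 5\n' > "$root/network/interfaces"
    printf 'wan\teth0\tdetect\nlan\teth2\tdetect\nzmo\tppp5\tdetect\n' > "$root/shorewall/interfaces"
    printf 'lan\tzmo\tACCEPT\nall\tzmo\tREJECT\nall\tall\tREJECT\n' > "$root/shorewall/policy"
}

tmp=$(mktemp -d)
make_sample "$tmp"
if check_vpn "$tmp" zmo; then echo "zmo configuration is consistent"; fi
rm -rf "$tmp"
```

Point check_vpn at / (with the peer name) on the real box once the files are in place; any line it prints is something pppd or Shorewall would otherwise only tell you at connection time.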