Tutorials

Products and Services

Linux Tutorials

Details: Parent Category: Tutorials; Published: 28 October 2008; Hits: 13303

In this tutorial I'll show you how to install fail2ban on CentOS.

These are just installation notes and this should not be considered a complete howto.

The fail2ban script runs as a daemon and bans an IP address after too many failed login attempts. We use it for blocking failed login attempts for SSH, ProFTP and Postfix.

Fail2ban is very effective at stopping the brute-force attacks now common to all Internet-connected hosts. We have found it reliable and functional without causing problems.

Installation on Centos 5

wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2

tar -xjvf fail2ban-0.8.1.tar.bz2

cd fail2ban-0.8.1

python setup.py install

Or you cand download the rpm for CentOS 5.x from: ftp://rpmfind.net/linux/dag/redhat/el5/en/i386/dag/RPMS/fail2ban-0.8.2-2.el5.rf.noarch.rpm and install:

rpm -ivh fail2ban-0.8.2-2.el5.rf.noarch.rpm

vi /etc/fail2ban/jail.conf

Enable only the sections you need and do them one at a time. We enable SSH and ProFTP (both use /var/log/secure) as well as Postfix.

Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!

ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

Installation on SME 7

NEEDS Python 2.4!! (NOT CURRENTLY AVAILABLE)

(SME 7 uses /var/log/messages)

Startup

cp files/redhat-initd /etc/init.d/fail2ban

chkconfig --add fail2ban

chkconfig fail2ban on

service fail2ban start

Tools

Show failed SSH logins by date:

cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c

Search for correct log file:

grep such /var/log/messages*

grep ftp /var/log/messages*

grep -r NOQUEUE /var/log

This should match Postfix bans:

grep rejected /var/log/maillog

Configuration

Adjust the following sample configuration files to your needs.

# Fail2Ban jail.local configuration file

################################################

# www.starhost.ro

#

# The DEFAULT allows a global definition of the options. They can be override

# in each jail afterwards.

[DEFAULT]

# ignore Opus IP ranges

ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

# "bantime" is the number of seconds that a host is banned.

bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

# Don't know how well other backend options work.

backend = polling

[ssh-iptables]

enabled = true

filter = sshd

action = iptables[name=SSH, port=ssh, protocol=tcp]

sendmail-whois[name=SSH, dest= root@localhost, sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]

logpath = /var/log/secure

maxretry = 3

[proftpd-iptables]

enabled = true

filter = proftpd

action = iptables[name=ProFTPD, port=ftp, protocol=tcp]

sendmail-whois[name=ProFTPD, dest= This email address is being protected from spambots. You need JavaScript enabled to view it., sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]

logpath = /var/log/secure

maxretry = 3

[postfix]

enabled = true

filter = postfix

action = iptables[name=Postfix, port=smtp, protocol=tcp]

sendmail-whois[name=Postfix, dest= This email address is being protected from spambots. You need JavaScript enabled to view it., sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]

logpath = /var/log/maillog

maxretry = 5

# Fail2Ban filter.d/postfix.local configuration file

################################################

# www.starhost.ro

#

[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 554

reject: RCPT from (.*)\[<HOST>\]: 550

reject: RCPT from (.*)\[<HOST>\]: 450

ignoreregex =

# Fail2Ban action.d/sendmail-whois.local configuration file

################################################

# www.starhost.ro

#

[Definition]

actionstart = echo -en "Subject: [Fail2Ban] <name>: started

From: Fail2Ban <<sender>>

To: <dest>\n

Hi,\n

The jail <name> has been started successfully.\n

Regards,\n

Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped

From: Fail2Ban <<sender>>

To: <dest>\n

Hi,\n

The jail <name> has been stopped.\n

Regards,\n

Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actioncheck =

actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>

From: Fail2Ban <<sender>>

To: <dest>\n

Hi,\n

The IP <ip> has just been banned by Fail2Ban after

<failures> attempts against <name>.\n\n

Here are more information about <ip>:\n

`/usr/bin/dig -x <ip>`\n

Regards,\n

Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionunban =

[Init]

name = default

dest = root

sender = fail2ban

Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.

Details: Parent Category: Tutorials; Published: 07 February 2016; Hits: 1296

Today we will talk about Linux and Nginx tips and tricks that will help webmaster to tune their dedicated server to handle high traffic.

Nginx configuration nginx.conf is a file file, usually located at /etc/nginx/nginx.conf path containing configuration settings for nginx server. Cannot find the location of the file? Use locate command: >cd / then >locate nginx.conf. You may find the values in conf/extra directory.

Main parameters to tune are:

worker_processes. I usualy set to 4. Default is 1, so:

worker_processes 4;

keepalive_timeout, default is set to 0 i'm using 65:

keepalive_timeout 65;

client_max_body_size 1000M;

Another crucial parameter for increasing nginx speed is Nginx Compression. So let's see how we can serve compressed content from ngix and increase response time:

#Compression

gzip on;

gzip_static on;

gzip_comp_level 2;

gzip_min_length 1000;

gzip_buffers 32 8k;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/xml application/xml+rss;

# Disable for IE < 6 because there are some known problems

gzip_disable "MSIE [1-6].(?!.*SV1)";

# Add a vary header for downstream proxies to avoid sending cached gzipped files to IE6

gzip_vary on;

set $cache_uri $request_uri;

# POST requests and urls with a query string should always go to PHP

if ($request_method = POST) {

set $cache_uri 'null cache';

}

if ($query_string != "") {

set $cache_uri 'null cache';

}

# Don't cache uris containing the following segments

if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {

set $cache_uri 'null cache';

}

# Don't use the cache for logged in users or recent commenters

if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {

set $cache_uri 'null cache';

}

# Cache static files for as long as possible

location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {

expires max; log_not_found off; access_log off;

}

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.

Details: Parent Category: Tutorials; Published: 10 May 2012; Hits: 3159

In this tutorial I'll show you how to install DjBDNS on Ubuntu server:

apt-get install daemontools ucspi-tcp djbdns
useradd -d /var/dnscache -s /bin/false dnscache
useradd -d /var/dnscache -s /bin/false dnslog
mkdir -p /var/dnscache
dnscache-conf dnscache dnslog /var/dnscache/dnscache 0.0.0.0
touch /var/dnscache/dnscache/root/ip/0.0.0.0
ln -sf /var/dnscache/dnscache /etc/service/

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.

Details: Parent Category: Tutorials; Published: 24 November 2011; Hits: 14651

In this tutorial i'll guide you to configure your Amazon cloud sessions in order to conect to it from internet via L2TP IPSec VPN.

But first let's define some things for the new Amazon users:

EC2 Private IP Address: The internal RFC 1918 address of an instance that is only routable within the EC2 Cloud. Network traffic originating outside the EC2 network cannot route to this IP, and must use the Public IP or Elastic IP Address mapped to the instance.

EC2 Public IP Address: Internet routable IP address assigned by the system for all instances. Traffic routed to the Public IP is translated via 1:1 Network Address Translation (NAT) and forwarded to the Private IP address of an instance. The mapping of a Public IP to Private IP of an instance is the default launch configuration for all instance types. Public IP Addresses are no longer usable upon instance termination.

EC2 Elastic IP Address: Internet routable IP address allocated to an AWS EC2 account. Similar to EC2 Public Address, 1:1 NAT is used to map Elastic IP Addresses with their associated Private IP addresses. Unlike a standard EC2 Public IP Address, Elastic IP Addresses are allocated to accounts and can be remapped to other instances when desired.

This config was tested on Windows clients and they need a special adjustment on registry for AssumeUDPEncapsulationContextOnSendRule string:

Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
Click Start

Collapse this imageExpand this image, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Note You can also apply the
AssumeUDPEncapsulationContextOnSendRule
DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value Data box, type one of the following values:
- 0
  A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
- 1
  A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
- 2
  A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
Click OK, and then exit Registry Editor.
Restart the computer.

More on: http://support.microsoft.com/kb/926179/en-us

Now let's move to the Amazon server configs:

1) Openswan package install

#apt-get install openswan xl2tpd

ipsec.conf
#EC2
# /etc/ipsec.conf on remote (non-amazon) server
version 2.0

config setup
nat_traversal=yes
# we should exclude ourselves, but that's dynamic.
# The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.224.58.229/32,%v4:!192.168.2.0/24
# amazon kernels have no KLIPS support
protostack=netkey

oe=off
nhelpers=0
interfaces=%defaultroute

conn EC2
authby=secret
pfs=no
rekey=no
type=tunnel
esp=aes128-sha1
ike=aes128-sha-modp1024
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701

right=%any
rightprotoport=17/%any
rightsubnetwithin=0.0.0.0/0
auto=add

ipsec.secrets:

include /var/lib/openswan/ipsec.secrets.inc
"ELASTIC_AMAZON_IP" %any: PSK "secretkey"

xl2tpd.conf:

[global]

[lns default]
ip range = 192.168.2.2-192.168.2.254
local ip = 192.168.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = openSwanVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

options.xl2tpd:

ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
defaultroute
debug
lock
proxyarp
connect-delay 5000

chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"user" * "pass" 192.168.2.1/25

On a Windows XP client, we set things up for a quick test:
Control Panel > Network Connections > File > New connection...
Select Connect to the network at my workplace
Select Virtual Private Network connection
Company Name: Your Company
Select Do not dial the initial connection
Host name or IP address: ELASTIC_IP Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
Pre-shared key: secretkey Properties > Network > Type of VPN: L2TP IPSec VPN
Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.

Details: Parent Category: Tutorials; Published: 23 November 2011; Hits: 482

Setting Up an IPSec L2TP VPN server on Ubuntu for Windows clients

We have a Windows network (Windows server and Windows clients) at work, with an Ubuntu server that has an external IP address. I wanted to allow certain users to be able to connect via a VPN. I also wanted to allow them to do it without any special software on their machines. Our Windows Server had a private IP address and only one network card, so the basic RRAS solution was not going to work for me.

Below is the step-by-step I went through to set up a "VPN server" that would work with the native Windows client.

Running on Ubuntu Server 10.04.3 LTS on our proxy server, so it has an external IP address and an internal IP address on two different NICs. It is assumed that you run the following commands as root when needed and that you are smart enough to know when that might be.

Windows VPN clients use either PPTP or IPSec L2TP. (Windows 7 also has IKEv2, but we won't cover it here since Openswan didn't yet support NAT for IKEv2.) In this guide, we'll use IPSec L2TP. We set things up first with Pre-shared Keys (PSK) since it's easier to test, then we step through using certificates with the default Windows Server Certificate Authority (CA). I also wanted to authenticate users off of their domain password and only if they were in a particular group.

Note: In this guide, the external IP of the machine is listed as 12.34.56.78. The gateway IP is listed as 12.34.56.1. The internal IP of the VPN server (since it has a NIC on both the inside and the outside) is 192.168.1.1 in this example. Change these for your set up.

1) Install and set up the openswan package.

This will allow the Windows clients to create an IPSec SA between itself and the VPN server.

Unfortunately, the version of Openswan that comes with Lucid is now pretty out of date, and you may have trouble getting iPhones and iPads connected to this same setup if you use their package. I realize this guide is for Windows clients, but we try to be accommodating. If you want to try the regular Ubuntu packages, see the previous version of this document. As for the rest of us, we will continue on with the latest versions of things.

Download the latest version of Openswan to your computer.
wget http://openswan.org/download/openswan-2.6.35.tar.gz

Expand the file and enter the directory
tar -zxvpf openswan-2.6.35.tar.gz cd openswan-2.6.35

In order to actually compile the program, we just need to install a few packages from the default Ubuntu repositories. Then we can compile Openswan. We do these with the commands below.
apt-get install libgmp3-dev bison flex
make programs

At this point, if there were no errors in the compiling, we can go ahead and install it. (If you have the Ubuntu version of Openswan installed, you can uninstall it first with apt-get remove openswan)
sudo make install

Congratulations! The latest version of Openswan is now installed. Now we can get on with the setup.

cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/l2tp-psk.conf
nano /etc/ipsec.d/l2tp-psk.conf

Set left=12.34.56.78 [should be set to your external IP address on the machine users will connect to]
leftnexthop=12.34.56.1 [set this to your external gateway]

nano /etc/ipsec.conf

Add: include /etc/ipsec.d/l2tp-psk.conf
Also, for Windows Vista to work properly, we need to tell it which private subnets are allowed, and which are not. In our example, since our company's internal subnet is 192.168.1.0/24, we disallow that (at the end of the line).
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.1.0/24

nano /etc/ipsec.secrets

Add: 12.34.56.78 %any: "yourSharedPSK!"

/etc/init.d/ipsec restart

At this point, your VPN server should be listening on port 500/udp and 4500/udp for connections. You can check this using netstat -antu.

2) A quick test

This will check to see if the IPSec side of things is working properly.

You'll need to allow udp/500 and udp/4500 to your external interface through the firewall on your INPUT chain. I also added protocol 50. How this looks depends on your firewall implementation, but my iptables filter rules look like this:
-A INPUT -p 50 -j ACCEPT -A INPUT -p udp -d 12.34.56.78 --dport 500 -j ACCEPT -A INPUT -p udp -d 12.34.56.78 --dport 4500 -j ACCEPT

On a Windows XP client, we set things up for a quick test:
Control Panel > Network Connections > File > New connection...
Select Connect to the network at my workplace
Select Virtual Private Network connection
Company Name: Your Company
Select Do not dial the initial connection
Host name or IP address: 12.34.56.78
Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
Pre-shared key: yourSharedPSK!
Properties > Network > Type of VPN: L2TP IPSec VPN
Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network

Pay atention to Windows clients that conects to L2TP server behind NAT:

To create and configure the

http://support.microsoft.com/kb/926179/en-us

Now, monitor /var/log/auth.log (perhaps with tail -f /var/log/auth.log) and connect with the Windows client.

In the end, the connection will fail, but you should see connection attempts on the VPN server with a STATE_QUICK_R2: IPsec SA established. This means the IPSec side of things is working with the pre-shared key.

AssumeUDPEncapsulationContextOnSendRule

registry value, follow these steps:

Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
Click Start

Collapse this imageExpand this image

, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Note You can also apply the
AssumeUDPEncapsulationContextOnSendRule
DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value Data box, type one of the following values:
- 0
  A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
- 1
  A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
- 2
  A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
Click OK, and then exit Registry Editor.
Restart the computer.

3) Install xl2tpd

Since Windows default client is more than just IPSec, it uses L2TP inside of an IPSec SA, we need a daemon to handle that. Like Openswan, there have been a few bugs fixed since the version in the Ubuntu repository. Rather than compile it though, I just download a later version from a later version of Ubuntu.

After you have the .deb file downloaded, you can install it with a command such as: dpkg -i xl2tpd_1.2.8+dfsg-1_i386.deb.

Modify /etc/xl2tpd/xl2tpd.conf so it includes at least the following:

[global]
listen-addr = 12.34.56.78

[lns default]
ip range = 192.168.1.10-192.168.1.20
local ip = 192.168.1.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

The IP range specified above should be set to IP addresses of your internal network which can be given to your VPN clients. Don't worry much that we are refusing CHAP and PAP methods, because we will require MS-CHAP v2 next.

cp /etc/ppp/options /etc/ppp/options.xl2tpd
nano /etc/ppp/options.xl2tpd

Change noauth to auth.
Set name l2tpd. You can really set it to something other than l2tpd, but you have to match it in the next file.
Set mru 1280 and mtu 1280. I had some weird trouble with Vista's Remote Desktop not working over the VPN if these were left at their defaults of 1500. 1280 is chosen because that is the minimum required if the IPv6 protocol is to work as well (although that is not covered in this document).

Modify /etc/ppp/chap-secrets

#client	server		secret		IP addresses
username	l2tpd		"password"	192.168.1.1/24
l2tpd		username	"password"	192.168.1.1/24

Match the l2tpd with the name in the previous file. You can use this to test your CHAP authentication if you want... but you'd have to temporarily change the refuse chap = yes line above. I put it here just so you know how to test it if you want.

At this point, you need to add an extra rule to your firewall. Some of the sites I reference urge you to be security-minded here because if you open up this port to the whole world, then anyone may try to authenticate without IPSec. Basically, you want to allow connections to udp/1701, but they'd better be connected via IPSec. My filter rule looks like the following:
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
This will allow L2TP traffic to connect to us ONLY if it shows up in an IPSec packet. The best information I've found about how IPSec (NETKEY) interacts with the iptables firewall was found in this post by Nigel Metheringham.

The last firewall modification we need to make for xl2tpd (which we could probably get more picky if you wanted). When an L2TP connection is made, it creates a ppp# interface on the VPN server, so we need to allow it to talk to the other interfaces.
-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

4) Join Ubuntu to the Active Directory domain

I wanted to have the authentication based off of the Windows AD rather than some /etc/ppp/chap-secrets file.

apt-get install smbclient
apt-get install winbind

Make sure /etc/resolv.conf points to your DNS servers that have your AD information. Add an A and PTR record for the machine if you don't already have that.

apt-get install krb5-user (includes krb5-config)

Kerberos servers for your realm: windowsserver.example.local
Administrative servers for your realm: windowsserver.example.local

Edit /etc/samba/smb.conf (if not specifically listed, I just left the defaults):

workgroup = EXAMPLE interfaces = eth0 lo bind interfaces only = true security = ADS realm = EXAMPLE.LOCAL password server = windowsserver.example.local idmap uid = 10000-20000 idmap gid = 10000-20000

Edit /etc/krb5.conf (I believe this file is case-sensitive. I only list the lines here that I modified from the default.)

default-realm = EXAMPLE.LOCAL
[REALMS]
	EXAMPLE.LOCAL = {
		kdc = windowsserver.example.local
		admin_server = windowsserver.example.local
	}

Run: /etc/init.d/winbind restart

Note that the clocks of the Windows server and the VPN server must be within 5 minutes of each other for the next commands:

net ads join -U Administrator

This joins the Ubuntu server to the Windows domain. On one machine, I had to make sure that the FQDN was listed in /etc/hosts before it let me join the domain.

net ads testjoin

This line tests to see if the VPN server was properly joined to the AD domain.

5) Update xl2tpd/ppp to work with the Windows domain authentication

Edit /etc/ppp/options.xl2tpd and add:

require-mschap-v2 # We can enable MPPE for additional encryption, but all this should be coming over IPSec anyway #require-mppe-128 ms-dns 192.168.1.3 ms-dns 192.168.1.4 # The following lines let the authentication occur against the Windows domain, and require the user to be a member of the 'VPN Users' group on the 'EXAMPLE' domain. plugin winbind.so ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'

At this point, you should be able to connect using your Windows domain credentials rather than the chap-secrets file. For some people, this is all they really need and they skip step 6 and go to step 7.

6) Using Certificates instead of Pre-shared Keys

This assumes that you already have Certificate Services set up on your Windows Server. I don't go into a lot of detail here.

6.1) Getting a certificate for your VPN server

openssl req -new -out vpn.example.com.pem

Enter PEM pass phrase:
Country: US
State: State
Locality: City Name
Organization: Your Company Name
OU:
CN: vpn.example.com E-mail:
Challenge password:
Optional company name:

mv vpn.example.com.pem /etc/ssl/privatechmod 640 /etc/ssl/private/vpn.example.com.pem

Load up your Certification Authority on Windows. Right-click on the server, All Tasks > Submit new request... and give it the vpn.example.com.pem file you created.
Choose Pending Requests. Right-click the request, All Tasks > Issue
In Issued Certificates, Open the certificate
Details tab > Copy to File...
Choose DER encoded binary X.509 (.cer)
Export the certificate for the CA as well (not the private key!) using the Certificate snap-in of mmc.
Copy both to your VPN server.

openssl x509 -inform DER -in windowsserver.example.local.cer -outform PEM -out windowsserver.example.local.pem

This just converts the DER encoded file to a .PEM file.

cp windowsserver.example.local.pem /etc/ipsec.d/cacerts

IPSec needs to know the public key of the CA for verification purposes.

openssl x509 -inform DER -in vpn.example.com.cer -outform PEM -out vpn.example.com.pemcp vpn.example.com.pem /etc/ipsec.d/certs

Takes the generated certificate for our VPN server and lets openswan (IPSec) use it as needed.

6.2) Setting openswan to use certificates rather than PSKs

cp /etc/ipsec.d/examples/l2tp-cert.conf /etc/ipsec.d/l2tp-cert.conf
Edit /etc/ipsec.conf

Replace l2tp-psk.conf with l2tp-cert.conf.
Also, for Windows Vista to work properly, we need to tell it which private subnets are allowed, and which are not. In our example, since our company's internal subnet is 192.168.1.0/24, we disallow that (at the end of the line).
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.1.0/24

Edit /etc/ipsec.d/l2tp-cert.conf. Vista seems to like or need the leftid setting.

left=12.34.56.78 leftnexthop=12.34.56.1 leftid=@vpn.example.com leftcert=/etc/ipsec.d/certs/vpn.example.com.pem

openssl req -new -keyout vpn.example.com.pem

PEM passphrase: passphraseToAccessFile
This tells openssl to spit out our private key into a file.

mv vpn.example.com.pem /etc/ipsec.d/private/vpn.example.com.pem

Move this private key to a place where IPSec (openswan) can have access to it.

We need to modify /etc/ipsec.secrets to make sure it can use the private key associated with our certificate:

Comment out the pre-shared key we put in there earlier and add the line (including the colon):
: RSA vpn.example.com.pem "passphraseToAccessFile"

/etc/init.d/ipsec restart

6.3) Getting the Windows client to work with certificates

First off, we need to get a certificate for the Windows machine. With Windows XP Professional attached to a domain, this is fairly straight-forward and I believe you can even push the certificates to the machines. It may go something like this for you:

Start > Run > mmc > File > Add/Remove Snap-in... > Add... > Certificates > Select Computer account > Local computer > Close > OK
Highlight Certificates > Personal, Right-click > All Tasks > Request New Certificate...

However, I was dealing with a bunch of Windows XP Home machines, unfortunately, so I had to go about things in a different way. I had to download Windows Server 2003 SP1 Administration Tools Pack (Adminpak) KB304718.
From there, one could take certreq.exe, certutil.exe, certcli.dll, and certadm.dll to a different machine.
Create req.inf:

[NewRequest] Subject="CN=foo.example.com,C=US" KeyLength=2048 MachineKeySet=TRUE Silent=TRUE

Run: certreq.exe -new req.inf Request.pem
Take the Request.pem file to the CA, submit the request and issue the certificate. View the certificate details and Copy to File...
Transfer the certificate back to the original computer (we'll call it Issued.cer). Also transfer the certificate for the CA to the client machine (not the private key or anything like that).

We need to install both certificates in the Local Computer account store.
Command-line version looks like this:

certutil.exe -encode Issued.cer Issued.pem
certutil.exe -addstore "root" windowsserver.example.local.cer
certreq.exe -accept Issued.pem

This puts the Windows CA in the Trusted Root folder and accepts (into the Personal folder) the issued certificate that we requested earlier.

With Windows XP, you must run these commands as an administrative user. Windows Vista can use the same commands and needs to be running as an administrator as well. However, certutil.exe, etc. may need to be a different version between XP and Vista.

You should be able to connect to the VPN without using a PSK now!

7) Finished!

This setup should work even if the client is behind a NAT (using NAT-T on udp/4500). One caveat I've noticed however is that the client cannot be initially on the same subnet as your organization's internal IP range. Meaning, if your company is using 192.168.1.0/24 and your user happens to be using the same IP range at home, he or she will not be able to connect. For one, this is because Windows will not know how to route the packets. Is a particular packet to 192.168.1.100 meant to go over the VPN or stay local?

Another caveat that I noticed in previous setups is that I don't think two computers can connect to the server from behind the same NAT. I haven't tested this for a while, so it may be fixed in these later versions.

This is obviously a very brief setup guide and I don't go into lots of details on how it all works. You can read some of the sources at the bottom for more information. However, if you do see a better way to do things, let me know. My e-mail address can be deduced from the very bottom of the document.

Hope things work for you!

A Few Referenced Sources

The earlier version of this document
Compiling Openswan on Ubuntu
http://www.jacco2.dds.nl/networking/openswan-l2tp.html
http://support.real-time.com/open-source/ipsec/index.html
http://koeppe-net.de/l2tp-howto.txt
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm
http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.htm
http://www.jacco2.dds.nl/networking/certutil.html
http://lists.openswan.org/pipermail/users/2005-August/006101.html

-----
I hope this helps someone. Let me know if there are errors above and I'll update this document.
-W Gillespie (wgillespie, es2eng.com)

Last updated: 2011-08-19

www.linuxexpert.ro

Tutorials

Who's Online

Most Read

Products and Services

Home

Linux Tutorials

Setting Up an IPSec L2TP VPN server on Ubuntu for Windows clients

1) Install and set up the openswan package.

2) A quick test

3) Install xl2tpd

4) Join Ubuntu to the Active Directory domain

5) Update xl2tpd/ppp to work with the Windows domain authentication

6) Using Certificates instead of Pre-shared Keys

6.1) Getting a certificate for your VPN server

6.2) Setting openswan to use certificates rather than PSKs

6.3) Getting the Windows client to work with certificates

7) Finished!

A Few Referenced Sources