\dev\null: one more link :-)

2017-01-15T17:00:03Z

one more link :-)

Naujas puslapis

Analogiškas pradžiamokslis apie [[pptp]] ant [[FreeBSD]] [[FreeBSD VPN POPTOP|aprašytas čia]]. Tiesiog čia aprašyta apie tai kaip padaryti [[pptp]] [[VPN]] serverio implementaciją [[Linux]] serveryje, kuri plačiai naudojama [[Windows]] sistemose nuo [[Win9x]] laikų.

= Konfigūraciniai failai =

Keletas aspektų:
* eth0 - Serverio kuriame yra pptp interfeisas išeinantis į internetą
* eth2 - Vidinis pptp serverio tinklo interfeisas
* 192.168.1.0/24 bendras tinklo subnetas (žiūrėti, kad nekonfliktuotų su esama [[dhcp]] ar statinių [[ip]] konfigūracija)
Pirmiausia pro [[firewall|fajevolą]] prasileidžiame GRE (Generic Routing Encapsulation) protokolą:
[[iptables]] --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --protocol gre --out-interface eth0
[[iptables]] --insert INPUT 1 --source 0.0.0.0/0.0.0.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --protocol gre --in-interface eth0

== /etc/pptpd.conf ==
option /etc/ppp/pptpd-options
# debuginimo sumetimai galime atkomentuoti šią eilutę (pvz.: jeigu eilinį karta nepasisekė konfigūracija ir "kažkas neveikia")
#debug
logwtmp
# vėliau aprašysiu kaip veikia broadcastinimo relayus
#bcrelay eth2
localip 192.168.1.254
remoteip 192.168.1.200-240
== /etc/ppp/chap-secrets ==
Konfigūracinis failas aprašantis prisijungimų informaciją, vartotojo vardus, slaptažodžius bei priskiriamus ip
# Secrets for authentication using CHAP
# client server secret IP addresses
devnull pptpd 123456 *
Vietoj žvaigždutės galima vartotojui priskirti statinį vidinį ip pvz.: šiuo atveju galima įrašyti 192.168.1.200. Slaptažodis šiuo atveju yra 123456.
== /etc/ppp/options ==
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# Jeigu tinkle bus naudojamas [[SMB]] ([[samba]]) serveris galima nustatyti jį kaip wins serverį ([[samba]] konfige tai įjungus)
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51
# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
noauth
nodeflate
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password
# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
#show-password
# Use the modem control lines. On Ultrix, this option implies hardware
# flow control, as for the crtscts option. (This option is not fully
# implemented.)
modem
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0
# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
noipdefault
# Enables the "passive" option in the LCP. With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
passive
# vėlgi jeigu atsitiko bėda galima, eilutę apačioje atkomentuojame
#debug
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug 1
[[mtu]] 1450
[[mru]] 1450
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp
lcp-echo-interval 10
lcp-echo-failure 10
noipx
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
#persist
# ---<End of File>---
== /etc/ppp/pptpd-options ==
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
# chap-secrets naudojama antroji eilutė kuri naurodo lokalią sistemą pagal kurią bus autentifikuojamas vartotojas
name pptpd
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)
# Kokį šifrą naudosime ?
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
#require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2 # '''Jeigu norite apynormalės 128 bit šifruotės užkomentuokite šią eilute ir atkomentuokite sekančias dvi'''
'''#require-mppe-128'''
'''#require-mppe'''
# }}}
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
# Jeigu reikalingas debuginimas
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

= Paleidimas =

Rašome:
/usr/sbin/pptpd --fg
Žiūrime šiuos logus
/var/log/debug
/var/log/daemon

= Kliento sukonfigūravimas =

== Konfigūracija ==

Pirmiausia sudiegiame pptp
apt-get install pptp-linux
Užregistruojame naują klientą
pptpsetup --create PPTP --server SERVERIO_IP_ADRESAS --username devnull --password 123456 --start
Klientas po naujo serverio pridėjimo iškart turėtų jungtis.
Pakartotinai jungtis vėliau galima komanda:
pppd call PPTP
Arba debug režimu (matant kas vyksta)
pon PPTP debug dump logfd 2 nodetach
Jeigu matome kažką panašaus į žemiau esantį tekstą, mums pasisekė:
root@localhost:~# pon PPTP debug dump logfd 2 nodetach
pppd options in effect:
debug debug # (from command line)
kdebug 1 # (from /etc/ppp/options)
nodetach # (from command line)
logfd 2 # (from command line)
dump # (from command line)
noauth # (from /etc/ppp/peers/PPTP)
refuse-pap # (from /etc/ppp/options)
refuse-chap # (from /etc/ppp/options)
refuse-mschap # (from /etc/ppp/options)
refuse-eap # (from /etc/ppp/options)
name devnull # (from /etc/ppp/peers/PPTP)
remotename PPTP # (from /etc/ppp/peers/PPTP)
# (from /etc/ppp/peers/PPTP)
pty pptp SERVERIO_IP --nolaunchpppd # (from /etc/ppp/peers/PPTP)
crtscts # (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0 # (from /etc/ppp/options)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
ipparam PPTP # (from /etc/ppp/peers/PPTP)
netmask 255.255.255.0 # (from /etc/ppp/options)
nobsdcomp # (from /etc/ppp/peers/PPTP)
nodeflate # (from /etc/ppp/peers/PPTP)
noipx # (from /etc/ppp/options)
using channel 34
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1724c810> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x58caf7a0> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x58caf7a0> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1724c810> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x1724c810]
rcvd [LCP EchoReq id=0x0 magic=0x58caf7a0]
sent [LCP EchoRep id=0x0 magic=0x1724c810]
rcvd [CHAP Challenge id=0x79 <xxxxxxxxxxxxxx>, name = "pptpd"]
added response cache entry 0
sent [CHAP Response id=0x79 <xxxxxxxxxxxxxxxxxx>, name = "devnull"]
rcvd [LCP EchoRep id=0x0 magic=0x58caf7a0]
rcvd [CHAP Success id=0x79 "S=xxxxxxxxxxxxx M='''Access granted'''"]
response found in cache (entry 0)
CHAP authentication succeeded
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 192.168.1.254>]
sent [IPCP ConfAck id=0x1 <addr 192.168.1.254>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 192.168.1.200>]
sent [IPCP ConfReq id=0x3 <addr 192.168.1.200>]
rcvd [IPCP ConfAck id=0x3 <addr 192.168.1.200>]
local IP address 192.168.1.200
remote IP address 192.168.1.254
Script /etc/ppp/ip-up started (pid 14850)
Script /etc/ppp/ip-up finished (pid 14850), status = 0x0
rcvd [LCP EchoReq id=0x1 magic=0x58caf7a0]

== Testavimas ==

Kaip jungtis iš kliento pusės žiūr. viršuj.

Serverio pusėje. Jeigu matome '''/var/log/debug''' arba '''/var/log/daemon''' kažką panašaus į apačioje esantį tekstą, mums vėlgi pasisekė:
Dec 30 02:31:55 blastpit pppd[21067]: using channel 1699
Dec 30 02:31:55 blastpit pppd[21067]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x15386901> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #1
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <magic 0x16d47616> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <magic 0x16d47616> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #2
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x15386901> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP EchoReq id=0x0 magic=0x15386901]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Challenge id=0xab <xxxxxxxxx>, name = "pptpd"]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #3
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP EchoReq id=0x0 magic=0x16d47616]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP EchoRep id=0x0 magic=0x15386901]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #4
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP EchoRep id=0x0 magic=0x16d47616]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #5
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [CHAP Response id=0xab <xxxxxxxxxxxxxxxx>, name = "devnull"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Success id=0xab "S=xxxxxxxxxxxxxxxxxxxxxxxxxxxx M=Access granted"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfReq id=0x1 <addr 192.168.2.254>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #6
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.5.1> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #7
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfAck id=0x1 <addr 192.168.2.254>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #8
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x2 <addr 192.168.5.1> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfNak id=0x2 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #9
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x3 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfAck id=0x3 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pppd[21067]: Script /etc/ppp/ip-up started (pid 21075)
Dec 30 02:31:57 blastpit pppd[21067]: Script /etc/ppp/ip-up finished (pid 21075), status = 0x0
Dec 30 02:31:59 blastpit pptpd[21066]: GRE: accepting packet #10
Dec 30 02:31:59 blastpit pppd[21067]: rcvd [LCP EchoReq id=0x1 magic=0x16d47616]
Dec 30 02:31:59 blastpit pppd[21067]: sent [LCP EchoRep id=0x1 magic=0x15386901]

'''Pinginam vieną hostą iš kito, jeigu pingas eina, viskas ok.''' t.y:
root@host1# ping 192.168.1.200
root@host2# ping 192.168.1.254

== Galutinis paleidimas ir naudojimas ==

Serverio pusėje paleidžiame daemoną:
/etc/init.d/pptpd start
Kliento pusėje:
echo "pppd call PPTP" >> /etc/rc.local && pppd call PPTP

== Pabaigai ==
Kol kas nematysime vidinių vieno ir kito tinklo resursų be papildomo routinimo ir keletos [[firewall|fajervolo]] taisyklių kurias aprašysiu vėliau, bet tai turi atrodyti maždaug taip:
route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0
[[iptables]] --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface ppp0
[[iptables]] --insert INPUT 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0
[[iptables]] --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface ppp0
[[iptables]] --insert FORWARD 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
Nu natinimas nebūtinas nebent kartu norėsit naudoti ir pptp serverio internetus.
[[iptables]] --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE
[[iptables]] --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
Tada sumetame scriptą į /etc/ppp/ip-up.d/scriptas (nurodę kintamuosius vietoj statinių dabar parašytų interfeisų, nes kiekvienas klientas jungiantis prie pptp jų turės po vieną).
'''PASTABA!'''
Stebėtinai būtina subnetą 192.168.1.0/24 keisti į kitą visame šiame straipsnyje norint, kad viskas sklandžiai veiktų, nors galimos ir kontraversijos.

= Kaip naudoti windows sistemose kaip klientą ? =

* [https://www.my-private-network.co.uk/windows-7-pptp-setup/ skaitykite čia] (Su screenshootais!)

= Nuorodos =
Kitos susijusios nuorodos:
* [http://www.vionblog.com/debian-pptp-client-configuration/ http://www.vionblog.com/debian-pptp-client-configuration/]

[[Category:Linux]]
[[Category:Tinklas]]
[[Category:Saugumas]]
[[Category:Debian]]
[[Category:Ubuntu]]

PPTP Linux VPN Serveris - Versijų istorija

\dev\null: one more link :-)