Re: npppd and pf

2015-11-13 Thread Jeremy
Hi Imre

Thanks for your reply. I successfully translated your wiki. Your notes
were very helpful. Manually adding an entry for proxy arp does seem to
make the VPN work.

Is this really the best solution for this issue though? I would have to
add an arp entry for every IP assigned by npppd.

Would this "just work" if I put my VPN on a different subnet?

J

On Fri, 13 Nov 2015 01:29:34 +0200
Imre Oolberg <i...@auul.pri.ee> wrote:

> Hi!
> 
> I must apologize, I didn't read through your text attentively, but I
> believe it is because of ARP. Although I am just a user of npppd, I
> have run it for some time now and I think it works very well. Here are
> my notes; see if they are of some use to you. Hope Google translates
> them:
> http://www.auul.pri.ee/wiki/L2TP/IPSec_serveri_kasutamine_operatsioonis%C3%BCsteemiga_OpenBSD#ARP_proxy
> 
> 
> Imre
> 
> 
> On 2015-11-13 01:18, Jeremy wrote:
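Both symptoms in the thread follow from the posted configs: the npppd pool 192.168.7.95-127 sits inside em0's 192.168.7.0/24. pf's `antispoof quick for $int_if` expands to a block of any inbound packet with a 192.168.7.0/24 source arriving on an interface other than em0, which is exactly what a VPN client's packet arriving on pppx0 looks like, hence the change when that rule is removed. And a LAN host replying to 192.168.7.118 sends an ARP request for that address on the em0 wire, where no host owns it, unless the firewall publishes it; that is the proxy ARP entry from Imre's notes. The shell script below is an added example, not something from the thread: it checks whether a pool range overlaps an interface's subnet and, if so, generates the `arp -s <ip> <mac> pub` entries for the whole pool instead of typing them by hand. With the pool moved to its own subnet it reports no overlap: the antispoof rule no longer matches pppx traffic and no ARP entries are needed, since LAN hosts reach the clients through the firewall as their gateway. The MAC address is a placeholder, because the thread never shows em0's link address.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an npppd pool-address
# range lies inside a LAN interface's subnet and, if it does, emit one
# published (proxy) ARP entry per pool address so LAN hosts can reach the
# VPN clients through the firewall's own link address.
# Octets are parsed as decimal; leading zeros (e.g. 010) are not expected.

# ip2int DOTTED_QUAD -> unsigned 32-bit value
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip VALUE -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask LEN -> netmask as unsigned 32-bit value
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_subnet IP CIDR -> exit 0 when IP falls inside CIDR
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(prefix2mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# pool_overlaps CIDR FIRST LAST -> exit 0 when any pool address is inside CIDR
pool_overlaps() {
    s=$(ip2int "$2")
    e=$(ip2int "$3")
    net=$(ip2int "${1%/*}")
    mask=$(prefix2mask "${1#*/}")
    lo=$(( net & mask ))
    hi=$(( lo | (~mask & 4294967295) ))
    [ "$s" -le "$hi" ] && [ "$e" -ge "$lo" ]
}

# proxy_arp_cmds FIRST LAST MAC -> one arp(8) command per pool address;
# "pub" makes the firewall answer ARP requests for an address it does not hold
proxy_arp_cmds() {
    i=$(ip2int "$1")
    e=$(ip2int "$2")
    while [ "$i" -le "$e" ]; do
        echo "arp -s $(int2ip "$i") $3 pub"
        i=$(( i + 1 ))
    done
}

# Values from the posted npppd.conf and em0 network. The MAC address is a
# placeholder: the thread never shows em0's link address (on the firewall:
# ifconfig em0 | awk '/lladdr/ { print $2 }').
lan_net=192.168.7.0/24
pool_first=192.168.7.95
pool_last=192.168.7.127
lan_mac=${LAN_MAC:-00:00:00:00:00:00}

if pool_overlaps "$lan_net" "$pool_first" "$pool_last"; then
    echo "# pool $pool_first-$pool_last lies inside $lan_net: publish each address on em0"
    proxy_arp_cmds "$pool_first" "$pool_last" "$lan_mac"
else
    echo "# pool $pool_first-$pool_last is outside $lan_net: no proxy ARP needed,"
    echo "# LAN hosts reach the clients through the firewall as their gateway"
fi
```

Run it on the firewall with `LAN_MAC` set to em0's lladdr and pipe the output to `sh` to load the entries; change `pool_first`/`pool_last` to a range outside 192.168.7.0/24 to see the no-overlap branch.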



npppd and pf

2015-11-12 Thread Jeremy
I'm adding more functionality to my firewall (OpenBSD 5.7) and have been 
trying to configure PPTP VPN access for my Windows users. I have got npppd 
running using the config below and can successfully authenticate and 
establish a connection.

I am able to connect to the VPN from a windows PC but I can't reach the 
internal hosts on the network.
I suspect I have some conflicts over my internal subnet and various pf rules. 
If I remove the antispoof rule, I am able to ping the firewall on its IP and
that of the pppx0 interface (192.168.7.128)
My internal em0 is on 192.168.7.0/24 which will overlap the pppx0 interface, but
I am expecting my VPN users to appear on the same subnet. Is this valid?

I can ping the connected client on its IP 192.168.7.118 from the firewall.
I can occasionally ping some other hosts on the internal network but this
seems somewhat random and most of the time I can't reach any hosts. 
(I'm running dhcpd on this box too if that makes a difference.)

I've scanned the man pages for npppd and pf but I think I'm missing something
more fundamental. Could someone please take a quick look and see if there is 
anything obvious.

Thanks in advance.

=
# cat /etc/npppd/npppd.conf
tunnel PPTP protocol pptp
ipcp IPCP {
    pool-address 192.168.7.95-192.168.7.127
    dns-servers 192.168.7.1 8.8.8.8
}
interface pppx0 address 192.168.7.128 ipcp IPCP
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
bind tunnel from PPTP authenticated by LOCAL to pppx0


=
# ifconfig pppx0
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
        description: jeremy
        priority: 0
        groups: pppx
        inet 192.168.7.128 --> 192.168.7.118 netmask 0x



# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# macros
int_if="em0"
ext_if="em1"

tcp_services="{ 22, 113 }"
udp_services="{ 161 }"
mail_services="{ 25, 587, 993, 995 }"
web_services="{ 80, 443 }"
vpn_pptp="{ 1723 }"

icmp_types="echoreq"

web_server = "192.168.7.77"
mail_server = "192.168.7.77"

# options
set block-policy return
set loginterface egress
set skip on lo

# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

# match rules
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from $int_if:network to any nat-to (egress:0)

# filter rules
block in log

pass out quick
antispoof quick for { lo $int_if }

# Allow access to services running on the firewall
pass in on egress inet proto tcp from any to (egress) port $tcp_services flags S/SA keep state
pass in on egress inet proto udp from any to (egress) port $udp_services

# VPN Rules
pass in quick inet proto gre all
pass in log on pppx
pass in quick on egress inet proto tcp from any to (egress) port $vpn_pptp

# Redirect traffic to the interior servers
pass in on egress inet proto tcp to (egress) port $web_services rdr-to $web_server synproxy state
pass in on egress inet proto tcp to (egress) port $mail_services rdr-to $mail_server

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if
===



Re: npppd and pf

2015-11-12 Thread Imre Oolberg

Hi!

I must apologize, I didn't read through your text attentively, but I
believe it is because of ARP. Although I am just a user of npppd, I have
run it for some time now and I think it works very well. Here are my
notes; see if they are of some use to you. Hope Google translates them:
http://www.auul.pri.ee/wiki/L2TP/IPSec_serveri_kasutamine_operatsioonis%C3%BCsteemiga_OpenBSD#ARP_proxy



Imre


On 2015-11-13 01:18, Jeremy wrote:




L2TP\IPsec with npppd through PF firewall

2013-04-25 Thread Bastien Ceriani
Hello,

I'm currently discovering the npppd daemon and L2TP/IPsec VPNs.
My VPN server is in a DMZ and runs OpenBSD 5.3.

Client (192.168.1.137) - (192.168.1.233) OBSD FW (192.168.21.233) - VPN (192.168.21.14)

I correctly configured npppd and IPsec so that my client can connect directly
to the VPN server (Windows VPN server setting: 192.168.21.14), with a matching
PF configuration.

But that way my VPN will not be reachable from the Internet, so I tried to
configure my FW and PF to redirect incoming L2TP/IPsec requests arriving on
192.168.1.233 to my VPN server with these rules:


#pass in log on $lan0_if proto esp from 192.168.1.137 to 192.168.21.14
pass in log on $lan0_if proto esp from 192.168.1.137 to ($lan0_if) rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 500
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 500 rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 1701
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 1701 rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 4500
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 4500 rdr-to 192.168.21.14

It seems the first phase succeeds but the second fails. The VPN server
tries to respond to the FW and not to the client:

VPN server's /var/log/messages:

vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14


You can find my npppd configuration below:

authentication LOCAL type local {
    users-file /etc/npppd/npppd-users
}
#authentication RADIUS type radius {
#   authentication-server {
#       address 192.168.0.1 secret hogehoge
#   }
#   accounting-server {
#       address 192.168.0.1 secret hogehoge
#   }
#}

tunnel L2TP_ipv4 protocol l2tp {
    listen on 0.0.0.0
#   l2tp-require-ipsec yes
    l2tp-accept-dialin yes
    authentication-method mschapv2
}

ipcp IPCP {
    pool-address 192.168.20.1-192.168.20.254
    dns-servers 192.168.21.16 8.8.8.8
}

# use pppx(4) interface.  use one interface per ppp session.
interface pppx0 address 192.168.20.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Did I forget to configure something?

Regards,

--

Bastien CERIANI
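The posted log already says why rdr-to cannot carry this L2TP/IPsec session to a host behind the firewall. Phase 1 completes because isakmpd identifies itself as 192.168.21.14, the address the redirected packets arrive on. For phase 2 the Windows client, in IPsec transport mode, proposes the host IDs it sees on the wire: itself, 192.168.1.137, and the address it dialled, 192.168.1.233. The server holds 192.168.21.14, so it answers INVALID_ID_INFORMATION, and the client eventually tears down the phase 1 SA. Below is an added example, not from the thread, of a shell check that pulls the proposed responder IDs out of isakmpd log lines and compares them with the address the server actually holds; the sample log is the one Bastien posted, embedded inline. Checked against the firewall's own address instead (where mxb suggests running npppd), the same lines show no mismatch.

```shell
#!/bin/sh
# Added example, not from the thread: pull the phase 2 responder IDs that
# peers proposed out of isakmpd log lines and compare them with the address
# the VPN server actually holds. In transport-mode L2TP/IPsec the client's
# IDs are the addresses it sees on the wire, so a client that dialled a
# redirecting firewall proposes the firewall's address as responder ID.

# phase2_mismatch_ids SERVER_IP  (log on stdin)
# prints, once each, the proposed responder IDs that are not SERVER_IP
phase2_mismatch_ids() {
    grep 'peer proposed invalid phase 2 IDs' |
        sed -n 's/.*responder id \([0-9.][0-9.]*\).*/\1/p' |
        grep -vxF "$1" | sort -u
}

# count_invalid_id_drops  (log on stdin)
# number of messages isakmpd dropped with INVALID_ID_INFORMATION
count_invalid_id_drops() {
    grep -c 'notification type INVALID_ID_INFORMATION'
}

# diagnose SERVER_IP  (log on stdin)
# exit 0 when the IDs are consistent, 1 when a peer addressed another host
diagnose() {
    log=$(cat)
    drops=$(printf '%s\n' "$log" | count_invalid_id_drops)
    ids=$(printf '%s\n' "$log" | phase2_mismatch_ids "$1")
    if [ -z "$ids" ]; then
        echo "phase 2 IDs consistent with $1 ($drops INVALID_ID_INFORMATION drops)"
        return 0
    fi
    for id in $ids; do
        echo "peer proposed responder id $id but this host is $1:"
        echo "  the client addressed $id; the IPsec identity does not survive rdr-to"
    done
    echo "$drops message(s) dropped with INVALID_ID_INFORMATION"
    return 1
}

# The log lines Bastien posted, embedded here as sample input.
SAMPLE_LOG=$(cat <<'EOF'
vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14
EOF
)

# The server as deployed (192.168.21.14, behind the rdr-to) shows the mismatch;
# the same log checked against the firewall's own address does not.
printf '%s\n' "$SAMPLE_LOG" | diagnose 192.168.21.14
printf '%s\n' "$SAMPLE_LOG" | diagnose 192.168.1.233
```

On a live server feed it `grep isakmpd /var/log/messages | diagnose <address isakmpd binds>`; a non-zero exit with a foreign responder ID means the clients are reaching isakmpd through an address translation, which the transport-mode identities do not tolerate.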



Re: L2TP\IPsec with npppd through PF firewall

2013-04-25 Thread mxb
Why don't you run npppd directly on the OBSD FW (192.168.21.233)?

On 25 apr 2013, at 09:49, Bastien Ceriani bastien.ceri...@bulkypix.com wrote:




Re: L2TP\IPsec with npppd through PF firewall

2013-04-25 Thread Bastien Ceriani
Hi,

My boss asked me to do it like that.
But won't VPN requests decrease the router's performance?


On Thu, Apr 25, 2013 at 11:54 AM, mxb m...@alumni.chalmers.se wrote:


 Why don't you run npppd directly on the OBSD FW (192.168.21.233)?



Re: L2TP\IPsec with npppd through PF firewall

2013-04-25 Thread mxb
Depends on the hardware you are using and the configuration.

Use weaker crypto if you can,
like aes128 instead of aes256 and hmac-md5 instead of sha1 in ipsec.conf.
Or maybe use aggressive instead of main in ipsec.conf too.

Running npppd on top of 192.168.21.233 will make your life easier.



On 25 apr 2013, at 14:36, Bastien Ceriani bastien.ceri...@bulkypix.com
wrote:

 Hi,

 My boss asked me to do it like that.
 But won't VPN requests decrease the router's performance?


 On Thu, Apr 25, 2013 at 11:54 AM, mxb m...@alumni.chalmers.se wrote:

 Why don't you run npppd directly on the OBSD FW (192.168.21.233)?



Re: L2TP\IPsec with npppd through PF firewall

2013-04-25 Thread Bastien Ceriani
Well, our routers are not powerful xD

I will speak to my boss about this solution, but it would be wonderful if I
could make it work the way I/he want :(

Thx!


On Thu, Apr 25, 2013 at 2:47 PM, mxb m...@alumni.chalmers.se wrote:


 Depends on the hardware you are using and the configuration.

 Use weaker crypto if you can,
 like aes128 instead of aes256 and hmac-md5 instead of sha1 in ipsec.conf.
 Or maybe use aggressive instead of main in ipsec.conf too.

 Running npppd on top of 192.168.21.233 will make your life easier.



 On 25 apr 2013, at 14:36, Bastien Ceriani bastien.ceri...@bulkypix.com
 wrote:

 Hi,

 My boss asked me to do it like that.
 But won't VPN requests decrease the router's performance?


 On Thu, Apr 25, 2013 at 11:54 AM, mxb m...@alumni.chalmers.se wrote:


 Why don't you run npppd directly on the OBSD FW (192.168.21.233)?





--

Bastien CERIANI
Systems and Network Administrator

tel : +33 (1) 34 65 93 34

6 Avenue de Sceaux

78000 VERSAILLES - FRANCE