remove non-working setuid option
[l2tpns.git] / Docs / vpn / practical-vpns.xml
1 <?xml version="1.0"?>
2 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://docbook.org/xml/4.4/docbookx.dtd">
4
5 <article>
6 <articleinfo>
7 <title>Practical VPNs</title>
8 <subtitle>Implementing Full-scale VPNs</subtitle>
9
10 <author>
11 <firstname>Liran</firstname>
12 <surname>Tal</surname>
13 <affiliation>
14 <address>
15 <email>liran@enginx.com</email>
16 </address>
17 </affiliation>
18 </author>
19
20 <othercredit>
21 <firstname>Yakov</firstname>
22 <surname>Shtutz</surname>
23 <contrib>Special thanks</contrib>
24 </othercredit>
25
26 <othercredit>
27 <firstname>Shahar</firstname>
28 <surname>Fermon</surname>
29 <contrib>Testing and feedback</contrib>
30 </othercredit>
31
32 <abstract>
33 <para>This document was compiled from the administrator's point of
34 view, to explain what are VPNs, how they are deployed today
35 and to detail the necessary steps and tools to achieve and
36 create a fully working VPN solution, integrated with RADIUS
37 systems for AAA.</para>
38
39 <para>I will not dwell in this document on how to compile source
40 packages or kernel patching, and with the same tone I'm
41 assuming the reader is an exprerienced Linux user.</para>
42
43 <para>VPNs have their share amount of gossip for being a very
44 complex thing, and in some cases this may be true as they tend
45 to be more security intenssive which require adding more and
46 more layers to the scheme. With this said, we'll take a look
47 at how fairly straight-forward it is to setup VPNs and
48 maintain them with varius Open-Source tools.</para>
49 </abstract>
50 </articleinfo>
51
52 <sect1 id="overview">
53 <title>Overview of VPNs and IPsec</title>
54 <sect2 id="vpns">
55 <title>Virtual Private Networks</title>
56 <para>The purpose of a VPN is to create a secure channel ontop of an
57 un-secure medium, where a computer or a device are put in each
58 end-point in order to establish communication, each of these
59 end-points are often reffered to as Point of Presense, or POP.
60 This kind of a communication allows the capability of creating
61 a Virtual Private Network, which is accesable over a medium
62 such as the Internet and thus, extend the physical boundaries
63 of an existing local network.</para>
64
65 <para>VPNs have three forms:
66 <variablelist>
67 <varlistentry>
68 <term>Site-To-Site VPNs</term>
69 <listitem>
70 <para>
71 these setups exist in order to extend the local network
72 to create a much bigger LAN over the Internet.
73 </para>
74 </listitem>
75 </varlistentry>
76
77 <varlistentry>
78 <term>Network-To-Host or Remote access VPNs</term>
79 <listitem>
80 <para>
81 where a central VPN server is able to achieve multiple
82 connections, often reffered to as RoadWarrior VPNs.
83 (This setup is very common among ISPs)
84 </para>
85 </listitem>
86 </varlistentry>
87
88 <varlistentry>
89 <term>Network-To-Network</term>
90 <listitem>
91 <para>
92 extranet VPNs allow secure connections within branches
93 and business partners, they are an extension of a
94 Site-To-Site VPNs.
95 </para>
96 </listitem>
97 </varlistentry>
98 </variablelist>
99 </para>
100
101 <para><xref linkend="site-to-site"/> shows a Site-To-Site VPN diagram.
102 <figure id="site-to-site" float="1">
103 <title>Site to Site VPN</title>
104 <mediaobject>
105 <imageobject>
106 <imagedata fileref="site-to-site-vpn.png"/>
107 </imageobject>
108 </mediaobject>
109 </figure>
110 </para>
111
112 <para>IP/VPNs are connections which are based upon IP tunnels. A
113 tunnel is a way to encapsulate an IP packet inside another IP
114 packet or some other type of packet. Why do we need
115 tunneling? A Virtual Private Network is identified by IANA's
116 private IP assignments and so such packet can not go beyond
117 the uplink Internet interface.</para>
118
119 <para><xref linkend="tunneling-process"/> shows the tunneling process.
120 <figure id="tunneling-process" float="1">
121 <title>Tunneling Process</title>
122 <mediaobject>
123 <imageobject>
124 <imagedata fileref="tunneling-process.png"/>
125 </imageobject>
126 </mediaobject>
127 </figure>
128 </para>
129
130 <para>Several tunneling protocols are available for manifesting
131 VPNs.
132
133 <variablelist>
134 <varlistentry>
135 <term>L2F</term>
136 <listitem>
137 <para>Layer 2 Forwarding, an older implementation which assume
138 position at the link layer of the OSI. It has no
139 encryption capabilities and hence, deprecated.</para>
140 </listitem>
141 </varlistentry>
142
143 <varlistentry>
144 <term>L2TP</term>
145 <listitem>
146 <para>Layer 2 Tunneling Protocol, still no encryption
147 capabilities.</para>
148 </listitem>
149 </varlistentry>
150
151 <varlistentry>
152 <term>PPTP</term>
153 <listitem>
154 <para>Point-to-Point Tunneling Protocol, and yet again, no
155 encryption.</para>
156 </listitem>
157 </varlistentry>
158 </variablelist>
159 </para>
160
161 <para>As seen, the requirement of encryption enhancement is
162 urgent in order to assure authentication, data integrity and
163 privacy. IPsec solves this by providing a suite of security
164 measures implemented at layer 3.</para>
165 </sect2>
166
167 <sect2 id="ipsec">
168 <title>IP Security Suite (IPsec)</title>
169 <para>VPN Security is now appearing, this complex things. How so?
170 VPN tunnels by themselves are easily maintained by
171 single-standalone tools like pppd, l2tpns, stunnel and others.
172 Involving security with VPNs though requires more:
173
174 <itemizedlist>
175 <listitem>
176 <para>authentication, data integrity and privacy</para>
177 </listitem>
178
179 <listitem>
180 <para>keying management</para>
181 </listitem>
182 </itemizedlist>
183 </para>
184
185 <note>
186 <para>Keys are secrets being shared by two end-points to provide a
187 secure mean of communication against a third-party connection
188 from sniffing the actual data.</para>
189 </note>
190
191 <para>Different ways to handle key management include RADIUS (Remote
192 Authentication Dial In User Service) systems which provide AAA
193 (Authentication, Authorization and Accounting). Another
194 solution is ISAKMP/Oackly - Internet Security Association and
195 Key Management Protocol. This solution requires you to posess
196 one of the following:
197
198 <itemizedlist>
199 <listitem>
200 <para>something you have</para>
201 </listitem>
202
203 <listitem>
204 <para>something you know</para>
205 </listitem>
206
207 <listitem>
208 <para>something you are</para>
209 </listitem>
210 </itemizedlist>
211 </para>
212
213 <para>The more requirements you meet the more secure is the
214 medium, once established. Let's review, something we have is
215 like a certificate, it proves who we are. Something we know,
216 is a key, a secret password which we were told in a whisper,
217 and something we are is our-fingerprint which identifies
218 ourselves from other individuals.</para>
219
220 <sect3 id="ipsec-in-depth">
221 <title>IPsec in Depth</title>
222 <para>IPsec consists of two main protocols, an Authentication
223 Header and Encapsulation Security Payload, also known as AH
224 and ESP. Although it is not bound to these and can be
225 extended (and often is) to other standarts such as
226
227 <itemizedlist>
228 <listitem>
229 <para>Data Encryption Standart (DES and 3DES)</para>
230 </listitem>
231
232 <listitem>
233 <para>Diffie-Hellman (DH)</para>
234 </listitem>
235
236 <listitem>
237 <para>Secure Hash Algorithm-1 (SHA1)</para>
238 </listitem>
239
240 <listitem>
241 <para>Message Digest 5 (MD5)</para>
242 </listitem>
243
244 <listitem>
245 <para>Internet Key Exchange (IKE)</para>
246 </listitem>
247
248 <listitem>
249 <para>Certification Authorities (CA)</para>
250 </listitem>
251 </itemizedlist>
252 </para>
253
254 <para>We'll be deploying an IKE daemon to handle the key
255 management, which uses the Diffie- Hellman cryptography
256 protocol in order to allow two parties to establish a
257 connection based upon a shared secret key that both parties
258 posess. (Authentication within IKE is handled by MD5
259 hashing)</para>
260
261 <para>IKE is responsible for authentication of two IPsec parties,
262 negotiation of keys for encryption algorithms and security
263 associations. This process is commonly regarded as two
264 phases:
265
266 <variablelist>
267 <varlistentry>
268 <term>Phase 1: IKE Security Association</term>
269 <listitem>
270 <para>The IKE daemon authenticates against the peers in
271 order to achieve a secure channel, according to the
272 Diffie-Hellman key agreement.</para>
273 </listitem>
274 </varlistentry>
275
276 <varlistentry>
277 <term>Phase 2: IKE IPsec Negotiation</term>
278 <listitem>
279 <para>After achieving an authenticated channel, the
280 parties now negotiate a secure transform (the way to
281 encrypt and secure the medium) where the sender is
282 offering his/hers transform set after which the
283 receiver decides upon one. An IPsec session can now
284 safely begin.</para>
285 </listitem>
286 </varlistentry>
287 </variablelist>
288 </para>
289
290 <para>Just to be clear, a Security Association is an agreed
291 relation between two parties which describes how they will
292 use security services (from IPsec) to communicate.</para>
293 </sect3>
294
295 <sect3 id="ipsec-modes">
296 <title>IPsec Modes</title>
297 <para>IPsec can operate in two different modes:
298
299 <variablelist>
300 <varlistentry>
301 <term>Transport mode</term>
302 <listitem>
303 <para>takes place when two devices (like a station and a
304 gateway (now considered a host)) are establishing a
305 connection which upon they both support IPsec.</para>
306 </listitem>
307 </varlistentry>
308
309 <varlistentry>
310 <term>Tunnel mode</term>
311 <listitem>
312 <para>we require tunnel mode when we proxy IPsec
313 connetions between two stations behind the IPsec
314 gateway. For example, in a Site-to-Site VPN a
315 tunnel mode lives, since it exists in order to
316 provide the stations behind these gateways runing
317 the VPN/IPsec to communicate securely. In this
318 situation, both end-points are runing an IPsec
319 software.</para>
320 </listitem>
321 </varlistentry>
322 </variablelist>
323 </para>
324
325 <para>In definition, a tunnel mode IPsec is better secured than
326 transport. Without going too deep into the ins-and-outs of
327 the technical side, transport mode doesn't encapsulate the
328 actual IP layer but only the tcp/udp (Transport layer of the
329 OSI) where-as a tunnel mode encapsulate both the Transport
330 layer and the IP layer into a new IP packet.</para>
331
332 <para>To summarize, we need VPNs for data-exchange methods and a
333 set of IPsec tools for security reasons.</para>
334 </sect3>
335 </sect2>
336 </sect1>
337
338 <sect1 id="deployment">
339 <title>VPN Deployment</title>
340 <para>I've assembled another diagram to view the actual VPN setup.
341 <xref linkend="vpn-deployment"/> gives a general description of
342 how the network will be layed out in real-world scenario.
343
344 <figure id="vpn-deployment" float="1">
345 <title>VPN Deployment</title>
346 <mediaobject>
347 <imageobject>
348 <imagedata fileref="vpn-deployment.png"/>
349 </imageobject>
350 </mediaobject>
351 </figure>
352 </para>
353
354 <para>We notice that a single Linux box is acting as a Gateway and
355 has all the services included with it. This is a bad idea from a
356 security prespective but it's easy to just deploy the FreeRADIUS
357 and MySQL servers on another machine. Of course the L2TPns and
358 the rest of the IPsec tools suite would have to remain on the
359 Gateway box (not necessarily the Firewall).</para>
360
361 <para><xref linkend="vpn-process"/> attempts to explain the actual
362 process that the VPN takes and to detail the place that each of
363 that application-in-charge takes place.
364
365 <figure id="vpn-process" float="1">
366 <title>VPN Process</title>
367 <mediaobject>
368 <imageobject>
369 <imagedata fileref="vpn-process.png"/>
370 </imageobject>
371 </mediaobject>
372 </figure>
373 </para>
374
375 <sect2 id="deployment-requirements">
376 <title>Requirements</title>
377 <sect3 id="deployment-requirements-toolbox">
378 <title>The Toolbox</title>
379 <para>Following is a description of the requirements you will
380 have to meet:
381
382 <variablelist>
383 <varlistentry>
384 <term>A Linux box</term>
385 <listitem>
386 <para>preferably a 2.4.27 kernel or higher.</para>
387 <para>Debian is the chosen distribution which means we'll
388 be using apt-get for installation, but I'll also focus
389 on basic source tarballs installation.</para>
390
391 <para>Dependencies:
392
393 <itemizedlist>
394 <listitem>
395 <para>ipsec configuration in the kernel</para>
396 </listitem>
397 </itemizedlist>
398 </para>
399 </listitem>
400 </varlistentry>
401
402 <varlistentry>
403 <term>L2TPns</term>
404 <listitem>
405 <para>an L2TP PPP Termination tool.</para>
406 <para>
407 Dependencies:
408
409 <itemizedlist>
410 <listitem>
411 <para>libcli 1.8.0 or greater</para>
412 </listitem>
413
414 <listitem>
415 <para>tun/tap interface compiled in the kernel or
416 as a module</para>
417 </listitem>
418 </itemizedlist>
419 </para>
420 </listitem>
421 </varlistentry>
422
423 <varlistentry>
424 <term>FreeRADIUS</term>
425 <listitem>
426 <para>For authentication, and accounting.</para>
427 </listitem>
428 </varlistentry>
429
430 <varlistentry>
431 <term>MySQL</term>
432 <listitem>
433 <para>To act as a back-end database for the RADIUS.</para>
434 </listitem>
435 </varlistentry>
436
437 <varlistentry>
438 <term>OpenSwan</term>
439 <listitem>
440 <para>Provides the ipsec suite package.</para>
441 </listitem>
442 </varlistentry>
443 </variablelist>
444 </para>
445 </sect3>
446
447 <sect3 id="deployment-requirements-kernel">
448 <title>Kernel Support</title>
449 <para>Debian stock kernel 2.4.27 and up are ipsec compatible
450 although if you think otherwise check for the
451 kernel-patch-openswan package.</para>
452 </sect3>
453 </sect2>
454
455 <sect2 id="deployment-installation">
456 <title>Installation</title>
457 <sect3 id="deployment-installation-l2tpns">
458 <title>L2TPns</title>
459 <sect4 id="deployment-installation-l2tpns-install">
460 <title>Installation</title>
461 <blockquote>
462 <para>L2TPns is a layer 2 tunneling protocol network server
463 (LNS). It supports up to 65535 concurrent sessions per
464 server/cluster plus ISP features such as rate limiting,
465 walled garden, usage accounting, and more.</para>
466 </blockquote>
467
468 <para>In a personal note - L2TPns is highly configurable for
469 many cases, and extremely reliable for
470 production/commerical use.</para>
471
472 <para>
473 <variablelist>
474 <varlistentry>
475 <term>Step 1:</term>
476 <listitem>
477 <para>Make sure you have libcli-1.8 development
478 package installed:
479 <screen># apt-cache search libcli
480 libcli-dev - emulates a cisco style telnet command-line interface (dev files)
481 libcli1 - emulates a cisco style telnet command-line interface
482 # apt-get install libcli-dev</screen>
483 </para>
484 </listitem>
485 </varlistentry>
486
487 <varlistentry>
488 <term>Step 2:</term>
489 <listitem>
490 <para>Download the source from
491 <ulink url="http://sourceforge.net/projects/l2tpns/">
492 SourceForge</ulink>.</para>
493 </listitem>
494 </varlistentry>
495
496 <varlistentry>
497 <term>Step 3:</term>
498 <listitem>
499 <para>Build and install:
500 <code>make &amp;&amp; make install</code></para>
501 </listitem>
502 </varlistentry>
503 </variablelist>
504 </para>
505
506 <note>
507 <para>Alternately, you can skip these steps and simply
508 <code>apt-get install l2tpns</code>.</para>
509 </note>
510
511 <note>
512 <para>On RPM-based distributions, you should be able to make
513 packages from the libcli and l2tpns source tarballs with
514 <code>rpmbuild -ta</code>.</para>
515 </note>
516
517 <para>Once compiliation is done you will have l2tpns in
518 <filename>/usr/sbin/l2tpns</filename>, and all
519 configuration files can be found in
520 <filename>/etc/l2tpns/</filename>.</para>
521 </sect4>
522
523 <sect4 id="deployment-installation-l2tpns-config">
524 <title>Configuration</title>
525 <para>The only configuration that L2TPns takes is
526 centralized in the configuration file
527 <filename>/etc/l2tpns/startup-config</filename>.
528 <programlisting>set debug 2 # Debugging level
529 set log_file "/var/log/l2tpns" # Log file: comment out to use stderr, use
530 # "syslog:facility" for syslog
531 set pid_file "/var/run/l2tpns.pid" # Write pid to this file
532 set l2tp_secret <emphasis>"secret"</emphasis> # shared secret
533 set primary_dns <emphasis>212.117.128.6</emphasis> # Only 2 DNS server entries are allowed
534 set secondary_dns <emphasis>212.117.129.3</emphasis>
535 set primary_radius <emphasis>192.168.0.1</emphasis> # Can have multiple radius server entries,
536 # but ony one radius secret
537 set primary_radius_port 1812
538 set radius_secret <emphasis>"radius_secret"</emphasis>
539 set radius_accounting yes
540 set radius_dae_port 3799
541 set accounting_dir "/var/run/l2tpns/acct" # Write usage accounting files into specified
542 # directory
543 set peer_address <emphasis>192.168.0.1</emphasis> # Gateway address given to clients
544 load plugin "sessionctl" # Drop/kill sessions
545 load plugin "autothrottle" # Throttle/snoop based on RADIUS
546 load plugin "throttlectl" # Control throttle/snoop with nsctl
547 load plugin "snoopctl"</programlisting>
548 </para>
549
550 <para>This is the trimmed down version of probably most of
551 the common configuration and even some extra options.</para>
552
553 <para>Important configuration options are highlited and you
554 should adjust these to meet your network needs. We can
555 deploy all of the environment into one box which is of
556 course not a very good idea from a security point of view,
557 but will function just fine. Moreover, we will be using
558 aliased IP addresses so once you've decided to move the
559 FreeRADIUS daemon to another computer on the LAN it will
560 be fairly easy and won't take too much configuration into
561 it.</para>
562
563 <para>Next, we need to setup the IP pool that L2TPns will
564 provide to each VPN client. The configuration file is
565 located at <filename>/etc/l2tpns/ip_pool</filename> and
566 should look like the following:
567 <programlisting>172.16.21.0/24</programlisting>
568 </para>
569
570 <important>
571 <para>Of course you can change this pool to anything else
572 (IANA IPs assigned for private internets only) just make
573 sure it is not conflicting with your current LAN network
574 addresses. This means that if you've assigned addresses
575 of 192.168.0.1 and 192.168.0.2 to your LAN boxes you
576 can't have a pool of 192.168.0.1/24 defined since L2TPns
577 will try to route those addresses from the tun device,
578 which is needless to say a bad idea...</para>
579 </important>
580
581 <para>Next up, creating the access-list for L2TPns.</para>
582
583 <para>Add a username and password into
584 <filename>/etc/l2tpns/users</filename>:
585 <programlisting>admin:12345</programlisting>
586
587 The password may either be plain-text as above, or
588 encrypted with MD5 or DES (to distinguish DES from
589 plain-text passwords, prefix the value with
590 <code>{crypt}</code>).</para>
591
592 <para>L2TPns utilizes a terminal connection on port 23 which you
593 would feel very comfortable in if you have worked with
594 routers and switches devices before. The terminal
595 provides control over the ppp termination which is why
596 we've created an account to log on to.</para>
597 </sect4>
598 </sect3>
599
600 <sect3 id="deployment-installation-ipsec">
601 <title>IPsec</title>
602 <sect4 id="deployment-installation-ipsec-install">
603 <title>Installation</title>
604 <para>User-space IPsec tools for various IPsec implementations
605 exist for linux, among them is the port of KAME's
606 libipsec, setkey, and racoon. Others are the OpenSWAN (a
607 successor to the FreeSWAN project).</para>
608
609 <para>Getting IPsec installed is fairly easy with Debian:
610 <screen># apt-get install openswan</screen>
611 </para>
612
613 <para>The OpenSWAN project provides packages for RPM-based
614 distributions.</para>
615
616 <para>Alternately, you may download the
617 <ulink url="http://www.openswan.org/code/">source</ulink>
618 from the OpenSWAN project:
619
620 <screen># tar xvzf openswan-2.4.4.tar.gz
621 # cd openswan-2.4.4
622 # ./configure &amp;&amp; make &amp;&amp; make install</screen>
623 </para>
624 </sect4>
625
626 <sect4 id="deployment-installation-ipsec-config">
627 <title>Configuration</title>
628 <para>OpenSWAN acts as the IKE daemon (remember IKE? it's
629 job is to authenticate between the two peers and negotiate
630 a secure medium). We will be setting up the IKE daemon as
631 a RoadWarrior configuration, a term for remote access
632 VPNs.</para>
633
634 <para>We desire this approach for compatibilty because after
635 our VPN solution will be complete any user from a Windows
636 machine will be easily ready to connect without any 3rd
637 party applications, same for Linux.</para>
638
639 <para>Configuration files are placed in
640 <filename>/etc/ipsec.d/</filename>,
641 <filename>/etc/ipsec.conf</filename> and
642 <filename>/etc/ipsec.secrets</filename>.</para>
643
644 <para>Let's start by choosing the remote client and it's PSK
645 (Private Shared Key) <filename>/etc/ipsec.secrets</filename>:
646 <programlisting>hostname_or_ipaddress %any : PSK "mysecretkeyisverylong"</programlisting>
647 </para>
648
649 <para>This is an IP/key pair. The IP or FQDN defines the
650 local peer (like a SOHO branch), then the remote host.
651 Here we defined %any for all hosts, though it's possible
652 to define only a specific IP. At last, we define the key
653 associated with it.</para>
654
655 <para>A better way to create a key is to utilize /dev/random
656 for creating a unique key.
657 <screen># dd if=/dev/random count=16 bs=1 2>/dev/null | xxd -ps</screen>
658 </para>
659
660 <para>Next, let's prepare the configuration file
661 <filename>/etc/ipsec.conf</filename>:
662 <programlisting>version 2.0
663 config setup
664 nat_traversal=yes
665
666 conn l2tp
667 authby=secret
668 pfs=no
669 keyingtries=3
670 left=real_ip_address
671 leftnexthop=%defaultroute
672 leftprotoport=17/%any
673 right=%any
674 rightprotoport=17/%any
675 auto=add
676
677 include /etc/ipsec.d/examples/no_oe.conf</programlisting>
678 </para>
679
680 <para>In this file we have first defined version 2 which is
681 a must, then enabled NAT Traversal. To understand the
682 importance of this feature think of the following
683 scenario: A remote user attempts to connect while he's
684 behind a router and there-fore NATed. The router has to
685 de-encapsulate the packet, change things and then build
686 it up again and send it. IPsec doesn't like other people
687 messing with it's packet. That's why we solve this issue
688 with NAT Traversal.</para>
689
690 <para>Next up we configure authentication type (certificates,
691 psk, rsa keys, etc) then the left and right peers. The
692 default mode OpenSWAN takes is tunnel unless told
693 otherwise. I won't go into in-depth explanation of every
694 method, you can take a quick look at
695 <filename>/etc/ipsec.d/examples</filename> for more
696 explanation and other variations of working with RSA keys,
697 Certificates, host-to-host, and more.</para>
698
699 <para>In summary:
700 <itemizedlist>
701 <listitem>
702 <para>We've configured an almost complete IPsec VPN
703 setup.</para>
704 </listitem>
705
706 <listitem>
707 <para>We've installed and configured a VPN server
708 (L2TPns) and our IPsec security suite.</para>
709 </listitem>
710
711 <listitem>
712 <para>To control both of them we use:
713 <filename>/etc/init.d/l2tpns</filename> and
714 <filename>/etc/init.d/racoon</filename> (location
715 of start-up scripts may vary on non-Debian systems,
716 or if you've installed from
717 source).</para>
718 </listitem>
719 </itemizedlist>
720 </para>
721 </sect4>
722 </sect3>
723
724 <sect3 id="deployment-installation-freeradius">
725 <title>FreeRADIUS</title>
726 <para>The VPN setup needs to authenticate against something,
727 that is the users database which we chose to be a FreeRADIUS
728 server backed with a MySQL database.</para>
729
730 <sect4 id="deployment-installation-freeradius-install">
731 <title>Installation</title>
732 <blockquote>
733 <para>FreeRADIUS is the premiere open source RADIUS
734 server. While detailed statistics are not available, we
735 believe that FreeRADIUS is well within the top 5 RADIUS
736 servers world-wide, in terms of the number of people who
737 use it daily for authentication. It scales from embedded
738 systems with small amounts of memory, to systems with
739 millions of users. It is fast, flexible, configurable,
740 and supports more authentication protocols than many
741 commercial servers.</para>
742 </blockquote>
743
744 <para>Installing on Debian:
745 <screen># apt-get install freeradius freeradius-mysql</screen>
746 </para>
747
748 <para>From source: Download the latest freeradius package from
749 <ulink url="http://freeradius.org/getting.html">freeradius.org
750 </ulink>
751 <screen># tar xvzf freeradius.tar.gz
752 # cd freeradius
753 # ./configure &amp;&amp; make &amp;&amp; make install</screen>
754 </para>
755 </sect4>
756
757 <sect4 id="deployment-installation-freeradius-config">
758 <title>Configuration</title>
759 <para>This will appear a bit complex but it isn't, it's just
760 a lot of configuration.</para>
761
762 <para>Following are the configurations you need to have in your
763 <filename>/etc/freeradius/</filename> files.</para>
764
765 <para>In this section I will not give you a dump of the
766 configuration since they are very long and mostly default.
767 I'll just post which changes to make.</para>
768
769 <para>We haven't yet configured MySQL, but it'll come
770 afterwards, don't worry.</para>
771
772 <para>Make the following changes to the file
773 <filename>/etc/freeradius/sql.conf</filename>:
774 <programlisting>server = "192.168.0.1"
775 login = "radius"
776 password = "12345678"</programlisting>
777 </para>
778
779 <para>Add the following to the file
780 <filename>/etc/freeradius/clients.conf</filename>:
781 <programlisting>client 192.168.0.1 {
782 secret = my_secret
783 shortname = localhost
784 nastype = other
785 }</programlisting>
786 </para>
787
788 <para>Don't confuse the secret directive there with IPsec.
789 RADIUS server are using secret keys also to identify their
790 allowed NAS (Network Access Servers), these are the
791 clients that talk to the RADIUS server.</para>
792
793 <para>Also, change the <code>client 127.0.0.1 {}</code>
794 directive to hold the secret "my_secret" like we
795 configured for 192.168.0.1 to avoid conflicts.</para>
796
797 <para>Uncomment the <code>sql</code> directive in the
798 <code>authorize</code>, <code>accounting</code>, and
799 <code>session</code> sections of
800 <filename>/etc/freeradius/radiusd.conf</filename>.</para>
801
802 <para>Now for populating FreeRADIUS with MySQL. If you
803 don't know or haven't set root password for MySQL you can
804 do it now with:
805 <screen># mysqladmin -u root password password_here</screen>
806
807 Then add the following to
808 <filename>/root/.my.cnf</filename>:
809
810 <programlisting>[mysqladmin]
811 user = root
812 password = password_here</programlisting>
813 </para>
814
815 <para>Create the <code>radius</code> database, using the
816 schema given in
817 <filename>/usr/share/doc/freeradius/examples/db_mysql.sql.gz
818 </filename>.</para>
819
820 <note>
821 <para>It may be necessary to modify the column definition
822 of <code>id</code> in the <code>nas</code> table,
823 removing <code>DEFAULT '0'</code> such that the
824 definition reads:
825
826 <programlisting>id int(10) NOT NULL auto_increment,</programlisting>
827 </para>
828 </note>
829
830 <screen># mysqladmin create radius
831 # mysql radius
832 mysql> source db_mysql.sql
833 mysql> GRANT ALL ON * TO 'radius'@'localhost' IDENTIFIED BY 'radius_password';</screen>
834
835 <para>All the configuration is now done. Let's add a user
836 to our VPN database.
837 <screen># mysql radius
838 mysql> INSERT INTO radcheck values (0, "test", "User-Password", "==", "1234");</screen>
839 </para>
840
841 <para>We have now created a user in the database of username
842 <code>test</code> and password <code>1234</code>.</para>
843
844 <para>Testing the RADIUS setup is simple using the radtest
845 utility provided with it.
846 <screen># radtest
847 Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
848 # radtest test 1234 192.168.0.1 1812 my_secret</screen>
849 </para>
850
851 <para>radtest sends an Access-Request to the RADIUS server
852 and expects an Access-Accept back from it. If you're not
853 getting an Access-Accept from the RADIUS you're advised to
854 check the configuration again and see what you might have
855 missed.</para>
856 </sect4>
857 </sect3>
858
859 <sect3 id="deployment-installation-firewall">
860 <title>Firewall Configuration</title>
861 <para>We need to apply a few things to iptables configuration
862 and kernel networking.</para>
863
864 <para>First off, we need to accept VPN-specific packets
865 through the firewall. Of course you will have to adjust the
866 rules to fits you needs, in this case, ppp0 is the Internet
867 interface.
868 <screen># iptables --append INPUT --in-interface ppp0 -p udp --dport 1701 -j ACCEPT
869 # iptables --append INPUT --in-interface ppp0 -p udp --dport 500 -j ACCEPT
870 # iptables --append INPUT --in-interface ppp0 -p udp --dport 4500 -j ACCEPT
871 # iptables --append INPUT --in-interface ppp0 -p 50 -j ACCEPT</screen>
872 </para>
873
874 <para>If you haven't setup your Linux box as a gateway yet
875 then you have to allow forwarding/masqing for the boxes on
876 the LAN (and therefore for the VPN clients):
877 <screen># iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
878 # iptables --append FORWARD --in-interface eth0 -j ACCEPT
879 # echo 1 > /proc/sys/net/ipv4/ip_forward</screen>
880 </para>
881 </sect3>
882 </sect2>
883 </sect1>
884
885 <sect1 id="references">
886 <title>References</title>
887 <variablelist>
888 <varlistentry>
889 <term>VPN Reference</term>
890 <listitem>
891 <para>
892 <ulink url="http://www.jacco2.dds.nl/networking/freeswan-l2tp.html"></ulink>
893 </para>
894 </listitem>
895 </varlistentry>
896
897 <varlistentry>
898 <term>L2TPns Project</term>
899 <listitem>
900 <para><ulink url="http://l2tpns.sourceforge.net"></ulink></para>
901 </listitem>
902 </varlistentry>
903
904 <varlistentry>
905 <term>OpenSWAN Project</term>
906 <listitem>
907 <para><ulink url="http://www.openswan.org"></ulink></para>
908 </listitem>
909 </varlistentry>
910 </variablelist>
911 </sect1>
912 </article>