Linux - PPTP VPN Server (via GUI on Ubuntu)

 

How to Setup a “Split Tunnel” VPN (PPTP) Client on Ubuntu 10.04

Sometimes you need to use a VPN connection to grant access to remote network resources and for that you use a VPN, but if you don’t want all of your client traffic to go through the VPN link, you’ll need to setup your VPN to connect in a “split tunnel” mode. Here’s how to do it on Ubuntu.

Note: make sure that you’ve read our article covering how to setup a VPN server for Debian-based Linux, which also covers configuring the Windows client.

 

Split what the what now?

The “split tunnel” term refers to the fact that the VPN client creates a “tunnel” from the client all the way to the server for “private” communication.

Traditionally the VPN connection is set up to create “the tunnel” and once it is up all the client’s communication is routed through that “tunnel”. this was good back in the day when the VPN connection had a couple of goals that overlapped and complimented each other:

• The connection was meant to grant access for the road warrior from anywhere.
• All of  the client’s connections need to be secured by means of  going through the corporate firewall.
• The client computer must not be able to connect a potentially malicious network with the corporate network.

The way the VPN connection of the time achieved this goal, was to set the “default gateway” or “route” of the client machine to the corporate VPN server.

• This method, while affective for the above goals has several disadvantages, espeshelly if you are implementing the VPN connection only for the “grant access” point:
• It will slow down the entire surfing experience of the client computer to the speed of the VPN server’s upload speed, which is usually slow.
• It will disable access to local resources like other computers in the local network unless they are all connected to the VPN, and even then the access will be slowed down because it has to go all the way to the internet and come back.

To overcome these shortcomings we will create a regular VPN dialer with one note worthy exception, that we will set the system to NOT use it as the “Default Gateway” or “route” when connected.

Doing this will make it so that the client will use the “VPN tunnel” only for the resources behind the VPN server and will access the internet normally for everything else.

 

Let’s get cracking

The first step is to get into “Network connections” and then “Configure VPN”.

One way you can do this is by clicking the desktop icon for networking as shown in the picture.

Another way is to go to “System” > “Preferences” > “Network Connections”.

Once your on the “VPN” tab in the “Network connections” configurations window, click “Add”.

On the next window we only need to click “Create”, as the default connection type of PPTP is what we want to use.

In the next window give your dialer a name, fill in the gateway with your servers DNS-name or IP address as seen from the internet and fill in the user credentials.

If you have used the “Setting up a VPN (PPTP) server on Debian” guide for the server setup or you are using this client for a DD-WRT PPTP server setup, you also need to enable the MPPE encryption options for authentication.

Click on “Advanced”.

On the “Advanced Options” window check the first checkbox for the MPPE option, then the second checkbox to allow stateful encryption and click “OK”.

Back on the main window, click the “IPv4 Settings” tab.

On the routes configuration window check the checkbox of “Use this connection only for resources on its network”.

Activate the VPN connection client by clicking on the “Network connections” icon and selecting it.

That’s it, you can now access the resources on the VPN servers side as if you were on the same network while not sacrificing your download speed in the process…

 

Taken From: http://www.howtogeek.com/51340/setting-up-a-split-tunnel-vpn-pptp-client-on-ubuntu-10-04/

Linux - PPTP VPN Server & Win XP/7 Client

 

How to Setup a VPN (PPTP) Server on Debian Linux
(also tested on the Raspberry Pi on Raspbian)

VPN-ing into your server will allow you to connect to every possible service running on it, as if you were sitting next to it on the same network, without individually forwarding every port combination for every service you would like to access remotely.

Using a VPN connection also has the upshot of, if desired, granting access to other computers on the network as if you where in it locally from anywhere across the internet.

While not the most secure of the VPN solutions out there, PPTP is by far the simplest to install, configure and connect to from any modern system and from windows specifically as the client is a part of the OS since the XP days and you don’t need to mess with certificates (like with L2TP+IPsec or SSL VPNs) on both sides of the connection.

Did i get you interested? then let’s go :)

 

Preface

• You will need to forward port 1723 and the GRE protocol (47) from the internet to the server to enable the connection (not covered here).
• You will see me use VIM as the editor program, this is just because I’m used to it… you may use any other editor that you’d like.~

 

Server Setup

Install the pptp server package:
    sudo aptitude install pptpd

Edit the “/etc/pptpd.conf” configuration file:
    sudo vim /etc/pptpd.conf

Add to it:
    option /etc/ppp/pptpd-options
    localip 192.168.1.5
    remoteip 192.168.1.234-238,192.168.1.245

Where the “localip” is the address of the server, and the remoteip are the addresses that will be handed out to the clients, it is up to you to adjust these for your network’s requirements.

Edit the “/etc/ppp/pptpd-options” configuration file:
    sudo vim /etc/ppp/pptpd-options

Append to the end of the file, the following directives:
    ms-dns 192.168.1.1
    nobsdcomp
    noipx
    mtu 1490
    mru 1490

here we are assuming that we are editing the pptpd default options config and adding to it, but if for some reason you start with a black “pptpd-options”, you will need to enter those defaults (based on a “pptpd-options” on Raspberry Pi Runing Raspbian):

name pptpd

# BSD licensed ppp-2.4.2 upstream
# with MPPE only
refuse-pap
refuse-chap
refuse-mschap

# Require the peer to authenticate
# itself using MS-CHAPv2
require-mschap-v2

# Require MPPE 128-bit encryption
require-mppe-128

# Making the peer appear to other
# systems to be on the local ethernet
proxyarp

# Debian: do not replace the default route
# with this you get split tunelling
nodefaultroute

# Create a UUCP-style lock file for
# the pseudo-tty to ensure exclusive
lock

# Disable Van Jacobson compression
novj
nobsdcomp

# Turn off logging to stderr
nologfd

to get more detail on each item check a default “pptpd-options” file it’s has quite some detail on each item.

Where the IP used for the ms-dns directive is the DNS server for the local network your client will be connecting to and, again, it is your responsibility to adjust this to your network’s configuration.

Edit the chap secrets file:
    sudo vim /etc/ppp/chap-secrets

Add to it the authentication credentials for a user’s connection, in the following syntax:
    username <TAB> * <TAB> users-password <TAB> *

Restart the connection’s daemon for the settings to take affect:
    sudo /etc/init.d/pptpd restart

If you don’t want to grant yourself access to anything beyond the server, then you’re done on the server side.

 

Enable Forwarding (optional)

While this step is optional and could be viewed as a security risk for the extremely paranoid, it is my opinion that not doing it defeats the purpose of even having a VPN connection into your network.

By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network.

To achieve this we will be flipping the switch on the “forwarding” parameter of the system.

Edit the “sysctl” file:
    sudo vim /etc/sysctl.conf

Find the “net.ipv4.ip_forward” line and change the parameter from 0 (disabled) to 1 (enabled):
    net.ipv4.ip_forward=1

You can either restart the system or issue this command for the setting to take affect:
   sudo sysctl -p

With forwarding enabled, all the server side settings are prepared.

We recommend using a “Split Tunnel” connection mode for the VPN client.

A more in depth explanation about the recommended “Split Tunnel” mode, as well as instructions for Ubuntu Linux users can be found in the “Setting up a “Split Tunnel” VPN (PPTP) Client on Ubuntu 10.04” guide.

For windows users, follow the guides below to create the VPN client on your system.

 

 

PPTP VPN Dialer Setup on XP (split tunnel)

We will create a regular VPN dialer with one note worthy exception, that we will set the system to NOT use it as the “Default Gateway” when connected.

Skipping this step will limit the connecting computer’s surfing speed to the VPN server’s upload speed (usually slow) because all of it’s traffic would be routed through the VPN connection and that’s not what we want.

We need to start the connection wizard, so we will go to control panel.

Go to “Start” and then “Control Panel”.

*If your system is setup with the “Classic Start Menu” you need to just point on the “Control Panel” icon and then select “Network Connections”.

In “Control Panel” double click “Network Connections”.

Double click “New Connection wizard”.

In the “New Connection wizard” welcome screen click “Next”.

Select the “Connect to the network at my workspace” option and then “Next”.

Select the “Virtual Private Network connection” option and then “Next”.

Give a name to the VPN connection.

Type in the name of your VPN servers DNS-name or IP address as seen from the Internet.

Optionally You may choose to “Add a shortcut to the desktop” and “Finish”.

Now comes the tricky part, it is vitally important you do NOT try to connect now and go into the dialer’s “Properties”.

Go to the networking tab and change the “Type of VPN” to “PPTP VPN” as shown in the picture below (this is optional but will shorten the time it takes to connect) then go into “Properties”.

On the next window go into “Advance” without changing anything else.

On the next window, uncheck the “Use default gateway on remote network” option.

Now enter the connection’s credentials as you set them on the server and connect.

That’s it, you should now be able to access all the computers on your network from the XP client… Enjoy.

 

 

PPTP VPN Dialer Setup on Win7 (split tunnel)

We will create a regular VPN dialer with one note worthy exception, that we will set the system to NOT use it as the “Default Gateway” when connected.

Skipping this step will limit the connecting computer’s surfing speed to the VPN server’s upload speed (usually slow) because all of it’s traffic would be routed through the VPN connection and that’s not what we want.

We need to start the connection wizard, so we will go to the “Network and Sharing Center”.

Click the network icon in the system tray and then “Open Network and Sharing Center”

In the Network center click on “Set up a new connection or network”.

Select “Connect to a workplace” and then “Next”.

Click on the first option of “Use my Internet connection (VPN)”.

Set the address of your VPN server as seen from the internet either by DNS-name or IP.

Even though it won’t connect now because we stil need to go into the dialer’s properties, Set the username and password and hit connect.

After the connection will fails to connect (that’s normal), click on “Set up the connection anyway”.

Back in the “Network Center”, click on “Change adapter settings”.

Find the dialer we have just created, right click it and select “Properties”.

While its optional, for a faster connecting dialer, set the “type” of VPN to PPTP under “the “Security” tab.

Go to the “Networking” tab, select the IPv4 protocol and go into it’s properties.

In the next window, click “Advance” without changing anything else.

On the next window, uncheck the “Use default gateway on remote network” option.

Now enter the connection’s credentials as you set them on the server and connect.

That’s it, you should now be able to access all the computers on your network from the win7 client.

Note: Be sure and read our guide to setting up a VPN client for Ubuntu Linux.

Based On; http://www.howtogeek.com/51237/setting-up-a-vpn-pptp-server-on-debian/

Windows – PPTP VPN Server (+IOS Client +Port Forward)

Here we are going to show you how to set up a Home VPN by using a user PC running windows, so that you can access you home network form almost every device. 

 

 

VPN Server (Windows – User Edition)

The configuration is identical in Windows 7/8/10 (maybe on XP to)

To create the VPN Server you should go to Control Panel > Network and Internet and then Network Connections .

Ther you should press the ALT key so that the options bar appears, next you should go to File > New Incoming Connection

Select or add the users that can access the VPN

(Optional) In case that you want to define the addresses to give to the remote machines you should click on Properties

Now you have a PPTP VPN Server that receives the tunnels and forwards the traffic to the Lan, where it’s connected.

 

Port Forwarding

On your home router you need to forward PPTP trafic to your internal PPTP VPN Server.

Your need to forward:

• PPTP Port 1723: Router Public IP ==> Internal PPTP Server
• GRE Protocol (Protocol 47) : Router Public IP ==> Internal PPTP Server

 

VPN Client

Almost every system has a PPTP client already installed (IPhone / Android / Windows / Linux)

For the IPhone just do:

• Description / Descrição: Brief description of the connection
• Server / Servidor: Router Public IP / Name (DynDNS like no-ip)
• Account / Conta: User Name
• Password / Palavra-passe: Password
• 

for the other systems the configuration is also pretty straight forward

Based on:

• http://pplware.sapo.pt/microsoft/windows/tutorial-aceda-remotamente-a-sua-rede-meo-de-casa-por-vpn/

Linux – SSH Reverse Tunnel to Bypass NAT

Have you ever wanted to reach a server via some application, for example ssh, but you couldn’t because the remote computer (LinuxB) was beind NAT, and you didn’t had access to the router (CPE2-NAT) to add a port forwarding:

but if you add another server with a Public IP (LinuxM) in the midlle you can set up a Reverse SSH Tunel between the destination (LinuxB) and the server in the middle (LinuxM) that will forward conection to a local port on LinuxM to the destination port  on LinuxB via the established ssh session that has the reverse/remote tunel configured.

To test the Reverse SSH Tunel to bypass NAT I’m going to do a proof of concept (POC), with some linux (Ubuntu) machines with private addressing, the cenario looks like this:

Linux_M – Middleman
===========================================================

## Hostname ##
sudo nano /etc/hostname
LinuxM
hostname LinuxM
hostname

sudo nano /etc/hosts
127.0.1.1       LinuxM
 
 
## Interfaces ##
sudo ifdown eth0                                                                 
sudo ifconfig eth0 192.168.1.254 netmask 255.255.255.0
sudo ifup eth0                                      

sudo ifdown eth1                                                                 
sudo ifconfig eth1 172.16.1.254 netmask 255.255.255.0
sudo ifup eth1                                      

## IP Forwarding (Routing) ##
sudo  sysctl -w net.ipv4.ip_forward=1

## Activate Gateway Ports ##
sudo nano /etc/ssh/sshd_config
GatewayPorts yes
sudo service ssh stop
sudo service ssh start

#####################################################
# When you forward a TCP port (either locally or
# remotely), by default SSH only listens for
# connections to the forwarded port on the loopback
# address (localhost, 127.0.0.1). This means only
# other programs running on the same host as the
# listening side of the forwarding can connect to
# the forwarded port. This is a security feature,
# since there is no authentication applied to such
# connections. Also, such a forwarded connection is
# potentially insecure, since a portion of it is
# carried over the network in a plain TCP connection
# and not protected by SSH.
#####################################################

       

Linux_B – Destination
===========================================================

## Hostname ##
sudo nano /etc/hostname
LinuxB
hostname LinuxB
hostname

sudo nano /etc/hosts
127.0.1.1       LinuxB
 
 
## Interface ##
sudo ifdown eth0                                                                 
sudo ifconfig eth0 172.16.1.1 netmask 255.255.255.0
sudo ifup eth0                                      

## Route (default) ##
sudo route add default gw 172.16.1.254 eth0

## Reverse/Remote SSH Tunnel ##
ssh -R 10002:localhost:22 lubuntu@172.16.1.254

######################################################
# This sets up the reverse/remote ssh tunnel
# between the destination (LinuxB) and the server
# in the middle (LinuxM) that will forward connection
# on the local port 10002 on LinuxM to the
# destination port 22 LinuxB via the established
# ssh session that has the reverse/remote tunel
# configured.
#
# After this command you will have the reverse/remote
# ssh thunnel configured and the bash/CLI of LinuxM.
#
# YOU MUST MAINTAIN THE BASH/CLI OF LinuxM ON LinuxB
# VIA SSH, FOR THE FORWARDING/TUNNELING TO WORK
#####################################################

At this point you have this:

the reverse/remote ssh tunnel wating for a connection on LinuxM on port 10002 to forward LinuxB on port 22 (ssh)

 

Linux_A – Client
===========================================================

## Hostname ##
sudo nano /etc/hostname
LinuxA
hostname LinuxA
hostname

sudo nano /etc/hosts
127.0.1.1       LinuxA

 
## Interface ##
sudo ifdown eth0                                                                 
sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo ifup eth0                                      

## Route (default) ##
sudo route add default gw 192.168.1.254 eth0   

## Connect LinuxM (will forward to LinuxB) ##
## Gateway Ports = ON on LinuxM                ##
ssh lubuntu@192.168.1.254 -p 10002

or

## Connect LinuxM (will not forward to LinuxB) ##
## Gateway Ports = OFF on LinuxM                      ##
ssh lubuntu@192.168.1.254         
ssh lubuntu@localhost -p 10002
######################################################
# Assuming the "Gateway Ports" is OFF, then the
# reverse/remote ssh tunnel will only be accessible
# on LinuxM locally
#
# So in the above commands we first connect via SSH
# to LinuxM, and from there connect local ports of the
# reverse/remote ssh tunnel so that it will forward
# the connection on the local port 10002 of LinuxM
# to the destination port 22 LinuxB
#####################################################

At this point you have this (Gateway Ports = ON):

and you should be in the bash/CLI of LinuxB

 

Related Links:

• http://www.marksanborn.net/howto/bypass-firewall-and-nat-with-reverse-ssh-tunnel/
• http://www.snailbook.com/faq/gatewayports.auto.html
  

 

Linux - Sending Email Alerts with Cron

Sending Email Alerts Through Cron

Cron is the Linux task scheduler that is responsible for making sure scripts run at their specified times. Cron is often used for things like, log rotation, backup scripts, updating file indexes, and running custom scripts. In the event a task runs into problems or errors Cron generally tries to email the local administrator of the machine. This means it tries to send an email to itself instead of an “internet accessible” email address like, ‘user@gmail.com’.

We can change this default behavior by changing the MAILTO variable.

Note: This will not work if you have not setup an email server.

 

Setting The Email Sending (Gmail and sSMTP)

Sometimes we want to enable our servers/desktops to be able to send email without setting up a full featured mail server or configuring postfix to route through Gmail.

sSmtp is an extremely simple, resource conserving, SMTP server that will allow your desktop or server to send email. In this article we are going to use sSMTP to send outgoing email through Gmail.

 

Install sSMTP

Debian/Ubuntu users can Install with this command or click here to open up apt:

sudo apt-get install ssmtp

We need to then need to edit, ‘/etc/ssmtp/ssmtp.conf’:

root=username@gmail.com mailhub=smtp.gmail.com:587 rewriteDomain= hostname=username@gmail.com UseSTARTTLS=YES AuthUser=username AuthPass=password FromLineOverride=YES

Then add each account that you want to be able to send mail from by editing, ‘/etc/ssmtp/revaliases‘:

root:username@gmail.com:smtp.gmail.com:587 localusername:username@gmail.com:smtp.gmail.com:587

 

Now try sending an email

You can send an email through your favorite email client, like ‘mutt’, or type:

sudo ssmtp someemail@email.com

You will then type your message, hit enter and ‘ctrl+d‘

Now that you have a simple outgoing email server setup, you can do all sorts of neat things:

• Configure cron jobs to send log reports to your email address
• Alert you of all kinds of system changes
• Send email alerts when your computer reaches a certain temperature
• Send email through PHP, Python, Ruby, and Perl

 

Setting the MAILTO variable

Cron relies on a simple text file to schedule commands. To edit this file just issue the crontab command:

crontab -e

To change the MAILTO variable just add ‘MAILTO=username@domain.com’ into the crontab file.

It should look something like this:

Specify Email for Each Script

If we don’t want all output to go to the same email address we can specify the output of a particular script to go to a different email address:

59 */6 * * * script.sh | mail -s "Subject of Mail" someother@address.com

 

Email Alerts for All but One

If you have a specific script in your crontab that you don’t want output or errors emailed to you, simply add, ‘>/dev/null 2>&1’ to the end of the command.

59 */6 * * * script.sh >/dev/null 2>&1

To find out what else you can do with cron check out, Learning Cron by Example.

 

Based On:

• http://www.nixtutor.com/linux/sending-email-alerts-through-cron/
• http://www.nixtutor.com/linux/send-mail-with-gmail-and-ssmtp/

Cisco - Router / Switch as an HTTP Server

You can use your Cisco router / switch as a Web server, Cisco IOS routers have HTTP interface since IOS 11.2, in IOS 12.2(15)T it was enhanced with HTTP 1.1 Web server that offers Secure Socket Layer (SSL) Version 3.

Let’s test it out, I actually did this on a switch (cisco 3560)

First let’s check current root folder for the HTTP server, in order to get a reference to restore the HTTP root path later:

DSw1#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c3560-ipservicesk9-mz.150-1.SE/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

To transfer the web page we are going to use TFTP, for the server just run TFPT32 / TFTP64 in your computer, and point it to the folder where you have the web page you want to transfer to your router / switch.

On router / switch copy the web page from the TFTP server (your PC) to your router / switch:

DSw1#copy tftp://192.168.1.52/index.html flash://index.html
Destination filename [index.html]?
Accessing tftp://192.168.1.52/index.html...
Loading index.html from 192.168.1.52 (via Vlan99): !
[OK - 15772 bytes]

 
DSw1#show flash
Directory of flash:/
     2  -rwx       15772   Mar 1 1993 00:26:36 +00:00  index.html
      3  -rwx          1276   Mar 1 1993 00:00:40 +00:00  vlan.dat
  363  drwx         256   Mar 1 1993 00:39:23 +00:00  c3560-ipservicesk9-mz.150-1.SE
  487  -rwx        4189   Mar 1 1993 00:19:41 +00:00  config.text

Now in the golbal configuration mode lets enable the HTTP server, set the path to root folder of the HTTP server, and activate local authentication, and a local user and password (if you don’t already don’t have one)

ip http server
ip http path flash://
ip http authentication local

username admin privilege 15 password 0 cisco  (the user level must be 15)

you can also have HTTPS (secure) server using by adding the following command:

ip http secure-server

Here's a list of important commands you should know. These commands are in global configuration mode and have the format “ip http xxxxx”.

• access-class: This restricts access to your Web server using an access list.
• authentication: This sets the authentication for login to the Web server to either local, enable, or tacacs.
• path: This establishes the root path where the Web server begins looking for files.
• port: This allows you to change the port number for the Web server from 80 to another port.
• server: This enables and disables the Web server.
• secure-server: This enables and disables the SSL Web server.
        

Let’s check the new root folder for the HTTP server:
   
DSw1#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path: flash:/
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
   

Now open your browser, and type:

http://<your_router_or_switch_ip_address>

you will be prompted for a local user and password, and you should get you web page shown:
   

Based On: http://www.techrepublic.com/article/take-advantage-of-the-cisco-ios-web-server-on-your-router/