Published by Viviana Batts, modified over 10 years ago
1
VPN using SSH: Implementing a secure Unix to Unix Virtual Private Network
Gary Stainburn, Ringways Garages Ltd.
2
Andrew’s Talk
Excellent talk covering theory and history
Implemented pptp - most common use of VPN
However, my way is better.
3
Ssh is better, why?
Always secure - no need to patch kernel
True Unix to Unix connection
Better for LAN to LAN
Modular
– ssh (zlib, ssl, ssh)
– port redirector
– pppd
4
Why VPN
Look at an APN.
5
Why VPN
Look at an APN.
– Existing Ringways APN (a.k.a. WAN)
6
Proposed Internet Link
Ringways were looking for an internet link
7
Suggested VPN
Suggested replacing existing lines with:
8
Actually Went With
9
What if we grow?
11
Definitely VPN
12
Points to Consider
APN
– Cost of line vs benefits received
– Who meets costs?
VPN
– No cost if link already available
– Split cost if not already available
13
Implications
Lower costs = more uses
More uses = more connections
More connections = more access points
14
Security
Firewall - one point of access
Multiple access points
Weakness in remote end - Win95?
Other people administrating
Treat VPN users as notebook users
15
Security - Server
When planning to set up a VPN server:
– Needs public access
– Can be behind firewall - ssh works over NAT
– Preferably no other access
– Can be on firewall
16
So, how’s it work?
Uses an existing unsecured network
Runs an ssh session over that connection
Redirects a pppd session over it.
17
Ssh - So, what do I need?
For RedHat 6 systems:
– zlib-1.1.3-6.i386.rpm - already installed
– openssl-0.9.5a.i386.rpm
– openssh-2.1.1p2-1.i386.rpm
– openssh-clients-2.1.1p2-1.i386.rpm
– openssh-server-2.1.1p2-1.i386.rpm
– pppd
18
Ssh - So, what do I need?
For everything else:
– zlib-1.1.3.tar.gz - ftp://ftp.cdrom.com/pub/infozip/zlib
– openssl-0.9.5a.tar.gz - http://www.openssl.org
– openssh-2.1.1p2.tar.gz - http://www.openssh.com
– pppd
19
Ssh - So what do I do?
For RedHat 6 systems:
– rpm -i openssl-0.9.5a.i386.rpm
– rpm -i openssh-2.1.1p2-1.i386.rpm
– rpm -i openssh-clients-2.1.1p2-1.i386.rpm
– rpm -i openssh-server-2.1.1p2-1.i386.rpm
20
Ssh - So what do I do?
For everything else:
– untar zlib-1.1.3.tar.gz
– ./configure
– make
– make test
– make install
21
Ssh - So what do I do?
For everything else:
– untar openssl-0.9.5a.tar.gz
– ./config
– make
– make test
– make install
22
Ssh - So what do I do?
For everything else:
– untar openssh-2.1.1p2.tar.gz
– ./configure
– make
– make install
23
Ssh - So what do I do?
As root run:
– ssh-keygen
This creates the .ssh directory, which contains the private and public keys.
Create authorized_keys from the public key.
24
Ssh - So what do I do?
Copy identity.pub from the client machine to the server machine
– Client = makes call
– Server = receives call
Append this file to /root/.ssh/authorized_keys
Make sure sshd is running on the server
25
Ssh - How do I test it
On the client
– ssh
If you have done everything correctly you should now have an ssh session open and the command prompt of the server machine on-screen.
26
So what’s next - Server
Edit /etc/ppp/options to include:
– ipcp-accept-local
– ipcp-accept-remote
– proxyarp
– noauth
27
So what’s next - Server
Create a vpnusers group and user
– add group vpnusers to /etc/group:
  vpnusers:*:504:
– add user vpnusers to /etc/passwd (login shell is pppd, primary group is the vpnusers group just created):
  vpnusers:*:504:504:VPN User:/home/vpnusers:/usr/sbin/pppd
– mkdir /home/vpnusers
– chown vpnusers:vpnusers /home/vpnusers
28
So what’s next - Server
Create the /home/vpnusers/.ssh directory
Create the file .ssh/authorized_keys
Add the public keys of everyone who needs access.
29
So what’s next - Client
As root run:
– mkdir /root/.ssh
– ssh-keygen -f /root/.ssh/identity.vpn -P ""
– add the new file identity.vpn.pub to authorized_keys on the server.
30
So what’s next - Client
– Get http://www.shinythings.com/vpnd/vpnd.tar.gz
– Unpack it into /usr/local/vpn
– copy pty-redir to /usr/sbin
31
So what’s next - Client
As root run:
– pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpnusers curly >/tmp/vpn-device
– sleep 10
– /usr/sbin/pppd `cat /tmp/vpn-device`
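The client steps on the last three slides, collected into one script as an added example (not from the talk or the vpnd package). It assumes pty-redir in /usr/sbin, the key at /root/.ssh/identity.vpn, the server name curly and the account vpnusers from the server slides; it swaps the fixed sleep 10 for a wait on the device name, hands pppd nothing but a pty name, and checks the key's file mode, since a key made with -P "" has no other protection.

```shell
#!/bin/sh
# vpn-up: client side of the ssh + pppd VPN from the slides (added example).
# Assumed: pty-redir in /usr/sbin, key /root/.ssh/identity.vpn, server "curly",
# account "vpnusers" (whose login shell on the server is pppd).
SERVER=${SERVER:-curly}
VPNUSER=${VPNUSER:-vpnusers}
KEY=${KEY:-/root/.ssh/identity.vpn}
# Device name goes to a root-only dir, not world-writable /tmp as on the slide.
DEVFILE=${DEVFILE:-/var/run/vpn-device}

# The key was made with -P "", so its file mode is the only guard on it:
# refuse a key that is readable by group or others.
check_key_perms() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# pppd is only ever handed a pty name, never arbitrary file contents.
validate_device() {
    case "$1" in
        /dev/pts/[0-9]|/dev/pts/[0-9][0-9]|/dev/pts/[0-9][0-9][0-9]) return 0 ;;
        /dev/ttyp?|/dev/ttyq?) return 0 ;;
        *) return 1 ;;
    esac
}

# Replaces the slide's blind "sleep 10": poll until pty-redir has written a
# valid device name. $1 = file, $2 = timeout in seconds. Prints the name.
wait_for_device() {
    n=0
    while [ "$n" -lt "$2" ]; do
        dev=$(cat "$1" 2>/dev/null || true)
        if [ -n "$dev" ] && validate_device "$dev"; then
            printf '%s\n' "$dev"
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

vpn_up() {
    check_key_perms "$KEY" || { echo "$KEY must be mode 0600" >&2; return 1; }
    /usr/sbin/pty-redir ssh -t -e none -o 'BatchMode yes' -c blowfish \
        -i "$KEY" -l "$VPNUSER" "$SERVER" >"$DEVFILE"
    dev=$(wait_for_device "$DEVFILE" 30) || { echo "no pty from ssh" >&2; return 1; }
    exec /usr/sbin/pppd "$dev"
}
# Connect only when run as "vpn-up up"; otherwise just define the functions.
case "${1:-}" in up) vpn_up ;; esac
```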
32
And Finally
On the client and the server
– Edit /etc/ppp/ip-up to add routes across the VPN
– Edit /etc/ppp/ip-down to remove them afterwards.
What’s left
– Modify the vpnd script to match your configuration to make admin easier.
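An ip-up/ip-down pair for the routing step above, added here as an example rather than taken from the talk or the vpnd script; peer and LAN addresses are constructed samples. On the server, ipcp-accept-remote lets the peer choose its own address, so matching on the remote address is a sanity check only and the ssh key stays the sole authentication.

```shell
#!/bin/sh
# /etc/ppp/ip-up for the ssh VPN (added example). pppd invokes it as:
#   ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Install as /etc/ppp/ip-up and link /etc/ppp/ip-down to it; the name decides
# whether routes are added or removed. Addresses below are constructed samples.

# Map of VPN peer address -> LAN behind that peer (network and netmask).
# On the server, ipcp-accept-remote lets the peer pick its own address, so this
# lookup is a sanity check on $5, not authentication; the ssh key does that.
vpn_lan_for() {
    case "$1" in
        10.99.0.2) echo "192.168.10.0 255.255.255.0" ;;   # branch office A
        10.99.0.3) echo "192.168.20.0 255.255.255.0" ;;   # branch office B
        *) return 1 ;;
    esac
}

# Build the route command: $1 = add|del, $2 = interface, $3 = peer address.
# Prints nothing (and fails) for non-ppp interfaces or unknown peers, so a
# dial-up ppp link or an unexpected peer never changes the routing table.
vpn_route_cmd() {
    case "$2" in ppp[0-9]*) ;; *) return 1 ;; esac
    lan=$(vpn_lan_for "$3") || return 1
    set -- "$1" "$2" "$3" $lan        # now $4 = network, $5 = netmask
    printf 'route %s -net %s netmask %s gw %s dev %s\n' "$1" "$4" "$5" "$3" "$2"
}

# pppd passes the interface as $1 and the peer address as $5.
case "$(basename "$0")" in
    ip-up)   cmd=$(vpn_route_cmd add "$1" "$5") && $cmd ;;
    ip-down) cmd=$(vpn_route_cmd del "$1" "$5") && $cmd ;;
esac
```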
33
That’s it.
We’re done, so what have we done?
– We’ve got ssh working
– We’ve configured a server to receive calls
– We’ve configured a client to make a call
– We’ve routed traffic across the VPN