VPN

Thursday October 28th, 2010 — By: CyrIng

[A] VPN encryption (PPTP). Note: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, both of which are considered weak today; prefer OpenVPN or IPsec where the provider offers it.

.

1- install packages: PPP daemon, PPTP client, IP routing (iproute2) and netfilter (iptables)


# sudo pacman -S ppp pptpclient iproute2 iptables

2- store the VPN credentials (CHAP secret). The file holds the password in clear text, so keep it root-owned with mode 600.


# sudo nano /etc/ppp/chap-secrets

# client        server    secret         IP addresses
# "client" must equal the "name" option and "server" the "remotename" option
# of the peer file. The secret is stored in clear text: keep this file owned
# by root with mode 0600 (sudo chmod 600 /etc/ppp/chap-secrets).
[LoginName]     PPTP      [Password]     *

3- define the point-to-point link (pppd peer file)


# sudo nano /etc/ppp/peers/VyprVPN

# pppd peer file for the PPTP tunnel (see pppd(8) and pptp(8)).
# NOTE(review): PPTP authenticates with MS-CHAPv2 and encrypts with MPPE; both
# are considered cryptographically weak today. Treat this link as obfuscation
# rather than strong encryption and prefer OpenVPN/IPsec where available.
pty "pptp eu1.vpn.giganews.com --nolaunchpppd"   # pptp handles the control connection (TCP 1723) and GRE; pppd speaks PPP over the pty
name [LoginName]       # "client" column of /etc/ppp/chap-secrets
remotename PPTP        # "server" column of /etc/ppp/chap-secrets
ipparam eu1.vpn.giganews.com # will be supplied as the 6th parameter of ip-up & ip-down scripts
file /etc/ppp/options.pptp   # not shown here; presumably carries the refuse-pap/chap/mschap lines that force MS-CHAPv2 -- verify
mru 1450
mtu 1450               # kept under 1500, presumably to leave room for the GRE/PPP encapsulation
require-mppe-128       # refuse the link unless 128-bit MPPE is negotiated
lcp-echo-failure 2     ## see man pppd
#lcp-echo-interval 60  ## see man pppd
persist                ## redial after a drop; until then the ip-down hooks have removed the marking, so traffic uses the normal route
unit 0                 ## use ppp0 as interface name
#usepeerdns            ## do not alter /etc/resolv.conf with VyprVPN's DNS
nodefaultroute         ## do not change default route into main table

4- define a dedicated routing table for the VPN


# sudo nano /etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
# Policy table populated by /etc/ppp/ip-up.d/10-route2vpn.sh and selected by
# its "fwmark 0x80" rule; any id not reserved above (1-252) would do.
180     vpn

5- route all TCP and UDP traffic through the VPN except the destination ports listed in vpn-common.sh. Only TCP and UDP are marked (ICMP and other protocols stay on the normal route), and when the link drops the ip-down hooks remove the marking, so traffic falls back to the clear until pppd redials.


# sudo nano /etc/ppp/ip-up.d/10-route2vpn.sh

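#!/bin/sh
#
# 2010 Cyring
#
# pppd ip-up hook: send packets marked 0x80 (by 20-filter2vpn.sh) through the
# tunnel. Arguments (pppd(8)): $1 interface, $2 tty, $3 speed, $4 local IP,
# $5 remote IP, $6 ipparam -- the VPN server name from the peer file. pppd also
# exports IFNAME in the environment.
#
# NOTE(review): gethostip is not part of the packages installed in step 1
# (on Arch it ships with syslinux) -- confirm it is present.

if [ "$IFNAME" = "ppp0" ]; then
        # Resolve the VPN endpoint. Without an address we must not touch the
        # tables: the old "grep ${VPNIP}" with an empty pattern matched every
        # route. If the name has several A records the first one is used,
        # which may not be the one pptp connected to.
        VPNIP=$(/usr/bin/gethostip -d "$6") || exit 1
        [ -n "$VPNIP" ] || exit 1

        # Copy the main-table route whose destination is the endpoint into
        # table "vpn", so marked packets to the server itself bypass the
        # tunnel (TCP 1723 is not on the bypass list). Exact first-field
        # match: no regex dots, and 10.0.0.1 no longer matches 10.0.0.10.
        VPNRT=$(/usr/sbin/ip route show table main | /usr/bin/awk -v ip="$VPNIP" '$1 == ip { print; exit }')
        if [ -n "$VPNRT" ]; then
                # word-splitting of $VPNRT is intended: it is a route spec
                /usr/sbin/ip route add ${VPNRT} table vpn
        fi

        /usr/sbin/ip rule add fwmark 0x80 table vpn
        /usr/sbin/ip route add to default dev "$IFNAME" table vpn
fi

# EOF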

# sudo nano /etc/ppp/ip-up.d/20-filter2vpn.sh

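#!/bin/sh
#
# 2010 Cyring
#
# pppd ip-up hook: mark (0x80) every locally generated TCP/UDP packet that is
# not aimed at one of the bypass ports, so the fwmark rule installed by
# 10-route2vpn.sh routes it through the tunnel. pppd exports IFNAME (the ppp
# interface) and IPLOCAL (our address on the tunnel) in the environment.
#
# Only TCP and UDP are marked: ICMP and every other protocol keep using the
# normal route and never enter the tunnel.

# Without the port lists "--dports" would be empty and iptables would fail
# half-way through; stop here rather than installing partial rules.
. /etc/ppp/vpn-common.sh || exit 1

if [ "$IFNAME" = "ppp0" ]; then
        # "!" inverts the multiport match: only the listed destination ports
        # stay unmarked (multiport accepts at most 15 ports).
        /usr/sbin/iptables -t mangle -A OUTPUT \
                -p tcp -m multiport ! --dports "$TCPLIST" \
                -j MARK --set-mark 0x80

        /usr/sbin/iptables -t mangle -A OUTPUT \
                -p udp -m multiport ! --dports "$UDPLIST" \
                -j MARK --set-mark 0x80

        # NOTE(review): the SNAT is presumably needed because the source
        # address was chosen by the first (main table) routing lookup, so
        # packets re-routed onto the tunnel by the mark still carry the LAN
        # address; rewrite it to the tunnel address.
        /usr/sbin/iptables -t nat -A POSTROUTING \
                -p tcp -o "$IFNAME" \
                -j SNAT --to-source "$IPLOCAL"

        /usr/sbin/iptables -t nat -A POSTROUTING \
                -p udp -o "$IFNAME" \
                -j SNAT --to-source "$IPLOCAL"
fi

# EOF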

# sudo nano /etc/ppp/ip-down.d/10-filter2vpn.sh

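#!/bin/sh
#
# 2010 Cyring
#
# pppd ip-down hook: remove exactly the rules installed by
# ip-up.d/20-filter2vpn.sh. "-D" needs the identical rule specification, so
# the port lists and addresses must be the same as at ip-up time.
#
# NOTE(review): with the marks gone every new connection uses the normal
# route, i.e. leaves in the clear until pppd ("persist") has redialled.

. /etc/ppp/vpn-common.sh || exit 1

if [ "$IFNAME" = "ppp0" ]; then
        /usr/sbin/iptables -t nat -D POSTROUTING \
                -p tcp -o "$IFNAME" \
                -j SNAT --to-source "$IPLOCAL"

        /usr/sbin/iptables -t nat -D POSTROUTING \
                -p udp -o "$IFNAME" \
                -j SNAT --to-source "$IPLOCAL"

        /usr/sbin/iptables -t mangle -D OUTPUT \
                -p tcp -m multiport ! --dports "$TCPLIST" \
                -j MARK --set-mark 0x80

        /usr/sbin/iptables -t mangle -D OUTPUT \
                -p udp -m multiport ! --dports "$UDPLIST" \
                -j MARK --set-mark 0x80
fi

# EOF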

# sudo nano /etc/ppp/ip-down.d/20-route2vpn.sh

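#!/bin/sh
#
# 2010 Cyring
#
# pppd ip-down hook: undo 10-route2vpn.sh. The fwmark rule goes first so no
# marked packet is looked up in a half-dismantled table; then the table is
# emptied.
#
# NOTE(review): once this has run, marked traffic falls back to table main,
# i.e. leaves in the clear over the normal uplink until pppd ("persist") has
# redialled. For fail-closed behaviour keep the rule and install
# "ip route replace blackhole default table vpn" here instead of flushing.

if [ "$IFNAME" = "ppp0" ]; then
        /usr/sbin/ip rule del fwmark 0x80 table vpn

        # Flush rather than re-resolve the server name: a second DNS lookup
        # may return a different address than the one ip-up copied in and
        # leave a stale route behind. Assumes only these hooks use table "vpn".
        /usr/sbin/ip route flush table vpn
fi

# EOF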

# sudo nano /etc/ppp/vpn-common.sh

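#!/bin/sh
#
# 2010 Cyring
#
# Sourced by the ip-up.d/ip-down.d filter hooks: destination ports whose
# traffic must NOT be marked for the VPN and therefore stays on the normal
# route. Everything else on TCP/UDP is sent through the tunnel.
#
# NOTE(review): several bypassed protocols (FTP, SMTP, POP, IMAP, NNTP) are
# plaintext; whatever is listed here leaves the host unencrypted over the
# ISP link. Review the lists against what you actually want exposed.

FTP_DATA=20
FTP=21
SSH=22
SMTP=25
DNS=53          # reference only: not on either list, so resolver traffic
                # takes the tunnel
POP2=109
POP3=110
NNTP=119
NTP=123
IMAP=143
IMAP3=220
SMTPS=465
NNTPS=563
GANDI=587       # SMTP submission (the author's mail provider)
IPP=631
IMAPS=993
POP3S=995
PPTP=1723       # defined but not on either list -- see below

# Comma-separated lists for "iptables -m multiport --dports". The original
# spread these over several lines without continuation backslashes, which
# left TCPLIST empty and ran "20," as a command; build them in one quoted
# string instead.
#
# multiport accepts at most 15 ports and TCPLIST is at that limit: adding a
# port means removing one. The PPTP control port (1723) is NOT here; as far
# as these scripts go, packets to the VPN server itself are kept off the
# tunnel only by the host route ip-up.d/10-route2vpn.sh copies into table
# "vpn".
TCPLIST="${FTP_DATA},${FTP},${SSH},${SMTP},${POP2},${POP3},${NNTP},${IMAP},${IMAP3},${SMTPS},${NNTPS},${GANDI},${IPP},${IMAPS},${POP3S}"

UDPLIST="${SSH},${NTP},${IMAP},${IMAP3},${NNTPS},${IPP}"

# EOF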

# sudo chmod +x /etc/ppp/ip-up.d/10-route2vpn.sh
# sudo chmod +x /etc/ppp/ip-up.d/20-filter2vpn.sh
# sudo chmod +x /etc/ppp/ip-down.d/10-filter2vpn.sh
# sudo chmod +x /etc/ppp/ip-down.d/20-route2vpn.sh
# sudo chmod +x /etc/ppp/vpn-common.sh

6- start the VPN at boot-up (the symlink makes VyprVPN the default "provider" peer that the ppp init script dials)


# sudo ln -s /etc/ppp/peers/VyprVPN /etc/ppp/peers/provider

# sudo nano /etc/rc.conf

DAEMONS=( @iptables @ppp )

.

[B] SSL/TLS tunnel (stunnel)

.

1- install the stunnel daemon and the Pan newsreader


# sudo pacman -S stunnel pan

2- wrap the NNTP connection in TLS through a local stunnel listener


# sudo nano /etc/stunnel/stunnel.conf

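; stunnel client: accept plain NNTP on the loopback only and forward it over
; TLS to the provider's NNTPS port. "client = yes" is essential: stunnel
; defaults to server mode, which would offer TLS on 119 and speak plaintext
; to 563 -- the opposite of what is wanted here.
[nntp]
client = yes
accept = 127.0.0.1:119
connect = news-europe.giganews.com:563
; Encryption without certificate verification still lets an active
; man-in-the-middle read the NNTP credentials. Verify the peer chain
; (adjust the bundle path to your distribution).
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
; checkHost = news-europe.giganews.com   ; stunnel 5.x and later: also pin the hostname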

3- start daemon at boot-up


# sudo nano /etc/rc.conf

DAEMONS=( @stunnel )

4- point the Usenet newsreader at the local listener (this file stores the password in clear text; keep it mode 600)


# nano ~/.pan2/servers.xml

.

<?xml version="1.0" encoding="utf-8" ?>
<!-- Pan server list. The password is stored in clear text here: keep the
     file private (chmod 600 ~/.pan2/servers.xml). 127.0.0.1:119 is the
     local stunnel listener, which forwards the session over TLS to the
     provider. -->
<server-properties>
  <server id="1">
    <host>127.0.0.1</host>
    <port>119</port>
    <username>[LoginName]</username>
    <password>[Password]</password>
    <expire-articles-n-days-old>93</expire-articles-n-days-old>
    <connection-limit>49</connection-limit>
    <newsrc>/home/[UserName]/.pan2/newsrc-1</newsrc>
    <rank>1</rank>
  </server>
</server-properties>

.

[C] DNS cache (local forwarding resolver)

.

1- install Bind package


# sudo pacman -S bind

2- configure named as a loopback-only forwarding cache


# sudo nano /etc/named.conf

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        // Answer this host only; with the loopback-only listeners below this
        // keeps the cache from becoming an open resolver.
        allow-query { localhost; };
        allow-query-cache { localhost; };
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        // Never walk the root servers ourselves: every cache miss goes to the
        // forwarders below. These third parties see all lookups, and the
        // queries travel unencrypted on port 53 (with section [A] active that
        // port is not on the bypass lists, so they leave through the tunnel).
        forward only;
        forwarders {
                        8.8.8.8;        // Google DNS
                        8.8.4.4;        // Google DNS
                        208.67.222.222; // OpenDNS
                        208.67.220.220; // OpenDNS
        };
        // NOTE(review): consider "dnssec-validation auto;" (newer BIND) so
        // forged answers on the path are rejected -- confirm the forwarders
        // return DNSSEC records before enabling.
};

logging {
        channel "syslog" {
                syslog daemon;
                severity info;
        };

        category default { syslog; };
};

3- point the system resolver at the local cache


# sudo nano /etc/resolv.conf

nameserver 127.0.0.1

4- start daemon at boot-up


# sudo nano /etc/rc.conf

DAEMONS=( @named )