Configure VPN gateway and firewall with FreeBSD


In fact, configuring a VPN (PPTP) on FreeBSD is not difficult; the configuration itself takes about five minutes. The remaining 99% of my time was spent in two fights: half with tun0, where I eventually found I had made a low-level mistake, and half with ipfw, where I found that the PPTP connection mechanism is more involved than a single port. Altogether it took me four days, which was a real nuisance. Let's go.

My goal is to build an ADSL dial-up gateway. mpd serves as the VPN daemon and PPTP is the transport protocol. Because this machine also runs a Samba server, I cannot leave all ports open: every unnecessary port must be blocked. That is why it took so long to work out exactly which ports and protocols PPTP needs to pass through the firewall. With the goal stated, here is the configuration process.

First, dialing ADSL with ppp. If you already know how to connect to PPPoE with ppp (which is how ADSL is used), skip this paragraph and read on below. Using ppp for PPPoE is very simple. After FreeBSD is installed you will find a file called ppp.conf in the /etc/ppp/ directory; edit it along the lines of the following. The contents of the file are as follows:
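The file itself did not survive in this copy of the article, so here is a reconstructed ppp.conf as an added example (not the author's file) that matches the description in the next paragraph. The interface name, the idle timeout and the account placeholders are assumptions; substitute your own.

```conf
# /etc/ppp/ppp.conf (added example, not the author's file)
# "default:" is always loaded; "papchap:" is the profile named by
# ppp_profile="papchap" in rc.conf.  Every line under a label MUST be
# indented by at least one space.
default:
 # logging: which phases ppp reports to /var/log/ppp.log
 set log Phase Chat LCP IPCP CCP tun command
 # your network card; rl0 is a Realtek 8139, use e.g. xl0 or fxp0 for yours
 set device PPPoE:rl0
 # maximum receive/transmit unit; 1492 is the PPPoE default
 set MRU 1492
 set MTU 1492
 # idle timeout in seconds, only meaningful in auto mode (ddial never idles out)
 set timeout 300
 # accept the DNS servers the ISP assigns during IPCP
 enable dns

papchap:
 # placeholders: your PPPoE account name and password
 set authname YOUR_ISP_USERNAME
 set authkey YOUR_ISP_PASSWORD
 set dial
 set login
 # routing: accept whatever addresses the ISP assigns, then route everything
 # through the ISP side of the link
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
```

Keep /etc/ppp/ppp.conf readable only by root (mode 0600), since it holds the ISP password in clear text.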

The first part sets the logging method and some defaults. In set device PPPoE: you must substitute the driver of your own card; mine is a Realtek 8139, hence rl0. Next the maximum send/receive unit is set; for PPPoE the default is 1492. timeout is the idle timeout used in auto mode: after this time the line is disconnected. enable dns accepts the DNS servers assigned by the ISP. The papchap section holds your PPPoE account information, and the last two lines set the routing information; be sure to add them. Note that the lines under a label must be indented by at least one space; this may not be visible in the post, so pay attention! After editing the configuration file, test with ppp -ddial papchap. If you get online, there is no problem. Then add the following lines to /etc/rc.conf to start ppp dialing at boot:

ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="papchap"

Here ppp_mode= selects the ppp mode; the choices include auto, ddial, background and so on, and the details are in man ppp. That is the whole configuration of ppp dialing PPPoE, which is very simple.

The next section covers starting the ipfw firewall. The default kernel settings must be modified, and the kernel must also be modified for mpd, so both changes are made at the same time. I use the upgraded version of ipfw, called ipfw2. To use this firewall on FreeBSD 4.x you need to recompile ipfw, which requires the source code of FreeBSD 4.6 or later installed on your hard disk in advance; then upgrade ipfw with the following steps:

cd /usr/src/sbin/ipfw
make -DIPFW2
make install
cd /usr/src/lib/libalias
make -DIPFW2
make install

Alternatively, add IPFW2=TRUE to /etc/make.conf and run make world to upgrade your firewall. After upgrading ipfw, the next step is to modify the kernel. To recompile the kernel you go through the following steps. First, enter the /sys/i386/conf/ directory, where there are two files, GENERIC and LINT. I won't repeat the detailed instructions; I will only describe the process of modifying the kernel.

First, cp GENERIC MYKERN, then add the following to MYKERN:
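The added options did not survive in this copy of the article. As an added example (not the author's MYKERN), here is a FreeBSD 4.x kernel configuration fragment matching what the text asks for: ipfw2 firewalling, divert sockets for natd, and netgraph for mpd. The exact option set and the build commands in the comments are my assumptions about the usual 4.x procedure.

```conf
# MYKERN (added example): lines appended to a copy of GENERIC in /sys/i386/conf/

# ipfw firewall; IPFW2 selects the ipfw2 code that the rebuilt /sbin/ipfw talks to
options         IPFIREWALL
options         IPFIREWALL_VERBOSE          # rules marked "log" go to syslog
options         IPFIREWALL_VERBOSE_LIMIT=100 # rate-limit those log lines per rule
options         IPFW2
# divert sockets: only needed if natd(8) does the NAT (ppp_nat="YES" does not need it)
options         IPDIVERT
# netgraph, which mpd uses for its PPP and PPTP/GRE nodes
options         NETGRAPH

# Build and install (FreeBSD 4.x, assumed):
#   cd /sys/i386/conf && config MYKERN
#   cd ../../compile/MYKERN && make depend && make && make install
# then reboot into the new kernel.
```

Without IPFIREWALL_DEFAULT_TO_ACCEPT the kernel denies all traffic until rc loads your rules, which is the right default for a firewall but will lock you out of a machine you administer remotely if the rules file has an error; test the rules from the console first.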

After rebooting, the kernel update is complete, and with it the installation of ipfw2. Rather than enabling the firewall right away, we first configure mpd to set up the PPTP server. Installing mpd is actually very simple. You can compile it by hand, but I recommend installing it from ports, because I really can't think of any reason not to use ports :) If the ports tree is on your hard disk, you can install mpd with the following steps:

After installation, the port automatically creates the /usr/local/etc/mpd directory and stores sample configuration files there. You can complete the mpd configuration by editing the samples: first cp mpd.conf.sample mpd.conf, then modify the following parts:

This is the default configuration from the sample. The parts that need to be modified are described next; in fact only three lines need changing, the following three:

The first line sets the address of your local VPN end. If, like me, you use NAT to separate inside and outside, this should be the internal address of the VPN. The second address on that line is the one the peer gets after dialing in. There are no special requirements for it, except that it must be in the same segment as the internal network, otherwise nothing can be reached. A mask can also be given to control the range this address may take: if the address is already in use, another address within the range limited by the mask after "/" is allocated to the client.

The second line specifies the address of the DNS server on your internal network. Note that it is handed to the user together with the internal address. The third line is similar to the second and specifies the address of the NetBIOS (WINS) server; if you have no WINS server, this line can be left out. Finally, I added one more line. Without it mpd seems to work normally, but I'm not sure, so I still add the encryption directive: set bundle enable encryption
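Since the three lines (and the rest of the section) are missing from this copy, here is a complete pptp section as an added example in mpd 3.x syntax, not the author's mpd.conf. The addresses are placeholders (192.168.1.0/24 stands for the LAN behind the NAT gateway) and the non-address lines are taken from what the port's sample normally contains; the MPPE lines are my addition to make the encryption directive actually result in an encrypted tunnel.

```conf
# /usr/local/etc/mpd/mpd.conf (added example, not the author's file)
default:
        load pptp

pptp:
        new -i ng0 pptp pptp
        # line 1: local VPN address / address handed to the dial-in client.
        # 192.168.1.1 is the gateway's own end; the client gets 192.168.1.50,
        # or another free address inside 192.168.1.0/24 if that one is taken.
        set ipcp ranges 192.168.1.1/32 192.168.1.50/24
        # line 2: DNS server pushed to the client along with its address
        set ipcp dns 192.168.1.3
        # line 3: WINS/NetBIOS name server; drop this line if you have none
        set ipcp nbns 192.168.1.4
        set iface disable on-demand
        set iface enable proxy-arp
        set bundle enable multilink
        set link yes acfcomp protocomp
        # authenticate with CHAP only, never PAP (PAP sends the password in clear)
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set ipcp yes vjcomp
        # MPPE 128-bit via CCP: without these the PPP frames inside the GRE
        # tunnel are negotiated without any encryption at all
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        # the line the article adds
        set bundle enable encryption
```

Check the result after a client connects with ifconfig ng0 and with mpd's own console output: the CCP phase should report MPPE negotiated, otherwise the client is talking in the clear.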

Next, we need to slightly modify the pptp: link definition (copied from the mpd.links sample):

pptp:
 set link type pptp
 set pptp self
 set pptp enable incoming
 set pptp disable originate

The set pptp self line above specifies the address to which mpd's PPTP server is bound. Since we are dialing ADSL with ppp, the network interface and IP address change from session to session, so we cannot fix this address; in our case the line must be removed, and nothing else needs to change. Of course, we also need to edit the mpd.secret file, which defines the user name and password of each dial-in user: the user name comes first, then the password in quotation marks, as below:

fred "fred-pw"

You can also specify the address or segment the user must dial in from, as in the following example:

joe "foobar" "x34foon"

After that, we add a line so that mpd runs the pptp configuration by default; this part of the configuration file needs to be changed:

default:
 load pptp

The file also contains samples for multi-user login, which I won't write out; the configuration is the same. After these changes, start it by running mpd -b. For security reasons I did not write a startup script to start mpd at boot: for a firewall it is dangerous to keep extra ports open when they are not in use. However, many people need mpd to run automatically at startup, so I still provide a startup script; put it in the /usr/local/etc/rc.d/ directory and remember to add execute permission.
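The author's script is not in this copy, so here is an added example of a FreeBSD 4.x style rc.d script, written by me and not taken from the article or the mpd project. It assumes mpd was installed from ports to /usr/local/sbin/mpd and starts it exactly as the text does, with mpd -b; the file name and the use of killall(1) for stopping are assumptions.

```sh
#!/bin/sh
# /usr/local/etc/rc.d/mpd.sh (added example)
# rc(8) runs every executable *.sh in /usr/local/etc/rc.d with "start" at
# boot and "stop" at shutdown.  Remember: chmod 755 /usr/local/etc/rc.d/mpd.sh

# assumed install location of the ports binary
MPD=${MPD:-/usr/local/sbin/mpd}

mpd_rc() {
    case "$1" in
    start)
        # fail early if the binary is missing rather than producing a cryptic
        # error later in the boot sequence
        if [ ! -x "$MPD" ]; then
            echo "mpd_rc: $MPD is not executable" >&2
            return 1
        fi
        # -b: detach into the background, as in the article
        "$MPD" -b && echo -n ' mpd'
        ;;
    stop)
        # stop by process name; returns 1 if nothing was running
        killall mpd 2>/dev/null || return 1
        ;;
    *)
        echo "usage: $0 {start|stop}" >&2
        return 64
        ;;
    esac
}

# Act only when rc invokes us with an argument; with none, do nothing.
case "$1" in
start|stop) mpd_rc "$1" ;;
esac
```

If you do install this, remember the author's point: the PPTP port is then reachable whenever the machine is up, so the ipfw rules below are what stand between the Internet and mpd.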

Next, we enable the firewall to test. We need to edit /etc/rc.conf to turn the firewall on by adding the following settings:

Two of them need explanation. firewall_type= names a file in which I keep my custom rules; ipfw also has several default types, such as open, client, closed and so on.

We won't discuss those, since we don't use them. In any case, the following line is required, otherwise your gateway won't work normally:
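The rc.conf lines are missing from this copy of the article, so as an added example (not the author's rc.conf) here is a fragment with the variables the text refers to. The rules file path is a placeholder, and the natd lines are my assumption about what the "forwarding interface" mentioned next refers to.

```conf
# /etc/rc.conf fragment (added example, not the author's file)
firewall_enable="YES"
# custom rules file, loaded as "ipfw /etc/ipfw.rules" by rc.firewall
firewall_type="/etc/ipfw.rules"
# required on a gateway: without it the kernel never forwards packets
# between the LAN and the ADSL link, VPN or not
gateway_enable="YES"
# forwarding interface for natd: rl0 with ppp(8), ng0 if mpd does the PPPoE
# dialing.  With ppp_nat="YES" the ppp link is already translated, so natd
# is only needed for other interfaces (and needs IPDIVERT in the kernel).
natd_enable="YES"
natd_interface="rl0"
```

firewall_type must be the full path; a bare word is looked up as one of the built-in types instead.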

You will have noticed that my forwarding interface is set to rl0, that is, my network card, which is fine when using ppp. If, however, mpd is used for the PPPoE dialing, it must be set to the ng0 device that mpd creates. At first I thought that if I could not make PPTP listen on the external interface, I would use natd to redirect the port in from outside. Who knew that PPTP also needs connections beyond that one port, so natd is basically useless here. Now I'll give you the statements from my rules file for letting PPTP connections through.

Only when these four lines are added can a client connect at all. However, with only these four, the client can't do anything, so the following two rules must also be set for the client.
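The six rules themselves are missing from this copy, so here is an added example, my own and not the author's rules file, that generates them. It assumes PPTP's two components, which the text alludes to but does not name: the TCP control connection on port 1723 and the GRE (IP protocol 47) tunnel carrying the PPP frames. The interface names and the 192.168.1.0/24 client range are placeholders; the script prints lines in the format a firewall_type rules file expects (ipfw commands without the leading "ipfw").

```sh
#!/bin/sh
# Added example: emit the ipfw rules that let PPTP reach mpd through a
# default-deny ruleset.  Usage:
#   sh pptp_rules.sh tun0 192.168.1.0/24 ng0 >> /etc/ipfw.rules
# Arguments (all assumptions, adjust to your box):
#   $1  external interface carrying the public address: tun0 when ppp(8)
#       dials PPPoE, ng0 when mpd does
#   $2  address range handed to dial-in clients by "set ipcp ranges"
#   $3  interface mpd creates for the PPTP bundle

pptp_rules() {
    ext_if=${1:-tun0}
    vpn_net=${2:-192.168.1.0/24}
    vpn_if=${3:-ng0}

    # The four rules for the PPTP session itself: control channel in and
    # out, GRE tunnel in and out.  Opening only 1723 is the mistake the
    # article describes: the client connects and then hangs because the
    # GRE packets are dropped.
    echo "add allow tcp from any to me 1723 in via $ext_if"
    echo "add allow tcp from me 1723 to any out via $ext_if"
    echo "add allow gre from any to me in via $ext_if"
    echo "add allow gre from me to any out via $ext_if"

    # The two client rules: traffic to and from the assigned range, but
    # only on the bundle interface, so a packet arriving on the outside
    # with a spoofed 192.168.1.x source does not match.
    echo "add allow ip from $vpn_net to any in via $vpn_if"
    echo "add allow ip from any to $vpn_net out via $vpn_if"
}

pptp_rules "$@"
```

Everything else (Samba, anything not listed) stays behind the default deny, which is the whole point of the author's setup; check with ipfw show after reloading that the GRE rules have non-zero counters once a client is connected.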

Note that the address in my configuration is the internal address I assign to the client; if your address definition differs from mine, you need to change it. For security reasons I can't release all of my complete configuration files to you. For the other rules, please refer to iceblood's articles on sharing ADSL through FreeBSD for the firewall settings, or check man 8 ipfw to customize your own rules. Finally, I would like to thank my good friend and classmate platinum for helping me test and providing a lot of information during the configuration process, which helped me finally solve all the problems. (end)

Copyright © 2011 JIN SHI