Use FreeBSD to configure the ADSL-based VPN gateway + Firewall

Source: Internet
Author: User

I tossed this around for four days, and it was really annoying.
Configuring the VPN itself (PPTP) on FreeBSD is not difficult; five minutes is enough to get that part working.
I spent half of the remaining 99% of the time fighting with tun0, only to find I had made a trivial mistake,
and the other half fighting with ipfw, where I found that the VPN connection mechanism is quite complicated.
Enough said; let's go.

My goal is an ADSL dial-up gateway that runs MPD as the VPN server daemon,
with PPTP as the tunnelling protocol. Because this machine also runs a Samba server, I cannot open
all my ports: everything unnecessary must be blocked, and it took quite a while to work out
which ports and protocols PPTP needs opened on the firewall. With the purpose stated,
the configuration process follows.

First of all, if you already use ppp to connect over PPPoE (the connection type ADSL uses),
you can skip this section and go on to the next one.
Connecting over PPPoE with ppp is very easy. After FreeBSD is installed, the directory /etc/ppp/
contains a file named ppp.conf. Change it to the following to connect over PPPoE:

default:
 set log Phase Chat lcp ipcp ccp tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 # Ensure that "device" references the correct serial port
 # for your modem. (cuaa0 = COM1, cuaa1 = COM2)
 #
 set device PPPoE:rl0
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 set timeout 60     # idle timer in seconds (the sample file uses 180, i.e. 3 minutes)
 enable dns         # request DNS info (for resolv.conf)

papchap:
 #
 # Edit the authname and authkey lines, replacing the items in caps with
 # the values which have been assigned by your ISP.
 #

 set authname USERNAME
 set authkey PASSWORD
 set timeout 60
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR    # Add a (sticky) default route

The first part (default:) sets logging and some default information.
In set device PPPoE:rl0 you must change the interface after the colon to your own NIC; I use a Realtek 8139, so
it is rl0. mru and mtu are the maximum receive/send units, which for PPPoE are 1492 by default. timeout is
the idle time used in auto mode; exceeding it causes a disconnect. enable dns accepts the DNS servers
allocated by the ISP. The papchap section below sets your PPPoE account information. Its last two lines
set the address and route information; be sure to add them.
Note that the statements after a label must be indented by at least one space. That indentation may not be visible in the post, so pay attention!
After modifying the configuration file, test it with ppp -ddial papchap.
If there is no problem, add the following lines to rc.conf so that ppp dials at startup:

ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="papchap"

ppp_mode= is followed by the ppp mode; auto, ddial and background are the options, and man ppp
explains them. That is all there is to PPP dialing over PPPoE; it is very simple.

The next section covers enabling the IPFW firewall. You need to change the default kernel settings, and MPD
needs kernel changes too, so all the modifications are made here. I am using the upgraded version of IPFW, called
IPFW2. To use this firewall on FreeBSD 4.x you need to recompile IPFW:
install the FreeBSD 4.6 or later source code on your hard disk, then upgrade IPFW with the following steps:

 cd /usr/src/sbin/ipfw
 make -DIPFW2
 make install
 cd /usr/src/lib/libalias
 make -DIPFW2
 make install

Alternatively, add IPFW2=TRUE to your /etc/make.conf file and run make world to upgrade your firewall.
After IPFW is upgraded, modify the kernel. To recompile the kernel, follow these steps.
The directory /sys/i386/conf/ contains two files, GENERIC and LINT.
I will not repeat what they contain; I will only describe the process of modifying the kernel.
First, cp GENERIC mykern, then edit mykern and add the following options:

 options NETGRAPH
 options NETGRAPH_PPPOE
 options NETGRAPH_SOCKET
 options NETGRAPH_ETHER
 options IPFIREWALL         # the ipfw packet filter itself; IPFW2 below selects the ipfw2 code
 options IPFW2
 options IPDIVERT
 options IPFIREWALL_VERBOSE
 options IPFIREWALL_VERBOSE_LIMIT=100
 options IPSTEALTH
 options ACCEPT_FILTER_DATA
 options ACCEPT_FILTER_HTTP

Exit the editor, then build and install the new kernel:

 config mykern
 cd ../../compile/mykern
 make depend
 make
 make install

Then restart the machine so the updated kernel is running.
That completes the installation of IPFW2. We will not turn the firewall on yet; first we configure mpd to set up the PPTP
server. Installing MPD is actually very simple. You can compile it by hand, but I recommend installing from ports,
because I really have no reason not to :)
If you have the ports tree on your hard disk, install it with:

 cd /usr/ports/net/mpd
 make install
 make clean

After installation, ports automatically creates the directory /usr/local/etc/mpd
and stores sample configuration files there. You can modify the samples to configure mpd.
Take mpd.conf.sample as an example. First, cp mpd.conf.sample mpd.conf,
then modify the pptp section:

pptp:
 new -i ng0 pptp pptp
 set iface disable on-demand
 set iface enable proxy-arp
 set iface idle 1800
 set bundle enable multilink
 set link yes acfcomp protocomp
 set link no pap chap
 set link enable chap
 set link keep-alive 10 60
 set link mtu 1460
 set ipcp yes vjcomp
 set ipcp ranges 192.168.1.1/32 192.168.1.50/32
 set ipcp dns 192.168.1.3
 set ipcp nbns 192.168.1.4
 #
 # The five lines below enable Microsoft Point-to-Point encryption
 # (MPPE) using the ng_mppc(8) netgraph node type.
 #
 set bundle enable compression
 set ccp yes mppc
 set ccp yes mpp-e40
 set ccp yes mpp-e128
 set ccp yes mpp-stateless

This is the default configuration in the sample. The following describes what needs to be modified.
In fact, only three lines need to be changed, namely:

 set ipcp ranges 192.168.1.1/32 192.168.1.50/32
 set ipcp dns 192.168.1.3
 set ipcp nbns 192.168.1.4

The first line sets the address of your local VPN gateway, which should be the gateway's intranet address,
followed by the address a peer will obtain from the intranet after dialing in.
There is no special requirement on that address except that it must be in the same CIDR block as the intranet; otherwise
it will not work. The mask after the "/" controls the possible range of the address: if the address is already
occupied, the client is allocated an address within the range the mask allows.
The second line specifies the address of the DNS server used by your intranet. Note that it is handed to
users together with their intranet address.
The third line is similar to the second and specifies the address of the NetBIOS (WINS) server. If there is no WINS server on the intranet,
this line can be left out. Finally, I added one more command. Without it mpd seemed to
work normally, but I am not at ease unless this encryption line is present:

 set bundle enable encryption

Next we still need to slightly modify mpd.links.sample, whose pptp section reads:

pptp:
 set link type pptp
 set pptp self 1.2.3.4
 set pptp enable incoming
 set pptp disable originate

In the section above, the line set pptp self 1.2.3.4 specifies the address the mpd
PPTP server binds to. When ppp dials ADSL, the network interface and its IP address change, so we cannot
pin this down; remove this line and leave the others unchanged.
Of course, we also need to modify the mpd.secret file.
This file defines the user name and password of each dial-in user.
The username is written first, then the password in quotation marks, as follows:

 fred "fred-pw"

You can also specify the address or CIDR block that the user must use when dialing in, for example:

 joe "foobar" 192.168.1.1
 bob "x34\"foo" 192.168.1.10/24

After that, add a line so that mpd executes this pptp setup by default; modify the default section of mpd.conf to:

default:
 load pptp

The sample file also contains a configuration for multi-user login, so I do not need to write it; the configuration is the same.
After these changes, you only need to run mpd -b to start it.
For security reasons, I did not write a boot script to start mpd at startup, because for a firewall
it is dangerous to keep a port open while it is not in use. Many people may nevertheless need mpd to run automatically at startup,
so here is a startup script; place it under the /usr/local/etc/rc.d/ directory
and remember to make it executable.

#!/bin/sh

PREFIX=/usr/local

case "$1" in
start)
	if [ -x ${PREFIX}/sbin/mpd -a -f ${PREFIX}/etc/mpd.conf ]; then
		${PREFIX}/sbin/mpd -b
		echo -n ' mpd'
	fi
	;;
stop)
	killall mpd && echo -n ' mpd'
	;;
*)
	echo "Usage: `basename $0` {start|stop}" >&2
	;;
esac

exit 0
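Before letting a startup script launch mpd unattended, it is worth checking the file it authenticates against. mpd.secret holds every dial-in password in clear text, so it must not be readable by anyone but root, and a malformed entry is easy to miss. The script below is an added example (not from the post or the mpd project): it checks the group/other permission bits, validates each entry against the format described above (username, quoted password, optional address or CIDR block), and warns about very short passwords. The function names check_mpd_secret, write_sample_secret and demo are my own, and the sample entries it writes are constructed from the post's examples; passwords containing whitespace are not handled.

```shell
#!/bin/sh
# Audit an mpd.secret file before starting mpd. Added example, not part of
# the original post or of the mpd project. Assumes the mpd 3 format shown in
# the post: one entry per line, a username, the password in double quotes,
# then an optional IP address or CIDR block. Passwords containing whitespace
# are not handled by this checker.

# Returns 0 when the file is usable, 1 when something must be fixed,
# 2 when the file is missing. Findings are printed one per line.
check_mpd_secret() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: no such file"
        return 2
    fi
    # The file holds plaintext passwords: group and other must have no access.
    # Columns 5-10 of "ls -ld" are the group and other permission bits.
    perm=$(ls -ld "$file" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "$file: readable by group/other (chmod 600 $file)"
        rc=1
    fi
    # Check the shape of every entry; awk exits 1 if any entry is malformed.
    awk -v f="$file" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        {
            bad = 0
            if (NF < 2 || NF > 3) bad = 1
            else if ($2 !~ /^".+"$/) bad = 1   # password must be quoted and non-empty
            else if (NF == 3 && $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) bad = 1
            if (bad) {
                printf "%s:%d: malformed entry: %s\n", f, NR, $0
                errors++
            } else if (length($2) - 2 < 8) {
                printf "%s:%d: warning: password for %s is shorter than 8 characters\n", f, NR, $1
            }
        }
        END { exit (errors ? 1 : 0) }
    ' "$file" || rc=1
    return $rc
}

# Write a constructed sample secret file (entries modelled on the mpd sample
# quoted in the post) to $1, with the permissions mpd.secret should have.
write_sample_secret() {
    cat > "$1" <<'EOF'
# username  password        address the peer must use (optional)
fred        "fred-pw"
joe         "foobar"        192.168.1.1
bob         "x34\"foo"      192.168.1.10/24
EOF
    chmod 600 "$1"
}

# Run the checker against the sample file, then again after loosening its mode.
demo() {
    dir=$(mktemp -d)
    write_sample_secret "$dir/mpd.secret"
    check_mpd_secret "$dir/mpd.secret"; echo "sample file: exit $?"
    chmod 644 "$dir/mpd.secret"
    check_mpd_secret "$dir/mpd.secret"; echo "after chmod 644: exit $?"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh check_mpd_secret.sh demo" to see both outcomes, or call check_mpd_secret /usr/local/etc/mpd/mpd.secret from the start) branch of the rc.d script and refuse to start mpd when it returns non-zero.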

Now we need to enable the firewall to test it. Modify the rc.conf file to enable the firewall
by adding the following configuration, where firewall_type names the file containing the ipfw rule set:

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
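The post breaks off before showing the contents of /etc/ipfw.conf. The rule set below is an added example, not the author's own file, that implements the policy stated at the start of the post: default deny on the ADSL side, only the PPTP control channel (TCP port 1723) and the GRE data channel opened, and Samba reachable only from the LAN and from VPN clients. It assumes ppp's tun0 as the external interface, ng0 as mpd's PPTP interface and 192.168.1.0/24 as the intranet and VPN address pool (all from the post), and rl1 as the LAN interface (the post only names rl0 as the PPPoE NIC, so rl1 is an assumption). rc.firewall flushes the old rules and passes this file to ipfw, which reads one rule per line without the leading "ipfw" word; "log" needs the IPFIREWALL_VERBOSE option already in the kernel list above.

```text
# /etc/ipfw.conf (added example rule set; rc.firewall feeds it to ipfw)
#
# Assumed interfaces: tun0 = ppp's ADSL link (external), rl1 = LAN,
# ng0 = mpd's PPTP interface. LAN and VPN address pool: 192.168.1.0/24.

# loopback traffic, and nobody may use loopback addresses elsewhere
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any

# packets arriving on the ADSL side must not claim an intranet source
add 400 deny log ip from 192.168.1.0/24 to any in via tun0

# replies to sessions opened with keep-state below pass here
add 500 check-state

# the LAN and the VPN clients are trusted; Samba stays reachable only there
add 600 allow ip from any to any via rl1
add 700 allow ip from any to any via ng0

# what PPTP needs from the Internet: the control channel on TCP 1723
# and the GRE data channel (IP protocol 47) in both directions
add 800 allow tcp from any to me 1723 in via tun0 setup keep-state
add 810 allow gre from any to me in via tun0
add 820 allow gre from me to any out via tun0

# outbound sessions from the gateway and, through ppp's NAT, from the LAN
add 900 allow tcp from any to any out via tun0 setup keep-state
add 910 allow udp from any to any out via tun0 keep-state
add 920 allow icmp from any to any icmptypes 0,3,8,11

# everything else coming in from the ADSL side is dropped and logged,
# which covers Samba's ports 137-139 and 445
add 1000 deny log ip from any to any in via tun0

# explicit final deny
add 65000 deny ip from any to any
```

Load it with /etc/rc.firewall or by rebooting, then confirm from an outside host that only 1723/tcp answers and that an inbound connection to 139/tcp or 445/tcp shows up as a logged deny in /var/log/messages; the IPFIREWALL_VERBOSE_LIMIT=100 option in the kernel caps how many such log lines each rule produces.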
