VPN Server Using PPTP Protocol and FreeRadius as AAA Implementation

8 04 2009

hmmmmm….. in this documentation, I will explain how to build a VPN server using the PPTP protocol. There were a lot of problems with my last documentation about the VPN server (my friend told me), so this documentation revises it. Okay… I'm using FreeBSD 6.2-RELEASE as my PPTP server, but you can use a higher version of FreeBSD. On Linux??……… it's been a long time since I used it. This documentation contains 3 steps: 1. configuring the router, 2. configuring the PPTP server itself, and 3. configuring the client (Windows XP). Let's start. Here's the network diagram:

1. Configuring Router :
For the router, I'm using FreeBSD, but you can also use other operating systems. Of course you should set IP forwarding to 1. I think you already know what that means.
/etc/sysctl.conf

security.bsd.see_other_uids=0
net.inet.ip.fastforwarding=1
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=2

Then, configure NAT. I'm using the PF firewall to NAT my PPTP server. Here's some output from my pf.conf (located in /etc/pf.conf):

table const {10.14.200.252}
x
x
x
nat on bce1 proto {tcp,udp,icmp} from to any -> 222.124.204.236
x
x
x

x means a line of PF rules. You should read the PF manual documentation first!
The last section is configuring the IP address. The IP address config is located in /etc/rc.conf. Here's some output:

defaultrouter="222.124.x.y"
hostname="bokep.mania.com"
ifconfig_bce0="inet 10.14.200.231 netmask 255.255.255.0"
ifconfig_bce1="inet 222.124.x.x netmask 255.255.255.224"
static_routes="internal"
route_internal="-net 10.14.0.0/16 10.14.200.1"
pf_enable="YES"
pf_rules="/etc/pf.conf"

That's all for the router configuration. Now, go to step 2, configuring the PPTP server.

2. Configuring PPTP Server.
a. IP Address Configuration. The IP address config is located in /etc/rc.conf. Here's some output:

defaultrouter="10.14.200.231"
hostname="end-pointA.ittelkom.ac.id"
ifconfig_rl0="inet 10.14.200.252 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 172.16.1.1 netmask 255.255.255.0"
gateway_enable="YES"

b. Installing the PPTP server and the RADIUS server.
PPTP Server :

root@end-pointA# cd /usr/ports/net/poptop/
root@end-pointA# make install clean # wait until the installation process has finished.

All poptop configuration is located in /usr/local/etc/pptpd.conf and the /etc/ppp/ directory. Here's the 'ls' output of the /etc/ppp/ directory:

root@end-pointA# ls /etc/ppp/
ppp.conf ppp.conf.ngakakak ppp.secure secure
ppp.conf.backup ppp.secret radius.conf

/usr/local/etc/pptpd.conf config file :

debug
nobsdcomp
proxyarp
localip 10.14.15.36
remoteip 172.16.1.2-254
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
mppc
#added
+chap
ipcp-accept-local
ipcp-accept-remote
deflate 0

/etc/ppp/ppp.conf config file :

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
# Server (local) IP address, Range for Clients, and Netmask
# if you want to use NAT use private IP addresses
#set ifaddr 10.14.15.7 10.14.15.10-10.14.15.20 255.255.255.255
set ifaddr 172.16.1.1 172.16.1.2-172.16.1.254 255.255.255.255
add default HISADDR
set server /tmp/loop "" 0177
loop-in:
#set ifaddr 10.14.15.7 10.14.15.10-10.14.15.20 255.255.255.255
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
disable pap
# Authenticate against /etc/passwd
#enable passwdauth
disable ipv6cp
enable proxy
accept dns
enable MSChapV2
enable mppe
set mppe * stateless
#enable mppc
disable deflate pred1
deny deflate pred1
set dns 10.14.203.7
set device !/etc/ppp/secure
set radius /etc/ppp/radius.conf

/etc/ppp/secure config file :

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

/etc/ppp/radius.conf config file :

auth 127.0.0.1 your-password-here
acct 127.0.0.1 your-password-here

Last but not least, add pptpd_enable to the /etc/rc.conf file:

pptpd_enable="YES"

finishh……….. configuring the PPTP server. Next, configuring the RADIUS server

c. Radius server :
As the AAA implementation, I'm using FreeRadius. I think it's the hardest part of configuring my PPTP server. Okay.. let's start.
Installing freeradius :

root@end-pointA# cd /usr/ports/net/freeradius/
root@end-pointA# make config # choose MYSQL (With MySQL user database)
root@end-pointA# make install clean

All FreeRadius config is located in /usr/local/etc/raddb. Okay, I will give you my config one by one.
/usr/local/etc/raddb/clients.conf :

client 127.0.0.1 {
secret = your-password-here
shortname = localhost
}
client 172.16.0.0/16 {
secret = your-password-here
shortname = vpn-billing
}

/usr/local/etc/raddb/clients

localhost your-password-here

okay………. and then, create the freeradius database structure. Here it is step by step:
1. create database radius;
2. give the user mysql-user access to read and modify the database radius with the password mysql-password (grant insert, select, delete…………….)
3. in a bash shell execute: mysql -u mysql-user -p radius < /usr/local/share/examples/freeradius/db_mysql.sql
and then, edit the /usr/local/etc/raddb/sql.conf file. Here's some output:

sql {
server = "localhost"
login = "mysql-user"
password = "mysql-password"
radius_db = "radius"
x
x
}

x means other config lines. There are a lot of lines, so I won't post them here.
Because there are a lot of lines in the freeradius config file, I will give you a link to download my own freeradius configuration
Of course, I also created a web-based application to maintain VPN user accounts. Thanks to adjiexx a.k.a AllDelta for creating the VPN user management web application. Here's sample code to insert a new user into the freeradius database (in PHP of course):

$iq="insert into radcheck(username,attribute,value) values ('$nama','Password','$password')";
$iq2="insert into radreply(username,attribute,op,value) values ('$nama','Framed-IP-Address',':=','$ip')";
$iq3="insert into radreply(username,attribute,op,value) values ('$nama','Framed-IP-Netmask',':=','255.255.255.255')";
$iq4="insert into radreply(username,attribute,op,value) values ('$nama','Framed-Protocol',':=','PPP')";
$iq6="insert into radcheck(username,attribute,op,value) values ('$nama','Max-Monthly-Session',':=','$quota')";
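The PHP above splices $nama, $password and $ip straight into the SQL text, so a value containing a quote changes the statement instead of being stored; it also writes the five rows without checking that the user is new or that the address lies in the 172.16.1.2-254 pool pptpd hands out. The following is an added example, not code from the page or from adjiexx's application: a Python version of the same five inserts (radcheck: Password, Max-Monthly-Session; radreply: Framed-IP-Address, Framed-IP-Netmask, Framed-Protocol) using bound parameters. It also stands in for the database steps 1-3 above, on an in-memory SQLite copy of the two tables. The table definitions are assumed, simplified from db_mysql.sql to the columns the PHP uses; the function and constant names are mine.

```python
import ipaddress
import sqlite3

# Assumption: radcheck/radreply reduced to the columns the PHP snippet uses.
# The real db_mysql.sql tables carry more, but the op defaults are the same.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL DEFAULT '==',
    value     TEXT NOT NULL
);
CREATE TABLE radreply (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL DEFAULT '=',
    value     TEXT NOT NULL
);
"""

# The remoteip pool from pptpd.conf is 172.16.1.2-254; .1 is the server itself.
CLIENT_POOL = ipaddress.ip_network("172.16.1.0/24")
SERVER_IP = ipaddress.ip_address("172.16.1.1")


def open_radius_db():
    """In-memory stand-in for the MySQL 'radius' database created in steps 1-3."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate_framed_ip(ip_text):
    """Accept only addresses pptpd can actually hand to a client."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    reserved = {SERVER_IP, CLIENT_POOL.network_address, CLIENT_POOL.broadcast_address}
    if ip not in CLIENT_POOL or ip in reserved:
        raise ValueError(f"{ip_text} is outside the client pool 172.16.1.2-254")
    return str(ip)


def user_exists(conn, username):
    row = conn.execute(
        "SELECT 1 FROM radcheck WHERE username = ? LIMIT 1", (username,)
    ).fetchone()
    return row is not None


def add_vpn_user(conn, username, password, framed_ip, monthly_quota):
    """Write the same five rows as the PHP snippet, with bound parameters.

    Returns the number of rows written (5); raises ValueError for a duplicate
    user or an address outside the pool, in which case nothing is written.
    """
    if user_exists(conn, username):
        raise ValueError(f"user {username!r} already exists")
    framed_ip = validate_framed_ip(framed_ip)
    check_rows = [
        # 'Password' keeps the table's default op, as the PHP insert does;
        # MS-CHAPv2 needs the cleartext password on the server side anyway.
        (username, "Password", "==", password),
        (username, "Max-Monthly-Session", ":=", str(monthly_quota)),
    ]
    reply_rows = [
        (username, "Framed-IP-Address", ":=", framed_ip),
        (username, "Framed-IP-Netmask", ":=", "255.255.255.255"),
        (username, "Framed-Protocol", ":=", "PPP"),
    ]
    with conn:  # one transaction: all five rows or none
        conn.executemany(
            "INSERT INTO radcheck(username, attribute, op, value) VALUES (?, ?, ?, ?)",
            check_rows,
        )
        conn.executemany(
            "INSERT INTO radreply(username, attribute, op, value) VALUES (?, ?, ?, ?)",
            reply_rows,
        )
    return len(check_rows) + len(reply_rows)


def attributes_for(conn, username):
    """Return (check_items, reply_items), each a list of (attribute, op, value)."""
    check = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    reply = conn.execute(
        "SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    return check, reply


if __name__ == "__main__":
    db = open_radius_db()
    add_vpn_user(db, "tunk", "wew", "172.16.1.20", 3600)
    print(attributes_for(db, "tunk"))
```

Against the real server you would replace sqlite3 with a MySQL driver that supports the same `?`/`%s` placeholder style; the point is that the user name and password travel as parameters, never as SQL text, and that the Framed-IP-Address check keeps the address a user will later show up with in the squid log inside the pool the server owns.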

Of course you must add "radiusd_enable" to /etc/rc.conf:

radiusd_enable="YES"

Last, installing squid. Here it is step by step:

root@end-pointA# cd /usr/ports/www/squid
root@end-pointA# make install clean

and the sample config looks like this (squid.conf):

http_port 172.16.1.1:8080
cache_mem 512MB
cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64
cache_access_log /dev/null
cache_store_log none
cache_log /dev/null
cache_replacement_policy GDSF
pipeline_prefetch on
refresh_pattern /.gif 4320 50% 43200
refresh_pattern /.jpg 4320 50% 43200
refresh_pattern /.jpeg 4320 50% 43200
refresh_pattern /.png 4320 50% 43200
refresh_pattern ^http://www.friendster.com/.* 720 100% 10080
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 10080
refresh_pattern ^http://*.yahoo.*/.* 720 100% 7200
refresh_pattern ^http://*.google.com/.* 720 100% 10080
refresh_pattern ^http://www.telkomspeedy.com/.* 720 100% 28800
refresh_pattern ^http://*.blogsome.com/.* 720 80% 10080
refresh_pattern ^http://*.wordpress.com/.* 720 80% 10080
refresh_pattern ^http://detik.com/.* 720 90% 2880
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl outgoing src 192.168.10.2/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl admin src 172.16.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl xx snmp_community tuah
http_access allow manager
http_access allow localhost
http_access allow outgoing
http_access allow student
http_access allow admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localhost
icp_access allow student
icp_access allow admin
icp_access deny all

http_port 172.16.1.1:8080 means: squid will only listen on the interface alias that we created in the /etc/rc.conf file.
Add "squid_enable" to /etc/rc.conf:

squid_enable="YES"

3. Client Configuration
I'm using Windows XP. To connect to the VPN server, make sure the VPN server address is set to 10.14.200.252.

finish

sorry for my bad english





poptop + squid in FreeBSD 6.2

24 11 2007

sick of love today!!! hmmm, time to dump some documentation again :D . For the last 2 weeks my head has been all over the place, thinking about this and that; the biggest headache was figuring out how to build a VPN server that works the way the one on my campus does. hohohohoho……………., and as it happens, it's also for my project. It works like this: a user has to log in first before they can surf the internet. hohohohohoho…..

For this test, three boxes are used: A. 1 router to connect to the internet (2 LAN cards, bge0 and fxp0), B. 1 PC as proxy server and VPN server, and C. 1 client PC. Since I don't have Visio on my PC, heheheh, the diagram will follow later……

internet ———————– fxp0-A-bge0—————B—————-C

okay, now let's configure each box.

A. Box A is the router, running FreeBSD and used as a NAT router. fxp0 has the public IP, 222.124.xxx.xxx. bge0 is the intranet interface; its IP address is 10.14.200.231. IP FORWARDING has been enabled. Box A uses PF for its NAT. The NAT configuration is as follows (add the line below to /etc/pf.conf):

nat on fxp0 proto {tcp, udp, icmp} from 10.14.200.245 to any -> fxp0

Box A is ready….. next, Box B

B. Setting up Box B is a bit tricky + confusing. The VPN server uses poptop, the proxy uses squid. Both packages are installed from ports. Box B is specified as follows:

  • it has 1 LAN card: rl1, with IP address 10.14.200.245 and alias IP 172.16.1.1. The full details are in the file /etc/rc.conf :
      • defaultrouter="10.14.200.231"
      • hostname="dhieandz.stttelkom.ac.id"
      • ifconfig_rl1="inet 10.14.200.245 netmask 255.255.255.0"
      • ifconfig_rl1_alias0="inet 172.16.1.1 netmask 255.255.255.0"
      • static_routes="jalancinta"
      • route_jalancinta="-net 10.14.3.0/24 10.14.200.1"
  • IP forwarding enabled; to do this, add the line gateway_enable="YES" to /etc/rc.conf
  • ARP proxy enabled

The installation and configuration process is as follows:

poptop :

cd /usr/ports/net/poptop

make install clean (just wait a moment.)

The poptop configuration is explained as follows:

In the file /usr/local/etc/pptpd.conf add the following lines:

debug
nobsdcomp
proxyarp
localip 10.14.200.245
remoteip 172.16.1.2-172.16.1.254
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless
#added
noipparam

In the file /etc/ppp/ppp.conf add the following lines:

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
# Server (local) IP address, Range for Clients, and Netmask
# if you want to use NAT use private IP addresses
set ifaddr 172.16.1.1 172.16.1.2-172.16.1.254 255.255.255.255
add default HISADDR
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
disable pap
# Authenticate against /etc/passwd
#enable passwdauth
disable ipv6cp
enable proxy
accept dns
enable MSChapV2
enable mppe
disable deflate pred1
deny deflate pred1
set dns 10.14.203.7
set device !/etc/ppp/secure

Dizzy yet??? ehehehhehe……relax, there's still more. This time add the lines below to the file /etc/ppp/ppp.secure :

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

Now all that's left is to create the file that holds the users and their passwords. Put it at /etc/ppp/ppp.secret. For example:

# user    password
tunk      wew
astro     lala
raiden    vani
Now just test whether poptop runs or not. To test it, simply run pptpd from your favourite console. To be sure, check with sockstat:

su-2.05b# sockstat |grep pptpd
root pptpd 2843 5 dgram -> /var/run/logpriv
root pptpd 2843 6 tcp4 *:1723 *:*

phew………. poptop is done now. All that's left is configuring squid

SQUID

Installation is via ports too, just make install clean. Enable delay pools. The most important thing, which must be underlined here, is the listen IP address. The initial setting was as follows (before poptop was there)

http_port 10.14.200.245:7777 changed to http_port 172.16.1.1:7777 (after poptop is running)

Further squid configuration will not be covered here. RTFM…………

Box C

hmmm……configuring the client is really easy: just set the VPN server address to 10.14.200.245 with a user + password matching the ones above. When I built this VPN server, the clients were Windows XP Professional + Linux + BSD, and all of them worked. And don't forget to change the proxy address in your web browser to 172.16.1.1:7777.

Now…. to be more certain, check on the server side and the client side when the client dials up to the server. Below is the ifconfig output from the server side and the client side

server :

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1398
inet 172.16.1.1 --> 172.16.1.53 netmask 0xffffffff
Opened by PID 2911
ppp0: flags=108010<POINTOPOINT,MULTICAST,NEEDSGIANT> mtu 1500
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1498
inet 172.16.1.1 --> 172.16.1.20 netmask 0xffffffff
Opened by PID 3020

client (BSD):

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.14.15.27 netmask 0xffffff00 broadcast 10.14.15.255
ether 00:11:11:01:e2:34
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1396
inet 172.16.1.20 --> 172.16.1.1 netmask 0xffffffff

here's the squid log:

1195729649.843 636 172.16.1.53 TCP_MISS/200 8149 GET http://www.detiksport.com/content_images/content/2007/10/19/75/Dudek-realmadrid.jpg - DIRECT/202.158.66.94 image/jpeg
1195729847.306 25770 172.16.1.53 TCP_MISS/200 683742 GET http://sb.google.com/safebrowsing/update? - DIRECT/216.239.51.91 text/html
1195730008.795 3164 172.16.1.53 TCP_MISS/200 414 POST http://cipitunk.wordpress.com/wp-admin/admin-ajax.php - DIRECT/66.135.48.251 text/html
1195730247.836 2186 172.16.1.53 TCP_MISS/200 414 POST http://cipitunk.wordpress.com/wp-admin/admin-ajax.php - DIRECT/66.135.48.253 text/html
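The whole point of putting squid on the 172.16.1.1 alias is that every request in access.log carries the tunnel address the VPN handed out, so each line can be tied back to an authenticated user (in the first post, via the Framed-IP-Address row in radreply; here, via the ppp.secret login that got the tun address in the ifconfig output). The following is an added example, not code from the page: a parser for squid's native log format run over the four lines above, plus one constructed line from 172.16.1.77, an address no user was given, which a defender would want flagged because it means something other than a VPN client reached the proxy. The address-to-user mapping, the extra log line and the function names are mine.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Four lines from the page's access.log plus one constructed line (172.16.1.77)
# from an address that no VPN user was assigned.
SAMPLE_LOG = """\
1195729649.843 636 172.16.1.53 TCP_MISS/200 8149 GET http://www.detiksport.com/content_images/content/2007/10/19/75/Dudek-realmadrid.jpg - DIRECT/202.158.66.94 image/jpeg
1195729847.306 25770 172.16.1.53 TCP_MISS/200 683742 GET http://sb.google.com/safebrowsing/update? - DIRECT/216.239.51.91 text/html
1195730008.795 3164 172.16.1.53 TCP_MISS/200 414 POST http://cipitunk.wordpress.com/wp-admin/admin-ajax.php - DIRECT/66.135.48.251 text/html
1195730247.836 2186 172.16.1.53 TCP_MISS/200 414 POST http://cipitunk.wordpress.com/wp-admin/admin-ajax.php - DIRECT/66.135.48.253 text/html
1195730300.000 120 172.16.1.77 TCP_MISS/200 512 GET http://example.invalid/ - DIRECT/192.0.2.10 text/html
"""

# Constructed mapping: what the tunnel addresses resolve to (radreply's
# Framed-IP-Address rows, or the tun peers in the ifconfig output).
IP_TO_USER = {"172.16.1.53": "tunk", "172.16.1.20": "astro"}


def parse_squid_line(line):
    """Parse one native-format access.log line into a dict, or None if malformed.

    Native format: time elapsed client code/status bytes method URL ident
    hierarchy/peer content-type (ten whitespace-separated fields).
    """
    fields = line.split()
    if len(fields) != 10:
        return None
    ts, elapsed, client, code_status, size, method, url, _ident, _hier, ctype = fields
    code, _, status = code_status.partition("/")
    return {
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(),
        "elapsed_ms": int(elapsed),
        "client": client,
        "result": code,
        "status": int(status),
        "bytes": int(size),
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "content_type": ctype,
    }


def summarize(log_text, ip_to_user):
    """Per-user request totals; records from unmapped client addresses are returned separately."""
    stats = {}
    unmapped = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        user = ip_to_user.get(rec["client"])
        if user is None:
            # No VPN user owns this address: not a tunnel client.
            unmapped.append(rec)
            user = "unmapped:" + rec["client"]
        s = stats.setdefault(user, {"requests": 0, "bytes": 0, "posts": 0, "hosts": set()})
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["method"] == "POST":
            s["posts"] += 1
        s["hosts"].add(rec["host"])
    return stats, unmapped


if __name__ == "__main__":
    totals, strays = summarize(SAMPLE_LOG, IP_TO_USER)
    for user, s in totals.items():
        print(user, s["requests"], s["bytes"], sorted(s["hosts"]))
    for rec in strays:
        print("unmapped client:", rec["client"], rec["time"], rec["url"])
```

Run on the real file, the mapping would come from the radius database (or from ppp.secret plus the tun peers) rather than a literal dict; the unmapped list staying empty is the quick check that http_port really is bound to the alias only and nothing else can reach the proxy.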

hohoho………. all done, but… something is still missing. hmmm, if a program were written to manage the users, that would be great. ehuehueheuheue……

Hopefully this documentation is useful for all my friends… keep tinkering..

thanks to : indofreebsd.or.id, kichung a.k.a boyfriend

sorry if the language is a bit messed up coz this was written while wasted after drinking 3 bottles of heineken :(