WIXLIB

This material is based on work supported by theNational Science Foundation under Grant No. 0802551Any opinions, findings, and conclusions or recommendations expressed in this material are those ofthe author (s) and do not necessarily reflect the views of the National Science FoundationC5L2S1

A virtual private network (VPN ) is a special connection betweencomputers that allows a user to connect remotely to othercomputer systems or networks using a private, secure, encryptedchannel that prevents others from viewing the contents of thecommunication between the computers.VPN is a very useful technology for employees working remotelyor employees who need to connect to remote computer systemsU thein a secure manner. VPN may be used on local networks or acrossthe Internet. Consequently, it is a very important tool.In this lesson, you will explore virtual private networks,tunneling, SSH, installation of a VPN server, and other relatedtechnologies. Understanding VPN technology and the variousways it is implemented and used is a necessary skill for Linuxadministrators. A misconfigured VPN can pose serious threats toan organization. So learn it well!C5L2S2

You should know what will be expected of you whenyou complete this lesson. These expectations arepresented as objectives. Objectives are shortstatements of expectations that tell you what youmust be able to do, perform, learn, or adjust afterreviewing the lesson.U theLesson Objective:Given the need to secure data communications, thestudent will be able to propose appropriate tools tosecure data during remote data transmissionsbetween two or more systems and will be able toconfigure VPN service between computer systemsacross the Internet to facilitate secure transmissions.C5L2S3

In this lesson, you will explore: Virtual Private NetworksIPSec Virtual Private NetworksPPTP Virtual Private NetworksSSH / SSL TunnelsThe PPTPD VPN ServerC5L2S4

This lesson uses Fedora Linux for demonstration. Tocomplete this lesson successfully, you must haveaccess to: Fedora Linux on bare metal or as a virtual install 10 Gb of hard drive space dedicated to theoperating system’s use A command shell Internet for research Word processorResources: Download Virtualbox Virtualbox for Linux Hosts Install Fedora to Virtualbox Virtualbox manual Using Virtualbox with Ubuntu(process similar to Fedora)Use the resources on the right to configure yoursystem for Fedora.C5L2S5

This lesson includes a tutorial on installation and configuration ofa virtual private network (VPN). It is critical you only attempt tofollow these instructions on your personal home network or anetwork provided in a computer lab by your school for thispurpose.Do not attempt VPN install or configuration on a public schoolnetwork or your employer’s network . Failure to take heed mayresult in your termination or loss of employment.The VPN setup and the firewall changes demonstrated could beseen as a FERPA and/or HIPAA violation if configured incorrectlyor without permission in certain settings. If done on youremployer’s network, you may also be in violation of thecompany’s computer usage agreement.Most networks have a single VPN setup and monitored by the ITdepartment—not rogue Linux Administration students practicingtheir VPN setups. Be wise!C5L2S6

When Internet communications first started, information was unencrypted andsent via text. Services such as Telnet, FTP, and even email where left open tointerception and copying (theft) of data at multiple points along the way.As the use of the Internet grew, so did the need for secure communications.Credit card transactions, banking transactions, and any other personalinformation required the need for security, so a firewall was used. The firewallwas installed to keep un-wanted people away from private data. Employeeswithin the company would be able to access the Internet, but users outside wouldnot be able to access information within.This updated security created additional problems for remote users. For instance,employees working from home or from clients’ sites or other locations would nolonger have access to the company’s internal network or to resources available tousers in the main office (those within the network) because the firewall wouldblock access.Required Reading Why Use VPN? VPNThe goal of VPN is to provide a secure method for remote users to access aninternal network, or specific internal networked resources. The data is sent in anencrypted format, and anyone who tries to copy the data stream would only getnonsensical data or gibberish.C5L2S7

There are two types of VPN’s:The first is the Remote-Access type. This type of VPN is commonly usedfor an individual to access a central network. We will call this a User-toLAN connection. The user connects to the Internet from any ISP (InternetService Provider) and then creates a secure connection to the centralnetwork. Once that secure connection is created, he or she can accessthe the resources on that central network.The second type of VPN is a Site-To-Site VPN. With this VPN, an entirelocation (or remote network) may be connected to a main network. Anexample of this would be a bank with several connected branches. Themain office would have a network and then each branch would have asecure connection (VPN) into the man office so communications andsharing of resources between the two sites would be secure.Recommended Reading How Does VPN Work?Both of these networks allow the user(s) in the remote location to be afull part of the internal central network without fear of security and databreaches.C5L2S8

The well designed VPN is both fast and secure. It will contain as many of the following features aspossible:Data Security: This is the most important service that any VPN provides. All Internet traffic is routedover public networks and is visible to all computers in it’s path. Therefore data encryption andconfidentiality is critical. Encryption is the process of taking all the data that one computer istransmitting and encoding it into a form that only the other computer will be able to decode.Data Integrity: Data must not be changed while it is in transit, and the reliable VPN includes checks toensure that data does not change. Data changing during transmission is a sign of tampering.Data Origin Authentication: The VPN must verify the source of the data. The identity of the sender canbe spoofed (or faked) and the VPN server must know the true source of the data.Anti Replay: The VPN server must be able to detect and reject replayed (or duplicated) packets andthis helps prevent spoofing.Data Tunneling/Traffic Flow Confidentiality: Tunneling is the process of encapsulating (or hiding) anentire packet of data inside of another packet while sending it over the network. Data tunneling ishelpful when you may wish to hide the identity of the sending device. Only the trusted peer (orreceiving system) is able to identify the true source of data.C5L2S9

Most VPN’s use one of these protocols to provide encryption:IPSec: Internet Protocol Security Protocol (IPSec) provides enhancedsecurity features such as stronger encryption algorithms and morecomprehensive authentication. IPSec has two encryption modes: Tunneland Transport.The tunnel mode encrypts the header and the payload of each packetwhile the transport mode only encrypts the payload. The payload is thedata being sent, and the header is the identifying information for eachpacket. Only systems that are IPsec compliant can use this protocol. Allof the devices must have a common key or certificate and must havevery similar security policies setup.Recommended Reading How Stuff WorksPPTP/MPPE: PPTP was created by the PPTP Forum, a consortium whichincludes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics.PPTP supports multi-protocol VPNs with 40-bit and 128-bit encryptionusing a protocol called Microsoft Point-to-Point Encryption (MPPE). It isimportant to realize that by itself, PPTP does not provide dataencryption.Continued on next screen . . .C5L2S10

L2TP/IPsec: Commonly called L2TP over IPSec, this provides the securityof the IPsec protocol over the tunneling of Lay 2 Tunneling Protocol(L2TP). L2TP is the product of a partnership between the members ofthe PPTP forum, Cisco, and the Internet Engineering Task Force (IETF).This protocol is primarily used for remote access with VPN’s since theWindows 2000 operating system. Internet Service Providers (ISPs) canalso provide L2TP connections for dial-in users, and then encrypt thattraffic with IPsec between their access-point and the remote officenetwork server.Recommended Reading How Stuff WorksSSH/SSL: SSL stands for Secure Socket Layer, and SSH is a secure shell. Itis possible to create a tunnel between two computers by using acombination of SSH and SSL. The client (or remote) computer wouldstart an SSH session to a computer on the main network. In turn, thisclient would tunnel all of it’s communication over this tunnel, thusencrypting the flow of data.C5L2S11

There are several VPN products available including: Desktop software client for each remote user Dedicated hardware such as a VPN concentrator orFirewall Dedicated VPN server for dial-up services Network Access Server (NAS) used by service provider forremote user VPN access Private network and policy management center.Recommended Reading Choosing VPNThe Linux VPN we will setup is a cross between the DedicatedVPN server and the Desktop Software client for each remoteuser.C5L2S12

Setup and Configuration

You will need to gather and document the following before settingup your VPN: Server External IP address: This is the external or public IPaddress of your server. Server Internal IP address: This is the internal IP address of theserver. Server Gateway address: Your outbound gateway IP address,sometimes called the “next hop” Server DNS: The Domain Name Service IP addresses provided byyour ISP. Client’s IP Address: Helpful information to know.Recommended Reading IP LookupYou can get the external IP addresses for both client and server byusing a web browser on the respective machine and going s.comOnce you have this information, you may continue the lesson.C5L2S14

If you use VirtualBox to setup your VPN, you MUST have two physicalnetwork cards on the test computer or you must have access to a dedicatedFedora server that has a public IP address. If your test machine has twonetwork cards, follow these directions:1.2.3.4.5.6.7.8.9.Open VirtualBox, but do not start the machine.From VirtualBox manager, select (highlight) your virtual Fedora installand then click the Settings icon on the menu bar.Click the Networks icon on the menu bar.Change the Attached to combo box to Bridged Adapter for any activenetwork interfaces.Do the same for the second virtual machine. (I will be using a VM runningWindows XP.)Make sure both virtual machines are found using a separate connectionand thus on two separate networks.Save your settings.Start your Fedora virtual machine.Log in. We will continue the installation on the next screen.Select PLAY below for avideo on Virtual Boxsettings.View ded Reading VirtualBox NetworkThe setting of the Bridged Adapter allows the virtual machine to interact withthe network on its own and not share the IP address of the host machine.C5L2S15

Bridged networksettings for VirtualBoxC5L2S16