Point-to-Point VPN + Firewall + Router (sorta) - What should I use?
Here's the scenario:
I've got a number of remote sites that use a point-to-point VPN for WAN connectivity back to the data center. These are consistent tunnels with no restrictions provided by Cisco PIX firewalls (well, a newer one is an ASA). Now I need another point-to-point VPN - but I can't buy anything. So I thought perhaps I could configure a couple of FreeBSD boxes to act, well, pretty much in place of what a PIX would do.

I'll need the VPN between the two boxes, and a firewall on at least one (one will be Internet-facing, the other I'm going to try putting in the DMZ of an existing PIX - but if that causes a problem with the VPN passthrough then it, too, will be Internet-facing). Internet traffic would also need to be filtered with firewall rules. And the second NIC on the boxes will need to be able to pass traffic to the inside network, of course. There's a router on the inside of both networks.

Alternatively, if I can establish a P2P VPN from a single FreeBSD box directly to an existing PIX 515, that would work too. But is that really as much fun?

So can I do this with existing ports for FreeBSD? If so, what recommendations do you folks have? Thanks!
Oh, I'm sorry, maybe this should be in Ports and Packages. I apologize if that's the case.
Although on OpenBSD, and not FreeBSD, have you seen http://www.securityfocus.com/infocus/1859?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Install /usr/ports/security/openvpn on the remote server (client) and the local server (server).
If you are going to have only a single remote system, then you can stick with the standard port 1194. If you are going to have multiple remote clients connecting back to a single, central hub system, you'll need a separate UDP port for each remote system.

On the client, edit /usr/local/etc/openvpn/openvpn.conf similar to:
Code:
# Device to use for the connection
dev tun0
# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.1 10.x.x.2
# Other options for the tunnel device
tun-mtu 1500
# Remote IP and port to connect to
remote 1.1.1.1 1194
# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key
# Run the daemon as a non-privileged user
user nobody
group nobody
daemon
# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key

On the local server, install OpenVPN and configure it similar to:
Code:
# Device to use for the connection
dev tun0
# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.2 10.x.x.1
# Other options for the tunnel device
tun-mtu 1500
# Remote IP and port to connect to
remote 2.2.2.2 1194
# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key
# Run the daemon as a non-privileged user
user nobody
group nobody
daemon
# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key

On one of the systems, run openvpn -genkey to generate a pre-shared key. Copy that to /usr/local/etc/openvpn/openvpn.key on both systems, and chown the file to root:wheel and chmod it to 600.

Add openvpn_enable="YES" to /etc/rc.conf on each system. Then run /usr/local/etc/rc.d/openvpn start to establish the connection. After that, you can either:

You need to allow UDP traffic on port 1194 between the two hosts, so there shouldn't be any problems with passing traffic through the PIX firewall. And that's about it, for the simple case.
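The firewall and routing half of the question, as a pf ruleset for the Internet-facing box that sits alongside the OpenVPN setup above; this is an added example, not from any post in this thread, and the interface names, the inside subnets and the rc.conf/route notes are assumptions (the peer address is the placeholder from the posted configs):

```pf
# /etc/pf.conf for the Internet-facing FreeBSD endpoint (added example; names are assumed)
# Forwarding between the inside networks also needs gateway_enable="YES" in /etc/rc.conf
# and a route to $remote_lan pointing at the tunnel (not shown here).
ext_if     = "em0"              # Internet-facing NIC (assumed)
int_if     = "em1"              # NIC toward the inside router (assumed)
vpn_if     = "tun0"             # tunnel device from the OpenVPN configs above
peer       = "2.2.2.2"          # far endpoint's public address (placeholder from the posted config)
lan        = "192.168.10.0/24"  # inside network behind this box (assumed)
remote_lan = "192.168.20.0/24"  # inside network behind the far endpoint (assumed)

set skip on lo0
scrub in all

# Inside hosts reach the Internet through this box's public address
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in both directions; log what gets dropped
block in log all
block out log all
antispoof quick for { $ext_if $int_if }

# Management only from the inside
pass in on $int_if proto tcp from $lan to ($int_if) port 22 keep state

# The only thing the Internet may talk to is OpenVPN, and only from the known peer
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port 1194 keep state
pass out quick on $ext_if proto udp from ($ext_if) to $peer port 1194 keep state

# Inside hosts may go out; replies are matched by state, nothing unsolicited comes in
pass in  on $int_if from $lan to any keep state
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state

# Traffic between the two inside networks is only allowed across the tunnel
pass out on $vpn_if from $lan to $remote_lan keep state
pass in  on $vpn_if from $remote_lan to $lan keep state
pass out on $int_if from $remote_lan to $lan keep state
```

Parse it with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch the log interface with tcpdump -n -e -ttt -i pflog0 to see what the default-deny rules are dropping.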
Awesome, thanks for taking the time to write all that! I'm working on testing this all in a virtual environment right now. I'll post my successes and tear-inducing failures here...