DaemonForums  

#1 - 3rd July 2008 - Bruco

Point-to-Point VPN + Firewall + Router (sorta) - What should I use?

Here's the scenario:

I've got a number of remote sites that use a point-to-point VPN for WAN connectivity back to the data center. These are consistent tunnels with no restrictions provided by Cisco PIX firewalls (well, a newer one is an ASA).

Now I need another point-to-point VPN - but I can't buy anything. So I thought perhaps I could configure a couple FreeBSD boxes to act, well, pretty much in place of what a PIX would do.

I'll need the VPN between the two boxes, and firewall on at least one (one will be Internet-facing, the other I'm going to try putting in the DMZ of an existing PIX - but if that causes a problem with the VPN passthrough then it, too, will be Internet-facing). Internet traffic would also need to be filtered with firewall rules. And the second NIC on the boxes will need to be able to pass traffic to the inside network, of course. There's a router on the inside of both networks.

Alternatively, if I can establish a P2P VPN from a single FreeBSD box directly to an existing PIX 515, that would work too. But is that really as much fun?

So can I do this with existing ports for FreeBSD? If so, what recommendations do you folks have?

Thanks!

#2 - 3rd July 2008 - Bruco

Oh, I'm sorry, maybe this should be in Ports and Packages. I apologize if that's the case.

#3 - 3rd July 2008 - J65nko (Administrator)

Although on OpenBSD, and not FreeBSD, have you seen http://www.securityfocus.com/infocus/1859?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#4 - 4th July 2008 - phoenix

OpenVPN is very easy to set up. And once the tunnel is established and the tun device is enabled, you either configure a route to direct all traffic through the VPN interface, or you use IPFW divert rules to send specific data through the VPN link. (If you want examples on that, let me know and I'll post some from our setup at work.)
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.

#5 - 4th July 2008 - Bruco

Quote:
Originally Posted by J65nko
    Although on OpenBSD, and not FreeBSD, have you seen http://www.securityfocus.com/infocus/1859?

Ah, very slick. Thank you. I haven't used OpenBSD yet, but I think I'll try this out with a couple of virtual boxes, see what I can see.

Quote:
Originally Posted by phoenix
    OpenVPN is very easy to set up. And once the tunnel is established and the tun device is enabled, you either configure a route to direct all traffic through the VPN interface, or you use IPFW divert rules to send specific data through the VPN link. (If you want examples on that, let me know and I'll post some from our setup at work.)

I'd definitely be interested in seeing some examples, thank you.

#6 - 5th July 2008 - phoenix

Install /usr/ports/security/openvpn on the remote server (client) and the local server (server).

If you are going to have only a single remote system, then you can stick with the standard port 1194. If you are going to have multiple remote clients connecting back to a single, central hub system, you'll need a separate UDP port for each remote system.

On the client, edit /usr/local/etc/openvpn/openvpn.conf similar to:
Code:
    # Device to use for the connection
    dev tun0

    # IP addresses for the tunnel (local remote)
    ifconfig 10.x.x.1 10.x.x.2

    # Other options for the tunnel device
    tun-mtu 1500

    # Remote IP and port to connect to
    remote 1.1.1.1 1194

    # Pre-shared key file
    secret /usr/local/etc/openvpn/openvpn.key

    # Run the daemon as a non-privileged user
    user nobody
    group nobody
    daemon

    # Keep the tun device open and the key loaded in RAM
    persist-tun
    persist-key

The ifconfig line configures the tun device, and gives each end of the tunnel a private IP. The remote line tells the OpenVPN daemon where to send the encrypted packets (the public IP of the hub server). The 1194 is the UDP port to be used for this connection.

On the local server, install OpenVPN and configure it similar to:
Code:
    # Device to use for the connection
    dev tun0

    # IP addresses for the tunnel (local remote)
    ifconfig 10.x.x.2 10.x.x.1

    # Other options for the tunnel device
    tun-mtu 1500

    # Remote IP and port to connect to
    remote 2.2.2.2 1194

    # Pre-shared key file
    secret /usr/local/etc/openvpn/openvpn.key

    # Run the daemon as a non-privileged user
    user nobody
    group nobody
    daemon

    # Keep the tun device open and the key loaded in RAM
    persist-tun
    persist-key

Here, the ifconfig line is reversed, and the remote line has the public IP of the remote (client) system.

On one of the systems, run openvpn -genkey to generate a pre-shared key. Copy that to /usr/local/etc/openvpn/openvpn.key on both systems, and chown the file to root:wheel and chmod it to 600.

Add openvpn_enable="YES" to /etc/rc.conf on each system. Then run /usr/local/etc/rc.d/openvpn start to establish the connection.

After that, you can either:
  • add static routes that direct traffic through tun0, or
  • use IPFW fwd rules to direct specific traffic through the tunnel
You should also be able to use pf rdr rules to do the same, but I have no experience with pf.

You need to allow UDP traffic on port 1194 between the two hosts, so there shouldn't be any problems with passing traffic through the PIX firewall.

And that's about it, for the simple case.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
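
The procedure in the post above (mirrored static-key configs on both ends, a pre-shared key locked down to mode 600, then start the daemons), as an added example that is not code from this thread or from the OpenVPN project. It writes the two openvpn.conf files from one function so the ifconfig addresses cannot be mis-mirrored by hand, installs the key with the permissions the post calls for, and checks the pair against each other before either side is started, which is the mistake most often made when this is done by hand. The hub/spoke names, the 10.8.0.0/24 tunnel addresses and the public IPs 203.0.113.20 and 198.51.100.10 are assumptions for illustration; the constructed key in build_pair is a dummy for offline use and stands in for the output of openvpn --genkey. The static route / IPFW step that follows is left as the post describes it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project:
# builds the mirrored pair of static-key point-to-point configs the post
# describes, installs the pre-shared key with the permissions it calls for,
# and checks the two ends against each other before either daemon is started.
# The hub/spoke names, the 10.8.0.0/24 tunnel addresses and the public IPs
# 203.0.113.20 / 198.51.100.10 are assumptions chosen for illustration.

# write_p2p_conf OUTFILE LOCAL_TUN_IP REMOTE_TUN_IP REMOTE_PUBLIC_IP PORT KEYFILE
# Writes one end of the tunnel; the peer gets the same call with the two
# tunnel addresses swapped and its own idea of the remote public IP.
write_p2p_conf() {
    out=$1; ltun=$2; rtun=$3; rpub=$4; port=$5; key=$6
    cat > "$out" <<EOF
# Generated static-key point-to-point config
dev tun0
# Tunnel endpoints: local address first, remote second (reversed on the peer)
ifconfig $ltun $rtun
tun-mtu 1500
# Public IP and UDP port of the peer
remote $rpub $port
secret $key
user nobody
group nobody
daemon
persist-tun
persist-key
EOF
}

# conf_get FILE DIRECTIVE: print the arguments of the first matching directive
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# install_key SRC DST: copy the pre-shared key and lock it to mode 0600,
# owned by root:wheel when run as root (as the post recommends). In production
# the key is generated once with: openvpn --genkey --secret openvpn.key
install_key() {
    cp "$1" "$2" && chmod 600 "$2" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:wheel "$2" 2>/dev/null || chown root "$2"; fi
}

# key_mode_ok FILE: true only if the key is exactly mode 0600
# (on a live box also confirm the owner: find FILE -user root -perm 0600)
key_mode_ok() {
    [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# verify_pair CONF_A CONF_B KEY_A KEY_B: true if the two ends mirror each other
# (ifconfig addresses swapped, same UDP port, identical locked-down key).
verify_pair() {
    ca=$1; cb=$2; ka=$3; kb=$4
    set -- $(conf_get "$ca" ifconfig); al=${1:-}; ar=${2:-}
    set -- $(conf_get "$cb" ifconfig); bl=${1:-}; br=${2:-}
    if [ -z "$al" ] || [ "$al" != "$br" ] || [ "$ar" != "$bl" ]; then
        echo "verify_pair: ifconfig lines are not mirrored" >&2; return 1
    fi
    set -- $(conf_get "$ca" remote); pa=${2:-}
    set -- $(conf_get "$cb" remote); pb=${2:-}
    if [ -z "$pa" ] || [ "$pa" != "$pb" ]; then
        echo "verify_pair: UDP ports differ ($pa vs $pb)" >&2; return 1
    fi
    cmp -s "$ka" "$kb" || { echo "verify_pair: pre-shared keys differ" >&2; return 1; }
    key_mode_ok "$ka" && key_mode_ok "$kb" || { echo "verify_pair: key file is not mode 0600" >&2; return 1; }
    return 0
}

# build_pair DIR [SPOKE_TUN_IP]: write hub + spoke into DIR using a constructed
# dummy key (offline) and verify them; the optional second argument lets a
# caller deliberately break the mirroring and watch the check fire.
build_pair() {
    d=$1; spoke_local=${2:-10.8.0.2}
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' \
        '00112233445566778899aabbccddeeff' \
        '-----END OpenVPN Static key V1-----' > "$d/openvpn.key"
    install_key "$d/openvpn.key" "$d/hub.key"   || return 1
    install_key "$d/openvpn.key" "$d/spoke.key" || return 1
    # Hub (data-centre end): its own tunnel IP first, the spoke's public IP as remote
    write_p2p_conf "$d/hub.conf"   10.8.0.1 10.8.0.2 203.0.113.20 1194 "$d/hub.key"
    # Spoke (remote site): addresses reversed, the hub's public IP as remote
    write_p2p_conf "$d/spoke.conf" "$spoke_local" 10.8.0.1 198.51.100.10 1194 "$d/spoke.key"
    verify_pair "$d/hub.conf" "$d/spoke.conf" "$d/hub.key" "$d/spoke.key"
}

# demo [SPOKE_TUN_IP]: scratch-directory run; exit status 0 means the pair
# passed verification and could be copied into /usr/local/etc/openvpn/ on each box
demo() {
    d=$(mktemp -d) || return 1
    build_pair "$d" "$@"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `demo` for the good pair and `demo 10.8.0.3` to see the check reject a spoke whose ifconfig line was not reversed; the same verify_pair can be pointed at the real files on both hosts (over scp or a shared path) before the rc.d start in the post. The mode check uses find -perm 0600, which is an exact-match test on both FreeBSD and GNU find, so a key that was left group- or world-readable after a sloppy copy fails verification.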

#7 - 5th July 2008 - Bruco

Awesome, thanks for taking the time to write all that! I'm working on testing this all in a virtual environment right now. I'll post my successes and tear-inducing failures here...