SlideShare una empresa de Scribd logo

Npppd: easy vpn with OpenBSD

Giovanni Bechis
Giovanni Bechis

This talk is about npppd, a new vpn software included with OpenBSD 5.3.

Tecnología
1 de 24
Descargar para leer sin conexión
Npppd: easy vpn with OpenBSD Giovanni Bechis giovanni@openbsd.org Institute of Biostructures and Bioimaging, Napoli, Italy Apr 6, 2013
A little presentation sysadmin and web developer at SnB, my own software house developer for OpenBSD every now and then, developer for some other open source software
The initial problem two offices and some people with their laptop who wish to use their main software remotely
The proposed solution the two offices has been connected to a Windows Server in a web farm with the terminal server connections protected by a vpn
Vpn software Vpn software that could be used for this setup on our OpenBSD firewall: iked(8) openvpn poptop npppd(8)
npppd(8) main features it is a PPP and tunneling daemon which supports PPTP, L2TP and PPPoE it can authenticate using a local file or a remote radius server it can use pipex(4) to accelerate ip packets forwarding it can use tun(4) or pppx(4) interfaces to tunnel packets
npppd(8) short story npppd(8) has been initially developed by IIJ it first appeared in OpenBSD 5.3
npppd(8) configuration the configuration file is /etc/npppd/npppd.conf the configuration file format has changed a lot during development
npppd.conf(5) ”Basic” npppd(8) configuration authentication LOCAL type local { users-file "/etc/npppd/npppd-users" } tunnel PPTP_ipv4 protocol pptp { listen on 0.0.0.0 } ipcp IPCP { pool-address 10.0.0.2-10.0.0.100 dns-servers 192.168.0.254 } interface pppx0 address 10.0.0.1 ipcp IPCP bind tunnel from PPTP_ipv4 authenticated by LOCAL to pppx0
npppd-users(5) npppd-users(5) file format alex: :password=alex’s password: :framed-ip-address=10.0.0.33: john: :password=john’s password:
npppd.conf(5) ”Advanced” npppd(8) configuration authentication RADIUS type radius { authentication-server { address 192.168.0.1 secret "hogehoge" } } tunnel L2TP_ipv4 protocol l2tp { listen on 0.0.0.0 } ipcp IPCP { pool-address 10.0.0.2-10.0.0.100 dns-servers 192.168.0.254 } interface pppx0 address 10.0.0.1 ipcp IPCP bind tunnel from L2TP_ipv4 authenticated by RADIUS to pppx0
l2tp setup to setup an l2tp tunnel you have to configure both npppd.conf and ipsec.conf your pf.conf setup should be changed accordingly
ipsec.conf(5) Ipsec setup for l2tp tunnels public_ip = "1.2.3.4" ike passive esp transport proto udp from $public_ip to any port 1701 main auth "hmac-sha1" enc "aes" group modp2048 quick auth "hmac-sha1" enc "3des" psk "mysecret"
pf.conf(5) Pf setup for l2tp tunnels pass quick proto { esp, ah } from any to any pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state pass on enc0 from any to any keep state (if-bound)
npppd monitoring To monitor npppd vpn sessions you can use npppctl # npppctl session all Ppp Id = 18 Ppp Id : 18 Username : giovanni Realm Name : radius Concentrated Interface : tun1 Assigned IPv4 Address : 192.168.255.205 Tunnel Protocol : PPTP Tunnel From : 151.71.144.16:31342 Start Time : 2013/02/04 11:35:24 Elapsed Time : 131 sec (2 minutes) Input Bytes : 11256 (11.0 KB) Input Packets : 130 Input Errors : 0 (0.0%) Output Bytes : 19241 (18.8 KB) Output Packets : 160 Output Errors : 17 (9.6%)
npppd monitoring If you use pppx(4) interfaces you can have some info from the ifconfig command too # ifconfig pppx0 pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360 description: giovanni priority: 0 groups: pppx inet 192.168.255.1 --> 192.168.255.205 netmask 0xffffffff
npppd monitoring As usual, with ipsec, ipsecctl is your friend # ipsecctl -s all FLOWS: flow esp in proto udp from 9.2.71.195 port l2tp to 192.168.2.250 port l2tp peer 9.2.71.195 srcid 192.168.2.250/32 dstid 192.168.1.101/32 type use flow esp out proto udp from 192.168.2.250 port l2tp to 9.2.71.195 port l2tp peer 9.2.71.195 srcid 192.168.2.250/32 dstid 192.168.1.101/32 type require SAD: esp transport from 192.168.2.250 to 9.2.71.195 spi 0x41f46e6a auth hmac-sha1 enc aes esp transport from 9.2.71.195 to 192.168.2.250 spi 0x6d7d8716 auth hmac-sha1 enc aes
Vpn gui interface
Vpn gui interface
Vpn gui interface
Microsoft tips and Microsoft bugs Microsoft, dns, kerberos and mtu
Microsoft tips and bugs ipsec nat-t support Windows Registry Editor Version 5.00 [HKLMSYSTEMCurrentControlSetServicesPolicyAgent] "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
npppd future fixing bugs better integration with pf arp cache support
Thank you for your attention! Questions?

Recomendados

How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsHow Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsUday Bhatia
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1ariesubagyo
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)Suraj Kumar
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 

Recomendados

How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsHow Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsUday Bhatia
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1ariesubagyo
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)Suraj Kumar
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCPOlivier Bonaventure
 
VPN presentation
VPN presentationVPN presentation
VPN presentationRiazehri
 
Ip sec
Ip secIp sec
Ip secShiva Krishna Chandra Shekar
 
Types of VPN
Types of VPNTypes of VPN
Types of VPNNetProtocol Xpert
 
Cisco Certified Network Associate
Cisco Certified Network AssociateCisco Certified Network Associate
Cisco Certified Network AssociateSumit K Das
 
Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm Abdullaziz Tagawy
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01mrmr2010i
 
Multipath TCP as Security Solution
Multipath TCP as Security SolutionMultipath TCP as Security Solution
Multipath TCP as Security SolutionNishant Pawar
 
Dotnet network prog_chap07
Dotnet network prog_chap07Dotnet network prog_chap07
Dotnet network prog_chap07Truong NGUYEN
 
XMPP, HTTP and UPnP
XMPP, HTTP and UPnPXMPP, HTTP and UPnP
XMPP, HTTP and UPnPITVoyagers
 
Paper id 25201418
Paper id 25201418Paper id 25201418
Paper id 25201418IJRAT
 
internetworking operation
internetworking operationinternetworking operation
internetworking operationSrinivasa Rao
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2pDavide Carboni
 
SCTP Tutorial
SCTP TutorialSCTP Tutorial
SCTP TutorialAlok Kumar Singh ITIL®
 
Vpn
VpnVpn
VpnKamalPreet Saluja
 
TCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial ApplicationsTCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial ApplicationsAhmed Ayadi
 
6 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 200802066 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 20080206pauldeng
 
Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorYuuki Takano
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 

Más contenido relacionado

La actualidad más candente

VPN presentation
VPN presentationVPN presentation
VPN presentationRiazehri
 
Cisco Certified Network Associate
Cisco Certified Network AssociateCisco Certified Network Associate
Cisco Certified Network AssociateSumit K Das
 
Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm Abdullaziz Tagawy
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01mrmr2010i
 
Multipath TCP as Security Solution
Multipath TCP as Security SolutionMultipath TCP as Security Solution
Multipath TCP as Security SolutionNishant Pawar
 
Dotnet network prog_chap07
Dotnet network prog_chap07Dotnet network prog_chap07
Dotnet network prog_chap07Truong NGUYEN
 
XMPP, HTTP and UPnP
XMPP, HTTP and UPnPXMPP, HTTP and UPnP
XMPP, HTTP and UPnPITVoyagers
 
Paper id 25201418
Paper id 25201418Paper id 25201418
Paper id 25201418IJRAT
 
internetworking operation
internetworking operationinternetworking operation
internetworking operationSrinivasa Rao
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
 
TCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial ApplicationsTCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial ApplicationsAhmed Ayadi
 
6 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 200802066 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 20080206pauldeng
 

La actualidad más candente (19)

Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
 
VPN presentation
VPN presentationVPN presentation
VPN presentation
 
Ip sec
Ip secIp sec
Ip sec
 
Types of VPN
Types of VPNTypes of VPN
Types of VPN
 
Cisco Certified Network Associate
Cisco Certified Network AssociateCisco Certified Network Associate
Cisco Certified Network Associate
 
Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm Solving QoS multicast routing problem using aco algorithm
Solving QoS multicast routing problem using aco algorithm
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01
 
Multipath TCP as Security Solution
Multipath TCP as Security SolutionMultipath TCP as Security Solution
Multipath TCP as Security Solution
 
Dotnet network prog_chap07
Dotnet network prog_chap07Dotnet network prog_chap07
Dotnet network prog_chap07
 
XMPP, HTTP and UPnP
XMPP, HTTP and UPnPXMPP, HTTP and UPnP
XMPP, HTTP and UPnP
 
Paper id 25201418
Paper id 25201418Paper id 25201418
Paper id 25201418
 
internetworking operation
internetworking operationinternetworking operation
internetworking operation
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2p
 
SCTP Tutorial
SCTP TutorialSCTP Tutorial
SCTP Tutorial
 
Vpn
VpnVpn
Vpn
 
TCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial ApplicationsTCP over 6LoWPAN for Industrial Applications
TCP over 6LoWPAN for Industrial Applications
 
6 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 200802066 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 20080206
 

Similar a Npppd: easy vpn with OpenBSD

Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorYuuki Takano
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes Positive Hack Days
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
13048671.ppt
13048671.ppt13048671.ppt
13048671.pptLyVu51
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cliNetwax Lab
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Netwax Lab
 
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018DevOpsDays Tel Aviv
 
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)Igalia
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverTomaz Muraus
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコルRyousei Takano
 

Similar a Npppd: easy vpn with OpenBSD (20)

Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow Abstractor
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
FreeBSD VPN Server
FreeBSD VPN ServerFreeBSD VPN Server
FreeBSD VPN Server
 
13048671.ppt
13048671.ppt13048671.ppt
13048671.ppt
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osio
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cli
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
 
MPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdfMPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdf
 
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 server
 
Openvpn
OpenvpnOpenvpn
Openvpn
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
FD.io - The Universal Dataplane
FD.io - The Universal DataplaneFD.io - The Universal Dataplane
FD.io - The Universal Dataplane
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコル
 

Más de Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 

Más de Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 

Último

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Último (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Npppd: easy vpn with OpenBSD

  • 1. Npppd: easy vpn with OpenBSD Giovanni Bechis giovanni@openbsd.org Institute of Biostructures and Bioimaging, Napoli, Italy Apr 6, 2013
  • 2. A little presentation sysadmin and web developer at SnB, my own software house developer for OpenBSD every now and then, developer for some other open source software
  • 3. The initial problem two offices and some people with their laptop who wish to use their main software remotely
  • 4. The proposed solution the two offices has been connected to a Windows Server in a web farm with the terminal server connections protected by a vpn
  • 5. Vpn software Vpn software that could be used for this setup on our OpenBSD firewall: iked(8) openvpn poptop npppd(8)
  • 6. npppd(8) main features it is a PPP and tunneling daemon which supports PPTP, L2TP and PPPoE it can authenticate using a local file or a remote radius server it can use pipex(4) to accelerate ip packets forwarding it can use tun(4) or pppx(4) interfaces to tunnel packets
  • 7. npppd(8) short story npppd(8) has been initially developed by IIJ it first appeared in OpenBSD 5.3
  • 8. npppd(8) configuration the configuration file is /etc/npppd/npppd.conf the configuration file format has changed a lot during development
  • 9. npppd.conf(5) ”Basic” npppd(8) configuration authentication LOCAL type local { users-file "/etc/npppd/npppd-users" } tunnel PPTP_ipv4 protocol pptp { listen on 0.0.0.0 } ipcp IPCP { pool-address 10.0.0.2-10.0.0.100 dns-servers 192.168.0.254 } interface pppx0 address 10.0.0.1 ipcp IPCP bind tunnel from PPTP_ipv4 authenticated by LOCAL to pppx0
  • 10. npppd-users(5) npppd-users(5) file format alex: :password=alex’s password: :framed-ip-address=10.0.0.33: john: :password=john’s password:
  • 11. npppd.conf(5) ”Advanced” npppd(8) configuration authentication RADIUS type radius { authentication-server { address 192.168.0.1 secret "hogehoge" } } tunnel L2TP_ipv4 protocol l2tp { listen on 0.0.0.0 } ipcp IPCP { pool-address 10.0.0.2-10.0.0.100 dns-servers 192.168.0.254 } interface pppx0 address 10.0.0.1 ipcp IPCP bind tunnel from L2TP_ipv4 authenticated by RADIUS to pppx0
  • 12. l2tp setup to setup an l2tp tunnel you have to configure both npppd.conf and ipsec.conf your pf.conf setup should be changed accordingly
  • 13. ipsec.conf(5) Ipsec setup for l2tp tunnels public_ip = "1.2.3.4" ike passive esp transport proto udp from $public_ip to any port 1701 main auth "hmac-sha1" enc "aes" group modp2048 quick auth "hmac-sha1" enc "3des" psk "mysecret"
  • 14. pf.conf(5) Pf setup for l2tp tunnels pass quick proto { esp, ah } from any to any pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state pass on enc0 from any to any keep state (if-bound)
  • 15. npppd monitoring To monitor npppd vpn sessions you can use npppctl # npppctl session all Ppp Id = 18 Ppp Id : 18 Username : giovanni Realm Name : radius Concentrated Interface : tun1 Assigned IPv4 Address : 192.168.255.205 Tunnel Protocol : PPTP Tunnel From : 151.71.144.16:31342 Start Time : 2013/02/04 11:35:24 Elapsed Time : 131 sec (2 minutes) Input Bytes : 11256 (11.0 KB) Input Packets : 130 Input Errors : 0 (0.0%) Output Bytes : 19241 (18.8 KB) Output Packets : 160 Output Errors : 17 (9.6%)
  • 16. npppd monitoring If you use pppx(4) interfaces you can have some info from the ifconfig command too # ifconfig pppx0 pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360 description: giovanni priority: 0 groups: pppx inet 192.168.255.1 --> 192.168.255.205 netmask 0xffffffff
  • 17. npppd monitoring As usual, with ipsec, ipsecctl is your friend # ipsecctl -s all FLOWS: flow esp in proto udp from 9.2.71.195 port l2tp to 192.168.2.250 port l2tp peer 9.2.71.195 srcid 192.168.2.250/32 dstid 192.168.1.101/32 type use flow esp out proto udp from 192.168.2.250 port l2tp to 9.2.71.195 port l2tp peer 9.2.71.195 srcid 192.168.2.250/32 dstid 192.168.1.101/32 type require SAD: esp transport from 192.168.2.250 to 9.2.71.195 spi 0x41f46e6a auth hmac-sha1 enc aes esp transport from 9.2.71.195 to 192.168.2.250 spi 0x6d7d8716 auth hmac-sha1 enc aes
  • 21. Microsoft tips and Microsoft bugs Microsoft, dns, kerberos and mtu
  • 22. Microsoft tips and bugs ipsec nat-t support Windows Registry Editor Version 5.00 [HKLMSYSTEMCurrentControlSetServicesPolicyAgent] "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
  • 23. npppd future fixing bugs better integration with pf arp cache support
  • 24. Thank you for your attention! Questions?