Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I have a lan with network 192.168.1.0/24 connected to a router DI 614+ which is connected to a cable modem. All my machines are connected to the DI 614+ either via cable or wirelessly. There is only one ethernet interface on each of the machines (except the laptop but I only use eth1 there).
I wanted to increase the security of my laptop's wireless connection to the rest of my network so I set up a vpn from it to one of my other machines in the same network (which houses my data). While it seems to work and I am able to access the other machine on the network via the vpn tunnel, I cannot seem to access the internet from the laptop anymore (well, I can access google.com and do searches with it but the other urls will not resolve, even the links that google returns). If I have ipsec disabled on the laptop, then I can access the internet without problems. This is weird because I think either all dns resolution should work or they should all fail.
There is one message from ipsec_setup when I start my connection : Warning :changing route filtering on eth1 (changing /proc/sys/net/ipv4/conf/eth1/rp_filter from 1 to 0). I don't know if that is significant.
You are currently routing through your VPN server box's local cached DNS. You will need to set the freeswan vpn server (local box) to be a DNS server or to allow forwarding of DNS routing via the VPN server config itself. You are connected directly to your box and only your box.
The routing paths/processes are determined by what your box serves and by what freeswan server allows to route in/out. Security via wireless at VPN level is hard to do. There is a reason why companies use rotating keys and 128-bit RC5 hardware encryption instead of straight software VPN. It's a headache. But, if you can do it, you've just saved yourself conservatively 8K USD.
Thanks. I sort of figured it out. I think you are right, it was probably cache that I was browsing. Anyway, I was trying to increase the security of my 802.11b connection to the rest of my network. It is a machine to machine connection in the same subnet, both connecting to a D link router 614+, one via wired ethernet (mymythtv), the other via wireless (mylaptop). My router is 192.168.1.1. I have in the wired machine /etc/ipsec.conf:
left=192.168.1.2 #Left is local which is mymythtv
leftsubnet=192.168.1.0/24 #subnet declaration
leftid=@mymythtv #name of this server, no dns queries
leftrsasigkey=yyyyyyy #this is the public key of mymythtv
leftnexthop= #nothing here, no router in between
right=192.168.1.100 #right is remote which is mylaptop
rightsubnet= #nothing here
rightid=@mylaptop #name of laptop, no dns queries
rightrsasigkey=xxxxxx #this is the public key of mylaptop
rightnexthop= #nothing here, no router in between
auto=add #add this configuration but don't start it automatically
And on the wireless machine /etc/ipsec.conf:
left=192.168.1.100 #left is local which is the laptop
leftid=@mylaptop #name of laptop, no dns queries with @
leftrsasigkey=xxxxxxxx...... #this is the public key of mylaptop
leftnexthop= #leave blank, there is no router between
right=192.168.1.2 #right is remote which is mymythtv
rightsubnet=192.168.1.0/24 #mylaptop is allowed to access
rightid=@mymythtv #name of server, no dns queries with @
rightrsasigkey=yyyyyyy...... #this is the public key of mymythtv
rightnexthop= #leave blank, there is no router between
auto=add #add this configuration but don't start it automatically
I was able to bring up the vpn tunnel. When I looked at the routing on mylaptop:
Destination     Gateway         Genmask           Flags Metric Ref Use Iface
192.168.1.0     192.168.1.2     255.255.255.0     UG    0      0   0   ipsec0
192.168.1.0     *               255.255.255.0     U     0      0   0   ipsec0
169.254.0.0     *               255.255.0.0       U     0      0   0   eth1
127.0.0.0       *               255.0.0.0         U     0      0   0   lo
default         192.168.1.1     18.104.22.168     UG    0      0   0   ipsec0
22.214.171.124  192.168.1.1     126.96.36.199     UG    0      0   0   ipsec0
default         192.168.1.1     0.0.0.0           UG    0      0   0   eth1
Therefore, internet packets are ending in 192.168.1.2. So I decided to test this by enabling ip_forwarding in mymythtv. And that did the trick. Mylaptop now has internet access through the vpn tunnel.
However I have another question. Looking at the output of tcpdump, I saw that there are ESP packets coming from mylaptop to mymythtv but not from mymythtv to mylaptop. Is this a problem? Can VPN encryption be only one way in the tunnel? Is this even possible or is all traffic in either direction protected in a VPN tunnel? Is my tunnel even set up correctly? Thanks.
I figured it out. My configuration was subnet to host. I needed it to be host to host. I did this by omitting the leftsubnet in mymythtv and rightsubnet in mylaptop. ESP now works in both directions. The VPN tunnel is working. I added forwardcontrol=yes in mymythtv's ipsec.conf so that it turns ipv4 forwarding on when ipsec is started and turns it off when it is stopped. Now I have a secure wireless 802.11b connection between mymythtv and mylaptop. Thanks.
Looking at the output of tcpdump, I notice that ESP encryption only happens when the source and destination of ip packets is exactly the endpoints of the tunnel. The docs stated this as well, but I had hoped that since mymythtv is ip forwarding packets to the router (to go to the internet), then the ip packets will be encrypted leaving the laptop and decrypted at mymythtv prior to being sent to the router. It looks like the only way to secure all wireless communication from the laptop is to make mymythtv the endpoint of all packets that need to go to the internet, which means configuring it as an IP masquerade server. Is there a way to set up a vpn tunnel from any machine in the lan to the router (a d link 614+)? Or is that a stupid question? Any thoughts? Thanks.
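The tcpdump checks described in the thread (ESP in one direction only, and cleartext to hosts other than the tunnel peer) can be automated. The following is an added example, not code from any poster; the capture lines are constructed, the address 203.0.113.10 is a documentation placeholder, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not captured from the thread's network).
SAMPLE = """\
12:00:01.000001 IP 192.168.1.100 > 192.168.1.2: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
12:00:01.000950 IP 192.168.1.2 > 192.168.1.100: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000002 IP 192.168.1.100 > 192.168.1.2: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
12:00:02.000870 IP 192.168.1.2.22 > 192.168.1.100.40112: Flags [P.], seq 1:37, ack 1, win 501, length 36
12:00:03.000003 IP 192.168.1.100.40200 > 203.0.113.10.80: Flags [S], seq 100, win 64240, length 0
12:00:03.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.100, length 28
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def host(addr):
    """Drop a trailing .port from an IPv4 endpoint such as 192.168.1.2.22."""
    return ".".join(addr.split(".")[:4])

def audit(text, laptop, peer):
    """Count ESP and cleartext packets per direction between the tunnel
    endpoints, and list cleartext the laptop sends to any other host."""
    counts = Counter()
    outside = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP and other non-IPv4 lines are not covered by the tunnel
        src, dst, rest = host(m.group(1)), host(m.group(2)), m.group(3)
        kind = "esp" if rest.startswith("ESP(") else "clear"
        if {src, dst} == {laptop, peer}:
            counts[(src, dst, kind)] += 1
        elif src == laptop and kind == "clear":
            outside.append(dst)
    return counts, outside

def one_way(counts, laptop, peer):
    """Return the directions that carried cleartext but no ESP at all."""
    bad = []
    for src, dst in ((laptop, peer), (peer, laptop)):
        if counts[(src, dst, "clear")] and not counts[(src, dst, "esp")]:
            bad.append(f"{src} -> {dst}")
    return bad

if __name__ == "__main__":
    c, out = audit(SAMPLE, "192.168.1.100", "192.168.1.2")
    print("unprotected directions:", one_way(c, "192.168.1.100", "192.168.1.2"))
    print("cleartext to other hosts:", out)
```

Feed it a capture taken on the physical wireless interface (eth1 on the laptop in this thread), not on ipsec0. A direction is flagged only when it shows no ESP at all, because some IPsec stacks also show the decrypted copy of inbound packets on the physical interface.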