Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Anyone know a VPN solution that is easy to setup?
I cannot get OpenVPN to work and cannot troubleshoot it as not many people use it...even on this forum.
I tried poptup but the documentation is pretty poor.
Poptop is for as far as I know by far the most easiest to configure VPN solution. As it's PPTP, it also natively supports Windows clients which can be very handy.
Poptop is for as far as I know by far the most easiest to configure VPN solution. As it's PPTP, it also natively supports Windows clients which can be very handy.
Scroll down to the area localip and remoteip. So that we can keep routing issues to a minimum, set this to a range in your local LAN. For example, I use 10.0.0.0/24 for my private LAN. 10.0.0.1 is the IP address of my router and VPN server. I set the localip value to 10.0.0.2 and the remoteip range to 10.0.0.200-220, outside the DHCP assigned range.
I also tried adding the firewall settings to me iptables but iptables failed on restart:
Quote:
FIREWALL AND ROUTING
The only issues now that need to be resolved are routing and firewall issues. This is only relevant if the VPN server is on the same server as your firewall/router. By having the VPN clients on the same subnet as the rest of the trusted LAN, it makes it easier for the client, but slightly harder to configure, as we aren’t dealing with Layer 3. We need to allow the interface ppp0 access to the trusted interface. We will assume eth0 is the trusted interface
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A FORWARD-i ppp0 -o eth0 -j ACCEPT
This could also be done using the 10.0.0.0/24 range, but this will only work for unicast addresses. To make these statements safe, 10.0.0.0 should be dropped at the external interface as well if not already done so. Its good practice to drop all RFC 1918 private addresses that which have their source address incoming from the external interface. A lot of malformed and spoofed IP packets often have source addresses from the private address range.
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -s 10.0.0.0/24 -j ACCEPT
Now we need to allow the VPN protocols that will be used to connect and communicate with the VPN server through our firewall. The authentication part of our VPN server uses the PPTP protocol which is on TCP port 1723. Actual data is then transfered using IP protocol GRE (Genertic Routing Encapsulation). Configure the following iptables commands.
iptables -A INPUT -i $external_interface -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $external_interface -p gre -j ACCEPT
Quote:
*filter
:INPUT DROP [10:568]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:260]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
Hmm, I guess you should read some more about TCP/IP first. For as far as I can see, your box hangs directly to the internet (eth has a 88.x.x.x address). So you have to set up a local network first, map the appropriate ports and apply the following rules to iptables:
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -s <your PPTP subnet> -j ACCEPT
If you don't need a local network, you can also skip that step and connect directly to the box from the client. What have you configured further?
Hmm, I guess you should read some more about TCP/IP first. For as far as I can see, your box hangs directly to the internet (eth has a 88.x.x.x address). So you have to set up a local network first, map the appropriate ports and apply the following rules to iptables:
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -s <your PPTP subnet> -j ACCEPT
If you don't need a local network, you can also skip that step and connect directly to the box from the client. What have you configured further?
Do I need a local network for VPN?
At the moment, the server just runs as a proxy server but I want to use it first for private VPN connections for myself and then allow extra client VPN.
Theoretically, you shouldn't need a local network. But, I have no experience with that, I've only set up poptop on a local network behind a gateway / router a few times.
But, it should work without local network. Only difference is that you skip the port mapping step at your gateway.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
