Wednesday, December 14, 2011

How to set up a dedicated PPTP VPN server at your home office or main office.


(The purpose is to let road warriors, telecommuters, iPhones and iPads reach servers and network resources behind a company firewall.
If this setup gets too complicated, use commercial-grade dedicated server hosting instead.)
Pros and cons of setting up (and using) a PPTP VPN:
Pros:
(1) A PPTP VPN client ships natively with Windows XP and Vista, and with the iPhone.
(2) PPTP uses TCP port 1723 for its control connection plus GRE (IP protocol 47) for the tunnelled data. Port 1723 is the standard well-known port used by Microsoft PPTP clients and servers, so wire-line ISPs are unlikely to block it. (Cellular and wireless operators, however, routinely mangle or block VPN traffic unless you pay an extra monthly fee to have it pass untouched.)
(3) Software cost for a Linux-based PPTP VPN server is low. For comparison, Windows Server 2003 with 5 client-access licences lists at US $999 and Microsoft ISA Server 2004 has a street price of US $1975 (though of course those products come with many, many more features).
(4) Hardware cost is low: Linux runs happily on very low-end hardware.
Cons:
(1) In developing countries and small towns (where log cabins and garden sheds are plentiful), hotels may use old routers that allow zero or one PPTP session for the whole hotel, so at most one of your road warriors in such a location can be connected at any given time. Reason: PPTP carries its data in GRE (IP protocol 47), a tunnelling protocol with no port numbers; an old NAT router that does not track PPTP call IDs cannot tell two GRE tunnels apart and therefore passes at most one. See this diagram.
(2) Authentication is password-only (MS-CHAP). Both the login and the MPPE session keys are derived from the user's password, so the security of the whole network rests on users choosing strong passwords; a weak password can be guessed offline from a captured handshake.
(3) A fact of life: the remote user will take a performance hit, depending on network conditions.
Useful hint: for files on shared network drives, copy the file from the remote share to the local desktop, edit it there, then copy the edited file back to the remote server.
 
Caveat emptor:
- This assumes you have an externally reachable IP address; some ISPs do not hand one out.
- This assumes your ISP allows you to run a server on your connection.
- Depending on the type of firewall/router, the road warrior may or may not be able to reach the Internet while the VPN is up. See the combination chart.
- If you use an internal Linksys WRT54GL flashed with the DD-WRT VPN firmware behind a D-Link main firewall, do not forget to forward TCP 1723 (and protocol 47 GRE, which the D-Link firmware forwards automatically) to the IP address of the internal Linksys box.
- If you VPN into your home/office network and still want Internet access, consider OpenVPN: it is NAT and router friendly, though slightly harder to set up. OpenVPN can also be configured either as a split tunnel (the default: only traffic for the internal network goes home) or as a full tunnel (all of the client's traffic goes through home).
How to setup a Debian PPTP VPN Server:
(user reported that this also works for Ubuntu Linux) 
Server hardware: Intel Pentium 3, Pentium 4 or AMD CPU (500 MHz), 64 MB RAM, 20 GB hard disk.

Preferred hardware.
Instead of building a Linux server, you can use a Linksys WRT54GL or WRT54G V4 and replace the Linksys firmware with the DD-WRT VPN build.
To be safe, flash the DD-WRT mini build first and then the DD-WRT VPN build, so you do not brick the Linksys box.
The DD-WRT VPN build has an excellent PPTP server that is easy to set up and works perfectly behind a D-Link firewall. See the combination chart.
The PPTP server is under the Administration tab, Services tab. Tick the PPTP check box. Server IP is the IP address of the WRT54GL box itself.
Each CHAP secret is entered in the form  username * password *
e.g. alice * strong-password *




Software for Debian:

Create a "Debian install CD" from a CD image file.
Download the file "debian-40r5-i386-CD-1.iso" (about 650 megabytes) or
download the file "debian-40r5-xxxx-i386-netinst.iso" (about 160 megabytes) from
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/
Create a CD from the iso image file using any suitable CD burning software.
Insert the Debian (netinst) install CD in the server and power it up.
Follow the prompts to install a standard system (not a desktop, workstation or server selection; fewer packages means less to patch).
After the Debian operating system is installed, install the Microsoft-compatible PPTP VPN server as follows
(pptpd is the PPTP VPN server; mc is Midnight Commander, whose editor mcedit is used below in place of notepad):
aptitude install pptpd mc
Type ifconfig and inspect the "eth0" section to find your server's IP address [inet addr].
mc -e /etc/pptpd.conf
  add two lines:
(Assuming that your internal network is 10.5.1.xxx, which geeks call the 10.5.1.0/24 subnet.)
(It is important to avoid the 192.168.1.xxx subnet for your home network, because most hotels and most Linksys, Cisco, TP-LINK and Trendnet boxes default to 192.168.1.xxx, and you cannot VPN from one 192.168.1.0/24 network into another 192.168.1.0/24 network.)
localip 10.5.1.3  (this must be your server's own IP address, the [inet addr] shown by ifconfig above)
remoteip 10.5.1.241-246

The configuration above sets aside 6 addresses, so 6 roaming users can be VPN'ed into your home/corporate network at the same time; in subnet notation these are the usable hosts of the 10.5.1.240/29 block. The first address of any block is the "network address" and the last is the "broadcast address", so to keep purists happy do not hand either out to roaming users (here 10.5.1.240 and 10.5.1.247), and do not include the server's own address or any address in your DHCP pool.
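
The subnet arithmetic above, as an added shell example that is not part of the original post: it turns a chosen block such as 10.5.1.240/29 into the pptpd remoteip syntax, tells you the smallest block that fits a given number of users, and checks a remoteip pool against the LAN, its network and broadcast addresses, and the server's own localip. The LAN (10.5.1.0/24), localip (10.5.1.3) and pool are the post's values; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pptpd remoteip pool arithmetic.
# Assumes a single IPv4 LAN in CIDR form and pptpd's "a.b.c.first-last" range
# syntax; function names are this example's own. POSIX sh arithmetic only.

# ip_to_int 10.5.1.3 -> 168100099 (dotted quad to 32-bit integer)
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 )) )
}

# int_to_ip 168100099 -> 10.5.1.3
int_to_ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# prefix_for_users N -> smallest prefix length whose block has N usable hosts
# (block size minus network and broadcast). 6 users -> 29, i.e. a /29.
prefix_for_users() {
    p=30
    while [ $(( (1 << (32 - p)) - 2 )) -lt "$1" ]; do p=$(( p - 1 )); done
    echo "$p"
}

# usable_range BLOCK/PREFIX -> the hosts between network and broadcast in
# pptpd's remoteip syntax: usable_range 10.5.1.240/29 -> 10.5.1.241-246
usable_range() {
    bits=${1#*/}
    [ "$bits" -ge 24 ] || { echo "use a /24 or smaller block for the last-octet syntax"; return 1; }
    net=$(ip_to_int "${1%/*}")
    first=$(( net + 1 )); last=$(( net + (1 << (32 - bits)) - 2 ))
    echo "$(int_to_ip "$first")-$(( last % 256 ))"
}

# check_pool POOL LAN_CIDR LOCALIP -> 0 if every pooled address lies inside
# the LAN, is neither its network nor broadcast address, and is not the
# server's own localip; otherwise prints the offending address and returns 1.
check_pool() {
    pool=$1; lan_net=$(ip_to_int "${2%/*}"); localip=$(ip_to_int "$3")
    lan_bcast=$(( lan_net + (1 << (32 - ${2#*/})) - 1 ))
    first=$(ip_to_int "${pool%-*}")
    last=$(( first - first % 256 + ${pool##*-} ))
    [ "$last" -ge "$first" ] || { echo "malformed range $pool"; return 1; }
    i=$first
    while [ "$i" -le "$last" ]; do
        if [ "$i" -lt "$lan_net" ] || [ "$i" -gt "$lan_bcast" ]; then
            echo "$(int_to_ip "$i") is outside $2"; return 1
        elif [ "$i" -eq "$lan_net" ] || [ "$i" -eq "$lan_bcast" ]; then
            echo "$(int_to_ip "$i") is the network or broadcast address of $2"; return 1
        elif [ "$i" -eq "$localip" ]; then
            echo "$(int_to_ip "$i") is the server's own localip"; return 1
        fi
        i=$(( i + 1 ))
    done
}

# Worked example with the post's addresses:
#   prefix_for_users 6                                -> 29
#   usable_range 10.5.1.240/29                        -> 10.5.1.241-246
#   check_pool 10.5.1.241-246 10.5.1.0/24 10.5.1.3    -> exit status 0
```

Source the file with sh and call the functions; a failing check_pool prints the offending address so the pool can be fixed before pptpd starts handing it out.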
mc -e /etc/ppp/pptpd-options (this is the pppd options file that pptpd.conf points to with its "option" line; on Debian the ms-dns lines live here rather than in /etc/ppp/options). Find the lines that say ms-dns and change the IP addresses to suit your local environment.
These two addresses should be the DNS servers provided to you by your ISP, or an internal DNS server if you have one.
The following examples are the OpenDNS servers, which anyone can use:
ms-dns 208.67.222.222
ms-dns 208.67.220.220
While in this file, also check that it contains require-mschap-v2 and require-mppe-128 (together with refuse-pap, refuse-chap and refuse-mschap): those lines are what force clients to authenticate with MS-CHAPv2 and encrypt the tunnel with 128-bit MPPE instead of negotiating something weaker.
Create user accounts and passwords for the roaming/telecommuting users who may access your VPN server (use strong passwords; see the Cons above):
mc -e /etc/ppp/chap-secrets
    e.g.
alice pptpd a-strong-password  *
bob pptpd another-strong-password  *
The second field, pptpd, must match the "name pptpd" line in the pptpd options file. The trailing * means the user may connect from any IP address; if a telecommuter or branch office has a static IP address and never roams, replace the * with that fixed IP address (or address block) for added security.
This file stores the passwords in clear text, so keep it readable by root only (chmod 600 /etc/ppp/chap-secrets).
You typically want a static IP address for a VPN server behind a firewall, because the router's port-forwarding rule points at a fixed internal address.
Change the Debian box from DHCP to a static IP address:
mc -e /etc/network/interfaces
find the line that says iface eth0 inet dhcp
change that line to iface eth0 inet static
add 4 lines below it; the actual addresses must match your own internal network:
    address 10.5.1.3
    netmask 255.255.255.0
    broadcast 10.5.1.255
    gateway 10.5.1.1
F2 to save the file, F10 to quit the editor.
mc -e /etc/resolv.conf
nameserver 216.21.128.22  (note: use your own ISP/cable/DSL company's DNS servers)
nameserver 216.21.129.22
F2 to save the file, F10 to quit the editor.

reboot

One final tweak is to instruct the Linux kernel to "forward" packets between the VPN clients and the LAN.
mc -e /etc/sysctl.conf
find the line that says:
#net.ipv4.conf.default.forwarding=1
(on newer Debian releases the line reads #net.ipv4.ip_forward=1 instead), delete the leading # and save the file.
reboot
With older kernels you may need these (deprecated) steps instead, which set the flag from an init script at every boot:
touch /etc/init.d/pptp
chmod 755 /etc/init.d/pptp
mc -e /etc/init.d/pptp
   edit the file so that it contains the following two lines (the first makes it a valid shell script), then save it:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
cd /etc/rcS.d
ln -s /etc/init.d/pptp S85-pptp-packet-forward
reboot
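
The whole server-side procedure above (pptpd.conf, the pppd options, chap-secrets, the static interface and kernel forwarding), collected into one added shell script that is not part of the original post. It renders each file from a few parameters, pins the pppd options to MS-CHAPv2 with 128-bit MPPE so a client cannot negotiate an unencrypted or weaker tunnel, and writes chap-secrets with mode 600 because it holds cleartext passwords. ROOT is an assumption of this example that lets you stage the files into a scratch directory first; the option names are the real pppd/pptpd ones, the addresses are the post's, and 203.0.113.7 in the usage comment is a documentation address standing in for a branch office with a fixed IP.

```shell
#!/bin/sh
# Added example (not from the original post): render and install the pptpd
# configuration described above. Assumes Debian's pptpd layout (/etc/pptpd.conf,
# /etc/ppp/pptpd-options, /etc/ppp/chap-secrets). ROOT ("" for a live system)
# is this example's own knob for staging into a scratch directory.
set -e

render_pptpd_conf() {        # $1 localip, $2 remoteip pool
    printf 'option /etc/ppp/pptpd-options\nlocalip %s\nremoteip %s\n' "$1" "$2"
}

render_pptpd_options() {     # $1 $2 DNS servers pushed to the clients (ms-dns)
    cat <<EOF
name pptpd
# Password-only authentication: refuse everything weaker than MS-CHAPv2 and
# insist on 128-bit MPPE, otherwise a client can negotiate a cleartext tunnel.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns $1
ms-dns $2
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

render_chap_secrets() {      # stdin: "user password [client-ip]" per line
    while read -r user pass ip; do
        [ -n "$user" ] || continue
        # "pptpd" must match the "name pptpd" line in pptpd-options; the last
        # field is "*" (any client address) unless a fixed IP was given.
        printf '%s pptpd %s %s\n' "$user" "$pass" "${ip:-*}"
    done
}

render_interfaces() {        # $1 address, $2 netmask, $3 gateway (static eth0)
    printf 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\n'
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$1" "$2" "$3"
}

gen_password() {             # 20 random alphanumerics from the kernel RNG
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# install_config ROOT LOCALIP REMOTEIP DNS1 DNS2 < users   (users: "name pw [ip]")
install_config() {
    root=$1
    mkdir -p "$root/etc/ppp"
    render_pptpd_conf "$2" "$3" > "$root/etc/pptpd.conf"
    render_pptpd_options "$4" "$5" > "$root/etc/ppp/pptpd-options"
    # chap-secrets holds cleartext passwords: create it root-only.
    ( umask 077; render_chap_secrets > "$root/etc/ppp/chap-secrets" )
    chmod 600 "$root/etc/ppp/chap-secrets"
    # Kernel forwarding; net.ipv4.ip_forward=1 is the current spelling of the
    # net.ipv4.conf.default.forwarding line used in the text above. Idempotent.
    touch "$root/etc/sysctl.conf"
    grep -q '^net.ipv4.ip_forward=1$' "$root/etc/sysctl.conf" \
        || echo 'net.ipv4.ip_forward=1' >> "$root/etc/sysctl.conf"
}

# Usage on the server itself (as root), then apply sysctl and restart pptpd:
#   printf 'alice %s\nbob %s 203.0.113.7\n' "$(gen_password)" "$(gen_password)" \
#       | install_config "" 10.5.1.3 10.5.1.241-246 208.67.222.222 208.67.220.220
#   render_interfaces 10.5.1.3 255.255.255.0 10.5.1.1 > /etc/network/interfaces  # eth0 only
#   sysctl -p && invoke-rc.d pptpd restart
```

Stage with a scratch ROOT first (install_config /tmp/stage ...) and diff the rendered files against the live ones; the render_interfaces line overwrites the whole interfaces file, so only use it on a box whose sole interface is eth0.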

If the PPTP VPN server is behind a D-Link router/firewall, configure the D-Link to forward (or allow) TCP port 1723 to the PPTP VPN server. To find out which IP address the VPN server is using, type ifconfig on it and inspect the "eth0" section.
You also need to forward protocol 47 (GRE) to the PPTP server; D-Link routers do this automatically when you forward TCP port 1723 to an internal IP address.

A Linksys WRT54G V4 with factory firmware (or plain DD-WRT firmware) cannot forward GRE (protocol 47) from WAN to LAN, so you cannot put a PPTP VPN server behind such a router/firewall. If you use a WRT54GL with the DD-WRT VPN firmware, however, the same box can act as firewall and PPTP VPN server at the main entry point. Other combinations that might work are shown in the combination chart.

On the roaming or telecommuting XP or Vista laptop (or iPhone/iPad), create a VPN network connection icon:
Start ... Connect To ... Show All ... Create New Connection ... Connect to the network at my workplace ...
Virtual Private Network connection ...
Company name: myHQ ... Do not dial the initial connection ...
Host name or IP address: your externally accessible IP address ... Add a shortcut to the desktop.

To establish a VPN connection from a hotel or telecommuting office:

Double click the desktop VPN icon and enter the username and password.
You are now VPN'ed into your home office or corporate office, which has the effect of moving the roaming user onto the home/office network.
You can reach your home/corporate mail servers and other services (print servers, VNC servers, etc.) almost exactly as if you were sitting at home/office, except perhaps much slower. The PPTP VPN is a tunnel that encrypts the traffic while it travels over the public network, provided the pppd options file for pptpd requires MPPE (require-mppe-128); without MPPE the tunnel is authenticated but carries the traffic in the clear.
Caveats: You might not be able to do full Windows network browsing across the tunnel (browse lists rely on broadcasts, which do not cross it). There is a workaround.
Your home/corporate network IP range (the subnet) must differ from the hotel's or telecommuter's. That is why the example above uses 10.5.1.0/24: 192.168.1.0/24 is the default subnet of the popular Linksys WRT54G routers and of most hotels, so if your home/corporate network is 192.168.1.xxx the road warriors will complain for sure, and you will have to renumber the home/office network to 10.x.x.x, which is a rather painful exercise.
Maintenance.
Periodically run two commands to keep the system patched with the latest security fixes: aptitude update, then aptitude safe-upgrade.
Once you have a VPN server, you may want to increase your security further by using email security software.
© 2007-2011 Nicholas Fong 

Revised September 27, 2011
