Building an authenticated LAN with a VPN

The text below was written from the information available at the time of writing and may contain things that no longer match the current situation, so please take care. Also, the text is the final submitted manuscript before proofreading, so it differs from what was actually printed in UNIX USER magazine. Typos and omissions are left as they are.

Apart from fatal errors I will not make additions or corrections, so please use it while keeping the age of the information in mind.

Table of contents


======================================================================
 Part 4  VPNLAN 
					 
						  yuuji@yatex.org
======================================================================

LAN



(LAN)

LANLAN
(WEP)


Part4LAN
LANLAN



 VPN


LAN802.1X
WEP

802.1X
    * OS
    * LAN802.1X
    * 802.1XLAN
      ( )
WEP
    * LANOS
    * 
    * LAN()
      

---[ ]------------------------------------------------------------
Part3802.1XLAN
802.1XLAN-AP(
)
----------------------------------------------------------------------


	LANLAN

LAN


	LAN
	  

LANVPN


VPNLAN


---[ ]------------------------------------------------------------


  %image: lan-phys.png

  

----------------------------------------------------------------------



---[ ]------------------------------------------------------------

  %image: lan-logical.png

  VPNLAN

----------------------------------------------------------------------

VPNLAN

	* LAN
	* 
	* LAN(SSH)
	* 
	  
	* OS(Windows/Linux/*BSD 
	  )

LANVPN
VPN


	* IP
	  (LANIP)
	  
	* VPN
	  



PC
LAN


Windows
 PPP over SSH VPNLAN


PPP over SSH

  /
  
  VPN(Virtual Private Network)VPN
  

	* 
	* 
	* OS

  SSHPPPVPNPPP
  over SSH

	* ppp(pppd  FreeBSD user-ppp)
	* SSH(OpenSSH)
	* IP(iptables, ipfw, ipfilter)

  3Unix
  

	(1)TCP over TCP
	   : http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
		 (Why TCP Over TCP Is A Bad Idea)
		  20033 p112 
		 VPN
	(2)SSH
	(3)
	   

  (1)PPP2
  (2)
  VPN
  



 VPN


LAN
VPN
VPN


LANDHCP 

VPN
LAN-AP


---[ ]------------------------------------------------------------


	LAN(LAN)(10.0.0.0/24)
		|
		|(LANIP)
		|vpngw 10.0.0.100
	+-------+---------------+
	|	NIC-1		|
	|   VPN	| !! VPN  !!
	|			| !!  !!
	|	NIC-2		|
	+-------+---------------+
		|(IP)
		| vpnsv	192.168.11.254
		|
		|  LAN(192.168.11.0/24)
		|  ()
      		|
      		|192.168.11.1
      	 +------+--------------------+
      	 | LAN-AP		     |
	 | ()	     |
      	 | 100BASE-TX HUB    |
      	 |			     |
      	 +-+--------------------+----+
	   :			| []
	   :			|
	   :192.168.11.201	|192.168.11.202
   +------------------+	  +-----+-------+
   | LAN          |	  |  LAN	|
   | 	      |	  |  	| .........
   +------------------+	  +-------------+

----------------------------------------------------------------------

LAN-AP()
LANVPN


	a. VPNVPNSSH
	b. () ping(icmp-echo) 
	c. 
	   (: HTTP)

VPN
VPN



 PPP over SSH VPN


VPNPPP over SSH


VPN

  

  (1)IP
  (2)VPN
  (3)PPP

  
  
  (1)IP

     IPON
     

     # sysctl -w net.inet.ip.forwarding=1     (FreeBSD, NetBSD)
     # sysctl -w net.ipv4.ip_forward=1	      (Linux)
       ( /etc/sysctl.conf )
     # ndd -set /dev/ip ip_forwarding 1	      (Solaris)
       (ON)
     

  (2)VPN

     rootVPN
     VPN
     

	:		vpn
	:		vpn
	:	/etc/ppp/vpn

     

     * Solaris, Linux, NetBSD 

       # groupadd vpn
       # useradd -g vpn -d /etc/ppp/vpn vpn
       (Linux
        )

     * FreeBSD 

       # pw useradd vpn -g network -d /etc/ppp/vpn

  (3)PPP

      vpn ppp

     * Solaris, Linux, NetBSD(pppd) 

       ppp
       /etc/ppp/options ( )

	privgroup vpn

---[ ]------------------------------------------------------------
pppd setuid-root "privgroup vpn" 
(Linux)chmod u+s /usr/sbin/pppd 
sudo vpn 
rootpppd
----------------------------------------------------------------------

       vpn(/etc/ppp/vpn)
       vpn.option 

	proxyarp
	noauth
	notty

       vpn(/etc/ppp/vpn)
       pppd start-client-1.sh 
       

	# cd ~vpn
	# vi start-client-1.sh
	()

	#!/bin/sh
	PATH=/usr/sbin:/bin:$PATH
	# IP address of the VPN gateway (this host) on the wired LAN
	MYIP=10.0.0.100
	# IP address handed to the connecting client
	CLIP=10.0.0.201
	exec pppd file vpn.option ${MYIP}:${CLIP}


	()
	# chmod +x start-client-1.sh

        10.0.0.201 VPN
       LANIP
       IP
       (FreeBSD)PPP
       IP
       IP
       PPPPPP
       PPP
       
			192.168.11.254
		PPP	10.0.0.100

	

     * FreeBSD (user-ppp)

       /etc/ppp/ppp.conf 

        vpn-default:
                allow users vpn 
                set timeout 0
                set log phase chat connect lcp ipcp command proxy
                set escape 0xff
		enable proxy
        vpn-client-1:
		load vpn-default
		# set ifaddr  
		set ifaddr 10.0.0.100 10.0.0.201

       vpn(/etc/ppp/vpn)
       pppd start-client-1.sh 
       

	# cd ~vpn
	# vi start-client-1.sh
	()

	#!/bin/sh
	exec /usr/sbin/ppp -direct vpn-client-1

	()
	# chmod +x start-client-1.sh

VPN

  

  (1)VPN
  (2)SSH
  (3)PPP

  (1)
  

  SSH

    vpnssh

    # su vpn
    % ssh-keygen -t dsa -f ~/.ssh/vpn2vpnsv
    ()

    ~vpn/.ssh/vpn2vpnsv.pub 
    VPN~vpn/.ssh/authorized_keys 
    
    

    % scp ~/.ssh/vpn2vpnsv @vpnsv

     vpn2vpnsv ****
    ~vpn/.ssh/authorized_keys 

    vpnsv# su vpn
    vpnsv% mkdir -m 700 ~/.ssh
    vpnsv% cat vpn2vpnsv.pub  >> ~/.ssh/authorized_keys
    vpnsv% chmod 600 ~/.ssh/authorized_keys

    vpn
    ( )

    % ssh -2 -i ~/.ssh/vpn2vpnsv vpnsv echo OK
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The authenticity of host 'vpnsv (192.168.11.254)' can't be established.
    RSA key fingerprint is 5a:a6:d3:79:82:e9:17:4d:4b:ed:86:ce:e7:07:7b:f8.
    Are you sure you want to continue connecting (yes/no)? yes
                                                           ~~~
    OK

---[ ]------------------------------------------------------------
SSH ~/.ssh/known_hosts 
fingerprint
yes known_hosts 
pppssh
yes/no
----------------------------------------------------------------------

    OK
    OK
    PPP
     ~vpn/vpn2vpnsv.sh 

    ()
    % cat > ~/vpn2vpnsv.sh <<_EOF_
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #!/bin/sh
    exec /usr/bin/ssh -x -2 -i /etc/ppp/vpn/.ssh/vpn2vpnsv vpn@vpnsv dummy
    _EOF_

    % chmod +x ~/vpn2vpnsv.sh
      ~~~~~~~~~~~~~~~~~~~~~~~

    PPP
    PPP
    

    (vpnsv)
    PPP 
    ~vpn/.ssh/authorized_keys 

    vpnsv# vi ~vpn/.ssh/authorized_keys
	   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    VPNSSH

	command="./start-client-1.sh"
	no-X11-forwarding
	no-pty

    3()

    
    ssh-dss AAAAB3Nza...........
	
    command="./start-client-1.sh",no-X11-forwarding,no-pty ssh-dss AAAAB3Nza...........
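The value of the forced command above is that the key can start nothing but the PPP server. The following is an added example, not part of the article: a small POSIX sh helper that turns a bare public key line into the restricted form shown above, and an audit function that walks an authorized_keys file and reports any key that lacks command=, no-pty or no-X11-forwarding (the way a stray unrestricted key would silently give the wireless client a shell on the gateway). The sample file contents and key material are constructed; the script name ./start-client-1.sh is the one used in the article.

```shell
#!/bin/sh
# Added example (not from the article). Builds and audits authorized_keys
# entries restricted to a forced command, as used for the PPP over SSH gateway.
# Handles the ssh-* key types the article uses (ssh-dss, ssh-rsa, ...).

# restrict_key PUBKEY_LINE COMMAND
#   prints the public key line prefixed with the restriction options
restrict_key() {
    printf 'command="%s",no-X11-forwarding,no-pty %s\n' "$2" "$1"
}

# key_options LINE -> prints the options field (text before the key type), or ""
key_options() {
    case $1 in
        ssh-*) printf '' ;;                 # bare key, no options at all
        *)     printf '%s' "${1%% ssh-*}" ;; # everything before " ssh-..."
    esac
}

# key_is_restricted LINE -> 0 if command=, no-pty and no-X11-forwarding are set
key_is_restricted() {
    opts=$(key_options "$1")
    case $opts in *'command="'*) ;; *) return 1 ;; esac
    case $opts in *no-pty*) ;; *) return 1 ;; esac
    case $opts in *no-X11-forwarding*) ;; *) return 1 ;; esac
    return 0
}

# audit_authorized_keys FILE -> 0 if every key is restricted, else prints the
#   offending lines and returns 1 (comments and blank lines are ignored)
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! key_is_restricted "$line"; then
            printf 'unrestricted key: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed sample file: one properly restricted entry and one bare key.
SAMPLE=${TMPDIR:-/tmp}/authorized_keys.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'_EOF_'
# constructed sample, not a real key file
command="./start-client-1.sh",no-X11-forwarding,no-pty ssh-dss AAAAB3NzaEXAMPLE1 client-1
ssh-dss AAAAB3NzaEXAMPLE2 client-2
_EOF_

# Show how the second entry should have looked
restrict_key 'ssh-dss AAAAB3NzaEXAMPLE2 client-2' ./start-client-2.sh

if audit_authorized_keys "$SAMPLE"; then
    echo "all keys restricted"
else
    echo "audit failed: fix the lines listed above"
fi
```

The audit only recognises the option names as substrings of the options field, so a key whose forced command is itself a shell (for example command="/bin/sh") still passes; the check is for the structural mistake the article warns about, not for what the forced command does.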

    ~vpn/vpn2vpnsv.sh 

	% ./vpn2vpnsv.sh
	  ~~~~~~~~~~~~~~
	~}#}!}!} }2}"}&} } } } }%}&6}'}"}4

    PPP()C-c
     authorized_keys 
    
    SSH
    


  PPP

    pppVPN
    ppp
    

    * Solaris, Linux, NetBSD (pppd)

      vpn connect-vpn.sh 
      

      % cat > connect-vpn.sh <<_EOF_
      #!/bin/sh
      exec pppd defaultroute pty /etc/ppp/vpn/vpn2vpnsv.sh
      _EOF_

      % chmod +x connect-vpn.sh

      VPN
      pppd defaultroute 
       defaultroute 
      

    * FreeBSD (user-ppp)

      /etc/ppp/ppp.conf 

---[ ]--------------------------------------------------------
vpn-default:
 allow user vpn
 set dial
 set timeout 0
 set ifaddr 10.0.0.0/24 10.0.0.0/24
 add default HISADDR
vpnsv:
 load vpn-default
 set server /var/tmp/vpnsv "" 0177
 set device !/etc/ppp/vpn/vpn2vpnsv.sh
----------------------------------------------------------------------

      pppd
       "add default HISADDR" 

      vpn connect-vpn.sh 
      

      % cat > connect-vpn.sh <<_EOF_
      #!/bin/sh
      exec ppp -ddial vpnsv
      _EOF_

      % chmod +x connect-vpn.sh


  PPP

    ~vpn/connect-vpn.sh vpnsvLAN 
    IP

    (vpn)
    % ~/connect-vpn.sh
      ~~~~~~~~~~~~~~~~
    ()
    % ifconfig -a
      ~~~~~~~~~~~
    

    ppp0: flags=8051 mtu 1500
	inet 10.0.0.201 -> 10.0.0.100 netmask 0xff000000
	inet6 fe80::203:47ff:fe8a:9035%ppp0 ->  prefixlen 64 scopeid 0x3

    LANIP
    ( )
---[ ]------------------------------------------------------------
pppd  ppp* user-ppp tun* 

----------------------------------------------------------------------

    vpnsvPPP proxy arp LAN 
    VPN(
    )
     default route vpnsv
    LAN

    

	pppd		/var/log/messages
	user-ppp	/var/log/ppp.log

    ()


  PPP(VPN)

    pppd  pppd  PID  INTTERM 
    user-ppp PPP
     /var/tmp/vpnsv 

	% pppctl /var/tmp/vpnsv
	  ~~~~~~~~~~~~~~~~~~~~~
	PPP ON client> quit all
		       ~~~~~~~~
    PPP


---[  ]-------------------------------------------

 VPN/PPP over SSH LAN

100BASE-TX, 10BASE-T 
802.11b 3VPN PPP over SSH 
VPN
HTTPpingRTT



VPN
  CPU	Celeron 1.2MHz
  OS	Vine Linux 2.6r4 (kernel 2.4.22, pppd 2.4.1)
  SSH	OpenSSH_3.6.1p2


  CPU		Celeron 700MHz
  OS		NetBSD 2.0E (pppd 2.4.1)
  SSH		OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917
		(Cipheraes128-cbc)


--------------------------------------------------
 100BASE-TX(100Mbps)
		http		http		ping-RTT
		(Kbps)		(Kbps)		(ms)		(ms)
		Ether		VPN		Ether		VPN
		23937		15237		1.195		1.628
      	 737.6		456.9		0.029		0.065
--------------------------------------------------
 10BASE-T(10Mbps)
		http		http		ping-RTT
		(Kbps)		(Kbps)		(ms)		(ms)
		Ether		VPN		Ether		VPN
		7252		4366		0.706ms		1.414ms
      	 6.9		580.4		0.062		0.129
--------------------------------------------------
 802.11b(11Mbps)
		http		http		ping-RTT
		(Kbps)		(Kbps)		(ms)		(ms)
		40bit-WEP	WEP+VPN	40bit-WEP	VPN
		1255		2717		5.940		5.044
    	210.7		32.8		0.442		0.240


10MbpsEthernet7Mbps
PPP/SSH 4Mbps
802.11b802.11bWEP
()WEP(40bits)WEP
VPN

802.11bWEP+VPN2
WEP/
SSH/
(LAN-AP)

Web
SSH
CUI
1Mbps


SSHVPN


802.11g(AP
)VPN
SSH



----------------------------------------------------------------------


 Windows


PPP over SSH Windows 

VPN Windows 2000 Windows XP 



http://www.kmc.gr.jp/proj/vpn/


http://www.kmc.gr.jp/proj/vpn/download.html
PPPoverSSHTool 
 0.3-pre 

		PPPoverSSHTool-0.3-pre.zip
		300546
	MD5		6dd0ba92df1e81dfab5505003dfa1245

Web
PPPoverSSHTool-0.2 
 PPPoverSSHTool-0.2 


PPPoverSSHTool-0.3-pre

  0.3-preZIP
  PPPTunUtil.msi (
  (I))
  
  

  SSH

  PPP over SSH Tool
   PuTTYgen 

       [SSH2/DSA] 
       [Generate] 
       

  DSA
  (C-c)

  (notepad)(C-v)

  PuTTYgen  "Save public key" 
  "Save private key" 
  

  
  Unix ~vpn/.ssh/authorized_keys 
  (1)autorized_keys 1
  

	ssh-dss AAAAB3NzaC1kc3MAAACAfMNlssXD...........

  

	command="./start-client-xp.sh"

  

	command="./start-client-xp.sh" ssh-dss AAAAB3NzaC1kc3MAAACAfMNlssXD...........

   
  start-client-xp.sh start-client-xp.sh 
  

	#!/bin/sh
	exec /usr/sbin/pppd file vpn.option 10.0.0.100:10.0.0.202

  LANIP
   Windows XP( 2000)LAN
  IPstart-client-xp.sh 

  PPP

  
  PPP over SSH

  (A)

  
  vpn
   PuTTYgen 

  [OK]

  SSH

  Windowsppp
   PuTTY( ) 
  PuTTYSSH
  PuTTYgen vpn
  Unixpppd
  ppp 
  

---[ ]------------------------------------------------------------
PuTTY
http://www.chiark.greenend.org.uk/~sgtatham/putty/

PuTTYISO2022
http://hp.vector.co.jp/authors/VA024651/#PuTTYkj_top

PuTTY  INI
http://www007.upp.so-net.ne.jp/bemax/arita/putty.html
----------------------------------------------------------------------

  

  
  
  
  
  PPP over SSH
  

  

  
  (D)
  

  %
  % 
  %



  FreeBSD user-ppp 
  pppd
  vpn(/etc/ppp/vpn)
  vpn-windows.option (Unix
  notty )

	proxyarp
	noauth

  ppp
  Unix




 VPN


 PPP over SSH VPN
( 192.168.11.* )
SSH
LAN
LAN

---[ ]------------------------------------------------------------

(PC)

   +---------------------    +-------------------+
   |                    |   192.168.11.201     | 	   |
   |                    |-------------------->[ ]eth0 22/tcpOK |
   |  |		       |		   |
   |                    |-------------------->[ ]ppp0 OK	   |
   |                    |  10.0.0.201	       |		   |
   +---------------------    +-------------------+


----------------------------------------------------------------------


SSH

  VPN
  

	(192.168.11.0/24)
	
			192.168.11.0/24
			192.168.11.254
			22/tcp

	

  VPN(ppp0,
  ppp1, ...)
  ping
   icmp(echo) 
  

  
  PPP over SSH
  
  

  Linux(iptables)
    ---------------------------------

    iptables
    /
     eth0, eth1 ( )

---[ ]--------------------------------------------------------------------
  Linux 

  |      +----------------------------+  |
  |  [192.168.11.0/24]   |  [[[Linux]]]     | [10.0.0.0/24]    |
  +----------------------= eth1                  eth0 =------------------+
  |			 | 192.168.11.254  10.0.0.100 |		         |
  |			 +----------------------------+		         |
  |									 |
  |									 |

------------------------------------------------------------------------------

    iptablesINPUT, FORWARD 
    

---[ ]--------------------------------------------------------
#!/bin/sh
# Assumes the chain policies are left at ACCEPT; filtering is done by the
# explicit rules below. iptables -F flushes (empties) the named chain.
iptables -F FORWARD
iptables -F INPUT

# Packets of TCP connections that are already established, and IP fragments
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -f -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -f -j ACCEPT

# From the wireless segment 192.168.11.0/24 (eth1) accept only 22/tcp (ssh)
iptables -A INPUT -s 192.168.11.0/24 -p tcp --dport 22 -i eth1 -j ACCEPT

# ICMP echo-request arriving on eth1, so clients can ping the gateway
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -i eth1 -j ACCEPT

# Everything else arriving on eth1 is dropped (TCP is refused with tcp-reset)
iptables -A INPUT -p tcp -i eth1 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -i eth1 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i eth1 -j DROP
iptables -A FORWARD -i eth1 -j DROP

----------------------------------------------------------------------

  FreeBSD(ipfw)
    -------------------------------

    Linuxiptablesipfw(ipfw2)
    FreeBSD
    FreeBSD IPFilter 
    IPFilter

---[ ]--------------------------------------------------------------------
  Linux 

  |      +----------------------------+  |
  |  [192.168.11.0/24]   |  [[[FreeBSD]]]   | [10.0.0.0/24]    |
  +----------------------= fxp1                  fxp0 =------------------+
  |			 | 192.168.11.254  10.0.0.100 |		         |
  |			 +----------------------------+		         |
  |									 |
  |									 |

------------------------------------------------------------------------------

---[ ]--------------------------------------------------------

#!/bin/sh
# Flush all existing rules (-f: do not ask for confirmation)
ipfw -f flush

# Packets of TCP connections that are already established, and IP fragments
ipfw add allow tcp from any to any established
ipfw add allow ip from any to any frag

# From the wireless segment 192.168.11.0/24 (fxp1) allow only 22/tcp to this host
ipfw add allow tcp from 192.168.11.0/24 to me 22 via fxp1

# ICMP echo-request (icmptype 8) from the wireless segment to this host
ipfw add allow icmp from 192.168.11.0/24 to me via fxp1 icmptypes 8

# Everything else coming in on fxp1 is denied (TCP is refused with tcp-reset)
ipfw add reset tcp from any to any in via fxp1
ipfw add deny ip from any to any in via fxp1

# New TCP connections (SYN) originating from the wired LAN
ipfw add allow tcp from 10.0.0.0/24 to any setup

# Traffic to and from the wired LAN on fxp0
ipfw add allow ip from any to 10.0.0.0/24 via fxp0
ipfw add allow ip from 10.0.0.0/24 to any out via fxp0

# UDP from the wired LAN: DNS (53) and NTP (123), with dynamic state
ipfw add allow udp from 10.0.0.0/24 to any 53 keep-state
ipfw add allow udp from 10.0.0.0/24 to any 123 keep-state

# Services this host offers (add more as needed)
# ssh
ipfw add allow tcp from any to me 22
# smtp
ipfw add allow tcp from any to me 25

# Final rule: deny and log everything else
ipfw add 65535 deny log ip from any to any
----------------------------------------------------------------------

   NetBSD, FreeBSD, Solaris (IPFilter)
    --------------------------------------------------------

    LinuxOS( )IPFilter
    
     fxp1fxp0

---[ ]------------------------------------------------------------
OpenBSDIPFilterPF
PFIPFilter
IPFilter
----------------------------------------------------------------------


---[ ]--------------------------------------------------------
# VPN by PPP over SSH (IPFilter)
# Save as vpn-filter and load it with
# ipf -Fa -f vpn-filter
# (-Fa flushes all existing rules first)

# Outgoing TCP on fxp1 keeps state, so replies of established connections pass
pass out quick on fxp1 proto tcp from any to any keep state

# Group heads for fxp0 (wired LAN) and fxp1 (wireless segment);
# the heads block by default, pass rules are attached to the groups below
block in  on fxp0 all head 100
pass  out on fxp0 all head 110
block in  on fxp1 all head 200
block out on fxp1 all head 210


# Packets addressed to the gateway itself (192.168.11.254) form group 201
block in from any to 192.168.11.254 head 201 group 200

# From 192.168.11.0/24 allow only 22/tcp (ssh)
# (within group 201 "any to any" already means "to 192.168.11.254")
pass in quick proto tcp from any to any port = ssh keep state group 201

# ICMP echo-request, so the gateway answers ping
pass in quick proto icmp from any to any icmp-type echo keep state group 201

# Other TCP arriving on fxp1 is refused with a tcp-reset
block return-rst in quick proto tcp from any to any group 201

# wired LAN side (fxp0)

# TCP connections originating from the wired LAN
pass out on fxp0 proto tcp from 10.0.0.0/24 to any keep state

# Anything coming in from the wired LAN
pass in quick from 10.0.0.0/24 to any group 100

# UDP: DNS and NTP
pass out quick proto udp from any to any port = domain keep state group 110
pass in quick proto udp from any to any port = domain group 100
pass out quick proto udp from any to any port = ntp keep state group 110
pass in quick proto udp from any to any port = ntp group 100

# Services offered on the wired LAN side
pass in quick proto tcp from any to any port = ssh keep state group 100
pass in quick proto tcp from any to any port = smtp keep state group 100
pass in quick proto tcp from any to any port = http keep state group 100

# Other TCP on the wired side is refused with a tcp-reset
block return-rst in proto tcp from any to any group 100

# 
----------------------------------------------------------------------






  * SSH22

     /etc/ssh/sshd_config "Port 9999" 

  * sshdUnix

     /etc/ssh/sshd_config "PasswordAuthentication no" 

  * PPP

     

  * SSHssh-agent

     PC

  * POP before PPPoverSSH 

     PC
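Two of the items above are plain sshd_config settings ("Port 9999" and "PasswordAuthentication no"). The following is an added example, not part of the article: a POSIX sh check that reads an sshd_config and reports whether both are in effect. It deliberately mirrors one sshd rule that is easy to get wrong: for each keyword, the first uncommented occurrence wins, so a "PasswordAuthentication no" appended at the end of a file that already says "yes" earlier changes nothing. The file path and sample contents are constructed; Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd_config for a non-default
# Port and PasswordAuthentication no, using first-occurrence-wins semantics.

# sshd_setting FILE KEYWORD -> prints the effective value, or "" if unset
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }                    # skip comments/blanks
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# check_sshd_config FILE -> one line per check; returns the number of failures
check_sshd_config() {
    fails=0
    port=$(sshd_setting "$1" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is ${port:-22 (default)}; the article suggests a non-default port such as 9999"
        fails=$((fails + 1))
    else
        echo "ok:   Port $port"
    fi
    pw=$(sshd_setting "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" = no ]; then
        echo "ok:   PasswordAuthentication no"
    else
        echo "FAIL: PasswordAuthentication is '${pw:-unset (default yes)}'"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: the "no" comes after a "yes", so it does not take effect.
SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'_EOF_'
# constructed sshd_config sample
Port 9999
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
_EOF_

if check_sshd_config "$SAMPLE"; then
    echo "sshd_config passes both checks"
else
    echo "sshd_config needs attention (password logins are still accepted)"
fi
```

Run it against the real file with check_sshd_config /etc/ssh/sshd_config; the gateway in the article should report ok for both lines, because once password authentication is off the only way in from the wireless segment is a key that is tied to a forced PPP command.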

ppp(mtu,mru)
SSHCompressionON
pppdSSH



 

%%%%%%% 

VPN
LANSSH


SSH
 PPP over SSH 





yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA