A Cross-Platform VPN with PPTP

There are alternatives to PPTP. These include the following.

OpenVPN OpenVPN is an up-and-comer based on the same SSL protocol that underlies ssh connections and secure websites . OpenVPN is supported on both Windows and Linux, although Windows support is still lacking in user -friendliness. Since OpenVPN is not standard with Windows, users must install a client program to support it. We also found it quite difficult to authenticate OpenVPN users against both the ad and the corp domains simultaneously . Still, OpenVPN is a straightforward and flexible system that's well worth a look. See http://www.openvpn.org/ for more information about OpenVPN.

IPSEC IPSEC is an open standard that is supported on Windows and Linux. Unfortunately, however, a fully Windows-compatible installation of IPSEC on Linux is currently quite difficult to configure. While there is some support in the Fedora GUI for configuring IPSEC connections, don't get your hopes up too highas of this writing, that GUI is only suitable for creating simple VPN tunnels between Fedora Linux and other Unix systems and is not suitable for use with Windows clients. See the Linux IPSEC HOWTO at http://www.ipsec-howto. org/ for more information about IPSEC.

PPTP is widely deployed. It comes in the box with Windows, and open source implementations exist. Why doesn't everybody use it? Well, security issues have been raised regarding Microsoft's PPTP in the past. A well-known article by Bruce Schneier of Counterpane Systems caused quite a stir in 1998 by pointing out serious cryptographic flaws in the original PPTP implementation. You can read that article at http://www.schneier.com/pptp-faq.html .

However, in the years since, Microsoft has standardized on the much-improved MSCHAP2 authentication protocol and improved other cryptographic aspects of its PPTP implementation. A more recent article by Mr. Schneier acknowledges that this addresses most of the technical flaws:

• http://www.schneier.com/pptp.html

One lingering concern is the backward compatibility that, by default, Microsoft's PPTP server tries to provide with MSCHAP, thus allowing less secure authentication to be used on the network. However, this is no longer the case in Windows 2003, where MSCHAP is disabled by default.

However, there is still a concern regarding password attacks. Since password hashes do travel "over the wire" in PPTP, there are opportunities for malicious clients to capture the hashes and attack these passwords with fast offline password cracking programs.

Therefore, make it your practice to teach your users to choose passwords that are not vulnerable to dictionary attacks .

A password hacking program, such as the LC5 program found at http://www.atstake.com/products/lc/ , can help you track down weak passwords so you can force your users to change them.

There are some older authentication protocols that shouldn't be used if at all possible. Just for reference, here's a quick rundown of those protocols and why you should avoid using them.

PAP (Password Authentication Protocol) PAP authentication passes the password as cleartext. Obviously, this is not a secure solution, at least by itself. This is the only common method of dial-up authentication in which the password is available to the authentication server in cleartext form. PAP is still somewhat common for PPP (Point-to-Point Protocol) dial-up connections, such as those used to connect to popular ISPs. Here, you need to be worried that the bad guy is tapping the phone line, which is pretty unlikely . But for VPN authentication over the public Internet it's a really bad choice.

CHAP (Challenge Handshake Authentication Protocol) CHAP passes only a hash of the password, based on a unique one-time challenge received from the server. If the hash is intercepted in transit, the party snooping on the connection still doesn't have the means to gain access to the user's account, because a hash mathematically matching that particular challenge will only be valid once.

Unfortunately, CHAP has a serious security flaw. For mathematical reasons beyond the scope of this book, the server can only verify the hash received from the client by keeping a cleartext copy of the password on the server . This is widely agreed to be a bad idea. Databases containing thousands of cleartext passwords have a history of becoming compromised at some point, and then, instead of one user's PAP password being cracked by a patient network sniffer, you have thousands of CHAP passwords cracked wide open. Thus begat MSCHAP.

MSCHAP (Microsoft Challenge Handshake Authentication Protocol) MSCHAP authentication was Microsoft's first effort to fix CHAP's cleartext password storage problem. While similar to CHAP, MSCHAP does not require a cleartext password to be kept on the server. Instead, password hashes are kept as, not coincidentally, the very same password hashes that are used to authenticate users logging into domain member workstations. Alas, MSCHAP had security holes, thus leading to the birth of MSCHAP2.

Configuring PPTP for Windows 2003 Server

Setting up Windows PPTP happens within Windows 2003's Routing and Remote Access (RRAS) console. Contrary to popular belief, you can have incoming PPTP even if your server has only one network card. To configure Windows 2003 PPTP (with only one network card):

1. Click Start All Programs Administrative Tools Routing and Remote Access. The Routing and Remote Access console appears as shown in Figure 9.13.;

2. Right-click over the server name , and select "Configure and Enable Routing and Remote Access."

3. The Routing and Remote Access Wizard appears. Click Next at the introduction screen for the wizard.

4. At the "Configuration" screen, select "Custom configuration" and select "Next."

5. At the "Custom Configuration" screen, select "VPN access" (and nothing else) and click "Next." At the final page of the wizard, click "Finish." You'll be asked to start the RRAS service. Select "Yes."

6. Once back at the Routing and Remote Access console, right-click over the server name and select "Properties." On the "General" tab, click "Local area network (LAN) routing only" and ensure "Remote access server" is also checked. Click "OK" to return to the Routing and Remote Access console. You may be prompted to restart the RRAS services. Select "Yes" to restart them.

7. Back at the Routing and Remote Access console, right-click the icon labeled "Ports" and select "Properties." Select the line labeled "WAN Miniport (PPTP)" and select "Configure." Ensure "Remote access connections (inbound only)" is checked, as shown in Figure 9.14. While you're here, you can also change the maximum number of inbound connections by entering in a number in the "Maximum ports" spinner if you like. Click "OK" to close the "Configure DeviceWAN Miniport (PPTP)" page. Click "OK" to close the "Ports Properties" page.

8. Back at the Routing and Remote Access console, click the icon labeled "Remote Access Policies." Right-click over the "Connections to Microsoft Routing and Remote access server" policy as shown in Figure 9.15 and select "Properties." On the properties page of the policy, select "Grant remote access permission" as shown in Figure 9.15.

Figure 9.13: PPTP is configured once the configuration of RRAS starts.

Figure 9.14: Ensure "Remote access connections (inbound only)" is selected.

Figure 9.15: Be sure to select the policy and allow people access. By default RRAS denies everyone access.

Enabling Individual Users to Use the PPTP VPN

Now you need to specify each user who has access via VPN. You only need to do this step if your Active Directory domain is in the Mixed functional level. In the course of this book, we never changed it, so Mixed functional level is likely what you still have if you've been working through our exercises. To that end, use Active Directory Users and Computers and select the properties of any user you want to allow via VPN. In Figure 9.16, you can see we've selected salesperson1 's properties then clicked the "Dial-in" tab. Be sure to select "Allow access" or salesperson1 won't be able to log on via the VPN.

Figure 9.16: Ensure that the user you want to allow to dial in has been expressly assigned "Allow access" on the "Dial-in" tab.

Testing Your Microsoft PPTP VPN with a Microsoft XP Client (for Users in ad.corp.com )

In our examples, we'll assume you've got a machine named xpmobile1. This should not be a domain member workstation living "inside" the 192.168.2.x LAN. Instead, use an external PC that has no physical access to your internal network. A workstation at home connected via a public broadband ISP is a good example.

Such a workstation can only "see" the firewall, nothing else in the test lab. It's up to your firewall to forward PPTP traffic from its public interface back to the private interface where it can find windc1 . This way, when we're able to ping machines inside the firewall, we'll know for certain that the PPTP connection has succeeded because otherwise we wouldn't see them at all! If we used a workstation inside the firewall, we would already be able to ping the systems behind it, and indeed in most cases this would happen without the benefit of the VPN over the existing unencrypted route to the local area network.

To create a VPN connection from xpmobile1 to the PPTP server:

1. Log on to the machine. If the machine isn't joined to the domain, the only account is the local Administrator account.

2. Click Start My Network Places. Then in the left hand under "Network Tasks," select "View network connections."

3. Still under "Network Tasks," select "Create a new connection" to start the "New Connection Wizard." At the first screen of the wizard, select "Next."

4. At the "Network Connection Type" screen, select "Connection to the network at my work-place" and click "Next."

5. At the "Network Connection" screen, select "Virtual Private Network connection" and click "Next."

6. At the "Connection Name" screen, enter the company name, say, corp.com .

7. At the "Public Network" screen, select "Do not dial the initial connection."

8. At the "VPN Server Selection" screen, enter the publicly visible Internet IP address of the firewall box, which must be configured to forward TCP port 1723 and all GRE traffic to windc1.ad.corp.com , as we've mentioned earlier.

9. At the final screen of the wizard, click the "Add a shortcut to this connection to my desktop" check box (we'll reuse this dial-up tool many times) then click "Finish."

From your Windows XP client, you'll be able to enter credentials for any user in Active Directory. For now, enter salesperson1 as shown in Figure 9.17. You can use the password of p@ssw0rd .

Figure 9.17: You can enter credentials as anyone in Active Directory who has been granted the specific right to log on via dial-in.

Once connected, you should get a pop-up balloon, as shown in Figure 9.18.

Figure 9.18: A pop-up balloon for Windows XP shows that you're connected to the VPN.

Now we can verify our success by using the ping command to access a system behind the firewall, which we normally wouldn't be able to find over the Internet:

1. Click Start Run. In the "Open" field enter cmd and press Enter. The command prompt appears.

2. Use the ping command to verify that you can communicate with linserv1.corp.com : ping 192.168.2.202

3. You should see lines similar to the following:

    Reply from 192.168.2.202: bytes=32 time=100ms TTL=41 

Since you are connecting over the Internet, it is possible that some packets will not come back. That's okay as long as most of them do come through.

Great! We've verified several things:

• PPTP is working.

• RRAS policies are allowing clients in.

• salesperson1 has been granted access to dial-in/VPN in.

• The firewall is correctly configured to forward PPTP traffic.

• If your connection is not successful, check the following:

• If you receive an error message stating that "the VPN server may be unreachable," double-check the Internet (not internal) IP address of your firewall. Then double-check the TCP port 1723 and GRE traffic forwarding rules you have configured on the firewall to forward traffic to windc1.ad.corp.com .

• Try establishing the connection from a workstation inside the local network, such as xppro1.ad.corp.com . This isn't particularly useful, because traffic will still travel unencrypted on the local network via the default route, but success here means that the firewall is not the problem.

• Make sure you have specifically enabled dial-in access for the user salesperson1 .

• Check the event logs on windc1.ad.corp.com .

Okay, so we've logged into a Windows VPN with Windows domain credentials. That's nice, but not very cross-platformnot yet. Now we'll log in using corp domain credentials, demonstrating that users who "live" on our Samba PDC can also access the VPN thanks to our domain trust.

Initially Testing Your Microsoft PPTP VPN with a Microsoft XP Client (For Samba Users in the corp Domain)

We've succeeded in logging in with ad domain credentials. Now let's try it as a user from the corp domain.

Right now, this is a test that should fail. That's because we haven't specifically allowed dial-in access for our individual corp domain users yet. We'll try the test now to see the symptom, then repeat the test after we administer the cure.

Go ahead and double-click the icon on the desktop you created for the dial-up tool. Now enter the credentials of doctor1 , who resides in the corp domain as shown in Figure 9.19. Be sure to specify the corp domain in the "Domain" field. Also enter the password of p@ssw0rd .

Figure 9.19: Enter credentials for doctor1 , who lives in corp .

When you try this, you will not successfully make a connection, as shown in Figure 9.20.

Figure 9.20: Your Samba accounts need to be specifically granted dial-in access.

Why? Because doctor1 hasn't yet been granted access to "dial-in." The only way we've successfully found to enable this is to use the old-school NT 4 tools we saw previously in Chapter 2. This appears to be an unfortunate gap in the currently available Samba tools: Samba and its LDAP back end will cheerfully store the dial-in "flag," but there is currently no interfacecommand line or otherwiseto set it. There's no documentation about it either. Ouch. This is clearly another opportunity for Enterprising Linux Gurus to improve their karma by adding a rather straightforward new feature.

In the meantime, we'll dive in and solve the problem using the NT 4 tools. As discussed in Chapter 2, these run on a Windows domain member workstation and edit user accounts remotely. As far as they are concerned , Samba is an NT 4 server, which is a neat trick. But before we can set that up, we have to clean up our act a little by creating NT-style "domain groups" corresponding to our Unix doctors and nurses groups.

Creating Samba Domain Groups

Our Samba PDC already has two groups of users, doctors and nurses . That's worked fine for us so far, so you may be scratching your head at this point when we tell you that our groups aren't quite good enough.

What's the trouble? The Webmin LDAP Users and Groups module that we've relied upon in this book does a great job of creating users in such a way that they are valid both as Linux users and as NT-style domain users. However, it doesn't do such a great job with groups. Specifically, it doesn't automatically create a "group mapping" so that each new group is specifically advertised to NT domain members . For most applications, this doesn't matter, but the NT user administration tools do care. We need those tools in this chapter to grant "dial-in" (VPN) privileges to users in the corp domain, since Samba is currently missing native tools (and documentation!) for that purpose. The NT tools will complain with nasty message boxes unless we ensure that the group each user belongs to is advertised as a domain group.

So how do we take care of it? Using Webmin's Samba module, which we've seen many times before. This module allows us to easily create a Samba "group mapping" for any existing Unix group. Follow these steps to create Samba group mappings for the existing doctors and nurses groups:

1. Log into Webmin at http://linserv1.corp.com:10000/ with the username root and the password p@ssw0rd .

2. Click "Servers." The "Servers" page appears.

3. Click "Samba Windows File Sharing." The "Samba Windows File Sharing" page appears.

4. Click "Add and edit Samba groups." The "Samba Groups" page appears.

5. Click "Add a new Samba group." The "Create Samba Group" page appears.

6. In the "Group name" field, enter doctors .

7. From the "Group type" menu, select "Domain Group."

8. In the "Unix group" field, also enter doctors .

9. Click "Create." The "Samba Groups" page reappears.

10. Repeat steps 59 for nurses .

The doctors and nurses groups are now correctly advertised as domain groups in a way that is fully compatible with the NT user administration tools. As we've mentioned, this means we'll be able to grant "dial-in" (VPN) privileges to these users using the NT tools without frustrating error messages.

Leveraging the Old-School NT 4 Tools to Allow Dial-Up Access

In Chapter 2, we used the old usermgr.exe and srvmgr.exe tools to manage Samba because Samba really pretends to be an NT 4 domain. In Chapter 2 we explained that the best course of action is to find an old NT 4 server CD-ROM and rip out the tools by hand. The files will be in the i386 directory in compressed format. All you need to do is use the expand command on two files: usrmgr.ex_ and svrmgr. For example, you'll type:

 expand usrmgr.ex_ c:\usrmgr.exe expand srvmgr.exe c:\srvmgr.exe 

When you do this, you'll have two uncompressed and ready-to-run files in your c:\ directory. Once you run them on any Windows machine (say, xppro1.ad.corp.com ), you'll be able to manage your Samba domain and provide the appropriate dial-in permission.

Now, log on to xppro1.ad.corp.com as the administrator of the corp domain. (If you're logged in as anyone else, this won't work, so be sure you're logged in as the administrator of the corp domain.) Then, run usrmgr.exe from wherever you unpacked it.

You'll be able to select the doctor1 "User Properties"; then select "Dial-in" and check the "Grant dial-in permission to user" check box as shown in Figure 9.21.

Figure 9.21: Samba users need the "Grant dial-in permission to user" set within the NT 4 User Manager tool.

Click "OK" to close the "Dial-in Information" window, then click "OK" to close the "User Properties" window.

Retrying Your Microsoft PPTP VPN with a Microsoft XP Client (for Samba Users in corp )

Now that we have granted dial-in access, the Windows VPN should be happy with the response it gets from the Samba PDC. Go ahead and double-click the icon on the desktop you created for the dial-up tool. Now enter the credentials of doctor1 , who resides in the corp domain as shown in Figure 9.19. Also enter the password of p@ssw0rd .

Now it should connect you successfully because that user has been granted the right to log on!

At this point, we have access to both domains from Windows. and that's impressive. However, the picture is incomplete without VPN access from a Linux workstation. That's where we're going next.

Installing the PPTP Client Software for Linux

Where does the PPTP client for Linux come from? The Linux PPTP client project has its home page at http://pptpclient. sourceforge .net . A Fedora Core 3 HOWTO is available on that site as well:

• http://pptpclient.sourceforge.net/howto-fedora-core-3. phtml

Installing pptpclient isn't too difficult, but there are a few requirements that must be taken care of first. Specifically, before installing pptpclient , we need to:

1. Install Fedora Linux on a "road warrior" PC, linmobile1 . This will be our Linux-based VPN client.

2. Add support for MPPE (Microsoft Point-to-Point Encryption) to the kernel. MPPE provides encryption for our PPTP connections. Fortunately, installing this kernel module is not difficult thanks to good packaging.

3. Upgrade pppd (the Point-to-Point Protocol daemon) to version 2.4.3 or better, if necessary. PPTP is built upon PPP, and the implementation of PPP included with Fedora Core 3 has difficulties negotiating with Microsoft's VPN server as of this writing.

4. Install a few system libraries and tools that are required by the pptpclient graphical user interface pptpconfig .

We'll begin by installing Linux on linmobile1 .

 DKMS: install Completed. 

 modprobe ppp-compress-18 && echo MPPE kernel module loaded 

 MPPE kernel module loaded 

 modprobe ppp-compress-18 && echo MPPE kernel module loaded 

 pppd --version 

 pppd version 2.4.2 

Testing pptpclient by Logging In as an Active Directory (ad) User

Configuring pptpclient is made much easier by the user-friendly pptpconfig utility. This utility allows us to create and manage as many VPN connections as we find useful. It is, dare we say it, a darn nice GUI for a Linux application. Now that the utility is installed, we can access it using the standard Fedora menus and use it to connect to the RAS PPTP server on windc1.ad.corp.com . Follow these steps to create a linmobile1 to the VPN :

1. Log into linmobile1.

2. Select the "Applications" menu.

3. Select the "Internet" submenu.

4. Select the "PPTP Client" item.

   Note	If you are not logged in as root, you will be asked to provide the root password. This is because establishing new network routes is a privilege reserved for root in Linux.

5. The pptpconfig tool then appears. In the next few steps we will configure the fields shown beneath the "Server" tab, as shown in Figure 9.22.

6. In the "Name" field, enter windc1_as_salesperson1 .

7. In the "Server" field, enter the Internet-visible IP address of your router. Although you see 192.168.2.226 in the screen shot, this is only a placeholder. You should use the externally visible address of your router, which must be configured to forward PPTP traffic to 192.168.2.226 as described earlier in this chapter.

8. In the "Domain" field, enter ad .

9. In the "Username:" field, enter salesperson1 .

10. In the "Password:" field, enter p@ssw0rd .

11. Click "Add." An entry for the windc1_as_salesperson1 connection now appears in the "PPTP Client Tunnel List" area.

12. Click the "windc1_as_salesperson1" entry in the "PPTP Client Tunnel List" area.

13. Click "Start." The "pptpconfig tunnel windc1_as_salesperson1" window appears, displaying the status of the connection. After a few moments, the display should resemble Figure 9.23. "Connected" should appear in the lower-left corner of the window.

14. Click "Close" to dismiss the status window.

15. Click "Quit" to close the "pptpconfig tunnel windc1_as_salesperson1 " window. This does not break the VPN connection.

Figure 9.22: You can use pptpconfig to create a new PPTP VPN connection.

Figure 9.23: You'll see "connected" in the pptpconfig status window up successfully connecting from linmobile1

If the "pptpconfig tunnel windc1_as_salesperson1 " status window does not display "Connected," examine the messages in the window and check the following:

• Make sure you specified the domain ad (not corp , since we used an ad username) in the "Domain" field.

• Make sure you loaded the MPPE kernel module and upgraded pppd to version 2.4.3 or better.

• Check the event logs on windc1.ad.corp.com .

Once you are connected, you can communicate with all hosts on the company network as if your machine were directly connected to it. You can verify this by pinging hosts such as 192.168.2.202, which would otherwise not be accessible from linmobile1 because they are part of the nonpublic network behind the company firewall. Use the ping command from the Linux command line on linmobile1 exactly as you used it in Windows on xpmobile1 .

Great! We've logged into the company VPN using ad domain credentials from a Linux client. Just one more thing left to do: log into the VPN using corp domain credentials from that very same client.

Testing pptpclient by Logging in as Samba (corp) Users

Logging in to the VPN using corp credentials is an important scenario because users hosted on the Linux-based PDC are probably more likely to be logging in from Linux workstations in the first place.

To log into the VPN using corp domain credentials on a Linux workstation, follow the steps in the previous section, substituting the corp domain and the username doctor1 . You'll be adding a second connection description in pptpconfig . The simplest way is to select the windc1_as_salesperson1 connection description by clicking it. Then change the "Name," "Domain," and "Username" fields appropriately and click "Add" to add another connection description. Now you can right-click the new connection description and click "Start" to make a connection.

This connection should work just as smoothly as salesperson1 and the ad domain. If you do have difficulties though, check the following:

• You must first complete the domain trust creation steps presented in this chapter.

• As described earlier, you must use the Windows NT tools to enable dial-in access to the doctor1 account in the corp domain.

We're up and running! Both Windows and Linux clients can log into the VPN with either ad or corp domain credentials.