Project VOLANS: Setting up VPN using LinVPN

:: Setting up VPN using LinVPN ::
HOME

Click Here for Comparison Chart for different VPN solutions

Recipe to set up VPN using LinVPN

In order to keep everything isolated, I created a new user/group (linvpn/linvpn) on mia and zidler. Instructions for creating users using command line options can be found here. I have also set up passwordless login using SSH. PLease refer to this document for the HowTo. However, I still execute linvpn daemon as root. Use sudo appropriately if you want to execute it as any other user.
LinVPN basically creates a PPP-over-SSL tunnel. However it provides an easy to use interface to the user.
Properly configure the PPP software on all participating nodes; i.e Make sure you have the right configuration in:
1. /etc/ppp/options: This is the default options file for the PPP daemon. I mainly use the following options :
```
-------------------------------------
            PPP-Client     PPP-Server
-------------------------------------
lock            X             X
noauth          X             X      
debug           X  
dump            X 
logfd 2         X
updetach        X
noccp           X             X   **
novj            X             X   **
novjccomp       X             X   ** 
nopcomp         X             X   **
noaccomp        X             X   ** 
```
  **comment out the option if you want compression enabled in PPP.
2. /etc/ppp/(ip-up,ip-up.local): This script is called when the PPP interface comes up. I use it to set the routing table, firewall rules. Use it as approprriate.
3. /etc/ppp/(ip-down,ip-down.local): This script is called when the PPP interface goes down. Use it appropriately.
Download the LinVPN tarball and compile it. I used some special compilation flags, since I wanted all the binaries and config files, to be in /home/linvpn directory.
NOTE: You may need to add -I/usr/kerberos/include to the CFLAGS variable (in configure) for RedHat 9.0 (or systems that contain OpenSSL 0.9.7).
The command's I used are as follows:
```
~linvpn#>tar -xvzf LinVPN-version.tar.gz
~linvpn#>cd LinVPN-version
~linvpn#>mkdir /home/linvpn/etc; mkdir /home/linvpn/sbin
~linvpn#>./configure --prefix=/home/linvpn --config=/home/linvpn/etc
~linvpn#>make; make install
```
Because, of the --prefix=/home/linvpn flag during configure, all the executables are installed in /home/linvpn/sbin. I already had another vpnd (VPN Daemon) program installed in /usr/local/sbin, and LinVPN has a similarly named program. Hence I decided to keep this seperate.
Thus to run any LinVPN related program, i have to use the full path name.

LinVPN comes with 4 programs. Below is a listing:

shashank@zidler:/home/linvpn/sbin# ls | more
vpn-wrapper          #wrapper program to execute certain commands like route, similar to sudo
vpnd                 #Program to be run by the server                          
vpncd                #program to be run by the client               
vpndel               #NOT REQUIRED. Same functionality availavle in vpncd and vpnd.               
vpnadd               #Used to create a self-signed certificate. I Do not use this method.

You can also get good explanation of setting up a linux-to-linux vpn by reading the How-To that comes with tarball, and this recipe will serve as a good supplement.

I am asssuming that we are using the following setup with mia as the client and zidler as the server .
The first thing you need to do is get a good name for your VPN. I will name this vpn as testVPN.

Before starting the actual configuration, you will need to get a signed certificate for your server. This can be done in the following two ways. The second method of getting a certificate signed from a CA is more complicated, and involves extra configuration steps than the first method. I will explain the second method here. However, you can skip the appropriate steps, if you wish to follow the first method.

Create a self signed certificate for the server. This can be done using the vpnadd command. Use the following command:

linvpn@zidler:/home/linvpn/sbin# ./vpnadd server testVPN 192.168.254.201:192.168.254.200 1024
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..++++++
..........................................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Illinois]:
Locality Name (eg, city) [Chicago]:
Organization Name (eg, company) [UIC]:
Organizational Unit Name (eg, section) [ECE]:
Common Name (eg, your name or your server's hostname) []:linvpn
Email Address []:[email protected]
Adding VPN testVPN on server: done!

At the end, you will get a cert.pem file, in /home/linvpn/sbin that you can send to the peer.

The second method, is to generate a certificate request and get it signed from a Certificate Authority, (like Verisign).
I have set up my own Certification Authority, which can sign and approve user generate request. Steps to set up a CA, generating a user certificate request and getting it signed from this CA can be found here.

Use the following sequence of commands to set up the server (zidler)

I will assume that the user has generated a certificate request + private key (key.pem), and received a signed certifcate (cert.pem) from the CA. You can refer to steps viii, ix, x, xi... of this document for doing this.

Once u get a signed certificate (cert.pem), just append it to the end of the private key (key.pem). After appending, the key.pem file should look like:

linvpn@zidler:/home/linvpn/sbin# cat key.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCXX7qha8ZZRK1XzObWodf8m8SbmNLN0vKb6P7vPk81iTASV9Ok
VlsBRVVEYsugRoM9iekCQGk9lqJ1DVvw3slJXrD//COqO/pmLDIoyf4cBDwg18FG
wTnlVxGxO/iQ9vB/c/nNVJVIETqyQirg+ltx70XEfyo=
--SNIP--
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIBDzANBgkqhkiG9w0BAQQFADCBqzE9MDsGA1UEAxM0Q2Vy
dGlmaWNhdGUgQXV0aG9yaXR5IENyZWF0ZWQgYnkgU2hhc2hhbmsgS2hhbnZpbGth
cjERMA8GA1UECBMISWxsaW5vaXMxCzAJBgNVBAYTAlVTMSMwIQYJKoZIhvcNAQkB
FhRzaGFzaGFua0BldmwudWljLmVkdTElMCMGA1UEChMcUm9vdCBDZXJ0aWZpY2F0
Bcn3QAUVbzbTkRT06UH23Uc3Q/gQAfabSFPmKUznN7muoyBCfDPDEOXSWw==
--SNIP--
-----END CERTIFICATE-----

NOTE: The blank line between the certificate and the private key.

Place the (Private Key + Certificate) combination file (key.pem) in the same directory as your vpnd program, viz. /home/linvpn/sbin
Send the certificate file (cert.pem) to any peer who wishes to set up a VPN with you, using scp.

Now use the following set of commands to start the daemon and to set the various parameters for our VPN. Use vpnd --help for getting help.

1. linvpn@zidler:/home/linvpn/sbin# ./vpnd daemon
-------------------------------------------------------------------------------
2. linvpn@zidler:/home/linvpn/sbin# ./vpnd --help  
   usage: ./vpnd [command [option(s)]]
   Avaliable commands:
    insert       vpn_name local:remote      : Insert a new entry
    remove       vpn_name                   : Remove an existing entry
    fetch        vpn_name                   : Fetch an existing entry
    change       vpn_name local:remote      : Change an existing entry
    list                                    : Show all entries
    stats                                   : Show connected clients
    disconnect   vpn_name                   : Disconnect a client
    event        vpn_name [conn|disco]      : Edit VPN events
    setkey       vpn_name keyfile.pem       : Set RSA private key
    dumpkey      vpn_name                   : Dump key to stdout
    daemon                                  : Run daemon
    --version                               : Show version
    --help                                  : This help
 
-------------------------------------------------------------------------------
3. linvpn@zidler:/home/linvpn/sbin# ./vpnd insert testVPN 192.168.254.201:192.168.254.200
   Entry testVPN has been added successfully!

-------------------------------------------------------------------------------
4. linvpn@zidler:/home/linvpn/sbin# ./vpnd setkey testVPN key.pem 
   Keyfile of testVPN has been saved successfully!

-------------------------------------------------------------------------------
5. linvpn@zidler:/home/linvpn/sbin# ./vpnd dumpkey testVPN 
   -----BEGIN RSA PRIVATE KEY-----
   MIICXAIBAAKBgQCXX7qha8ZZRK1XzObWodf8m8SbmNLN0vKb6P7vPk81iTASV9Ok
   gF4v9OZBADj2wKeuE7Ex5j8+LzfN2Lch/P2ntQMZy/te6i+0YPSVTLOF57nswdn1
   --SNIP--
   -----END RSA PRIVATE KEY-----

   -----BEGIN CERTIFICATE-----
   MIIDJzCCAg+gAwIBAgIBDzANBgkqhkiG9w0BAQQFADCBqzE9MDsGA1UEAxM0Q2Vy
   dGlmaWNhdGUgQXV0aG9yaXR5IENyZWF0ZWQgYnkgU2hhc2hhbmsgS2hhbnZpbGth
   cjERMA8GA1UECBMISWxsaW5vaXMxCzAJBgNVBAYTAlVTMSMwIQYJKoZIhvcNAQkB
   --SNIP--
   -----END CERTIFICATE-----

-------------------------------------------------------------------------------
6. linvpn@zidler:/home/linvpn/sbin# setenv EDITOR pico
7. linvpn@zidler:/home/linvpn/sbin# ./vpnd event testVPN conn
8. linvpn@zidler:/home/linvpn/sbin# ./vpnd event testVPN disco
-------------------------------------------------------------------------------

The last two commands (7, 8) will open up the editor and you can add appropriate routing commands to it. For example, I added the following commands (though this did not work for me):

+/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 dev $i

Use the following sequece of commands to set up the client (mia).

Remember that the server has sent us a certificate file (cert.pem). Make sure that it is residing in the same directory as your vpncd executable. In our case this is /home/linvpn/sbin.

Now use the following sequence of commands at the client:

1. linvpn@mia:/home/linvpn/sbin# ./vpncd --help
   usage: ./vpncd command [option(s)]
   Avaliable commands:
     insert    vpn_name remote_host          : Insert a new entry
     remove    vpn_name                      : Remove an existing entry
     fetch     vpn_name                      : Fetch an existing entry
     change    vpn_name remote_host          : Change an existing entry
     list                                    : Show all entries
     connect   vpn_name [retry=#]            : Make your VPN connection
     event     vpn_name [conn|disco]         : Edit VPN events
      setcert   vpn_name cert.pem             : Set a Certificate
      --version                               : Show version
      --help                                  : This help
-------------------------------------------------------------------------------
2. linvpn@mia:/home/linvpn/sbin#./vpncd insert testVPN 131.193.50.184
   Entry testVPN has been added successfully!

-------------------------------------------------------------------------------
3. linvpn@mia:/home/linvpn/sbin#./vpncd setcert testVPN cert.pem
   Keyfile for testVPN has been saved successfully!
-------------------------------------------------------------------------------
4. linvpn@mia:/home/linvpn/sbin# setenv EDITOR pico
5. linvpn@mia:/home/linvpn/sbin# ./vpnd event testVPN conn
6. linvpn@mia:/home/linvpn/sbin# ./vpnd event testVPN disco

-------------------------------------------------------------------------------
7. linvpn@mia:/home/linvpn/sbin# ./vpncd connect testVPN

The two commands (5, 6) will open up the editor and you can add appropriate routing commands to it. For example, I added the following commands (though this did not work for me):

+/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 dev $i

Check if the interfaces are up using ifconfig command:

[shashank@mia sbin]# ifconfig
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.254.200  P-t-P:192.168.254.201  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:56 (56.0 b)  TX bytes:56 (56.0 b)

I tried using the vpnd event LinVPN1 conn command, but it requres permissions to be granted to the user under which vpnd is run by default. I prefer to add my routes manually (.). This is how I add the routes.

shashank@zidler:# route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
---------------------------------------------------------------------------
shashank@mia:# route add -net 192.168.2.0 netmask 255.255.255.0 dev ppp0

Use netstat -rn and ping to verify that the networks are reachable.
Kill the vpnd & vpncd processes to bring down the interface.

Avg. overhead (No compression)
1. The below diagram traces the path taken by a packet as it travels over the tunnel formed by LinVPN.
2. The TCP/IP/Ethernet layers add known amount of header/trailer which are trivial to find out. Hence, I will not explain them here. I will concentrate only on the overhead added by the PPP protocol and the (LinVPN + SSlv2) layer.
3. PPP protocol adds a maximum overhead of 8 bytes and a minimum of 5 bytes. This can be verified by reading
  - The Point-to-Point Protocol (PPP), RFC1661: Read Section 2 (PPP-encapsulation), followed by
  - PPP in HDLC-like Framing, RFC1662: Read Section 3.1 (Frame Format).
  The PPP frame format from the above RFC's is reproduced below for future reference:
  (Note: Padding field is optional and our PPP implementation does not use padding)
```
           +----------+----------+----------+
           |   Flag   | Address  | Control  |
           | 01111110 | 11111111 | 00000011 |
           +----------+----------+----------+
           +----------+-------------+---------+
           | Protocol | Information | Padding |
           | 8/16 bits|      *      |    *    |
           +----------+-------------+---------+
           +----------+----------+
           |   FCS    |   Flag   |
           |16/32 bits| 01111110 |
           +----------+----------+
```
  PPP uses character/byte stuffing to escape the flags characters. However, in our experiments, we make sure that the input to PPP does not have any character that will be escaped.
4. The LinVPN layer does not add any headers of its own, but sends the packet using SSLv2 protocol, which adds further headers to the packet.
5. How did I know that linVPN uses SSLv2? I had to hack into the code and find out, which SSL method was being used. Refer to $basedir/src/client/network.c, line# 114 to find this out.
6. SSLv2 is vastly different than SSLv3 in many respects. Hence, refer to the SSL 2.0 PROTOCOL SPECIFICATION [original, mirror] for more information on the added overhead. A brief summary follows in the next point.
7. You will find that SSLv2 bundles packet as:
```
2-byte    Header  
1-byte    padding_length (ONLY IF PADDING IS PRESENT)
m-byte    MAC (message authentication code); e.g. SHA1 (20 Bytes), MD5 (16 Bytes)
n1-byte   payload; 
n2-byte   random padding; (OPTIONAL. Will be added only if payload is not 
          a multiple of BLOCK_SIZE for the cipher.)
```
  Note: The 1-byte padding_length field is optional, and may be present only if the packet is required to be padded, i.e. when the payload is not a multiple of the BLOCK_SIZE for the selected cipher. The presense/absense of the 1-byte padding_length field can be found out from the 1st MSB of the header.
8. Let us assume that we are using DES-CBC3-MD5. Suppose that the input to the SSLv2 layer is a packet of length 136 bytes, then you can calculate the total overhead added by SSLv2 as follows:
  1. Find out what block size is used by the cipher. Since we are using 3des, the BLOCK_SIZE is 8 bytes.
  2. Calculate (floor[(136 + 7)/16] * 8 - 136) = 0 to find out the required padding. Since, in this case, it is zero, we will not add the padding bytes.
  3. Now add: MD5 MAC (16 Bytes) + 2 Byted Header to the above packet to give a packet of 154 Bytes. We verifed this with experiments too.
  4. If instead, the input data was 311 bytes, then we would have calculated the padding as: (floor[( 311+ 7)/16] * 8 - 311) = 1 Byte. Add to this a 16 byte Mac + 1 byte padding_length + 2 byte header, and one would get a packet of size of 331 bytes, which we also verified from our experiments.
  5. Thus we conclude that the SSLv2 layer adds a minimum of (2(Header) + 0(padding_len) + 16(MAC=md5) = 18 bytes) and maximum of (2(packet len) + 1(padding_len) + 7(padding) + 16(MAC=md5) = 26 bytes).
9. LinVPN does not provide any way of finding out which cipher suite is in use. You can find this out by:
  - adding the following line after the client calls SSL_connect as we have done here.
```
fprintf (stdout, "SSL connection using %s\n", SSL_get_cipher (ssl));
```
  - using the following command to determine which cipher suite is preferred.
```
> openssl ciphers -ssl2 -v
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5 
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
```
10. Assuming no compression mechanism is used in PPP, and using the cipher suite (DES-CBC3-MD5), we conducted a series of experiments with varying application input sizes. The input data for this experiment was totally random (NOT containing any characters that will be escaped by PPP). An example of such data is shown below:
```
seq_no: 0
Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3;                             
"Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/
U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4q                   
```
  This data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
  The results are presented below here.
Avg. overhead (Full compression)
1. LinVPN does not provide any compression routing on its own. Hence we had to rely on only the PPP layer to provide compression. This can be aceived by commenting out the following options in /etc/ppp/options (at both client/server):
```
noccp
novj
novjccomp
nopcomp
noaccomp
```
  The results are presented here.
2. The input data for this experiment was again totally random. An example of such data is shown below:
```
seq_no: 0 
Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3;
"Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/
U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4q
```
  This data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
3. Using compression, it is not possible to estimate the amount of overhead, as the amount of compression really depends on the entropy in the data. It is entirely possible for the data on the wire to be lesser in size to the input data. For e.g. when we used an input data of size 1200 bytes (each having a value "S"), we found that the packet size on the wire was just 130 Bytes.
Inbuilt support for Routing:
1. LinVPN tunnels, do not have inbuilt routing mechanisms. As a result the user has to take care of establishing routes to remote networks. This can be done in the following ways:
  - Static routes can be added after the PPP link comes up. I used this method, since the other methods failed for me.
```
route add -net network/netmask gw gateway-ip 
```
  - LinVPN allows certian scripts to be executed when a LinVPN client connects/disconnects to/from a LinVPN server. These events can be utilised to add the above static routes.
  - PPP also allows executes the scripts /etc/ppp/(ip-up.local|ip-down.local), which can be utilized to set up the static routes. This was also not working for me.
  Although the above methods are simple for small networks, it becomes exceedingly difficult to maintain such routes one your network reaches a decent size (> 5 nodes, say). Hence one should avoid using this method, unless you have a very small network.
2. Another way is to use a routing software that will set up/tear down the routes automatically. One such software to consider is Gnu Zebra with one of its components: OSPF. At the time of this writing, I could not find much documentation on how to configure zebra, and since I was not working with any complex network architectures, I preferred to use the first method. However, I do plan to include the steps to set up zebra in future.
Using Algorithm Plug-in's
1. LinVPN uses the SSlv2 protocol for security. Hence, it can only be possible to incorporate different algorithm plugin's, if someone can incorporate it in the OpenSSL distribution.
Scalability of the solution
1. The LinPN solution for forming VPN's is highly unscalable. (This may not be true
2. For e.g. If a company has 'N' different sites, then it would be necessary to have O(N^2) point-to-point PPP-over-SSH links and each site will have to maintain an entry in the routing table for (N-1) other sites. I think a full mesh will be necessary in this case, as the complexity of maintaining any other network infrastructure will be prohibitively high.