
ubuntu_10.04

Installation medium

CD/DVD

Before installation, always check the DVD/CD for defects. Different CD-ROM drives may have problems with an installation medium that was already verified successfully.

USB hdd

I have used this description http://wiki.ubuntuusers.de/Live-USB, chapter “Ältere Ubuntu-Versionen”. With an external USB hard drive it is okay, but don't forget to write an MBR to the disk. Problem with the CD-ROM auto-detection of the installation sequence: try the cdrom-detect/try-usb=true kernel command line option (menu F6 or text.cfg within the boot menu), because we don't use a CD drive.

X

Start the X installation with the driver package for your graphics card, because the minimal set of xorg packages depends on it and is installed automatically.

  • Thinkpad T60 has an on-board Intel chip, so I use the xserver-xorg-video-intel package
  • Sony Vaio P11Z is based on the Intel GMA500, so I follow the poulsbo instructions

and always got the following packages automatically:

  • x11-common
  • x11-input
  • ..

Additionally install

  • the xorg package to get the startx script

Sound

1. Always start the installation of the sound system using ALSA.

  • packages alsa-base, alsa-utils and, under GNOME, gnome-alsamixer
  • check that sound works using mplayer, audacious and alsamixer for volume control

But GNOME has one problem: the ALSA volume control cannot be placed in the panel as an icon.

2. Install the second sound system, PulseAudio

  • the PulseAudio volume control is displayed in the notification area of the panel or can be accessed under System→Preferences→Sound

Network Connection

In former times I always used /etc/network/interfaces and /etc/wpa_supplicant for my default network configuration. But GNOME has network-manager (icon available in the notification area of the panel). But I spent approximately 3 days on a default wireless connection. Problems:

  • enabling network-manager conflicts with my default settings
  • the system connection is not established at boot time

Steps to solve:

  • allow your user to create wireless connections for all users with a polkit rule like this one:

[Allow user YOURUSERNAME to create wireless connections for all users]
Identity=unix-user:YOURUSERNAME
Action=org.freedesktop.network-manager-settings.system.modify
ResultAny=no
ResultInactive=no
ResultActive=yes

  • use the network-manager and connect to the wireless network
  • edit the connection; enable “automatic connect” and “available to all users”, but I always got a disconnect when applying
  • check whether the system connection was saved under /etc/NetworkManager/system-connections
  • finally: edit /etc/NetworkManager/nm-system-settings.conf and set managed=true ;)

Result: The connection will be established at boot time.

Printer (cups network client)

What the hell: the GNOME “System → Administration → Printing” dialog does not save the settings.

Install the cups-client package and edit/create

#/etc/cups/client.conf
ServerName print-server

After that, the printers provided by the print-server are always visible in all GNOME tools and in the administration settings.

OpenVPN

First, the different VPN systems like IPsec/L2TP, OpenVPN, vpnc and so on are not compatible with each other. You need the appropriate VPN server for a specific VPN client. For example, mobile phones in general only support IPsec-based VPN.

I tried to understand the IPsec/L2TP VPN server, but at a specific point I stopped the evaluation because its configuration is very complicated. Finally I chose OpenVPN; it works nearly out of the box and is therefore not too complicated for my home router.

basic install

http://wiki.ubuntuusers.de/openvpn

Follow the server instructions. It works without problems.

my /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

network manager client

Install the package network-manager-openvpn and create a default VPN connection using ca.crt, client.crt and client.key. <note important>Enable LZO compression in the extended settings because this is the default in the server configuration above (comp-lzo).</note> Symptom: no connection can be established if the client compression setting does not match the server config. <note important>Edit /etc/default/openvpn and set AUTOSTART="none" to avoid automatic VPN enabling by network-manager at boot. It looks like “connect automatically” in the GUI connection editor is broken.</note>

Finally, the VPN connection can be enabled/disabled via left click on the nm applet → “VPN Connections” → the configuration name / Disconnect VPN.
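As an added example (not from the original page), the following script derives the client-side directives that must mirror the server.conf above and checks an existing client config for the compression mismatch just described; the server hostname vpn.example.org and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: derive the OpenVPN client directives that must match the
# server.conf shown above, and detect the comp-lzo mismatch that prevents
# the connection from coming up.

# Print the directives a client needs to mirror a given server.conf.
# $1 = server.conf path, $2 = server hostname (assumed, not on the page).
ovpn_client_directives() {
    awk -v host="$2" '
        $1 == "port"     { port = $2 }
        $1 == "proto"    { proto = $2 }
        $1 == "dev"      { dev = $2 }
        $1 == "comp-lzo" { lzo = 1 }
        END {
            printf "client\nremote %s %s %s\ndev %s\n", host, port, proto, dev
            if (lzo) print "comp-lzo"   # client must enable LZO too
        }' "$1"
}

# Return 0 if server ($1) and client ($2) agree on comp-lzo, 1 if they differ.
ovpn_lzo_matches() {
    s=0; c=0
    grep -q '^comp-lzo' "$1" && s=1
    grep -q '^comp-lzo' "$2" && c=1
    [ "$s" -eq "$c" ]
}

# Constructed sample inputs: a trimmed copy of the page's server.conf and a
# client config that forgot comp-lzo (the failure case described above).
OVPN_DEMO=$(mktemp -d)
cat > "$OVPN_DEMO/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
cat > "$OVPN_DEMO/client-nolzo.conf" <<'EOF'
client
remote vpn.example.org 1194 udp
dev tun
EOF
# A matching client config generated from the server side:
ovpn_client_directives "$OVPN_DEMO/server.conf" vpn.example.org > "$OVPN_DEMO/client-ok.conf"
```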

firewall (firehol) on server

I tried the evaluation on a dedicated server behind my home router, which has only one interface. But it should be easy to adapt to the home router configuration described at interface_overview. I will minimize the settings described.

#/etc/firehol/firehol.conf

server_openvpn_ports="udp/1194"
client_openvpn_ports="any"

interface eth1 local_lan
        policy drop
        server icmp accept     # only needed for the ping check to see if the vpn server is available
        server openvpn accept  # the openvpn server listens on this port

# restrict the vpn clients
server_myicq_ports="tcp/5190 udp/5190"
client_myicq_ports="any"
VPNACCEPTED="icmp ICMP ftp http https dns ping ssh myicq smtps pop3s smtp pop3 privoxy"

router eth12vpn inface eth1 outface tun0
        protection strong
        policy drop  # change to accept to enable traceroute
        client "${VPNACCEPTED}" accept # clients on tun0 are allowed to get this traffic

router vpn2eth1 inface tun0 outface eth1
        policy drop
        masquerade   # to avoid a dedicated source nat rule

interface tun0 vpn
        policy drop
        protection strong
        server "icmp ICMP" accept # ping the tun0 vpn server from inside the vpn network
        client "icmp ICMP" accept # ping vpn network clients from the tun0 vpn server

firewall (firehol) on client

The tun0 device needs a firewall on the client too, otherwise the default route through it will be rejected.

debugging

route on client (vpn enabled)

Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
router0.private router1.private 255.255.255.255 UGH   0      0        0 wlan0
192.168.2.0     *               255.255.255.0   U     2      0        0 wlan0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0

route on client (vpn disabled)

Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     2      0        0 wlan0
default         router1.private 0.0.0.0         UG    0      0        0 wlan0

route on server

Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
default         router1.private 0.0.0.0         UG    100    0        0 eth1

ping vpn server

10.8.0.1 is reached much faster with the VPN enabled because it is then the end point of the default route, whereas with the VPN disabled traceroute shows a server in the WAN.

traceroute

Does not work due to the very strict firewall rules. But changing drop to accept within the router eth12vpn settings shows:

# traceroute www.google.de
 1  10.8.0.1 (10.8.0.1)  3.662 ms  3.667 ms  3.927 ms
 2  router1.private.lan (192.168.1.1)  4.013 ms  4.144 ms  4.446 ms
 3  rdsl-nrbg-de02.nw.mediaways.net (213.20.57.196)  25.435 ms  25.460 ms  26.366 ms
...

and shows that the VPN gateway is used as the entry point instead of the real wlan0 device.

T.B.D.

client DHCP-published names via local DNS

client-to-client config

What about this?

UMTS (/dev/ttyHS0)

UMTS (broadband connection using network manager) basically works. I enabled all settings in the PPP dialog box.

  • enabled methods: EAP, PAP, CHAP, MSCHAP, MSCHAP v2
  • compression: use MPPE (with 128 bit and stateful), allow BSD and deflate data compression, TCP header compression
  • enable PPP echo

All IPv4 settings on automatic and no additional routes. For the basics only the number *99# and the APN event.vodafone.de are needed.

But in conjunction with OpenVPN there is something you have to know:

  • UMTS is a PtP connection
  • the route command only shows one default entry mapped to the hso0 device
  • there is no default gateway (IP or name) present.

Before a VPN connection can be established you have to set an additional route

  • sudo route add "mydyndns-name" hso0

because the default route is overwritten by network manager and the OpenVPN server will no longer be accessible.

Additionally the OpenVPN server shall

  • push a DHCP DNS pointing to the internal network gateway

usb stick /dev/ttyUSBx

ONDA Communication ZTE MF636 USB stick with id 19d2:0031.

  • download, build and install the newest usb-modeswitch and usb-modeswitch-data from the website
  • install libusb-dev, make and build-essential beforehand

<note important>Disable MPPE in the PPP settings of the network manager broadband connection. It looks like the stick cannot handle encryption. See /var/log/daemon.log</note> <note important>It creates a ppp0 ifconfig device; remember the firewall settings.</note>

VPN (IPsec) to be continued

Interface Overview

After reading a lot about strongSwan and L2TP I have an idea how to implement the VPN for my home router with the following constraints.

  • the VPN is a third subnet (in addition to the WLAN and LAN)
  • by default the VPN network is separated
  • VPN DNS and services back to the internet shall be supported by default
  • access to the router's services like NFS and printer shall be done via explicit routing
  • access to the other subnets shall be done via explicit routing

Solution: bring up an internal dummy VPN network interface used for:

  • the IPsec gateway address
  • VPN destination port forwarding from outside
  • the listen address for L2TP
  • therefore the entry point for the VPN subnet that can later be used in the firewall and routing rules

              internet
                 ↓
outside  -----------------------------
             |ppp0/eth0|
router
          |wlan0|     |eth2|    |vpn0|
inside   -----------------------------
             ↓           ↓

  • ppp0: [dynamic IP; mutties-domain.dyndns.org] DSL modem connected through eth0, dynamic IP via PPPoE from the ISP
  • wlan0: [192.168.2.X; *.private.wlan] wireless interface in master mode running hostapd
  • eth2: [192.168.1.X; *.private.lan] local ethernet
  • vpn0: [192.168.3.X; *.private.vpn] VPN subnet

X=1 is always the gateway in this subnet.

dummy network device

Small sample of how to bring up a dummy network device. This is quite helpful to separate the VPN network.

  # modprobe dummy numdummies=1
  # ifconfig dummy0 192.168.3.1 netmask 255.255.255.0

firewall (basic)

The following traffic needs to be forwarded:

  • UDP port 500 (IKE)
  • IP protocol 50 (ESP) and 51 (AH)
  • UDP port 4500 (NAT-T) - needed if some of your clients are behind a NAT router

from the public interface to the dummy VPN interface.

<note>No NAT (like port forwarding) is possible because IP packet data like src/dst addresses are signed by ESP</note> Additionally these services need to be served:

  • UDP port 1701 (L2TP)

Note: no incoming interface restriction, so an internal VPN connection should be possible.

server_myl2tp_ports="udp/1701"
client_myl2tp_ports="udp/1701"

# Note: the VPNIN interfaces must not accept the server ports themselves because all vpn related traffic is forwarded first
VPNIN="ppp0 wlan0"
VPNSERVICE="ESP isakmp AH" # 50/any, udp/500, 51/any
interface vpn0 vpn
   policy drop
   protection strong      # don't trust the clients within vpn
   server ${VPNSERVICE} accept      
   server myl2tp accept

router nonvpn2vpn inface ${VPNIN} outface vpn0
   server ${VPNSERVICE} accept

X509 certificates

We need different certificates and keys for

the VPN server certificate

  • CA cert (format .der or .pem) in /etc/ipsec.d/cacerts
  • gateway cert (format .der or .pem) in /etc/ipsec.d/certs
  • gateway cert RSA key in /etc/ipsec.d/private

Note: gateway=vpnserver

cd /etc/ipsec.d
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/vpnserverKey.pem -out cacerts/vpnserverCert.pem
cp cacerts/vpnserverCert.pem certs/ # the created certificate is already self-signed, therefore this simple copy is possible

The binary DER format can be created using -outform DER -out cacerts/vpnserverCert.der

Copy the OpenSSL config into the current directory to use it for further client certificate creations

cp /usr/lib/ssl/openssl.cnf /etc/ipsec.d/openssl.conf
change the [CA_default] section
dir = /etc/ipsec.d # Where everything is kept
certificate = $dir/cacerts/vpnserverCert.pem # The CA certificate
private_key = $dir/private/vpnserverKey.pem # The private key
# openssl ca also expects $dir/index.txt, $dir/serial and $dir/newcerts/ (the other [CA_default] entries) to exist

Create for each VPN client

  • a private key
  • and a public certificate signed by the CA (2 years)

openssl req -newkey rsa:1024 -keyout private/client1Key.pem -out reqs/client1Req.pem
openssl ca -config /etc/ipsec.d/openssl.conf -in reqs/client1Req.pem -days 730 -out certs/client1Cert.pem -notext

Transfer the files to the client

The following files are needed

  • the vpnserver CA cert /etc/ipsec.d/certs/vpnserverCert.pem
  • the client's private key /etc/ipsec.d/private/client1Key.pem
  • the client certificate signed by the CA (public/host key) /etc/ipsec.d/certs/client1Cert.pem

The three files can be combined into one PKCS#12 file, for example to be usable under Windows.

openssl pkcs12 -export -inkey private/client1Key.pem -in certs/client1Cert.pem -name "client1" -certfile cacerts/vpnserverCert.pem -caname "strongSwan Root CA" -out client1.p12
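
Before the files are handed to a client it is worth checking that they belong together. The script below is an added example (not from the original page): it verifies that the client certificate chains to the CA, that the private key matches the certificate, and that the PKCS#12 bundle built like the command above also carries the CA certificate; the demo PKI it creates in a temporary directory uses assumed names ("VPN Demo CA", client1, password demo).

```shell
#!/bin/sh
# Added example: sanity checks on a client bundle before transferring it.
# check_client_bundle: chain, key/cert pairing and expiry; make_and_check_p12:
# the PKCS#12 export must contain both client and CA certificate.

# $1 = CA cert, $2 = client cert, $3 = client key. Prints "bundle ok" and
# returns 0 only if every check passes.
check_client_bundle() {
    ca=$1; cert=$2; key=$3
    # 1. chain: the client certificate must be signed by our CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain check failed"; return 1; }
    # 2. pairing: RSA modulus of key and certificate must be identical
    cm=$(openssl x509 -noout -modulus -in "$cert")
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ "$cm" = "$km" ] || { echo "key does not match certificate"; return 1; }
    # 3. validity: clients are signed for 2 years; refuse certs expiring within 30 days
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null \
        || { echo "certificate expires within 30 days"; return 1; }
    echo "bundle ok"
}

# Build the PKCS#12 file like the command above and return 0 if it contains
# both the client certificate and the CA certificate (2 PEM blocks).
make_and_check_p12() {
    ca=$1; cert=$2; key=$3; out=$4
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name client1 \
        -certfile "$ca" -caname "VPN Demo CA" -passout pass:demo -out "$out"
    n=$(openssl pkcs12 -in "$out" -passin pass:demo -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ]
}

# Constructed demo PKI: self-signed CA plus one CA-signed client certificate,
# using openssl x509 -req instead of openssl ca to stay self-contained.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=VPN Demo CA' \
        -keyout "$d/caKey.pem" -out "$d/caCert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=client1' \
        -keyout "$d/client1Key.pem" -out "$d/client1Req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$d/client1Req.pem" -CA "$d/caCert.pem" \
        -CAkey "$d/caKey.pem" -CAcreateserial -out "$d/client1Cert.pem" 2>/dev/null
    # an unrelated key, to show the pairing check rejecting it
    openssl genrsa -out "$d/otherKey.pem" 2048 2>/dev/null
    echo "$d"   # prints the directory holding the demo files
}
```

On the real router run check_client_bundle against /etc/ipsec.d/cacerts/vpnserverCert.pem, certs/client1Cert.pem and private/client1Key.pem instead of the demo directory.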

import network-manager

Use the dyndns address for the VPN gateway because we have NAT-forwarded the ports to the correct internal dummy device. http://mopoinfo.vpn.uni-freiburg.de/node/15

import nokia symbian

ipsec (vpn server)

#/etc/ipsec.secrets
: RSA vpnserverKey.pem "pempassword"

#/etc/ipsec.conf
config setup
    nat_traversal=yes
    interfaces="ipsec0=vpn0"

conn rw
     left=%defaultroute                 # == domain.dyndns.org, but a URL is not possible
     leftsubnet=192.168.3.0/24
     leftrsasigkey=%cert
     leftcert=vpnserverCert.pem
     right=%any
     rightrsasigkey=%cert
     auto=add

xl2tp (vpn server)

network manager strongswan

<note>/var/log/daemon.log logs a “file coded in unknown format” error while loading the VPN server's *Cert.pem. So I stopped the evaluation at this point.</note>

Security

Open Ports and services behind

# sudo netstat -andp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1042/dnsmasq    
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2409/cupsd      
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2793/0         

Local Address 0.0.0.0 means that the service is listening on all IP addresses (interfaces) the host has. The :XX behind it is the port number. A list of all available services and ports can be found in /etc/services.
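To see at a glance which of those services are reachable from every interface (including wlan0 and tun0) and which only from localhost, here is an added example (not from the original page) that classifies the LISTEN sockets of a netstat listing; the sample input is the listing above plus one constructed IPv6 sshd line.

```shell
#!/bin/sh
# Added example: classify LISTEN sockets from `netstat -andp` by exposure,
# so that daemons bound to 0.0.0.0 or :: stand out from loopback-only ones.

# Read netstat lines on stdin; print "<exposure> <proto> <port> <program>" for
# each LISTEN socket. exposure is "all" for 0.0.0.0 / ::, "local" for loopback,
# otherwise the bound address itself.
listen_exposure() {
    awk '$1 ~ /^(tcp|tcp6)$/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]              # port is after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")          expo = "all"
        else if (addr == "127.0.0.1" || addr == "::1")  expo = "local"
        else                                            expo = addr
        split($7, p, "/"); prog = (p[2] == "" ? "unknown" : p[2])
        print expo, $1, port, prog
    }'
}

# Only the sockets exposed on all interfaces, one "port/program" per line.
exposed_services() {
    listen_exposure | awk '$1 == "all" { print $3 "/" $4 }'
}

# Constructed sample: the three lines of the listing above plus an IPv6 sshd line.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1042/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2409/cupsd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2793/0
tcp6       0      0 :::22                   :::*                    LISTEN      981/sshd'

printf '%s\n' "$NETSTAT_SAMPLE" | exposed_services
```

On a live system pipe `sudo netstat -andp` into listen_exposure instead of the sample; daemons reported as "all" can usually be restricted to the LAN side, for example cupsd via its Listen directive and dnsmasq via its interface= option.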

encrypt home directory (mobile devices)

Reason: the WLAN PSK, ssh private key and OpenVPN keys should be part of the home directory. If the mobile device is lost and booted using a live CD, the private network infrastructure should stay safe. The network manager keyring is not enough because the OpenVPN certs and keys as well as the network manager system-wide settings (/etc/NetworkManager/system-connections/) are not secure.

T.B.D.

http://wiki.ubuntuusers.de/ecryptfs

ubuntu_10.04.txt · Last modified: 2015/05/17 17:44 (external edit)