WirelessNetworkSecurityHowto
''In future this document may become a fully-fledged HOWTO. Right now it's just my experience getting Windows clients to open an encrypted [PPTP] tunnel to a Linux [pptpd(8)] server.''

!!Introduction

Wireless LANs are notoriously insecure. Even with WEP encryption enabled, it is trivial for people to crack your key and enter your network. I believe you should scrap WEP altogether and set up encrypted tunnels from your WLAN clients into your wired LAN.

I recently got two D-Link DWL-650+ !AirPlus PCMCIA 802.11b cards and a DWL-900AP+ AccessPoint. Because D-Link aren't releasing Linux drivers for these cards until December 2002 I have been forced to use them under Windows.

!!Software

I've currently only set up [pptpd(8)], but a completed setup will require a firewall as well.

While attempting to set up [pptpd(8)] I found out that the default VPN software in Windows (9x, Me, 2000, XP) requires Microsoft Point-to-Point Encryption ([MPPE]). The default Debian kernel and [pppd(8)] packages don't support this, and I had a hell of a time getting it to work. So I wouldn't forget how I did it, and to help anyone who wants to do this, I'm slowly writing this document. :)

You will need the following software:

* PoPToP Point to Point Tunneling Server >= 1.1.2 (Debian package __pptpd__).
* Point-to-Point Protocol (PPP) daemon 2.4.1 (you'll need to patch and rebuild this from source).
* Kernel 2.4.19 (you'll need to patch and rebuild this too).
* Patches to add support for [MPPE] to ppp and the kernel.

!PoPToP installation

Install your distribution's pptpd package. No patching or modifications are required.

!Kernel Patching

The kernel [MPPE] patch is available for many kernel versions, but I used 2.4.19. You can download the patch from [http://public.www.planetmirror.com/pub/mppe/linux-2.4.19-openssl-0.9.6b-mppe.patch.gz]. Put the patch file into /usr/src and gunzip it. Download the kernel source and extract it into /usr/src/linux-2.4.19.
Apply the patch like so:

    root@box:/usr/src/linux-2.4.19# patch -p1 < ../linux-2.4.19-openssl-0.9.6b-mppe.patch

If you use Debian, you can use make-kpkg to do the rest for you. The following command will let you configure your kernel, then build the kernel and modules and place them into a .deb package for you:

    root@box:/usr/src/linux-2.4.19# make-kpkg --config=menuconfig kernel_image

If you don't use Debian, you're on your own. ;P

Once the kernel is built, install it and reboot your system. You'll need to add a module alias to your /etc/modules.conf so that pppd's request for CCP compression type 18 (the MPPE type number from RFC 3078) loads the ppp_mppe module. If you use Debian, add this line to /etc/modutils/ppp and then run update-modules:

    alias ppp-compress-18 ppp_mppe

If you use a different distribution, just add the above line to your /etc/modules.conf.

!PPP Patching

You'll need to remove the ppp package, if it's installed. Unfortunately pptpd depends on ppp, so you'll probably have to install pptpd first and then remove ppp with the command:

    root@box:~# dpkg --remove --force-depends ppp

You really should build a new Debian package of the patched ppp, but I'm not sure how, so I'll have to add that later. :)

Download the ppp-2.4.1 source tarball from [ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.4.1.tar.gz]. Also grab the patches [http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-MSCHAPv2-fix.patch.gz] and [http://public.www.planetmirror.com/pub/mppe/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz]. Put the above three files into /usr/local/src. Extract ppp-2.4.1.tar.gz and gunzip the two patch files.

Apply the patches:

    root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-openssl-0.9.6-mppe-patch
    root@box:/usr/local/src/ppp-2.4.1# patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch

Configure ppp:

    root@box:/usr/local/src/ppp-2.4.1# ./configure

Edit the Makefile to change the install path.
Change it to something like this:

    BINDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/sbin
    MANDIR = /usr/local/stow/ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix/man
    ETCDIR = /etc/ppp

If you don't use [stow(8)] (which you ''should'') change BINDIR to /usr/local/sbin and MANDIR to /usr/local/man.

Now you can build and install ppp:

    root@box:/usr/local/src/ppp-2.4.1# make && make install

If you use stow then you'll now need to do this:

    root@box:/usr/local/stow# stow -v ppp-2.4.1-openssl-0.9.6-mppe-MSCHAPv2-fix

Finally, add a link to /usr/local/sbin/pppd so that pptpctrl will be able to find it. It took me about an hour to figure out that an error I was getting was caused by pptpctrl not finding pppd.

    root@box:~# ln -s /usr/local/sbin/pppd /usr/sbin/pppd

!PPTP Configuration

The standard /etc/ppp/pptpd-options will need a couple of modifications to offer Windows clients the encryption and handshaking they require. Add or uncomment the following lines:

    +chapms
    +chapms-v2
    mppe-40
    mppe-128
    mppe-stateless

That will enable Microsoft's CHAP (MS-CHAP) and MS-CHAPv2, as well as turn on 40-bit and 128-bit stateless encryption. Stateless mode rekeys MPPE on every packet, so a lost packet doesn't leave the two ends with different cipher state. Note that MS-CHAPv1 and 40-bit MPPE are the weak end of what Windows can negotiate; if all your clients are Windows 2000/XP (which support MS-CHAPv2 and 128-bit MPPE) leave out +chapms and mppe-40 so that a connection can't fall back to them. These option names belong to the 2.4.1 MPPE patch; pppd 2.4.2 and later ship MPPE support built in and spell the equivalents require-mschap-v2, require-mppe-128 and nomppe-stateful.

!PPP user account

The users who are allowed to use the VPN connection are specified in the file /etc/ppp/chap-secrets. It looks like this:

    # Secrets for authentication using CHAP
    # client        server          secret          IP addresses
    Madcat          madcatServer    MyPwd           *

This will allow user "Madcat" with password "MyPwd" to gain access. The secrets are stored in clear text, so keep this file readable by root only (mode 0600).
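The three files involved here fit together in ways that are easy to get wrong: the server column in chap-secrets must equal the "name" option in pptpd-options, the "listen" address in pptpd.conf must be a real address (the 300.300.100.100 placeholder on this page is not), and chap-secrets holds plaintext passwords. The script below is an example added to this HOWTO; it is not part of PoPToP or pppd. It checks a PoPToP configuration for those mistakes and for the weak MS-CHAPv1 and 40-bit MPPE settings, and with --demo it writes a constructed copy of this page's configuration (plus a made-up second user "Alice" whose server field is wrong) into a temporary directory so it can be run without touching /etc. The file paths and the user "Alice" are assumptions for the demo.

```shell
#!/bin/sh
# pptp-check.sh: added example for this HOWTO (not part of PoPToP or pppd).
# Reads pptpd.conf, pptpd-options and chap-secrets and prints one line per
# problem: an invalid "listen" address (such as the 300.300.100.100
# placeholder used above), an empty "remoteip" pool, a chap-secrets server
# field that does not match the "name" option (pptpd rejects such users),
# MS-CHAPv1 (+chapms) or 40-bit MPPE (mppe-40) left enabled, and a
# chap-secrets file readable by group/others (it holds plaintext passwords).

# valid_ipv4 ADDR: succeed only for four decimal octets in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# remoteip_count SPEC: number of addresses in a pptpd remoteip spec such as
# "10.0.1.2-100" or "10.0.1.2-10,10.0.1.20" (a range end is a last octet).
remoteip_count() {
    total=0
    for item in $(echo "$1" | tr ',' ' '); do
        case "$item" in
            *-*) lo=${item%-*}; lo=${lo##*.}; hi=${item#*-}
                 [ "$hi" -ge "$lo" ] 2>/dev/null && total=$((total + hi - lo + 1)) ;;
            *)   total=$((total + 1)) ;;
        esac
    done
    echo "$total"
}

# pptp_check PPTPD_CONF PPTPD_OPTIONS CHAP_SECRETS: print findings; return 1 if any.
pptp_check() {
    conf=$1; opts=$2; secrets=$3; findings=0

    listen=$(awk '$1 == "listen" { print $2 }' "$conf")
    if [ -n "$listen" ] && ! valid_ipv4 "$listen"; then
        echo "pptpd.conf: listen address '$listen' is not a valid IPv4 address"
        findings=$((findings + 1))
    fi

    remote=$(awk '$1 == "remoteip" { print $2 }' "$conf")
    if [ "$(remoteip_count "$remote")" -lt 1 ]; then
        echo "pptpd.conf: remoteip '$remote' gives clients no addresses"
        findings=$((findings + 1))
    fi

    # Every non-comment chap-secrets entry must carry this server's name (or "*").
    name=$(awk '$1 == "name" { print $2 }' "$opts")
    bad=$(awk -v n="$name" '$1 !~ /^#/ && NF >= 3 && $2 != n && $2 != "*" {
        printf "chap-secrets: user %s has server %s, but pptpd-options name is %s\n", $1, $2, n
    }' "$secrets")
    if [ -n "$bad" ]; then
        echo "$bad"
        findings=$((findings + $(echo "$bad" | wc -l)))
    fi

    if grep -Eq '^[[:space:]]*\+chapms[[:space:]]*$' "$opts"; then
        echo "pptpd-options: MS-CHAPv1 (+chapms) enabled; allow only +chapms-v2"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*mppe-40[[:space:]]*$' "$opts"; then
        echo "pptpd-options: 40-bit MPPE (mppe-40) enabled; use mppe-128 only"
        findings=$((findings + 1))
    fi

    if [ -n "$(find "$secrets" \( -perm -040 -o -perm -004 \))" ]; then
        echo "chap-secrets: readable by group/others; chmod 600 it (plaintext passwords)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# write_sample_config DIR: constructed copy of this page's configuration,
# plus a made-up user "Alice" whose server field is wrong, for a demo run.
write_sample_config() {
    printf 'localip 10.0.1.1\nremoteip 10.0.1.2-100\nlisten 300.300.100.100\n' \
        > "$1/pptpd.conf"
    printf 'name madcatServer\n+chapms\n+chapms-v2\nmppe-40\nmppe-128\nmppe-stateless\n' \
        > "$1/pptpd-options"
    printf '# client\tserver\tsecret\tIP addresses\nMadcat\tmadcatServer\tMyPwd\t*\nAlice\twrongServer\ts3cret\t*\n' \
        > "$1/chap-secrets"
    chmod 644 "$1/chap-secrets"
}

# Usage: sh pptp-check.sh --demo          (check the constructed sample above)
#        sh pptp-check.sh /etc/pptpd.conf /etc/ppp/pptpd-options /etc/ppp/chap-secrets
case "${1-}" in
    --demo) d=$(mktemp -d); write_sample_config "$d"
            pptp_check "$d/pptpd.conf" "$d/pptpd-options" "$d/chap-secrets"; rm -rf "$d" ;;
    ?*)     pptp_check "$1" "${2:-/etc/ppp/pptpd-options}" "${3:-/etc/ppp/chap-secrets}" ;;
esac
```

Run against the sample it reports five problems (the fake listen address, Alice's mismatched server name, +chapms, mppe-40 and the world-readable secrets file) and exits non-zero; run against a configuration that uses a real outside address, only +chapms-v2 and mppe-128, and a chap-secrets owned by root with mode 600, it prints nothing and exits zero. The server-name check is the one worth keeping around: a mismatch between the "name" option and the chap-secrets server column fails authentication without any obvious error on the Windows side.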
The server name must be the same as the one given by the "name" option in the options file (/etc/ppp/pptpd-options). Like this (change 'madcatServer' to whatever you specified as the server in chap-secrets):

    name madcatServer

!IP range of the VPN network

In the file /etc/pptpd.conf you can configure the IP range you would like for your tunnel. The localip is the tunnel address of your server, and the remoteip range is the pool of addresses handed out to clients. For example:

    localip 10.0.1.1
    remoteip 10.0.1.2-100
    listen 300.300.100.100

The listen address should be your outside address; here it is set to a deliberately fake one (300 isn't a valid octet, so this line can't be copied by accident). This way the tunnel IP of the server will be 10.0.1.1, and the first user who logs in on 300.300.100.100 with a password from /etc/ppp/chap-secrets will get 10.0.1.2, the second 10.0.1.3, etc.

!So how can I log in on my Windows XP Pro machine?

Start -> Settings -> Control Panel, go to Network Connections -> Create a new connection -> Next -> "Connect to the network at my workplace" -> VPN -> fill in a name for the connection -> you might get a question about automatically connecting; fill in what you like, but I prefer not to auto-connect -> fill in the IP of your server here, as specified in /etc/pptpd.conf as "listen" -> Finish.

If you did not get the encryption (mppe module) working, do this: go to Properties -> Security -> Advanced -> check CHAP and change data encryption to optional. You get a warning that it might be unsafe; to fix it, read the above. :) Leave encryption set to required once MPPE works, otherwise the client will happily bring up an unencrypted tunnel over the WLAN, which defeats the point of this HOWTO.

You also might need to disable LCP extensions to get it working: Networking -> Settings -> uncheck LCP extensions.

Now the fun part comes: creating the connection. Hit Connect and enter the user/password as specified in /etc/ppp/chap-secrets.

!Errors

Todo

!!TODO

I still need to add information about:

* /etc/pptpd.conf and /etc/ppp/chap-secrets (mostly done)
* Configuring Windows clients (mostly done)
* Errors explanation

Until then you can find out this information at [http://www.schumann.cx/wavelan/]

----
CategoryHowto