UbuntuHelp:VPNClient

From Ubuntu Chinese

Revision as of 11:22, 13 May 2007 (Sun) by Oneleaf (talk | contribs) (New page: {{From|https://help.ubuntu.com/community/VPNClient}} {{Languages|php5}} #format wiki #language en Parent page: Internet and Networking '''Connecti...)




Parent page: Internet and Networking



= Connecting to a VPN in Ubuntu =


Written for Ubuntu 6.10 (Edgy), i.e. running the Gnome desktop, by freeatlast (with apologies for inaccuracies; I'm no expert, please correct me freely... :). This document describes connecting to a VPN as a client - see UbuntuHelp:VPNServer for setting up the server end.


== QuickStart ==

If you're lucky, you'll be able to get connected using the instructions in this section. If not, the remainder of this document will walk you through the process in more detail, and hopefully will help you get sorted!

* Obtain your connection type (Microsoft PPTP, Cisco, OpenVPN) and authentication details from your VPN administrator.
* Install Network Manager Applet through Add/Remove in the Ubuntu menu.
* Install the plug-in for your connection type, one of network-manager-pptp, network-manager-vpnc (Cisco) or network-manager-openvpn (use Synaptic Package Manager or apt-get).
* Left click the network manager applet (two monitor screens one behind the other, probably in the bottom right of your screen) and select VPN Connections->Configure VPN->Add, then enter your connection details. There may be another icon that looks similar, which brings up a 'Connection Properties' dialog if you left click it - this is not the one you want. Reboot if the applet is not visible.
* Left click the network manager applet, select VPN Connections, then click on your connection to connect.
* If your new connection is greyed out and unselectable, or all you see is Manual Configuration...:
** Back up /etc/network/interfaces to /etc/network/interfaces.original.
** Delete all lines from /etc/network/interfaces that do not contain the string "lo" (leaving two lines, probably the first two, beginning auto and iface).
** Reboot.
* If the above step leaves you with no internet connection at all, restore the original file and reboot.



== Introduction to VPN ==

If you are familiar with VPN under Windows, you might still benefit from reading this section. If you are familiar with VPN and with the vagaries of how things work on modern computers (particularly on Linux), you can skip it. Certainly, if you want to cut to the chase, head for part 2!


=== What is VPN? ===

This section is very introductory, and if you know what a VPN is, you can skip it.

Many companies and universities (and some smug home users) run a 'local area network' (LAN) in their buildings, where many computers are connected together so that employees or students can share resources (printers, shared files, etc.). The people running these networks do not want the public (that is, the rest of the internet) to have access to their local network - they consider it 'private' - so they secure it. The outside world can then not 'see in' (though the people on the local network can generally see out!).

It is often the case, however, that the organisation will want its personnel to be able to 'see in' when they are out and about in the world - they may, for instance, need access to files they keep in their office. This is a textbook example of when the VPN comes in handy. VPN - 'virtual private network' - is a technology that allows a user physically outside the private network to bring themselves virtually inside it, thus gaining access to all of the resources that would be available were the user physically inside the network.

The organisation will run a server which listens on a particular address for personnel to call in and request access. The user (i.e., you) will run a VPN client on their own computer, which will call up the VPN server and ask to be allowed to connect. Assuming the user can provide a recognised username and password when challenged by the server, the server and client machines will then negotiate a secure (i.e. encrypted) channel between them. Once this channel is established, the two machines can talk to each other without fear of anyone overhearing what they are saying, and your company boss will then think it's ok for you to upload/download sensitive company data over this channel.

Typically, once this channel is established, all communications from and to your computer will go over it. Thus, you can use your computer as if you were at work. Note that this means that whatever you do on the internet, you are probably doing it via work - careful, now :D.

For more information, see http://en.wikipedia.org/wiki/VPN.



=== What are the parts of a VPN? ===

==== VPN Servers ====

The VPN Server is run by your organisation. You can run a UbuntuHelp:VPNServer on Ubuntu, of course, but that is completely the other end of the system from what we're talking about here.

There is more than one way to VPN - any system that can establish a secure channel between you and your workplace, and then route all your communications over that channel, constitutes a VPN. Naturally, several groups have designed VPN 'protocols'. The one you will want to use will depend on the type that your organisation uses, and to find that out you will have to ask your administrator. If you don't know offhand, but you do have your connection details, you might be able to ascertain the type of VPN protocol your organisation uses because the different types require different connection details. This page covers the following types:

* Microsoft aka PPTP (I think this is the most common?) requires host, username and password.
* Cisco aka VPNC requires host, group username and group password, as well as username and password.
* OpenVPN requires...
* IPSEC is not covered here.


==== VPN Clients ====

Once you have ascertained the VPN protocol you need to use, you'll need a client program to handle your end of the secure connection. For each protocol, there's a separate client program. I don't think any of these are included with a default Ubuntu install (???), but they are easy to install (instructions below).


==== VPN Management ====

The VPN client will run invisibly in the background, maintaining your end of the VPN connection - that is, it doesn't have any windows or anything helpful like that for you to communicate with it. However, you're going to have to interact with it to tell it your connection details, and to tell it when to connect and disconnect.

Under Windows (XP, at least), you could do this by using the 'Add New Connection' wizard, and choosing 'connect to my workplace (VPN)'. Under Ubuntu, automatic set-up of this sort is developing fast, but you may have problems. If you do, this page should help you to solve them. Currently, things are somewhat in flux, and one of several different approaches may suit your particular situation. We will review them all below, and they are listed in the order that you should try them.



=== Summary ===

Let's just take a breath and summarise this introduction - to get your VPN connection up and running, you're going to need (a) your connection details, supplied to you by Bob in IT, (b) a VPN client that matches the protocol your organisation uses, and (c) some way of managing that client. In the next part, we'll go through installing the bits you need, and configuring that connection. It can be tricky, so be ready to cry.



== Installing and managing VPN ==

For general information on how to install software in Ubuntu, look at UbuntuHelp:InstallingSoftware or [1]. All packages listed in the following are available through the usual routes for package management - those marked AM can be reached through the 'Add/Remove applet'; those marked SPM must be installed using 'Synaptic Package Manager' (or aptitude, apt-get). I'm not doing the installs as I write, so it may be that we need to indicate that particular repositories (or repository classes) are needed here - modify if you know so...


=== Installing a VPN client ===

There's no explicit harm in installing any of these you don't need, so if you're not sure for some reason which protocol you need, go ahead and install more than one. This part should be straightforward - if you encounter install problems, please post your error messages so this section can be updated.

* Microsoft aka PPTP client is packaged as pptp-linux (SPM) [2].
* Cisco aka VPNC client is packaged as vpnc (SPM).
* OpenVPN client is packaged as openvpn (SPM).



=== Configuring a connection (VPN Management) ===

==== Using System/Administration/Networking ====

(I don't know what this is really called, but you access it through System->Administration->Networking)

The native configuration manager for networking should be your first port of call, but currently does not support VPN connections (at least in a default Edgy install). This section will be expanded later (or if someone knows the state of play with this, sooner). For now, we move on.


==== Using Network Manager Applet ====

The Network Manager Applet (NM), an applet for the Gnome toolbar, has been created to make network management easy (it also puts management at your fingertips rather than forcing you to go off into the Administration section of your computer). One of the things it can do is manage VPN connections. It is packaged as Network Manager (AM) or nm-applet (SPM).

Once installed, it will appear somewhere on your screen, usually the bottom right corner - its icon is two computers one behind the other, or, if it's connected to wireless, a series of bars like a set of stairs. To configure a VPN connection, left click and select VPN connections->Configure VPN->Add. You will be offered a choice of protocols on the second page of the wizard that pops up, but you will be offered only the protocols for which you've installed the appropriate plugin, listed in the appropriate section below. Once you have configured a new VPN connection, it will be available through the VPN connections menu. Confused? You will need to install (i) the client for your protocol above, (ii) the NM applet itself, and (iii) the plugin for your protocol for the NM applet, from the list below.


* PPTP plugin is packaged as network-manager-pptp (SPM).
* VPNC plugin is packaged as network-manager-vpnc (SPM).
* OpenVPN plugin is packaged as network-manager-openvpn (SPM).


If items (particularly connections) are greyed out in NM's menu system, those connections may be managed by System/Administration/Networking. NM will not manage connections that are already managed by System/Administration/Networking. All connections listed in /etc/network/interfaces are managed by the system, so remove all lines referring to a particular connection to allow NM to manage it. I recommend you back up /etc/network/interfaces to /etc/network/interfaces.original, and then reduce its content to just the lines below, which allows the system to manage only the loopback (non-physical) interface. Note, however, that if you do this, the system will no longer manage your wireless connection, so if you end up with no internet at all, restore the original version of the file and reboot.

<pre>
auto lo
iface lo inet loopback
</pre>

I could not get NM to work with PPTP, and I cannot find where the logs are stored - I just get "failed to connect" or some such. This is a '''major omission''' from this page that needs fixing - where are those logs? On the other hand, setting up a Cisco connection was a breeze!

''REFERENCE INFORMATION'' '''nm-applet''' stores data in '''gconf''', and you can find its config files at '''~/.gconf/system/networking'''. Note that this is very different from where config files are stored for the remaining management options that follow, so the two things are quite separate. In fact, I never worked out how '''nm-applet''' invokes a VPN connection, so somebody needs to fill this out.




==== Using KVpnc ====

This third-party tool is designed for KDE, but will run fine under Gnome too (as will most KDE tools) - it is packaged as '''KVpnc''' (AM). Once installed, you may find that when you run it, it complains "cannot find su-to-root" or something like it - if so, it wants to be root, so run it with sudo or gksudo, e.g. open a terminal and enter '''sudo kvpnc'''.


''REFERENCE INFORMATION'' Configuration files are stored in '''/etc/ppp/peers''' and prefixed '''kvpnc'''. I think they are copied from existing VPN connection files in that folder (if present). In other words, you are managing the same thing that '''PPTPconfig''' and '''Manual''' manage.



==== Using PPTPconfig ====

Another third-party manager for the profiles stored in '''/etc/ppp/peers''', with its own idiosyncrasies - it is packaged as '''pptpconfig''' (SPM). It has the KDE look and feel, and needs to be run as root ('''sudo pptpconfig'''). I had mixed success with this tool.


==== Manually ====

If all else fails, go to manual, baby! The disadvantage is, you need to have a rough idea of how to get around your box. The advantage is, the best debugging and logging of any of the options. I got there in the end with this approach, and am now trying to move back up this list so I have the slickest interface possible.

To find out whether your internet traffic is being tunnelled, visit [http://whatsmyip.org] - if the IP you are presenting to the outside world belongs to your organisation, you are tunnelled.

'''Managing PPTP'''

NOTE: I don't know how the tools are packaged - perhaps they come with the VPN client '''pptp-linux'''?

Configuration files are stored in '''/etc/ppp'''. Connection profiles are stored in '''/etc/ppp/peers''', so you should start by generating a file in that folder called '''myvpn'''. If you can't do this using one of the tools above, the following might be a good starting point:

<pre>
# /etc/ppp/peers/myvpn - PPTP connection profile
remotename myvpn
linkname myvpn
ipparam myvpn
# run the pptp client on a pseudo-tty; pppd itself drives the link
pty "pptp <host> --nolaunchpppd"
# the username presented to the server (must match /etc/ppp/chap-secrets)
name <username>
# take DNS servers from the VPN server
usepeerdns
# insist on MPPE encryption; refuse EAP so that MS-CHAP[v2] is negotiated
require-mppe
refuse-eap
# do not require the server to authenticate itself to us
noauth

# adopt defaults from the pptp-linux package
file /etc/ppp/options.pptp
</pre>

You will also need an entry in the file '''/etc/ppp/chap-secrets''' to specify your, well, secrets! It should look like this (add it at the bottom)

<pre>
<username> myvpn <password> *
</pre>

You can then start the connection using the command '''pon myvpn nodetach''', and stop it with Ctrl+C. In fact, that command is a good one to put in a launcher on the toolbar (it must be an "Application in Terminal" type launcher).

Scripts in '''/etc/ppp/ip-up.d''' and '''/etc/ppp/ip-down.d''' are run on connection and disconnection, which gives you a chance to do routing using '''route''' or just log the state of things. Really, if you get as far as a script in /etc/ppp/ip-up.d actually triggering, you're probably basically there in any case so stop crying now. You might also be interested in '''/etc/resolv.conf''' where your '''current''' DNS is specified, and the commands '''ifconfig''' and '''netstat'''.


'''Managing VPNC'''

Configuration files are stored in '''/etc/vpnc''', which was protected to root on my installation so you might need to use '''sudo''' for all commands here. Copy '''example.conf''' to '''myvpn.conf'''

<pre>
sudo cp /etc/vpnc/example.conf /etc/vpnc/myvpn.conf
</pre>

and edit the new file to look like this:

<pre>
IPSec gateway <host>
IPSec ID <group username>
IPSec secret <group password>
Xauth username <username>
Xauth password <password>
</pre>

Note that you can leave out <password> if you want, and you will be prompted. Now, run '''vpnc-connect myvpn''' to start the connection - your output should look something like this:

<pre>
> vpnc-connect myvpn
Connect Banner:
| Welcome to
| <Your Organisation>
| 
| *** VPN Service ***
| 
| Your connection is now secure

VPNC started in background (pid: 7885)...
> vpnc-disconnect
Terminating vpnc daemon (pid: 7885)
</pre>

You can then connect/disconnect with the commands '''vpnc-connect myvpn''' and '''vpnc-disconnect myvpn'''.




'''Managing OpenVPN'''

No information.



== Extra credit: how VPN works ==

Don't expect this to be a work of technical brilliance, but I found my solution very quickly once I worked out what was going on under the hood, so I think a few words for those who are currently crying in frustration might be worthwhile. Please add more info, or correct me, techies.

=== Bringing up the 'tunnel' ===

Your client calls the VPN server over your normal connection (e.g. your wired or wireless link, eth0 or eth1). They negotiate authentication, so that each believes the other is who it claims to be. They exchange encryption information, and can then talk to each other over a narrow channel (a 'tunnel') without anyone else overhearing, by sending what they want to say to each other in encrypted packets. This is very interesting, but is useless until some other application wants to send data over this encrypted line. That works as follows.

=== Rerouting communications ===

When an application on your box asks linux to send a packet to some destination host (e.g. ubuntu.com), the following occurs:

* ubuntu.com is resolved to 82.211.81.166 by your DNS server, which is specified in /etc/resolv.conf
* linux (well, the kernel's TCP/IP stack, I expect) decides where to send that packet first by looking it up in the routing table - type '''route''' into a terminal to see the table
* typically, it is routed to your primary interface (NIC) first. That interface passes it on, probably to your router; the router then probably sends it to your modem, which passes it up to your ISP. From there, it's anybody's guess, but the game continues, route by route by route, until it (hopefully) reaches the server at ubuntu.com.

Note, you can test name resolution (ubuntu.com -> 82.211.81.166) by typing '''ping ubuntu.com''' at the terminal prompt. You can test packet routing by executing '''tracepath ubuntu.com''' (your mileage may vary).

Once a VPN tunnel has been established, the above process will carry on unaffected, unless packets are re-routed over the new tunnel. This is done by adding an entry to your routing table, pointing (often all) packets at your tunnel, your point-to-point interface, probably '''ppp0'''. Now, when an application asks linux to send a packet to 82.211.81.166, linux routes it to ppp0. ppp0 encrypts it and readdresses it, so it now gets sent to the VPN server (via the usual non-tunnel route, eth1 or whatever). When the VPN server receives it, it decrypts it to extract the original packet, and sends it off into its private network (do you see how we just went over the tunnel there?). Hence, if you now ask for ubuntu.com in your browser, the request goes...

* ppp0 (your end of the VPN tunnel), encryption into a container packet, and readdress to your VPN server.
* eth0/1, off into the internet as usual.
* reaches the VPN server, decryption, and back to its original address, ubuntu.com.
* off into the private network.
* out into the internet again, to ubuntu.com.

=== Notes ===

* Your VPN can connect/disconnect successfully, and have no effect on how the rest of your communications function, unless traffic is routed over the VPN (tunnel).
* Bringing up the VPN, thus, involves both establishing that secure link, and doing the appropriate re-routing.
* You can add/remove routes in script using '''route add''' and '''route del'''.
* You can have scripts run automatically as a connection (e.g. VPN) is brought up and down by placing them in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d
* You can check the current route table by typing '''route''' in a terminal.
* The connection client may re-route automatically unless you tell it not to (pon has an option nodefaultroute, I think).
* (this happened to me) If you route all traffic over the tunnel once the VPN connection is up, even your encrypted packets will get routed over the tunnel. Thus, your original packet A will get encrypted into A*, and sent over the tunnel, encrypted into A**, sent over the tunnel, etc... (see below under 'Packet recursion').
* Thus, a typical route table after connection of the VPN will have traffic sent over the tunnel by default, unless it's headed for your VPN server, in which case it's routed straight to your interface card (e.g. eth1).
* More advanced routing is possible, with some traffic going over the tunnel, and some going out as usual, but this is not covered here.
* Let's face it, we've barely covered routing at all, but I just wanted to give some hints... :)
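The route-table shape these notes describe (default route over the tunnel, a host route for the VPN server kept on the physical interface) as a script in the style of /etc/ppp/ip-up.d. This is an added example, not part of the original page; the server address, gateway and interface names are assumed inputs, and nothing touches the live routing table unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original page): plans the route changes an
# /etc/ppp/ip-up.d script would make once ppp0 is up.  The order matters:
# the host route for the VPN server is added BEFORE the default route is
# switched, otherwise the tunnel's own packets get fed into the tunnel
# (the "packet recursion" failure described in Troubleshooting).
# Assumptions (constructed): SERVER, GATEWAY, PHYS_IF and TUN_IF are given
# as arguments; the real table is only changed when APPLY=1.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# vpn_route_plan SERVER GATEWAY PHYS_IF TUN_IF
# Prints the route commands for ip-up, one per line, in the order they must
# run.  Returns 1 and prints nothing if an address is malformed.
vpn_route_plan() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    # 1. pin the VPN server to the physical path while the old default is intact
    echo "route add -host $1 gw $2 dev $3"
    # 2. only now move the default route onto the point-to-point interface
    echo "route del default gw $2 dev $3"
    echo "route add default dev $4"
}

# vpn_route_undo SERVER GATEWAY PHYS_IF TUN_IF -> the inverse, for ip-down.d.
vpn_route_undo() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    echo "route del default dev $4"
    echo "route add default gw $2 dev $3"
    echo "route del -host $1 gw $2 dev $3"
}

# When pppd runs a script from /etc/ppp/ip-up.d it passes the ppp interface
# as $1 (ppp0 here) and the ipparam from the peers file (myvpn above) as $6.
# VPN_SERVER, ORIG_GW and ORIG_IF are assumed to come from the environment,
# e.g. a small settings file sourced by the real script.
if [ "${APPLY:-0}" = 1 ]; then
    vpn_route_plan "$VPN_SERVER" "$ORIG_GW" "$ORIG_IF" "${1:-ppp0}" |
    while read -r cmd; do
        echo "$cmd"        # leaves a trace of what was done, as the page suggests
        sh -c "$cmd"
    done
fi
```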





== Troubleshooting ==

* [http://pptpclient.sourceforge.net/howto-diagnosis.phtml] is a great troubleshooting guide for the PPTP client ''pptp-linux'', if you installed it above and it is refusing to connect. The associated website is the source of all that is truly known about this client.

* '''MPPE required, but MS-CHAP[v2] auth not performed''' in debug log messages from '''pon'''
** Your authentication data is missing from the file /etc/ppp/chap-secrets
*** Use pptpconfig to correct this, by trying to connect, entering your data and asking it to store it
*** Enter a new line in /etc/ppp/chap-secrets reading "username connname password-plaintext *"

* '''Packet recursion'''
** Symptoms - client appears to connect, but VPN does not work (you can't access private resources), and it probably disconnects shortly after connection (30-120 seconds).
** Test for packet recursion - open a terminal, and while the connection is 'up', type 'ifconfig' 3 or 4 times. If you are suffering packet recursion, one of your listed interfaces (probably ppp0) will show 'TX bytes' increasing rapidly on each call to ifconfig (megabytes per second).
** Cause - packets are being routed back on themselves, and so a single packet is looping round and round through the same interface.
** See [http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lots_of_data].
** This is caused because VPN traffic (which should go raw to the VPN server, rather than over the tunnel) starts going through the tunnel once it is established. This is stupid, since it is this traffic that carries the tunnel, so it can't actually go through the tunnel - see 'how it works'.

* '''Cannot determine ethernet address for proxy ARP'''
** This message occurs during PPTP connection but does not indicate a problem - do not worry about it.
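The 'Packet recursion' test above (running ifconfig repeatedly and watching TX bytes climb on ppp0) as a script: an added example, not part of the original page, that reads the transmit counter out of /proc/net/dev snapshots. The two snapshots below are constructed, and the 1 MB/s threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): flags an interface whose TX
# byte counter grows faster than a threshold between two /proc/net/dev
# snapshots, i.e. the "megabytes per second on an idle tunnel" symptom.

# tx_bytes PROC_NET_DEV_TEXT IFACE -> prints the TX bytes counter of IFACE
# (9th number after the colon in /proc/net/dev); prints nothing if absent.
tx_bytes() {
    printf '%s\n' "$1" | awk -F: -v ifc="$2" '
        { name = $1; gsub(/ /, "", name) }
        name == ifc { n = split($2, f, " "); print f[9] }'
}

# tx_rate IFACE SAMPLE1 SAMPLE2 SECONDS -> prints bytes per second sent on
# IFACE between the two samples.  Returns 1 if IFACE is missing from either.
tx_rate() {
    a=$(tx_bytes "$2" "$1"); b=$(tx_bytes "$3" "$1")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    echo $(( ($b - $a) / $4 ))
}

# recursion_suspected IFACE SAMPLE1 SAMPLE2 SECONDS [THRESHOLD_BPS]
# Returns 0 (true) when the TX rate exceeds the threshold (default 1 MB/s,
# an assumption based on the page's "megabytes per second" symptom).
recursion_suspected() {
    rate=$(tx_rate "$1" "$2" "$3" "$4") || return 2
    [ "$rate" -gt "${5:-1000000}" ]
}

# Constructed /proc/net/dev snapshots one second apart: ppp0 sends ~40 MB
# while eth1 moves only a few KB, the pattern of a packet loop.
SAMPLE_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth1: 1200000    1500    0    0    0     0          0         0   300000     900    0    0    0     0       0          0
  ppp0:    2000      20    0    0    0     0          0         0  1000000   12000    0    0    0     0       0          0'
SAMPLE_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth1: 1203000    1504    0    0    0     0          0         0   304000     905    0    0    0     0       0          0
  ppp0:    2000      20    0    0    0     0          0         0 41000000  500000    0    0    0     0       0          0'

# Live use on a real box (LIVE=1 sh recursion-check.sh ppp0): take two real
# snapshots one second apart instead of the constructed ones.
if [ "${LIVE:-0}" = 1 ]; then
    ifc=${1:-ppp0}
    s0=$(cat /proc/net/dev); sleep 1; s1=$(cat /proc/net/dev)
    if recursion_suspected "$ifc" "$s0" "$s1" 1; then
        echo "$ifc: TX $(tx_rate "$ifc" "$s0" "$s1" 1) B/s - packet recursion likely"
    else
        echo "$ifc: TX rate normal"
    fi
fi
```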

[[category:UbuntuHelp]]