This document describes how to configure masquerading of IPsec and PPTP VPN traffic. SSH-based VPNs (such as that sold by F-Secure and outlined in the VPN mini-HOWTO) are based on standard TCP traffic and do not need any special kernel modifications.
VPN Masquerade allows you to establish one or more IPsec and/or PPTP sessions to internet-accessible VPN servers via your Linux internet firewall without forcing you to connect to your ISP directly from the VPN client system - thus retaining all of the benefits of your Linux internet firewall. It also allows you to set up a VPN server with a Private Network IP address (as described in RFC1918) behind a masquerading Linux firewall, permitting you to provide relatively secure access to a private network via only one registered IP address - even if that IP address represents a dynamic dial-up link.
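As an added illustration (not part of this HOWTO or of its kernel patch) of why IPsec and PPTP need masquerading support that a TCP-based VPN does not: ordinary IP masquerading rewrites the source address and allocates a distinct source port per session, which presupposes a TCP or UDP port field. ESP (IP protocol 50) and the PPTP data channel, which is GRE (IP protocol 47), carry no ports; the nearest per-session identifiers are the ESP SPI and the call ID in the RFC 2637 "enhanced GRE" key field, and those are the fields a VPN-aware masquerader would have to track instead. The packets below are constructed by hand for the example, and the parser reads only the header fields needed to make that decision.

```python
"""
Added example, not from the VPN Masquerade HOWTO: classify IPv4 packets by the
field a masquerading firewall could use to tell sessions apart.

Assumptions (labelled): headers are built here by hand, IPv4 has no options in
the ESP/GRE cases we care about (ihl is honoured anyway), and only the session
selector is parsed, not the full protocol.
"""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_GRE_PROTO = 0x880B   # RFC 2637: protocol type carried in PPTP's GRE header
GRE_K = 0x2000            # RFC 2637: "key present" flag in the first GRE halfword


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (20 bytes, no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_udp_payload(sport, dport):
    """Only the first four bytes (ports) matter for masquerading; rest is padding."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def esp_payload(spi, seq=1):
    """ESP header: 32-bit SPI, 32-bit sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def gre_payload(flags_ver, ptype, key=b""):
    """Generic GRE: flags/version halfword, protocol type, optional key field."""
    return struct.pack("!HH", flags_ver, ptype) + key


def pptp_gre_payload(call_id, payload_len=0):
    """RFC 2637 enhanced GRE: K set, version 1, key = payload length || call ID."""
    return gre_payload(GRE_K | 1, PPTP_GRE_PROTO, struct.pack("!HH", payload_len, call_id))


def session_selector(pkt):
    """
    Return the per-session identifier a masquerader could key a table on:
      ("port", sport, dport) for TCP/UDP,
      ("spi", spi)           for ESP,
      ("callid", call_id)    for PPTP's GRE data channel,
      None                   for anything else (e.g. plain GRE without a key).
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("port", sport, dport)
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", l4[:4])[0]
        return ("spi", spi)
    if proto == IPPROTO_GRE:
        flags_ver, ptype = struct.unpack("!HH", l4[:4])
        if (flags_ver & 0x7) == 1 and ptype == PPTP_GRE_PROTO and flags_ver & GRE_K:
            call_id = struct.unpack("!H", l4[6:8])[0]
            return ("callid", call_id)
        return None
    return None


def plain_masquerade_can_handle(pkt):
    """Stock port-based masquerading only works when there is a port to rewrite."""
    sel = session_selector(pkt)
    return sel is not None and sel[0] == "port"


if __name__ == "__main__":
    # Constructed sample traffic from a private-IP client to a VPN server.
    samples = {
        "ssh-vpn (tcp)": build_ipv4(IPPROTO_TCP, "192.168.1.10", "10.0.0.1", tcp_udp_payload(1025, 22)),
        "ipsec esp":     build_ipv4(IPPROTO_ESP, "192.168.1.10", "10.0.0.1", esp_payload(0x12345678)),
        "pptp gre":      build_ipv4(IPPROTO_GRE, "192.168.1.10", "10.0.0.1", pptp_gre_payload(7)),
        "plain gre":     build_ipv4(IPPROTO_GRE, "192.168.1.10", "10.0.0.1", gre_payload(0, 0x0800)),
    }
    for name, pkt in samples.items():
        print(f"{name:14s} selector={session_selector(pkt)} "
              f"plain_masq_ok={plain_masquerade_can_handle(pkt)}")
```

The SSH-based VPN packet is the only one a stock masquerading kernel can multiplex on; the ESP and PPTP packets have a usable session identifier, but it is not a port, which is the gap the VPN masquerade patch exists to fill.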
It is strongly recommended that you understand, configure and test regular IP Masquerading before you attempt to set up VPN masquerading. Please see the IP Masquerade HOWTO and the IP Masquerade Resource page at http://ipmasq.cjb.net/ before proceeding.
The patch for the 2.0.x-series kernels works well on Linux kernel version 2.0.36, has been incorporated into the 2.0.37 release, may work on versions earlier than 2.0.36, and should work on Linux kernels up to about version 2.1.102. The IP masquerade code in the kernel was restructured at about version 2.1.103, requiring a different patch for the 2.1.105+ and 2.2.x series of kernels. A patch is available for kernels from 2.2.5 to 2.2.12, and it may work on earlier kernels.
Please feel free to send any feedback or comments regarding this document to me at <jhardin@wolfenet.com>.
I personally have experience with masquerading a MS NT-Server-based PPTP client, configuring a registered-IP PPTP server, and using PPTP for network-to-network routing. The information on masquerading a Private-IP PPTP server is from discussions with Len Bayles <len@isdi.com>, Simon Cocking <simon@ibs.com.au> and C. Scott Ananian <cananian@lcs.mit.edu>.
The current version of this document can be found at ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-Masquerade.sgml - it and other formats (such as HTML) can be found via the Linux Documentation Project's HOWTO repository and in the /usr/doc/HOWTO/ directory on your nearest Linux system.
The home page for the Linux VPN Masquerade kernel patch is http://www.wolfenet.com/~jhardin/ip_masq_vpn.html
The home page for the PPTP-only Masquerade kernel patch for the 2.1.105+ and 2.2.x kernel series is http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html.
The home page for the ipportfw port-forwarding kernel patch and configuration tool is http://www.ox.compsoc.org.uk/~steve/portforwarding.html.
The home page for the ipfwd generic IP redirector is http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.
Profuse thanks to Gordon Chaffee <chaffee@cs.berkeley.edu> for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. The patch is available at http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz
More thanks to Steve Chinatti <chinatti@alumni.Princeton.EDU> for contributing his original IPsec masquerade hack, from which I shamelessly stole some very important ideas...
More information on setting up firewall rules to run automatically - including how to automatically use the correct IP address in a dynamic-IP environment - can be found at http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html
The home page for Linux FreeS/WAN (IPsec for Linux) is http://www.xs4all.nl/~freeswan
The home page for the Linux PPTP project is http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP and a patch to add PPTP server capability is available at http://debs.fuller.edu/cgi-bin/display?list=pptp&msg=222
A second Linux PPTP server called PoPToP is available at http://www.moretonbay.com/vpn/pptp.html
Paul Cadach <paul@odt.east.telecom.kz> has made patches that add MS-CHAP-v2, MPPE and Multilink support to Linux pppd. See ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz for MS-CHAP and MPPE, and ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz for Multilink.
This document is copyright © 1999 by John D. Hardin. Permission is granted to redistribute it under the terms of the GNU General Public License.
The information presented in this document is correct to the best of my knowledge. IP Masquerading is experimental, and it is possible that I have made a mistake in writing or testing the kernel patch or composing the instructions in this document; you should determine for yourself if you want to make the changes outlined in this document.
THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT. BACK UP ANY AND ALL CRITICAL INFORMATION BEFORE IMPLEMENTING THE CHANGES OUTLINED IN THIS DOCUMENT. MAKE SURE YOU HAVE A WORKING, BOOTABLE KERNEL AVAILABLE BEFORE PATCHING AND RECOMPILING YOUR KERNEL AS OUTLINED IN THIS DOCUMENT. In other words, take sensible precautions.