http://www.attackprevention.com


Date Submitted: 05/09/05

HOWTO: Configure VPN Access to a System with One Interface



Added by Papergrl

By: Sojournist

Virtual Private Networking provides organizations with a low-cost, high-bandwidth, very secure method of giving external users access to internal resources. With VPN technology, not only is all traffic between the client and the server encrypted, the kind of traffic passing is hidden as well. FTP traffic, HTTP traffic, and ICMP pings, for example, all look the same to anyone watching the transmission, because encapsulating every packet hides its source and destination ports. The only things an eavesdropper can tell from monitoring the traffic are the source and destination IP addresses and the tunnel protocol used.

This article will discuss how to configure a VPN solution from any Internet client to a single Windows machine. VPN servers typically route traffic onto an internal subnet, requiring one interface for WAN and one interface for the LAN.

WHAT IS A VPN
A virtual private network uses tunneling and encryption to allow all traffic to pass across open, public networks, but guarantees the confidentiality and integrity of the transmissions. In other words, even knowing that traffic passing through the Internet can be intercepted and reconstructed packet-by-packet, VPN technology ensures that there is no feasible method for an attacker to ascertain the data in the packets, or even what protocols were used in the transmission. VPN traffic is also immune to data tampering in transit via digital signatures stamped on each packet. Modified or injected packets are dropped at the VPN server.

Not only are VPN solutions secure, they are also cheap. Remote access can take advantage of a client’s primary Internet connection. There are no long distance charges for using the Internet. And a home user’s cable modem can achieve speeds well above the capabilities of a dial-up client.

VPN servers accept connections from Internet users and, after authentication, route the packets onto the internal network in plain text. Responses from the internal network are encrypted by the VPN server and returned to the VPN client in the encrypted tunnel. At all times that packets are visible on the Internet, they are tunneled and encrypted.

VPN servers usually require two network interfaces, one WAN connection that accepts remote user connections, and one internal connection to relay packets onto the intranet. How then could we use tunneling and encryption for secure remote access to a single host, say our home PC?

CHEATING TO USE A SINGLE NETWORK ADAPTER
Creating a VPN Server on Windows will require enabling Routing and Remote Access Service (RRAS). This service will not start unless you have at least two network connections. The purpose of RRAS is to pass packets between IP subnets. It basically turns your Windows workstation or server into a router. Normally, when you have only one network interface, any attempt to enable the service will fail.

To get around this requirement, a “virtual” network adapter can be installed. This software-based NIC is called the Microsoft Loopback Adapter. To install the Loopback Adapter, follow the instructions below. This step-by-step, like all the others in this article, follows the wizards and consoles installed in Windows 2000. The wizards and tools on Windows XP Pro and Server 2003 are similar, and the instructions below provide enough information to configure them on those operating systems with very little modification.

Follow these instructions to install the virtual adapter:

  • In the Control Panel, double-click the Add/Remove Hardware icon. This launches the Add/Remove Hardware Wizard.
  • On the “Welcome to the Add/Remove Hardware Wizard” page, click Next.
  • On the “Choose a Hardware Task” page, click Next, accepting “Add/Troubleshoot a device”.
  • This will display a page labeled “New Hardware Detection.” The wizard will pause while searching for uninstalled hardware. Be patient and let it fail to see anything new.
  • When hardware detection fails, the “Choose a Hardware Device” page will appear. Select “Add a new device” from the list and hit Next.
  • On the “Find New Hardware” page, select “No, I want to select the hardware from a list”.
  • Select “Microsoft” from “Hardware Manufacturers:” and “Microsoft Loopback Adapter” from “Network Adapters:”, then click Next.
  • On the “Start Hardware Installation” page, click Next.
  • On the “Completing the Add/Remove Hardware Wizard” page, click Finish.

This will create the additional network connection that you need to turn on RRAS. Right-click on My Network Places and select Properties. The last adapter listed, probably named Local Area Connection 2, will now be available. Rename this connection “Loopback” in order to easily differentiate it from your real network interface card.

An IPCONFIG will show that the interface has assigned itself an IP address on the 169.254.0.0 subnet. This is the address space set aside for DHCP clients that cannot retrieve addressing information from a server. Leave it as default, as there isn’t actually a network connected to the virtual adapter.

ENABLING AND CONFIGURING VIRTUAL PRIVATE NETWORKING
Now that our system has two adapters, we can turn on Windows Routing and Remote Access Service. This service has to be running in order for the workstation or server to NAT connections, route (using static routes, RIP or OSPF), accept dial-up connections and act as VPN tunnel endpoint. The last feature is what we’re shooting for.

  • Open the Routing and Remote Access tool. It can be found by navigating: START > Programs > Administrative Tools > Routing and Remote Access.
  • If necessary, expand Routing and Remote Access.
  • Right-click on the name of your machine and click “Configure and Enable Routing and Remote Access.” This starts the Routing and Remote Access Server Setup Wizard.
  • On the “Welcome to the Routing and Remote Access Server Setup Wizard” page, click Next.
  • On the “Common Configurations” page, choose “Remote Access Server” and click Next. While we are really going to create a VPN server, we are not going to choose “Virtual private network (VPN) server” from the wizard. Choosing VPN will automatically create 128 L2TP ports and 128 PPTP ports on the server. Our intent is to allow only one concurrent connection, not 256. Choosing “Remote Access Server” will create 5 of each VPN port by default.
  • On the “Client Remote Protocols” page, verify that “TCP/IP” is listed and click Next.
  • On the “Network Selection” page, choose your real network adapter, NOT the Loopback adapter, and hit Next.
  • On the “IP Address Assignment” page, choose “Automatically” and click Next.
  • On the “Managing Multiple Remote Access Servers” page, select “No, I don’t want to set up this server to use RADIUS now,” and click Next.
  • On the “Completing the Routing and Remote Access Server Setup Wizard” page, click Finish.

This will turn on RRAS on your workstation or server. The red down-arrow on the graphic of your server in the Routing and Remote Access console will change to a green up-arrow to signify that the service is running and ready to accept incoming connections.

Navigate to the Ports in the RRAS utility. You will see five PPTP ports, five L2TP ports and any hardware devices capable of supporting RRAS, such as modems. PPTP is Point-To-Point Tunneling Protocol. L2TP is Layer 2 Tunneling Protocol. Both perform the same function. They encapsulate traffic, and by using an underlying encryption algorithm, encrypt it. Of the two, L2TP with IPSec is the stronger security. PPTP with Microsoft Point-To-Point Encryption (MPPE) is weaker security, but is more interoperable with legacy operating systems and network infrastructures. Of the two, PPTP is probably the better choice for a generic implementation because it works through NAT. L2TP does not work through NAT for Windows 2000 and earlier, and can only tunnel through NAT on Windows XP and Server 2003 with additional software.

If you want to allow five concurrent connections via each protocol, you can keep the default ports. If you want only one connection at a time supported, delete all the L2TP ports and all but one of the PPTP ports.

ENABLING USERS TO CONNECT THROUGH VPN
Once RRAS is configured, your host is ready to accept VPN connections; however, until you deem otherwise, the default rule is that everyone is denied remote access. To give your account the ability to remotely connect via VPN, you must change the properties on the local account:

  • Right-click on “My Computer” and click “Manage”
  • Expand System Tools
  • Expand Local Users and Groups
  • Click on Users
  • Right-click on your user account and click “Properties”
  • Click on the “Dial-in” tab
  • Under “Remote Access Permission (Dial-in or VPN)” select “Allow access” and click OK.
  • Close Computer Management

CREATE THE VPN CLIENT CONNECTION
At this point, your VPN server is running and waiting for connections. Your user account has permission to connect from anywhere in the world. Now that the server is up, it is time to configure the client.

On the machine from which you will be making the VPN connection, do the following:

  • Right-click on My Network Places and click Properties.
  • Double-click Make a New Connection
  • Select Connect to Private Network through the Internet
  • IF YOU ARE CONNECTING FROM A MACHINE THAT USES DIAL-UP:
    • On the Public Network page, select “Automatically dial this initial connection:” and choose your dial-up connection from the drop-down.
  • IF YOU HAVE A PERSISTENT INTERNET CONNECTION:
    • On the Public Network page, select “Do not dial the initial connection”.
  • For Destination Address, type the IP address or DNS name of your VPN server.
  • For Create this connection: decide whether the connection is For all users or Only for myself.
  • On the Internet Connection Sharing page, click Next without checking the box. (This is a single-NIC configuration, after all.)
  • On the “Completing the Network Connection Wizard” page, change the connection name if desired, hit Finish, and add a shortcut to the desktop if desired.

CONNECTING TO YOUR VPN SERVER
This is the easy part. Double-click your VPN connection. When prompted, enter your username and password. Your connection will be registered on the network and you will be securely connected to the host. A connection icon will show in the system tray on the lower right of the screen. To break the connection, right-click the connection and choose “Disconnect.”

CONNECTING TO YOUR VPN SERVER THROUGH A ROUTER/FIREWALL
If your router or firewall does not support VPN internally, you can still complete a VPN connection directly to your host behind it. On the router, forward TCP port 1723 to the host. Allow Generic Routing Encapsulation (GRE) Protocol 47 if necessary.

On a firewall, allow TCP port 1723 in both directions. Allow GRE protocol 47 in both directions.

The beauty of VPN is really noticeable when you look at the simple firewall rules above. That one port allows any service, any protocol, to pass from the client to the server. FTP, Telnet, SMTP, LDAP—every protocol and port is TUNNELED through the VPN. The original packet is encapsulated in PPTP. It is not until it arrives at the VPN server and the original packet is unwrapped and decrypted that the source and destination ports are discovered. This is how even when every packet is captured, it is not possible to tell what kind of connection is inside the tunnel. Every packet looks exactly the same. It is from the source IP, port 1723 to the destination IP, port 1723.
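As an added illustration (not code from the original article), the following Python packet classifier shows what a monitor sitting between the client and the VPN server can actually observe about a PPTP session: the control channel on TCP 1723 exposes its endpoints and ports, while the tunnelled traffic, carried in GRE (protocol 47) as the firewall rules above require, exposes only the endpoints and the fact that it is a PPTP tunnel. The addresses and packets are constructed sample data, and the "encrypted PPP frame" is opaque filler standing in for a tunnelled FTP segment.

```python
import struct
from ipaddress import IPv4Address

PPTP_CONTROL_PORT = 1723           # PPTP control channel (the TCP port forwarded above)
IPPROTO_TCP, IPPROTO_GRE = 6, 47   # GRE protocol 47 carries the tunnelled PPP frames
GRE_PPP = 0x880B                   # GRE protocol type for PPP (enhanced GRE used by PPTP)

def classify(packet: bytes) -> dict:
    """Report what an observer between client and VPN server can see in one raw
    IPv4 packet: endpoints, tunnel protocol, and (control channel only) ports."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    seen = {"src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20])), "kind": "other"}
    payload = packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        seen["ports"] = (sport, dport)
        if PPTP_CONTROL_PORT in (sport, dport):
            seen["kind"] = "pptp-control"
    elif proto == IPPROTO_GRE and len(payload) >= 4:
        _flags, gre_proto = struct.unpack("!HH", payload[:4])
        if gre_proto == GRE_PPP:
            # The PPP frame behind the GRE header is MPPE-encrypted, so the
            # original IP header, and therefore its ports, cannot be read here.
            seen["kind"] = "pptp-data"
    return seen

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum left zero; constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample packets; the addresses are hypothetical, not from the article.
CLIENT, SERVER = "203.0.113.10", "198.51.100.5"
CONTROL_SYN = ipv4(IPPROTO_TCP, CLIENT, SERVER,
                   struct.pack("!HHIIBBHHH", 49152, 1723, 1, 0, 0x50, 0x02, 8192, 0, 0))
# Enhanced GRE header: flags K|S, version 1, proto 0x880B, payload length, call ID,
# sequence number, then an opaque (encrypted) PPP frame of 8 filler bytes.
DATA_FRAME = ipv4(IPPROTO_GRE, CLIENT, SERVER,
                  struct.pack("!HHHHI", 0x3001, GRE_PPP, 8, 7, 42) + bytes(range(8)))

if __name__ == "__main__":
    for pkt in (CONTROL_SYN, DATA_FRAME):
        print(classify(pkt))
```

Run against a real capture, the same logic lets you inventory which hosts terminate PPTP tunnels on your network without seeing inside them.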

Tunneling and encryption, the cornerstones of VPN protect the privacy of all the sessions between the endpoints.

WHERE DO I GO FROM HERE?
This article described how to VPN into a single host, without routing the packets onto a subnet. Can you use your VPN server to protect traffic to and from your entire office or home network? Actually, it is easier to deploy a VPN tunnel server than the single-interface model we described above.

Remember that Microsoft Loopback Adapter? Install a second network adapter and skip that part. The VPN interface is your public adapter. The network interface on the internal network is your private adapter. Change the default gateway on all of the hosts on your subnet to the internal network adapter’s address. Your server will route all LAN traffic through the server out the public interface and onto the Internet. All incoming VPN connections will tunnel through the server onto the LAN.

Do you have a dynamic address but still want to be able to VPN regardless of its current address? Check out DYNDNS.ORG for a free Internet DNS name that will map to your current IP address.

VPN is secure and cheap. And it is not a technology exclusively in the hands of corporations with expensive hardware and teams of administrators. Just don’t tell anyone that it’s this easy. The salaries of those glorified VPN architects and administrators might actually drop!





Copyright 2008 AttackPrevention