Setting Up a VPN

Published on April 2017

VPN Setup for Routers - Getting it to work with an IPSec Client
Technical Summary: This article will show how to set up a broadband router that has IPSec VPN capabilities for secure remote access to your home network from anywhere on the Internet. Detailed configuration will be shown for multiple brands of routers. The IPSec VPN client will be SSH Sentinel, since it is free for non-commercial use.

How many times have you been at a friend's house or at work and said, 'Gosh, I wish I could get at that file on my hard drive at home'? With a broadband Internet connection and a shiny new 'VPN Router', you can connect to your home network over the Internet from anywhere on the planet SECURELY. This article will show you how.

Our goal will be to establish an IPSec VPN connection from somewhere on the Internet to your home network. In addition, the remote computer will be able to mount network file shares (and printers too!) located on the home network.

Possible Uses
You can connect to your home hard drive:
• From work
• From a friend's house
• From your laptop while on the road
You could also allow your friends and relatives access to your network over the Internet. That makes file sharing especially easy!

Equipment Needed
1 solid broadband connection to your home (preferably with a static IP address)
1 VPN broadband router (about $150-$300)
1 copy of SSH Sentinel (free for non-commercial use!)

Most of the consumer-level VPN routers operate just about the same way because they all licensed the same IPSec code. The only differences are the number of simultaneous 'VPN Tunnels' they support and how many different 'VPN Profiles' they support at once. They also have the same performance levels: 500kbps to 700kbps maximum IPSec throughput.

A 'VPN Tunnel' is simply an IPSec VPN connection in this case. Each remote computer connecting to your home network is one VPN Tunnel. A 'VPN Profile' is a set of parameters that define how your router will connect to other VPN end points. Some routers support multiple profiles, making it easy to use one profile for connecting to your work Intranet 'and' another for dialing in from the road.

Configuration Overview
In this example, we will be working with two computers and a VPN router. Throughout the screen shots and the rest of the article, I will refer to the following IP addresses. Please write them down or print them for reference; it will help you understand the rest of the article.
Home WAN IP: 24.60.60.100 (from your ISP)
Home LAN Router IP: 192.168.100.1
Home LAN IP Network: 192.168.100.0, Subnet 255.255.255.0
Computer on Home LAN: 192.168.100.2
Remote (friend's) computer on the Internet: 24.60.60.200

Notes about Your IP Configuration
It is wise to change the IP schema of your home network from the default your router configures. This will aid you in connecting multiple networks together, especially two VPN routers of the same brand. Often the default IP schema is 192.168.1.0/255.255.255.0. All you need to do is change the second-from-last number (octet) to something higher than 2 and less than 255. In this example, I made my LAN 192.168.100.0/255.255.255.0. This step is not totally necessary, but it could save you some routing headaches later.

It is also wise to convert your computers over to STATIC IP addresses instead of dynamic IP addresses. If your computers have dynamic IP addresses, you will not know the IP address of the computer you want to connect to from the road. One day it might be .2, the next day it might be .5. Again, this is not necessary, but it will save you headaches later.

Static IP Schema Example
LAN Computer 1
IP Address: 192.168.100.51
Subnet: 255.255.255.0
Gateway: 192.168.100.1 (router address)
DNS: 192.168.100.1 (router address again)
LAN Computer 2
IP Address: 192.168.100.52
Subnet: 255.255.255.0
Gateway: 192.168.100.1 (router address)
DNS: 192.168.100.1 (router address again)
etc...

VPN Router Tutorial - Getting it to work with an IPSec Client
Part 4: Routing Traffic across the VPN
We are ALMOST finished with the configuration process. The last thing we need to do is tell the client computer to route the correct traffic through the VPN connection.

IP Schema Review
Home WAN IP: 24.60.60.100 (from your ISP)
Home LAN Router IP: 192.168.100.1
Home LAN IP Network: 192.168.100.0, Subnet 255.255.255.0
Computer on Home LAN: 192.168.100.2
Remote (friend's) computer on the Internet: 24.60.60.200

Let's Get To It
Version 1.3 users will need to activate the VPN connection by right-clicking the SSH Sentinel taskbar icon, selecting Select VPN and then selecting the VPN connection you created. 1.3 users will get an error message if the connection fails. Version 1.2 users will activate the VPN connection with a PING once we set up the routing.

Routing
From a command prompt (DOS shell) type (with a home LAN computer IP address):
PING 192.168.100.2
You should see a 'Destination unreachable' message. This is because the REMOTE computer does not know how to get to the private network 192.168.100.0. Type ROUTE PRINT to see the current routing table. To add the home network to the routing table, type in the following:
route add 192.168.100.0 mask 255.255.255.0 24.60.60.100
The first number is the home LAN network IP schema, the second is the network mask, and the third number is the Internet WAN IP address of the VPN router. This route will go away after the computer is rebooted and will need to be typed in again. Under Windows 2000 and XP, a parameter can be added that will make the route permanent:
route -p add 192.168.100.0 mask 255.255.255.0 24.60.60.100
I suggest putting this command in a BATCH file so it is easily accessible.
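As an added example (not part of the original tutorial), the Python helper below builds the route line from the IP schema above and also checks the problem Part 5 describes, a remote LAN numbered the same as the home LAN, suggesting non-colliding third octets the way the "Notes about Your IP Configuration" section advises. The addresses are the tutorial's constructed example values.

```python
import ipaddress
from typing import List

# Constructed values taken from the tutorial's IP schema.
HOME_LAN = "192.168.100.0/255.255.255.0"
HOME_WAN_IP = "24.60.60.100"


def route_add_command(home_lan: str, home_wan_ip: str, persistent: bool = True) -> str:
    """Build the Windows 'route add' line: network, mask, then the VPN router's WAN IP.
    persistent=True adds the -p flag (Windows 2000/XP) so the route survives a reboot."""
    net = ipaddress.IPv4Network(home_lan, strict=True)  # rejects a host address given as a network
    ipaddress.IPv4Address(home_wan_ip)                   # raises ValueError on a malformed gateway
    flag = "-p " if persistent else ""
    return f"route {flag}add {net.network_address} mask {net.netmask} {home_wan_ip}"


def overlapping_lans(home_lan: str, remote_lan: str) -> bool:
    """True when the remote client's own LAN overlaps the home LAN, in which case the
    route above would swallow the client's local traffic and one side must be renumbered."""
    return ipaddress.IPv4Network(home_lan).overlaps(ipaddress.IPv4Network(remote_lan))


def suggest_renumbering(home_lan: str, remote_lan: str, count: int = 3) -> List[str]:
    """Candidate 192.168.X.0/24 networks for the remote side, with X between 3 and 254
    as the tutorial recommends, skipping anything that collides with either existing LAN."""
    home = ipaddress.IPv4Network(home_lan)
    remote = ipaddress.IPv4Network(remote_lan)
    candidates: List[str] = []
    for third in range(3, 255):
        cand = ipaddress.IPv4Network(f"192.168.{third}.0/24")
        if not cand.overlaps(home) and not cand.overlaps(remote):
            candidates.append(str(cand))
        if len(candidates) == count:
            break
    return candidates


if __name__ == "__main__":
    print(route_add_command(HOME_LAN, HOME_WAN_IP))
    if overlapping_lans(HOME_LAN, "192.168.100.0/24"):
        print("remote LAN collides; try one of", suggest_renumbering(HOME_LAN, "192.168.100.0/24"))
```

Windows only accepts the route when the gateway address lies on a network the remote computer is directly attached to, so check ROUTE PRINT first if the command is refused.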

Testing the connection
From a command prompt (DOS shell) type (with a home LAN computer IP address):
PING 192.168.100.2
For version 1.2 users, it might take a couple of tries to get this command to work. When this PING is first run, the VPN connection is established. This can take up to 60 seconds or so. If you get a response, your VPN works!!!

Mounting a network drive across the VPN
Our next step is to mount a shared network drive across the VPN. From the remote computer's file explorer, select 'mount network drive' from the menu.

Next, type in the home LAN computer address and the name of the share this way. In this case, the computer I want to reach is at 192.168.100.2 and the share name I set up was 'c'.

Your VPN is now running!

VPN Router Tutorial - Getting it to work with an IPSec Client
Part 2a: Linksys BEFVP41 VPN Router Config
From the VPN screen of your Linksys BEFVP41 router, configure a VPN tunnel as shown in the picture below. You can name this tunnel anything you want; the name will not appear anywhere else, so it is unimportant. Be sure to set the Local Secure Group to the LAN network as shown. This will give the IPSec tunnel access to all of your LAN computers.

The Pre-Shared Key is VERY important. This key is the 'password' for your whole network. It will be given to anyone that needs VPN connectivity. A single word from the dictionary should never be used, since hackers use dictionaries to break in. The key should be at least 8 characters long. The key shown (1234) is a VERY BAD key. I am using it only for diagnostics.
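The following Python snippet is an added example, not part of the original tutorial or the router's firmware: it checks a candidate pre-shared key against the two rules stated above (at least 8 characters, not a single dictionary word) and generates a key from the operating system's secure random source. The word list is a constructed stand-in; a real check would load a full dictionary.

```python
import secrets
import string
from typing import List, Set

# Constructed mini dictionary standing in for the word lists attackers try first.
DICTIONARY: Set[str] = {"password", "secret", "letmein", "welcome", "dragon", "sunshine", "network"}
MIN_LENGTH = 8  # the tutorial's stated minimum


def psk_problems(key: str, dictionary: Set[str] = DICTIONARY) -> List[str]:
    """Return the tutorial's rules that the key breaks; an empty list means it passes both."""
    problems: List[str] = []
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if key.lower() in dictionary:          # case-insensitive: 'Sunshine' is still a dictionary word
        problems.append("single dictionary word")
    return problems


def generate_psk(length: int = 24) -> str:
    """Random key from letters and digits using the OS CSPRNG; longer than the minimum on purpose,
    because every remote user shares this one secret."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("1234 ->", psk_problems("1234"))        # the tutorial's diagnostic key fails the length rule
    print("suggested key:", generate_psk())
```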

Down by the View Log button, there is a 'more' link. Press it and make sure it looks like the picture below.

Your router is now ready to receive incoming VPN Connections! The picture below shows a Linksys LOG of a successful incoming VPN connection. Please note: you will not be able to see a log like this till you try connecting.

VPN Router Tutorial - Getting it to work with an IPSec Client
Part 3a: IPSec Client Config: SSH Sentinel v1.2
Click here if you are using v1.3.

IPSec Client Software
SSH Sentinel is my IPSec client of choice, primarily because it is free for non-commercial use. This beats the heck out of paying $150 per license for some of the other clients out there. SSH Sentinel, however, is not the most intuitive client on the market. Come to think of it, all IPSec client software programs are a little hard to set up for beginners.

Version 1.2 or 1.3?
When this tutorial was written, SSH Sentinel 1.3 was in BETA. I had a few problems with it retaining its settings, so this tutorial was written with version 1.2. If you have version 1.3, click here for v1.3 instructions. Click here to download SSH Sentinel.

Where does it go?
SSH Sentinel should be loaded on the REMOTE computers, the computers on the Internet that you want to have access to your LAN. SSH Sentinel is a free download for non-commercial use and can be found here.

The Install
When you see the following screen, select 'administrator email' and type in your email address.

Next, select 'self-signed certificate'.

Key Configuration
Once installed, you will need to enter the 'POLICY EDITOR'. It can be reached from the Start menu or by right-clicking the blue SSH Sentinel icon in your task bar. From the SSH Sentinel Policy Editor, select the Key Management tab and add a new key.

Select 'create a preshared key' when you see 'Mr. Buff'.

Create a name for the key and type in the exact key you typed into your router. Again, this key should be at least 8 characters long and should not be a single word from a dictionary.

You have now created a shared key. Now to create the VPN connection.

VPN Tunnel Config

Now, from the Security Policy screen, add a new VPN connection. Note: the picture below shows one that was already added. You should only have the add button. The folder layout will look a little different in v1.2, but that's OK.

Type in the VPN router's WAN address. You will need to click the 'IP' button to the right if you are typing a static IP address. Next, select the shared authentication key you just created and check the 'use legacy proposal' button. Last, type in the IP schema of the LAN network that is BEHIND the VPN router, and click OK.

These are the PROPERTIES of the new VPN connection we created. Be sure yours looks like this.

Select the ADVANCED tab and make it look like this. BE SURE TO SELECT THE 'Use Perfect Forward Secrecy' checkbox or it will not work! If the remote client computer is behind some kind of NAT-based router or firewall, check the 'Enable NAT Traversal' checkbox too.

Congrats! You have configured the SSH Sentinel software. Now we must do a little ROUTING to get everything working.

VPN Router Tutorial - Getting it to work with an IPSec Client
Part 5: Troubleshooting Client Connectivity Problems

The Logs
Your number 1 buddy in diagnosing VPN connectivity problems is the 'IKE LOG WINDOW', found by right-clicking the SSH Sentinel icon and selecting the 'auditing' menu. Be sure to set the log detail level to 'low'. Try to connect, then look at the last couple of lines of data. It will give you a hint about the problem. Many VPN routers also have logs that can be checked.

DOUBLE CHECK ALL SETTINGS
I found that somehow or another my settings sometimes mysteriously changed in my client setup. Double check them ALL.

Time and Time Zones
It is very important that your computer and VPN router have the correct time zone settings and time. Without these, key expiration is not handled correctly.

My remote client is behind a router or firewall
Not all firewalls or even broadband routers will pass IPSec traffic. Others require the client computer to be in a DMZ. First look at the technical specs for the router and make sure it specifies 'IPSec Passthrough'. If not, try placing the client computer in the DMZ. Also, try upgrading the firmware of your router. If neither of these works, then it might be time for a new router on the client end.

My home broadband connection uses a dynamic IP address and I don't know what it is.
You should use a Dynamic DNS service to keep track of your current IP address. Try DNS2GO.

I want to link up two LANs instead of going computer to LAN
This requires a VPN-capable broadband router on both sides and will be covered by another tutorial later.

The remote computer is on a LAN that has the same IP schema as my LAN.
You will need to change the IP schema of one of the LANs. Do something like change it from 192.168.1.0/255.255.255.0 to 192.168.33.0/255.255.255.0.

Linux as a broadband router
Linux has a very powerful IP stack built into the operating system. Linux itself has the capability of routing your LAN to the Internet with NAT, or Network Address Translation, which lets all the computers on your LAN share the single public IP address your ISP gives you. In the Linux world this is often called IP Masquerading. Here is a HowTo at LinuxDoc.

My favorite way to use Linux as a router is with a micro-distribution. There are versions of Linux out there that run off of a single floppy disk. Using one of these distributions, you can convert an old, unused computer (even a 486!) into a capable broadband router. Since the software fits on a floppy, you don't even need a hard drive in the system! Most of the micro-distributions of Linux routers have minimum requirements of a 386 with 16Mb of memory.

My favorite Linux router is called Coyote Linux. Coyote Linux has a very cool installation and configuration method. Coyote Linux starts with a Windows program. Run it, and you can actually configure the router in Windows. Next, a program creates a bootable floppy disk that has your fully configured Linux broadband router!

Update: HomeNetHelp now has an in-depth article about setting up an OpenBSD box as a great firewall / router combination: OpenBSD firewall & router.

Micro-distribution based broadband router projects
Coyote Linux http://www.coyotelinux.com/
Linux Router Project http://www.linuxrouter.org/
EDGE Firewall, a Lineo Embedix ThinLinux demonstration of embedded computing products http://edge.fireplug.net/
For NetBSD fans, the NetBSD/i386 Firewall Project http://www.dubbele.com/

General Linux Networking Links
Linux Firewall and Security Site http://www.linux-firewall-tools.com/linux/
Home Networking with Linux http://www.linuxgazette.com/issue28/journeay.html
IP Masquerading How-To http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
Another Linux Router Howto Site
