Setting up a network and VPN connection manually in Linux. We are developing a certification center

Sometimes you need to get remote access to the enterprise network, create a tunnel between servers or provide Internet access to a good neighbor who was disconnected from the Network for debt. Or, perhaps, just be able to access your network from any corner of the world where there is the Internet.

For these purposes, you can use virtual private networks (VPN). In our case, this will be the most common protocol in the CIS countries, namely PPTP (Point-to-Point Tunneling Protocol). Many cable Internet providers use it to provide access services.

Setting up your own server on Ubuntu Server LTS isn't that hard. To do this, we will need Internet access and a real (public) IP address (if we need to connect from the Internet).

Log in to the server as root and install the necessary packages with the command apt-get install pptpd. We will also be asked to install the bcrelay package, which relays broadcast packets received on the incoming interface to the virtual interfaces (the PPP client tunnels).

Press Enter and our server is installed. Let's start with the configuration. Open the file with nano /etc/pptpd.conf; at the very bottom we will see the following lines:

#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

These are the client IP address settings. Let's uncomment the first two lines (remove the # symbol) and correct them a little.

The line localip 192.168.0.1 means that our VPN server will have the IP address 192.168.0.1; you can specify our IP in one of the directly connected networks. For example, on my home network the server's IP address is 172.30.2.1. In order not to load the server with unnecessary things, I used the same one.

The second line, remoteip 192.168.0.234-238,192.168.0.245, specifies the range of IP addresses that will be assigned to clients. As the second group of lines shows, the network address can be anything. For convenience, we will select it from the same range as the IP of our server.

I use the following logic for issuing IP addresses at home: 1 - router, 2-19 - computers, 20-49 - static VPN (the same address is issued on every connection), 50-100 - VPN clients, 101-199 - Wi-Fi clients, 200-254 - various devices (for example, IP router, TV, etc.). Let's specify the range remoteip 172.30.2.50-100 and save the configuration.

Let's go to the /etc/ppp/ directory (cd /etc/ppp/); all the pptpd (server) and pppd (client) configuration files are stored here.

Let's rename the pptpd-options file with the command mv pptpd-options pptpd-options.bak and create it anew with nano pptpd-options. This is done because it is easier to insert several lines into a new file than to search for parameters among dozens of lines with comments. Let's paste the following content into this new file:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 172.30.2.1
nodefaultroute
lock
nobsdcomp
auth
logfile /var/log/pptpd.log

What does all this mean? Let's go in order:

  • name pptpd - use the name pptpd to look up logins in chap-secrets
  • refuse-pap, refuse-chap, refuse-mschap - with these options specified, pptpd will not agree to authenticate using the PAP, CHAP or MS-CHAP protocols
  • require-mschap-v2 - require peer authentication using MS-CHAPv2
  • require-mppe-128 - require the use of MPPE with 128-bit encryption, i.e. encrypt all traffic. This increases the load on the server, and not all “weak” devices (Wi-Fi routers, etc.) support it. In the listing above this line is commented out, so encryption is not required.
  • ms-dns 172.30.2.1 - suggest using the DNS server with IP 172.30.2.1
  • nodefaultroute - do not set a default gateway from the server to the client; otherwise all traffic to the Internet will be sent through the connected client, and the Internet will disconnect due to the loss of the route to the provider
  • lock - block sessions, i.e. there can be only one connection per login
  • nobsdcomp - do not compress traffic. When enabled, compression increases the load on our server
  • auth - require authorization (login and password)
  • logfile /var/log/pptpd.log - write work logs to this file

Save and close this configuration file.
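A quick way to check which of these directives are really active in a given pptpd-options file. This is an added example, not part of the original article; the function names are made up for the illustration, and the sample input is the listing above.

```shell
#!/bin/sh
# Added example, not from the original article: audit a pptpd-options file for
# the authentication and encryption directives explained in the list above.

# has_option FILE OPTION: succeed only if OPTION is active (not commented out).
has_option() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }             # drop comments; awk re-splits the fields
        $1 == opt { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_pptpd_options FILE: print one finding per line; return 1 if any.
audit_pptpd_options() {
    file=$1
    status=0
    for opt in refuse-pap refuse-chap refuse-mschap; do
        if ! has_option "$file" "$opt"; then
            echo "WEAK-AUTH: $opt is missing, ${opt#refuse-} can still be negotiated"
            status=1
        fi
    done
    if ! has_option "$file" require-mschap-v2; then
        echo "WEAK-AUTH: require-mschap-v2 is missing"
        status=1
    fi
    if ! has_option "$file" auth; then
        echo "NO-AUTH: auth is missing, clients are not required to authenticate"
        status=1
    fi
    if ! has_option "$file" require-mppe-128; then
        echo "NO-ENCRYPTION: require-mppe-128 is not active, MPPE is not required"
        status=1
    fi
    return "$status"
}

# Sample input: the pptpd-options listing from the article, written to FILE.
write_article_options() {
    cat > "$1" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 172.30.2.1
nodefaultroute
lock
nobsdcomp
auth
logfile /var/log/pptpd.log
EOF
}

# Demo run against the article's listing.
sample=$(mktemp)
write_article_options "$sample"
audit_pptpd_options "$sample" || echo "Audit finished with findings."
rm -f "$sample"
```

On the article's listing the only finding is NO-ENCRYPTION, because require-mppe-128 is commented out.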

Now we need to add users who will connect to our server. Let's open the chap-secrets file with nano chap-secrets (it is used to store PPP accounts).

For correct operation the following format must be followed: columns must be separated by at least one space or tab, spaces are not allowed in names (otherwise the text after the space is treated as the next column), and the login must begin with a letter. For example:

The first column is the user login; the second is the service name, in our case pptpd. Next comes the user password, and the last column is the IP address that will be issued. If it is *, the IP address will be issued automatically from the previously specified range. You can also specify a particular IP address, which may be outside the range.
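The column rules above can be checked mechanically before restarting the server. The following is an added example, not part of the original article: the function names and the sample accounts are constructed, the four-column layout and the "login begins with a letter" rule are taken from the text above, and the permission check is an extra assumption based on the fact that the file holds passwords in plain text.

```shell
#!/bin/sh
# Added example, not from the original article: lint a pppd chap-secrets file
# against the column rules described above (login, service, password, IP).

# lint_chap_secrets FILE [SERVICE]: print one finding per line; return 1 if any.
lint_chap_secrets() {
    file=$1
    service=${2:-pptpd}     # must match the "name" option in pptpd-options
    status=0

    # Passwords sit here in plain text, so group and others need no access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $file is accessible to group or other users"
        status=1
    fi

    awk -v svc="$service" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            where = "line " NR " (" $1 ")"      # never echo the password
            if (NF != 4) {
                # A space inside a login or password shifts every later column.
                print "COLUMNS: " where " has " NF " columns, expected 4"
                bad = 1
                next
            }
            if ($1 !~ /^[A-Za-z]/) {
                print "LOGIN: " where " does not begin with a letter"
                bad = 1
            }
            if ($2 != svc && $2 != "*") {
                print "SERVICE: " where " is for " $2 ", not " svc
                bad = 1
            }
            if ($4 != "*" && $4 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print "ADDRESS: " where " has neither * nor an IPv4 address"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file" || status=1
    return "$status"
}

# Constructed sample input (not real accounts), written to FILE.
write_sample_secrets() {
    cat > "$1" <<'EOF'
# login    service  password     IP
alice      pptpd    S3cretPass   *
bob        pptpd    my pass      172.30.2.20
9carol     pptpd    Passw0rd     *
dave       l2tpd    Passw0rd     172.30.2.21
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp)
write_sample_secrets "$demo"
lint_chap_secrets "$demo" || echo "Lint finished with findings."
rm -f "$demo"
```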

Before you can use the server, you need to restart it. To do this, execute /etc/init.d/pptpd restart; if there are no errors in the configuration, the server will be started.

root@CoolServ:/etc/ppp# /etc/init.d/pptpd restart
Restarting PPTP:
Stopping PPTP: pptpd.
Starting PPTP Daemon: pptpd.

If you use ) you need to add the following lines to it:

# VPN - PPTPD
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT

To give VPN clients access to the Internet via our server, add the following rule to iptables:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Where eth1 is the interface towards the Internet.

To check, you can create a test VPN connection with encryption disabled (optional) and connect to the server using any of the logins specified above.

Common mistakes when connected

To create a client PPTP connection from Windows XP, perform the following steps: click “Start” - “Control Panel” - “Network and Internet Connections” - “Network Connections”.


Click on "Create a new connection" - this will launch the "New Connection Wizard".







Now enter the name of the connection. Here you can write anything, it will just be the name of the connection, for example we will write “PPTP” (by connection type).



The following question may appear: “Use configured Internet connections?” (if you have already configured a PPPoE connection). If it does, click “Do not dial the number”.

If such a message does not appear, read on.

Now you will be asked to enter the server address; enter the IP of your server or its name.




In the window shown in the photo above, select “Properties”. A window will appear in which we select the “Security” tab. Find the item “Data encryption required” and uncheck the box; otherwise we will not be able to connect, and errors 741 or 742 will appear - “the required encryption type is not supported by the server.”


After that, click the “OK” button, return to the previous window, enter your login and password and connect to our remote server via a secure VPN channel!

After the hype around Windows 10, users began to realize that this system is unsafe and can spread personal information. More and more new users are starting to look for alternatives among open systems. Users want a system that doesn't spy on their data and provides maximum security and privacy. To ensure greater anonymity on the Internet, you can use VPN services.

But when it comes to VPN on Ubuntu, Fedora, OpenSUSE or other Linux distributions, users may have problems. For developers, Windows users are more important, and Linux is still not a priority. In this article we will look at the best VPNs for Linux, which will definitely be useful to you. The list will include both paid and free services.

Typically, technologies such as OpenVPN, OpenConnect or NetworkManager are used to connect to a VPN in Linux. But it is much better if the VPN provider releases its own client for Linux. It's much easier to set up and has many more features. Most of the VPNs on this list have a client for the Linux operating system.

1. PIA - Private Internet Access

Private Internet Access is one of the best and most widespread VPN providers available today. It is affordable, allows you to connect multiple devices at once, offers acceptable network speeds, and is also completely secure. It is also one of the most popular VPN services for Linux, and deservedly so. It uses OpenVPN with encryption using a 256-bit AES key. The service has its own client for both Debian and Red Hat systems. But considering all the advantages of the service, it is not cheap - $3.33 per month.

2. ExpressVPN

ExpressVPN released its official client for Linux quite recently, in April 2016. Unfortunately, there is no graphical interface yet and the program only works from the command line. But it's still much easier than setting up separate configuration files.

The list of servers is always up to date, and users can switch between the UDP and TCP protocols when working via OpenVPN. The biggest drawback of this VPN for Linux is the price: the service costs twice as much as PIA. The service offers refunds within 30 days, so you can try the VPN for free. But the servers have more impressive characteristics, and the network speed is much faster.

ExpressVPN works on Ubuntu, Fedora, Debian and CentOS. You can connect up to three devices at the same time, and you can now work with Netflix.

3. AirVPN

AirVPN offers official clients for the Linux distributions Debian, Ubuntu, OpenSUSE and Fedora. You can use it either from the command line or via a GUI. This service has the most security settings. You can connect using OpenVPN, SSH or SSL, and forward traffic through a range of alternative ports. This service is also paid; the price is the same as PIA.

4. Buffered

This is a new VPN service based in Hungary. You can connect three devices at the same time, and the traffic is unlimited. The service is expensive, but there is a 30-day money-back guarantee. An interesting feature is that the client can look for open ports on secure servers. This is a great way to bypass the login pages that are often found in hotels and airports. Servers are located in 16 countries, but the speed is very fast. The client works on most Linux distributions.

5. Mullvad

The Mullvad service has gone even further and offers an open-source client for Debian and Ubuntu. Features such as an Internet kill switch, DNS leak protection and IPv6 routing are supported. The service keeps logs, but not connection logs, so it is reliable in terms of security. Three connections can be used simultaneously. Port forwarding is also available. The choice of servers is limited, but this is acceptable. The official website has packages for Debian and Ubuntu, but the program will work on most distributions. Next, let's look at the best free VPNs of 2016.

6. Itshidden

This one is a free VPN for Linux. All the services we discussed above are paid, but they are more reliable. None of them keep connection logs, which means that no one will be able to access your information: neither attackers nor law enforcement agencies. With free services everything is quite different. Many of them keep logs and also use insecure communication protocols.

For example, this VPN service uses the PPTP protocol, so it is not entirely secure, but if there are no alternatives, it can be used. The privacy policy states that no logs are kept, so your data still cannot be accessed, at least from the VPN server side.

7. SecurityKISS

This is another of the best free VPNs for Linux that has an official client for this operating system. Various operating protocols are supported, including SSH, FTP, RDP, Telnet and so on. But like other free VPNs, it has several disadvantages. The company stores logs and users' IP addresses, which is not advisable for those who want to protect their privacy. Also, in the free version the available traffic is limited to 300 megabytes per day, which is very little.

Conclusions

Even if a VPN provider does not offer an official client for Linux, almost all of them can be configured using OpenVPN. In this article, we've looked at the best VPNs for Linux, both free and paid, so you can choose what you need. Free VPNs for Linux have their limitations, but in some situations this can be tolerated. Do you use a VPN to surf the web? What free services would you recommend to other users? Write in the comments!


new player May 27, 2011 at 10:04 pm

Network setup and VPN connections "manually" in Linux


We will configure the network parameters using the Ubuntu distribution; for other distributions the settings will be slightly different.

In some distributions you will find the network configuration utility network-manager, which lets you configure network parameters through a graphical interface. In this manual we will not use it and will configure everything ourselves, manually.

Since a VPN often has to be configured on a machine that no longer has any other Internet access, I advise you to stock up on the pptp-linux package from the official repository in advance. On some distributions, the pptp-linux package is on the installation disk. We will need it later to set up a VPN connection.

Network setup
1. Launch the terminal: Applications - Standard - Terminal.
Run the command sudo apt-get remove network-manager, enter the user password and remove network-manager.

2. Enter the command ifconfig -a; we see a list of all (active and inactive) network devices, which are named eth0, eth1, eth2, etc. I have one network card (eth0) to which the local network is connected, so in the examples we will use eth0.

3. Almost all information about the network settings and how they are activated is stored in the /etc/network/interfaces file, which is what we will work with. Enter sudo nano /etc/network/interfaces in the terminal, then the user password. This launches the nano console editor, which we will use to edit the settings files. The cursor is moved using the up, down, left and right arrows :-). The open file will contain lines like this:

auto lo
iface lo inet loopback

auto lo - indicates that the loopback interface lo is brought up automatically when the system boots.
lo is the loopback interface; it allows the computer to talk to itself. The interface has the IP address 127.0.0.1 and is required for normal operation of the system.

4. Edit the file and add a few lines:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
gateway xxx.xxx.xxx.1

auto eth0 - indicates that the eth0 network card is brought up automatically during system boot.
iface eth0 inet static - indicates that the interface (iface) of the network card (eth0) is in the IPv4 address range (inet) with a static IP (static).
address xxx.xxx.xxx.xxx - the static IP address; write your own IP here.
netmask - the standard network mask.
gateway xxx.xxx.xxx.1 - the IP address of the main gateway; replace it with the IP address of your gateway.

Editing is complete. Press Ctrl+O to save, Ctrl+X to exit the nano console editor.

5. The addresses of the primary and secondary DNS servers must be written to the /etc/resolv.conf file. Go to the terminal again and type sudo nano /etc/resolv.conf, then the user password. Add the lines:

nameserver xxx.xxx.xxx.1
nameserver xxx.xxx.xxx.2

Replace xxx.xxx.xxx.1 and xxx.xxx.xxx.2 with the IP addresses of your primary and secondary DNS servers. Press Ctrl+O to save, Ctrl+X to exit the nano console editor.

Now let's move on to setting up a VPN connection
Remember at the beginning of the guide I asked you to download the pptp-linux package, I hope you already have it. It's time to install it. Installed? Great, let's move on.

1. Go to the terminal again and type sudo nano /etc/ppp/options.pptp, then the user password. Add the following lines:

lock
noauth
nobsdcomp
nodeflate
persist

Simply comment out all other lines using the # sign at the beginning of the line.

2. Create a VPN connection file. To do this, type sudo nano /etc/ppp/peers/vpn in the terminal and add the following lines:
defaultroute
pty "pptp MyVPN.com --nolaunchpppd"
name MyLogin
remotename PPTP
+chap
file /etc/ppp/options.pptp
ipparam vpn

Be sure to replace MyLogin with your login and MyVPN.com with the address of your VPN server. Press Ctrl+O to save, Ctrl+X to exit the nano console editor.

I will describe some parameters:
defaultroute - set the default route;
+chap - authentication type. Besides +chap, +pap can also be used.
file - read additional settings from the given file.

3. Edit the file /etc/ppp/chap-secrets. To do this, enter in the terminal sudo nano /etc/ppp/chap-secrets, then the user password. Add the line:
MyLogin PPTP MyPassword *

Replace MyLogin with your login and MyPassword with your connection password. Press Ctrl+O to save, Ctrl+X to exit the nano console editor.

4. Type in the terminal sudo nano /sbin/vpn, then the user password. Insert the following lines there:
#!/bin/sh
# Bring the "vpn" PPTP peer up or down and switch the default route to ppp0.
case "$1" in
    start)
        echo -n "Starting vpn: "
        pon vpn                        # start pppd with /etc/ppp/peers/vpn
        sleep 5                        # give ppp0 time to come up
        route add default dev ppp0     # send all traffic through the tunnel
        ifconfig
        echo
        ;;
    stop)
        echo -n "Stopping vpn: "
        poff vpn                       # stop pppd for the "vpn" peer
        sleep 5
        route del default dev ppp0
        ifconfig
        echo
        ;;
    *)
        echo "*** Usage: vpn (start|stop)"
        exit 1
        ;;
esac
exit 0

Press Ctrl+O to save, Ctrl+X to exit the nano console editor.

This is where our settings end. Now restart the network connection using the command sudo /etc/init.d/networking restart, then the user password.

To connect to VPN, type in the terminal:
sudo sh /sbin/vpn start

To disable VPN, type in the terminal:
sudo sh /sbin/vpn stop


Nowadays the only people who have not heard the abbreviation VPN are those who have never dealt with a computer. What is it, why is it needed and how do you set it up yourself?

What is a VPN and why is it needed?

VPN (Virtual Private Network) – a virtual private network, a way to combine several computers physically located at some distance from each other into one logical network.

You can use a VPN for different purposes, from organizing a network for work or games to Internet access. At the same time, you must understand the possible legal liability for your actions.

In Russia, using a VPN is not a punishable action, except in cases of use for obviously illegal purposes. That is, if you want to go to the website of the president of a neighboring country (for example, Somalia) and write how bad he is, while hiding your IP address, this in itself is not a violation (provided that the content of the statement does not violate the laws). But using this technology to access resources prohibited in Russia is an offense.

That is, you can play with friends online and work remotely on an organization’s network using a VPN, but you can’t read all sorts of bad sites. That's sorted out. Now let's move on to the setup.

Setting up the server part on Ubuntu Linux

For the server side it is better to use Linux, which is easier to work with in this regard. The simplest option is PPTP: it does not require installing certificates on client computers, and authentication is carried out by username and password. We will use it.

First, let's install the necessary packages:

sudo nano /etc/pptpd.conf

If we need more than 100 simultaneous connections, look for the “connections” parameter, uncomment it and specify the desired value, for example:

connections 200

If we need to transmit broadcast packets over the virtual network, make sure that the bcrelay parameter is also uncommented:

bcrelay eth1

After that, go to the end of the file and add the address settings:

localip 10.10.10.1
remoteip 10.10.10.2-254
listen 11.22.33.44

The first parameter specifies the IP address of the server on the local network; the second, the range of IP addresses issued to clients (the range should be large enough for the specified number of connections, and it is better to allocate addresses with a reserve); the third specifies on which external address to listen for incoming connections. That is, if there are several external addresses, you can listen on only one. If the third parameter is not specified, all available external addresses will be listened on.

Save the file and close it. Additional fine-tuning is specified in the file /etc/ppp/pptpd-options:

sudo nano /etc/ppp/pptpd-options

First of all, we make sure that we have uncommented the lines that prohibit the use of old and insecure authentication methods:

refuse-pap
refuse-chap
refuse-mschap

We also check that the proxyarp option is enabled (the corresponding line is uncommented). Additionally, to allow or deny multiple connections from one user, comment out (allow) or uncomment (deny) the lock option.

We also save the file and close it. All that remains is to create users:

sudo nano /etc/ppp/chap-secrets

Each VPN user gets one line in which the following are given in order (separated by spaces): the name, remote address, password and local address.

A remote address can be specified if the user has an external static IP and only that address will be used; otherwise it is better to specify an asterisk so that the connection can be accepted. A local address must be specified if you want the user to be allocated the same IP address on the virtual network. For example:

user1 * password1 *
user2 11.22.33.44 password2 *
user3 * password3 10.10.10.10

For user1, connections will be accepted from any external address, and the first available local address will be allocated. For user2, the first available local address will be allocated, but connections will only be accepted from the address 11.22.33.44. For user3, connections are accepted from anywhere, but the local address allocated will always be 10.10.10.10, which we reserved for it.

This completes the configuration of the VPN server; restart it (under Linux you do not need to restart the computer):

sudo service pptpd restart

Setting up VPN clients

The client part can be configured on any operating system; I will use Ubuntu Linux 16.04 as an example.

On the client computer, open the network connections (the screenshots show Ubuntu + Cinnamon; in GNOME it is done the same way, and in Kubuntu it should not cause any difficulties). Click the “Add” button and select a PPTP connection:

The name of the VPN connection can be left standard, or you can specify one that is convenient and understandable for you - it’s a matter of taste. In the “gateway” field we enter the external IP address of the server to which we are connecting (specified during setup in the “listen” option), and below it the name and password. On the right, in the “Password” field, you must first select the “Save password for this user” option:

After that, close the windows and connect to the server. If the server is located outside your local network, you need Internet access.

This completes the organization of the virtual network, but it will only connect the computers into a local network. To access the Internet through the network server, one more setting is needed.

Setting up Internet access via VPN

On the VPN server, enter the following commands:

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1/24 -j MASQUERADE
iptables -A FORWARD -s 10.10.10.1/24 -j ACCEPT
iptables -A FORWARD -d 10.10.10.1/24 -j ACCEPT

where 10.10.10.1/24 is the local server address and network mask.

After that, save the changes so that they work even after the server is rebooted:

iptables-save

And apply all the changes:

iptables-apply

After this you will have access to the Internet. If you go to any site that displays your IP address, you will see the external server address, not yours (if they do not match).

Let me remind you that only you are responsible for the consequences of your actions.

Setup using Network Manager

Be that as it may, I will still describe VPN setup using network-manager. This setup is quite suitable for those who obtain IP addresses automatically via DHCP.

1. Install the two packages we need:
# apt-get install pptp-linux network-manager-pptp
Since these packages are not on the Ubuntu disk by default, and a VPN often has to be configured on a machine that no longer has any other Internet access, I advise you to stock up on these packages from the official repository in advance. To do this, go to the website packages.ubuntu.com/, look for these two packages there, download them and then install them on the machine we need.
2. If the “VPN Connections” item does not appear or will not open, you need to log in again or, even better, reboot.
3. Left-click the Network Manager icon (right-clicking calls up a different menu) and select “VPN connections” - “Configure VPN” in the drop-down menu. Add a new connection and set all the necessary options for it.
4. After this, your connection should appear in the “VPN connection” menu; if it suddenly does not appear, log in again or reboot (well, what can I do, this network-manager is still so crude).
5. That's it, you can now connect to the VPN connection you created (and also disconnect by selecting a menu item in Network Manager).

# apt-get install pptp-linux

As I already described above in the installation section using network-manager, VPN often has to be configured on a machine that no longer has another Internet connection, so I advise you to stock up on this package in advance from the official packages.ubuntu.com/ repository.

2. Edit the options.pptp file:
# nano /etc/ppp/options.pptp

lock
noauth
nobsdcomp
nodeflate
persist

I will not describe every parameter, only a few:
persist - try to re-open the connection when it closes;
nodeflate - do not use deflate compression (although they say it works faster, I don’t know - I haven’t tested it).
Also, if your connection uses encryption, add one of the following lines, depending on the type of encryption: require-mschap-v2, require-mppe-40, require-mppe-128, require-mppe.

3. Create a connection file /etc/ppp/peers/vpn (you can replace the vpn name with any other name, but if you do, do not forget to change it later in this article)

# nano /etc/ppp/peers/vpn

Insert the following lines there:
maxfail 0
lcp-echo-interval 60
lcp-echo-failure 4
defaultroute
pty "pptp vpn.ava.net.ua --nolaunchpppd"
name sukochev
remotename PPTP
+chap
file /etc/ppp/options.pptp
ipparam vpn

Attention!!! Be sure to replace the following options with yours:
Instead of vpn.ava.net.ua, enter the address of your VPN server (you can use the server’s IP). Instead of sukochev, insert your connection login.
I will describe some parameters:
maxfail 0 - always try to connect when there is no connection;
lcp-echo-interval - time interval after which the remote party is polled;
lcp-echo-failure - the number of unanswered requests from the remote side, after which the system considers that we have been disconnected;
defaultroute - set the default route;
+chap - authentication type. In addition to +chap, the +pap type can be used.
file - read additional settings from the specified file.
You can also add the following parameters, if necessary:
deflate 15,15 - use deflate compression (there should not be a nodeflate parameter in the options.pptp file);
mtu - maximum size of the transmitted packet (this parameter is usually changed when the connection is often disconnected or some sites do not open);
mru - maximum size of the received packet.

4. Edit the file /etc/ppp/chap-secrets (if PAP authentication is used, then /etc/ppp/pap-secrets accordingly)

# nano /etc/ppp/chap-secrets

Insert a line there like:

sukochev PPTP password *

Attention!!! Replace sukochev with your login, and password with your password to connect.
5. If necessary, write the required routes in the /etc/network/interfaces file. For example, I have routes registered so that when the VPN connection is turned on, I can still use the local network. Here is an example of my routes (those that start with up route); yours will naturally be different:

auto eth1
iface eth1 inet dhcp
up route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.1.45.1 dev eth1
up route add -net 10.3.0.0 netmask 255.255.0.0 gw 10.1.45.1 dev eth1

Don’t forget to restart the network connections after changing the /etc/network/interfaces file:

# /etc/init.d/networking restart

6. Now you can turn the VPN connection on and off using the following commands:
Enable

Shutdown

Automatic VPN connection at system boot

To do this, edit the file /etc/network/interfaces
# nano /etc/network/interfaces

And insert the following lines at the end of the file:
auto ppp0
iface ppp0 inet ppp
provider vpn
pre-up ip link set eth1 up
up route del default
up route add default dev ppp0

Where eth1 is the interface of the network device through which the VPN connection is made, and vpn is the name of the VPN connection that you created in the /etc/ppp/peers/ folder.