VPN on Mac OS X
Tunneling PPP over SSH
While PPTP is a very common solution for creating a VPN on the Internet, server solutions for Mac OS X are limited at this point. There is a PPTP VPN daemon available, shipping with Mac OS X Server, but unfortunately it is not listed as an open source component on Apple's site. This greatly hampers the ability to get two Mac OS X clients together in a VPN. However, there is another solution: using PPP and SSH together to form a VPN link.
This method works by creating a PPP link between two systems over an SSH connection. The master machine initiates an SSH connection to the slave. Once it has authenticated the connection, the slave machine launches pppd, with output going to the inbound SSH session. On the master machine, pppd is launched to respond to the slave's pppd. The two daemons sync up and begin passing packets, which are in turn encrypted by SSH. While it isn't terribly optimized (read "fast"), it does work, and is a great placeholder while we're waiting for more PPTP daemons to be ported to Mac OS X.
The slave machine is the machine that is connected to the main network. This is the same box that would run the actual VPN server, but in this situation it is the slave of the PPP link. This is the easiest method, because it allows the remote machine to build and tear down the VPN connection. The slave machine in my examples will be "utopia.lifehertz.com."
The first thing we'll need to do is create an account on the slave machine for our master machine to log into. This should be a brand-new account and will not be used beyond the VPN. We're going to modify some settings on the account that may break a normal user.
To create the user account, open the Accounts tab of the System Preferences pane. Click New User, and enter "VPN User" for the Name and "vpn" for the Short Name. Set an easy-to-remember password for now; we're going to disable it later. Once you've filled out these fields, click the OK button.
The next step is to set up the vpn account with the ability to launch the PPP daemon. To do this, we're going to edit the sudoers file. Open up the Terminal and issue the command sudo pico /etc/sudoers to open the file in pico. You'll want to add the VPN Cmnd_Alias and the vpn user's privileges so that your sudoers file looks similar to the one below:
# Cmnd alias specification
Cmnd_Alias VPN=/usr/sbin/pppd, /sbin/route
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
vpn ALL=NOPASSWD: VPN
The master machine is the machine you are using remotely. This machine will initialize the SSH connection and then respond to the PPP daemon launching on the slave. In my example, the master machine is "nomad.lifehertz.com." In order to easily log in to the slave machine to launch pppd, we'll be using SSH key authentication. To do this, we first need to generate the key, then copy the public portion of the key to the vpn account's home directory on the slave machine. You don't need to use a password on the key. The commands below should help you do this:
$ sudo ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/root/.ssh/id_rsa.
Your public key has been saved in /var/root/.ssh/id_rsa.pub.
The key fingerprint is:
a3:46:24:8b:b7:a9:d6:91:d7:25:9a:e2:82:ce:16:82 musouka@nomad
$ sudo scp /var/root/.ssh/id_rsa.pub vpn@utopia.lifehertz.com:~
The authenticity of host 'utopia (24.218.227.101)' can't be established.
RSA key fingerprint is 00:41:24:66:bf:d4:38:d4:cb:2a:e2:75:93:74:d2:9e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'utopia,24.218.227.101' (RSA) to the list of known hosts.
vpn@utopia's password:
id_rsa.pub 100% |**********************************************************************| 123
Once you've copied the public key to the slave system, you'll want to connect to it and finish setting up the vpn account. First ssh into the slave machine and then attempt to connect back to the master machine from the slave to exchange host keys. You'll want to confirm adding the master to your slave's known hosts and then just Ctrl-C to cancel the actual connection. Verify that there is a file in the vpn account's ~/.ssh folder called known_hosts. Next, move the generated public key to a file called authorized_keys in the ~/.ssh folder. Finally, configure the PPP daemon to launch passively upon login. The commands below should get you there:
$ ssh vpn@utopia.lifehertz.com
vpn@utopia's password:
$ ssh nomad
The authenticity of host 'nomad (209.94.128.164)' can't be established.
RSA key fingerprint is 71:7d:6d:03:87:86:28:94:ee:16:2f:e2:01:dd:e9:38.
Are you sure you want to continue connecting (yes/no)? yes
vpn@nomad's password: ^C
$ mv ~/id_rsa.pub ~/.ssh/authorized_keys
$ echo "sudo /usr/sbin/pppd passive; logout" > ~/.login
$ logout
To verify that your slave machine is set up properly, from the master machine, attempt the command sudo ssh vpn@utopia.lifehertz.com. Your master machine should connect to the slave machine, be authenticated via the SSH key, and then begin to see the garbled output of the PPP daemon. If this is all working properly, then your slave machine is ready to go.
To finish up configuring the master machine, you'll need to make use of a little tool called pty-redir. This program will execute a passed command on a separate TTY. As you saw above, when you SSH to the slave machine, the PPP daemon will launch and start filling your screen with garbage. In order to get the two machines to connect, you need to have the PPP daemon on the master machine launch to respond to the slave's PPP daemon. The problem is that you can't launch pppd very well if you're busy looking at the slave machine's output. pty-redir helps you get around this quite easily. To download and install pty-redir, follow the code below:
$ curl -O http://www.macdevcenter.com/mac/2002/12/20/examples/pty-redir-0.1.tar.gz
$ tar zxvf pty-redir-0.1.tar.gz
$ cd pty-redir-0.1
$ make
$ sudo mkdir /usr/local/bin
$ sudo cp pty-redir /usr/local/bin
These commands will put the pty-redir binary in your /usr/local/bin directory. To test it out, execute the command sudo /usr/local/bin/pty-redir /usr/bin/ssh vpn@utopia.lifehertz.com. You should just see a result along the lines of /dev/ttyp4. This output tells you which TTY was allocated for your command and to where its output is going. In this case, the slave machine's PPP daemon is sending its connection information to the redirected TTY. All you need to do to finish the link is launch pppd on the master machine and have it use the redirected port. You do this with the command sudo /usr/sbin/pppd /dev/ttyp4 local noauth proxyarp persist 192.168.10.1:192.168.10.2. This will tell the master machine's PPP daemon to use the redirected TTY and use the IP address of 192.168.10.1 for its end of the PPP link. The slave machine's IP would be 192.168.10.2. If everything is working up to this point, you should be able to ping 192.168.10.2 and get a response from the slave machine. This means your connection is up and running!
Now that you have the tunnel up, you can use a static route to point to the slave machine's network. You will then be able to pass traffic to other hosts on the slave's network through the encrypted PPP tunnel securely. If the network you are trying to access is 192.168.3.0/24, you would use the command sudo /sbin/route add -net 192.168.3.0/24 192.168.10.2. Make sure that the gateway for the route is the slave machine's end of the PPP link. Depending on the slave machine's routing setup, you might be able to have the master machine pass all Internet traffic through the slave machine. This is a good way to help secure traffic if you're using a wireless access point in a public place. You can bring up the VPN connection and then change your default route with the command sudo /sbin/route add -net 0.0.0.0 192.168.10.2. This will route all of your Internet traffic through the VPN link, securing your wireless traffic. The main thing to consider with changing the gateway is that you are going to take a hit in performance. You must take into account that your traffic will be encrypted, passed through the tunnel, decrypted, passed out of the slave machine, and then out onto the Internet. This can definitely slow things down.
So you've been connected into your slave machine for a while, and have decided that it's time to disconnect. The process is pretty simple. Use ps ax | grep pppd to search for the PPP daemon's process ID. Then use the sudo kill command to kill the daemon. The master machine's PPP daemon will bring down the link. This allows the slave machine's PPP daemon to quit. Upon quitting, the slave machine will log out the vpn user. At this point, the PPP connection will have stopped, both daemons will have quit, and your SSH connection should be down as well.
For finishing touches, I've included a script here that can help build and tear down the VPN connection with just a few keystrokes. It's also a good idea to disable the vpn user's password, making it less susceptible to break-in attempts. To do this, just issue the command sudo niutil -createprop . /users/vpn passwd '*' (the quotes keep the shell from expanding the asterisk into a list of filenames).
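As an added example (not the author's script, which is not reproduced on this page), here is a small shell script for the master machine that strings the steps above together: it runs pty-redir, checks that what came back is really a pseudo-tty before handing it to pppd, waits for the link, adds the static route, and tears everything down again. The host, addresses and remote network are the ones used in the article; the ppp0 interface name and the 15-second wait are assumptions.

```shell
#!/bin/sh
# vpn-link.sh: bring the PPP-over-SSH tunnel up or down from the master machine.
# Added example, not the author's script. Host, addresses and network are the
# article's; the ppp0 interface name and the 15-second wait are assumptions.

SLAVE=vpn@utopia.lifehertz.com
LOCAL_IP=192.168.10.1          # master's end of the PPP link
REMOTE_IP=192.168.10.2         # slave's end, used as the gateway
REMOTE_NET=192.168.3.0/24      # network behind the slave

# pty-redir prints the pseudo-tty it allocated (e.g. /dev/ttyp4). Accept only a
# BSD pty name so an ssh error message is never handed to pppd as a device path.
valid_tty() {
    case "$1" in
        /dev/tty[p-w][0-9a-v]) return 0 ;;
        *) return 1 ;;
    esac
}

# The pppd invocation from the article, for the tty pty-redir handed back.
pppd_cmd() {
    echo "/usr/sbin/pppd $1 local noauth proxyarp persist $LOCAL_IP:$REMOTE_IP"
}

# Static route through the slave's end of the link; pass 0.0.0.0 to send all
# traffic through the tunnel instead of just the remote network.
route_cmd() {
    echo "/sbin/route add -net ${1:-$REMOTE_NET} $REMOTE_IP"
}

vpn_up() {
    tty=$(sudo /usr/local/bin/pty-redir /usr/bin/ssh "$SLAVE") || return 1
    if ! valid_tty "$tty"; then
        echo "pty-redir returned '$tty', not a tty; is $SLAVE reachable?" >&2
        return 1
    fi
    sudo $(pppd_cmd "$tty") || return 1
    # pppd detaches; wait until ppp0 carries our address before adding the route
    i=0
    while ! /sbin/ifconfig ppp0 2>/dev/null | grep -q "$LOCAL_IP"; do
        i=$((i + 1))
        if [ "$i" -ge 15 ]; then
            echo "ppp0 did not come up; check 'ps ax | grep pppd' on both ends" >&2
            return 1
        fi
        sleep 1
    done
    sudo $(route_cmd "$REMOTE_NET")
}

vpn_down() {
    # Killing the master's pppd drops the link; the slave's pppd then exits,
    # which logs the vpn user out and closes the SSH session.
    pid=$(ps ax | grep '[p]ppd' | awk '{ print $1 }')
    if [ -z "$pid" ]; then
        echo "no pppd running" >&2
        return 1
    fi
    sudo /sbin/route delete -net "$REMOTE_NET" "$REMOTE_IP" 2>/dev/null
    sudo kill $pid
}

# usage: vpn-link.sh up | down   (no argument: define the functions only)
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```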
Jason Deraleau works as a systems administrator by day, IT consultant and technical writer by night, and is the coauthor of the upcoming Running Mac OS X Tiger.
-
Why use pty-redir
2004-11-01 19:18:35 went
Why use pty-redir when pppd already has a ``pty'' command line switch within it? In other words, a command along the lines of this will work and require fewer steps than the original script:
/usr/sbin/pppd pty '/usr/bin/ssh -t vpn@utopia.lifehertz.com' local noauth proxyarp
In addition, note the ``-t'' option used with ssh so that it knows to force a pseudo-tty allocation.
Finally, note that the ``defaultroute'' option is available and could remove even a few more steps from the original script. The other nice thing about this option is that pppd will shoulder the responsibility of deleting the route whenever pppd needs to quit.
-
Why use the pty-redir hack?
2004-11-01 19:22:08 went
Why use pty-redir when pppd already has a ``pty'' command line switch within it? In other words, a command along the lines of this will work and require fewer steps than the original script:
/usr/sbin/pppd pty '/usr/bin/ssh -t vpn@utopia.lifehertz.com' local noauth proxyarp
In addition, note the ``-t'' option used with ssh so that it knows to force a pseudo-tty allocation.
Finally, note that the ``defaultroute'' option is available and could remove even a few more steps from the original script. The nice things about these options is that pppd will shoulder the responsibility for cleanly shutting down the ssh and deleting the route whenever pppd needs to quit.
-
problem with default route
2004-09-27 06:57:31 swix
Very interesting article, everything seems to work, except the last part with default routing. Here (10.3), I get that at the end:
Configuring routing...
add net 192.168.3.0: gateway 192.168.10.2
route: writing to routing socket: File exists
add net 0.0.0.0: gateway 192.168.10.2: File exists
As my main goal would be to route the whole traffic over the ssh tunnel, it's not very practical... Any idea? :)
-
vpn: losing it
2003-12-09 12:15:25 anonymous2
Most times when I switch from my DSL connection to a wifi-based VPN configuration. I use the locations control.
Then when I launch Internet Connect, there's nothing displayed under status. And pressing "connect" does nothing. I have to restart, then.
Is there any way I can do this without a reboot?
-
PPP over SSH is a bad idea
2003-09-10 17:09:48 anonymous2
PPP over SSH is functional and secure but it has major performance problems. See this article for details why:
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
Basically the problem is that TCP over PPP over SSH (which uses TCP) results in two TCP stacks trying to compensate for errors, which results in really really sloooooow performance.
Use SSH + port forwarding, or just bite the bullet and set up a proper VPN. I just saw this in the store today:
http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=411
Linksys sells an IPSec VPN router for just over $100! Amazing.
-
isakmpd compiles on "os x"
2003-04-22 16:44:02 anonymous2
isakmpd compiles on "os x". This gives you a good solution for mobile users because isakmpd sets up the SA and SP db automatically. The sources can be obtained from www.openbsd.org
P.S. use
EDITOR=pico sudo visudo
to edit sudo ... this may help you if your syntax is messed up :)
man sudoers:
CAVEATS
The sudoers file should always be edited by the visudo command which locks the file and does grammatical checking. It is imperative that sudoers be free of syntax errors since sudo will not run with a syntactically incorrect sudoers file.
-
Loss of internet when connected to VPN
2003-03-12 14:23:42 anonymous2
Having set up VPN to work from Jaguar, much the same as the first part of this article, I find that I lose my internet connection while the VPN is connected.
Digging into the BSD environment I find that it is because it creates a default route via the VPN which overrides the default route to my NAT router.
I cannot find any configuration in either the network or Internet Connect configuration to prevent this.
Is this a known problem?
Alban.
-
Re: Loss of internet when connected to VPN
2003-03-12 15:01:52 Jason Deraleau
Your default gateway is determined by the order of your network interfaces in the Network pane of System Preferences. Whichever interface is at the top of the list will be the default gateway. If that interface isn't available, the next in the list will be the default gateway, and so forth. What you want to do is be sure that the interface used for your Internet connection is above the one for PPTP.
To change the order, select "Network Port Configurations" from the Show drop down menu. This will display a screen which allows you to drag and drop your interfaces into the desired order.
-
Re: Loss of internet when connected to VPN
2003-03-13 11:49:33 anonymous2
Thanks for the reply.
I have checked the order and Built-in Ethernet is above PPTP.
netstat -r normally gives:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 6 4 en0
127.0.0.1 127.0.0.1 UH 14 3290 lo0
169.254 link#4 UCS 0 0 en0
192.168.1 link#4 UCS 1 0 en0
192.168.1.1 0:20:78:da:e3:e2 UHLW 6 0 en0 868
192.168.1.50 127.0.0.1 UHS 0 1 lo0
After connecting the VPN
Destination Gateway Flags Refs Use Netif Expire
default 10.1.2.150 UGSc 1 5 ppp0
10.1.2.150 10.1.2.151 UH 2 0 ppp0
127.0.0.1 127.0.0.1 UH 13 4107 lo0
169.254 link#4 UCS 0 0 en0
192.168.1 link#4 UCS 1 0 en0
192.168.1.1 0:20:78:da:e3:e2 UHLW 1 0 en0 1092
192.168.1.50 127.0.0.1 UHS 0 1 lo0
vpnsvr_address 192.168.1.1 UGHS 1 1 en0
Note: vpn server address obscured for security
It appears the VPN ppp0 interface completely replaces the default routing. Reversing the order makes no difference.
I can set the routes manually each time, but I don't believe this should happen.
I would expect to get a route to 10.0.0.0/8 via 10.1.2.150 and the default route left alone.
Note it adds a route via the original default gateway to the address of the VPN server.
There appears to be no way of setting no default route for the pptp interface.
Any other ideas,
Alban
-
Re: Loss of internet when connected to VPN
2003-11-17 17:40:27 anonymous2
I found an automated script for correcting the route here:
http://www.macosxhints.com/article.php?story=20030313194656474
works well for me, in panther, after some small mods.
-millz
-
Re: Loss of internet when connected to VPN
2003-03-13 11:53:10 Jason Deraleau
Hmm. Coincidentally, this hint came through Mac OS X Hints earlier today:
http://www.macosxhints.com/article.php?story=20030311232930261&mode=print
It describes how to run pppd to make the VPN connection by hand, allowing you to remove the defaultroute statement. Apparently this is an unforeseen circumstance on Apple's behalf.
-
CUPS may be better than expected
2003-02-22 16:05:48 steve_nordquist
It's just that...does it do PostScript3? Nah.
Does MacOS? er... Okay, so it's not an integrated commandline RIP, optimizer and transmogrifier for Epson inkjets, but there's a lot to like from afar.
-
Okay, now printer sharing....
2003-02-22 15:57:01 anonymous2
Presumably, I'd like to print something for the people at the office (or particular PPTP connection) from time to time. How do I expose lovely Mac print facilities to (particular) clients (say, Win32 and Linux clients?)
SMB might be OK. Or it might peg the Mac's CPU and annoy everyone! :-/
How about I set up another PPTP to a particular Mac print service and tell the PC how to cater to it? If I knew how to do that...hey, maybe I could make the iMac pause Epson printers that aren't on and stow the job 'til it is!
-
how
2003-01-27 21:37:37 redhotdaddy
How do I find the name of my computer as a slave machine?
I want to tunnel through my current network to another. Also I got stuck at the password prompt in this part:
$ sudo scp /var/root/.ssh/id_rsa.pub vpn@utopia.lifehertz.com:~
The authenticity of host 'utopia (24.218.227.101)' can't be established.
RSA key fingerprint is 00:41:24:66:bf:d4:38:d4:cb:2a:e2:75:93:74:d2:9e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'utopia,24.218.227.101' (RSA) to the list of known hosts.
vpn@utopia's password:
id_rsa.pub 100% |**********************************************************************| 123
once I entered my password I got nothing. I had to escape with a ^C.
any ideas?
-
how
2003-01-28 07:53:07 Jason Deraleau
The slave machine must be accessible from the Internet. If it is directly connected to the Internet it should have a DNS entry, which would either be something you had to configure yourself; something your network administrator configured; or maybe something your ISP provides for you. If you don't have a DNS entry for the machine, you can use the machine's IP address instead.
If you are behind a NAT router of some sort, you're going to need to forward the SSH port (22) to the internal machine. You'd then want to use your NAT router's IP for the slave machine entry.
If it prompted you for the password then you are connecting properly to the remote machine and it is responding. If it is then just sitting there it could be an issue with the SSH daemon on the remote machine authenticating your connection. Unfortunately troubleshooting SSH is really beyond the scope of this article.
In my personal experience, sshd will often hang if the remote machine is not able to do a reverse lookup on the IP address that is connecting. If you are connecting from a machine with an RFC1918 IP (i.e. 192.168.x.x/24, 10.x.x.x/8, 172.16.x.x/16) and do not have reverse DNS entries for those IPs, that might be at fault. In that case however, it will hang for maybe 30 seconds (until the lookup times out) and then it should let you in. If it's still not letting you in, I'm honestly not sure what would be causing the problem. You might have some luck searching Google for "BSD sshd refuses connection" or "BSD ssh connection times out". Good luck!
-
Firewall Issues
2002-12-30 15:00:32 thdomo
As a relative novice, I'm wondering if anyone has had experience using VPN to connect from behind a Sustainable Networks' IPNetRouter?
I have the latest version of it running under OS 9 on an old PPC mac. The network guy at my office said that the NAT function on my router does not remove all the IP info from packets coming from my host machine. That once the packets reach my company's network, it can see the private IP number of my host and not the public IP of my router.
He said that the only way I could overcome this was to have my cable modem hooked directly to my host. And I don't want to do that cause then I won't have a LAN at home.
Any ideas or is there a trouble shooting article somewhere? I didn't see one on Apple's site.
-
Firewall Issues
2003-05-26 20:18:11 anonymous2
Sounds like IPNetRouter isn't doing NAT right. You should really be using something more modern than an OS 9 box for your router anyway. Options: (1) Figure out what's wrong with your obsolete router software, (2) install a newer *nix box (os x, linux, or something) and have it route for you instead, (3) spend $100 and buy a linksys router. Option #3 is definitely the easiest way to go, though also the least sexy.
-
Firewall Issues
2003-09-08 23:26:37 anonymous2
For PPTP to work across a NAT firewall, that NAT firewall needs special code to handle PPTP specifically. An older, simple NAT firewall won't work properly.
It's not a matter of not doing NAT right; it's a matter of trying to do NAT to PPTP when it shouldn't.
-
A note from the author
2002-12-23 10:52:18 Jason Deraleau
I'd like to apologize to those who were expecting more information in this article on IPSec. I hadn't realized that there was such a demand for IPSec material. Below are a couple of links to articles that I have found useful when creating IPSec connections in the past. You'll find that a lot of material written for FreeBSD on the subject will work on DarwinBSD (Mac OS X) as well:
http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
Thanks!
Jason
-
Cisco VPN
2002-12-21 19:39:22 wadesworld
Just a reminder to those who use Cisco VPN concentrators at work or school. Cisco has a graphical IPSEC VPN client for OS X.
-
PPTP is NOT a minority technology!
2002-12-21 13:57:50 anonymous2
...it's still the only viable way to do dial-up or on-demand VPNs without major hassles - IPSec can be extremely finicky to set up, and every vendor that purports to have a 'simple' IPSec solution that won't eat up your IT staff's time to troubleshoot is a damn liar.
-
PPTP is a minority VPN technology
2002-12-21 09:18:46 anonymous2
This article completely ignores IPsec, which is much more widely used as a VPN than PPTP. And, yes, IPsec is available on Jaguar. See the presentation about it given at the O'Reilly Mac OS X Conference: <http://conferences.oreillynet.com/cs/macosx2002/view/e_sess/3228>.
-
IPSEC
2002-12-20 21:37:09 anonymous2
What about ipsec? See the freebsd manual if you're serious about getting friendly with darwin.
-
IPSEC
2002-12-20 23:50:34 Jason Deraleau
Here's a link:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
The setkey command is present on Jaguar, so the examples provided on the link above should work. I haven't tested them personally yet though.
-
IPSEC
2002-12-20 23:45:54 Jason Deraleau
I've seen two requests for IPSec information. Perhaps in another article...
-
vtun!
2002-12-20 21:31:11 anonymous2
vtun is much more "tunneling for the masses" than ssh and ppp. plus you can also tunnel it thru ssh...
it's just different I guess...
-
vtun!
2002-12-20 23:45:10 Jason Deraleau
Looks like vtun is a project on SourceForge (http://vtun.sourceforge.net/) if anyone is interested.
-
The Gui Version
2002-12-20 20:49:41 anonymous2
Because my firewall doesn't support PPTP, I was left out for a while. But there are a few solutions out there. Notably VPN Tracker, from Equinux.
www.equinux.de/vpntracker/
From the looks of it, they are supporting many SB firewalls; SonicWall, WatchGuard, etc.
Something to consider, anyway.
Please advise me how to connect the snap gear device, or how to connect and share our system.