Ceci est une ancienne révision du document !
But le client initie une connexion ssh et monte une interface 'ppp0' sur le serveur. Le serveur NAT tout ce qui arrive sur cette interface sur le réseau local 'eth0' et tout se arrive sur l'interface eth0 vers ppp0.
Dans cette configuration :
Sur le serveur, seules quelques règles iptables sont nécessaires :
#autorise les requetes du client VPN $IPTABLES -A INPUT -s 192.168.35.0/24 -d 192.168.35.254 -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.35.254 -d 192.168.35.0/24 -j ACCEPT # NAT (LAN > VPN) $IPTABLES -A FORWARD -i eth0 -o ppp0 -m state ! --state INVALID -j ACCEPT $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # NAT (VPN > VPN) $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state ! --state INVALID -j ACCEPT $IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Le client doivent lancer ce script (/etc/init.d/vpnpppssh) :
#!/sbin/runscript # # This script initiates a ppp-ssh vpn connection. # see the VPN PPP-SSH HOWTO on http://www.linuxdoc.org for more information. # # revision history: # 1.6 11-Nov-1996 miquels@cistron.nl # 1.7 20-Dec-1999 bart@jukie.net # 2.0 16-May-2001 bronson@trestle.com # 2.1 23-jan-2006 anthony@nonsenz.org # # The rest of this file should not need to be changed. # PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/: # # required commands... # PPPD=/usr/sbin/pppd SSH=/usr/bin/ssh if ! test -f $PPPD ; then echo "can't find $PPPD"; exit 3; fi if ! test -f $SSH ; then echo "can't find $SSH"; exit 4; fi case "$1" in start) echo -n "Starting vpn to $SERVER_HOSTNAME: " ${PPPD} updetach noauth passive pty "sudo -u ${SERVER_USERNAME} ${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -p ${SERVER_PORT} -l ${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR} route add -net ${LAN_NETWORK} netmask ${LAN_NETMASK} gw ${SERVER_IFIPADDR} dev ppp0 echo " vpn connected." ;; stop) echo -n "Stopping vpn to $SERVER_HOSTNAME: " PID=`ps ax | grep "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -p ${SERVER_PORT} -l ${SERVER_USERNAME} -o" | grep -v ' passive ' | grep -v 'grep ' | awk '{print $1}'` if [ "${PID}" != "" ]; then kill $PID echo "disconnected." else echo "Failed to find PID for the connection" fi ;; config) echo "SERVER_HOSTNAME=$SERVER_HOSTNAME" echo "SERVER_USERNAME=$SERVER_USERNAME" echo "SERVER_IFIPADDR=$SERVER_IFIPADDR" echo "CLIENT_IFIPADDR=$CLIENT_IFIPADDR" ;; *) echo "Usage: vpn {start|stop|config}" exit 1 ;; esac exit 0
et /etc/conf.d/vpnpppssh
# The host name or IP address of the SSH server that we are # sending the connection request to: SERVER_HOSTNAME=ceric35.homelinux.org # The TCP port used by sshd (usually 22) SERVER_PORT=22 # The username on the VPN server that will run the tunnel. # For security reasons, this should NOT be root. (Any user # that can use PPP can intitiate the connection on the client) SERVER_USERNAME=vpnuser # The VPN network interface on the server should use this address: SERVER_IFIPADDR=192.168.35.254 # ...and on the client, this address: CLIENT_IFIPADDR=192.168.35.1 # Lan behind vpn server uses this addresses: LAN_NETWORK=192.168.0.0 LAN_NETMASK=255.255.255.0 # This tells ssh to use unprivileged high ports, even though it's # running as root. This way, you don't have to punch custom holes # through your firewall. LOCAL_SSH_OPTS="-P"