The VPN Components Creating a VPN with PPP and SSH

The VPN Startup Script

Rather than starting up the VPN by hand, we used a modified VPN startup script that was also available in the Linux VPN HOWTO. This script is based on a skeleton used to build Unix startup scripts. You can find the script in the HOWTO itself, or the version we modified for our setup at http://www.vpn.outer.net under the Tools section.

The Slave's Scripts

These are very simple scripts that set up PPP and routing on the slave. Ours are available from the VPN web site.

8.4.2 Setting Up the VPN

Most people wouldn't call setting up the VPN a user-friendly process, but if you're comfortable compiling software and editing configuration files on a Unix system, and are willing to spend the time and effort, you shouldn't have too much trouble. Here is a brief summary of the steps to accomplish this:

1. Set up Linux on both the master and slave system.
2. Set up pppd on both systems.
3. Create a user account on the slave.
4. Set up SSH for RSA authentication on both systems.
5. Configure sudo on the slave.
6. Install and configure pty-redir on the master (modify if necessary).
7. Set up the VPN script on the master.
8. Set up a routing and PPP script on the slave.

In the subsections that follow, we'll take you through each of these steps.

8.4.2.1 Setting up the master and slave Linux systems

On both the master and slave systems, it's recommended that you strip them down to their essentials. It's better not to run something you don't need than to have it become a backdoor for an intruder. It's a good idea to remove the following services from your /etc/inetd.conf file: systat, netstat, finger, tftp, and the r utilities (rsh, rlogin, rexec, and friends). After the system is fully configured, you can also disable the telnet and ftp daemons in this file, the ultimate goal being that SSH is the only way to access the system. You're probably better off not installing sendmail, or you should at least keep it from starting by renaming the file to something else. Finally, make sure that you didn't install any other packages you don't need, such as BIND, NIS, NFS, X11, Samba, etc. Be minimalist.

You will need development tools, such as a C compiler (gcc is what we used), make, and C libraries. You'll also need a copy of the Linux kernel source code and the TCP/IP networking utilities installed (e.g., netstat, ifconfig, route, etc.). When configuring the kernel for compilation (for instance, when doing a make config under Linux), you shouldn't include any other network protocols besides TCP/IP and PPP. It's probably also best to tell the configuration program to optimize the system as a router rather than as a host. Whether or not you want to do IP masquerading or use the host as a firewall will depend on your particular needs. Don't augment the kernel with unnecessary capabilities, such as multimedia sound card drivers.
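The inetd trimming above is easy to get wrong by hand (a service left active because its line was edited but not commented, or a later package re-enabling ftp). The following script is an added example, not code from the book or from the authors' VPN web site; it disables the services the text names on a copy of inetd.conf and reports what is still enabled, so you can see the file go from nine active services down to none. The sample inetd.conf it builds is constructed for this example; on a real host you would point the functions at /etc/inetd.conf instead and send inetd a SIGHUP afterwards.

```sh
#!/bin/sh
# Added example: strip the inetd services the text lists, then verify nothing else is enabled.
# The r utilities appear in inetd.conf as the service names shell, login and exec
# (in.rshd, in.rlogind, in.rexecd).

VPN_DISABLE_SERVICES="systat netstat finger tftp shell login exec"
# Once SSH is confirmed working, telnet and ftp go too, so sshd is the only way in.
VPN_DISABLE_LATER="telnet ftp"

# disable_inetd_services FILE SERVICE...
# Writes FILE to stdout with every active line whose service name is in SERVICE... commented out.
# Comment and blank lines pass through untouched, so the file stays diff-friendly.
disable_inetd_services() {
    file=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { if ($1 in want) print "#" $0; else print }
    ' "$file"
}

# active_inetd_services FILE -> space-separated names of the services inetd would still start
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { printf "%s ", $1 }' "$1" | sed 's/ $//'
}

# make_sample_inetd_conf -> path to a constructed inetd.conf (not copied from any real host)
make_sample_inetd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Constructed sample inetd.conf for the example
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root   /usr/sbin/tcpd  in.rexecd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd -w
systat  stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd
EOF
    echo "$f"
}

# Stand-alone run: show the before/after on the constructed file.
if [ "${VPN_EXAMPLE_DEMO:-}" = 1 ]; then
    conf=$(make_sample_inetd_conf)
    echo "before: $(active_inetd_services "$conf")"
    disable_inetd_services "$conf" $VPN_DISABLE_SERVICES $VPN_DISABLE_LATER > "$conf.new"
    echo "after:  '$(active_inetd_services "$conf.new")'"
    rm -f "$conf" "$conf.new"
fi
```

On the real machine, run the same two functions against /etc/inetd.conf, install the output over the original, restart inetd with `kill -HUP` on its PID, and then confirm with `netstat -an` that port 22 (sshd) is the only TCP listener left; an inetd.conf with no active lines is the state the text is aiming for.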

8.4.2.2 Setting up the PPP daemon

The PPP daemon is also required on both systems. After you've extracted the source hierarchy, look at the README file appropriate to your system. On a Linux system, run the configure program to copy the Makefiles into place. Next, run make kernel, which will install the updated PPP drivers into your kernel source tree. You'll then have to build a new kernel with these drivers, install it, and reboot. If you've never built a new kernel before, carefully read the README file in the kernel source tree (typically /usr/src/linux). The book Running Linux by Matt Welsh and Lar Kaufman (O'Reilly & Associates) also describes in detail how to build a kernel.

On Linux, the PPP drivers can also be built as a kernel module. Modules are typically used to keep the kernel trim, as it doesn't have to load driver modules until they are needed. For this example, since we've already got a small kernel that only needs to do a few things, we just compiled PPP in directly.

If the reboot was successful, return to the PPP daemon source tree and run make to build pppd, the auxiliary programs, and the manpages, then run make install to put them into place.

In the version of pppd we used, 2.3.5, there was a bug in the Linux kernel driver updates that caused compilation to fail for 2.0.x kernels. While we expect that the authors will have this fixed in future releases, we thought that we would mention it here. If compilation of ppp.c fails with complaints about too few arguments in dev_kfree_skb, edit line 3079 in ppp.c and make VERSION equal to your version of the kernel (e.g., change 2,1,86 to 2,0,33). A good place to go for help on these types of problems is the USENET group comp.os.linux.networking or linux.dev.ppp.

Once everything is in place, try running pppd from the command line on both the master and slave. On the slave, put a file called .ppprc in vpn1's home directory containing only the word passive. You should see a bunch of garbage characters start to scroll across your terminal screen; that is pppd writing its LCP Configure-Request frames to the terminal, since nothing on the other end is speaking PPP. It should time out after thirty seconds or so, or you can escape from it by pressing Enter, then ~, then Control-Z. Then kill the suspended job with kill %1. If you didn't see garbage, something is probably wrong with the PPP daemon itself. On a Linux system, check the /var/adm/messages and /var/adm/syslog files for clues (or check /etc/syslog.conf to see where your log files reside). Typically, the messages file will tell you if the daemon started successfully, and syslog will give you protocol-specific errors. If the daemon doesn't believe that the PPP drivers are compiled into the kernel, it will give you a message stating so right away. Use the dmesg command to see if the PPP drivers were loaded.
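Reading the syslog output of the manual pppd test is the step people skip, so here is an added example (not from the book or from the pppd distribution) that triages the log for you: it tells you whether pppd never ran, refused to run because the kernel has no PPP driver, sent LCP Configure-Requests and timed out (the expected result when you run it against a bare terminal), or actually negotiated addresses with a peer. It also pulls out the PID of the last pppd instance so you have something to hand to kill if the job-control escape did not work. The log lines it is tested against are constructed for this example; the message texts they contain are the ones pppd itself logs, and the hostnames, PIDs and addresses are made up.

```sh
#!/bin/sh
# Added example: triage the pppd smoke test from the syslog file pppd writes to.
# Assumption: standard syslog line layout "Mon DD HH:MM:SS host pppd[PID]: message".
# Which file that is depends on /etc/syslog.conf (daemon.* facility); the text names
# /var/adm/messages and /var/adm/syslog, many systems use /var/log/messages.

# ppp_triage LOGFILE -> prints exactly one verdict:
#   not-started   no pppd lines at all: the daemon never ran, or daemon.* logs elsewhere
#   no-kernel-ppp pppd quit immediately because the kernel has no PPP driver
#   lcp-timeout   Configure-Requests went out and nobody answered: the normal result of
#                 running pppd against a bare terminal (check dmesg only if this is missing)
#   ipcp-up       IPCP finished and addresses were assigned, i.e. a real peer answered
#   started       pppd started but has logged nothing about the protocol yet
ppp_triage() {
    log=$1
    grep -q 'pppd\[[0-9][0-9]*\]:' "$log" 2>/dev/null || { echo not-started; return 0; }
    if grep -q 'lacks kernel support for PPP' "$log"; then
        echo no-kernel-ppp
    elif grep -q 'LCP: timeout sending Config-Requests' "$log"; then
        echo lcp-timeout
    elif grep -q 'remote IP address' "$log"; then
        echo ipcp-up
    else
        echo started
    fi
}

# ppp_last_pid LOGFILE -> PID of the most recent pppd instance seen in the log
ppp_last_pid() {
    sed -n 's/.*pppd\[\([0-9][0-9]*\)\]:.*/\1/p' "$1" | tail -1
}

# make_sample_log KIND -> path to a constructed log (KIND: timeout | nokernel | up | empty).
# Constructed for this example; only the pppd message strings are real.
make_sample_log() {
    f=$(mktemp) || return 1
    case $1 in
    timeout) cat > "$f" <<'EOF'
Mar  3 14:02:11 vpnslave pppd[417]: pppd 2.3.5 started by vpn1, uid 1001
Mar  3 14:02:11 vpnslave pppd[417]: Using interface ppp0
Mar  3 14:02:11 vpnslave pppd[417]: Connect: ppp0 <--> /dev/ttyp2
Mar  3 14:02:41 vpnslave pppd[417]: LCP: timeout sending Config-Requests
Mar  3 14:02:41 vpnslave pppd[417]: Connection terminated.
Mar  3 14:02:41 vpnslave pppd[417]: Exit.
EOF
    ;;
    nokernel) cat > "$f" <<'EOF'
Mar  3 13:55:02 vpnslave pppd[402]: This system lacks kernel support for PPP.  This could be because the PPP kernel module is not loaded, or because the kernel is not configured for PPP.  See the README.linux file in the ppp-2.3.5 distribution.
EOF
    ;;
    up) cat > "$f" <<'EOF'
Mar  3 14:10:30 vpnmaster pppd[233]: pppd 2.3.5 started by root, uid 0
Mar  3 14:10:30 vpnmaster pppd[233]: Using interface ppp0
Mar  3 14:10:30 vpnmaster pppd[233]: Connect: ppp0 <--> /dev/ttyp3
Mar  3 14:10:33 vpnmaster pppd[233]: local  IP address 192.168.40.1
Mar  3 14:10:33 vpnmaster pppd[233]: remote IP address 192.168.40.2
EOF
    ;;
    *) : > "$f" ;;
    esac
    echo "$f"
}

# Stand-alone run against the real log: sh this_script.sh /var/adm/messages
if [ -n "${1:-}" ]; then
    echo "verdict: $(ppp_triage "$1")  last pppd pid: $(ppp_last_pid "$1")"
fi
```

A verdict of no-kernel-ppp means the kernel step above was not completed (or the module is not loaded); lcp-timeout on both master and slave is what you want to see before moving on to the SSH and pty-redir steps, because it proves the daemon and driver work and only the transport is missing.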

8.4.2.3 Creating a user account on the slave

Because we're going to launch the VPN script on the master from startup, it will run as root, so there's no need to create a separate VPN account on that box. On the slave, however, it's better to create a separate account for the VPN connection rather than logging in as root. This will