15 February 2009

VPN on FreeBSD

For various pressing reasons, and out of plain curiosity about building an anonymous network, I decided to try a VPN client on this FreeBSD router. First I reviewed the applications I might use, among them pptpclient-1.7.1, mpd/mpd4/mpd5 and OpenVPN.

From my own analysis, pptpclient-1.7.1 leans toward the Linux style, and after running it for a whole day I concluded it is not very stable on FreeBSD. OpenVPN I have not had a chance to try yet. For mpd I tried mpd, mpd4 and mpd5 in turn, and mpd looks more BSD-style.

After two days of trying I settled on mpd, for these reasons:
  1. It is more BSD-style, since the developers are also from the FreeBSD Project team.
  2. Custom configuration is more orderly, with more options and fuller support.
  3. It runs more stably on FreeBSD.
Here are the steps:
1. Install mpd from the ports tree:
# cd /usr/ports/net/mpd/
# make extract
# cd /usr/ports/net/mpd/work/mpd-3.18/src/
# vim iface.c
/* Add loopback route */
ExecCmd(LG_IFACE, "%s add %s -iface lo0", PATH_ROUTE, inet_ntoa(iface->self_addr));
if (Enabled(&iface->options, IFACE_CONF_RADIUSROUTE)) {
    for (i = 0; (i < bund->radius.n_routes) && (bund->iface.n_routes < IFACE_MAX_ROUTES); i++) {
        memcpy(&(iface->routes[iface->n_routes++]), &(bund->radius.routes[i]), sizeof(struct ifaceroute));
    };
    Log(LG_IFACE, ("[%s] IFACE: using %d RADIUS routes", bund->name, bund->radius.n_routes));
}
And:
/* Delete loopback route */
ExecCmd(LG_IFACE, "%s delete %s -iface lo0",
        PATH_ROUTE, inet_ntoa(iface->self_addr));
Put that code inside a block comment, to remove the routing to the loopback interface (lo0), then save.
# make install clean
2. Configure mpd.conf and mpd.links:
# cat /usr/local/etc/mpd/mpd.conf
default:
      load vpn01
vpn01:
      new -i ng0 vpn01 vpn01
      set bundle authname ******
      set bundle password ******
      set bundle disable multilink

      set iface idle 0
      set iface enable tcpmssfix
      set iface disable on-demand

      set ipcp no vjcomp
      set ipcp ranges 0.0.0.0/0 0.0.0.0/0

      set link no pap acfcomp protocomp
      set link disable chap
      set link accept chap
      set link keep-alive 30 10
      set link ident mpd
      set link mtu 1460
      set link max-redial 0
      open
# cat /usr/local/etc/mpd/mpd.links
vpn01:
      set link type pptp
      set pptp mode active
      set pptp enable originate outcall
      set pptp disable incoming
      set pptp peer IP_REMOTE_VPN
3. Test by running the mpd daemon and checking the log file:
# rehash
# mpd
# fgrep -A1 mpd /etc/syslog.conf 
!mpd
*.*                         /var/log/ppp.log
# fgrep ppp /etc/newsyslog.conf
/var/log/ppp.log        root:network    640  3     500  *     JC
# kill -HUP `cat /var/run/syslog.pid`
Edit the files above, then restart the syslog daemon.
# tail /var/log/ppp.log
Feb 15 09:00:33 router mpd:  IPADDR 12.12.13.78
Feb 15 09:00:33 router mpd: [vpn01] IPCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
Feb 15 09:00:33 router mpd:  IPADDR 12.12.13.78
Feb 15 09:00:33 router mpd: [vpn01] IPCP: state change Ack-Sent --> Opened
Feb 15 09:00:33 router mpd: [vpn01] IPCP: LayerUp
Feb 15 09:00:33 router mpd:  12.12.13.78 -> 10.0.0.1
Feb 15 09:00:33 router mpd: [vpn01] IFACE: Up event
Feb 15 09:00:33 router mpd: [vpn01] setting interface ng0 MTU to 1400 bytes
Feb 15 09:00:33 router mpd: [vpn01] exec: /sbin/ifconfig ng0 12.12.13.78 10.0.0.1 netmask 0xffffffff -link0
Feb 15 09:00:33 router mpd: [vpn01] IFACE: Up event
# ifconfig ng0
ng0: flags=88d1 metric 0 mtu 1400
     inet 12.12.13.78 --> 10.0.0.1 netmask 0xffffffff
4. Make sure the gre(4) protocol is allowed through the firewall:
# grep GRE /etc/protocols
gre     47      GRE             # Generic Routing Encapsulation
# grep gre /etc/rc.firewall
${fwcmd} add 400 allow gre from any to any
# grep gre /etc/ipf.rules
pass  in        quick proto gre from any to any
pass  out       quick proto gre from any to any
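As an added example (not part of the original post and not mpd's own code), here is a small post-setup check that ties steps 3 and 4 together: it reads ppp.log lines in the format shown above and reports whether the bundle's IPCP state reached Opened and which local/remote addresses mpd configured, then scans a firewall rule file for a rule that passes GRE (protocol 47), accepting both the ipfw "allow gre" and the ipf "pass ... proto gre" syntax shown in step 4. The bundle name vpn01, the function names and the three sample files are constructed assumptions for the demo.

```shell
#!/bin/sh
# Tunnel health check for the mpd PPTP client set up in this post.
# Added example, not from the original post. It assumes the ppp.log line
# format shown in step 3 and the ipfw/ipf rule syntax shown in step 4; the
# bundle name "vpn01" and the sample files below are constructed for the demo.

# Last IPCP state the bundle reached, taken from its "state change X --> Y"
# log lines. Prints "Opened" once IPCP is up, nothing if no such line exists.
ipcp_last_state() {
    bundle=$1; logfile=$2
    grep "\[$bundle\] IPCP: state change" "$logfile" \
        | sed -n 's/.*--> \([A-Za-z-]*\).*/\1/p' \
        | tail -n 1
}

# Local and remote tunnel addresses from the ifconfig command mpd logs when
# the interface comes up; printed as "LOCAL REMOTE".
tunnel_addresses() {
    bundle=$1; logfile=$2
    grep "\[$bundle\] exec: /sbin/ifconfig" "$logfile" \
        | tail -n 1 \
        | awk '{ for (i = 1; i <= NF; i++)
                     if ($i == "/sbin/ifconfig") { print $(i+2), $(i+3); exit } }'
}

# Exit 0 if the rule file passes GRE: an ipfw "allow gre" rule or an ipf
# "pass ... proto gre" rule. Comment lines and block/deny rules do not count.
gre_allowed() {
    rulefile=$1
    grep -v '^[[:space:]]*#' "$rulefile" \
        | grep -Eq 'allow[[:space:]]+gre[[:space:]]|^[[:space:]]*pass[[:space:]].*proto[[:space:]]+gre([[:space:]]|$)'
}

# Combined check: exit 0 when the tunnel is up and GRE is passed,
# 1 when IPCP never reached Opened, 2 when the firewall would drop GRE.
vpn_check() {
    bundle=$1; logfile=$2; rulefile=$3
    state=$(ipcp_last_state "$bundle" "$logfile")
    if [ "$state" != "Opened" ]; then
        echo "$bundle: IPCP state is '${state:-unknown}', tunnel is not up" >&2
        return 1
    fi
    if ! gre_allowed "$rulefile"; then
        echo "$bundle: no firewall rule passes GRE (protocol 47); PPTP data would be dropped" >&2
        return 2
    fi
    echo "$bundle: up, local/remote $(tunnel_addresses "$bundle" "$logfile"), GRE allowed"
    return 0
}

# Constructed samples (not real captures): a log in the step 3 format, an
# ipfw ruleset that passes GRE, and an ipf ruleset that blocks it.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ppp.log" <<'EOF'
Feb 15 09:00:33 router mpd: [vpn01] IPCP: state change Req-Sent --> Ack-Sent
Feb 15 09:00:33 router mpd: [vpn01] IPCP: state change Ack-Sent --> Opened
Feb 15 09:00:33 router mpd: [vpn01] IPCP: LayerUp
Feb 15 09:00:33 router mpd: [vpn01] exec: /sbin/ifconfig ng0 12.12.13.78 10.0.0.1 netmask 0xffffffff -link0
Feb 15 09:00:33 router mpd: [vpn01] IFACE: Up event
Feb 15 09:05:10 router mpd: [vpn02] IPCP: state change Req-Sent --> Closed
EOF
cat > "$SAMPLE_DIR/rc.firewall" <<'EOF'
# ${fwcmd} add 390 deny gre from any to any
${fwcmd} add 400 allow gre from any to any
EOF
cat > "$SAMPLE_DIR/ipf.rules" <<'EOF'
block in  quick proto gre from any to any
block out quick proto gre from any to any
EOF

vpn_check vpn01 "$SAMPLE_DIR/ppp.log" "$SAMPLE_DIR/rc.firewall" || echo "check failed, status $?"
vpn_check vpn02 "$SAMPLE_DIR/ppp.log" "$SAMPLE_DIR/rc.firewall" || echo "check failed, status $?"
vpn_check vpn01 "$SAMPLE_DIR/ppp.log" "$SAMPLE_DIR/ipf.rules"   || echo "check failed, status $?"
```

On the router itself the same functions can be pointed at the real files, e.g. vpn_check vpn01 /var/log/ppp.log /etc/rc.firewall, to re-run the check after a reboot; an IPCP state other than Opened, or a missing GRE rule while the TCP control connection still succeeds, is the usual explanation for a tunnel that negotiates but carries no traffic.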
5. Write a small script to start/restart/stop the mpd daemon:
# cat mpd.sh
#!/bin/sh
# Start, stop or restart the mpd VPN client; the daemon's pid is kept in /var/run/mpd.pid.
MPD=/usr/local/sbin/mpd
PIDFILE=/var/run/mpd.pid

case "$1" in
  start)
     $MPD -b -p "$PIDFILE"
     echo 'Starting VPN...'
     ;;
  stop)
     $MPD -k "$(cat "$PIDFILE")" > /dev/null
     echo 'Shutting down VPN...'
     ;;
  restart)
     $MPD -k "$(cat "$PIDFILE")" > /dev/null
     $MPD -b -p "$PIDFILE"
     echo 'Restarting VPN...'
     ;;
  *)
     echo "Usage: $(basename "$0") {start|stop|restart}" >&2
     exit 1
     ;;
esac
exit 0