Linux VPN Masquerade


IP Masquerade is a feature of the Linux kernel that permits you to share secure access to the Internet. If you only have one connection to the Internet, whether it is a dial-up phone line, ISDN, DSL, a Cable modem, or something else, a Linux-based IP Masquerade firewall will allow you to share that access, permitting as many computers as you wish on your local network to communicate with the Internet simultaneously.

Your whole office (or family) can surf the World Wide Web, chat, do file transfers, play games and telecommute at the same time.

VPN Masquerade is the part of IP Masquerade which enables you to use IPSec-based and PPTP-based Virtual Private Network clients from behind a shared-access firewall.

This is primarily used for masquerading IPSec and PPTP VPN clients:

IPSec
Client -.
        |   Linux                                  IPSec
PPTP   -+-> Masq and --> Internet --> Firewall --> or PPTP
Client  |   Firewall                               Server
        |
Others -+
        |
No other software is needed to masquerade VPN clients.

It can also be used to provide access to a Private Network IPSec or PPTP server behind a Linux firewall...

IPSec                    Linux        Private-IP
or PPTP --> Internet --> Firewall --> PPTP or IPSec
Client                                Server
To do this you will also need two more pieces: the ipportfw port-forwarding kernel patch and configuration tool, to forward the initial 500/udp ISAKMP key-exchange and/or 1723/tcp PPTP control-channel traffic in to the server, and the IPFwd generic IP forwarding utility, to forward the IPSec ESP (50/ip) and/or PPTP GRE (47/ip) traffic in to the server. ipportfw handles only TCP and UDP ports, which is why the ESP and GRE traffic (neither of which is TCP or UDP) needs a separate forwarding tool. Details are available in the VPN Masquerade HOWTO.

If your VPN is based on tunnelling PPP over Secure Shell (as described in the VPN mini-HOWTO) it is handled by the standard IP Masquerade code, as ssh is a purely TCP protocol. You'll still need ipportfw if the VPN server is masqueraded (behind the firewall, with a private-network IP address) rather than on the firewall itself.


Why do I want this?

Once VPN Masquerade is configured you will no longer need to dial your ISP directly from your VPN client (or plug your VPN client into your cable modem) when you wish to access your VPN server. This means that all of the benefits of Linux shared access to the Internet remain available even while you are using your VPN to access a remote network - assuming, of course, your VPN server is available over the Internet. (If it isn't then VPN Masquerade probably won't buy you much.)

In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over the VPN) from all of the computers on your local network. I do this every day while working from my home.

Note for W'95/'98 VPN client users: sorry, but the W'95/'98 IP stack does not support IP forwarding (can we say "Brain Dead"?) or more than one simultaneous PPTP session.


Obtaining the VPN Masquerade patch

VPN Masquerade is incorporated into kernel releases 2.0.37 and later in the 2.0.x series. A patch is available for 2.0.36. The patch may work with earlier kernels, but it has not been tested. Work is proceeding on a version of the patch for the 2.2.x kernel series.

If you are using a kernel release earlier than 2.0.37 you can download the patch from:
[ FTP Mirror 1 | HTTP Mirror 1 ]

To download using Lynx: highlight the link, press "d" (download), and select "Save to Disk".


Configuring VPN Masquerade

First, you should be comfortable with recompiling your kernel...

Second, make sure that you have IP Masquerading compiled into your kernel and working properly. Setting up masquerading itself is beyond the scope of this document, and there is a HOWTO already available that describes the process. Also, I have written a GUI wrapper for the ipfwadm command that makes managing firewall and masquerade setup easier.

Third, make sure that your VPN connection works when you dial your ISP directly from your VPN client system.

This modification will go down much more easily if you take small bites and chew them thoroughly. Said another way, don't try to change six things simultaneously...

To install and configure VPN Masquerade, follow the directions given in the VPN Masquerade HOWTO, available at:
[ FTP Mirror 1 | HTTP Mirror 1 ]


Notes and other sites of interest

The IPSec AH protocol (51/ip) computes a keyed integrity check value over the immutable fields of the IP header, including the source and destination addresses, as well as over the AH header and the payload. Masquerading rewrites one of those addresses, and the masquerading firewall, which does not hold the security association's key, cannot recompute the check value. The masqueraded packets therefore fail the integrity check and are discarded by the IPSec server. IPSec implementations that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP, 50/ip, authenticates only the ESP header and payload, not the outer IP header, which is why ESP-based VPNs survive masquerading.)
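The following is an added illustration of the point above, not code from this page or from the VPN Masquerade patch. It builds a minimal IPv4 packet carrying either an AH or an ESP header, computes an HMAC-MD5-96 integrity check value scoped the way RFC 2402 (AH) and RFC 2406 (ESP) scope it, then rewrites an address exactly as a masquerading firewall would and re-verifies. It goes one step beyond the paragraph by also covering the inbound case from the "Private Network IPSec server behind a Linux firewall" section, where the firewall rewrites the destination address instead of the source. The key, SPI, sequence number, addresses and inner payload are constructed sample values, and the ESP side omits encryption because only the authentication scope matters here.

```python
"""Why masquerading breaks IPSec AH but not ESP.

Added illustration, not code from the original page or the VPN Masquerade
patch.  Key, SPI, sequence number, addresses and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ESP_PROTO = 50
KEY = b"constructed-sample-key"   # SA key; the masquerading firewall never has it
SPI = 0x00001000                   # constructed SPI
SEQ = 7                            # constructed sequence number
ICV_LEN = 12                       # HMAC-MD5-96 truncates the MAC to 96 bits


def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum (checksum field must be zero)."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields RFC 2402 treats as mutable in transit (TOS, flags and
    fragment offset, TTL, header checksum).  Source and destination addresses
    are left in: the ICV covers them, and that is the whole problem for NAT."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def hmac_md5_96(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    # AH: next header (4 = IP-in-IP), length in 32-bit words minus 2,
    # reserved, SPI, sequence, then the ICV computed with the ICV zeroed.
    ah_len = 12 + ICV_LEN
    ah_fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, SPI, SEQ)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    icv = hmac_md5_96(ah_immutable_view(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expect = hmac_md5_96(ah_immutable_view(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload)
    return hmac.compare_digest(expect, icv)


def build_esp_packet(src: str, dst: str, payload: bytes) -> bytes:
    # ESP: SPI, sequence, payload, ICV over SPI + sequence + payload only.
    # The outer IP header is not covered.  Encryption omitted on purpose.
    esp_body = struct.pack("!II", SPI, SEQ) + payload
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(esp_body) + ICV_LEN)
    return ip_hdr + esp_body + hmac_md5_96(esp_body)


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac_md5_96(body), icv)


def masquerade(pkt: bytes, new_addr: str, rewrite_dst: bool = False) -> bytes:
    """What the firewall does: rewrite the source (outbound client
    masquerading) or destination (inbound forwarding to a private-IP server)
    address and fix the IP checksum.  Without the SA key it cannot touch the
    AH or ESP ICV, so it forwards the packet with the ICV untouched."""
    h = bytearray(pkt[:20])
    off = 16 if rewrite_dst else 12
    h[off:off + 4] = ipaddress.IPv4Address(new_addr).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    payload = b"constructed inner packet"
    client, server, fw, private_srv = "192.168.1.10", "203.0.113.5", "198.51.100.2", "192.168.1.20"
    ah = build_ah_packet(client, server, payload)
    esp = build_esp_packet(client, server, payload)
    return {
        "ah_direct": verify_ah(ah),
        "ah_masqueraded": verify_ah(masquerade(ah, fw)),
        "esp_direct": verify_esp(esp),
        "esp_masqueraded": verify_esp(masquerade(esp, fw)),
        # inbound: Internet client -> firewall -> private-IP server (dst rewritten)
        "ah_forwarded_in": verify_ah(masquerade(build_ah_packet(server, fw, payload), private_srv, True)),
        "esp_forwarded_in": verify_esp(masquerade(build_esp_packet(server, fw, payload), private_srv, True)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'verifies' if ok else 'REJECTED'}")
```

Running it shows both AH cases rejected and all ESP cases verifying. The same reasoning applies to any tool in the chain that rewrites the outer header, so an inbound AH server behind ipportfw/IPFwd is no better off than an outbound AH client.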

If you want to implement an IPSec-based VPN on Linux, please visit the Linux FreeS/WAN site.

Please visit the Microsoft security announcements site for an important PPTP security update for Microsoft PPTP clients and servers. You may also be interested in an analysis of Microsoft's implementation of the PPTP protocol by one of the most respected members of the Crypto community. A second analysis and third analysis by others are also available.

There is also a freely-available native Linux PPTP client and server. Note that this software currently does not include encryption, but see this site or send email to Paul Cadach <paul@odt.east.telecom.kz> for M$-compatible encryption/compression patches for pppd.

Profuse thanks to Gordon Chaffee for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. Get the patch from:
[ FTP Mirror 1 | HTTP Mirror 1 ]

I've been using a masqueraded VPN through various incarnations of this patch with great success since September 7, 1997.

I only have an x86 box to test this on. Comments from users on other architectures are solicited.

The 2.1.65+ kernels natively support a tunnelling protocol based on GRE, but do not support PPTP natively in any way. See the HOWTO for more details on 2.1.x and 2.2.x kernels.

The patch conflicts with the IP Firewall Chains and ipportfw patches in trying to patch the kernel config files. This is non-critical. See the HOWTO for more details.

Yes, I know that IPSec is peer-to-peer.


You can contact me at <jhardin@wolfenet.com>. I'd like to hear your comments and suggestions, and particularly your problems with this patch. You can also visit the current version of this document, and take a look at my home page...

Disclaimer: No guarantees of functionality. Keep a working compiled kernel around in case this blows up.



© 1999 by John Hardin. You may copy this page as long as the content is unchanged (you can change the formatting to fit your site if you want) and the link to the original page is left intact.
$Id: ip_masq_vpn.html,v 1.9 1999-03-10 19:16:27-08 jhardin Exp jhardin $