VPN Configuration for Gentoo Linux at University of Sheffield

VPN Configuration for Gentoo Linux at University of Sheffield
Neil Shephard
Clinical Trials Research Unit
School of Health and Related Research
University of Sheffield
Regent Court
30 Regent Street
Sheffield
S10 2RX
n.shephard@sheffield.ac.uk / nshephard@gmail.com
November 30, 2009
1

Contents
1 Overview 3
2 Register for RATS 3
3 Kernel Configuration 3
4 Software 4
4.1 Install the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.2 Configuring vpnc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5 Checking your Router 5
6 Connecting to RATS 5
7 NFS 6
7.1 NFS/CIFS Kernel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.2 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.3.1 CICS / Novell Network Drives . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.3.2 GNU/Linux NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
8 References 9
2

1 Overview
Virtual Private Networks (VPN) provide a secure way of connecting to a secure network (The
University of Sheffield) from an unsecure network (e.g. anywhere else on the internet). They work
by implementing an additional network via software (as opposed to hardware) between the secure
network and the computer that you are connecting from and are used at the University of Sheffield
to provide access to staff and students from home so that they can take advantage of the services
provided by the University.
This document details how to install, configure and use a VPN under the Gentoo Linux distribution
to access the University of Sheffield. Its quite specific to the distribution but the information
should be general enough that it can be adapted and used for other Linux distributions.
2 Register for RATS
You must first register for Remote Access To Sheffield (RATS). These days 1 secure access is
provided by a Virtual Private Network (VPN) service from the University and you will be registered
for this as part and parcel of registering with CICS.
To retrieve your RATS password required for establishing a VPN connection simply go to the
Computer Account Management Facility. Once logged in select Request new Remote Access
(RATS) password and a new password will be emailed to your University email address. 2
3 Kernel Configuration
In order for VPN software to work under GNU/Linux the kernel must include the Universal
TUN/TAP device driver. Most common binary distributions such as Debian 3 , Fedora and SuSE
will likely already include this in the kernel (or if not as a module that will be automatically loaded
on the fly). However, you may find that whilst installing the software described below that you
are informed that your current kernel does not inlcude this support and you will therefore have to
compile your own kernel to include support.
How to compilie a kernel is beyond the scope of this document, but there are a number of useful
resources available. . .
• Gentoo Linux Kernel Upgrade Guide (If you’re only going to read one of these, read this one).
• The Linux Kernel HOWTO
• Upgrading the Linux Kernel on Red Hat Linux systems
1 I first attended University of Sheffield back in 1995 when RATS provided students and staff with dial-up access!
2 The remainder of these instructions are simply adapted from the Gentoo vpnc HowTo.
3 This includes the myriad of Ubuntu distributions and derivatives.
3

You will have to enable the following option in your kernel configuration, either directly in the
kernel or as a module, before compiling and installing your kernel. Note that this is the location
of the ✓driver
within the menuing system for kernel v2.6.31, it may differ for your kernel.
-> Device Drivers
-> Network device support (NETDEVICES [=y])
Universal TUN/TAP device driver support.
✒
To ☛ compile and install the new kernel (assuming you are in the /usr/src/linux/ directory. . .
darwin # make && make modules_install
darwin # cp arch/x86/boot/bzImage /boot/2.6.31-ice
✡
After compiling and installing, don’t forget to update your boot loader (whether ist GRUB or
LILO).
4 Software
This guide uses the vpnc software, but users should be aware that there are other options such as
OpenVPNor Cisco VPN Client 4 , but this document uses vpnc as its small, simple and easy to
install and configure.
4.1 Install the software
How to install vpnc will depend very much on the distribution you are using. Examples for a couple
of distributions are provided. Installation is straight forward. Select any of the possible USE flags
by adding ✬the
appropriate line to /etc/portage/package.use, for example. . .
✩
darwin # equery u net-misc/vpnc
* Searching for net-misc/vpnc ...
[ Legend : U - flag is set in make.conf ]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-misc/vpnc-0.5.3:
U I
- - bindist : Flag to enable or disable options for prebuilt (GRP)
packages (eg. due to licensing issues)
- - hybrid-auth : Enable hybrid authentication (certificates), only if
not redistributed as compiled binary
- - resolvconf : Enable support for DNS managing framework net-dns/openresolv
darwin # echo ’net-misc/vpnc resolvconf’ >> /etc/portage/package.use
✫
✪
Once ✞ you’ve set the desired USE flags simply emerge vpnc. . .
☎
darwin # emerge -av net-misc/vpnc
✝
✆
4 If you have succesfully installed and configured alternative VPN Clients, please consider contributing and expanding
this document. Please contact CICS in the first instance.
4
✏
✑
✟
✠

4.2 Configuring vpnc
Once installed you need to configure vpnc to connect to the University of Sheffield Network. The
configuration file is located at /etc/vpnc/vpnc.conf. The following example assumes that you’re
username for the Campus network is abc12xyz and that your RATS password is 12345678. Substitute
✤these
as appropriate.
IPSec gateway vpn.shef.ac.uk
IPSec ID Unishef
IPSec secret Unishef
Xauth username abc12xyz
Xauth password 12345678
✣
5 Checking your Router
If you have a router in place on your home network then you must ensure that it allows IPSec
Pass-through which enables IP (Internet Protocol) traffic to pass through the router. How you do
this will depend very much on your router and software and is beyond the scope of this document.
Please consult your routers documentation.
• Linksys Router Documentation
• Belkin Router Documentation
• Retrevo Manuals
6 Connecting to RATS
Once you’ve installed and configured the software correctly you are ready to connect to the University
of Sheffields VPN.
To start the service, su to root and start vpnc and check your ifconfig with. . .
5
✜
✢

✬
darwin # /etc/init.d/vpnc start
* Starting VPNC: vpnc...
darwin vpnc # ifconfig
eth0 Link encap:Ethernet HWaddr 00:1f:d0:20:79:79
inet addr:192.168.1.107 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21f:d0ff:fe20:7979/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110554423 errors:0 dropped:0 overruns:0 frame:0
TX packets:76252808 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:147275230677 (137.1 GiB) TX bytes:37278646011 (34.7 GiB)
Interrupt:30 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:84 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7668 (7.4 KiB) TX bytes:7668 (7.4 KiB)
✩
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:143.167.209.33 P-t-P:143.167.209.33 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:2824 (2.7 KiB)
✫
The important output is for the tun0 device which shows that traffic is being routed through
the University’s network
✪
5 .
You should now be connected to the internet and for all intent and purposes your traffic will
be routed through the Universities servers and you will be able to access electronic journals from
home and connect to MUSE.
7 NFS
Once you’ve sucessfully setup a VPN connection to the University what can you do with it? One
thing you can do is mount Network File Systems to your home computer and use them seamlessly
5 Domain 143.167.*.*.
6

(albeit with a bit of lag due to bandwidth limitations). There are a number of drives you may wish
to mount, such as the network space CICS provide, or if you have Linux installed on your work
computer you can configure it to export the local hard drives and mount them. There are two main
protocols that will be used to achieve this CIFS for mounting the network drives provided by CICS
and your department and NFS for mounting the local drives on your work computer.
7.1 NFS/CIFS Kernel Configuration
You must enable support for these protocols to work as a client in the kernel. Optionally if you
wish to setup your work (or home) server to have the harddrives available as NFS you will have to
enable ✬server
support too.
-> File Systems
[*] Network File Systems -->
NFS client support
[*] NFS client support for NFS version 3
[*] NFS client support for the NFSv3 ACL protocol extension
[*] NFS client support for NFS version 4 (EXPERIMENTAL)
[ ] NFS client support for NFSv4.1 (DEVELOPER ONLY)
[*] Root file system on NFS
NFS server support
[*] NFS server support for NFS version 3
[ ] NFS server support for the NFSv3 ACL protocol extension
[ ] NFS server support for NFS version 4 (EXPERIMENTAL)
< > SMB file system support (OBSOLETE, please use CIFS)
CIFS support (advanced network filesystem, SMBFS successor)
[ ] CIFS statistics
[ ] Support legacy servers which use weaker LANMAN security
[ ] Kerberos/SPNEGO advanced session setup
[ ] CIFS extended attributes
[ ] Enable additional CIFS debugging routines
[ ] DFS feature support
✫
[ ] CIFS Experimental Features (EXPERIMENTAL)
7.2 Software
You now need to install the software software that allows you to mount the network drives. For
the shared network drives that CICS and your department provide this requires the mount-cifs
package. ✞ For the local hard-drives on your work Linux computer this requires nfs-utils. . .
darwin # emerge -av mount-cifs
✝
7
✩
✪
☎
✆

7.3 Configuration
7.3.1 CICS / Novell Network Drives
You must create the file /etc/nfs_share.credentials which should contain your CICS username
and password substitute these in the example below. To ensure the security of your connection
you✓must also change the permissions so that only the root user can read and write this file. . .
darwin # echo ’username=abc12xyz’ > /etc/nfs_share.credentials
darwin # echo ’password=123456789’ >> /etc/nfs_share.credentials
✒
darwin # chmod 0600 /etc/nfs_share.credentials
Now create a mount point and change ownership to your normal user (otherwise you will be
unable to write to the drive). In the example below we mount the CICS directory for user abc12xyz
which is on the server Darkwood, the account username on the home computer is me, again substitute
these ✎appropriately.
. .
darwin # mkdir /mnt/abc12xyz
darwin # chown -R me:me /mnt/abc12xyz
✍
Now add a line to your /etc/fstab file so that you can mount and unmount the network
drive. ✓.
.
## Work NFS drives
//Darkwood/abc12xyz /mnt/abc1def cifs credentials=/etc/nfs_share.credentials,
rw,uid=me,gid=me,umask=133 0 0
✒
You should now be able to mount the drive as root, and as a normal user create and modify
files. ✓.
.
darwin # mount /mnt/abc1def
darwin # exit
✒$
echo ’Hello World!’ > /mnt/abc1def/test.txt
7.3.2 GNU/Linux NFS
TODO!
8
✏
✑
☞
✌
✏
✑
✏
✑

8 References
• Gentoo vpnc HowTo
• Gentoo Wiki : Samba
9