MULTIPLE VPN

Issues related to configuring your network
Post Reply
marcelofeb
Posts: 2
Joined: 2019/07/23 23:17:28

MULTIPLE VPN

Post by marcelofeb » 2019/07/24 02:09:00

Good night!
First sorry because I'm using google translator.
Now comes my doubts, I have a server using CentOS 7 minimal recently installed and all updated, I have some clients that have VPN servers, all types, PPTP, L2TP IPSEC ... I need to find a fast and easy way to configure these VPNs , they need to be always active and if the connection goes down, it needs to reconnect again, when restarting the server they need to connect automatically.
I tried to do for Webmin without success
I've been trying to solve this problem for a long time.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: MULTIPLE VPN

Post by aks » 2019/07/24 19:34:34

I need to find a fast and easy way to configure these VPNs
Sorry, no such thing. Each of these technology specific and "premeditated" configurations.
the connection goes down, it needs to reconnect again
That depends on the chosen VPN software.
when restarting the server they need to connect automatically.
I guess a systemd service could do this? But this will depend on your chosen VPN software. I feel that you could hook into NetworkManager, but that's probably dependant on what software you use.

marcelofeb
Posts: 2
Joined: 2019/07/23 23:17:28

Re: MULTIPLE VPN

Post by marcelofeb » 2019/07/25 02:00:12

Good night! Thanks for the reply aks, using nmtui I can create a vpn connection of type pptp, my client has a Windows Server with this protocol, I need my CentOS to connect to it remotely.
My Centos (VPN Client) ======> WindowsServer (PPTP VPN Server)
Unfortunately I don't know much so so many questions, thanks
Attachments
vpn.png
vpn.png (17.18 KiB) Viewed 1858 times

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: MULTIPLE VPN

Post by TrevorH » 2019/07/25 10:33:25

If you can find something other than pptp that would be good. It's been marked as "insecure, do not use" since about the early 2000's.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: MULTIPLE VPN

Post by aks » 2019/07/25 17:06:49

Okay, so you are planning to use the the software supplied by the yum repositories. What you have access to depends on what repositories you have configured and which packages you have installed.
I've been using NM with repository VPN software on Fedora (mainly for the "bleeding edge" software I usually require) for many years. AFAIK, a drop in the VPN has always resulted the VPN re-connecting fairly well - except when I'm directly interacting with something on the other side of the VPN connection - mainly because I would notice long before the VPN software has "worked out" that we need to retry. But that also depends on the nature of the outage.

So PPTP is pretty simple. The big problem is that (as Trevor alluded to):
1) The password hash (usually MSCHAPv2 or similar) can be reversed within a minute, regardless of password length (even up to the maximum length possible), characters involved (it's actually limited) and so on. Really the hash is okay if you had hardware from like mid-90s, but not now.
2) A "fair amount" of places (on the wider Internet) will block and/or drop that kind of traffic. I've had conversations with some ISPs where they will tell me that certain services (i.e.: protocols, ports etc.) have been requested to be dropped by their (the ISPs) clients. Obviously this is not the general case, but it is a case. I have experienced it whereby the ISP's official line is "we do not carry that kind of traffic", and Apple (specifically) doesn't allow it any-more.

Off the bat, think about going for IPSec type tunnels, with certificates (yes certificates still suck) and passwords - so mutli-factor (something you have, something you know). Even better, add another factor (like text message to confirm you are you - also something you have) for even better security. Further think about having multiple endpoints for your VPN connection (server side) and advertise the routes via an external routing protocol (like BGP).

PPTP wise it's fairly simple and Linux "defaults" are usually reasonable. I seems to recall (it's been a really long time now) that failures are usually something like LCP: Timeout sending Config-Request. PPTP uses a GRE tunnel, so local firewalls (and NATs) need to support that. In the old days we'd just grep syslog, but now you could do something like:
journalctl -u NetworkManager --no-pager
to find out why the VPN has failed. I also seem to recall that there is much help via Google for various LCP problems (LCP is the important thing in PPTP).

Post Reply