Setting up an L2TP VPN with pfSense

UPDATE: I think it is important that I inform readers that this guide is strictly for setting up and using L2TP. It has come to my attention that many of you are looking for an L2TP/IPSec solution, which is currently not supported in pfSense as of the version I am using (2.0.1). I will update this post with full L2TP/IPSec instructions once this functionality has been added in new versions of pfSense.

I’ve been toying around with setting up a home VPN for about a week or so now, which has progressively improved.  At first, I had a working VPN implementation with PPTP and life was good.  But apparently  PPTP is known to be less secure than other methods.  So that got me thinking about beefing up my security.  Here’s a quick summary I found.

PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.

After discovering this information I decided to poke around for a little bit to decide what would work the best for me. There were pretty much two options when it came down to setting up my VPN server the way I wanted it: L2TP and OpenVPN. They are both considered secure and from what I’ve read OpenVPN is considered slightly better. The reason I chose L2TP is because it is built in to the VPN client on pretty much every OS these days, making client setup and configuration fairly quick and painless (I’m sure it’s not difficult to set up and use OpenVPN either but I didn’t get that far, maybe I will experiment with it in the future).

There isn’t really all that much to getting things up and going.  Open up the pfSense management interface and navigate to the L2TP VPN settings.  VPN -> L2TP

Next, we have to configure our settings.

  • Server address – Use an IP address that doesn’t fall into the subnet that the VPN clients connect to.  I used my external IP address to make things easier.
  • Remote address range – This will be the subnet that VPN clients connect to.  I am using the 192.168.2.0/24 subnet.
  • Subnet mask – I am using the entire subnet so I chose /24.
  • Number of L2TP users – pretty self explanatory, I have 10 right now for testing purposes.

I left everything else as the default initially.  Here is what the configuration page looked like for me when I got everything working.  Remember to change these values accordingly.

Next we need to throw up some user accounts.

So far so good.  Now we need to set up some traffic rules for our L2TP clients that connect.  This is the absolute most basic method you can go with, so if you have constraints here you will need to adjust these settings.

The last and most important piece to get this working is setting up the firewall rules for the WAN interface.  I got stuck at this part and didn’t realize there were two sets of ports that I needed to allow through for things to work correctly.  Port 500 for Internet Key Exchange (IKE) UDP traffic and port 1701 for L2TP UDP traffic.  Here’s what the rules look like.

That should be it.  Try connecting to your VPN server with an endpoint client.  I was testing this with my Android phone and had no problems after creating the two firewall rules.  Happy VPNing!

 


Updating Ubuntu (10.04 and up) to use Sun Java

I am in the middle of a home project to build a virtual environment using Proxmox and I am running into Java issues. Since Proxmox uses Java as a VNC console, it is necessary to use the correct version (of Java) to access VMs.  By using the wrong version you can cause instability issues and thus bad things to happen.

This is not just a problem with Proxmox either; there are a few other programs and apps that behave poorly with this version of Java, notably for me, Minecraft. Apparently newer versions of Ubuntu have shipped with the OpenJDK version as their default version, and in this post I will discuss how to switch to the Sun Java 6 version.

Switch to the appropriate directory (in my case I used my home directory) and either punch these commands in or copy/paste them to get Ubuntu to see the correct repos.

cd ~/
wget https://raw.github.com/flexiondotorg/oab-java6/master/oab-java6.sh -O oab-java6.sh
chmod +x oab-java6.sh
sudo ./oab-java6.sh

Once this script goes through and does its thing you should have access to the old sun-java6 repos.  So to install the correct pieces for Proxmox use apt-get to install the appropriate packages.

sudo apt-get install sun-java6-jre sun-java6-fonts sun-java6-plugin

To set system settings to prefer Sun Java over the OpenJDK version type the following commands:

sudo update-alternatives --set java /usr/lib/jvm/java-6-sun/jre/bin/java
sudo update-alternatives --set javaws /usr/lib/jvm/java-6-sun/jre/bin/javaws
sudo update-alternatives --set mozilla-javaplugin.so /usr/lib/jvm/java-6-sun/jre/lib/*/libnpjp2.so

Now you should have a much more stable experience using Proxmox and the console to take a look at your VM’s!  I can’t take the credit for this but I can ease the burden for anybody that comes across this post.

References:
https://github.com/flexiondotorg/oab-java6
http://pve.proxmox.com/wiki/Java_Console_(Ubuntu)


Protip: January

I found this one a little while back and figured I might as well share it out since not that many people I talk to seem to know about it. For the longest time if I wanted to search through all my old commands I would do something like this:

history | less

and just kind of wade my way through previously executed commands, which is not very efficient. Once I started getting lazier and the list of items in my history cache grew, I started to use this one:

history | grep -i "bleh"

This is a little better, but still a lot more searching and typing than I want. Finally, thanks to the helpful folks over at reddit, I stumbled across this hidden gem:

Ctrl + r "bleh"

So, just press the Ctrl and R keys and then type a piece of the command you are looking for, bleh in this example, then just hit tab to pull the command up you were looking for once you have enough of the string matched. This is a shortcut that executes the “reverse-i-search” command, and it is freakin awesome. So if there was a command you ran a really long time ago and can’t remember the syntax 100% but know the general idea, you can use this to capture the pieces you do remember, saving yourself all that extra time of having to go back through trying to figure out what the hell you were doing.


A Brief Overview of the Linux chattr Command

I recently watched a talk given by Raphael Mudge, the creator of Armitage, entitled “Dirty Red Team Tricks”. In this talk he basically goes over the basics of how to play the hacker version of capture the flag from the point of view of the offensive team or attackers, the red team (pretty self explanatory right?). It was a really good watch, and he demonstrated some really neat little tricks to the audience, including how to use Armitage effectively. Here is the link if you would like to view the presentation.

There was one very curious trick he mentioned in his talk that I want to focus this post on and to save as a note to myself for future reference. That is the chattr command.

The main use case for this command is to essentially make a file immutable by setting the “+i” flag. This is similar to using the attrib command in DOS on Windows.  So for instance, you could do something like change the attributes of a password file or any other important file that you didn’t want getting altered by issuing the following command:

chattr +i some_file_name

Note, you must be root or in the sudo group to use this. Until the flag to turn this off is issued, even the root user cannot change the file, how cool is that?! I see why Mudge likes to use this dirty little trick when competing in capture the flag games now. So to check what attributes a particular file has applied to it you can use the lsattr command as follows, notice that the i flag is now set for the file:

lsattr some_file_name
----i------------e- some_file_name

And finally, to switch this flag off use the following command:

chattr -i some_file_name

We can check again to see if the flag actually got turned off:

lsattr some_file_name
-----------------e- some_file_name

That’s it. I couldn’t believe how simple this nasty little trick was to use but how effective it may be in a given situation. I hope this post was helpful for you, and seriously, you should check out Armitage if you are messing around with penetration testing tools, Raphael Mudge is a really smart dude.
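
Because an immutable file silently refuses changes, it is useful to be able to list which files on a host carry the flag. The following is an added example, not part of the original post or the talk: it parses lsattr output and reports files with the i (immutable) or a (append-only) attribute. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report files whose lsattr flags include i (immutable) or
# a (append-only). Reads lsattr output on stdin, so it needs no root access.
# On a live system: lsattr -R /etc 2>/dev/null | find_flagged

find_flagged() {
    awk '
        # Record lines are "<flags> <path>". Blank lines and the "dir:"
        # headers printed by lsattr -R have no flag field and are skipped.
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
            flags = $1
            path = substr($0, length(flags) + 2)  # keeps spaces in names
            label = ""
            # index() is case-sensitive, so "I" (indexed dir) is not "i".
            if (index(flags, "i")) label = "immutable"
            if (index(flags, "a")) label = (label == "" ? "" : label ",") "append-only"
            if (label != "") printf "%s\t%s\n", label, path
        }
    '
}

# Constructed sample in the lsattr format shown above (not real output).
sample_lsattr() {
    cat <<'EOF'
----i------------e- /etc/passwd
-----------------e- /etc/hosts
-----a-----------e- /var/log/auth.log

/home/user:
----i------------e- /home/user/my notes.txt
------------I----e- /home/user/bigdir
----ia-----------e- /home/user/.bashrc
EOF
}

sample_lsattr | find_flagged
```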


My favorite browser is Windows

So I’ve been getting acclimated to my new environment at work and have been thinking more and more about how much I miss Linux and the command line.  The new environment is nearly entirely a Windows based environment and I feel like my productivity has dropped without the option for using the command line, hence the title of this article.  It seems like the most productive aspect of my Windows experience is using a web browser.

At my previous place of employment I got so used to the command line that I take it for granted now, as I could do nearly all of my daily work from the command line (aside from web browsing and email; I never made that jump).  In this post I would like to highlight some of the command line tools that I am talking about and how they contributed to my productivity in a former life (although I still take advantage of them at home obviously).

The first and most important piece of the command line experience is getting a good terminal multiplexer. I have played with both screen and tmux, but have to say that out of the two I like using tmux more.  Both of them can do nearly identical things, but I just became more attached to tmux the more that I played with it; one thing that drew me in was the quick and easy screen splitting functionality of tmux.

After much experimentation I finally have a .tmux.conf config file that I feel comfortable with that utilizes all of the settings I like and need as well as the bindings to match those in screen along with a few other neat tricks.

# This configuration file binds many of the common GNU screen key bindings to
# appropriate tmux key bindings. Note that for some key bindings there is no
# tmux analogue and also that this set omits binding some commands available in
# tmux but not in screen.
#
# Note this is a good starting point but you should check out the man page for more
# configuration options if you really want to get more out of tmux

### Unbind existing tmux key bindings (except 0-9).

# Set the prefix to ^A.
unbind C-b
set -g prefix ^A
bind a send-prefix

# Bind appropriate commands similar to screen.
# lockscreen ^X x
unbind ^X
bind ^X lock-server
unbind x
bind x lock-server

# screen ^C c
unbind ^C
bind ^C new-window
unbind c
bind c new-window

# detach ^D d
unbind ^D
bind ^D detach

# displays *
unbind *
bind * list-clients

# next ^@ ^N sp n
unbind ^@
bind ^@ next-window
unbind ^N
bind ^N next-window
unbind " "
bind " " next-window
unbind n
bind n next-window

# other ^A
unbind ^A
bind ^A last-window

# prev ^H ^P p ^?
unbind ^H
bind ^H previous-window
unbind ^P
bind ^P previous-window
unbind p
bind p previous-window
unbind BSpace
bind BSpace previous-window

# windows ^W w
unbind ^W
bind ^W list-windows
unbind w
bind w list-windows

# quit \ (quoted so the backslash is not read as a line continuation)
unbind '\'
bind '\' confirm-before "kill-server"

# kill K k
unbind K
bind K confirm-before "kill-window"
unbind k
bind k confirm-before "kill-window"

# redisplay ^L l
unbind ^L
bind ^L refresh-client
unbind l
bind l refresh-client

# More straight forward key bindings for splitting
unbind %
bind | split-window -h
bind v split-window -h
unbind '"'
bind - split-window -v
bind h split-window -v

# History
set -g history-limit 10000

# Terminal emulator window title
set -g set-titles on
set -g set-titles-string '#S:#I.#P #W'

# Status Bar
set -g status-bg black
set -g status-fg white
set -g status-interval 1
#set -g status-left '#[fg=green]#H#[default]'
set -g status-left '#[fg=green](#S) #(whoami)@#(host `hostname` | cut -d " " -f 4)'
set -g status-right '#[fg=yellow]#(cut -d " " -f 1-4 /proc/loadavg)#[default] #[fg=cyan,bold]%Y-%m-%d %H:%M:%S#[default]'

# Notifying if other windows has activities
setw -g monitor-activity on
set -g visual-activity on

# Highlighting the active window in status bar
setw -g window-status-current-bg red

# Clock
setw -g clock-mode-colour green
setw -g clock-mode-style 24

# Hostname and IP address
#set -g status-right '#[fg=white]#(hostname)@#(host `hostname` | cut -d " " -f 4)'
#set -g status-right '#[fg=white]#(host `hostname` | cut -d " " -f 4)'

The most important part of how you utilize your tmux experience is the management of your sessions.  Within tmux I usually have at least four terminals open for various different tasks: at least one term for bash, one for the Irssi command line IRC client, one for the ipython Python interpreter and one for editing text files (I use Vim but that is a separate topic).  Once you get comfortable with the key combinations for navigation and other tasks, tmux can increase your productivity a great deal. As I stated, in my daily work the only things I don’t use the command line for are email and web browsing, which I know is possible; I just never tried to make the switch. I would still like to do so at some point in the future.

If you have any command line-fu you would like to share, let me know or post in the comments section. I always love hearing about what others are doing and incorporating it into my own bag of tricks.
