VpnMac


VPN MAC
I have an almost identical requirement, only I want to access a Windows share. I have set up the vpn as per the wiki, using the Wiana IP for the client connection instead of vpnhost. In the realm I have a user with Username=vpn, password=vpn, class=vpn. The vpn client connection fails when it tries to validate username and password. Doing "cwradius vpn vpn" on the repeater gives the following:

1.141.47.83@meshbox:~# cwradius vpn vpn
DENIED
DENIED
rad_decode: Received Access-Reject packet from 213.219.19.76 with invalid signature!
No reply
1.141.47.83@meshbox:~#

The repeater has captive portal on and is set to Auth only. Wired captive portal is off. I can't see why this would make a difference, but I don't want to turn it on because I have 30+ wired clients I would need to add to the realm.
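What the "invalid signature" line in that output is checking, as an added illustration that is not from the thread or from cwradius: a RADIUS client verifies the Response Authenticator of every reply it gets (RFC 2865 section 3, MD5 over Code + ID + Length + RequestAuth + Attributes + Secret), and a reply whose authenticator does not match is discarded, which is what happens when the client and server are using different shared secrets, when the reply was not built for this request, or when the packet was altered in transit. The secrets, packet identifier and attribute values below are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(ident, attrs, request_auth):
    """Access-Request: the 16-byte Request Authenticator is random and chosen by the client."""
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(packet, request_auth, secret):
    """Client side: the check a RADIUS library reports as 'invalid signature' when it fails.
    True only if the reply's authenticator matches our own request authenticator and secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def exchange(client_secret, server_secret, tamper=False):
    """Constructed exchange: client sends an Access-Request for user 'vpn', server answers
    Access-Reject. Returns whether the client accepts the reply as genuinely signed."""
    request_auth = os.urandom(16)
    ident = 7  # constructed packet identifier
    request = build_request(ident, attr(1, b"vpn"), request_auth)  # 1 = User-Name
    # The server signs its reply over the authenticator it received in the request.
    reject = build_reply(ACCESS_REJECT, ident, attr(18, b"denied"),  # 18 = Reply-Message
                         request[4:20], server_secret)
    if tamper:
        # Flip one bit in the attributes: the authenticator no longer covers the packet.
        reject = reject[:-1] + bytes([reject[-1] ^ 0x01])
    return verify_reply(reject, request_auth, client_secret)


if __name__ == "__main__":
    print("same secret:      ", exchange(b"s3cret", b"s3cret"))
    print("different secret: ", exchange(b"s3cret", b"wrong"))
    print("tampered reply:   ", exchange(b"s3cret", b"s3cret", tamper=True))
```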

Create a vpn account in Wiana. Follow the instructions on the wiki about setting up vpn. HOWEVER- instead of putting vpnhost. as the vpn server, put in the Wiana ip of the meshbox that the email and samba shares are connected to. Once the vpn session has been established, you should have full connectivity to the LAN segment of that box.

> Can anyone tell me how to get client access to gateway lan email
> server &
> samba shares on the 1st hop from gateway node ?
>
> It works fine on the gateway itself.


I don't think that cwradius displays vpn authentication. I tested that on the vpn account I use and I get denied as well.

My repeater that I VPN into has captive portal on, auth only, and wired captive portal off. So my setup is identical in that aspect. I wonder if you substitute vpnhost. instead of the Wiana IP address, will you be able to authenticate? Try that first and let's see if vpn auth is set up correctly. Once you can authenticate to the local vpn host, you should be able to authenticate with the remote.

Oh - one thing that I should mention. I set my laptop to authenticate by MAC address FIRST... then I establish the vpn session to the remote access point.

> I have an almost identical requirement, only I want to access a Windows
> share. I have set up the vpn as per the wiki, using the Wiana IP for the
> client connection instead of vpnhost.
>
> In the realm I have a user with Username=vpn, password=vpn, class=vpn. The
> vpn client connection fails when it tries to validate username and
> password. Doing "cwradius vpn vpn" on the repeater gives the following:
>
> 1.141.47.83@meshbox:~# cwradius vpn vpn
> DENIED
> DENIED
> rad_decode: Received Access-Reject packet from 213.219.19.76 with invalid
> signature!
> No reply
> 1.141.47.83@meshbox:~#
>
> The repeater has captive portal on and is set to Auth only. Wired captive
> portal is off. I can't see why this would make a difference, but I don't
> want to turn it on because I have 30+ wired clients I would need to add to
> the realm.

> Create a vpn account in Wiana. Follow the instructions on the wiki
> about setting up vpn. HOWEVER- instead of putting vpnhost. as the vpn
> server, put in the Wiana ip of the meshbox that the email and samba
> shares are connected to.
>
> Once the vpn session has been established, you should have full
> connectivity to the LAN segment of that box.
>
> Best regards,
> Kenny
>
> On Sep 1, 2005, at 6:56 AM, Steve wrote:
>
>> Can anyone tell me how to get client access to gateway lan email
>> server &
>> samba shares on the 1st hop from gateway node ?
>>
>> It works fine on the gateway itself.
>>

Yes, in the situation you describe, vpn to the node which has the computer you want to connect to as a client device should work aok. Some example steps to get this going would be:

1) Create the vpn user
2) Test the vpn user on the local node to check that your PPTP is up and running (eg using the standard vpnhost. hostname)
3) Turn off the vpn and check you're authed on the node without it (eg via automac etc)
4) Try using the vpn user through the mesh on the remote node (by putting in the 1.x.x.x address of the remote node in as the vpn server)
5) Check that this remote vpn is working, can you ping the internet, ping the computer with the file share etc
6) Try accessing the file share with the \\192.168.x.x\ syntax in internet explorer.

Things I would watch out for would be that the remote computer is authed (may affect it) and that firewalls on the local client and remote computer are turned off (at least for initial testing).

If any of the nodes in the network are running older build25 releases then I recommend upgrading to a more recent version as there were some vpn fixes. Try for example: tobuild25dev106

An alternate way to do this would be using port mappings, so on the node with the computer with the file share you could set up two portmaps that look like this:

br:139 192.168.x.x:139
br:445 192.168.x.x:445

This would redirect ports 139 and 445 (windows networking ports) from that node's 1.x.x.x address to the remote computer (replace 192.168.x.x above with the real ip). You can then try to access the file share using the node's address at \\1.x.x.x\

I haven't personally tried this so I'd be interested to hear if it works.

> I think that he wants to do this on a repeater node. It sounds as if he is
> connecting to the mesh from one access point, and wishes to access the
> windows shares on a box connected to another access point, which is
> also a repeater - not the gateway.
>
> For instance, my computer at work is behind a repeater node. My
> computer at home is also behind a repeater node. At work I have VNC
> running (server mode) and at home I use a VNC client to access my
> computer at work.
>
> For security purposes, I have the firewall on the work computer setup
> to only allow VPN traffic from the local LAN segment. Therefore I have
> to have a 192.168.1.x IP address to get into that box. From the
> perspective of the VPN server, I am on the local LAN segment.
>
> That being said, is there an easier or better way to do this?
>
> Kenny
>
> On Sep 7, 2005, at 6:10 AM, Jon Anderson wrote:
>
> > Hi Gareth,
> >
> > I don't think you need to set up a vpn to access windows file shares
> > on the lan segment at the gateway end of your network. There is info
> > about doing this in the wiki page here:
> >
> > http://locustworld.com/tracker/wiki?p=WindowsFileShares
> >
> > You also can't use cwradius to test vpn login credentials. If you're
> > trying to vpn to another node/remote address then make sure you're
> > authenticated on the local node and also check that a local personal
> > firewall isn't blocking PPTP.
> >
> > Best Regards,
> >
> > Jon Anderson
> >
> > On Wednesday 07 September 2005 12:27, Gareth Owens wrote:
> >> Kenny
> >>
> >> I have an almost identical requirement, only I want to access a
> >> Windows share. I have set up the vpn as per the wiki, using the Wiana
> >> IP for the client connection instead of vpnhost.
> >>
> >> In the realm I have a user with Username=vpn, password=vpn,
> >> class=vpn. The vpn client connection fails when it tries to validate
> >> username and password. Doing "cwradius vpn vpn" on the repeater gives
> >> the following:
> >>
> >> 1.141.47.83@meshbox:~# cwradius vpn vpn
> >> DENIED
> >> DENIED
> >> rad_decode: Received Access-Reject packet from 213.219.19.76 with
> >> invalid signature!
> >> No reply
> >> 1.141.47.83@meshbox:~#
> >>
> >> The repeater has captive portal on and is set to Auth only. Wired
> >> captive portal is off. I can't see why this would make a difference,
> >> but I don't want to turn it on because I have 30+ wired clients I
> >> would need to add to the realm.
> >>
> >> Create a vpn account in Wiana. Follow the instructions on the wiki
> >> about setting up vpn. HOWEVER- instead of putting vpnhost. as the vpn
> >> server, put in the Wiana ip of the meshbox that the email and samba
> >> shares are connected to.
> >>
> >> Once the vpn session has been established, you should have full
> >> connectivity to the LAN segment of that box.
> >>
> >> Best regards,
> >> Kenny
> >>
> >> On Sep 1, 2005, at 6:56 AM, Steve wrote:
> >>> Can anyone tell me how to get client access to gateway lan email
> >>> server &
> >>> samba shares on the 1st hop from gateway node ?
> >>>
> >>> It works fine on the gateway itself.
> >>>
> >>> Steve.

I don't think you need to set up a vpn to access windows file shares on the lan segment at the gateway end of your network. There is info about doing this in the wiki page here:

http://locustworld.com/tracker/wiki?p=WindowsFileShares

You also can't use cwradius to test vpn login credentials. If you're trying to vpn to another node/remote address then make sure you're authenticated on the local node and also check that a local personal firewall isn't blocking PPTP.

Thanks for your replies. Kenny's interpretation is right, I have an XP machine on the wired subnet of my gateway and I want to access a Win 2003 server on the wired subnet of a repeater one hop away. The gateway subnet is 192.168.1.x and the repeater subnet 192.168.3.x.

I can auth via the gateway using vpnhost. as the vpn server, so my PPTP client is OK and so, it would appear, are the realm and user. However when I replace vpnhost. with the repeater's 1.x.x.x IP I can't auth. It seems to connect to the remote node then fail to verify username and PW. If I change the user's class to Member rather than vpn I can auth on the remote node.

Although I could use port mapping, I'm attracted by the possibility of access to the entire subnet on the wired-side of the repeater that the VPN should allow.

Did I mention both boxes are running dev98? Is this likely to be an issue?


I reckon you need to upgrade the nodes, anything from build25dev102 upwards should work with what you're trying to do. I recommend: getandverify tobuild25dev106

I think that he wants to do this on a repeater node. It sounds as if he is connecting to the mesh from one access point, and wishes to access the windows shares on a box connected to another access point, which is also a repeater - not the gateway.

For instance, my computer at work is behind a repeater node. My computer at home is also behind a repeater node. At work I have VNC running (server mode) and at home I use a VNC client to access my computer at work.

For security purposes, I have the firewall on the work computer setup to only allow VPN traffic from the local LAN segment. Therefore I have to have a 192.168.1.x IP address to get into that box. From the perspective of the VPN server, I am on the local LAN segment.

That being said, is there an easier or better way to do this?

The big difference that I see between the way you are doing this and the way I am doing it is in the fact that I have my laptop setup to "auto-MAC" authenticate anywhere in my network. Therefore I have full internet connectivity *before* I establish the VPN session.

One other thing I've found is that sometimes it will fail on the first try, but work on the second try. To get around that, I will open up a terminal window and ping the remote Wiana IP and once it begins pinging, I will establish the VPN session.

If you are not auto-MAC'd, I suspect that the local access point will not let your traffic go through to the remote access point... because you are not authenticated LOCALLY yet.

Make sense, or have you already auth'd locally?

> Thanks for your replies. Kenny's interpretation is right, I have an XP
> machine on the wired subnet of my gateway and I want to access a Win 2003
> server on the wired subnet of a repeater one hop away. The gateway subnet
> is 192.168.1.x and the repeater subnet 192.168.3.x.
>
> I can auth via the gateway using vpnhost. as the vpn server, so my PPTP
> client is OK and so, it would appear, are the realm and user. However when
> I replace vpnhost. with the repeater's 1.x.x.x IP I can't auth. It seems
> to connect to the remote node then fail to verify username and PW. If I
> change the user's class to Member rather than vpn I can auth on the remote
> node.
>
> Although I could use port mapping, I'm attracted by the possibility of
> access to the entire subnet on the wired-side of the repeater that the VPN
> should allow.
>
> Did I mention both boxes are running dev98? Is this likely to be an issue?

> Yes, in the situation you describe, vpn to the node which has the computer
> you want to connect to as a client device should work aok. Some example
> steps to get this going would be:
>
> 1) Create the vpn user
> 2) Test the vpn user on the local node to check that your PPTP is up and
> running (eg using the standard vpnhost. hostname)
> 3) Turn off the vpn and check you're authed on the node without it (eg via
> automac etc)
> 4) Try using the vpn user through the mesh on the remote node (by putting
> in the 1.x.x.x address of the remote node in as the vpn server)
> 5) Check that this remote vpn is working, can you ping the internet, ping
> the computer with the file share etc
> 6) Try accessing the file share with the \\192.168.x.x\ syntax in internet
> explorer.
>
> Things I would watch out for would be that the remote computer is authed
> (may affect it) and that firewalls on the local client and remote computer
> are turned off (at least for initial testing).
>
> If any of the nodes in the network are running older build25 releases then
> I recommend upgrading to a more recent version as there were some vpn
> fixes. Try for example: tobuild25dev106
>
> An alternate way to do this would be using port mappings, so on the node
> with the computer with the file share you could set up two portmaps that
> look like this:
>
> br:139 192.168.x.x:139
> br:445 192.168.x.x:445
>
> This would redirect ports 139 and 445 (windows networking ports) from that
> node's 1.x.x.x address to the remote computer (replace 192.168.x.x above
> with the real ip). You can then try to access the file share using the
> node's address at \\1.x.x.x\
>
> I haven't personally tried this so I'd be interested to hear if it works.


We would like to offer our business customers an On-net p2p vpn solution.

I.e. a business customer would like us to provide them with a wireless leased line across our network, which may involve multihops. But we would not want to get tied up in using the mesh vpn auth methods as discussed.

We would like to install wifi-CPE, vpn router>>> mesh-hop>>>>mesh-hop>>>> wifi-CPE, vpn router> customers lan

What's the best way of doing this? And will the customer still be limited by the client traffic shaping? Also, if the customer does not require internet access on the p2p vpn link, would they still need to be mac authenticated etc, or is the captive portal only for internet access and not On-net???
