Linux VPN Masquerade


IP Masquerade is a feature of the Linux kernel that permits you to share secure access to the Internet. If you only have one connection to the Internet, whether it is a dial-up phone line, ISDN, DSL, a Cable modem, or something else, a Linux-based IP Masquerade firewall will allow you to share that access, permitting as many computers as you wish on your local network to communicate with the Internet simultaneously.

Your whole office (or family) can surf the World Wide Web, chat, do file transfers, play games and telecommute at the same time.

VPN Masquerade is the part of IP Masquerade which enables you to use IPsec-based and PPTP-based Virtual Private Network clients from behind a shared-access firewall.

This is primarily used for masquerading IPsec and PPTP VPN clients:

IPsec
Client -.
        |   Linux                     IPsec
PPTP   -+-> Masq and --> Internet --> or PPTP
Client  |   Firewall                  Server
        |
Others -+
        |
No other software is needed to masquerade VPN clients.

It can also be used to provide access to a Private Network IPsec or PPTP server behind a Linux firewall...

IPsec                    Linux        Private-IP
or PPTP --> Internet --> Masq and --> PPTP or IPsec
Client                   Firewall     Server
To do this you will also need the ipportfw port-forwarding kernel patch and configuration tool for 2.0.xx kernels or the ipmasqadm utility for 2.2.xx kernels to forward the initial 500/udp ISAKMP key-exchange and/or 1723/tcp PPTP control channel traffic in to the server, and the IPFwd generic IP forwarding utility to forward the initial IPsec ESP and/or PPTP GRE traffic in to the server. Details are available in the VPN Masquerade HOWTO - please read it.

If your VPN is based on tunnelling PPP over Secure Shell (as described in the VPN mini-HOWTO) it is handled by the standard IP Masquerade code, as ssh is a purely TCP protocol. You'll still need ipportfw or ipmasqadm if the VPN server is masqueraded (behind the firewall, with a private-network IP address) rather than on the firewall itself.

If you are using a Checkpoint SecuRemote VPN with FWZ-encapsulated tunnels, you will not be able to masquerade the traffic. Configure your VPN to use pure IPsec protocols and permit NAT, and avoid the CheckPoint proprietary FWZ protocols. See the VPN Masquerade HOWTO for more details.


Why do I want this?

Once VPN Masquerade is configured you will no longer need to dial your ISP directly from your VPN client (or plug your VPN client into your cable modem) when you wish to access your VPN server. This means that all of the benefits of Linux shared Internet access remain available even while you are using your VPN to access a remote network.

In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over the VPN) from all of the computers on your local network. I do this every day while working from my home.

Note for W'95/'98 VPN client users: sorry, but the W'95/'98 IP stack does not easily support IP forwarding. You cannot use a W'95/'98 VPN client to act as a VPN router for your local network - every W'95/'98 system will have to establish its own private connection to the VPN server unless you use a system running WinNT or another OS capable of IP forwarding as a VPN router.


Obtaining the VPN Masquerade patch

VPN Masquerade is incorporated into kernel releases 2.0.37 and later in the 2.0.x series. A patch is available for 2.0.36. The patch may work with earlier kernels, but it has not been tested. Patches are also available for kernels 2.2.5 to 2.2.16, and may work with earlier kernels in the 2.2.x series.

Important note: please download and apply the 2.2.x kfree_skb() bugfix patch after applying any version of the full 2.2.x patch. This corrects a bug that can lead to kernel panics under heavy IPsec masquerade use.

Generic 2.0.x-series kernels

If you are using a kernel release earlier than 2.0.37 you can download the patch from:
[ HTTP Mirror 1 (USA: WA) ]

If you are using 2.0.37 or 2.0.38, there is a bugfix to prevent GPFs under certain circumstances when IPsec masquerade is enabled:
[ HTTP Mirror 1 (USA: WA) ]

Generic 2.2.x-series kernels

2.2.5 - 2.2.10: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 4 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.11 - 2.2.12: [ HTTP Mirror 1 (USA: CA) | HTTP Mirror 2 (USA: WA) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.13: [ HTTP Mirror 1 (USA: CA) | HTTP Mirror 2 (USA: WA) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.14: [ HTTP Mirror 1 (USA: CA) | HTTP Mirror 2 (USA: WA) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.15 - 2.2.16: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.17: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.18 - 2.2.20: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]

I have not had any reports of the patch working with kernel versions higher than those listed above, but the patch will probably work fine. The 2.2.x kernel series is now in maintenance mode, and changes are mostly bugfixes that do not affect the masquerade subsystem.

RedHat and Mandrake 2.2.x-series kernels

RedHat has included the VPN patch in kernels 2.2.16-8 and later. Drop by the RedHat FTP site or a RedHat mirror site and save yourself some patching. Note that you may also have to update to a new version of RPM as well.

If you're attempting to patch a kernel from a RedHat or Mandrake kernel source RPM prior to 2.2.16-8, you will also need to apply the following patch after applying the full VPN masq patch. This will fix an important failed hunk. To apply this patch:

cd /usr/src/linux/net/ipv4
zcat patchfile.gz | patch -l -p0
2.2.12 and 2.2.13: [ HTTP Mirror 1 (USA: CA) | HTTP Mirror 2 (USA: WA) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
2.2.14 through 2.2.16-7: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]

The following patch is needed for the RedHat or Mandrake 2.2.16 kernel, or a kernel which has had the VS-Masq (Virtual Server) patch applied. This includes the kernel shipped with RedHat 7.0 - if you have RedHat 7.0 and you are using the kernel that came with it, you do need this patch. The RedHat 2.2.17-14 update kernel includes this patch, I recommend you get that kernel RPM from the FTP site rather than patching and rebuilding.
If verbose PPTP debugging shows a masquerade address (maddr) of 0.0.0.0 is being used, or tcpdump on your Internet interface shows something like:

08:32:26 0.0.0.0 > 1.2.3.4: ip-proto-50 108 (ttl 63, id 1)
...then you need to apply this patch. To apply this patch:
cd /usr/src/linux/net/ipv4
zcat patchfile.gz | patch -l -p0
2.2.16: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]

Don't forget to run "make modules_install" after patching and recompiling.

The VPN Masq patch was omitted from the first RedHat 2.2.19 kernel RPM due to time constraints. It will be in the next one.

You may wish to download a plain kernel source tarball from a kernel.org mirror site instead.

Bugfix for all 2.2.x series kernel patches

All IPsec masq users should download and apply this bugfix patch and recompile the kernel. This patch fixes a bug in calling kfree_skb() that could lead to kernel panics under heavy masquerade load.

2.2.x: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]

To apply:

cd /usr/src
zcat ip_masq_ipsec-kfree.patch.gz | patch -l -p0
If you get errors about not being able to find the file to patch, make sure that /usr/src/linux exists.

2.4.x-series kernels

Thanks to Brian Kuschak <bkuschak at yahoo.com> for providing a kernel patch for PPTP Masquerade under the 2.4 kernel!

2.4.12: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]

2.4.15: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]

2.4.17: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]

2.4.19: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]

Simply apply the patch, then enable PPTP masquerade in the IPFilter section when configuring your kernel.

No IPsec patch is available yet.

I am told that masquerading a single VPN client using IPtables is fairly simple to set up, and requires no special patches. This may work for both PPTP and IPsec.

The following is thanks to Joshua Eichorn <jeichorn@JoshuaEichorn.com>. I haven't tried it myself.

#!/bin/bash
# Load the NAT module (this pulls in all the others).
/sbin/modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Server masquerade for PPTP also works with the default masquerade code. Add the following rules:

PPTP (1723/tcp and 47/ip):

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.5
/sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.5
...where 192.168.0.5 is the local-network IP address of the PPTP server. I have not had any reports regarding IPsec server masquerade.


To download files using Lynx: highlight the link, press "d" (download), and select "Save to Disk".
To download using Netscape Navigator: right-click the link and choose "Save Link As..." - if you simply click the link, Navigator tends to corrupt the patch file.

For early 2.2.x kernels you can also visit Gordon Chaffee's site for the 2.2.x PPTP-only Masq patch.


Configuring VPN Masquerade

First, you should be comfortable with recompiling your kernel...

Second, make sure that you have IP Masquerading compiled into your kernel and working properly. Setting up masquerading itself is beyond the scope of this document, and there is a HOWTO already available that describes the process in great detail. If you don't have regular masquerade working properly then please don't contact me for help - read the HOWTO first. (Have I successfully made my point? ;)
Also, I have written a GUI wrapper for the 2.0.x ipfwadm command that makes managing firewall and masquerade setup easier.

Third, make sure that your VPN connection works when you dial your ISP directly from your VPN client system.

To install and configure VPN Masquerade, follow the directions given in the VPN Masquerade HOWTO, available at:
HTML: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
PostScript (printable): [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
PDF: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
SGML source: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]


Notes and other sites of interest

You do not need VPN Masquerade support if the VPN endpoint is the firewall itself - if, for example, you have FreeS/WAN or the Linux PPTP Client installed on your firewall. Don't use the VPN Masq patch if this is the case. It won't work.

You do not need ipmasqadm or ipfwd if you're calling a remote VPN server via the masq gateway. You only need them if a local VPN server is behind the masq gateway.

Depending on the PPTP server in use you may be forced to use a VPN router configuration if more than one masqueraded system wants to connect to a given PPTP server. The PPTP protocol specifies only one control connection from a given client system, and the masquerade gateway is the client as far as the server is concerned. PPTP server implementations that correctly follow the specification will not permit more than one PPTP session to be established from the masquerade gateway. Try it first, though, as some incorrect PPTP implementations (such as that in Windows NT) do permit multiple connections between the same systems.

The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec VPNs that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)

Here's a patch for netstat that adds recognition of the ESP and GRE protocols. Add this and netstat -M will work again!

If you want to implement an IPsec-based VPN on Linux, please visit the Linux FreeS/WAN site. This is particularly recommended if you're considering setting up a PPTP-based VPN between two networks that are both behind Linux firewalls. IPsec is more secure and much better suited to this than PPTP.

Please visit the Microsoft security announcements site for an important PPTP security update for Microsoft PPTP clients and servers. You may also be interested in an analysis of Microsoft's implementation of the PPTP protocol by one of the most respected members of the Crypto community. A second analysis and third analysis by others are also available.

There is also freely-available native Linux PPTP client and PPTP server software. Note that this software may not provide encryption: for patches that add M$-compatible encryption and compression to pppd visit this site, or visit this ftp site where Paul Cadach <paul@odt.east.telecom.kz> offers pppd patches to support MS-CHAP-V1/V2 and MPPE and implement multilink PPP with NT. (These links are fairly old. Visit the PoPToP site for the current status of native-Linux PPTP.)

Profuse thanks to Gordon Chaffee for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. Get the patch from:
[ HTTP Mirror 1 | FTP Mirror 1 ]

A patch for the newer traceroute_1.4a12 is available from http://www.planet.net.au/~neale/debian/traceroute-GRE/

I've been using a masqueraded VPN through various incarnations of this patch with great success since September 7, 1997.

I only have an x86 box to test this on. It has been reported to work on Sparc and PowerPC systems. Comments from users on other architectures are solicited.

The 2.1.65+ kernels natively support a tunnelling protocol based on GRE, but do not support PPTP natively in any way. You must still patch your kernel if you wish to masquerade PPTP. See the HOWTO for more details on 2.1.x and 2.2.x kernels.

The 2.0.x patch conflicts with the IP Firewall Chains and ipportfw patches in trying to patch the kernel config files. This is non-critical. See the HOWTO for more details.

Yes, I know that IPsec is peer-to-peer. Writing this so that it's usable by people using IPsec endpoints on Windows forces the inaccurate terminology.

I'm looking for mirror sites. If you have a web or FTP server, preferably with SSH access, and you don't mind hosting a few files, drop me a note! If you want to mirror me, or are already mirroring me, drop me a note!


You can contact me at <jhardin@impsec.org>. I'd like to hear your comments and suggestions, and particularly your problems with this patch. You can also visit the current version of this document, and take a look at my home page...

Disclaimer: No guarantees of functionality. Keep a working compiled kernel around in case this blows up.


The Linux Webring: [ Home | Index | Next | Prev | Random | Stats ]     Linux: the soul of the Internet    Best viewed with Any Browser

Donations accepted via PayPal.
© 1999-2006 by John Hardin. You may copy this page as long as the content is unchanged (you can change the formatting to fit your site if you want) and the link to the original page is left intact.
$Id: ip_masq_vpn.html,v 1.82 2006-07-13 06:44:50-07 jhardin Exp jhardin $