Linux + Wireless Lan HostAP + DHCP Setup + PPTP VPN
===================================================

Shanker Balan
http://shankerbalan.com/

Changelog
---------

* Sat Apr 26 11:34:13 IST 2003
  - Added Links section

* Fri Apr 25 15:04:21 IST 2003
  - Initial commit, putting this up before leaving for the LUG meet!

The HOWTO is split into the following sections:

- HostAP Install/Configuration
- Network Configuration
- DHCP Server (standalone or relay)
- Enabling VPN
- Firewalling

Section1: HostAP Install/Configuration
======================================

- Locate a WiFi PCI/PCMCIA card which works under Linux and BSD in HostAP
  mode. The Intersil Prism2/2.5 chipset based ones are the most preferred.

- Assuming that the card uses the Prism chipset, download, compile and
  install the HostAP drivers from http://hostap.epitest.fi/

- Add the card information to the /etc/pcmcia/hostap_cs.conf database. You
  can look up this info either in /var/log/messages or using the
  "cardctl ident" command in RedHat Linux.

  [root@godzilla root]# cardctl ident
  Socket 0:
    product info: "INTERSIL", "HFA384x/IEEE", "Version 01.02", ""
    manfid: 0x0156, 0x0002
    function: 6 (network)

  /var/log/messages:

  Apr 23 15:51:56 godzilla cardmgr[1120]: socket 0: Intersil PRISM2 11 Mbps Wireless Adapter

  The hostap_cs.conf entry will look like this based on the above
  information:

  card "Intersil PRISM2 11 Mbps Wireless Adapter"
    version "INTERSIL", "HFA384x/IEEE"
    bind "hostap_cs"

- Restart the PCMCIA service to load the new drivers

  [root@godzilla root]# service pcmcia restart
  [root@godzilla root]# /sbin/lsmod |grep hostap
  hostap_crypt_wep        3916   1 (autoclean)
  hostap_cs              46152   1
  hostap                 72900   0 [hostap_cs]
  hostap_crypt            2768   0 [hostap_crypt_wep hostap]
  ds                      8552   1 [hostap_cs]
  pcmcia_core            56288   0 [hostap_cs ds yenta_socket]

  dmesg output:

  hostap_cs: Registered netdevice wlan0
  prism2_hw_init()
  prism2_hw_config: initialized in 9630 iterations
  wlan0: NIC: id=0x8002 v1.0.0
  wlan0: PRI: id=0x15 v0.3.0
  wlan0: STA: id=0x1f v0.8.3
  wlan0: defaulting to
  host-based encryption as a workaround for firmware bug in Host AP mode WEP
  wlan0: defaulting to bogus WDS frame as a workaround for firmware bug in Host AP mode WDS
  hostap_crypt: registered algorithm 'WEP'
  wlan0: prism2_open

Section2: Network Configuration
===============================

- RedHat network init script for wlan0. Choose a suitable ESSID and
  encryption key for your environment.

  [root@godzilla root]# cat /etc/sysconfig/network-scripts/ifcfg-wlan0
  DEVICE=wlan0
  BOOTPROTO=static
  ONBOOT=yes
  IPADDR=192.168.2.24
  MODE="master"
  ESSID="mydomain"
  RATE="auto"
  KEY="0000000000"

  The all-zero key above is a placeholder for the listing; use your own
  40-bit (10 hex digit) or 104-bit (26 hex digit) value. Do not rely on WEP
  for confidentiality: its RC4 keystream reuse lets anyone who captures
  enough frames recover the key, so in this setup the WiFi segment is
  treated as untrusted and the real protection comes from the PPTP VPN
  (Section4) and the firewall (Section5). WEP only keeps casual clients off.

- Enable IP forwarding (net.ipv4.ip_forward = 1) in /etc/sysctl.conf

- Restart the network service

  [root@godzilla root]# service network restart
  [root@godzilla root]# ifconfig wlan0
  wlan0     Link encap:Ethernet  HWaddr 00:02:72:00:10:8F
            inet addr:192.168.2.24  Bcast:192.168.2.255  Mask:255.255.255.0
            inet6 addr: fe80::202:72ff:fe00:108f/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:15 errors:0 dropped:1 overruns:0 frame:0
            TX packets:31 errors:3 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:1768 (1.7 Kb)  TX bytes:3692 (3.6 Kb)
            Interrupt:11 Base address:0x100

  [root@godzilla root]# iwconfig wlan0
  wlan0     IEEE 802.11b  ESSID:"mydomain"  Nickname:"godzilla.mydomain.com"
            Mode:Master  Frequency:2.422GHz  Access Point: 00:02:72:00:10:8F
            Bit Rate:11Mb/s   Tx-Power:5 dBm   Sensitivity=1/3
            Retry min limit:8   RTS thr:off   Fragment thr:off
            Encryption key:0000-0000-00   Encryption mode:restricted
            Power Management:off
            Link Quality:0  Signal level:0  Noise level:0
            Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
            Tx excessive retries:0  Invalid misc:0   Missed beacon:0

- Check for new MAC entries in /proc/net/hostap/wlan0/ (the driver creates
  an entry named after the MAC address for every station in its station
  table, next to its own control and status files)

  [root@godzilla wlan0]# ls
  00:02:2d:76:cd:8c  ap_control  debug  registers  stats
  ap                 ap_debug    pda    scan_results  wds

  The AP is now visible in the air.
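Once clients start associating, the proc directory above is the cheapest place to watch for stations you did not expect. The script below is an added example, not part of the HOWTO: it lists the MAC entries in that directory and compares them with a known-stations file. HOSTAP_PROC and KNOWN_STATIONS are this example's own variables; the directory layout is the one in the listing above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: report stations the HostAP driver
# knows about that are not in a known-stations file. HOSTAP_PROC and
# KNOWN_STATIONS are this example's own variables; the proc layout is the
# one shown in the Section2 listing.

HOSTAP_PROC="${HOSTAP_PROC:-/proc/net/hostap/wlan0}"

# Print the MAC addresses present in the hostap proc directory, one per
# line, lowercase and sorted. The driver names each station entry after
# its MAC; everything else (ap_control, stats, wds, ...) is filtered out.
hostap_stations() {
    ls "${1:-$HOSTAP_PROC}" 2>/dev/null \
        | tr 'A-F' 'a-f' \
        | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
        | sort -u
}

# Print the stations in directory $1 that are not listed in file $2
# (one MAC per line, '#' comments and blank lines allowed).
# Returns 1 if at least one unknown station is present, else 0.
hostap_new_stations() {
    dir="$1"
    known="$2"
    rc=0
    for mac in $(hostap_stations "$dir"); do
        if ! sed -e 's/#.*//' -e 's/[[:space:]]//g' "$known" \
                | tr 'A-F' 'a-f' | grep -qxF "$mac"; then
            echo "$mac"
            rc=1
        fi
    done
    return $rc
}

# Run from cron with KNOWN_STATIONS pointing at the list of expected MACs;
# any output (and a non-zero exit) means somebody new has associated.
if [ -n "${KNOWN_STATIONS:-}" ]; then
    hostap_new_stations "$HOSTAP_PROC" "$KNOWN_STATIONS"
fi
```

Treat this as inventory and alerting, not access control: a MAC address is trivially spoofed, and with WEP the association itself proves nothing. The point of the check is to notice a stranger early, while the firewall in Section5 is what keeps them from going anywhere.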
- Client Configuration

  Configure the WiFi clients using the same ESSID and encryption key. If
  you are running a DHCP server set them to use DHCP, else configure them
  manually. Use "neat" for doing the network config part.

- Check network functionality and routing

  Try ping and traceroute from the LAN/HostAP to the WiFi clients and
  vice-versa. All done?

Section3: DHCP Server
=====================

Standalone Server
-----------------

Use this when dhcpd runs on the HostAP router itself.

/etc/dhcpd.conf:

  authoritative;
  default-lease-time 86400;
  max-lease-time 86400;
  ddns-update-style ad-hoc;
  ddns-updates false;

  subnet 192.168.2.0 netmask 255.255.255.0 {
      range 192.168.2.1 192.168.2.20;
      option broadcast-address 192.168.2.255;
      option subnet-mask 255.255.255.0;
      option routers 192.168.2.24;
      option domain-name "mydomain.com";
      option domain-name-servers 192.168.2.24;
  }

/etc/sysconfig/dhcpd:

  # Command line options here
  DHCPDARGS="wlan0"

DHCPDARGS restricts dhcpd to the wireless interface, so it never answers
requests on the wired LAN where another server is authoritative.

Relay Server
------------

Required in case the DHCP server is not running on the router.

- Install the DHCP packages and configure dhcrelay using
  /etc/sysconfig/dhcrelay

  /etc/sysconfig/dhcrelay:

  # Command line options here
  INTERFACES="wlan0 eth0"
  DHCPSERVERS="192.168.1.1"

  [root@godzilla root]# service dhcrelay start

  /var/log/messages:

  Apr 25 11:33:00 godzilla dhcrelay: Copyright 1997-2000 Internet Software Consortium.
  Apr 25 11:33:00 godzilla dhcrelay: All rights reserved.
  Apr 25 11:33:00 godzilla dhcrelay: For info, please visit http://www.isc.org/products/DHCP
  Apr 25 11:33:00 godzilla dhcrelay: Listening on LPF/eth0/00:50:ba:d7:28:02
  Apr 25 11:33:00 godzilla dhcrelay: Sending on LPF/eth0/00:50:ba:d7:28:02
  Apr 25 11:33:00 godzilla dhcrelay: Listening on LPF/wlan0/00:02:72:00:10:8f
  Apr 25 11:33:00 godzilla dhcrelay: Sending on LPF/wlan0/00:02:72:00:10:8f
  Apr 25 11:33:00 godzilla dhcrelay: Sending on Socket/fallback
  Apr 25 11:33:00 godzilla dhcrelay: dhcrelay startup succeeded

- DHCP server configured with support for multiple subnets

  /etc/dhcpd.conf (on the DHCP server 192.168.1.1):

  # partial config
  class "wlan" {
      spawn with option agent.circuit-id;
  }
  subclass "wlan" 00:05:3c:03:f2:e4 { option host-name "wlan1"; }
  subclass "wlan" 00:02:2d:76:cd:8c { option host-name "wlan1"; }

  shared-network mydomain {
      subnet 192.168.1.0 netmask 255.255.255.0 {
          option broadcast-address 192.168.1.255;
          option subnet-mask 255.255.255.0;
          option routers 192.168.1.100;
          option time-offset 39600;
      }
      subnet 192.168.2.0 netmask 255.255.255.0 {
          option broadcast-address 192.168.2.255;
          option subnet-mask 255.255.255.0;
          option routers 192.168.2.24;
      }
      pool {
          allow members of "wlan";
          range 192.168.2.5 192.168.2.20;
      }
      pool {
          deny members of "wlan";
          range 192.168.1.50 192.168.1.99;
      }
  }

  Members of class "wlan" are handed addresses from 192.168.2.5-20, every
  other client from 192.168.1.50-99. Keep in mind that this is address
  assignment, not access control: a client that is not in the class (or
  that simply configures itself statically) is only kept off the wired
  segment by the firewall in Section5.

- Log entry of a successful DHCP request. "via 192.168.2.24" shows that
  the request arrived through the relay with the router's wlan0 address as
  the gateway address, which is how the server picks the 192.168.2.0
  subnet.

  Apr 24 15:09:46 monster dhcpd: DHCPDISCOVER from 00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24
  Apr 24 15:09:47 monster dhcpd: DHCPOFFER on 192.168.2.18 to 00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24
  Apr 24 15:09:47 monster dhcpd: DHCPREQUEST for 192.168.2.18 (192.168.1.1) from
    00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24
  Apr 24 15:09:47 monster dhcpd: DHCPACK on 192.168.2.18 to 00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24
  Apr 24 15:09:47 monster dhcpd: DHCPREQUEST for 192.168.2.18 (192.168.1.1) from 00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24
  Apr 24 15:09:47 monster dhcpd: DHCPACK on 192.168.2.18 to 00:02:2d:76:cd:8c (SALISTOP) via 192.168.2.24

Section4: The PPTP VPN
======================

Install PopTop (http://poptop.sourceforge.net/); the MPPE kernel modules
and a matching PPPD are also available there. RPM based build instructions
are at http://pptpclient.sourceforge.net/howto-redhat-90-build.phtml

- Configure the PPTP server

  /etc/pptpd.conf:

  speed 115200
  option /etc/ppp/options.pptpd
  stimeout 10
  debug
  localip 192.168.3.100
  remoteip 192.168.3.30-50

- Configure PPPD with MPPE encryption and MS-CHAPv2 authentication

  /etc/ppp/options.pptpd:

  debug
  name pptpd
  lock
  mtu 1450
  mru 1450
  proxyarp
  auth
  ipcp-accept-local
  ipcp-accept-remote
  lcp-echo-failure 3
  lcp-echo-interval 5
  refuse-pap
  refuse-chap
  refuse-mschap
  refuse-eap
  require-mschap-v2
  nomppe-40
  require-mppe
  nomppe-stateful
  ms-wins 192.168.1.1
  ms-dns 192.168.1.1

  The refuse-* lines are not decoration: without them pppd falls back to
  PAP or CHAP when a client declines MS-CHAPv2, and the password then
  crosses the WEP link in clear or as an MD5 challenge response;
  nomppe-40 plus require-mppe leaves 128-bit MPPE as the only acceptable
  cipher. Even so, the tunnel is only as strong as the user's password: an
  eavesdropper who records the MS-CHAPv2 exchange can attack the password
  offline, and the MPPE session keys are derived from that same password
  hash. Use long, non-dictionary secrets.

- Add users to /etc/ppp/chap-secrets

  # Secrets for authentication using CHAP
  # client        server  secret          IP addresses
  "test"          *       "welcome"       *

  The file holds passwords in clear; keep it owned by root with mode 0600.
  "welcome" is a placeholder for the listing, not a suggestion.

  TIP: Use '-l 192.168.2.24' to start PPTPD only on the WLAN interface, so
  the VPN endpoint is not exposed on the wired side.

- Start PPTPD

  [root@godzilla root]# service pptpd start

- Configure PPTP VPN clients

  Linux: Go to http://pptpclient.sourceforge.net/ and get the client RPMs.
  Configure it as suggested there; it is straightforward. Use the PHP-GTK
  based tool for graphical configuration.

  Windows: See http://poptop.sourceforge.net/dox/ for the configuration
  for Windows 9x and 2000+. Follow it to the word!
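Before trying the connect it is worth checking that the options file and chap-secrets still say what Section4 intends, because a single dropped refuse-* line or a chmod gone wrong undoes the policy silently. The script below is an added example, not part of the HOWTO or of PopTop: it lints an options file against the required/forbidden option lists and checks chap-secrets for permissions and short secrets. The option lists, MIN_SECRET_LEN and the script name are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: lint the pppd options file and
# chap-secrets against the Section4 policy (MS-CHAPv2 only, 128-bit MPPE
# required). File paths are passed in, so it runs against copies as well
# as the live files.

# Every one of these must be present or pppd will accept a weaker
# authentication or encryption negotiation than intended.
REQUIRED_OPTS="auth refuse-pap refuse-chap refuse-mschap refuse-eap require-mschap-v2 require-mppe nomppe-40"
# Any of these present undoes the policy outright.
FORBIDDEN_OPTS="noauth require-pap require-chap require-mschap nomppe"
# Minimum length for a chap-secrets password (this example's choice).
MIN_SECRET_LEN=12

# Does options file $1 contain option $2 as a whole line (after stripping
# '#' comments and surrounding whitespace)? Whole-line matching is what
# keeps "auth" from being satisfied by "noauth".
has_opt() {
    sed -e 's/#.*//' "$1" | grep -qx "[[:space:]]*$2[[:space:]]*"
}

# Print one line per problem in options file $1; return 1 if any.
check_pptpd_options() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! has_opt "$1" "$opt"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    for opt in $FORBIDDEN_OPTS; do
        if has_opt "$1" "$opt"; then
            echo "forbidden: $opt"
            rc=1
        fi
    done
    return $rc
}

# chap-secrets holds cleartext passwords: it must be readable by root only,
# and the secrets should not be dictionary words like the placeholder
# "welcome" in the listing. Prints one line per problem in file $1;
# returns 1 if any. A secret containing '#' would be misread here.
check_chap_secrets() {
    rc=0
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) ;;
        *) echo "$1: mode $mode, should be 0600"; rc=1 ;;
    esac
    # Fields are: client server secret ip; secrets may be double-quoted.
    weak=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk -v min="$MIN_SECRET_LEN" '{
              s = $3; gsub(/"/, "", s)
              if (length(s) < min)
                  print "weak secret for " $1 " (" length(s) " chars, want >= " min ")"
          }')
    if [ -n "$weak" ]; then
        echo "$weak"
        rc=1
    fi
    return $rc
}

# Usage (hypothetical script name):
#   sh pptp-lint.sh /etc/ppp/options.pptpd /etc/ppp/chap-secrets
if [ $# -eq 2 ]; then
    status=0
    check_pptpd_options "$1" || status=1
    check_chap_secrets "$2" || status=1
    exit $status
fi
```

Run it from the pptpd init script (or by hand after every edit) and refuse to start the daemon when it exits non-zero. The checks are deliberately dumb line matches: pppd's own parser is the authority on what an option means, this only catches the edits that remove a line or add a contradicting one.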
- Try a connect

  Log from a successful connect:

  Apr 24 18:54:27 godzilla pppd[2112]: pppd 2.4.2b1 started by root, uid 0
  Apr 24 18:54:28 godzilla /etc/hotplug/net.agent: assuming ppp0 is already up
  Apr 24 18:54:28 godzilla pppd[2112]: Using interface ppp0
  Apr 24 18:54:28 godzilla pppd[2112]: Connect: ppp0 <--> /dev/pts/3
  Apr 24 18:54:28 godzilla pppd[2112]: CHAP peer authentication succeeded for test
  Apr 24 18:54:28 godzilla pppd[2112]: MPPE 128-bit stateless compression enabled
  Apr 24 18:54:28 godzilla pppd[2112]: local  IP address 192.168.3.100
  Apr 24 18:54:28 godzilla pppd[2112]: remote IP address 192.168.3.31

  The "MPPE 128-bit stateless compression enabled" line is the one to look
  for. With require-mppe in options.pptpd a link that fails to negotiate
  MPPE must not come up at all; if you see a connect without that line,
  the option is not in effect.

- "lsmod" after the connect

  [root@godzilla root]# lsmod |grep ppp
  ppp_mppe               13592   0 (autoclean)
  ppp_async               9312   0 (autoclean)
  ppp_generic            24572   0 (autoclean) [ppp_mppe ppp_async]
  slhc                    6644   0 (autoclean) [ppp_generic]

Section5: The FireWall
======================

All packets from the 2.x WiFi network are filtered on the router except the
VPN connect. Traffic to and from the 3.x VPN segment is allowed, everything
else is blocked.

  [root@godzilla root]# cat rc.fw
  #!/bin/sh

  iptables -F

  # allow VPN
  iptables -A FORWARD -i wlan0 -p tcp -d 192.168.2.24 --dport 1723 -j ACCEPT

  # allow 3.x both ways
  iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
  iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT

  # reject everything else
  iptables -A FORWARD -j REJECT

  iptables -L -n

Two things to know before relying on this script. First, packets addressed
to the router itself (192.168.2.24), which includes the PPTP control
connection on TCP 1723 and the GRE tunnel (IP protocol 47) that carries
the PPP frames, traverse the INPUT chain, not FORWARD, so the "allow VPN"
rule never matches anything. The VPN works only because INPUT is left at
its default ACCEPT policy, which also leaves every other service on the
router reachable from the WiFi segment. Second, "iptables -F" flushes
rules but leaves chain policies alone, so the final REJECT rule is the
only thing keeping wireless clients off the wired 1.x LAN; if it is ever
missing, the router forwards everything.

Links:

  http://hostap.epitest.fi/
  http://poptop.sourceforge.net/
  http://pptpclient.sourceforge.net/
  http://isc.org/products/DHCP/
  http://netfilter.org/

ToDo:

- Configure chap-secrets to look up Samba or LDAP and then have ACLs.
- Configure another VPN like CIPE (use "neat")
- Use FreeRADIUS for Accounting/Authentication
- BSD setup
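The same policy as the rc.fw in Section5, rewritten so that the rules sit in the chains where they actually take effect, as an added example that is not the HOWTO's script. Addresses and interface names (wlan0, eth0, 192.168.2.24, the 2.x, 1.x and 3.x networks) are the HOWTO's; the chain layout, the IPT variable and the FW_APPLY guard are this example's own.

```shell
#!/bin/sh
# Added example, not the HOWTO's rc.fw: the Section5 policy (WiFi clients
# may only talk to the router's PPTP service, VPN traffic is forwarded,
# everything else is refused) with the rules in the chains where they
# take effect. Addresses and interfaces are the HOWTO's; IPT and FW_APPLY
# are this example's own knobs.

IPT="${IPT:-iptables}"     # set IPT=echo to print the rules instead of applying
WLAN=wlan0                 # HostAP interface, 192.168.2.24 on 192.168.2.0/24
LAN=eth0                   # wired LAN, 192.168.1.0/24
ROUTER_WLAN=192.168.2.24
WIFI_NET=192.168.2.0/24
VPN_NET=192.168.3.0/24

fw_rules() {
    # Flush, then set deny-by-default policies. "iptables -F" alone leaves
    # the policies untouched, so a script that relies on a trailing REJECT
    # rule opens everything the moment that rule is missing.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- INPUT: traffic addressed to the router itself ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT          # wired side trusted, as in the HOWTO
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # What a wireless client needs before its tunnel is up: an address
    # (dhcpd or dhcrelay on the router), the router's DNS, and ping for
    # the connectivity check in Section2.
    $IPT -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -s "$WIFI_NET" -d "$ROUTER_WLAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -s "$WIFI_NET" -d "$ROUTER_WLAN" -p icmp --icmp-type echo-request -j ACCEPT

    # PPTP terminates on the router, so both halves of it belong in INPUT:
    # the control channel on TCP 1723 and GRE (IP protocol 47), which
    # carries the PPP frames. The original rc.fw put 1723 in FORWARD,
    # where it can never match, and did not mention GRE at all.
    $IPT -A INPUT -i "$WLAN" -s "$WIFI_NET" -d "$ROUTER_WLAN" -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -s "$WIFI_NET" -d "$ROUTER_WLAN" -p gre -j ACCEPT

    # --- FORWARD: only decrypted VPN traffic crosses to the wired LAN ---
    $IPT -A FORWARD -i ppp+ -o "$LAN" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o ppp+ -d "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Raw (non-VPN) wireless traffic gets an explicit REJECT so clients
    # fail fast instead of timing out; the DROP policy covers the rest.
    $IPT -A FORWARD -i "$WLAN" -j REJECT
}

# Apply only when asked, as root:           FW_APPLY=1 sh rc.fw
# Preview without touching the kernel:      IPT=echo FW_APPLY=1 sh rc.fw
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_rules
fi
```

The preview mode is the useful part when editing: run it with IPT=echo and read the rule list before applying, and after applying confirm with "iptables -L -n -v" that the 1723 and gre counters in INPUT climb during a connect while nothing but the ppp rules moves in FORWARD.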