Previous Kernel requirements Index Frequently asked questions Next

Virtual Private Networking

Firestarter 1.0 does not support VPN configurations without some tweaking. VPN capability in Firestarter is currently planned for version 1.1.

How to use the VPN workarounds in Firestarter 1.0

Copy the lines specific to your VPN solution listed below, and paste them into the /etc/firestarter/user-pre file on the firewall host. Restarting the firewall, for example by executing "/etc/firestarter/firewall.sh start", commits the new settings.

Microsoft VPN clients

The widely used VPN solution for Microsoft Windows machines is based on the PPTP protocol. The following lines allow PPTP clients on the Firestarter-administered local network to connect to remote servers:

# Forward PPTP VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Running a Microsoft VPN server

If you want to run a PPTP VPN server on your internal network and allow remote clients to connect to it, the firewall must be told to forward the requests to the server:

# Forward PPTP VPN connections to internal server
SERVER=192.168.0.100 # Internal VPN server

$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 1723 -j DNAT --to $SERVER
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p 47 -j DNAT --to $SERVER 

Note that you must change the SERVER variable from 192.168.0.100 to the actual internal IP of your VPN server.
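The SERVER value ends up in two DNAT rules that redirect every PPTP and GRE packet arriving on the external interface, so a typo there misdirects that traffic. The script below is an added example, not part of Firestarter; it generates the fragment above from a given address, refuses anything that is not a private IPv4 address, and checks the result parses as shell before installing it (the function names and the .tmp path are assumptions).

```shell
#!/bin/sh
# Added example (not Firestarter's own code): build the PPTP server
# workaround fragment for user-pre with a validated SERVER address.

# Return 0 if $1 is a dotted quad inside an RFC 1918 private range.
is_private_ipv4() {
    case "$1" in
        10.*) ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        192.168.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1            # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do    # each octet must be an integer 0-255
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the user-pre lines from the page, with SERVER set to $1.
pptp_server_rules() {
    is_private_ipv4 "$1" || {
        echo "refusing SERVER=$1: not a private IPv4 address" >&2
        return 1
    }
    cat <<EOF
# Forward PPTP VPN connections to internal server
SERVER=$1 # Internal VPN server

\$IPT -A FORWARD -i \$IF -o \$INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
\$IPT -t nat -A PREROUTING -i \$IF -p tcp --dport 1723 -j DNAT --to \$SERVER
\$IPT -A FORWARD -i \$IF -o \$INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
\$IPT -t nat -A PREROUTING -i \$IF -p 47 -j DNAT --to \$SERVER
EOF
}

# Write the fragment to $2 (normally /etc/firestarter/user-pre) only if it
# parses as shell, since firewall.sh sources that file on restart.
write_pptp_server_rules() {
    pptp_server_rules "$1" > "$2.tmp" || { rm -f "$2.tmp"; return 1; }
    sh -n "$2.tmp" && mv "$2.tmp" "$2"
}
```

Run "/etc/firestarter/firewall.sh start" afterwards, as the page describes, to commit the new file.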

OpenVPN

OpenVPN is an easy-to-use, cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:

# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

OpenVPN requires no configuration changes if it is used on the local network.

Cisco VPN and Nortel Contivity clients

Cisco, Nortel and other IPSec based VPN solutions require the following workaround:

# Forward Cisco VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 

Firestarter 1.0 works out of the box with the Cisco VPN clients when Transparent Tunnelling is enabled client side. In this mode the client embeds the IPSec traffic into either TCP or UDP packets, which Firestarter is able to deal with as any other form of traffic.

However, tunneling is not always possible, depending on both the client version and the remote server's capabilities. In that case the above workaround must be used.
