
Setting up an L2TP over IPSec VPN server on Ubuntu, also compatible with iOS devices February 28, 2013


I use VPNs all the time these days to access resources on the servers I manage and have restricted for security reasons, but also to be able to watch some programs from Finland / Italy / UK / US, regardless of where I am (I love The Apprentice for instance, and obviously I can't watch it from Finland, normally). Yes, there are geographical restrictions for some reason, I know, but that's not the point of this article ;). Besides, I also own an iPad and an iPhone so I prefer having a more private connection when I am on the move and need to surf the Internet or just check my emails, but have to use some public networks or anyway networks over which I have no control; email and many sites I need to authenticate on use SSL, but nevertheless using a VPN gives peace of mind since you don't have to worry as much about how much attention has been paid to the security aspects of these services - as far as the encryption of the data is concerned, at least.

So the VPN I use must also be compatible with these devices, and that's why I have replaced my long time favourite OpenVPN with L2TP over IPSec VPNs. These VPNs are IMO simpler to set up, secure, and compatible with most operating systems and devices without having to install some third party software or client to be able to establish the connection. This is a plus, since it means I can also configure a VPN access on my iPhone without having to jailbreak it or install third party apps to be able to use another VPN.

So here's a simple guide on how to set up such a VPN on a Ubuntu server and get (as an example) a Mac or iPhone connected - the process shouldn't differ much on other distros. Hopefully this will help you save some trial and error; I won't go into the details for each setting or command as I am myself not too familiar with several of them, so if you just want a "fast-track" how-to here you are.

For starters, you'll need to install Openswan, which is an IPSec implementation for Linux; IPSec is responsible for the encryption of the packets:
apt-get install openswan

You will be asked "Do you have an existing X509 certificate file that you want to use for Openswan?". If you, like me, want a more compatible VPN for use with iPhones/iPads and other devices, answer No since these typically do not support setups with certificates. Next you'll need to edit a few configuration files. I'll paste below the settings I currently use on several VPN servers and that I know work for sure; you may want to empty those files before pasting the configurations I suggest, just to keep things simpler. First, edit /etc/ipsec.conf and change/add the following settings:
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=the public IP of your server
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Obviously, replace the value for the left setting with the actual public IP of the box on which you are installing the VPN server. Next, edit /etc/ipsec.secrets and add the following:
(server's public IP) %any: PSK "your shared secret"

Again, you will have to specify here the public IP of the server and also a shared secret that will be used on clients together with the credentials for each specific client account. You may want to generate some random secrets, and one way of doing this is with the apg utility that often comes with Unix systems (you could install it with brew install apg on Mac OS, if you're using homebrew):
$ apg
(prints several randomly generated passwords, one per line)

(You can also use the -m option to specify a length - see all the available options with apg -h). Now create the file /etc/vpn-setup and paste the following in it:
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

making sure you make this file executable with


chmod +x /etc/vpn-setup

This is required to redirect all the Internet traffic through the VPN gateway; to ensure the commands in the file are executed at startup, edit /etc/rc.local and add, before the exit 0 line, /etc/vpn-setup. Run /etc/vpn-setup once, manually for now, so to apply these settings for the current session, then restart IPSec:
service ipsec restart

Next, let's configure some firewall rules to allow the redirection of the web traffic. If you are using iptables, run the following commands to apply the required rules immediately:
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.1.2.0/24 -j ACCEPT

Then backup the current configuration to file with:


iptables-save > /etc/iptables.rules

To ensure these rules are also applied at start up, update /etc/network/interfaces so it looks something like the following:
auto eth0
iface eth0 inet static
    address ...
    netmask ...
    broadcast ...
    network ...
    post-up iptables-restore < /etc/iptables.rules

The important line that you need to add is the one starting with post-up. At this point you should be able to establish an IPSec connection from a client - although we still need to sort out the authentication side - so it's a good time to test this before going ahead:
ipsec verify

If all went well - and there are no problems with the version of the kernel you are using - you should see something like the following:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel                             [OK]
NETKEY detected, testing for disabled ICMP send_redirects        [OK]
NETKEY detected, testing for disabled ICMP accept_redirects      [OK]
Checking that pluto is running                                   [OK]
Pluto listening for IKE on udp 500                               [OK]
Pluto listening for NAT-T on udp 4500                            [OK]
Checking for 'ip' command                                        [OK]
Checking for 'iptables' command                                  [OK]
Opportunistic Encryption Support                                 [DISABLED]
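ipsec verify only looks at the kernel and at pluto. The script below is an added example, not part of the original post: it checks the rest of what was configured by hand above (the sysctls set by /etc/vpn-setup and the iptables rules), assuming the post's client pool 10.1.2.0/24 and egress interface eth0; the sysctl root and the rule file are parameters so the checks can be run against copies.

```shell
#!/bin/bash
# Added example, not from the original post: checks the settings the post
# configures by hand and that "ipsec verify" does not cover (ip_forward,
# ICMP redirects, the iptables rules). Assumes the post's layout: client
# pool 10.1.2.0/24, egress interface eth0, rules saved with iptables-save.
# The sysctl root and the rule file are parameters so the checks are testable.

# The rules the post adds, in iptables-save form (table prefix omitted).
expected_rules() {
  local subnet="${1:-10.1.2.0/24}" iface="${2:-eth0}"
  cat <<EOF
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -s $subnet -j ACCEPT
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
EOF
}

# 0 when forwarding is on and ICMP redirects are off for every interface
# under $1 (default /proc/sys/net/ipv4); otherwise prints the offending knob
# and returns 1. The box is now a router, so accepted redirects would let a
# neighbour on the LAN alter where it sends the tunnelled traffic.
check_sysctl() {
  local root="${1:-/proc/sys/net/ipv4}" f
  [ "$(cat "$root/ip_forward" 2>/dev/null)" = 1 ] || { echo "$root/ip_forward"; return 1; }
  for f in "$root"/conf/*/accept_redirects "$root"/conf/*/send_redirects; do
    [ "$(cat "$f" 2>/dev/null)" = 0 ] || { echo "$f"; return 1; }
  done
}

# 0 when every expected rule is present in an iptables-save file ($1, e.g.
# /etc/iptables.rules); prints the first missing rule and returns 1 otherwise.
check_rules_file() {
  local file="$1"
  expected_rules "$2" "$3" | while IFS= read -r rule; do
    grep -qxF -- "$rule" "$file" || { echo "missing: $rule"; exit 1; }
  done
}

# Same check against the live ruleset with "iptables -C" (needs root).
check_rules_live() {
  expected_rules "$1" "$2" | while IFS= read -r rule; do
    case "$rule" in
      "-A POSTROUTING"*) iptables -t nat -C ${rule#-A } ;;
      *) iptables -C ${rule#-A } ;;
    esac >/dev/null 2>&1 || { echo "missing: $rule"; exit 1; }
  done
}
```

Run check_sysctl and check_rules_file /etc/iptables.rules after a reboot to confirm that rc.local and the post-up line really did their job.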

I can't remember how to set up an L2TP/IPSec client on Windows or Linux desktop, but here's how to do it on Mac: go to System Preferences -> Network, and create a new connection by clicking on the + button. When you're asked for the type of the connection you want to create, choose VPN and leave the default type, L2TP over IPSec, selected. Then give your connection whatever name you prefer. Then enter either the server's IP or a hostname pointing to it, and in Account name enter whatever username you'll want to use to establish the connection. Don't worry if you haven't configured this yet, the authentication will fail at first but we'll need to verify the IPSec connection can be established correctly before proceeding with the rest of the configuration. Next, in Authentication Settings you need to enter the password you are going to use with your account and the shared secret specified in /etc/ipsec.secrets. In Advanced, make sure the option "Send all traffic over VPN connection" is checked if you want to appear as from the location of your server.

Now, still on your Mac, open a terminal and run


tail -f /var/log/system.log

then click on Connect in the VPN connection's settings. If everything was fine so far you should see something like this:
Feb 16 22:32:50 Vitos-Mac-Pro-3.local configd[17]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
Feb 16 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: pppd 2.4.2 (Apple version 596.1) started by vito, uid 502
Feb 28 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: L2TP connecting to server '...' (xxx.xxx.xxx.xxx)...
Feb 28 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: IPSec connection started
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: Connecting.
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: IPSec Phase1 started (Initiated by me).
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Feb 28 22:32:53 Vitos-Mac-Pro-3.local racoon[378]: IKE Packet: transmit success. (Phase1 Retransmit).
Feb 28 22:33:00 --- last message repeated 2 times ---
Feb 28 22:33:00 Vitos-Mac-Pro-3.local pppd[87354]: IPSec connection failed
Feb 28 22:33:00 Vitos-Mac-Pro-3.local racoon[378]: IPSec disconnecting from server xxx.xxx.xxx.xxx

Don't worry about the message "IPSec connection failed", that's because we haven't configured the authentication on the server yet; the important thing is that the connection is fine (i.e. "IPSec connection started"). Now, for the authentication, install xl2tpd, with
apt-get install xl2tpd ppp

then edit /etc/xl2tpd/xl2tpd.conf and either change the following settings or just remove everything in there and paste what follows:
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Next, edit /etc/ppp/options.xl2tpd and paste the following:


require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

The last bit of configuration is the file /etc/ppp/chap-secrets which contains the credentials for each VPN account:
# Secrets for authentication using CHAP
# client      server    secret        IP addresses
<username>    l2tpd     <password>    *
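The two secrets files above hold the PSK and every account's password in clear text, so how they are generated and who can read them matters. The script below is an added example, not part of the original post, covering both the apg step and chap-secrets: it generates the shared secret from the kernel RNG instead of apg, writes ipsec.secrets and chap-secrets owner-only, and checks a file for loose permissions or a short PSK. File paths are parameters so the functions can run against copies; the server name l2tpd and the "*" IP column follow the post's chap-secrets.

```shell
#!/bin/bash
# Added example, not from the original post: generates the shared secret
# without apg and writes the two secrets files the post uses, keeping them
# owner-only, since they hold the PSK and every account password in clear.
# File paths are parameters so the functions can run against copies; the
# server name l2tpd and the "*" IP column follow the post's chap-secrets.

# 32 bytes from the kernel RNG, base64 encoded (44 characters).
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Write ipsec.secrets content for one server: <server IP> %any: PSK "<secret>"
write_ipsec_secrets() {
  local file="$1" server_ip="$2" psk="$3"
  ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file" )
}

# Append one chap-secrets account. pppd splits fields on whitespace and uses
# '#' for comments, so empty values or values containing those (or '"') are
# refused rather than written as a broken or truncated entry.
add_chap_user() {
  local file="$1" user="$2" pass="$3"
  case "${user:-#}${pass:-#}" in
    *[[:space:]\"#]*) echo "refusing empty or unsafe credentials"; return 1 ;;
  esac
  ( umask 077; printf '%s l2tpd %s *\n' "$user" "$pass" >> "$file" )
}

# 0 when $1 is readable by its owner only and every PSK in it has at least
# $2 (default 20) characters; prints the first problem and returns 1 otherwise.
secrets_ok() {
  local file="$1" min="${2:-20}" line psk
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    { echo "$file is readable by group or others"; return 1; }
  while IFS= read -r line; do
    case "$line" in
      *': PSK "'*) psk=${line##*': PSK "'}; psk=${psk%'"'}
                   [ ${#psk} -ge "$min" ] || { echo "PSK shorter than $min"; return 1; } ;;
    esac
  done < "$file"
}
```

Note that umask only governs newly created files: appending to an existing world-readable chap-secrets keeps its mode, which is exactly what secrets_ok is there to catch.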

Finally, restart the various services involved:


/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart
/etc/init.d/pppd-dns restart

You should now be able to successfully establish a connection from your Mac client and your IP address, as seen from the Internet, will be that of your VPN server.

Configuring the VPN client on a mobile device should be very simple in most cases; with the iPhone for example, go to Settings -> VPN. Then add a new VPN configuration and enter the same information you have used on your Mac or anyway other client.

Ensure "Send all traffic" is turned on, so to have a more private connection when you are on the move. Finally, go back to the first screen and turn the VPN on. As said in the beginning these instructions have worked for me with several VPN servers, but please let me know if they don't work for you.

See more at: http://vitobotta.com/l2tp-ipsec-vpn-server/
