VPNs: Setting up your own IPSEC VPN
This is the second part of a two-part article about setting up your own VPN services. In the first article I talked about how to set up an SSL-based VPN server. While SSL-based VPNs are very useful and require no inherent support from the OS, they’re only as good as the supported clients. If there isn’t a client for your device, you’re out of luck.
Think Linux, Mac, Windows, iOS, Android, Blackberry
This is where an IPSEC VPN is useful. There is built-in native support on almost all operating systems, including iPad, iPhone, Blackberry, Android, Linux, Mac, and Windows.
Why setup your own VPN?
Well, quite frankly I’m a little biased since I love computer security and might be a little paranoid. But to be honest, it’s amazing how much having your own VPN can come in handy. No more worries about open Wi-Fi networks (think coffee shop), filtering of content, or using work’s VPN for personal business. Don’t pay for a VPN service; it’s really not hard to set up your own for free.
Before you begin
As mentioned in the previous article, these instructions are based on an installation of Ubuntu Linux. However, it really is very easy to port them to another Linux distribution; I promise! If you want help, leave a comment.
One last thing before we dive in. This isn’t exactly “command line kung fu” (sed & awk) but if you’re uncomfortable using the command line, quit now. After all, I assume that if you know what an IPSEC VPN is and you’re reading this to set up your own IPSEC server, you know how to use the command line. You didn’t expect it to be point-and-click did you?
FYI, I have personally tested the following setup and configuration as working flawlessly on: iPad, iPod Touch, Ubuntu Linux, Mac OS X, Windows XP, and Windows 7.
Installing the software
You can start by installing the packaged version of OpenSwan using your package installer (apt-get, yum, rpm, dpkg, etc.), but I’d highly recommend that you instead download the latest release and compile it yourself. The latest version will have the most up-to-date security fixes, which may not have made it into the packages yet.
Building from source can be a nightmare if you run into dependency hell so it’s easiest to have the package manager install all of the build dependencies.
nobody@nobody:~/$ sudo apt-get build-dep openswan
Next, visit the download page for OpenSwan and note the latest release number. At this time, the latest release is 2.6.37. Make sure you replace the version number below with the latest release.
nobody@nobody:~/$ export OS_REL=2.6.37
nobody@nobody:~/$ wget <URL from the OpenSwan download page>/openswan-${OS_REL}.tar.gz
Since OpenSwan now uses the Linux kernel’s native IPSEC stack (added in 2.6 and backported to 2.4), installation is much simpler than it used to be. Just extract, build, and install.
nobody@nobody:~/$ tar xvvzf openswan-${OS_REL}.tar.gz
nobody@nobody:~/$ cd openswan-${OS_REL}
nobody@nobody:~/$ make programs
nobody@nobody:~/$ sudo make install
IPSEC gives us a point-to-point link between the VPN client and the VPN server, so we need to install the Point-to-Point Protocol (PPP) daemon.
nobody@nobody:~/$ sudo apt-get install ppp dnsmasq
Since we’ll be sending PPP frames over the Internet, we need a way to tunnel them over the Internet Protocol (IP). The Layer 2 Tunneling Protocol (L2TP) does just this: it tunnels PPP frames (and other types of frames) over IP. Essentially, L2TP creates a UDP packet with an L2TP header that wraps the PPP frame. It’s also worth noting that L2TP is used only as a means of transport; IPSEC will provide the confidentiality, authentication, and integrity of the packet. Let’s install it.
nobody@nobody:~/$ sudo apt-get install xl2tpd
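The encapsulation just described, as an added example that is not part of the original post: a small Python parser and builder for the L2TPv2 data-message header (RFC 2661), run over a constructed PPP frame. It makes the security point concrete: the tunnel and session IDs, the PPP protocol field and the inner IP packet are all readable from the UDP payload, which is exactly why IPSEC has to wrap the whole L2TP packet.

```python
import struct

# L2TPv2 header flag bits (RFC 2661, section 3.1)
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200


def parse_l2tp(data):
    """Parse an L2TPv2 header from a UDP/1701 payload; return (fields, ppp_frame)."""
    flags, = struct.unpack("!H", data[:2])
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 message")
    hdr = {"control": bool(flags & T_BIT)}
    pos = 2
    if flags & L_BIT:                      # optional total-length field
        hdr["length"], = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    if flags & S_BIT:                      # optional Ns/Nr sequence numbers
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if flags & O_BIT:                      # optional offset: payload starts later
        offset, = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + offset
    return hdr, data[pos:hdr.get("length", len(data))]


def build_l2tp_data(tunnel_id, session_id, ppp_frame):
    """Wrap a PPP frame in a data message (T=0) with the Length field set."""
    body = struct.pack("!HH", tunnel_id, session_id) + ppp_frame
    return struct.pack("!HH", L_BIT | 2, 4 + len(body)) + body


def ppp_protocol(ppp_frame):
    """PPP protocol number (0x0021 = IPv4); readable by anyone on the path without IPSEC."""
    if ppp_frame[:2] == b"\xff\x03":       # HDLC address/control bytes, if not compressed
        ppp_frame = ppp_frame[2:]
    return struct.unpack("!H", ppp_frame[:2])[0]


# Constructed sample: a PPP frame carrying a (truncated) IPv4 packet
PPP_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00" + b"\x00" * 18
PACKET = build_l2tp_data(7, 42, PPP_FRAME)

if __name__ == "__main__":
    fields, frame = parse_l2tp(PACKET)
    print(fields, hex(ppp_protocol(frame)))  # tunnel 7, session 42, protocol 0x21
```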
We’re now finished with the install part. Next up, we need to configure all of the settings. Be prepared, it’s a lot of configuration!
We’ll set up our VPN to use a Pre-Shared Key (PSK) since it’s the easiest to configure on devices and is still sufficiently secure as long as good practices are used to generate the key (long and random).
Configuring IPSEC
First up, we need to configure the actual IPSEC settings of OpenSwan. You do that by editing /etc/ipsec.conf. You’ll see terms like ‘right’ and ‘left’; these refer to the two ends of the VPN connection. In our case, ‘left’ is the VPN server and ‘right’ is the connecting client.
version 2.0

# basic configuration
config setup
    # Enable this if you're behind a router
    nat_traversal=yes
    # exclude networks used on server side so they don't conflict with your NAT
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16,%v4:172.16.0.0/12
    # which IPsec stack to use. netkey is the Linux kernel implementation
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is normally transport mode; this setup was tested with tunnel mode
    type=tunnel
    # public IP address of this server and its gateway (left side)
    left=
    leftnexthop=
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    # The remote user.
    right=%any
    rightprotoport=17/%any
Then create a pre-shared key in /etc/ipsec.secrets:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
%any : PSK "STRONG_PASSWORD"
Configuring L2TP
Next up for configuration is L2TP. You can do that by adding the following to the bottom of /etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = yes

[lns default]
# The range of ips to assign the client when connecting
ip range = 10.8.1.2-10.8.1.255
local ip = 10.8.1.1
# We're going to use CHAP-v2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configuring PPP
You’ll notice we referenced an options.xl2tpd file in the previous configuration file. Let’s set that up next by editing /etc/ppp/options.xl2tpd:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Now we need to set up the username and password to authenticate with in /etc/ppp/chap-secrets. This is different from the pre-shared key that you set up previously. Do not make the passwords the same. Note that the ‘server’ column needs to match the ‘name’ parameter in the previous configuration file.
# Secrets for authentication using CHAP
# client    server    secret        IP addresses
username    l2tpd     strong_pass   *
Configuring the firewall and system start-up
We’re still not done with configuration, hang in there, this is the last one!
We need to configure iptables to properly forward our packets, enable IP forwarding in the Linux kernel, and adjust a few other kernel settings related to the IP stack. If you don’t configure these, OpenSwan will complain and may not work properly. Edit /etc/rc.local and add the following:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0
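As an added example (not part of the original post), a Python script that cross-checks the files configured above for the mistakes this guide warns about: a short pre-shared key, a CHAP password equal to the PSK, a chap-secrets ‘server’ column that does not match pppd’s ‘name’, a ‘local ip’ inside the client pool, and a client pool the iptables rules do not cover. The file contents are constructed inline to mirror the snippets above (on a real host, read them from disk instead), and the 20-character minimum for the PSK is my assumption.

```python
import ipaddress
import re

# Constructed sample contents mirroring the files edited in this guide
# (embedded so the check runs offline; swap in open(path).read() on a real host)
IPSEC_SECRETS = '%any : PSK "STRONG_PASSWORD"\n'
XL2TPD_CONF = "[lns default]\nip range = 10.8.1.2-10.8.1.255\nlocal ip = 10.8.1.1\n"
PPP_OPTIONS = "require-mschap-v2\nname l2tpd\n"
CHAP_SECRETS = "# client server secret IP addresses\nusername l2tpd strong_pass *\n"
RC_LOCAL = ("iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT\n"
            "iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE\n")
MIN_PSK_LEN = 20  # assumption: a minimum for "long and random"


def parse_kv(text):
    """Return 'key = value' pairs from an xl2tpd.conf, skipping sections and comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def check_config(ipsec_secrets, xl2tpd_conf, ppp_options, chap_secrets, rc_local):
    """Return a list of readable problems; an empty list means every check passed."""
    problems = []
    match = re.search(r'PSK\s+"([^"]*)"', ipsec_secrets)
    psk = match.group(1) if match else ""
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    # pppd's 'name' must equal the 'server' column of every chap-secrets entry
    name = next((l.split()[1] for l in ppp_options.splitlines() if l.startswith("name ")), None)
    for line in chap_secrets.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        client, server, secret = line.split()[:3]
        if server != name:
            problems.append(f"chap-secrets server '{server}' != pppd name '{name}'")
        if secret == psk:
            problems.append(f"user '{client}' reuses the IPsec PSK as CHAP password")
    # the server's own address must sit outside the client pool
    conf = parse_kv(xl2tpd_conf)
    lo, hi = (ipaddress.ip_address(a) for a in conf["ip range"].split("-"))
    if lo <= ipaddress.ip_address(conf["local ip"]) <= hi:
        problems.append("local ip lies inside the client ip range")
    # both ends of the pool must fall inside the iptables -s subnets
    nets = [ipaddress.ip_network(n) for n in re.findall(r"-s (\S+)", rc_local)]
    if not all(any(a in n for n in nets) for a in (lo, hi)):
        problems.append("client ip range not covered by the iptables -s subnets")
    return problems
```

Run against the sample values it reports only the placeholder PSK as too short; on a real host, every warning it prints is a setting to fix before opening the VPN to the Internet.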
Last steps
At this point, you’ll need to either restart your server or execute /etc/rc.local if you’d prefer not to restart.
Congratulations, you now have a working IPSEC VPN. If you’re familiar with how to set up a client on your operating system, you should be able to fire one up and connect right away. If not, follow one of the many guides that are available online to figure out your specific configuration. Feel free to comment if you need help.
Enjoy!