Gentoo: IPSec, L2TP VPN for iOS

Posted by Jeremy Olexa on September 18, 2012 Leave a comment (18) Go to comments

There are thousands of guides out there on this subject, however I still struggled to set up an IPSEC VPN at first. This is a HOWTO for my own benefit – maybe someone else will use it too. I struggled because most of the guides involved setting up the VPN on a NAT’d host and connecting to the VPN inside the network. I didn’t do that on my linode, which has a static public IP.

My objectives were clear:

Create a connection point that was semi-secure while connecting to open wifi networks
Bypass some “You are not in the US” restrictions while on the road

Step 1: Install applications, net-misc/openswan, net-dialup/xl2tpd
Step 2: Configure openswan:

# cat /etc/ipsec.conf 
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=auto

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.1.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

# cat /etc/ipsec.secrets
1.1.1.1 %any: PSK "TestSecret"

Where 1.1.1.1 is your public eth0 address and 10.152.2.0 is the subnet that xl2tpd will assign IPs from (can be anything, I picked this at the advice of a guide because it is unlikely to be assigned from a router on a public network)

Step 3: Configure xl2tpd:

# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

The local IP must be inside the subnet but outside the IP range above.

# cat /etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

The ms-dns lines are configurable to any DNS server you have access to.

# cat /etc/ppp/chap-secrets
# Format:
# client server secret IP-addresses
#
# Two lines are needed since it is two-sided auth
test l2tpd testpass *
l2tpd test testpass *

Step 4: Configure kernel parameters (sysctl)

# cat /etc/sysctl.conf
# only values specific for ipsec/l2tp functioning are shown here. merge with
# existing file
# iPad VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Remember that sysctl.conf is evaluated at boot so run sysctl -p to get the settings enabled now as well.

Step 5: Configure firewall (iptables):
This is the critical step that I wasn’t grokking from the existing guides in the wild. Even when bringing the firewall down to test, you need the NAT/forwarding rules:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 10.152.2.0/24 -j ACCEPT
# iptables -A FORWARD -j REJECT
# iptables -t nat -A POSTROUTING -s 10.152.2.0/24 -o eth0 -j MASQUERADE

Step 6: Configure the device/client:
Settings -> General -> Network -> VPN -> Add VPN Configuration

L2TP
Description: Description
Server: 1.1.1.1 (or the hostname)
Account: test
RSA SecurID=OFF
Password: testpass
Secret: TestSecret
Send All Traffic=On

Step 7: Verify it works by going to some IP display webpage and it should show 1.1.1.1

Conclusion: The above examples should be enough to get the VPN working. There are some tweaking oppurtunities that I didn’t document or elaborate on. There is plenty of examples out there to look at or research, however. This was all setup without the firewall configuration and the client would connect but there would be no onward internet activity. It acted just like there was a invalid DNS server configured, at that point I looked into setting up a NAT, dnsmasq on the local interface, and other wierd things. In the end, just needed to forward the traffic properly.

With that knowledge of the firewall issue, the ultimate instructions would probably be this page: https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

gentooiOS, linode, VPN

← RTW Trip – What people are asking me (FAQ)

Dropping Celluar, Using Google Voice only →

18 Comments.

Sam September 18, 2012 at 12:00 pm

Thank you for this. I’ve been trying to set something similar on a Gentoo vps and got lost in all the different ways. I can try again.

Reply
- Jeremy Olexa September 18, 2012 at 12:01 pm
  
  I know, it is really confusing out there in the wild. I spent about 4-6 hours getting this far =/
  
  Reply
FishB8 September 18, 2012 at 3:21 pm

Gentoo really needs an official OpenL2TP ebuild…

Reply
- Jeremy Olexa September 18, 2012 at 3:28 pm
  
  It looks like there is an enthusiastic user out there maintaining it. Do you know if it is a drop-in replacement for xl2tpd?
  
  Reply
  - FishB8 September 19, 2012 at 1:55 pm
    
    Not sure if it is totally as simple as a drop-in replacement (setting up the config is no doubt different) but from what I understand, it utilizes the kernel L2TP functionality, while xl2tpd does not. Also has more advanced features.
    
    Reply
    - Jeremy Olexa September 19, 2012 at 1:58 pm
      
      Makes sense. I knew about that kernel vs userspace already. Also, since I only will ever have one client (me) accessing the VPN at a time, I’m not sure I’m worried about the performance penalty. I probably won’t pursue OpenL2TP to be honest.
      
      Reply
      - FishB8 September 20, 2012 at 6:24 pm
        
        I used it on my OpenWRT image that I load onto my little router. The userspace L2TP was a total dog on the little MIPS chip. I used it to connect home with my android phone, but have not had it installed for over a year. (After installing cyanogen on the phone, I switched to OpenVPN)
        
        Reply
Bjarke I. Pedersen September 19, 2012 at 4:54 am

Just wondering, why did you choose openswan instead of strongswan?

It looks like development of openswan has stopped?

Reply
- Jeremy Olexa September 19, 2012 at 7:32 am
  
  Not sure, it is a really confusing space of tools. Seemed like openswan was more popular… ?
  
  Reply
  - Bjarke I. Pedersen September 19, 2012 at 9:02 am
    
    Okay
    
    From what I can tell, strongswan is the one being active developed for the moment, so if possible, I would move to that one – configuration should be pretty close to the other one.
    
    Reply
    - Jeremy Olexa September 19, 2012 at 9:07 am
      
      Yea, cursory research shows similar configuration. I’ll look into it and followup (time permitting). How about a stablereq in the meantime??
      
      Reply
      - Bjarke I. Pedersen September 20, 2012 at 3:28 am
        
        Done – https://bugs.gentoo.org/show_bug.cgi?id=435614
        
        Reply
Dropping Celluar, Using Google Voice only | Jeremy Weblog - pingback on September 26, 2012 at 8:46 pm
Mark Ackley October 3, 2012 at 2:54 am

Use Hotspot Shield Free VPN. http://www.hotspotshield.com

Easy to install.

Reply
- Jeremy Olexa October 3, 2012 at 10:03 am
  
  Why? I’d rather not pay for a service…
  
  Reply
  - Mark Ackley October 4, 2012 at 4:23 am
    
    Its free mate
    
    Reply
    - Jeremy Olexa October 4, 2012 at 9:03 am
      
      Free for the first 7days only, then you need to buy a subscription it looks like from the website
      
      Reply
      - Mark Ackley October 8, 2012 at 11:42 pm
        
        No its free version(ad-supported) is available for lifetime not for just 7 days
        
        Reply

Trackbacks and Pingbacks:

Dropping Celluar, Using Google Voice only | Jeremy Weblog - Pingback on 2012/09/26/ 20:46

jOlexa.net

Current Mission: Travel the World