For you road warriors who wish to set up their own VPN to secure their traffic when using any untrusted/unprotected networks (“free” WiFi?) when travelling, this would be the thing you use: a trusted VPN setup.
While I did dabble with OpenVPN sometime back, protocols like L2TP would be more commonly supported, especially on the “venerable” iOS device (iPhone, iPod Touch, iPad), and on Windoze machines, Android, etc.
This post will be on what you’ll need to setup a L2TP server in Ubuntu for iOS devices to connect to. The server is assumed to be directly accessible from the internet. Some of the stuff are taken from other places, for my own reference here. There’s also a great write up on IPsec over at Steve Friedl’s Unixwiz.net Tech Tips site, for you geeks who actually want to understand a little regarding what you’re using (high five!).
The L2TP server setup mainly comprises of three parts actually (surprise!). The L2TP daemon, IPsec daemon and the PPP daemon (providing DHCP services).
- install openswan (for IPsec), xl2tpd (L2TP) and ppp
- configure the (Linux) kernel to turn on IP forwarding, and IP masquerading if the iptables firewall is on
- configure the device itself
- take a break, have a pina colada or something
Step #1: install
sudo apt-get install openswan ppp xl2tpd
Say “No” to creating a certificate when installing openswan. You will be using a pre-shared secret (password) instead.
Step #2: configure
The config files:
version 2.0 config setup nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/16,%v4:172.16.0.0/12 oe=off protostack=netkey include /etc/ipsec.d/l2tp-psk.conf
(change left & leftnexthop values accordingly)
left is your external interface IP
leftnexthop is the router for the external interface
conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no type=transport left=192.168.1.22 leftnexthop=192.168.1.1 leftprotoport=17/1701 right=%any rightprotoport=17/%any dpddelay=15 dpdtimeout=30 dpdaction=clear #Uncomment the line below for OSX on MAC? untested! #rightprotoport=17/0
(change ip range & local ip)
Important: “local ip” value must be outside “ip range”
[global] ipsec saref = yes [lns default] ip range = 192.168.1.231-192.168.1.239 local ip = 192.168.1.230 refuse chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
(change ms-dns value to point to the relevant DNS resolver for the server)
require-mschap-v2 ms-dns 192.168.1.1 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4
(change and create username & password values as needed)
In the example below, username=test and password=testpass
Important: The IP address (“192.168.1.233″) for each user must be in the “ip range” from the /etc/xl2tpd/xl2tpd.conf setting. Repeat for additional users using different IP addresses within the range.
# Secrets for authentication using CHAP # client server secret IP addresses test l2tpd testpass 192.168.1.233
(change IP address to your external IP, and the secret “TestSecret” to something else)
192.168.1.22 %any: PSK "TestSecret"
Restart the daemons after configuring. Remember to configure your firewall for inbound access on UDP/500, UDP/4500 and UDP/1701 too.
sudo /etc/init.d/pppd-dns restart sudo /etc/init.d/xl2tpd restart sudo /etc/init.d/ipsec restart
Step #3: configure IP forwarding
edit this file below, and add in these lines above the “exit 0;” line in the file (the last line)
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
after editing the file, run it once first
Step #4: configure your device
iOS (iPhone, etc.) settings are below, the settings for desktops like Windows should be similar. You can set them in iOS devices under Settings > General > Network > VPN > Add VPN Configuration…remember to change the example accordingly to what you set in your own configuration files above (you didn’t use the sample configuration flies wholesale…did you?)
L2TP Description: <as you wish> Server: <server's external IP address> Account: test RSA SecurID: OFF Password: testpass Secret: TestSecret Send All Traffic: ON Proxy: Off
Step #5: take a break
You’ve survived! Now take a breather
Step #6: profit!
Turn on the VPN by activating the slider in Settings, and enjoy!