Raymii.org
Quis custodiet ipsos custodes?Home | About | All pages | Cluster Status | RSS Feed
IPSEC L2TP VPN on Ubuntu 13.10 with OpenSwan, xl2tpd and ppp
Published: 01-12-2014 | Author: Remy van Elst | Text only version of this article
❗ This post is over ten years old. It may no longer be up to date. Opinions may have changed.
Table of Contents
This is a guide on setting up an IPSEC/L2TP vpn server with Ubuntu 13.10 using Openswan as the IPsec server, xl2tpd as the l2tp provider and ppp or local users / PAM for authentication. It has a detailed explanation with every step. We choose the IPSEC/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs.
This tutorial is available for the following platforms:
Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:
I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!
Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!
IPSec encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. L2TP provides a tunnel to send data. It does not provide encryption and authentication though, that is why we need to use it together with IPSec.
To work trough this tutorial you should have:
- 1 ubuntu 13.10 server with at least 1 public IP address and root access
- 1 (or more) clients running an OS that support IPsec/L2tp vpns (Ubuntu, Mac OS, Windows, Android).
- Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall.
If you are not running Ubuntu 13.10 you might have to compile the packages manually because openswan and xl2tpd in the older repositories seem to have critical bugs which make this all fail.
I do all the steps as the root user. You should do to, but only via * -i* or * su -*. Do not allow root to login via SSH!
Install ppp openswan and xl2tpd
First we will install the required packages:
apt-get install openswan xl2tpd ppp lsof
The openswan installation will ask some questions, this tutorial works with the default answers (just enter through it).
Firewall and sysctl
We are going to set the firewall and make sure the kernel forwards IP packets:
Execute this command to enable the iptables firewall to allow vpn traffic:
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%
Replace %SERVERIP% with the external IP of your VPS.
Execute the below commands to enable kernel IP packet forwarding and disable ICP redirects.
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
Now apply these settings for other network interfaces:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
And apply them:
sysctl -p
Persistent settings via /etc/rc.local
To make sure this keeps working at boot you might want to add the following to /etc/rc.local:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%
Add it before the exit 0 line and replace %SERVERIP% with the external IP of
your VPS.
Configure Openswan (IPSEC)
Use your favorite editor to edit the following file:
/etc/ipsec.conf
Replace the contents with the following:
(Most lines have a comment below it explaining what it does.)
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#start at boot
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
type=transport
#because we use l2tp as tunnel protocol
left=%SERVERIP%
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
Replace %SERVERIP% with the external IP of your server.
Do note that the config file has changed with this Ubuntu release. If you have upgraded Ubuntu or followed an earlier tutorial, make sure you change the config for ipsec.
The shared secret
The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is
long and random:
%SERVERIP% %any: PSK "69EA16F2C5DCED8B29E74A7D1B0FE99E69F6BDCD3E44"
Verify IPSEC Settings
Now to make sure IPSEC works, execute the following command:
ipsec verify
My output looks like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.8.0-19-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The /bin/sh and Opportunistic Encryption warnings can be ignored. The first
one is a openswan bug and the second one causes xl2tpd to trip.
Configure xl2tpd
Use your favorite editor to edit the following file:
/etc/xl2tpd/xl2tpd.conf
Replace the contents with the following:
[global]
ipsec saref = yes
saref refinfo = 30
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- ip range = range of IPs to give to the connecting clients
- local ip = IP of VPN server
- refuse pap = refure pap authentication
- ppp debug = yes when testing, no when in production
Do note that the config file has changed with this Ubuntu release. If you have upgraded Ubuntu or followed an earlier tutorial, make sure you change the config for xl2tpd.
Local user (PAM//etc/passwd) authentication
To use local user accounts via pam (or /etc/passwd), and thus not having plain
text user passwords in a text file you have to do a few extra steps. Huge thanks
to Sascha Scandella for the hard work and troubleshooting.
In your /etc/xl2tpd/xl2tpd.conf add the following line:
unix authentication = yes
and remove the following line:
refuse pap = yes
In the file /etc/ppp/options.xl2tpd make sure you do not add the following
line (below it states to add it, but not if you want to use UNIX
authentication):
require-mschap-v2
Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:
login
Change /etc/pam.d/ppp to this:
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
Add the following to /etc/ppp/pap-secrets:
* l2tpd "" *
(And, skip the chap-secrets file below (adding users).)
Configuring PPP
Use your favorite editor to edit the following file:
/etc/ppp/options.xl2tpd
Replace the contents with the following:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
- ms-dns = The dns to give to the client. I use googles public DNS.
- proxyarp = Add an entry to this systems ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
- name l2tpd = is used in the ppp authentication file.
Adding users
Every user should be defined in the /etc/ppp/chap-secrets file. Below is an
example file.
# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
- client = username for the user
- server = the name we define in the ppp.options file for xl2tpd
- secret = password for the user
- IP Address = leave to * for any address or define addresses from were a user can login.
Testing it
To make sure everything has the newest config files restart openswan and xl2tpd:
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
On the client connect to the server IP address (or add a DNS name) with a valid user, password and the shared secret. Test if you have internet access and which IP you have (via for example http://whatsmyip.org. If it is the VPN servers IP then it works.
If you experience problems make sure to check the client log files and the
ubuntu /var/log/syslog and /var/log/auth.log files. If you google the error
messages you most of the time get a good answer.