{"id":373,"date":"2014-03-12T11:23:39","date_gmt":"2014-03-12T00:23:39","guid":{"rendered":"https:\/\/icicimov.com\/blog\/?p=373"},"modified":"2017-01-09T23:27:47","modified_gmt":"2017-01-09T12:27:47","slug":"373","status":"publish","type":"post","link":"https:\/\/icicimov.com\/blog\/?p=373","title":{"rendered":"IPSec VPN server setup in Amazon VPC with OpenSwan"},"content":{"rendered":"<p><div class=\"fx-toc fx-toc-id-373\"><h2 class=\"fx-toc-title\">Table of contents<\/h2><ul class='fx-toc-list level-1'>\n\t<li>\n\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#overview\">Overview<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#server-installation-and-setup\">Server installation and setup<\/a>\n\t\t<ul class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#installation\">Installation<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#ipsec-configuration\">IPsec configuration<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#chap-authentication\">CHAP authentication<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#xl2tpd-daemon\">XL2TPD daemon<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#firewall\">Firewall<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#configure-the-kernel\">Configure the kernel<\/a>\n\t\t\t<\/li>\n\t\t<\/ul>\n\t<li>\n\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#clients-setup\">Clients setup<\/a>\n\t\t<ul class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#linux\">Linux<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"https:\/\/icicimov.com\/blog\/?p=373#mac\">Mac<\/a>\n\t\t\t<\/li>\n<\/ul>\n<\/ul>\n<\/div>\n<br \/>\nThe access to our Amazon VPC&#8217;s atm is based on ssh key pairs. 
While this works fine and is reasonably secure, it requires each EC2 instance to have an interface in a public subnet, which is not always desired. Usually the service layout is divided vertically into tiers, with only the LB&#8217;s and some application servers at the top being publicly accessible, while the rest (application servers, databases, shared storage etc.) sit in private subnets only, thus keeping public and private traffic separated. Sometimes a situation may also arise where we need access to a VPC but don&#8217;t have the access keys with us, or we need to connect over an untrusted wireless network. For these reasons, setting up a VPN instance that allows clients, so-called <code>road warriors<\/code>, to connect becomes a necessity.<\/p>\n<h1><span id=\"overview\">Overview<\/span><\/h1>\n<p>The VPN server will run on an EC2 micro instance, so the monthly cost of running it is around $5. It will be an IPsec\/L2TP VPN server, which offers high security.<\/p>\n<p>In short, these are the key elements of the setup:<\/p>\n<ul>\n<li>OS = Ubuntu 12.04 Server LTS<\/li>\n<li>Kernel = 3.2.0-59-virtual<\/li>\n<li>L2TP daemon = xl2tpd 1.3.1<\/li>\n<li>IPsec implementation = Openswan 2.6.37-1<\/li>\n<li>IPsec stack = Netkey (26sec) &#8211; (supplied as part of kernel 2.6)<\/li>\n<li>IKE \/ key management daemon = pluto &#8211; (supplied as part of <code>Openswan<\/code>)<\/li>\n<\/ul>\n<p>I&#8217;m going to give a short description of each of the parts involved here.<\/p>\n<p><code>xl2tpd<\/code>: a daemon implementing the Layer 2 Tunneling Protocol (L2TP), which is used to support virtual private networks (VPNs) (RFC 2661). <code>L2TP<\/code> facilitates the tunneling of Point-to-Point Protocol (PPP) packets across an intervening network in a way that is as transparent as possible to both end-users and applications. 
The main purpose of this protocol is to tunnel PPP frames through IP networks; the Link Control Protocol (LCP) is responsible for establishing, maintaining and terminating the PPP connection. L2TP does not provide any encryption or confidentiality itself; it relies on an encryption protocol to encrypt the tunnel and provide privacy, hence L2TP is used together with <code>IPsec<\/code>, which provides the encryption.<\/p>\n<p><code>Openswan<\/code>: a set of tools for doing IPsec on Linux operating systems. The tool-set consists of three major components:<\/p>\n<ul>\n<li>configuration tools<\/li>\n<li>key management tools (aka <code>pluto<\/code>)<\/li>\n<li>kernel components (KLIPS and 26sec)<\/li>\n<\/ul>\n<p><code>pluto<\/code>: the key management daemon, i.e. the Internet Key Exchange (IKE) daemon. <code>IKE<\/code>&#8217;s job is to negotiate Security Associations for the node it is deployed on. A Security Association (SA) is an agreement between two network nodes on how to process certain traffic between them. This processing involves encapsulation, authentication, encryption, or compression.<\/p>\n<p><code>netkey<\/code>: the name of the IPsec <code>stack<\/code> in the 2.6 kernel, used here to encrypt the PPP packets carried over the L2TP tunnel. <code>Netkey<\/code> is a relatively new IPsec stack based on the KAME stack from BSD. Netkey is also referred to as the <code>26sec<\/code> or <code>native<\/code> stack. Netkey supports both IPv4 and IPv6.<\/p>\n<p><code>pppd<\/code>: the Point-to-Point Protocol daemon, which is used to manage network connections between two nodes. Specifically, <code>pppd<\/code> sets up the transport for IP traffic within the L2TP tunnel for the VPN.<\/p>\n<p><code>VPN client<\/code>: any PC, mobile device or network using an IPsec PSK tunnel with the <code>l2tp<\/code> secret enabled. 
The client may also support PPTP, plain L2TP and certificate-based authentication.<\/p>\n<h1><span id=\"server-installation-and-setup\">Server installation and setup<\/span><\/h1>\n<h2><span id=\"installation\">Installation<\/span><\/h2>\n<p>Installation is fairly simple, we just run:<\/p>\n<pre><code>root@vpn-server:~# aptitude install -y openswan xl2tpd\n<\/code><\/pre>\n<h2><span id=\"ipsec-configuration\">IPsec configuration<\/span><\/h2>\n<p>We take a backup of the IPsec config file <code>\/etc\/ipsec.conf<\/code> and modify it as follows:<\/p>\n<pre><code>version 2.0\n\nconfig setup\n  dumpdir=\/var\/run\/pluto\/\n  nat_traversal=yes\n  virtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12,%v4:25.0.0.0\/8,%v6:fd00::\/8,%v6:fe80::\/10\n  oe=off\n  protostack=netkey\n  nhelpers=0\n  interfaces=%defaultroute\n  #plutodebug=all\n\nconn vpnpsk\n  auto=add\n  left=172.31.12.198\n  leftid=&lt;my-vpn-server-dns&gt;\n  leftsubnet=172.31.12.198\/32\n  leftnexthop=%defaultroute\n  leftprotoport=17\/1701\n  rightprotoport=17\/%any\n  right=%any\n  rightsubnetwithin=0.0.0.0\/0\n  forceencaps=yes\n  authby=secret\n  pfs=no\n  type=transport\n  auth=esp\n  ike=3des-sha1\n  phase2alg=3des-sha1\n  dpddelay=30\n  dpdtimeout=120\n  dpdaction=clear\n<\/code><\/pre>\n<p>The important thing here is that <code>leftid<\/code> needs to point to the public IP (the EIP of the EC2 instance) or, as in my case, to the DNS name hosted in Route53, since <code>left<\/code> is the instance&#8217;s private address.<\/p>\n<p>Next we generate a random, hard to guess PSK (the one shown below is of course not the one I used on the server):<\/p>\n<pre><code>root@vpn-server:~# ipsec ranbits --continuous 128\n0xe37ef1c5f42eb7dde93a974a5dcc7b2c\n<\/code><\/pre>\n<p>Then we use this key in the secrets file <code>\/etc\/ipsec.secrets<\/code>:<\/p>\n<pre><code>&lt;my-vpn-server-dns&gt; %any  : PSK \"0xe37ef1c5f42eb7dde93a974a5dcc7b2c\"\n<\/code><\/pre>\n<p>This line says that any client connecting to this host (&lt;my-vpn-server-dns&gt;) should use this password as the shared key. If we have just created this file we need to set proper permissions on it:<\/p>\n<pre><code>root@vpn-server:~# chmod 600 \/etc\/ipsec.secrets\n<\/code><\/pre>\n<h2><span id=\"chap-authentication\">CHAP authentication<\/span><\/h2>\n<p>The CHAP authentication file <code>\/etc\/ppp\/chap-secrets<\/code> is where we put our users and their credentials.<\/p>\n<pre><code># Secrets for authentication using CHAP\n# client    server  secret          IP addresses\n\n&lt;my-user&gt;    l2tpd   &lt;my-password&gt;   *\n&lt;my-user-2&gt;  l2tpd   &lt;my-password-2&gt;   192.168.42.41\n<\/code><\/pre>\n<p>We have two users here with their user names and passwords. The last parameter on each line specifies the IP address the client should get upon successful connection. The first user will simply get the first available IP from the pool specified in the xl2tpd configuration in the next step. If we have just created this file we need to set proper permissions on it:<\/p>\n<pre><code>root@vpn-server:~# chmod 0600 \/etc\/ppp\/chap-secrets\n<\/code><\/pre>\n<h2><span id=\"xl2tpd-daemon\">XL2TPD daemon<\/span><\/h2>\n<p>There are two configuration files we need to set up here. The first is <code>\/etc\/xl2tpd\/xl2tpd.conf<\/code>:<\/p>\n<pre><code>[global]\nport = 1701\n\n;debug avp = yes\n;debug network = yes\n;debug state = yes\n;debug tunnel = yes\n\n[lns default]\nip range = 192.168.42.10-192.168.42.250\nlocal ip = 192.168.42.1\nrequire chap = yes\nrefuse pap = yes\nrequire authentication = yes\nname = l2tpd\n;ppp debug = yes\npppoptfile = \/etc\/ppp\/options.xl2tpd\nlength bit = yes\n<\/code><\/pre>\n<p>The second is the PPP options file <code>\/etc\/ppp\/options.xl2tpd<\/code> referenced by <code>pppoptfile<\/code> above:<\/p>\n<pre><code>ipcp-accept-local\nipcp-accept-remote\nms-dns 8.8.8.8\nms-dns 8.8.4.4\nnoccp\nauth\ncrtscts\nidle 1800\nmtu 1280\nmru 1280\nlock\nconnect-delay 5000\n<\/code><\/pre>\n<h2><span id=\"firewall\">Firewall<\/span><\/h2>\n<p>We need to open TCP port 500, and UDP ports 500 (IKE), 1701 (L2TP) and 4500 (NAT-T) in the EC2 instance 
security group. On the server itself we need to set up iptables for the ppp0 interface and the network the clients will get their IPs from:<\/p>\n<pre><code>root@vpn-server:~# iptables -t nat -A POSTROUTING -s 192.168.42.0\/24 -o eth0 -j MASQUERADE\nroot@vpn-server:~# iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT\nroot@vpn-server:~# iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT\n<\/code><\/pre>\n<p>To make these rules persist across reboots we need to install the <code>iptables-persistent<\/code> package:<\/p>\n<pre><code>root@vpn-server:~# aptitude install iptables-persistent\nroot@vpn-server:~# iptables-save &gt; \/etc\/iptables\/rules.v4\n<\/code><\/pre>\n<h2><span id=\"configure-the-kernel\">Configure the kernel<\/span><\/h2>\n<p>Append the following to the end of the sysctl configuration file <code>\/etc\/sysctl.conf<\/code>; this enables IP forwarding and disables sending and accepting ICMP redirects:<\/p>\n<pre><code>net.ipv4.ip_forward=1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.lo.accept_redirects = 0\nnet.ipv4.conf.lo.secure_redirects = 0\nnet.ipv4.conf.lo.send_redirects = 0\nnet.ipv4.conf.eth0.accept_redirects = 0\nnet.ipv4.conf.eth0.secure_redirects = 0\nnet.ipv4.conf.eth0.send_redirects = 0\n<\/code><\/pre>\n<p>Save the file and apply the settings:<\/p>\n<pre><code>root@vpn-server:~# sysctl -p\n<\/code><\/pre>\n<p>Final check:<\/p>\n<pre><code>root@vpn-server:~# ipsec verify\nChecking your system to see if IPsec got installed and started correctly:\nVersion check and ipsec on-path                                 [OK]\nLinux Openswan U2.6.37\/K3.2.0-58-virtual (netkey)\nChecking for IPsec support in kernel                            [OK]\n SAref kernel support                                           [N\/A]\n NETKEY:  Testing XFRM related proc values                      [OK]\n    [OK]\n    [OK]\nChecking that 
pluto is running                                  [OK]\n Pluto listening for IKE on udp 500                             [OK]\n Pluto listening for NAT-T on udp 4500                          [OK]\nTwo or more interfaces found, checking IP forwarding            [OK]\nChecking NAT and MASQUERADEing                                  [OK]\nChecking for 'ip' command                                       [OK]\nChecking \/bin\/sh is not \/bin\/dash                               [WARNING]\nChecking for 'iptables' command                                 [OK]\nOpportunistic Encryption Support                                [DISABLED]\n<\/code><\/pre>\n<p>All is OK, so now we can start the services and move on to the client configuration.<\/p>\n<pre><code>root@vpn-server:~# \/etc\/init.d\/ipsec restart\nroot@vpn-server:~# \/etc\/init.d\/xl2tpd restart\n\nroot@vpn-server:~# ifconfig ppp0\nppp0      Link encap:Point-to-Point Protocol\n          inet addr:192.168.42.1  P-t-P:192.168.42.10  Mask:255.255.255.255\n          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1\n          RX packets:10809 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:10375 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:3\n          RX bytes:2054854 (2.0 MB)  TX bytes:3895668 (3.8 MB)\n<\/code><\/pre>\n<h1><span id=\"clients-setup\">Clients setup<\/span><\/h1>\n<h2><span id=\"linux\">Linux<\/span><\/h2>\n<p>Installing the client is fairly simple:<\/p>\n<pre><code>$ sudo aptitude install l2tp-ipsec-vpn\n<\/code><\/pre>\n<p>Then either launch the <code>L2TP IPsec VPN Manager<\/code> from the Applications menu or enable the L2TP applet as shown in the screenshot and click on it.<\/p>\n<p>This basically does the following:<\/p>\n<p>Adds the shared key to the IPsec secrets file <code>\/etc\/ipsec.secrets<\/code>:<\/p>\n<pre><code>%any @&lt;my-vpn-server-dns&gt;: PSK 0t0xe37ef1c5f42eb7dde93a974a5dcc7b2c\n<\/code><\/pre>\n<p>Adds the connection to the xl2tpd conf file 
<code>\/etc\/xl2tpd\/xl2tpd.conf<\/code>:<\/p>\n<pre><code>[lac SAI_VPC_AU]\nlns = &lt;my-vpn-server-dns&gt;\npppoptfile = \/etc\/ppp\/SAI_VPC_AU.options.xl2tpd\nlength bit = yes\nredial = no\n<\/code><\/pre>\n<p>And sets the user credentials in the <code>\/etc\/ppp\/SAI_VPC_AU.options.xl2tpd<\/code> file.<\/p>\n<blockquote><p>\n  This app has a bug in the Ubuntu 12.04 version that doesn&#8217;t exist in 10.04, 11.04 or 11.10: the user password is not passed on during the connection, and the workaround is to set it manually in the <code>\/etc\/ppp\/SAI_VPC_AU.options.xl2tpd<\/code> file.\n<\/p><\/blockquote>\n<p>So right after the <code>name<\/code> line we add a <code>password<\/code> line, as shown below in the <code>\/etc\/ppp\/SAI_VPC_AU.options.xl2tpd<\/code> file:<\/p>\n<pre><code># \/etc\/ppp\/SAI_VPC_AU.options.xl2tpd - Options used by PPP when a connection is made by an L2TP daemon\n# $Id$\n\n# Manual: PPPD(8)\n\n# Created: Sun Mar 9 16:54:40 2014\n#      by: The L2TP IPsec VPN Manager application version 1.0.6\n#\n# WARNING! All changes made in this file will be lost!\n\n#debug\n#dump\n#record \/var\/log\/pppd\n\nplugin passprompt.so\nipcp-accept-local\nipcp-accept-remote\nidle 72000\nktune\nnoproxyarp\nasyncmap 0\nnoauth\ncrtscts\nlock\nhide-password\nmodem\nnoipx\n\nipparam L2tpIPsecVpn-SAI_VPC_AU\n\npromptprog \"\/usr\/bin\/L2tpIPsecVpn\"\n\nrefuse-eap\nrefuse-pap\nrefuse-mschap\nrefuse-mschap-v2\n\nremotename \"\"\nname \"&lt;my-user&gt;\"\npassword \"&lt;my-password&gt;\"\n\nusepeerdns\n<\/code><\/pre>\n<p>The bad news is that whenever we use the VPN Manager again it will overwrite our changes and we&#8217;ll have to do this over again.<\/p>\n<p>The log file from the server showing the session being successfully established:<\/p>\n<pre><code>Mar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: Connection established to &lt;my-public-ip-reducted&gt;, 1701.  Local: 49762, Remote: 50824 (ref=0\/0).  
LNS session is 'default'\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: control_finish: Warning: Peer did not specify transmit speed\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: start_pppd: I'm running:\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"\/usr\/sbin\/pppd\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"passive\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"nodetach\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"192.168.42.1:192.168.42.10\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"refuse-pap\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"auth\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"require-chap\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"name\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"l2tpd\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"file\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"\/etc\/ppp\/options.xl2tpd\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"ipparam\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"&lt;my-public-ip-reducted&gt;\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: \"\/dev\/pts\/3\"\nMar  8 11:00:28 ip-172-31-12-198 xl2tpd[23625]: Call established with &lt;my-public-ip-reducted&gt;, Local: 32087, Remote: 16751, Serial: 1\nMar  8 11:00:28 ip-172-31-12-198 pppd[23907]: pppd 2.4.5 started by root, uid 0\nMar  8 11:00:28 ip-172-31-12-198 pppd[23907]: Using interface ppp0\nMar  8 11:00:28 ip-172-31-12-198 pppd[23907]: Connect: ppp0 &lt;--&gt; \/dev\/pts\/3\nMar  8 11:00:28 ip-172-31-12-198 pppd[23907]: local  IP address 192.168.42.1\nMar  8 11:00:28 ip-172-31-12-198 pppd[23907]: remote IP address 192.168.42.10\n<\/code><\/pre>\n<p>Then I was able to connect to one of the servers in the VPC from my PC by simply using its private IP:<\/p>\n<pre><code>igorc@silverstone:~$ ssh ubuntu@172.31.18.41\nThe authenticity of host '172.31.18.41 (172.31.18.41)' can't be established.\nECDSA key fingerprint is 
d2:93:cd:e5:cc:6c:45:52:76:09:34:bf:6f:a4:fc:9d.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added '172.31.18.41' (ECDSA) to the list of known hosts.\nubuntu@172.31.18.41's password:\nWelcome to Ubuntu 12.04.2 LTS (GNU\/Linux 3.2.0-49-virtual x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\/\n\n  System information as of Sat Mar  8 22:04:24 EST 2014\n\n  System load:  0.16              Processes:           113\n  Usage of \/:   84.2% of 7.87GB   Users logged in:     0\n  Memory usage: 50%               IP address for eth0: 172.31.18.41\n  Swap usage:   0%                IP address for eth1: 172.31.51.41\n\n  Graph this data and manage this system at https:\/\/landscape.canonical.com\/\n\n159 packages can be updated.\n81 updates are security updates.\n\nGet cloud support with Ubuntu Advantage Cloud Guest\n  http:\/\/www.ubuntu.com\/business\/services\/cloud\n\nUse Juju to deploy your cloud instances and workloads.\n  https:\/\/juju.ubuntu.com\/#cloud-precise\n*** \/dev\/xvda1 will be checked for errors at next reboot ***\n\nYou have new mail.\nLast login: Thu Mar  6 15:25:36 2014 from &lt;my-public-ip-reducted&gt;\nubuntu@ip-172-31-18-41:~$\n<\/code><\/pre>\n<p>If we prefer to do things manually, the step-by-step start (without the applet) would be:<\/p>\n<pre><code>root@igor-laptop:~# service xl2tpd restart\nroot@igor-laptop:~# service ipsec restart\nroot@igor-laptop:~# ipsec auto --add SAI_VPC_AU\nroot@igor-laptop:~# ipsec auto --up SAI_VPC_AU\nroot@igor-laptop:~# echo \"c SAI_VPC_AU\" &gt; \/var\/run\/xl2tpd\/l2tp-control\n<\/code><\/pre>\n<p>Then, to end the VPN connection:<\/p>\n<pre><code>root@igor-laptop:~# ipsec auto --down SAI_VPC_AU\nroot@igor-laptop:~# echo \"d SAI_VPC_AU\" &gt; \/var\/run\/xl2tpd\/l2tp-control\nroot@igor-laptop:~# service ipsec stop\nroot@igor-laptop:~# service xl2tpd stop\n<\/code><\/pre>\n<h2><span id=\"mac\">Mac<\/span><\/h2>\n<p>Open your network 
settings:<\/p>\n<ul>\n<li>Click on the <code>+<\/code> button in the top-left corner of the interfaces list<\/li>\n<li>Select a VPN interface of the <code>IPSec L2TP<\/code> type and give it a name<\/li>\n<li>In the address field, put the public IP of our VPN server (you can get it via <code>nslookup<\/code> on &lt;my-vpn-server-dns&gt;)<\/li>\n<li>In the account name field, put the VPN user name (<code>&lt;my-user&gt;<\/code> from the chap-secrets file)<\/li>\n<li>Click on Authentication Settings, fill in the VPN password (<code>&lt;my-password&gt;<\/code>) in the first field and the IPsec PSK in the second box, then click OK<\/li>\n<li>Click on Advanced Settings, select &#8220;Send all traffic&#8221; and click OK<\/li>\n<li>If you are running a firewall, make sure the appropriate ports are not blocked (see the Firewall section)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The access to our Amazon VPC&#8217;s atm is based on ssh key pairs. While this is working fine and is pretty much secure it requires though each EC2 instance having public subnet interface which is not always desired. 
Usually the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,12],"tags":[32,36],"class_list":["post-373","post","type-post","status-publish","format-standard","hentry","category-aws","category-devops","tag-aws","tag-vpn"],"_links":{"self":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=373"}],"version-history":[{"count":2,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/373\/revisions"}],"predecessor-version":[{"id":375,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/373\/revisions\/375"}],"wp:attachment":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}