I was recently asked how to access BBC iPlayer and ITV from New Zealand. These services are geolocked and require you to be in the UK to access them. Anyway, it prompted me to set up a VPN server.
As the VPN server needs to be on 24/7, it should ideally be a machine that needs little power and little maintenance. For this I have chosen an Orange Pi Zero. I have grown to love this little ARM computer: it's so small that it can be powered off a router's USB port, no wall wart required.
This post will aim to guide a user through setting up the VPN server and clients and their associated settings.
The first thing to note is that although L2TP/IPSec is used, there are many flavours of it, and my specific requirement is that the server must be compatible with the native L2TP/IPSec clients on Windows, OSX, Android and iPhone.
IPSec can operate in tunnel mode, where two routers establish an encrypted connection over the internet. In this case we want to set up a client-server relationship, so IPSec transport mode will be used.
To keep things simple we'll also use pre-shared key (PSK) authentication instead of certificates.
Orange Pi OS & VPN Server:
– Armbian, based on Debian Stretch
– xl2tpd to manage L2TP connections
– strongSwan for IPSec
Router Settings
To allow our VPN server to be reachable from the internet, the router needs port forwarding to the Orange Pi for the IPSec ports. The IKE (500) and NAT-Traversal (4500) UDP ports should be open and forwarded to the VPN server, in this case 192.168.1.109.
IP protocol 50 (ESP) also needs to be open and not blocked.
L2TP UDP port 1701 does not need to be forwarded, as we don't want to allow basic unencrypted L2TP tunnels to be opened to our VPN server.
VPN Server Settings
Install xl2tpd and strongswan:
sudo apt-get install xl2tpd
sudo apt-get install strongswan
xl2tpd is the L2TP server and strongswan handles the IPSec.
iptables
To allow clients on the 192.168.20.0/24 network to access the internet, we add this rule:
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE
This basically sets up (double) NAT for the 192.168.20.0/24 private network that the VPN Server manages.
So that DNS queries do not 'leak' out, we also redirect DNS traffic to our selected DNS server:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 192.168.1.1
There’s a good explanation of this command here:
https://www.karlrupp.net/en/computer/nat_tutorial
xl2tpd settings
Configure the xl2tpd settings.
Edit /etc/xl2tpd/xl2tpd.conf:
[global]
port = 1701
access control = no

[lns default]
ip range = 192.168.20.2-192.168.20.20
local ip = 192.168.20.1
require authentication = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.xl2tpd
When VPN clients connect to us we assign them a VPN IP address; in this case I've kept it separate from the 192.168.1.0/24 LAN addresses and used 192.168.20.0/24.
The VPN Server itself now has 2 IP Addresses, 192.168.1.109 and 192.168.20.1. It will also assign IPs in the range of 192.168.20.2-192.168.20.20 as clients connect.
PPP Settings
Why do we need PPP? In a way this is PPP/L2TP/IPSec: PPP packets (carrying the internet data) go through the L2TP tunnel and are then encrypted by IPSec. See https://drfone.wondershare.com/vpn/l2tp-vpn.html for a nice diagram and further explanation.
Normally a PPP server is included with the Linux distro; if not, you can install it using:
apt-get install ppp
Set up the PPP options for the xl2tpd server at /etc/ppp/options.xl2tpd (the path given by pppoptfile above):
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns 192.168.20.1
The ms-dns 192.168.20.1 line sets the DNS server that clients will be told to use for name resolution when they connect to the VPN server. Beware that a DNS leak can be caused if a public resolver such as 8.8.8.8 is used here, as the client will then try to contact 8.8.8.8 directly. Ideally the DNS resolution is done via the VPN server.
If you want more info regarding these settings, go to: https://ppp.samba.org/pppd.html#sect4
On the client side, you'll also want to update /etc/resolv.conf and replace the default nameserver with the VPN IP address too, otherwise you run the risk of DNS leaks.
PPP Authentication
To allow pppd to authenticate users, we need to add each account to the chap-secrets file (fields are: client, server, secret, allowed IP).
Add a user with the following command (as root):
echo "User * mysecretpass *" >> /etc/ppp/chap-secrets
You can also edit the chap-secrets file manually to add users.
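As an added example (not from the original post), a small Python helper that adds an account to chap-secrets without shell-quoting pitfalls: it generates a random secret, rejects fields that would break pppd's whitespace-separated format, refuses duplicate users and keeps the file root-only readable, since the secrets are stored in plain text. The function names are my own, and demo() writes to a throwaway file in a temp directory; pass the real /etc/ppp/chap-secrets path as root for actual use.

```python
import os
import secrets
import shlex
import tempfile

def generate_secret(nbytes=18):
    """Random URL-safe secret: no whitespace, quotes or '#', so it never needs escaping."""
    return secrets.token_urlsafe(nbytes)

def parse_chap_secrets(text):
    """Yield (client, server, secret, ip) tuples from chap-secrets text (pppd word syntax)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        fields = shlex.split(line)                    # honours "quoted" words like pppd does
        if len(fields) >= 3:
            yield (fields[0], fields[1], fields[2], fields[3] if len(fields) > 3 else "*")

def add_chap_user(path, user, secret, server="*", ip="*"):
    """Append one account line; refuse duplicates and characters that break the format."""
    for field in (user, secret, server, ip):
        if not field or any(ch.isspace() or ch in '"#' for ch in field):
            raise ValueError(f"invalid field {field!r}: no whitespace, quotes or '#'")
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    if any(c == user and s == server for c, s, _, _ in parse_chap_secrets(existing)):
        raise ValueError(f"user {user!r} already present for server {server!r}")
    entry = f'"{user}" {server} "{secret}" {ip}'
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(("" if not existing or existing.endswith("\n") else "\n") + entry + "\n")
    os.chmod(path, 0o600)                             # the file holds plaintext secrets
    return entry

def demo(user="alice"):
    """Create a throwaway chap-secrets in a temp dir; return its entries, file mode and path."""
    path = os.path.join(tempfile.mkdtemp(), "chap-secrets")
    add_chap_user(path, user, generate_secret())
    with open(path, encoding="utf-8") as fh:
        entries = list(parse_chap_secrets(fh.read()))
    return entries, os.stat(path).st_mode & 0o777, path

if __name__ == "__main__":
    print(demo())
```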
IPSec Settings
We now have to configure strongSwan. Edit the file /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn vpnserver
    type=transport
    authby=secret
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftid=%any
    right=%any
    auto=add
    esp=aes128-sha1-modp1536
    ike=aes128-sha1-modp1536

include /var/lib/strongswan/ipsec.conf.inc
Take note how the type is 'transport' and authby is 'secret'. This means we are using IPSec in transport mode with PSK authentication. strongSwan uses a 'left' and 'right' style of configuration, where the server is left and the clients are right. Sometimes these can be switched, but strongSwan will figure it out.
In this instance we are using the same IKE/ESP authentication mode as commonly used by Windows/OSX etc, which is aes128-sha1. IKE represents the settings used by IPSec Phase 1 and ESP is the method used in IPSec Phase 2.
Some tutorials have leftid=@myvpn.com. This can cause issues with OSX clients (which use racoon for IPSec), as they check that the server ID matches. If the server ID does not match, Phase 1 can fail.
You can read more about the IPSec phases here:
http://www.brocade.com/content/html/en/vrouter5600/42r1/vrouter-42r1-ipsecvnp/GUID-0B3591F2-F0FE-4F64-ABF9-A3B5F05ABD96.html
and here:
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
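As an added example (not part of the original post or of strongSwan), here is a small Python checker for an ipsec.conf in the layout above: it parses the config/conn sections and flags the settings this section warns about (type and authby, a pinned leftid, legacy algorithms in the ike=/esp= proposals). The embedded sample is a constructed copy of the conn shown above, and the list of flagged tokens is my own choice.

```python
SAMPLE_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file (constructed sample)
config setup
conn vpnserver
    type=transport
    authby=secret
    left=%any
    leftid=%any
    right=%any
    esp=aes128-sha1-modp1536
    ike=aes128-sha1-modp1536
include /var/lib/strongswan/ipsec.conf.inc
"""

# Proposal tokens to flag; sha1 is tolerated only because the native clients still need it.
WEAK_TOKENS = {"md5", "des", "3des", "modp768", "modp1024", "null"}

def parse_ipsec_conf(text):
    """Return {'conn vpnserver': {key: value}, ...}; '#' comments and include lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: section header or directive
            parts = line.split()
            current = None
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
        elif current is not None and "=" in line:   # indented key=value inside a section
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_conn(conn):
    """Warnings for one conn dict, following the requirements stated in the post."""
    warnings = []
    if conn.get("type") != "transport":
        warnings.append("type must be 'transport' for L2TP/IPSec clients")
    if conn.get("authby") != "secret":
        warnings.append("authby must be 'secret' to use the PSK in ipsec.secrets")
    if conn.get("leftid", "%any") != "%any":
        warnings.append("leftid is pinned: macOS (racoon) clients compare it and Phase 1 may fail")
    for key in ("ike", "esp"):
        weak = set(conn.get(key, "").lower().split("-")) & WEAK_TOKENS
        if weak:
            warnings.append(f"{key}= proposal uses weak algorithm(s): {sorted(weak)}")
    return warnings

def check_file(text):
    """Map every conn section of an ipsec.conf text to its list of warnings."""
    return {n: check_conn(c) for n, c in parse_ipsec_conf(text).items() if n.startswith("conn ")}
```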
IPSec Password
The final part is to add the IPSec secret by editing the /etc/ipsec.secrets file:
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

%any %any : PSK "ipsecpass"

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
Stay tuned for Part 2 on how to setup the VPN for the clients such as macOS, Windows, FreeBSD and Ubuntu/Debian Linux!
References:
http://www.jacco2.dds.nl/networking/openswan-l2tp.html
https://drfone.wondershare.com/vpn/l2tp-vpn.html
PPP Manual
https://ppp.samba.org/pppd.html#toc0
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
https://www.karlrupp.net/en/computer/nat_tutorial
Howdy! I just want to give a huge thumbs up for the great information you’ve got here on this post. I will probably be coming back to your blog for more soon.
If there is no requirement for clients to be able to access the internet via the VPN, can all 3 of the ‘iptables -t nat’ rules be left out (i.e. in this case clients can only access services running on the LAN extended by the VPN)?