Linux VPN Guide

Linux VPN Guide will help you to create a Linux-based VPN server which can be accessed from any Windows client (primarily Windows XP, but can be extended to work with older Windows operating systems such as Windows 2000 or 95/98/NT). I wrote this guide because of the pain I went through to get VPN up and running at my work. After a couple of days of struggling and heavy debugging I was able to set up a VPN server on Fedora Core 2 and 3 with latest updates. I decided that VPN installation should not be such a nightmare and tried to make everything as simple as possible in this guide.

Linux-Windows VPN Guide with OpenSWAN, l2tpd and pppd

1) Who should use this guide?

If you have a private network that you want to be able to access remotely in VPN (virtual private networking) environment (for example, if you have servers at your workplace that are firewalled from outside with internal IP addresses such as 192.168.x.x and you want to be able to access them from the internet), this guide is definitely for you.

2) Can this guide be used on production servers?

To be honest, I'm not sure yet. I have been using this VPN solution for a while now and haven't had any problems so far. But if you notice any performance/compatibility/stability related issues, please let me know.

3) What about security?

VPN is a secure virtual tunnel, which means security is built into it. However, just like any "bullet-proof" solution out there, it has its own security-related issues. First of all, this guide only shows you how to use PSK (pre-shared security key) method of authenticating a VPN tunnel. Your VPN tunnel is encrypted with this security key and in case the key is stolen (or broken with a brute-force attack), your security is compromised. You can use other methods of encryption based on SSL (secure socket layer), but the process of setting up a VPN server and connecting the clients to it is rather complicated. You can refer to Jacco's VPN tutorial to set up a VPN solution based on SSL. As long as your PSK is very long, unguessable and not prone to a simple brute-force, you should not worry about security.

4) On what operating systems has this guide been tested on?

Installation has been successfully tested on Redhat Linux 9.0 and Fedora Core 1/2/3/4, but it should also work on any other linux flavor. For BSD systems, you would have to obtain source files for OpenSWAN and change some configuration options on l2tpd to be able to compile everything successfully.

5) Stuff we'll be needing (sources)

Download the following sources to a src directory i.e. /usr/local/src
a) OpenSWAN 2.6.14 from http://www.openswan.org | Mirror
b) l2tpd 0.69 from this site
c) l2tpd Legacy PTY patch from this site
d) l2tpd SysV PTY patch from this site
e)l2tpd startup file from this site

6) Assumptions

It is assumed that ppp is already installed on the system and you are running the latest version of linux kernel 2.4 or 2.6. You can check if you have ppp installed on the system by running a query in your package manager ("rpm -q -a | grep ppp" in Redhat or Fedora). You can check the kernel version by running "cat /proc/version".

7) OpenSWAN installation and configuration

I recommend downloading an RPM from openswan.org instead of the source tarball, since the RPM has the patches integrated to fit your system. In case you want to compile OpenSWAN yourself, you will have to find out which patches you need for your system. Compilation and installation from source is pretty straightforward - just read the README file and follow the instructions. Run the following command to see if you already have OpenSWAN installed: "rpm -q -a | grep openswan". If openswan is not installed, proceed with the installation.

cd /usr/local/src<br />
yum install openswan<br />
yum install openswan-doc<br />

The openswan-doc rpm file includes all the documentation which you might need in the future.
The OpenSWAN installation has a sample ipsec.conf file included. Let's go ahead and rename it:

mv /etc/ipsec.conf /etc/ipsec.conf.old

Now copy-paste the following into /etc/ipsec.conf

version 2.0<br />
config setup<br />
        interfaces=%defaultroute<br />
        klipsdebug=none<br />
        plutodebug=none<br />
        overridemtu=1410<br />
        nat_traversal=yes<br />
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</p>
<p>conn %default<br />
        keyingtries=3<br />
        compress=yes<br />
        disablearrivalcheck=no<br />
        authby=secret<br />
        type=tunnel<br />
        keyexchange=ike<br />
        ikelifetime=240m<br />
        keylife=60m</p>
<p>conn roadwarrior-net<br />
        leftsubnet=192.168.0.0/16<br />
        also=roadwarrior</p>
<p>conn roadwarrior-all<br />
        leftsubnet=0.0.0.0/0<br />
        also=roadwarrior</p>
<p>conn roadwarrior-l2tp<br />
        leftprotoport=17/0<br />
        rightprotoport=17/1701<br />
        also=roadwarrior</p>
<p>conn roadwarrior-l2tp-updatedwin<br />
        leftprotoport=17/1701<br />
        rightprotoport=17/1701<br />
        also=roadwarrior</p>
<p>conn roadwarrior<br />
        pfs=no<br />
        left=150.150.150.150<br />
        leftnexthop=150.150.150.1<br />
        right=%any<br />
        rightsubnet=vhost:%no,%priv<br />
        auto=add</p>
<p>#Disable Opportunistic Encryption<br />
include /etc/ipsec.d/examples/no_oe.conf<br />

Don't forget to replace "150.150.150.150" with your external IP address and "150.150.150.1" with your default gateway. I'm not going to explain what each line above does. If you want to find out for yourself, please refer to OpenSWAN documentation. The above configuration should work for most people, though.
Now edit the file "/etc/ipsec.secrets" and put the following:

150.150.150.150 %any: PSK "a_very_long_string_up_to_256_characters"

The format of the file is: "external_network_address connecting_from: PSK password". Change "150.150.150.150" to your external IP address. If you want to be able to access the network from anywhere on the Internet, leave "%any" intact. I recommend specifying the IP address of the machine that will be used to initiate VPN connections for security reasons though. PSK stands for "Pre-Shared Key" - it's the key that will be shared by both the server and the client for authentication. Make sure that the key is long (up to 256 characters) and very random. Every client trying to establish a VPN connection will have to provide this pre-shared key.

8) l2tpd installation and configuration

First of all, let me give you some information on l2tpd. The project started out really well and a big community was involved in its development. But seems like the project has been suspended for some reason and there haven't been any new releases of l2tpd since version 0.69 which is more than a year old. Latest versions of the linux distributions such as Fedora and Mandrake are compiled with a new SysV pty system. The current version of l2tpd only supports the old pty system and therefore will not work on these distros unless its patched. Jacco de Leeuw talks about this problem in his detailed VPN guide here. An alternative is to switch to rp-l2tp, which is another l2tpd daemon. But it is not a good way out, since it does not support automatic IP allocations to new connections. Another solution is to recompile the kernel with "Legacy (BSD) PTY support", but most people simply don't know how to do that or are too scared to do it. Recompiling the kernel might be a big problem for those who don't have physical access to the machine. After many hours of googling, I was able to find some patches that fix current l2tpd issues and add some features such as binding l2tpd to a specific IP address. Now here is the interesting part - the rp-l2tp package contains pty.c code that is known to work with the new pty system. I tried to simply copy-paste the script into l2tpd pty.c file, modified l2tpd.c to call "pty_get" instead of the old "getPtyMaster", removed all other pty calls and it worked! I was able to test l2tpd setup successfully on a Fedora Core 3 machine without recompiling the kernel :)
I have included two patches on this page. If you have a recent version of a linux distribution with 2.6 kernel, go ahead and download the file "l2tpd-0.69.sysv.patch". If you have an older version of linux with the old pty system, go ahead and download the file "l2tpd-0.69.lpty.patch".
Now, let's install l2tpd and apply the patch:

cd /usr/local/src<br />
tar zxf l2tpd-0.69.tar.gz<br />
mv l2tpd-0.69.sysv.patch l2tpd-0.69/<br />
mv l2tpd /etc/rc.d/init.d/<br />
cd l2tpd-0.69<br />
patch &lt; l2tpd-0.69.sysv.patch<br />
make<br />
cp l2tpd /usr/sbin<br />
chmod 755 /usr/sbin/l2tpd

Running "make" should compile an l2tpd executable without errors. You might get a couple of warnings, but no fatal errors. If you try to compile the source without patching it first, you will most probably get compilation errors (especially on systems with a newer gcc). Now configure the startup environment:

chmod 755 /etc/rc.d/init.d/l2tpd<br />
chkconfig --add l2tpd<br />
chkconfig l2tpd on

Let's move on to configuring l2tpd. The configuration files for l2tpd should be placed in "/etc/l2tpd" folder. Go ahead and create the folder, then copy paste the following into l2tpd.conf:

[global]<br />
port = 1701</p>
<p>[lns default]<br />
ip range = 192.168.1.101-192.168.1.254<br />
local ip = 192.168.1.100<br />
require chap = yes<br />
refuse pap = yes<br />
require authentication = yes<br />
name = LinuxVPN<br />
ppp debug = yes<br />
pppoptfile = /etc/ppp/options.l2tpd<br />
length bit = yes

The "ip range" line is the start and the end pool of the IP addresses the clients will be given when they establish a VPN connection (on their end). The "local ip" is server IP address - it's used only when at least one connection is established. If you have a different internal network, go ahead and change both lines. Everything else should work for most people. Again, if you want to find out what each line does, please feel free to refer to l2tpd documentation.

9) PPP configuration

L2TP tunnels through PPP, which is why we need to configure it to work with l2tpd. The l2tpd configuration above specifies the "/etc/ppp/options.l2tpd" file as "pppoptfile" (PPP options file). Go ahead and create this file and copy-paste the following:

ipcp-accept-local<br />
ipcp-accept-remote<br />
ms-dns  192.168.1.2<br />
ms-wins 192.168.1.3<br />
noccp<br />
auth<br />
crtscts<br />
idle 1800<br />
mtu 1410<br />
mru 1410<br />
nodefaultroute<br />
debug<br />
lock<br />
proxyarp<br />
connect-delay 5000<br />
silent<br />

Change the line "ms-dns" to your real DNS server and "ms-wins" to your WINS server (if you have any).
Now let's create the authentication files. We use CHAP for PPP authentication. Go ahead and edit the file "/etc/ppp/chap-secrets". The format of this file should be "client server secret IP addresses". Here is a sample file:

# Secrets for authentication using CHAP<br />
# client        server           secret            IP addresses<br />
username     *                 "password"      192.168.1.0/24<br />
*                 username     "password"      192.168.1.0/24<br />

You need two lines for each username because it's a two-sided authentication - one from client to server and one from server to client. Both the password and the IP address pool should be the same for both lines. The IP address network that we specify here (192.168.1.0/24) means "allow this username to get an IP address in the range 192.168.1.0 - 192.168.1.255". The l2tpd configuration file above specifies the range to be 192.168.1.101-192.168.1.254, so only the IPs in this range are given to the client on successful authentication. You can change the networks and subnets in both files as needed. If you need more than one account to be able to access the server, go ahead and add it in the same format.

10) Starting and testing VPN

Everything is installed and configured. Let's go ahead and start the daemons:
Starting l2tpd:

/etc/rc.d/init.d/l2tpd start<br />
Starting l2tpd: [  OK  ]

Starting OpenSWAN:

/etc/rc.d/init.d/ipsec start

ipsec_setup: Starting Openswan IPsec 2.4.0...
ipsec_setup: insmod /lib/modules/2.6.10-1.741_FC3/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.10-1.741_FC3/kernel/net/ipv4/xfrm4_tunnel.ko

Take a look at /var/log/messages and /var/log/secure and make sure there are no errors. You should see notification messages such as "l2tpd: l2tpd startup succeeded" and "ipsec_setup: Starting Openswan IPsec 2.4.0...". If there are no errors, everything is up and running - proceed to next step.

11) Firewall configuration

To be able to route packets from your external to internal interfaces, packet forwarding must be turned on. Edit /etc/sysctl.conf and change "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". If you don't have that file, just type "echo 1 > /proc/sys/net/ipv4/ip_forward" and add this line to your /etc/rc.d/rc.local file. Restart your networking by typing "/etc/rc.d/init.d/network restart" or whichever way you restart your network interfaces.
Make sure that the following ports are open: UDP 500 & 4500, TCP 4500. If any of these ports are blocked, VPN will not work. If you have Redhat/Fedora distributions with iptables, insert these lines into your /etc/sysconfig/iptables file, before REJECT line at the end of the file:

-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT<br />
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT

One more thing you should keep in mind while changing your firewall configuration - your internal and VPN network should be trusted, otherwise your firewall will keep rejecting packets from 192.168.x.x network into your LAN. I solve this by simply adding the first two lines above into my iptables file. The interface eth0 is external and eth1 is physically inside my internal network, of course :)

Nasim Mansurov is a professional photographer based out of Denver, Colorado. He is the author and founder of The Mansurovs, along with a number of other online resources. Read more about Nasim here.

Related posts:

1. Guide updates
2. ProcMail Installation and Configuration Guide
3. Cisco IOS VPN – PPTP & L2TP + NAT with Microsoft Active Directory
4. GCC 2.95.3 Guide
5. Linux as a desktop operating system?