'THIS PAGE REPLACES MY PREVIOUS HOWTO PAGE AT
* Gentoo Linux L2TP/IPSEC VPN w/ Active Directory/Radius/X.509 serving Windows XP/Vista Clients'
'THIS IS BEING UPDATED FOR NEW VERSIONS - 20 June, 2008'
* PPTP Config Works!
Verified with Vista client
* L2TP/IPsec PSK Config Works!
Verified with Vista client
In this HOWTO you will learn how to configure a VPN server on Gentoo Linux. Most of this would apply to any other Linux distribution - you just need to translate the “emerge” commands into whatever package tool your distribution uses, or download and compile the required software manually.
I've provided instructions on several different VPN configurations, ranging from a simple PPTP link to an L2TP/IPsec VPN using X.509 certificates and authenticating username/password pairs against Active Directory through a RADIUS server. I tried to break each product up into its own section, along with each configuration possible, so you can take from this the pieces you actually need.
When I originally set out to create a VPN server the vast majority of my information came from the website below. If you're looking for more information, help or troubleshooting, check out this site. He's got a lot of detailed technical information that doesn't exist in this howto. Another major difference with his site is that it's focused mostly on Openswan, while this howto covers strongSwan.
* http://www.jacco2.dds.nl/networking/openswan-l2tp.html
Next.. The website below helped me out a lot as well. So if you're lost you could check this out too. As above, this site covers Openswan instead of strongSwan.
* http://www.natecarlson.com/linux/ipsec-l2tp.php
' THIS IS REALLY IMPORTANT ' :
To keep this howto simple - and to get you up and running with minimal complications.
I've used the most basic and minimal configurations in each of these products. It's just enough to get you -working-.
Please take time to read though the documentation provided with each tool so you can be sure your servers are setup how you need them to be.
These configurations might not give you the level of security you really need.
So it's extremely important you review the man pages.
Such as..
* man xl2tpd.conf
* man pppd
* man ipsec.conf
* man pptpd
* man openssl
You need the PPP daemon installed. It is required for every configuration here. It is quick and simple to install, and we can have some instant gratification from having accomplished something!
# emerge ppp
net-dialup/ppp-2.4.4-r15 [2.4.4-r9] USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6 -mppe-mppc" 47 kB
okay you're done :)
It's probably not absolutely necessary to use these specific versions. But this is what I used when making this document.
OS [http://www.gentoo.org Gentoo Linux] sys-kernel/gentoo-sources-2.6.21-r4
PPP [http://www.samba.org/ppp Samba PPP] net-dialup/ppp-2.4.4-r15
PPTP [http://www.poptop.org/ POPTOP] net-dialup/pptpd-1.3.4
L2TP [http://www.xelerance.com/software/xl2tpd/ XL2TPD] net-dialup/xl2tpd-1.1.12
IPSEC [http://www.strongswan.org/ strongSwan] net-misc/strongswan-2.8.4
* I 'really' want to move to 4.x - but I can't get it working. I'm trying!
X.509 [http://openssl.org/ OpenSSL] dev-libs/openssl-0.9.8h
SMB/CIFS [http://www.samba.org/ Samba] net-fs/samba-3.0.30
Kerberos [http://web.mit.edu/kerberos/www/ MIT Kerberos V] app-crypt/mit-krb5-1.6.3-r1
RADIUS [http://www.freeradius.org/ Freeradius] net-dialup/freeradius-1.1.7
AD Server [http://www.microsoft.com Microsoft Windows] 2003 Server
Clients [http://www.microsoft.com Microsoft Windows] Vista/XP
Um, yeah.. you need some stuff in the kernel.. let's see.. I'm not sure if this is an exact list and I'm sorry that I can't be sure for you. But I don't want to recompile my kernel 10 times trying to find the exact items that are really needed. I'm sure you need this stuff though, and if something still doesn't work you can check the strongSwan documentation.. If something is missing from this list please let me know - or if an item isn't actually needed. I'm no genius and sometimes I'm not exactly sure what each kernel module is all about. http://sqls.net/contact ←- Let me know :)
I know.. I needed
* CONFIG_PPP: PPP support (REQUIRED)
* CONFIG_PPP_ASYNC: asynchronous serial line discipline (optional, but highly recommended)
* CONFIG_PPP_DEFLATE: Deflate compression (optional, but highly recommended)
* CONFIG_PPP_BSDCOMP: BSD-Compress compression (optional, but highly recommended)
* CONFIG_PPP_SYNC_TTY: synchronous serial line discipline (optional; used by the 'sync' pppd option)
* CONFIG_PPP_MPPE: MPPE encryption (optional, mostly used by PPTP links)
* CONFIG_PPPOE: PPPoE support (optional, needed by the rp-pppoe plugin)
You could compile these items as modules if you wish, of course.
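If you don't want to rebuild the kernel blind, the script below (an added example, not part of the original howto) checks a kernel config for the PPP options listed above and reports which are built in (=y), modules (=m) or missing. It reads the running kernel's /proc/config.gz when no file is given; the fallback path /usr/src/linux/.config is an assumption.

```shell
#!/bin/sh
# Added example (not from the original howto): check a kernel config for the
# PPP options listed above. Pass a config file path, or give none to read the
# running kernel's /proc/config.gz (falls back to /usr/src/linux/.config,
# which is an assumed location).

# Grouped as the list above describes them.
REQUIRED="CONFIG_PPP"
RECOMMENDED="CONFIG_PPP_ASYNC CONFIG_PPP_DEFLATE CONFIG_PPP_BSDCOMP"
OPTIONAL="CONFIG_PPP_SYNC_TTY CONFIG_PPP_MPPE CONFIG_PPPOE"

# read_config [FILE]: print the config text, decompressing /proc/config.gz
read_config() {
    if [ -n "$1" ]; then cat "$1"
    elif [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
    else cat /usr/src/linux/.config
    fi
}

# config_state [FILE] OPTION: prints y (built in), m (module) or n (not set).
# "# CONFIG_X is not set" lines and absent options both count as n.
config_state() {
    v=$(read_config "$1" | sed -n "s/^$2=\(.\)$/\1/p" | head -n 1)
    case "$v" in y|m) echo "$v" ;; *) echo n ;; esac
}

# check_ppp_kernel [FILE]: report every option; exit 1 only if a REQUIRED
# option is missing, since the others only cost features, not the link.
check_ppp_kernel() {
    rc=0
    for opt in $REQUIRED; do
        s=$(config_state "$1" "$opt")
        if [ "$s" = n ]; then echo "MISSING (required): $opt"; rc=1
        else echo "ok ($s): $opt"; fi
    done
    for opt in $RECOMMENDED; do
        s=$(config_state "$1" "$opt")
        if [ "$s" = n ]; then echo "missing (recommended): $opt"
        else echo "ok ($s): $opt"; fi
    done
    for opt in $OPTIONAL; do
        s=$(config_state "$1" "$opt")
        if [ "$s" = n ]; then echo "absent (optional): $opt"
        else echo "ok ($s): $opt"; fi
    done
    return $rc
}
```

Run it as `check_ppp_kernel` on the VPN box, or `check_ppp_kernel /path/to/.config` before building a new kernel.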
For a bit more help. According to the strongSwan documentation..
The strongSwan 4.x branch currently runs only on Linux 2.6 kernels and depends on its native NETKEY IPsec stack. Please make sure that the following IPsec kernel modules are available:
The rule statements are examples and will most likely need to be modified for your environment.
You only need to open the ports for the daemons you plan to use.
PPTP: you need tcp port 1723 open.
# iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
L2TP: you need udp port 1701 open.
# iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
IPsec: you need the ESP protocol, udp 500 and udp 4500 open.
# iptables -A INPUT -i eth0 -p esp -j ACCEPT # IPSEC ESP
# iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT # IPSEC CONNECT
# iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT # NAT-T IPSEC over UDP
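The helper below is an added example, not part of the original howto: it prints the rules for just the daemons you pick so you can review them before applying. It goes a little beyond the lines above in two places: PPTP also needs the GRE data channel (protocol 47), and udp 1701 is only accepted for packets that arrived inside an IPsec SA (the xt_policy match), so plain unencrypted L2TP never reaches xl2tpd. The interface name eth0 is a constructed default.

```shell
#!/bin/sh
# Added example (not from the original howto): emit iptables rules for the
# selected VPN services instead of opening every port. Nothing is applied;
# pipe the output into sh once you have read it. IFACE=eth0 is a constructed
# default, override it for your box.
IFACE="${IFACE:-eth0}"

# vpn_fw_rules SERVICE... ; SERVICE is any of: pptp l2tp ipsec
vpn_fw_rules() {
    for svc in "$@"; do
        case "$svc" in
            pptp)
                # control channel, plus the GRE tunnel that carries the PPP data
                echo "iptables -A INPUT -i $IFACE -p tcp --dport 1723 -j ACCEPT"
                echo "iptables -A INPUT -i $IFACE -p gre -j ACCEPT"
                ;;
            l2tp)
                # only accept L2TP that was decapsulated from ESP: an unprotected
                # packet to 1701 is dropped before xl2tpd ever sees it.
                # Needs the xt_policy match (CONFIG_NETFILTER_XT_MATCH_POLICY).
                echo "iptables -A INPUT -i $IFACE -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
                ;;
            ipsec)
                echo "iptables -A INPUT -i $IFACE -p esp -j ACCEPT"              # IPsec ESP
                echo "iptables -A INPUT -i $IFACE -p udp --dport 500 -j ACCEPT"  # IKE
                echo "iptables -A INPUT -i $IFACE -p udp --dport 4500 -j ACCEPT" # NAT-T
                ;;
            *)
                echo "unknown service: $svc" >&2
                return 1
                ;;
        esac
    done
}
```

Example: `vpn_fw_rules l2tp ipsec | sh` for the L2TP/IPsec setup, `vpn_fw_rules pptp | sh` for PPTP only.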
If you don't want to use PPTP you can skip right to the next section.
This is the most basic VPN setup.
There are pros and cons you can read about elsewhere on the internet.
* [http://www.google.com/search?q=PPTP+vs+IPsec Google It!]
I find PPTP to be handy in some situations!
It's the easiest client setup on Windows and is supported by almost everything.
Unless you've got a large company and strong security needs - this would probably suit your needs just fine!
First install poptop which can be emerged on Gentoo easily.
# emerge pptpd
net-dialup/pptpd-1.3.4 USE="tcpd -gre-extreme-debug" 0 kB
Now add it to your startup.
# rc-update add pptpd default
You need to edit the /etc/pptpd.conf file to suit your environment.
You want to set 'localip' to the IP Address that your machine will use
to communicate with the client. It can be the local IP of your machine
or another IP not currently assigned on your box. I believe it does
need to be on the same subnet that is assigned to the vpn client.
Change 'remoteip' to the range that will be handed out to the clients.
You can review '/etc/ppp/options.pptpd', which holds the options
that PPP will use when called by POPTOP. I didn't have to change anything
to get the VPN link up, but you may want to, such as setting the DNS/WINS
servers handed to clients.
You need to create a username/password pair for the PPP authentication.
To do this, just add the name into the /etc/chap-secrets file with a password.
The format of the file is:
client server secret ip-to-give-client
So you can narrow things down a bit and say this user can only connect to server x and be given IP x.
But for now, let's get a user working!
So, the below line allows joebob to log in to any server (if you happen to have more than one) and be assigned any IP from the range in the pptpd.conf file.
Okay, now lets start it.
# /etc/init.d/pptpd start
If you have a firewall configured you need to allow inbound access to tcp port 1723.
At this point, it should work. You need to -configure- a client for a PPTP connection and test it.
* http://sqls.net/wiki/HOWTO:_Linux_VPN_Server#Configure_Clients
'NOTE:' You can have -this- configuration authenticate via radius! Just jump down to the section on configuring PPP and Radius.
* http://sqls.net/wiki/HOWTO:_Linux_VPN_Server#freeRADIUS
Now I'm a bit rusty here on all the reasons. But we really want IPsec here, because it adds another layer of security by encrypting data prior to the username/password handshake of PPP. It also gives us the ability to use per-user X.509 certificates, which bring a host of features with them. I believe it's possible to get IPsec working with Windows clients without L2TP, but it's a big pain in several ways. So, first.. let's get L2TP installed, then we will move to the IPsec segment.
First off, we need to install the L2TP daemon! On Gentoo this is easy, of course.
# emerge xl2tpd
net-dialup/xl2tpd-1.1.12 321 kB
NOTE for Gentoo users: if you previously did the PPTP setup, after installing L2TP it will warn you to run etc-update, because it ships a new PPTP config file. I discarded the proposed changes, but you are obviously welcome to make your own choice.
Now, you'll probably want to add this to the default startup too.
# rc-update add xl2tpd default
Okay, now we need a moment of pause for thought… Maybe? You need to map out the IP ranges you want for everything! Here's the IP scheme I plan to use for the remainder of the documentation - but it's likely you'll want something different. This configuration puts the VPN users on a separate IP range and subnet than the internal network. This allows a bit more control over them via firewall rules - and makes things a bit easier for me. So be sure to change each configuration file appropriately if you use different IP addresses.
The IP used by the Server to talk with the Clients * 172.16.45.1 on a 255.255.255.0 netmask
This range of IP addresses are assigned to the VPN clients. * 172.16.45.51 - 172.16.45.249 on a 255.255.255.0 netmask.
LAN (Local Area Network that the VPN is going to be connecting to) * 10.0.0.0 on a 255.255.0.0 netmask.
LAN DNS Server * 10.0.0.4
VPN Server's external/public IP address * 10.0.0.1
Now, lets configure XL2TPD. Please remember these are very basic configuration files. You should read the included documentation for each software package and make sure you are using the most appropriate configuration for your environment and security needs.
First off lets edit the XL2TPD configuration file that should be located at '/etc/xl2tpd/xl2tpd.conf'.
Please note the indentations - they 'are' required in the configuration file.
Next we need to create the PPP options file for XL2TP. This file should be located at '/etc/ppp/options.xl2tpd'.
You can read the man page for pppd for more details on these options. And you should do that!
These options will be used for 'PPPD' when called by 'XL2TPD'.
For me to get things working - I didn't need to add any specific options into this file.
But! For an ideal setup I added ms-dns so my client could resolve names and I added +mschap-v2 so PPP would allow MSCHAP-v2 authentication.
I also disallowed mppe because I don't want double-encryption! IPsec is encrypting everything so I don't need mppe encrypting the PPP packets.
You may not need it!
I highly recommend you read though the man page because I'm sure you'll want something else!
/etc/ppp/options.xl2tpd:
<pre>
ms-dns 10.0.0.4
nomppe
+mschap-v2
</pre>
You need to create a username/password pair for the PPP authentication.
To do this, just add the name into the /etc/chap-secrets file with a password.
The format of the file is:
client server secret ip-to-give-client
So you can narrow things down a bit and say this user can only connect to server x and be given IP x.
But for now, let's get a user working!
So, the below line allows joebob to log in to any server (if you happen to have more than one) and be assigned any IP from the range in the xl2tpd.conf file.
Okay, now let's install IPsec. We're going to use strongSwan for this. There are a handful of options here that you can research if you wish. Openswan is a big one, but after using them both and comparing features and documentation (hey, docs are important!) I ended up picking strongSwan.
On Gentoo, for reasons I don't really know, strongSwan 2.8.0 is the only “stable” ebuild, even though the current strongSwan version is 4.3.2 and even the 4.1 branch is deprecated. So you will need to unmask strongSwan before it will let you install it. To do that:
# echo "~net-misc/strongswan-2.8.4 ~*" >> /etc/portage/package.keywords
Next! We need to enable NAT traversal with IPsec transport mode, and to do that we need to add the 'nat' USE flag for strongSwan.
# echo "net-misc/strongswan nat" >> /etc/portage/package.use
# emerge strongswan
net-misc/strongswan-2.8.4 USE="ldap nat -curl -smartcard" 0 kB
Now, we'll want this to start on boot.
# rc-update add ipsec default
You need to choose between using a Pre-Shared Key (PSK) or Certificates (X509) (or 'both'! coming soon?!). You can probably read about the differences all over the internet and because of that I'm not going into much detail.
Pretty much what we're doing with the IPsec is adding a layer of encryption. You have to encrypt stuff with something and there's two options. Both PSK and X509 Certs get the job done. There are some trade offs though.
Pre-Shared Keys (as far as I know)
* A Pre-Shared Key is shared by all VPN clients.
* Login to the VPN requires a valid username/password and the PSK.
* Easier to set up on both server and clients.
* If you want to change your PSK - you have to change it on 'every' client too.
Certificates (as far as I know)
* Each VPN client gets their very own certificate.
* Login to the VPN requires a valid username/password and certificate.
* A bit more server and client setup.
* You can individually revoke a certificate permanently or temporarily.
Generally, smaller groups find PSK to be good enough and use them - not wanting to deal with the hassle of certificates. Larger sites use certificates for the added security measure. Some of them create some type of work flow management to keep control and track of all the individual certificates. I'm going with the certificates options at my job - and working to write a PHP application to manage all my certificates. Now if I was making a VPN for a couple/few dozen people or just myself and the environment didn't require overkill security measures - I would use PSK in a heartbeat. Because, even with the PSK in a persons hand - they still need to have a valid username/password combo. So if you kill a users account they will not be able to login with the PSK alone. Now if they are super techy geeky smart they could try to “sniff” out another users information and then login as that user with the PSK. With a certificate this isn't as easy because they would need the other users certificate as well.
If you're confused just use a PSK. It'll get you up and running faster and when/if you decide to go with Certificates it's just a few configuration changes on the server and reconfiguring the clients.
Depending on your distribution or installation method this file may exist in different locations.
On Gentoo with the ebuild (emerge) it is at '/etc/ipsec/ipsec.conf' for versions prior to 4.
On other systems it may be located at '/etc/ipsec.conf'
Now we have some options here! If you only need to support Windows Vista, XP SP2, Mac OS-X clients the first option will work fine.
Windows XP SP1 and 2000 need a different configuration line - so to include them use the second or third configuration examples.
'Or! We can combine the common elements into a %default connection to simplify the file'
Depending on your distribution or installation method this file may exist in different locations.
On Gentoo with the ebuild (emerge) it is at '/etc/ipsec/ipsec.secrets' for versions prior to 4.
On other systems it may be located at '/etc/ipsec.secrets'
For a Pre-Shared Key setup this file is pretty simple! You can read the file syntax with
# man ipsec.conf
The below example will allow any host to connect using the PSK 'mysecretpsk'
ipsec.secrets:
<pre>
10.0.0.1 %any: PSK "mysecretpsk"
</pre>
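Since the PSK is shared by every client, it should be long and random rather than a word like 'mysecretpsk', and the file must not be world-readable. The helper below is an added example, not part of the original howto: it generates a 32-byte random key, writes the single-line entry above with the server address first (a wrong first address is one of the failures in the Troubleshooting section), sets mode 0600, and can verify an existing file. The output path is a parameter; the howto's location on Gentoo is /etc/ipsec/ipsec.secrets.

```shell
#!/bin/sh
# Added example (not from the original howto): create and verify a PSK
# ipsec.secrets entry. SERVER_IP is the address clients connect to (10.0.0.1
# in this howto); OUT is the secrets file to write.

# gen_psk [BYTES]: print BYTES (default 32) random bytes as hex from /dev/urandom
gen_psk() {
    dd if=/dev/urandom bs="${1:-32}" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_psk_secret SERVER_IP OUT [PSK]: write 'SERVER_IP %any: PSK "..."'.
# A PSK containing a double quote would break the line syntax, so reject it.
# The file is created with umask 077 so it is never readable by others even
# briefly; the PSK is printed so you can hand it to the clients.
write_psk_secret() {
    ip="$1"; out="$2"; psk="${3:-$(gen_psk)}"
    case "$psk" in
        *'"'*) echo "PSK must not contain a double quote" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$out" ) || return 1
    chmod 600 "$out"
    echo "$psk"
}

# check_psk_secret OUT SERVER_IP: fail if the file is not mode 0600 or has no
# PSK line whose first field is the client-facing server address.
check_psk_secret() {
    out="$1"; ip="$2"
    [ -n "$(find "$out" -perm 600 2>/dev/null)" ] || { echo "$out: mode is not 0600"; return 1; }
    grep -q -- "^$ip %any: PSK \"" "$out" || { echo "$out: no PSK line for $ip"; return 1; }
}
```

After writing the file, restart the ipsec daemon so it re-reads its secrets.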
You're done.
Make sure the ipsec and l2tp daemons are running.
Then configure a windows client to connect to your VPN! * http://sqls.net/wiki/HOWTO:_Linux_VPN_Server#Configure_Clients
'NOTE:' You can have -this- configuration authenticate via radius! Just jump down to the section on configuring Radius.
* http://sqls.net/wiki/HOWTO:_Linux_VPN_Server#freeRADIUS
Coming Soon! Just after I finish the PSK section.
I'm working on this right now! - 25 June 2008
You can configure both PPTP and L2TP configurations to use radius and it revolves around the PPPD for both of them. There's a couple settings specific to poptop and XL2TP but after that we're just going to be looking at the PPPD and radius configuration files.
Well, first off we need to install freeRADIUS. Just one emerge away! We're using 1.1.7 right now. Which is proven and known to be stable. I may move to 2.x branch soon!
# emerge freeradius
net-dialup/freeradius-1.1.7 USE="pam ssl -bindist -debug -edirectory -firebird -frascend -frnothreads -frxp -kerberos -ldap -mysql -postgres -snmp -udpfromto" 3,083 kB
'NOTE:' Please note that many other howtos give you tons of things to change in the freeRADIUS configuration files. For the most part the current freeRADIUS is configured by some pretty smart folks to support just about everything by default. So please don't change things unless you're sure about what you are doing. As with other sections of this howto I've tried to keep the changes to the bare minimum required to get things to work for me.
You will need to edit the /etc/raddb/clients.conf and change the password in the localhost (127.0.0.1) entry to something else - or just use the default of 'testing123' but just make sure you know what it is. Because you'll be needing it a bit later.
Now you'll need to add a user that can be authenticated by freeRADIUS. Later on there is a section that covers integrating with Active Directory, but if you'd just like to get things working or are not using Active Directory at all.. well, it's super simple.
Edit /etc/raddb/users and add the line below (without a leading #, which would turn it into a comment). 'username' is of course the user's login name and 'userpass' is of course the user's password. You can add as many of these entries as you wish. Oh! 'super important' - you should add these entries at the top of the configuration file.
<pre>
username Cleartext-Password := 'userpass'
</pre>
That's it! You should be able to authenticate via freeRadius now. Here's a way to test it.
# radtest username userpass localhost 0 testing123
Change username and userpass to the user you added to the /etc/raddb/users file and change testing123 to the password in the /etc/raddb/clients.conf file. testing123 is the default for localhost so it might work if you haven't changed it. You should get a response like the one shown below if it worked.
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=48, length=20
Depending on how you compiled PPP you may need to recompile it with RADIUS support or install the ppp-radius module, whatever your distribution uses. On Gentoo just add the USE flag “radius” and re-emerge PPP.
# emerge ppp -va
[ebuild R ] net-dialup/ppp-2.4.4-r15 USE="pam radius* -activefilter -atm -dhcp -eap-tls -gtk -ipv6 -mppe-mppc" 0 kB
Now you need to edit the /etc/ppp/radius/servers file and add..
localhost testing123
You should eventually change that password for obvious reasons - it's the default freeRadius password (in the /etc/raddb/clients.conf file) You'll need to change that in both files.
You need to add the following to your PPTP PPP options file, which is normally /etc/ppp/options.pptpd:
<pre>
plugin radius.so
plugin radattr.so
</pre>
And that's it - to get freeRadius to authenticate. There's some more advanced options below like assigning IP addresses with freeRadius and Active Directory support. At this point though you should be able to login using the username/password you added to the freeRadius users file.
Okay! So you want freeRadius to assign the IP addresses to the logged in users? Well it can do that.
Edit the /etc/pptpd.conf file and add the following two options:
<pre>
noipparam
delegate
</pre>
Oh.. 'man pptpd.conf' tells you all about them, Good read.
Yeah.. uh so.. Haven't got here yet.
A bit late? Maybe.. Cause editing these configuration files is a bit of a pain.. I guess. So there's a web interface we could be using! how bout that.. Someday I'll tell you how to use it.
* http://deployingradius.com/documents/configuration/active_directory.html
They describe this just fine, no reason for me to re-write it.
* Configure Windows Vista PPTP VPN
* Configure Windows Vista L2TP/PSK VPN
* Configure Windows Vista RSA VPN
There's a tool called CMAK for Windows 2003 that allows you to create an install file for VPN settings. It includes a lot of extra features including pre/post scripts you can run.
Because spending four hours debugging a non-connecting vpn client to find out the XL2TPD wasn't running….
First off, when you run into trouble make sure you check the logs. Depending on your syslog configuration your logs might end up in different places. You might check '/var/log/messages', '/var/log/auth', '/var/log/daemon' or.. heck! All your /var/log files if you don't find anything in those.
PPPD and XL2TPD log to the daemon facility as pppd and xl2tpd.
strongSwan logs to the auth facility as pluto.
According to [http://www.jacco2.dds.nl/networking/freeswan-l2tp.html Jacco]
When you use l2tpd you will see the message “This binary does not support kernel L2TP” in /var/log/messages. This does not indicate an error. It is just an informational message. The original creators of l2tpd intended to implement support for both user mode and kernel mode L2TP. But they never got around to do kernel mode L2TP.
I found this in my strongSwan log when the 'left' IP address in the ipsec.conf file was set to something other than the IP my clients were connecting to.
This was caused by having the server IP set incorrectly in my ipsec.secrets file. Make sure the first IP address on that line is set to the address that the clients are connecting to.
As the error might imply! This turned up whenever a client tried to connect using the wrong preshared key. Now this could mean someone is trying to break into your system. But if you're testing a client and it doesn't connect and you find this in the log. Make sure the ipsec.secrets file and the client are using the same preshared key.
This might be because the client is still using its non-VPN DNS server. If the client's normal DNS server is from, say.. a Linksys router or some other small device, then it's likely that it's using that DNS server instead of the VPN DNS server. View these pages for more help.
* http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
* http://forums.technet.microsoft.com/en-US/winservercore/thread/94bd0b5f-58fe-4ff7-9ffe-8f5ad97ac0fd/
* http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html
* http://michaelhanney.com/blog/2008/03/30/set-default-nameserver-to-intranet-dns-server-when-using-vpn/
This was caused when I configured my Windows client to require MS-CHAPv2 but I had not configured the server to use mschap-v2.
You can solve this by allowing CHAP authentication on the client, or by adding '+mschap-v2' to the pppd options file (either /etc/ppp/options.pptpd or /etc/ppp/options.xl2tpd depending on which configuration you are using). If you -only- want to allow MS-CHAPv2 you could just add the line 'require-mschap-v2' to the pppd options file and it'll do the trick too.
My understanding is - when using an L2TP/IPsec connection the entire thing is encrypted via IPsec. So MPPE shouldn't be required unless you want double encryption. I've found that there are a couple of ways to solve this problem. It seems you either need to require MPPE in the ppp options file, stop requiring it in the client setup, 'or' enable mschap-v2 in the pppd options file. Now, I'd say enabling mschap-v2 sounds like the best solution.
To enable mschap-v2 add '+mschap-v2' to the PPPD options file for XL2TPD (per this howto, it should be /etc/ppp/options.xl2tpd) - this should be all you need! Unless you want to try the other options. I like this option best because it makes the client configuration less confusing.
To force MPPE in PPP add 'require-mppe' to the PPPD options file for XL2TPD (Per this howto, it should be /etc/ppp/options.xl2tpd)
To configure the client to not require encryption, uncheck the box “Require data encryption” on the Security tab of the Connection. Or follow the detailed Client setup instructions provided in this howto.
You can read more details on this error at jacco's site [http://www.jacco2.dds.nl/networking/openswan-l2tp.html#L2TP-PPPencryption here] or at [http://support.microsoft.com/kb/314831 this] Microsoft site. I'm a tad confused because on jacco's site he also explains something different [http://www.jacco2.dds.nl/networking/vista-openswan.html here]. But maybe it's just an error on his site? I'm not sure.
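Both the options.xl2tpd section and the two error cases above come down to a few lines in the pppd options file that must agree with each other and with the client. The checker below is an added example, not part of the original howto: it tokenises a pppd options file (comments stripped, one or more options per line) and reports the combinations discussed here: no MS-CHAPv2 allowed, 'nomppe' together with 'require-mppe', and 'require-mppe' without the MS-CHAP it depends on. The file path is a parameter; the test uses constructed files.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check a pppd options
# file such as /etc/ppp/options.xl2tpd or /etc/ppp/options.pptpd for the
# contradictions described in the Troubleshooting section.
# Exit status: 0 = consistent, 1 = a problem was reported (or file unreadable).

# has_opt FILE OPTION: true if OPTION appears as a whole word in FILE.
# pppd treats '#' to end of line as a comment and allows several options per
# line, so strip comments and split on whitespace before matching.
has_opt() {
    sed 's/#.*//' "$1" | tr -s '[:space:]' '\n' | grep -qxF -- "$2"
}

# mschap_allowed FILE: true if MS-CHAPv2 is enabled in either form
mschap_allowed() {
    has_opt "$1" '+mschap-v2' || has_opt "$1" 'require-mschap-v2'
}

check_ppp_options() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }

    # Windows clients set to MS-CHAPv2 fail authentication without this.
    if ! mschap_allowed "$f"; then
        echo "$f: neither +mschap-v2 nor require-mschap-v2 is set; clients that require MS-CHAPv2 will fail"
        rc=1
    fi

    # Refusing MPPE and demanding it at the same time cannot be honoured.
    if has_opt "$f" 'nomppe' && has_opt "$f" 'require-mppe'; then
        echo "$f: nomppe and require-mppe are both set"
        rc=1
    fi

    # MPPE keys are derived from the MS-CHAP exchange, so require-mppe
    # without MS-CHAPv2 can never succeed.
    if has_opt "$f" 'require-mppe' && ! mschap_allowed "$f"; then
        echo "$f: require-mppe is set but MS-CHAPv2 is not allowed"
        rc=1
    fi

    # Not an error, just the double-encryption case the text describes.
    if has_opt "$f" 'require-mppe'; then
        echo "$f: note: require-mppe means MPPE on top of IPsec for L2TP/IPsec links"
    fi
    return $rc
}
```

Run `check_ppp_options /etc/ppp/options.xl2tpd` after each edit; a clean file like the one in this howto (ms-dns, nomppe, +mschap-v2) prints nothing and exits 0.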
* [http://blogs.technet.com/rrasblog/archive/2007/04/08/troubleshooting-vista-vpn-problems.aspx Some trouble shooting of windows client errors]
* MPPE
* MPPC
* MS-CHAP
* IPsec
* PPP
* PPTP
* L2TP
* [http://www.jacco2.dds.nl/networking/freeswan-l2tp.html Using a Linux L2TP/IPsec VPN server - a very detailed and helpful document]
* [http://deployingradius.com/documents/configuration/setup.html Deploying RADIUS: Setting up FreeRADIUS]
* [http://www.ipsec-howto.org/ The official IPsec Howto for Linux - kinda out of date]
* [http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto]
* [http://gentoo-wiki.com/HOWTO_PPTP_VPN_client_(Microsoft-compatible_with_mppe) HOWTO PPTP VPN client (Microsoft-compatible with mppe)]
* [http://forums.gentoo.org/viewtopic.php?t=178151 PPTP Tunnels with Kernel 2.6]
* [http://www.natecarlson.com/linux/ipsec-l2tp.php Configuring an IPsec tunnel with OpenSwan and L2TP]
* [http://gagravarr.org/writing/openssl-certs/ca.shtml Certificate Management and Generation with OpenSSL]
* [https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/50333 Info on an OpenSSL bug - that might cause you a headache]
* [http://www.nthdegree.com.au/sverre/publications/141004.html Setting up Openswan with both PSK and Certificates]
* [ftp://ftp.openswan.org/openswan/windows/certimport/ certimport.exe: A tool to insert PKCS12 certificates into Windows]
* [http://www.octaldream.com/~scottm/talks/ssl/opensslca.html Creating a Certificate Authority and Certificates with OpenSSL]
For the hard core geek.
* RFC 1661 (PPP) http://www.ietf.org/rfc/rfc1661.txt
* RFC ???? (PPTP)
* RFC 2661 (L2TP) http://www.ietf.org/rfc/rfc2661.txt
* RFC ???? (IPSEC)
* RFC ???? (X.509)