[Tutorial] IPSEC/L2TP VPN on Ubuntu 14.04
This is a guide on setting up an IPsec/L2TP VPN server on Ubuntu 14.04, using Openswan as the IPsec server, xl2tpd as the L2TP provider, and ppp with local users / PAM for authentication. Every step is explained in detail. We choose the IPsec/L2TP protocol stack because of the recent vulnerabilities found in pptpd VPNs and because it is supported by default on all major operating systems.
Why a VPN?
More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.
A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to live or travel to.
This tutorial is available for the following platforms:
- Raspberry Pi with Arch Linux ARM
- CentOS 6, Scientific Linux 6 or Red Hat Enterprise Linux 6
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
This tutorial was written and tested on a Digital Ocean VPS. They've added Ubuntu 14.04 as a supported image right away when it was released! If you like this tutorial and want to support my website, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212
IPsec encrypts and authenticates your IP packets, so no one can read or forge data between your clients and your server. L2TP provides the tunnel through which that data is sent; it offers no encryption or authentication of its own, which is why we use it together with IPsec.
To work through this tutorial you should have:
- 1 Ubuntu 14.04 server with at least 1 public IP address and root access
- 1 (or more) clients running an OS that supports IPsec/L2TP VPNs (Ubuntu, Mac OS, Windows, Android).
- Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall.
I do all the steps as the root user. You should too, but only via sudo -i or su -. Do not allow root to login via SSH!
Install ppp, openswan and xl2tpd
First we will install the required packages:
apt-get install openswan xl2tpd ppp lsof
The openswan installation will ask some questions; this tutorial works with the default answers (just press Enter through them).
Firewall and sysctl
We are going to set up the firewall and make sure the kernel forwards IP packets.
Execute this command to add the iptables NAT rule that lets VPN clients reach the internet through the server:
iptables --table nat --append POSTROUTING --jump MASQUERADE
Execute the commands below to enable kernel IP packet forwarding and disable ICMP redirects:
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
Also apply the redirect settings to every existing network interface:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
Apply them:
sysctl -p
Persistent settings via /etc/rc.local
To make sure this keeps working at boot you might want to add the following to /etc/rc.local:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
Add it before the exit 0 line.
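To check that the firewall and sysctl steps above took effect, here is an added audit script (example code, not part of this tutorial or its author's scripts). It reads an iptables-save nat dump and sysctl output, reports MASQUERADE/SNAT rules in POSTROUTING that lack an out interface and source subnet (the hardening the comments on this page arrive at), and lists sysctl keys that do not hold the values set above; the sample dumps inside it are constructed, and 192.168.42.0/24 and eth+ are the values quoted in the comments.

```python
"""Added audit helper (not part of the tutorial): flags POSTROUTING MASQUERADE/SNAT
rules in an iptables-save nat dump that lack -o/-s, and diffs sysctl output against
the keys the tutorial sets. 192.168.42.0/24 and eth+ come from the comments."""
import re
import shlex

# Keys the tutorial appends to /etc/sysctl.conf, with the values it expects.
EXPECTED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.rp_filter": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}

def parse_rule(line):
    """Map '-A POSTROUTING -s x -o y -j MASQUERADE' to {flag: value} pairs."""
    argv = shlex.split(line)
    return {argv[i]: argv[i + 1] for i in range(0, len(argv) - 1, 2)}

def audit_nat_rules(iptables_save_text):
    """(rule, missing flags) for POSTROUTING MASQUERADE/SNAT rules lacking -o or -s."""
    findings = []
    for line in iptables_save_text.splitlines():
        opts = parse_rule(line) if line.startswith("-A POSTROUTING") else {}
        if opts.get("-j") in ("MASQUERADE", "SNAT"):
            missing = [flag for flag in ("-o", "-s") if flag not in opts]
            if missing:
                findings.append((line, missing))
    return findings

def audit_sysctl(sysctl_text):
    """{key: (expected, actual)} for tutorial keys that differ or are missing in 'sysctl -a' output."""
    actual = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", sysctl_text, re.M))
    return {k: (v, actual.get(k)) for k, v in EXPECTED_SYSCTL.items() if actual.get(k) != v}

# Constructed sample: the tutorial's bare rule beside the hardened form from the comments.
SAMPLE_NAT = ("-A POSTROUTING -j MASQUERADE\n"
              "-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j MASQUERADE\n")
# Constructed sample: forwarding still off, most keys absent (sysctl -p not yet run).
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_redirects = 0\n"

if __name__ == "__main__":
    for rule, missing in audit_nat_rules(SAMPLE_NAT):
        print("unrestricted NAT rule, add %s: %s" % (" ".join(missing), rule))
    for key, (want, got) in audit_sysctl(SAMPLE_SYSCTL).items():
        print("sysctl %s is %s, expected %s" % (key, got, want))
```

On a live server, pass the text of `iptables-save -t nat` and `sysctl -a` to the two functions instead of the constructed samples.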
Comments
Thanks for writing this guide! A question bugs my mind though. Some people have advised me to switch from OpenVPN to an IPsec-based VPN - what's the advantage of the latter over the former?
Nicely elaborated at https://www.ivpn.net/pptp-vs-l2tp-vs-openvpn
IPSEC/L2TP is supported without extra clients on Windows, OS X, iOS and Android.
OpenVPN allows an obfuscated VPN, allows other ports (443 for example) and it is (IMHO) easier to set up OpenVPN with certificate based login.
So L2TP with IPsec is compatible with more platforms than OpenVPN but it's a bit slower, right? Is there any comparison for the performance?
I've yet to try L2TP (I couldn't manage to get it to work CentOS->MacBook, I had been getting an authorization error even though I had it set up correctly), primarily gonna use it as a tunnel for gaming purposes so speed/stability is what I was looking for. OpenVPN has connection drops for about a few seconds which is fatal in an MMORPG game. Gonna try this guide on another box and see if it works and observe the performance.
Set both up and do some measurements. It will also depend on your own internet connection.
Here's a tutorial I also wrote for CentOS 6, which works with a Macbook on OS X 10.8 and 10.9 (tested by myself, hehe): https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-Red_Hat_Enterprise_Linux_or_Scientific-_Linux_6.html
That's a problem on your end.
You can even choose between TCP and UDP with OpenVPN, so you got extra means to deal with not-reliable connections vs reliable connections where speed is a priority.
Not that L2TP with IPsec is a bad election at all, but OpenVPN is more flexible.
Is this possible on an OpenVZ VPS?
If yes, which modules need to be enabled?
Well, common mistake (serious security hole):
iptables -t nat -A POSTROUTING -j MASQUERADE
This works from your LAN, but allows outsiders to masquerade through your firewall.
That's the whole reason I am sticking to OpenVPN, in fact I'm using your debian script
I am pretty sure there's no problem on my end. I have pings running simultaneously to various servers just to ensure it's not my connection dropping but the VPN itself.
PS: I am on UDP since it's more reliable than TCP when it comes to latency (iirc)
Tell me more?
Then maybe there's a problem on the connection between you and the server or between the server and the destination. Maybe a mtr can help you locate some packet loss, but I still don't think it's a software problem.
UDP is better latency-wise yeah, but TCP is more reliable if you want a stable connection. Since you have reliability issues, I would recommend switching to TCP and testing, even when it will not solve bigger problems (like long network cuts). If you want to try, just edit
proto udp
to
proto tcp
in the server.conf and client.conf files and do
/etc/init.d/openvpn restart
on the server.
I guess @jimmyvu was saying that it is safer to use SNAT only so that people from the outside world cannot initiate new connections through your VPN server. Here are the relevant IPTables rules in my IPsec/L2TP VPN Auto Setup Script for Ubuntu 12.04. Also see my GitHub Gist here.
In the rules above 192.168.42.0/24 is the range of your VPN network, and ${PRIVATE_IP} is your server's local IP. If you set up SNAT without DNAT and accept only established connections from eth+ to ppp+, this ensures that the outside world cannot initiate new connections through your VPN back to your PC or phone, or whatever. Otherwise if you use MASQUERADE, they can attack your device from the outside.
Explain this a bit more please? How would one do that then? I've got the MASQ rule from Red Hat documentation on iptables...
I've changed it to SNAT, which also works, however, I'd like to see some more information or sources on MASQ not being secure. My google-fu did not find that much...
I'm looking for exactly the same guide but with Strongswan instead of Openswan. Strongswan is leaner (no L2TP required, connection is established instantly) and actively maintained. But I have been unable to set it up using XAUTH in 14.04, the package structure seems to have changed.
It looks like I did not explain it clearly in my previous post... Actually the problem is NOT with MASQUERADE vs. SNAT. They are basically the same except that MASQUERADE is easier to use with a dynamic server IP (does not require you to specify it).
Upon searching on Google I finally found out the problem - for security one should ALWAYS specify an out interface (and source subnet, see example below) in a MASQUERADE or SNAT rule. see the following post for reference:
http://www.linuxquestions.org/questions/linux-security-4/iptables-dnat-snat-and-masquerading-264649/#post1343099
Quote:
"WARNING.. MASQ may work in either direction if your rules are too simple
BAD EXAMPLE: iptables -t nat -A POSTROUTING -j MASQUERADE
Always specify an (-o) out interface as a minimum guide."
To fellow LETers - If you have a VPN server, for security, double check your IPTables SNAT or MASQUERADE rule. It should specify the source subnet and out interface (e.g. -s VPN_NETWORK_RANGE -o eth+).
I wish that L2TP had a custom port option
Thanks! I've updated the tutorial.
Hi!
I have tried to follow this tutorial but can't make it work.
Any help appreciated.
My test environment is very easy:
Windows 8.1 laptop 192.168.10.190 <--> wifi router <--> ubuntu-ipsec-server 192.168.10.14.
An extract of the ipsec.conf looks like this:
Note that I have tried both with and without setting the leftprotoport.
Also note that I have added the L2TP-PSK-NAT block at the top.
xl2tpd.conf looks like this:
When starting up xl2tpd I get the following message in syslog:
ubuntu-ipsec xl2tpd[2160]: Listening on IP address 0.0.0.0, port 1701
Is this ok?
The result of
ipsec verify
is the same as yours.
I have made a simple chap setup with password set in chap secrets:
The firewall has been opened as described in your howto.
iptables has been setup as described with the -o option added:
When trying to connect from the laptop I get the following error message on the laptop:
The auth.log looks like this:
Based on a wireshark dump it looks like the client and server are in connection according to the auth.log above:
The rest is some ARP messages and BROWSER announcements.
What am I doing wrong?
Br,
Arne
One step further! :-)
The clue here is the error messages in the Auth.log where all the Oakley Transforms are rejected.
In Raymii's IPsec on Ubuntu 14.04 tutorial he has the following config in ipsec.conf:
After commenting out this and opening the firewall for ESP I got connected! :-)
So it seems like Windows 8.1 is not happy with this setting.
Next thing to figure out is how to fix that the client is blocked from DNS lookup through the VPN:
Arne
For the IKE Oakley issue, take a look at:
https://lists.openswan.org/pipermail/users/2014-April/022947.html
Regarding the DNS lookup problem try adding a UFW NAT rule to unblock forwarding of UDP port 53.
I'd recommend using plain IPSec without L2TP. It's more likely to traverse NAT and just more simple.
Strongswan is actively maintained, so I would recommend it over openswan. Racoon is another good choice.
If you're using OpenVZ, you almost never can use IPSec (only on individual providers like BuyVM, who can enable modules for you). You can use user-space IPSec implementations, like SoftEther or RockHopper.
I'll adapt the tutorials to match this soon.
There is no native client support in windows and OS X.
You're wrong. There is native support in both windows and os x.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
Hi,
You have said at the beginning, among the other "Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall."
But when I do this, as in the guide, the xl2tpd service is running on 1701 UDP, not TCP. Also I have no rules in my iptables:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And when I try to connect it says that L2TP server is not available.
The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.