2

Install VPN Server with Linux

This is how I installed L2TP IPSEC VPN server from a debian squeeze Linux at home, now I can connect the VPN from my iPhone, iPad and Windows 7 laptop

All stuff source is grabbed from here, well documented by Steeve, but just in case it dissapears one day and for my own informations, I add to my blog. For more detailled instruction and explanations, see his blog.

My local network is 192.168.1.0/24 and the VPN server is 192.168.1.7, my local DNS server is 192.168.1.8

What do you need ?

  • A debian linux box with
  • Openswan
  • xl2tp

Install the software

aptitude install openswan xl2tpd

During installation choose to not use certifcate, we will use pre-shared key

edit the file /etc/ipsec.conf, my local network is 192.168.1.0/24 so I changed the line virtual_private as follow :

virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12

removed the warning when starting service about certificate in the same file

protostack=netkey

Then paste the following code at the end of the file

conn L2TP-PSK
authby=secret
pfs=no
rekey=no
keyingtries=3
dpddelay=30
dpdtimeout=60
dpdaction=clear
compress=yes
left=%defaultroute
leftprotoport=udp/1701
right=%any
rightprotoport=udp/0
auto=add

Now edit /etc/ipsec.secrets and add a line similar to this :

%any %any: PSK "MyPreSharedKeyStrongPassword"

if your external IP is fixed you can replace the 1st %any by your external IP, mine is not.

then edit /etc/xl2tpd/xl2tpd.conf. I added the following to mine.

[global]
access control = no
rand source = dev

[lns default]
ip range = 192.168.1.100-192.168.1.110
local ip = 192.168.1.7
require chap = yes
refuse pap = no
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
length bit = yes

ip range is your LAN reserved IP for the VPN clients, they should be removed from your dhcp range, the local IP is the VPN server IP

now copy the file /etc/ppp/options to /etc/ppp/options.l2tp

cp /etc/ppp/options /etc/ppp/options.l2tp

and edit the new file /etc/ppp/option.l2tp

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.8
noccp
name vpn
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin pppol2tp.so
require-mschap-v2

ms-dns is your local DNS server, name is a name that will use in the next file

Finally, add entries to /etc/ppp/chap-secrets to set up individual VPN users

mylogin vpn "mypassword" 192.168.1.7/24
vpn mylogin "mypassword" 192.168.1.7/24

mylogin is the client’s login options-name must match the name parameter from the previous file, options.l2tp. The last parameter is the subnet and mask to match this client. It should be the range of your internal network.

Now if you want to access other computer from your LAN from your VPN client, you need to enable ip forwarding

echo 1 >/proc/sys/net/ipv4/ip_forward

Of course you need to redirect upd ports from your internet gateway to your linux box if you have one. And also open the ports in your linux box firewall if it is activated. The ports are UDP 500, UDP 1701 and UDP 4500

This prodecure works fine for my iPhone and Windows 7 client.

For windows 7 client to work fine, you need to uncheck the box “unsecure password PAP” into connexion properties security tab and check CHAP and MS-CHAP-V2. And also enter your PSK under advanced parameters from VPN type.

Charles

Charles