Have you ever wanted to set up your own VPN server? By following the steps below, you can set up your own L2TP VPN server on CentOS 6. Note that an L2TP VPN, which we’re setting up here, is more secure than a PPTP VPN server. OpenVPN is another alternative to L2TP VPNs, but OpenVPN requires OpenVPN software on the client device. In contrast, L2TP VPNs are supported out of the box in most modern operating systems (Windows, Mac OS X, Ubuntu, RHEL, CentOS) as well as mobile devices (iOS [iPhones, iPads], Android, and Windows Phone).
Packages to install
yum install lsof man yum install openswan yum install ppp xl2tpd
Note: You need to have the epel repository installed to install xl2tpd. To install epel if you haven’t already, check this post.
Potential OpenSwan version issues with iOS devices behind NAT
OpenSwan version 2.6.32-18.el6_3 had a bug wherein iOS devices were unable to make a successful VPN connection if they were behind NAT, which includes attempting a VPN connection while connected to a cellular network. Downgrading to version 2.6.32-16.el6 allowed iOS devices to again connect.
It appears that this bug is fixed as of version 2.6.32-21.2.el6, but do note if you have trouble getting iOS devices to work behind NAT, it may be due to the version of OpenSwan you’ve installed.
For more information, see this page: http://bugs.centos.org/view.php?id=5832
IP Addresses in this example
In the following configuration files, various IP addresses are listed. Change these IPs to match your environment
- 10.0.100.0/24 – Internal LAN IP subnet: This is the IP subnet used on your local LAN that the VPN server resides upon.
- 10.0.100.3 – Local IP used by VPN server for the L2TP tunnels: This is a completely made up number – you are assigning an IP address to the tunnel side of your VPN server. Make sure the IP you assign is not within your DHCP server’s DHCP scope.
- 10.0.100.50-100 – Local IP range to be handed out to VPN-connected clients: You define your own range here – make sure it’s in the same subnet as your local LAN but not part of your DHCP scope.
- 10.0.100.2 – IP address of VPN server: This is the primary IP address of the VPN server on your local LAN – this should be a static or statically assigned address.
- 10.0.100.1 – DNS server: This is the DNS server that the L2TP VPN-connected clients will use.
- 10.0.100.1 – Gateway/Router: This is the IP address of the border router on your internal network – it can be NAT’ed.
Configuration Files
/etc/sysctl.conf
# Controls IP packet forwarding net.ipv4.ip_forward = 1
Reload sysctl with this command:
sysctl -p
/etc/rc.local
Add the following block to the bottom of the configuration file:
# Correct ICMP Redirect issues with OpenSWAN for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects echo 0 > $each/rp_filter done
/etc/ipsec.conf
In the ipsec.conf file, you define a “left” and “right” side of the IPsec connection. In this example, the “left” side is your internal LAN, while the “right” side is the remote, client side which originates on port 1701.Make sure to change the virtual_private line to match your internal LAN subnet.
nehelpers is set to 0 to work around an error message when network helpers are not available.
plutodebug may be set to “control” if you wish to see messages logged in /var/log/pluto.log. Note: I do not suggest leaving this turned on as the log file will quickly grow to a massive size.
Additional lines are added at the bottom of the defined L2TP-PSK connection to better handle compatibility with Mac OS X and iOS clients.
# /etc/ipsec.conf - Openswan IPsec configuration file # # Manual: ipsec.conf.5 # # Please place your own config files in /etc/ipsec.d/ ending in .conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup interfaces=%defaultroute klipsdebug=none nat_traversal=yes nhelpers=0 oe=off plutodebug=none plutostderrlog=/var/log/pluto.log protostack=netkey virtual_private=%v4:10.0.100.0/24 conn L2TP-PSK authby=secret pfs=no auto=add keyingtries=3 rekey=no type=transport forceencaps=yes right=%any rightsubnet=vhost:%any,%priv #rightprotoport=17/0 rightprotoport=17/%any 多客户端不同账号同一IP连接VPN,尝试过有问题 # Using the magic port of "0" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port, but propose "0" instead of their port. left=%defaultroute leftprotoport=17/1701 # Apple iOS doesn't send delete notify so we need dead peer detection # to detect vanishing clients dpddelay=10 dpdtimeout=90 dpdaction=clear #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this. #include /etc/ipsec.d/*.conf
/etc/ipsec.secrets
First, create a new host key for the machine — this example is using a pre-shared key (PSK), but it’s still a good idea to generate the machine key:
ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/
Next, add a line with the internal LAN IP address of the server, the var %any:PSK to use the pre-shared key, and then define the pre-shared key in quotes.
10.0.100.2 %any: PSK "yourPSKHere"
In the /etc/IPsec.secrets file, make sure you remove or uncomment the line “include /etc/ipsec.d/*.secrets,” or you’ll get an error and the VPN just won’t connect.
: RSA { # Your RSA generated machine key will be here after running the above IPsec newhostkey command } # do not change the indenting of that "}" 10.0.100.2 %any: PSK "yourPSKHere"
sudo chown root:root /etc/ipsec.secrets sudo chmod 600 /etc/ipsec.secrets
/etc/xl2tpd/xl2tpd.conf
[global] listen-addr = 10.0.100.2 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ; when using any of the SAref kernel patches for kernels up to 2.6.35. ; ipsec refinfo = 30 ; ; works around bug: http://bugs.centos.org/view.php?id=5832 force userspace = yes ; [lns default] ip range = 10.0.100.50-10.0.100.100 local ip = 10.0.100.3 ; leave chap unspecified for maximum compatibility with windows, iOS, etc ; require chap = yes refuse pap = yes require authentication = yes name = CentOSVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
/etc/ppp/options.xl2tpd
ms-dns should be set to the DNS server you wish the VPN clients to use. You can specify multiple DNS servers by adding multiple ms-dns entries on separate lines.
ipcp-accept-local ipcp-accept-remote ms-dns 10.0.100.1 # ms-dns 192.168.1.1 # ms-dns 192.168.1.3 # ms-wins 192.168.1.2 # ms-wins 192.168.1.4 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000 logfile /var/log/ppp.log
/etc/ppp/chap-secrets
This is the file in which you define your user accounts for the VPN — they are in username and password pairs.
# Secrets for authentication using CHAP # client server secret IP addresses user1 * sgrongPassword1 * user2 * strongPassword2 *
Secure the /etc/ppp/chap-secrets file
sudo chown root:root /etc/ppp/chap-secrets sudo chmod 600 /etc/ppp/chap-secrets
IPTables Configuration
If you are running IPTables as the firewall on your VPN server, run the following commands to allow functioning VPN access
#Allow ipsec traffic iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT #Do not NAT VPN traffic iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE #Forwarding rules for VPN iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT #Ports for Openswan / xl2tpd iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT iptables -A INPUT -p udp --dport 500 -j ACCEPT iptables -A INPUT -p udp --dport 4500 -j ACCEPT #Save your configuration iptables save
Note that if your current firewall configuration contains the following lines, your VPN connection will fail!
Remove these lines if they exist in your /etc/sysconfig/iptables file:
iptables -A INPUT -j REJECT –reject-with icmp-host-prohibited iptables -A FORWARD -j REJECT –reject-with icmp-host-prohibited, the VPN connection will fail!
Enable and Start Services
chkconfig xl2tpd on chkconfig ipsec on service ipsec start service xl2tpd start
Optional configuration
Ignore ICMP Redirects:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
Don’t send ICMP Redirects:
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
Troubleshooting
To see if your IPsec configuration looks OK, run the following command:
ipsec verify
You can also enable logging in /etc/ipsec.conf by setting plutodebug to “control”. This will log messages to /var/log/pluto.log.
There is an additional log file in /var/log/ppp.log.
Helpful links
http://confoundedtech.blogspot.com/2011/08/android-nexus-one-ipsec-psk-vpn-with.html
http://coding.zencoffee.org/2012/10/ipsecl2tp-vpn-server-on-centos-6-psk.html
http://amadys.blogspot.com/2010/06/openswan-2626-ipsec-for-linux.html
http://comments.gmane.org/gmane.network.openswan.user/20373
http://www.pariahzero.net/Blog/files/e7d5abf84a96640d5cd70dd0dfb3d200-71.html
http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-with-ubuntu-1004-and-strongswan/