2012-01-16

OpenWRT L2TP/IPsec server


I would like to set up a VPN server for my home NAS, and to connect to it from my MacBook and my Android phone out of the box. I decided to use L2TP with IPsec, running on an old, unused Fonera 2.0.



Architecture
The Fonera connects to my local network via its WAN port. The DHCP server on my router is providing addresses between 192.168.55.100 and 192.168.55.149.

OpenWRT on Fonera
I had some issues when I tried to reach RedBoot via telnet: Terminal on Mac OS X couldn't send Ctrl+C to RedBoot to enter the boot menu. I found a very good solution:

  1. Download this: break
  2. Set 192.168.1.2/24 manually on the Ethernet interface
  3. Open a terminal, and start to ping 192.168.1.1
  4. In another terminal, once the ping succeeds, execute the following command:
        nc -vv 192.168.1.1 9000 > break
  5. Finally, you can access RedBoot via telnet:
        telnet 192.168.1.1 9000
Once you can reach the RedBoot prompt, you have to flash OpenWRT to the Fonera: OpenWRT on a Fonera 2.0

First steps

First of all, I set a new root password and enabled SSH. Next, I disabled the WLAN device and the LAN port of the device.

Required packages

You should install the following packages with opkg:

  • openswan
  • ipsec-tools
  • xl2tpd
  • iptables-mod-ipsec
  • kmod-ipsec4
  • kmod-ipsec6
  • kmod-ipt-ipsec
  • kmod-crypto-aes

Configuring kernel modules loading

Create the following file:

/etc/modules.d/99-local-ipsec



Configuring openswan

Add the following connection section to the bottom of the /etc/ipsec.conf file:



And edit the virtual_private line in the config setup section above:



Finally, you should create a shared secret passphrase for IPsec. Create the /etc/ipsec.secrets file:



OK, now the IPsec configuration is done; you only have to enable the ipsec service at boot time: /etc/init.d/ipsec enable

Configuring xl2tpd

You should configure the xl2tpd L2TP daemon. Edit the /etc/xl2tpd/xl2tpd.conf file:



Next, you should set up the pppd options for xl2tpd. Edit the /etc/ppp/options.xl2tpd file:



Finally, you should set up the user/password pair for each user. You can do that in the /etc/ppp/chap-secrets file:



OK, now the L2TP configuration is done; you only have to enable the xl2tpd service at boot time: /etc/init.d/xl2tpd enable
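As an added example (not part of the original post), a small Python audit of the two secret files this setup relies on, /etc/ipsec.secrets and /etc/ppp/chap-secrets: it parses both formats and flags a short pre-shared key, empty or short CHAP passwords, and duplicate user entries. The sample file bodies and the length floors MIN_PSK_LEN and MIN_PW_LEN are constructed assumptions, not the author's values.

```python
import re
import shlex
# Constructed sample file bodies (not the author's configuration or real secrets).
IPSEC_SECRETS = """
# ipsec.secrets format: <local> <remote> : PSK "<passphrase>"
%any %any : PSK "short"
"""
CHAP_SECRETS = """
# client  server  secret            IP addresses
alice     *       "Tr0ub4dor&3xyz"  *
bob       *       ""                *
alice     *       "second-entry"    192.168.55.200
"""
MIN_PSK_LEN = 20  # assumed policy floor for the IPsec pre-shared key
MIN_PW_LEN = 12   # assumed policy floor for per-user CHAP passwords

def parse_psks(text):
    """Return every passphrase on a 'selectors : PSK "..."' line of ipsec.secrets."""
    psks = []
    for line in text.splitlines():
        m = re.match(r"^[^#:]*:\s*PSK\s+(.*)$", line.strip())
        if m:  # shlex honours the quotes and drops a trailing '# comment'
            psks.extend(shlex.split(m.group(1), comments=True)[:1])
    return psks

def parse_chap_secrets(text):
    """Return (client, server, secret, ip) rows from a chap-secrets body."""
    rows = []
    for line in text.splitlines():
        f = shlex.split(line, comments=True)  # whitespace-separated, quotes honoured, '#' comments
        if len(f) >= 3:
            rows.append((f[0], f[1], f[2], f[3] if len(f) > 3 else "*"))
    return rows

def audit(ipsec_text, chap_text):
    """Return a list of findings; an empty list means both files pass the checks."""
    findings = ["ipsec.secrets: PSK shorter than %d characters" % MIN_PSK_LEN
                for p in parse_psks(ipsec_text) if len(p) < MIN_PSK_LEN]
    seen = set()
    for client, _server, secret, _ip in parse_chap_secrets(chap_text):
        if client in seen:
            findings.append("chap-secrets: duplicate entry for %s" % client)
        seen.add(client)
        if not secret:
            findings.append("chap-secrets: empty password for %s" % client)
        elif len(secret) < MIN_PW_LEN:
            findings.append("chap-secrets: password for %s shorter than %d" % (client, MIN_PW_LEN))
    return findings
```

On the router itself you would pass the contents of the real files to audit() instead of the constructed samples.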

Firewall configuration

The essential configuration goes in the /etc/config/firewall file:



In addition, you should add some rules manually in the /etc/firewall.user file:



Workarounds

Unfortunately, I had some stability issues with xl2tpd and openswan. I solved this by restarting the daemons. First of all, I restart them after boot (once everything else has initialised). To do this I added the following to the /etc/rc.local file:



Next, I restart them after each disconnection. To do this I created a new file at /etc/ppp/ip-down.d/99-l2tp-restart:



Router configuration

You should open the following ports on your router:

  • 500
  • 4500
  • 1701



Conclusion

It works great with Mac OS X (Lion) and Android (HTC Wildfire).

Resources
