I’ve been using PPTP as a VPN solution for a while (despite its security obsolescence); however, I have the feeling that one of my ISPs has started filtering and/or throttling PPTP traffic that leaves its network.
As a result, I had to look for an alternate VPN system to use when I need to dial back to my home network while on the move to access my media library or when I require a trusted connection or a whitelisted IP.
The next best thing (and least complicated to set up going from PPTP) is IPSec/L2TP, which has built-in support in most current operating systems (including Windows, Linux and Android).
Prerequisites
Due to its double-encapsulation nature (L2TP performs the tunnelling of data and IPSec provides the encrypted channel), L2TP/IPSec has a more complex setup and configuration procedure, both for the server and the client:
- OpenSWAN provides the IPSec component, encapsulating packets between the client and the server and providing basic network connectivity and authentication. On connection, the client presents a pre-shared key to the server; OpenSWAN then establishes the IPSec tunnel and hands control to xl2tpd.
- xl2tpd provides the component which connects the two networks (the client’s and the server’s) together. It talks to pppd to authenticate a user, and then makes that user appear on the local network as some IP in its defined range.
- pppd provides authentication for users.
This means two secrets are required: one for the IPSec component provided by OpenSWAN (the pre-shared key), and one for the actual user account that is connecting to the VPN.
These are the addresses used in the configurations below; adjust them to suit your own network:
- 192.168.1.0/24 – local LAN network range
- 192.168.1.100 – LAN IP of VPN server (also running the DNS server)
- 192.168.1.1 – peer local IP of the L2TP VPN
- 192.168.1.101-120 – local IP range used for the L2TP tunnels, outside of the DHCP allocation range
- 192.168.1.254 – router NATting internet traffic for the LAN
Packages
To set up a server on CentOS, we start by installing the necessary software:
yum install openswan xl2tpd pppd
chkconfig ipsec on
chkconfig xl2tpd on
Then edit /etc/sysctl.conf and set
net.ipv4.ip_forward = 1
Edit /etc/rc.local and add the following at the end:
# Correct ICMP Redirect issues with OpenSWAN
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
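The rc.local loop above writes blindly and never checks that every interface took the setting. The following is an added example (not part of the original post) that splits it into an apply function and a verify function, so a single failed write is reported instead of silently leaving one interface accepting redirects. Both functions take an optional directory argument (an assumption of this script; it defaults to the kernel's /proc/sys/net/ipv4/conf tree) so they can also be exercised against a constructed copy of that layout.

```shell
#!/bin/sh
# Added example, not from the original post. Applies and verifies the three
# per-interface sysctl knobs the rc.local snippet sets. The directory argument
# is an assumption of this script: it defaults to the real kernel tree but may
# point at a constructed copy of the same layout for testing.

KNOBS="accept_redirects send_redirects rp_filter"

# Write 0 to every knob under every interface directory in $1.
# Returns 1 on the first write that fails (e.g. not running as root).
disable_redirects() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    for each in "$conf_dir"/*; do
        [ -d "$each" ] || continue
        for knob in $KNOBS; do
            echo 0 > "$each/$knob" || { echo "cannot write $each/$knob" >&2; return 1; }
        done
    done
    return 0
}

# Return 0 only if every interface reports 0 for all three knobs.
# Prints each offending path so the operator can see exactly what was missed.
verify_redirects() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for each in "$conf_dir"/*; do
        [ -d "$each" ] || continue
        for knob in $KNOBS; do
            val=$(cat "$each/$knob" 2>/dev/null)
            if [ "$val" != "0" ]; then
                echo "not hardened: $each/$knob=${val:-missing}" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Usage (as root, after the rc.local step has run):
#   disable_redirects && verify_redirects && echo "ICMP redirect hardening verified"
```

Running verify_redirects on its own after a reboot is a cheap way to confirm rc.local actually executed before bringing the tunnel up.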
IPSec
Edit /etc/ipsec.conf to contain:
config setup
    klipsdebug=none
    plutodebug=none
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24
    interfaces="%defaultroute"
    oe=off

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    leftnexthop=%defaultroute
    left=%defaultroute
    leftprotoport=17/1701
Next, edit /etc/ipsec.secrets and define the PSK secret (the pre-shared key, as most clients call it) for IPSec:
192.168.1.1 %any: PSK yoursecretkey
Xl2tpd
Moving on to xl2tpd, edit /etc/xl2tpd/xl2tpd.conf to contain:
[global]
listen-addr = 192.168.1.1

[lns default]
ip range = 192.168.1.101-192.168.1.120
local ip = 192.168.1.100
refuse pap = yes
require authentication = yes
name = LinuxVPNServer
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Then /etc/ppp/options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
The last step is to edit /etc/ppp/chap-secrets and insert records for all logins allowed into the VPN:
# Secrets for authentication using CHAP
# client          server   secret           IP addresses
firstusername     *        firstpassword    *
secondusername    *        secondpassword   *
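Both /etc/ppp/chap-secrets and /etc/ipsec.secrets hold cleartext credentials, so before restarting the services it is worth checking their permissions and the shape of each entry. The following is an added example, not part of the original post: it refuses a secrets file that is readable by group or others, and for chap-secrets it also flags entries missing one of the four fields or carrying a secret shorter than a chosen minimum (12 characters by default, an assumption of this script). It handles the unquoted, whitespace-separated form shown above; pppd also accepts double-quoted secrets, which this check does not parse. The stat -c call assumes GNU coreutils, as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: lint the credential files before
# (re)starting ipsec and xl2tpd. Minimum secret length and the use of GNU
# "stat -c" are assumptions of this script.

# Return 0 only if FILE exists and has no group/other permission bits
# (mode 600 or stricter). Prints the offending mode otherwise.
secrets_file_private() {
    file="$1"
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     echo "$file is mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Lint a chap-secrets file: permissions, then one line per entry with the
# four fields "client server secret ip-addresses" and a secret of at least
# MIN_LEN characters. Prints "<client> ok" for each good entry and returns 1
# if anything was wrong.
lint_chap_secrets() {
    file="$1"
    min_len="${2:-12}"
    rc=0
    lineno=0
    secrets_file_private "$file" || rc=1
    # read does not glob, so a "*" wildcard field stays literal
    while read -r client server secret ipaddr _rest || [ -n "$client" ]; do
        lineno=$((lineno + 1))
        case "$client" in
            ''|\#*) continue ;;   # blank line or comment
        esac
        if [ -z "$ipaddr" ]; then
            echo "$file:$lineno: entry for '$client' needs 4 fields: client server secret ip-addresses" >&2
            rc=1
            continue
        fi
        if [ "${#secret}" -lt "$min_len" ]; then
            echo "$file:$lineno: secret for '$client' is shorter than $min_len characters" >&2
            rc=1
            continue
        fi
        echo "$client ok"
    done < "$file"
    return $rc
}

# Usage (as root, before "service xl2tpd restart"):
#   lint_chap_secrets /etc/ppp/chap-secrets && secrets_file_private /etc/ipsec.secrets
```

A wildcard server field (`*`) is what the entries above use and is accepted as-is; the check only cares that the field is present and that the secret after it is long enough.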
Finalizing
Almost done. (Re)start the services:
service ipsec restart
service xl2tpd restart
You should now be able to connect from your Windows, Linux or Android clients (client tutorials coming soon).
Source: this tutorial is pretty much a copy of IPSec/L2TP VPN Server on CentOS 6 (PSK)