Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:ipsec:openswan:openswanxl2tpvpn [2020/03/17 16:12] – [Openswan L2TP/IPsec Configuration] fix intro lukepicci | docs:guide-user:services:vpn:libreswan:openswanxl2tpvpn [2023/06/29 21:33] – proper project homepage valdikss | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | <color # | + | ====== Libreswan L2TP/IPsec ====== |
| + | This how-to explains how to configure an openwrt router to act as an L2TP/IPsec gateway (vpn server) using xl2tpd (for L2TP) and Libreswan (for IPsec). | ||
| - | ====== Openswan L2TP/IPsec Configuration ====== | + | The new [[docs: |
| - | This howto explains how to configure an openwrt router to act as an L2TP/IPsec gateway (vpn server) using xl2tpd (for L2TP) and openswan (for IPsec). | + | Use this one as a reference for the **xl2tpd** part. |
| + | ===== Deprecation Note ===== | ||
| + | As of OpenWrt version 20.x.x, ipsec-tools was removed for security reasons (project abandoned http:// | ||
| - | :!: This page is about Openswan, which is deprecated. The new [[docs: | + | See the discussion of OpenWrt developers here https://github.com/openwrt/ |
| - | ===== Introduction ===== | + | Please use [[docs: |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== Required Packages ==== | + | |
| - | === Server (OpenWrt) === | + | |
| - | + | ||
| - | The openwrt vpn server needs the following packages installed. Use opkg or a webinterface to install the packages | + | |
| - | + | ||
| - | < | + | |
| - | ipsec-tools we | + | |
| - | iptables-mod-ipsec | + | |
| - | kmod-crc-ccitt | + | |
| - | kmod-crc16 | + | |
| - | kmod-crypto-aes | + | |
| - | kmod-crypto-arc4 | + | |
| - | kmod-crypto-authenc | + | |
| - | kmod-crypto-core | + | |
| - | kmod-crypto-des | + | |
| - | kmod-crypto-hmac | + | |
| - | kmod-crypto-md5 | + | |
| - | kmod-crypto-sha1 | + | |
| - | kmod-ipsec | + | |
| - | kmod-ipsec4 | + | |
| - | kmod-ppp | + | |
| - | openswan | + | |
| - | ppp | + | |
| - | xl2tpd | + | |
| + | If you try to install Libreswan using this manual on OpenWRT > 19.07.9, you'll get an error: | ||
| + | <code bash> | ||
| + | opkg_install_cmd: | ||
| </ | </ | ||
| - | |||
| - | The openswan package might try to drag with it the kmod-openswan package, if it does manually uninstall it as we are not going to use it and it might interfere with the default in kernel mod-ipsec module. | ||
| - | |||
| - | |||
| - | === Client === | ||
| - | |||
| - | Ipsec/l2tp support is installed per default on android and windows devices. For linux clients please consult your distributions documentation in order to find what packages they recommend. | ||
| ===== Installation ===== | ===== Installation ===== | ||
| - | Use opkg or whatever prefered tool like webif to install | + | === Server === |
| + | Install | ||
| <code bash> | <code bash> | ||
| - | ipsec-tools | + | opkg update |
| - | iptables-mod-ipsec | + | opkg install |
| - | kmod-crc-ccitt | + | kmod-crc16 kmod-crypto-aes kmod-crypto-arc4 kmod-crypto-authenc |
| - | kmod-crc16 | + | kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 |
| - | kmod-crypto-aes | + | kmod-crypto-sha1 kmod-ipsec kmod-ipsec4 kmod-ppp |
| - | kmod-crypto-arc4 | + | |
| - | kmod-crypto-authenc | + | |
| - | kmod-crypto-core | + | |
| - | kmod-crypto-des | + | |
| - | kmod-crypto-hmac | + | |
| - | kmod-crypto-md5 | + | |
| - | kmod-crypto-sha1 | + | |
| - | kmod-ipsec | + | |
| - | kmod-ipsec4 | + | |
| - | kmod-ppp | + | |
| - | openswan | + | |
| - | ppp | + | |
| - | xl2tpd | + | |
| </ | </ | ||
| - | The openswan | + | The libreswan |
| + | |||
| + | === Client === | ||
| + | IPsec/L2TP support | ||
| + | For Linux clients please consult your distributions documentation in order to find what packages they recommend. | ||
| ===== Configuration ===== | ===== Configuration ===== | ||
| - | ==== Xl2tpd | + | ==== xl2tpd |
| + | The L2TP protocol is related to ppp and xl2tpd makes use of pppd. | ||
| + | So the configuration of xl2tpd includes both configuring xl2tpd as well as pppd. | ||
| - | The l2tp protocol is related to ppp and xl2tpd makes use of pppd. So the configuration of xl2tpd includes both configuring xl2tpd as well as pppd | + | <code bash> |
| - | + | # / | |
| - | The config file for xl2tpd is '' | + | |
| - | < | ||
| [global] | [global] | ||
| port = 1701 | port = 1701 | ||
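Review bot: the deprecation note in this hunk (the rows "As of OpenWrt version 20.x.x, ipsec-tools was removed for security reasons" and "If you try to install Libreswan using this manual on OpenWRT > 19.07.9, you'll get an error") is placed below an intro that still presents the page as a current how-to for an L2TP/IPsec gateway; the old revision carried its :!: warning at the very top, and the new note should sit above the intro too, so a reader hits it before the install steps. Two smaller points in the same hunk: the project name appears as "openwrt", "OpenWrt" and "OpenWRT" within a few rows, and "20.x.x" should name the actual release in which the package was dropped. The `<code bash>` fence around the `opkg_install_cmd:` error wraps program output, not a command, so the `bash` tag is misleading there.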
| Line 96: | Line 60: | ||
| </ | </ | ||
| - | Here follows some explanations of some of the options. '' | + | Here follows some explanations of some of the options. |
| - | '' | + | * '' |
| + | * '' | ||
| + | | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| The file ''/ | The file ''/ | ||
| - | < | + | < |
| lock | lock | ||
| noauth | noauth | ||
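Review bot: the xl2tpd.conf and options.xl2tpd blocks introduced in this hunk are configuration files, not shell, so tagging them `<code bash>` gives wrong highlighting; a plain `<code>` fence (with the `# /etc/...` path comment kept as the first line) is the better choice, and the same applies to the ipsec.conf, network and firewall blocks later on the page. Wording: "Here follows some explanations of some of the options" reads better as "Some of the options are explained below".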
| Line 117: | Line 88: | ||
| </ | </ | ||
| - | The option | + | * '' |
| - | + | * '' | |
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| Add usernames and passwords and ipadresses to ''/ | Add usernames and passwords and ipadresses to ''/ | ||
| - | < | + | < |
| # | # | ||
| username vpn secret 10.1.20.32 | username vpn secret 10.1.20.32 | ||
| </ | </ | ||
| - | Here each client needs a line, with the login username, the provider columns is the same as the name option se in ''/ | + | Here each client needs a line, with the login username, the provider columns is the same as the name option se in ''/ |
| + | A separate password for each client and then the ip address the client should have, it should be in the range configured in ''/ | ||
| - | ==== Openswan | + | ==== Libreswan |
| + | The Libreswan configuration is pretty straightforward. | ||
| + | The exact default config file entries have changed a bit in recent releases, but the syntax has remained the same. | ||
| + | Libreswan is picky about whitespaces so be careful and follow the conventions as described in the ipsec.conf manpage. | ||
| + | The config setup section contains generic settings and should only contain the following options. | ||
| - | The openswan configuration is pretty straightforward. The exact default config file entries have changed a bit in recent releases, but the syntax has remained the same. Openswan is picky about whitespaces so be carefull and follow the conventions as described in the ipsec.conf | + | <code bash> |
| + | # /etc/ipsec.conf | ||
| - | ''/ | ||
| - | |||
| - | < | ||
| config setup | config setup | ||
| dumpdir=/ | dumpdir=/ | ||
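Review bot: "the provider columns is the same as the name option se in" (row beginning "Here each client needs a line") contains a typo, "se" for "set", and is a run-on that the new revision only split in half; make it three sentences: one for the login username, one stating that the provider column must match the `name` option in the pppd options file, and one for the per-client password and the address the client receives. The rest of the hunk (the Libreswan intro, the whitespace warning, "should only contain the following options") is clear.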
| Line 144: | Line 120: | ||
| </ | </ | ||
| - | The key options here are '' | + | * '' |
| + | * '' | ||
| Then there should be a section that defines the actual ipsec connection, such as this. | Then there should be a section that defines the actual ipsec connection, such as this. | ||
| - | '' | + | <code bash> |
| + | # / | ||
| - | < | ||
| conn myvpn | conn myvpn | ||
| auto=add | auto=add | ||
| Line 164: | Line 141: | ||
| </ | </ | ||
| - | Here, '' | + | * '' |
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| ==== Network configuration ===== | ==== Network configuration ===== | ||
| + | Each client L2TP connection get its own PPP interface, so we start by defining a bunch of interfaces. | ||
| + | In this case four are defined but you can define as many as you need. | ||
| + | You do this by adding the following lines. | ||
| - | Each client l2tp connection get its own ppp interface, so we start by defining a bunch of interfaces. In this case four are defined but you can define as many as you need. You do this by adding the following lines. | + | <code bash> |
| - | + | # / | |
| - | '' | + | |
| - | < | ||
| config ' | config ' | ||
| option ' | option ' | ||
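Review bot: the unchanged heading `==== Network configuration =====` has four opening and five closing equals signs, which DokuWiki does not treat as a balanced heading; since this hunk rewrites the section, fix it to `==== Network configuration ====` at the same time. Grammar: "Each client L2TP connection get its own PPP interface" should read "gets".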
| Line 194: | Line 181: | ||
| </ | </ | ||
| - | The next step is to group these interfaces together and allow traffic to and from the vpn. This is done by creating a zone that is made up by the vpn interfaces, and then allow traffic to flow to and form this zone. Add the following lines. | + | The next step is to group these interfaces together and allow traffic to and from the VPN. |
| + | This is done by creating a zone that is made up by the VPN interfaces, and then allow traffic to flow to and form this zone. | ||
| + | Add the following lines. | ||
| - | '' | + | <code bash> |
| + | # / | ||
| - | < | ||
| config ' | config ' | ||
| option ' | option ' | ||
| Line 218: | Line 207: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | |||
| </ | </ | ||
| - | for a deeper understanding of what these lines do please consult the OpenWrt documentation. | + | For a deeper understanding of what these lines do please consult the OpenWrt documentation. |
| - | In order to allow ipsec traffic trough the firewall add the following rules. | + | In order to allow IPsec traffic trough the firewall add the following rules. |
| + | |||
| + | <code bash> | ||
| + | # / | ||
| - | ''/ | ||
| - | < | ||
| config ' | config ' | ||
| option ' | option ' | ||
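Review bot: two typos from the old text survived the rewrite in this hunk: "allow traffic to flow to and form this zone" should be "from this zone", and "allow IPsec traffic trough the firewall" should be "through the firewall". Otherwise the zone and rule descriptions are consistent with the blocks they introduce.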
| Line 252: | Line 241: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | |||
| </ | </ | ||
| - | This basicly | + | This basically |
| + | It also opens up port 500/udp traffic, this is used for the IKE protocol that is used by IPsec to manage encryption keys. | ||
| + | Lastly port 4500/udp is opened, this is used when ipsec operates in NAT traversal mode, e.g. when the client is behind a NAT. | ||
| - | The last thing we need to do is allow l2tp traffic through the firewall. We can not just open up udp port 1702 like we have done for the ipsec traffic. This would allow pure l2tp traffic trough and that is not acceptable as l2tp is unencrypted and uses somewhat weak mschapv2 authentication. | + | The last thing we need to do is allow L2TP traffic through the firewall. |
| + | We can not just open up udp port 1702 like we have done for the ipsec traffic. | ||
| + | This would allow pure l2tp traffic trough and that is not acceptable as l2tp is unencrypted and uses somewhat weak mschapv2 authentication. | ||
| The solution is to add a custom firewall rule that only allows udp traffic on port 1702 that have been delivered with ipsec encryption. | The solution is to add a custom firewall rule that only allows udp traffic on port 1702 that have been delivered with ipsec encryption. | ||
| - | '' | + | <code bash> |
| - | + | # / | |
| - | < | + | |
| iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT | iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT | ||
| </ | </ | ||
| - | Backfire have had some issues with automatically bringing up the vpn zone in the firewall, but it seems to work in trunk. In order to fix this i have just used a simple line in rc.local that brings up the vpn zone. After it has been brought up once it seems to work just fine. | + | Backfire have had some issues with automatically bringing up the VPN zone in the firewall, but it seems to work in trunk. |
| + | In order to fix this i have just used a simple line in '' | ||
| + | After it has been brought up once it seems to work just fine. | ||
| - | '' | + | <code bash> |
| - | + | # / | |
| - | < | + | # Apply for each VPN interface |
| - | # needed | + | |
| ifup vpn0 | ifup vpn0 | ||
| </ | </ | ||
| - | |||
| - | Each vpn[x] interface that has been added needs to be activated using " | ||
| - | |||
| - | |||
| ==== Client configuration ==== | ==== Client configuration ==== | ||
| - | === Linux === | ||
| Mount manually: | Mount manually: | ||
| - | < | + | |
| + | < | ||
| sudo mount 192.168.1.254:/ | sudo mount 192.168.1.254:/ | ||
| </ | </ | ||
| - | Or mount permanently with entries | + | Or mount permanently with entries on each client PC: |
| - | < | + | < |
| + | # /etc/fstab | ||
| # Intranet | # Intranet | ||
| 192.168.1.254:/ | 192.168.1.254:/ | ||
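Review bot: port mismatch in this hunk: the prose says "We can not just open up udp port 1702" and "only allows udp traffic on port 1702", but the xl2tpd config earlier on the page sets `port = 1701` and the custom rule accepts `--dport 1701`; L2TP is 1701/udp, so the three sentences should say 1701. Second, the "Client configuration" section that follows is NFS material, not VPN client setup: `sudo mount 192.168.1.254:/...` and an `/etc/fstab` entry under "# Intranet" tell the reader nothing about connecting an L2TP/IPsec client, while the old revision's Linux/Windows/Mac OS X headings (empty, but on topic) were dropped; either fill in client-side steps under those headings or remove the section rather than leave the mount instructions. Minor: "Backfire have had some issues" should be "Backfire had some issues", and "i have" should be capitalised.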
| Line 295: | Line 284: | ||
| </ | </ | ||
| - | Check the [[http:// | + | Check the [[man>mount]]. |
| - | + | ||
| - | === Windows === | + | |
| - | + | ||
| - | === Mac OS X === | + | |
| - | + | ||
| - | + | ||
| - | ===== Examples ===== | + | |
| - | + | ||
| - | * [[doc: | + | |
| - | * [[doc: | + | |
| - | + | ||
| - | ===== Start on boot ===== | + | |
| - | To enable/ | + | |
| - | ''/ | + | |
| - | ''/ | + | |
| - | + | ||
| - | ===== Administration ===== | + | |
| - | TODO | + | |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| - | If you get something like this: | + | < |
| - | < | + | nft list ruleset |
| - | Try `iptables -h' or ' | + | |
| </ | </ | ||
| - | then bla bla bla | ||
| ===== Notes ===== | ===== Notes ===== | ||
| - | * The Project Homepage: [[http://mumble.sourceforge.net/]] | + | * The Project Homepage: [[https://libreswan.org/]] |
| - | * a very good tutorial: [[http:// | + | * A very good tutorial: [[http:// |
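Review bot: the Troubleshooting section is now a bare `nft list ruleset` block with no sentence saying what the reader should look for, and it is inconsistent with the rest of the page, which installs its policy-match rule with `iptables -I INPUT 1 ...`; say which releases use nftables (fw4) and how to confirm the rule on both stacks, or at least describe the expected entry. "Check the [[man>mount]]." belongs to the NFS text flagged above and should go with it. The homepage change to [[https://libreswan.org/]] is correct and matches the commit message.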