OpenVPN is easy to set up, but it needs an extra program installed on the client side. L2TP/IPSec, on the other hand, is built into most operating systems (Windows 7/8/10, macOS, several Linux distributions, Android, iOS, and so on), so most clients can connect to an L2TP/IPSec VPN out of the box.
In this article, we explain how to install an L2TP/IPSec server on the CentOS 7 Linux distribution.
1. Install the EPEL repository, which provides extra packages for CentOS. This is required for the xl2tpd installation.
# sudo yum -y install epel-release
2. Install necessary packages.
# yum install lsof man openswan xl2tpd
3. Design the network and decide on the range of IP addresses. In this article, we use the following ranges. Note that we configure the VPN as part of the VPN server's existing LAN, so VPN-connected clients will join that LAN.
[Physical settings that are already configured]
- 192.168.0.0/24 : Physical LAN in which the VPN server resides
- 192.168.0.1 : Physical IP address of the VPN server (already set up)
[Addresses used for the VPN]
- 192.168.0.201 : Local IP used by the VPN server for the L2TP tunnel. You can choose an IP in the LAN range.
- 192.168.0.202-250 : IP range handed out to VPN-connected clients.
4. Allow IP forwarding (needed for NAT) in /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
5. Reload sysctl so that the setting takes effect
sysctl -p
7. Add the following to /etc/rc.local so that ICMP redirects and reverse-path filtering are disabled on every interface at boot (on CentOS 7, /etc/rc.d/rc.local must be executable for this to run)
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
8. /etc/ipsec.conf (parameter lines inside a "config setup" or "conn" section must be indented; a line starting in column 0 begins a new section)
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    protostack=netkey
    plutostderrlog=/var/log/pluto.log
    interfaces="%defaultroute"
    plutodebug=none
    virtual_private=%v4:192.168.0.0/24
    nat_traversal=yes
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    type=transport
    left="%defaultroute"
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
9. Generate a host key file to /etc/ipsec.secrets
ipsec newhostkey --output /etc/ipsec.secrets --verbose --configdir /etc/pki/nssdb/
10. Add the PSK (shared between clients and server) at the end of /etc/ipsec.secrets
192.168.0.1 %any: PSK "yourPSKHere"
11. /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 192.168.0.1
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; works around bug: http://bugs.centos.org/view.php?id=5832
force userspace = yes
;
[lns default]
ip range = 192.168.0.202-192.168.0.250
local ip = 192.168.0.201
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = CentOSVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
12. Set the DNS server pushed to clients (ms-dns) in /etc/ppp/options.xl2tpd
ms-dns 8.8.8.8
13. Add user IDs and passwords to /etc/ppp/chap-secrets
# client server secret IP addresses
user1 * strongPassword1 *
user2 * strongPassword2 *
13-1. Alternatively, use the Linux system accounts (ID/PW) for login. Follow the instructions in this article:
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html#Local_user_(PAM//etc/passwd)_authentication
14. Set up iptables
#Allow ipsec traffic
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
#Do not NAT VPN traffic
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
#Save your configuration (requires the iptables-services package on CentOS 7)
service iptables save
15. Enable and start services
systemctl enable ipsec
systemctl start ipsec
systemctl enable xl2tpd
systemctl start xl2tpd
16. Configure clients (Windows/Mac/Linux/etc.)
- Type of VPN: L2TP/IPSec
- L2TP security: choose pre-shared key for authentication and enter the PSK ("yourPSKHere") configured in Step 10.
- ID/PW: the ones set up in Step 13
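The addresses and the PSK above are spread over three files that must agree with each other. As an added check that is not part of the original article, the following Python script parses constructed copies of the relevant fragments of ipsec.conf, ipsec.secrets and xl2tpd.conf and verifies that the PSK host matches listen-addr, that the placeholder PSK has been replaced, and that local ip and ip range lie inside the LAN without colliding. The function names and the 20-character minimum PSK length are this example's own assumptions.

```python
import ipaddress
import re

# Constructed copies of the three fragments this article configures.
IPSEC_CONF = """\
config setup
    virtual_private=%v4:192.168.0.0/24
"""
IPSEC_SECRETS = '192.168.0.1 %any: PSK "yourPSKHere"\n'
XL2TPD_CONF = """\
[global]
listen-addr = 192.168.0.1
[lns default]
ip range = 192.168.0.202-192.168.0.250
local ip = 192.168.0.201
"""

def parse_kv(text):
    """Return {key: value} for 'key = value' lines; ';' and '#' start comments."""
    out = {}
    for line in text.splitlines():
        line = line.split(";")[0].split("#")[0].strip()
        if "=" in line and not line.startswith("["):
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out

def check_vpn_config(ipsec_conf, ipsec_secrets, xl2tpd_conf, min_psk_len=20):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    conf, xl = parse_kv(ipsec_conf), parse_kv(xl2tpd_conf)
    m = re.search(r'^(\S+)\s+%any:\s*PSK\s+"([^"]*)"', ipsec_secrets, re.M)
    if not m:
        return ['ipsec.secrets: no \'<server-ip> %any: PSK "..."\' line found']
    psk_host, psk = m.groups()
    # The host in front of the PSK must be the address xl2tpd listens on.
    if psk_host != xl.get("listen-addr"):
        problems.append(f"PSK host {psk_host} != xl2tpd listen-addr {xl.get('listen-addr')}")
    # The article's placeholder must have been replaced by a long secret.
    if psk == "yourPSKHere" or len(psk) < min_psk_len:
        problems.append(f"PSK is the placeholder or shorter than {min_psk_len} characters")
    # local ip and the client range must lie inside the LAN from virtual_private,
    # and local ip must not collide with an address handed to a client.
    lan = ipaddress.ip_network(conf["virtual_private"].split(":", 1)[1])
    local_ip = ipaddress.ip_address(xl["local ip"])
    lo, hi = (ipaddress.ip_address(a.strip()) for a in xl["ip range"].split("-"))
    if not all(a in lan for a in (local_ip, lo, hi)):
        problems.append(f"local ip or ip range is outside {lan}")
    if lo <= local_ip <= hi:
        problems.append("local ip overlaps the client ip range")
    return problems
```

Run it against the real files by reading them into the three arguments; the article's own values pass every check except the placeholder PSK.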