This HowTo describes how to set up your Debian machine as a VPN server for the iPhone. The iPhone uses L2TP over IPsec as its VPN protocol. Others are possible as well, but here we stick to L2TP over IPsec.
Installation
Install the following packages:
- freeradius
- openswan
- l2tpns
Network layout
Internet === Router (10.76.1.1) === Debian PC (10.76.1.2)
Configuration
freeradius
First we configure freeradius. In /etc/freeradius/clients.conf change the default secret of the localhost client (line 101). Pick a long random value; mysecret below is only a placeholder, and l2tpns has to present exactly the same value as its radius_secret:
secret = mysecret
Create a default user for freeradius by adding the following lines in /etc/freeradius/users:
DEFAULT Auth-Type := System
        Fall-Through = Yes
l2tpns
In /etc/l2tpns/ip_range the range of IP addresses handed out to VPN clients is defined. The range must be a subnet of your own internal network (here 10.76.1.0/24), because the server will later answer ARP for these addresses on the LAN:
10.76.1.32/28
/etc/l2tpns/startup-config is the main configuration file for l2tpns. Most settings can be left commented out; only the following lines are active in my setup:
set debug 2
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set l2tp_secret ""
set primary_dns 10.76.1.2
set secondary_dns 10.76.1.2
set primary_radius 127.0.0.1
set primary_radius_port 1812
set radius_secret "mysecret"
set accounting_dir "/var/run/l2tpns/acct"
set bind_address 10.76.1.2
set send_garp yes
set peer_address 10.76.1.1
set throttle_speed 64
set cluster_interface lo
set cluster_hb_interval 100
set cluster_hb_timeout 20
Make sure peer_address is set to the IP of your router and bind_address to the IP of the Debian machine. primary_radius is the local address because freeradius runs on the same machine, and radius_secret must match the secret you put in clients.conf. In my case primary_dns is set to the IP of the Debian machine since I'm running a local DNS server.
openswan
In /etc/ipsec.secrets we add our IPsec pre-shared key. Because the connection below accepts right=%any with authby=secret, every iPhone you provision uses this same key, so treat it as a group secret and choose a long random value rather than mykey:
10.76.1.2: PSK "mykey"
The main IPsec configuration file /etc/ipsec.conf looks like this (the parameters under config setup and conn must be indented):
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.76.1.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    #interfaces="ipsec0=br0"
    uniqueids=no

conn road_warrior
    rekey=no
    authby=secret
    pfs=no
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    compress=yes
    # this host (the Debian machine) and the router in front of it
    left=10.76.1.2
    leftprotoport=17/1701
    leftnexthop=10.76.1.1
    # any client, from any source port, possibly behind NAT
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    # load the connection at startup, but let the client initiate
    auto=add
Make sure you exclude your entire local IP range from virtual_private with a separate %v4:!10.76.1.0/24 entry; without it a client behind a NAT that happens to use 10.76.1.0/24 would be allowed to claim an address in your own LAN. The setting left in the connection must be the IP of your Debian machine, and leftnexthop the IP of your router.
Network configuration
In order to make the VPN subnet reachable from the local network, ARP proxying is used: the Debian machine answers ARP requests for the pool addresses on eth0 and forwards the traffic to the L2TP clients. Enable proxy_arp for your main network interface in /etc/network/interfaces (the kernel must also be forwarding packets, i.e. net.ipv4.ip_forward=1, for the pool traffic to move between the l2tpns tunnel and eth0):
iface eth0 inet static
    address 10.76.1.2
    netmask 255.255.255.0
    gateway 10.76.1.1
    up sysctl net.ipv4.conf.eth0.proxy_arp=1
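The three sections above only work together if the addresses agree: the ip_range pool has to lie inside the LAN so proxy ARP can cover it, it must not swallow the server or the router, and virtual_private has to exclude the LAN. The following POSIX sh script is an added example written for this page, not part of the HowTo or of l2tpns/openswan. It assumes the layout used throughout (LAN 10.76.1.0/24, server 10.76.1.2, router 10.76.1.1, pool 10.76.1.32/28) and the virtual_private line from the ipsec.conf section; edit the variables at the top for your own network.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: a pure POSIX sh sanity check
# of the addressing used above, to run before starting l2tpns and openswan.
#
#   1. the l2tpns ip_range pool must lie inside the LAN subnet, otherwise
#      proxy ARP on eth0 cannot make the clients reachable
#   2. the pool must not contain the server's own address or the router
#   3. openswan's virtual_private must exclude the LAN subnet (the "!" entry)
#
# The values below are assumptions copied from the layout in this HowTo.
LAN=10.76.1.0/24        # local network behind the router
SERVER=10.76.1.2        # bind_address in l2tpns, left in ipsec.conf
ROUTER=10.76.1.1        # peer_address in l2tpns, leftnexthop in ipsec.conf
POOL=10.76.1.32/28      # contents of /etc/l2tpns/ip_range
VIRTUAL_PRIVATE='%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.76.1.0/24'

# ip_to_int A.B.C.D -> 32-bit integer (10.76.1.32 -> 172753184)
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N -> netmask for /N as an integer (24 -> 4294967040)
prefix_mask() {
    echo $(( ((1 << $1) - 1) << (32 - $1) ))
}

# cidr_contains OUTER INNER: succeed if every address of INNER is inside OUTER.
# OUTER must be in CIDR form; INNER may be a bare address (treated as /32).
cidr_contains() {
    outer_ip=${1%/*}; outer_len=${1#*/}
    case $2 in
        */*) inner_ip=${2%/*}; inner_len=${2#*/} ;;
        *)   inner_ip=$2;      inner_len=32 ;;
    esac
    [ "$inner_len" -ge "$outer_len" ] || return 1
    m=$(prefix_mask "$outer_len")
    [ $(( $(ip_to_int "$outer_ip") & m )) -eq $(( $(ip_to_int "$inner_ip") & m )) ]
}

# virtual_private_excludes VP SUBNET: succeed if VP carries a "!SUBNET" entry
virtual_private_excludes() {
    case "$1" in
        *"!$2"*) return 0 ;;
    esac
    return 1
}

# check_layout: run all three checks; succeed only if every one passes
check_layout() {
    rc=0
    if cidr_contains "$LAN" "$POOL"; then
        echo "ok:   pool $POOL lies inside LAN $LAN"
    else
        echo "FAIL: pool $POOL is not inside LAN $LAN; proxy ARP will not cover it"
        rc=1
    fi
    for host in "$SERVER" "$ROUTER"; do
        if cidr_contains "$POOL" "$host"; then
            echo "FAIL: pool $POOL contains $host"
            rc=1
        fi
    done
    if virtual_private_excludes "$VIRTUAL_PRIVATE" "$LAN"; then
        echo "ok:   virtual_private excludes $LAN"
    else
        echo "FAIL: virtual_private lacks %v4:!$LAN"
        rc=1
    fi
    return $rc
}

check_layout
```

The script exits non-zero on any failure, so it can be run from the init script or a deployment check before l2tpns and pluto are started; the subnet arithmetic is done in shell integers so it needs no ipcalc or Python on the server.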