Creating a VPN appliance with Ubuntu and Openswan


Andrew Kutz, Contributor
12.17.2007


While Virtual Private Networks (VPNs) are a great way to secure communication over untrusted networks, they are often very hard to set up. VPN appliances remove that problem, but can be expensive. With a do-it-yourself VPN appliance, you remove both problems.

This article will guide readers in installing and configuring a Linux VPN appliance that will allow clients running Linux, Windows XP SP2, Vista and OS X (10.3+) to connect with their native clients. Any IT admin can take on this project, as it doesn't require any developer experience.

Also, this isn't just a VPN appliance for small organizations. This VPN appliance is far more scalable than something from, say, Cisco. Consider that a Cisco VPN may only have a 200 MHz processor, but with this project you are using a server that may have a Xeon processor. Of course, network cards present a bottleneck, but you can always drop in some quad-port PCI NICs.

VPN basics
As the name implies, a VPN creates a virtual, private network between two end-points. These end-points can be a computer-to-router, a router-to-router, or even a computer-to-computer (Microsoft Active Directory Internet Protocol Security, or IPsec, implementations are largely computer-to-computer.) The "virtual" in VPN describes the type of network that is being created: a virtual network not defined by a dedicated physical medium. This type of virtualization is analogous to virtual local area networks (VLANs). "Private" refers to the private communication between the two aforementioned end-points, which cannot be viewed by any device on a network between the two network devices participating in the VPN connection. However, the privacy of the Ethernet frames before they enter the VPN and after they exit cannot be guaranteed.

There are several types of VPNs:

Selecting the VPN server and OS
The first step to creating your VPN appliance is finding a server to use. Any x86 or x86_64 system will do. For the purposes of this guide I used a white-box x86_64 server running Ubuntu 7.04 x86_64 (Feisty Fawn). A newer version of Ubuntu is available, 7.10 (Gutsy Gibbon), but its stability has received questionable reviews, so I am sticking with Feisty until the next version, Hardy, since it will be a Long-Term Support (LTS) release with 5 years of support on the server side. It is always a good idea to secure the OS as tightly as possible, especially since this server is going to be acting as the gateway to your internal network. There is more information on how to secure Ubuntu on SearchEnterpriseLinux.com.

Downloading the VPN software
Stability aside, selecting Feisty Fawn as a server distribution has a few downsides. The latest Openswan package available in the Ubuntu repositories is 2.4.6, and the only L2TP daemon packaged alongside it is l2tpd, a good daemon but one that is no longer being developed. To that end, I have packaged the latest release of Openswan, 2.4.11, as an Ubuntu-ready Debian-style package. You can also find a Debian package for the latest release of xl2tpd. The creators of Openswan, recognizing that development on l2tpd seems to have halted, forked the project and call their fork xl2tpd. Download the software and place the packages in '/usr/local/src/vpn' so you can easily remember where they are (you will need to create this directory).

Openswan installation and configuration
You need to install three pieces of software to build the VPN appliance. The first piece, a PPP daemon, is already installed by default with even the most basic Ubuntu server installation (we'll get to that later). After downloading the other two pieces you need, place them in '/usr/local/src/vpn'. Install Openswan 2.4.11 and xl2tpd 1.1.12 by typing:

sudo dpkg --install /usr/local/src/vpn/*.deb

The Openswan package comes with an installation wizard. It does not really matter what you choose since we will be overwriting the default values anyway. Hopefully, both packages installed without errors. If for some reason you encountered errors, feel free to e-mail me with your errors and I will be happy to help. However, if no errors occurred -- congratulations, you are now the proud parent of your very own VPN server.

Now it's time to configure Openswan. Step one to configuring any piece of software is understanding where that software exists on your system. Openswan exists in several locations:

Now that you know which files you will be using, you need to decide how your users are going to authenticate to your VPN. There are two choices: a pre-shared key (PSK) or X.509 certificates. Certificates are by far the better choice, if only because when a user loses a certificate all the administrator has to do is issue a new one and enter the old one in the certificate revocation list (CRL), whereas if a PSK is compromised every user must learn a new PSK. If you do not already have a certificate authority (CA) in your organization, it is easy enough to create one: simply follow the steps that Nate Carlson provides at his website. Even with Nate's fantastic site, creating user certificates can be a bit of a pain, so to make it easier I have provided a script that will help.

Creating the certificate for the VPN server itself can be extremely tricky, especially if you want it to support OS X clients. OS X places very specific requirements on a VPN server's certificate; these are documented at Jacco's website. If you use the script I provided above in conjunction with Jacco's instructions you will do just fine.

Once the certificates are created, place them in either your /etc/ssl directory or in the Openswan certificate directories. I store the certificates inside the standard /etc/ssl directory. I recommend this method since other applications that are compiled against libssl will look in that directory (its sub-directories actually) for certificates.
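As an added example (not the author's script linked from the original page), here is an OpenSSL-based equivalent that creates a CA, a server certificate and a client certificate with their extended key usages kept separate, and exports the client's as PKCS#12 for the native clients. The organization name, the client name, the output directory and the export password are assumptions, and the OS X-specific certificate rules from Jacco's site still have to be applied on top.

```shell
#!/bin/sh
# Added example, not the author's script: build a small CA with OpenSSL,
# issue a VPN server certificate and one client certificate, and export
# the client's as PKCS#12 for the Windows/OS X native clients. The names,
# the 'changeit' export password and the output layout are placeholders.
set -e

# make_vpn_certs OUTDIR SERVER_FQDN CLIENT_NAME
make_vpn_certs() {
    out="$1"; fqdn="$2"; client="$3"
    mkdir -p "$out"
    # 1. Self-signed CA, ten-year validity. Keep ca.key off the VPN box.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example VPN/CN=Example VPN CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    # 2. Server cert: CN and DNS SAN equal to the name clients dial,
    #    serverAuth only, so a client cert can never pose as the gateway.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example VPN/CN=$fqdn" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$out/server.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" \
        -CAkey "$out/ca.key" -CAcreateserial -days 730 \
        -extfile "$out/server.ext" -out "$out/server.crt" 2>/dev/null
    # 3. Client cert: clientAuth only, one-year validity.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example VPN/CN=$client" \
        -keyout "$out/$client.key" -out "$out/$client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl x509 -req -in "$out/$client.csr" -CA "$out/ca.crt" \
        -CAkey "$out/ca.key" -CAcreateserial -days 365 \
        -extfile "$out/client.ext" -out "$out/$client.crt" 2>/dev/null
    # 4. PKCS#12 bundle (key + cert + CA) to hand to the user for import.
    openssl pkcs12 -export -inkey "$out/$client.key" -in "$out/$client.crt" \
        -certfile "$out/ca.crt" -passout pass:changeit -out "$out/$client.p12"
    rm -f "$out"/*.csr "$out"/*.ext
}

# verify_chain OUTDIR CERTFILE: succeeds only if CERTFILE chains to ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# has_dns_san OUTDIR CERTFILE NAME: succeeds if the cert carries DNS:NAME
has_dns_san() {
    openssl x509 -in "$1/$2" -noout -text | grep -q "DNS:$3"
}
```

Run it as make_vpn_certs /etc/ssl/vpn vpn.example.com alice, hand alice.p12 to the user, and move ca.key off the appliance once the certificates are issued.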

Now that the certificates are in place, it is time to configure Openswan. Open /etc/ipsec.conf with your favorite text editor. Note that the real ipsec.conf file does not support comments inside stanzas, such as the ones I include below for explanation. Any line that begins with "config" or "conn" starts a stanza, which does not end until an empty line. The other thing to know is that the indentation beneath these section headers is required or the configuration file will not work.


The best way to learn the options in the ipsec.conf file is to read the man page for ipsec.conf; it explains every option in detail. One other note when configuring Openswan: if something is not working the way you think it should, turn on debug logging and check the logs. You can also run the command 'ipsec verify', which performs a sanity check on your system to see whether it is properly set up to be a VPN server. For example, because my VPN server was not previously part of my network topology, it did not have packet forwarding turned on in the kernel. Before I ran 'ipsec verify' I could connect to my VPN but could not reach my internal network. The verify command made me aware that packet forwarding was not turned on.
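An added example, not the author's ipsec.conf from the original page: a shell function that writes a complete ipsec.conf for certificate-authenticated L2TP/IPsec, respecting the stanza rules above (no comments inside a stanza, a blank line ends it). The server certificate path and the LAN range are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not the author's ipsec.conf: an Openswan configuration for
# L2TP/IPsec with X.509 authentication. The server certificate path and the
# LAN range are placeholders; one conn serves road-warrior clients,
# including those behind NAT.
set -e

# write_ipsec_conf DESTFILE SERVER_CERT LAN_CIDR
write_ipsec_conf() {
    dest="$1"; cert="$2"; lan="$3"
    # Shell comments only: ipsec.conf accepts none inside a stanza, and a
    # stanza runs until the first blank line, so the layout below is exact.
    # config setup: NAT traversal on, private ranges NAT'd clients may use
    # (our own LAN excluded), opportunistic encryption off. conn L2TP-CERT:
    # transport-mode IPsec for UDP 1701 (L2TP); both peers prove identity
    # with RSA signatures on certs from the same CA; auto=add waits for them.
    cat > "$dest" <<EOF
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!$lan
    oe=off
    interfaces=%defaultroute

conn L2TP-CERT
    type=transport
    authby=rsasig
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftcert=$cert
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    auto=add
EOF
}

# stanza_has FILE STANZA KEY=VALUE: succeeds if KEY=VALUE is set within STANZA
stanza_has() {
    awk -v s="$2" -v kv="$3" '
        /^(config|conn) / { cur = $2 }
        /^$/ { cur = "" }
        cur == s && $1 == kv { found = 1 }
        END { exit !found }' "$1"
}
```

Openswan reads CA certificates from /etc/ipsec.d/cacerts and CRLs from /etc/ipsec.d/crls, so copy those there even when the server certificate itself lives under /etc/ssl.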

Configuring xl2tpd
The next step in configuring the VPN is to configure xl2tpd, our L2TP server. An L2TP server is necessary because the major OS VPN clients expect to see L2TP in their VPN stack. Eventually the native clients will all support pure IPsec VPNs, but until then L2TP is necessary. As mentioned earlier, xl2tpd is Xelerance's fork of l2tpd, with new security patches and features. They make it very easy to configure xl2tpd since you can use your old l2tpd.conf files. As with Openswan, here are the file locations for xl2tpd:


To get xl2tpd up and running we only have to edit its configuration file. Here is an example:


Configuring pppd
Configuring xl2tpd was easy enough. The final step is to configure PPP. PPP comes with most Linux distributions. Ubuntu Linux's PPP package places files in these locations:


The only file we need to configure is /etc/ppp/options.l2tpd. This file does not exist yet, so create it and then use the following configuration options:
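An added example covering both the xl2tpd and the pppd steps above (not the author's files from the original page): a shell function that writes xl2tpd.conf and /etc/ppp/options.l2tpd together. The gateway address, the client address pool and the DNS server are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not the author's files: write xl2tpd.conf and
# /etc/ppp/options.l2tpd for the L2TP leg of the VPN. The gateway's LAN
# address, the address pool handed to clients and the DNS server are
# placeholders.
set -e

# write_l2tp_configs XL2TPD_CONF PPP_OPTIONS GATEWAY_IP POOL_START POOL_END DNS_IP
write_l2tp_configs() {
    # [lns default] answers every tunnel: clients get an address from the
    # pool, must authenticate with CHAP (PAP refused) and run pppd with the
    # option file below. 'ipsec saref' stays off; it needs a patched kernel.
    cat > "$1" <<EOF
[global]
ipsec saref = no

[lns default]
ip range = $4-$5
local ip = $3
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNServer
ppp debug = yes
pppoptfile = $2
length bit = yes
EOF
    # pppd: accept the addresses negotiated by IPCP, hand out DNS, allow
    # MS-CHAPv2 (what the native Windows/OS X clients use), disable CCP
    # compression that trips those clients, and keep MTU/MRU low enough to
    # fit inside the L2TP and IPsec headers without fragmenting.
    cat > "$2" <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns $6
require-mschap-v2
noccp
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
EOF
}
```

The CHAP user names and passwords that pppd checks live in /etc/ppp/chap-secrets, which the article does not cover, so add your users there before testing a connection.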


Launching your VPN
Before the VPN can go live, you need to restart all your services. Type:


Congratulations! You have a working VPN appliance. If you have any questions or concerns do not hesitate to e-mail me.

Thanks to Jacco, the Openswan channel on Internet Relay Chat (IRC) and the Openswan mailing list. This guide would not have been possible without their help. Jacco has put together what might be the definitive site for information on creating VPNs with Openswan. Good luck creating your VPN.

About the author: Andrew Kutz is a Microsoft Certified Solutions Developer (MCSD) and a SANS/GIAC Certified Windows Security Administrator (GCWN). An avid fan of .NET, open source, Terminal Services, and coding, Andrew's current focus is on virtualization. Andrew graduated from the University of Texas at Austin with a B.A. in Ancient History and Classical Civilization and currently lives in Austin, Texas with his wife Mandy and their two puppies, Lucy and CJ.
