While reading and searching for which IPsec app to use for this server on Raspi (that is how I am going to call my Raspberry Pi now), I realised that Openswan may have some issues, and as I had successfully installed Strongswan on my VPS, I will stick with Strongswan.
We will do it in small steps: first Strongswan, then L2TP, and then the firewall rules.
sudo apt-get install strongswan iptables-persistent
Change to the /etc directory.
Copy both ‘ipsec.conf’ and ‘ipsec.secrets’ so the default originals are kept:

sudo cp ipsec.conf ipsec.conf.original
sudo cp ipsec.secrets ipsec.secrets.original

Empty ‘ipsec.conf’ so you can put in your own config:

echo '' | sudo tee ipsec.conf

and now edit it with your favourite editor:

sudo vim ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn vpnserver
    type=transport
    authby=secret
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftprotoport=udp/l2tp
    leftid=@wildfire
    right=%any
    rightprotoport=udp/%any
    auto=add

include /var/lib/strongswan/ipsec.conf.inc
As we are using a PSK instead of certificates, we will be editing the ipsec.secrets file next. Insert the line below into the file, replacing x.x.x.x with the IP of the interface on the server that will listen for connections and ‘password’ with a pass phrase (the second field, %any, means the PSK is accepted from any peer):

x.x.x.x %any : PSK "password"
Now it is L2TP’s turn.
sudo apt-get install xl2tpd
Make a copy of the config file, which lives in /etc/xl2tpd, to keep:

sudo cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.original
Edit the config file and add these lines at the end of the file:

[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = x.x.x.x - x.x.x.x
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = x.x.x.x
require authentication = yes
pppoptfile = /etc/ppp/options
We will use PPP for authentication, so install it:

sudo apt-get install ppp

Again, make copies of the files we will be changing:

sudo cp /etc/ppp/options /etc/ppp/options.original
sudo cp /etc/ppp/chap-secrets /etc/ppp/chap-secrets.original
Now at the end of the ‘options’ file enter these lines, replacing x.x.x.x with the IP address of the DNS server you want to pass to the VPN clients:

noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns x.x.x.x

You will also need to ‘remark’ (comment out) the following lines in the ‘options’ file:

#modem
#lock
#crtscts
At the end of the ‘chap-secrets’ file, add this line, replacing ‘username’ and ‘password’ with what you desire for each client. The columns are client, server, secret and allowed client IP; the last one can restrict a client to a certain IP, but we leave it as ‘*’ to allow the connection from anywhere:

username * password *
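The three configuration steps above (ipsec.secrets, xl2tpd.conf, and the PPP options and chap-secrets), as an added example that is not part of the original post: a POSIX shell script that renders the files from a few variables and writes the two credential files with owner-only permissions, since both ipsec.secrets and chap-secrets hold secrets in clear text and the PSK is shared by every client. All addresses, the user name ‘alice’, the file name options.xl2tpd and the directory argument of install_configs are my own placeholders, not values from the post; the script writes a complete PPP options file to /etc/ppp/options.xl2tpd (and points xl2tpd at it) rather than appending to /etc/ppp/options, so the distribution’s default file is left alone.

```shell
#!/bin/sh
# Added example, not part of the original post: render the strongSwan,
# xl2tpd and PPP files described above from a few variables instead of
# editing them by hand. Every address and name below is a placeholder
# chosen for this example (RFC 5737 / RFC 1918 ranges), not a value from the post.

SERVER_IP="${SERVER_IP:-203.0.113.10}"       # interface IPsec listens on
L2TP_LOCAL_IP="${L2TP_LOCAL_IP:-10.8.0.1}"   # L2TP end of the tunnel (this machine)
POOL_START="${POOL_START:-10.8.0.10}"        # client address pool
POOL_END="${POOL_END:-10.8.0.100}"
DNS_IP="${DNS_IP:-9.9.9.9}"                  # pushed to clients via ms-dns

# Random secret: the PSK is shared by all clients, so it must not be a
# dictionary word like the "password" placeholder above.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 24
    else
        od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
    fi
}

render_ipsec_secrets() {   # $1 = server IP, $2 = PSK
    printf '%s %%any : PSK "%s"\n' "$1" "$2"
}

render_xl2tpd_conf() {
    cat <<EOF
[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no

[lns default]
exclusive = no
ip range = ${POOL_START} - ${POOL_END}
local ip = ${L2TP_LOCAL_IP}
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
EOF
}

# A complete options file for the VPN (so modem/lock/crtscts are simply absent).
# 'debug' from the post is left out here: add it while troubleshooting only.
render_ppp_options() {
    cat <<EOF
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
ms-dns ${DNS_IP}
EOF
}

render_chap_secrets() {   # $1 = username, $2 = password, $3 = allowed client IP or *
    # columns: client  server  secret  IP addresses
    printf '"%s" * "%s" %s\n' "$1" "$2" "$3"
}

# Credential files must not be world-readable: create them under umask 077
# in a subshell and force 0600 even if the file already existed.
write_secret() {   # $1 = path, content on stdin
    ( umask 077 && cat > "$1" && chmod 600 "$1" )
}

install_configs() {   # $1 = root to install under ("/" on the Pi, a temp dir to preview)
    root="${1%/}"
    mkdir -p "$root/etc/xl2tpd" "$root/etc/ppp"
    render_ipsec_secrets "$SERVER_IP" "$(gen_secret)" | write_secret "$root/etc/ipsec.secrets"
    render_xl2tpd_conf > "$root/etc/xl2tpd/xl2tpd.conf"
    render_ppp_options > "$root/etc/ppp/options.xl2tpd"
    render_chap_secrets alice "$(gen_secret)" '*' | write_secret "$root/etc/ppp/chap-secrets"
}

# Check: returns 1 if either credential file is readable by group or others.
secrets_are_private() {   # $1 = root
    for f in "$1/etc/ipsec.secrets" "$1/etc/ppp/chap-secrets"; do
        ls -l "$f" | grep -q '^-rw-------' || return 1
    done
}

case "${1:-}" in
    install) install_configs / ;;                                   # run as root on the Pi
    preview) d=$(mktemp -d); install_configs "$d"; find "$d" -type f ;;
esac
```

Save it as, say, setup-l2tp.sh; `sh setup-l2tp.sh preview` renders everything into a temporary directory for inspection, and `sudo sh setup-l2tp.sh install` writes the real files, after which the strongswan and xl2tpd services need a restart so the new files are read. The generated secrets are only printed by `preview` through the file listing, never to the terminal, so they do not end up in shell history.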
Next, make a copy of ‘/etc/sysctl.conf’ as a backup and then edit the file. Find the first three lines and ‘unremark’ (uncomment) them. The last line may or may not be in your config file; if it is, uncomment it, and if it isn’t, add it:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1
Now make a copy of ‘/etc/iptables/rules.v4’ and start editing this file. You need to enter the block of code below, replacing x.x.x.x/x with the subnet you have selected to use for allocating IP addresses to your VPN clients.
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -s x.x.x.x/x -m policy --pol ipsec --dir in -j ACCEPT
Now run a command to let the server act as a NAT device for all VPN clients. Replace x.x.x.x/x with the subnet the VPN clients get their IP addresses from:
sudo iptables -t nat -A POSTROUTING -s x.x.x.x/x -j MASQUERADE
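The sysctl and firewall steps above, as an added example that is not part of the original post: a POSIX shell script that validates the client subnet, renders a complete /etc/iptables/rules.v4 and loads it with iptables-restore. Two points differ from the rules as written above and are my own choices. The MASQUERADE rule goes into the *nat table of rules.v4, because a rule added with a bare iptables command is not saved by iptables-persistent and is gone after the next reboot (alternatively run `sudo netfilter-persistent save` after adding it). Forwarded client traffic is matched on the ppp interface it arrives from (`-i ppp+`), because after L2TP decapsulation the clients’ packets enter the FORWARD chain from a pppN interface, where the IPsec policy match of the rule above no longer applies. The script also accepts udp/1701 only when it arrives inside IPsec and drops it otherwise, so unencrypted L2TP is never answered. VPN_NET and WAN_IF are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a complete
# /etc/iptables/rules.v4 for the VPN, including the NAT rule, so that
# iptables-persistent restores everything at boot.
# VPN_NET and WAN_IF are placeholders chosen for this example.

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # subnet the L2TP client pool comes from
WAN_IF="${WAN_IF:-eth0}"            # uplink the clients are NATed out of

# Reject a malformed subnet before it is spliced into the rule set;
# iptables-restore would abort on it and leave the old rules in place.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"
    bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    n=0
    rest="$ip."
    while [ -n "$rest" ]; do
        o="${rest%%.*}"
        rest="${rest#*.}"
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

render_rules_v4() {   # $1 = client subnet, $2 = uplink interface
    valid_cidr "$1" || { echo "render_rules_v4: bad subnet '$1'" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# the post's MASQUERADE rule, persisted
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
# L2TP only inside IPsec; plain udp/1701 from the network is dropped
-A INPUT -p udp --dport 1701 -m policy --pol ipsec --dir in -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# decapsulated client packets arrive on pppN, so match the interface, not the IPsec policy
-A FORWARD -i ppp+ -s $1 -o $2 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Write and load the rules (run as root on the Pi). iptables-restore is
# atomic, so a syntax error leaves the previous rule set untouched.
apply_rules() {
    render_rules_v4 "$VPN_NET" "$WAN_IF" > /etc/iptables/rules.v4.new || return 1
    iptables-restore < /etc/iptables/rules.v4.new || return 1
    mv /etc/iptables/rules.v4.new /etc/iptables/rules.v4
}

# Without forwarding (the sysctl step above) clients reach only the Pi itself.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-}" in
    show)  render_rules_v4 "$VPN_NET" "$WAN_IF" ;;
    apply) forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; run 'sudo sysctl -p'" >&2
           apply_rules ;;
esac
```

`sh vpn-rules.sh show` prints the rule set for review; `sudo VPN_NET=10.8.0.0/24 WAN_IF=eth0 sh vpn-rules.sh apply` installs it and warns if the sysctl change from the previous step has not been applied yet. The INPUT chain keeps an ACCEPT policy here so that applying it cannot lock you out of SSH; tighten it separately once the VPN works.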