VPN – Nosce Te Ipsum

Tag: VPN

Setting up L2TP/IPSEC server using PSK on Raspberry Pi…

November 7, 2018November 7, 2018
by Muhammad

While reading and searching for which IPSEC app to use for this server on Raspi (that is how I am going to call my Raspberry Pi now) I realised that Openswan may have some issues and as I had successfully installed Strongswan on my VPS, I stick to Strongswan.

We will do it in small steps. First Strongswan, then L2TP and then firewall rules.

Strongswan

sudo apt-get install strongswan iptables-persistent

go to /etc directory

cd /etc

copy both ‘ipsec.conf’ and ‘ipsec.secrets’ to keep default originals

sudo cp ipsec.conf ipsec.conf.original
sudo cp ipsec.secrets ipsec.secrets.original

cleanup the ‘ipsec.conf’ to put your own config

sudo echo ''| sudo tee ipsec.conf
and now edit with your favourite editor

sudo vim ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup

# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.

conn vpnserver
type=transport
authby=secret
pfs=no
rekey=no
keyingtries=1
left=%any
leftprotoport=udp/l2tp
leftid=@wildfire
right=%any
rightprotoport=udp/%any
auto=add

include /var/lib/strongswan/ipsec.conf.inc

As we are using PSK instead of certificates, we will be editing the ipsec.secrets file next. You need to insert the line below in the file replacing x.x.x.x with IP of the interface on server which will listen for connections and ‘password’ with a pass phrase.

x.x.x.x &any : PSK "password"

L2TP (Xl2tpd)

Now it is the turn for L2TP installation.

sudo apt-get install xl2tpd

Make a copy of the config file to keep

sudo cp xl2tpd.conf xl2tpd.conf.original

Edit the config file and add these lines at the end of file


[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = x.x.x.x - x.x.x.x
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = x.x.x.x
require authentication = yes
pppoptfile = /etc/ppp/options

PPP

We will use PPP for authentication hence install

sudo apt-get install ppp

Again, make copies of files we will be changing

sudo cp /etc/ppp/option option.original sudo cp /etc/ppp/chap-secrets chap-secrets.original

Now at the end of ‘options’ file enter this code replacing the x.x.x.x with your desired DNS server’s IP address which you want to pass to the VPN clients


noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns x.x.x.x

You will also need to ‘remark’ the following lines in the ‘options’ file


#modem
#lock
#crtscts

At the end of ‘chap-secrets’ file, add this code replacing ‘username’ and ‘password’ with what you desire for each client and you can also restrict from a certain IP. We leave it with ‘*’ to allow the connection from anywhere.


user   *    password   *

Firewall rules

First of all make a copy of ‘/etc/sysctl.conf’ to save and then edit this file. Find the first three lines and ‘unremark’ them. Last line may or may not be in your config file. If it is, unremark it and if it isn’t add this.


net.ipv4.ip_forward=1
..
net.ipv4.conf.all.accept_redirects = 0
..
net.ipv4.conf.all.send_redirects = 0
..
net.ipv4.ip_no_pmtu_disc = 1

Now make a copy of ‘/etc/iptables/rules.v4’ and start editing this file. You need to enter the block of code below, replacing x.x.x.x/x with the subnet you have selected to use for allocating IP addresses to your VPN clients.


-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -s x.x.x.x/x -m policy --pol ipsec --dir in -j ACCEPT

and now you need to run a command to allow the server to serve as a NAT device for all VPN clients. Replace x.x.x.x/x with the subnet allocated for VPN clients to get IP address from.


sudo iptables -t nat -A POSTROUTING -s x.x.x.x/x -j MASQUERADE

General Unix

Setting up VPN Routing on my home server

October 19, 2011October 19, 2011
by Muhammad

After my previous post in which I got a laptop installed with Ubuntu and turned into VPN server I went on to try this on my home server. This is also running on Ubuntu but is my home file sharing samba, PS3 DLNA and Apache (this blog) server. Another issue was that I did not want the server itself to pass all its internet traffic through VPN. I simply wanted it to NAT all LAN clients via VPN whose gateway is set to be this server. So the basic requirements are:

– Ubuntu / Debian Linux install (I used Ubuntu with Gnome therefore the steps require to use Network Manager under GUI – I would love to experiment this setup one day with command line control only)
– An advanced router (I use cheap second hand Linksys WRT160N with DD-WRT)

First thing you have to do is to setup your Linux server for VPN and VPN routing:
Create a VPN network account. I used PPTP and for this you have to make sure to use MS-CHAP2 only, remove ticks from all other authentication protocols andEnable MPPE Compression under the Advanced Tab in VPN connection window. Also make sure to click on IPV4 settings tab and tick the option Use this connection only for resources on its network. This will prevent all traffic from your Ubuntu server going out of VPN gateway. You cannot use the Network Manager’s option of automatic connect and allow all users. They are buggy. We will use a command line script to fire up this connection but for that you have to leave keychain password blank when asked for after creating the VPN connection.

Now you should try to connect this VPN to make sure it is all working. Fix any username, password or VPN server address issues here if encountered.

Now we are going to create three script files.
Script #1 will be to start the VPN connection when provided with the VPN connection name via script #2.
Script #2 will launch via “Startup Applications” feature in Ubuntu so that it runs nearly at the end of all startup scripts. You can also add it to rc#.d/ files buy using update-rc.d script defaults command but that will have to be another blog post :). This script checks if there is a VPN connection, reports a fault in case of error with config files or absence of any network interface being up, fires up the named VPN connection in case of positive on network connectivity but absence of VPN connection, fires up Script #3 after each startup of VPN connection and then sleeps for 60 seconds before going through the same process again 😉
Script #3 is fired by Script #2 each time it establishes a VPN connection. This script creates a temporary Script #4 file. Fills in the variables from VPN connection in this script and then fires up this Script #4.
Script #4 has routing commands which will enable route incoming packets from your selected LAN clients via VPN.

Script #1 has to be saved in /usr/local/bin
Script #2 & Script #3 I saved in /etc/init.d/
Script #4 is automatically created by Script #3 in /tmp

make sure that all scripts except #4 are made executable by chmod 755 and I also made root owner of these files. Script #4 gets its chmod via Script #3. Now my system has auto-login on boot with my username. Script #1, #2 and #3 are launched via startup scripts so they have no issues but Script #4 is called via “logged on” user environment so we have a problem. It will not run unless you run this script with sudo and to avoid sudo asking for password you have to add the following line in /etc/sudoers file via “visudo” as root.

username ALL=NOPASSWD: /tmp/firewall_script.sh

replace “username” with the username of autologin user and /tmp/firewall_script.sh with name of script file you create via Script #3.

Script #1
########### #SETTINGS # ########### get_connections_paths() { dbus-send --system --print-reply --dest="$1" "/org/freedesktop/NetworkManagerSettings" "org.freedesktop.NetworkManagerSettings.ListConnections" \ | grep "object path" | cut -d '"' -f2 } # get_connection_settings() { dbus-send --system --print-reply --dest="$1" "$2" org.freedesktop.NetworkManagerSettings.Connection.GetSettings } # get_connection_string_setting() { echo "$1" | grep -A 1 \""$2"\" | grep variant | cut -d '"' -f2 } # get_connection_id() { get_connection_string_setting "$1" "id" } # get_connection_type() { get_connection_string_setting "$1" "type" } # get_device_type_by_connection_type() { echo "$1" | grep -q "ethernet" && echo 1 && return echo "$1" | grep -q "wireless" && echo 2 && return echo 0 } # find_connection_path() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` [ "$connection_settings_id" = "$2" ] && echo "$1" "$connection_path" done } # find_connection_path_everywhere() { find_connection_path "org.freedesktop.NetworkManagerSystemSettings" "$1" find_connection_path "org.freedesktop.NetworkManagerUserSettings" "$1" } # print_connections_ids() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # print_connections_ids_everywhere() { print_connections_ids "org.freedesktop.NetworkManagerSystemSettings" print_connections_ids "org.freedesktop.NetworkManagerUserSettings" } # # ########### # DEVICES # ########### # get_devices_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.NetworkManager.GetDevices" \ | grep "object path" | cut -d '"' -f2 } # get_device_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Device" string:"$2" \ | grep variant | awk '{print $3}' } # get_device_type() { get_device_property "$1" "DeviceType" } # get_device_path_by_device_type() { device_path_by_device_type="/" for device_path in `get_devices_paths` do device_type=`get_device_type "$device_path"` [ "$device_type" = "$1" ] && device_path_by_device_type="$device_path" done echo "$device_path_by_device_type" } # # ####################### # ACTIVES CONNECTIONS # ####################### # get_actives_connections_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager" string:"ActiveConnections" \ | grep "object path" | cut -d '"' -f2 } # get_last_active_connection_path() { get_actives_connections_paths | tail -n 1 } # get_parent_connection_path_by_device_type() { parent_connection_path="/" [ "$1" = 0 ] && parent_connection_path=`get_last_active_connection_path` echo "$parent_connection_path" } # get_active_connection_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Connection.Active" string:"$2" \ | grep variant | awk -F '"' '{print $2}' } # get_active_connection_service() { get_active_connection_property "$1" "ServiceName" } # get_active_connection_path() { get_active_connection_property "$1" "Connection" } # get_active_connection_path_by_connection_path() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` [ "$service" = "$1" ] && [ "$path" = "$2" ] && echo "$active_connection_path" done } # print_actives_connections_ids() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` connection_settings=`get_connection_settings "$service" "$path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # # ############## # START/STOP # ############## # start_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_connection_settings=`get_connection_settings $my_connection_complete_path` my_connection_type=`get_connection_type "$my_connection_settings"` my_connection_device_type=`get_device_type_by_connection_type "$my_connection_type"` # my_connection_service=`echo $my_connection_complete_path | awk '{print $1}'` my_connection_path=`echo $my_connection_complete_path | awk '{print $2}'` my_connection_device_path=`get_device_path_by_device_type "$my_connection_device_type"` my_parent_connection_path=`get_parent_connection_path_by_device_type "$my_connection_device_type"` # echo "connection_service=$my_connection_service" echo "connection_path=$my_connection_path" echo "connection_device_path=$my_connection_device_path" echo "parent_connection_path=$my_parent_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.ActivateConnection" string:"$my_connection_service" objpath:"$my_connection_path" objpath:"$my_connection_device_path" objpath:"$my_parent_connection_path" } # stop_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_active_connection_path=`get_active_connection_path_by_connection_path $my_connection_complete_path` # echo "active_connection_path=$my_active_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.DeactivateConnection" objpath:"$my_active_connection_path" } # # ######## # MAIN # ######## # invalid_arguments() { echo "Usage: `basename "$0"` connexion_name start|stop" echo "---Available Connections:" print_connections_ids_everywhere echo "---Active Connections:" print_actives_connections_ids exit 0 } # [ "$#" != 2 ] && invalid_arguments # case "$2" in "start") start_connection "$1" ;; "stop") stop_connection "$1" ;; *) invalid_arguments ;; esac

This script uses command line based network-manager control and starts the VPN connection whose name is provided via the command. I called this script “vpn_connect” and the usage is:

vpn_connect VPN_CONNECTION_NAME start

where VPN_CONNECTION_NAME is the name you give to your VPN connection in network manager.

Script #2
#!/bin/bash for (( ; ; )); do # creating ifinite loop tested=$(vpn_connect|grep -c VPN_CONNECTION_NAME) # VPN_CONNECTION_NAME here is the name of desired vpn connection to monitor. The results can be: # 0 - this connection does not exist # 1 - connection exists, but not active # 2 - connection exists, and is active case $tested in "0") echo "something is wrong, cannot find desired connection in avaliable list" ;; "1") echo "VPN avaliable, but not connected" vpn_connect VPN_CONNECTION_NAME start /etc/init.d/route & ;; "2") echo "VPN seems to work" ;; esac # enter desired time between checks here. sleep 60 done

I called this file start_vpn
Replace “VPN_CONNECTION_NAME” with the name of your VPN connection. Also you see in this script that I am firing up Script #3 called “route” just after VPN connection is established. At the end of command line to start the “route” script is & which will launch the route script and will continue processing this script without waiting the “route” script to finish and report back etc.

Script #3
#!/bin/bash INT=ppp0 echo "sleep 60" > /tmp/firewall_script.sh echo "/sbin/iptables --table nat --append POSTROUTING --out-interface $INT --jump MASQUERADE" >> /tmp/firewall_script.sh ; echo "/sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.2 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.3 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.4 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.5 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.6 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.7 table 200" >> /tmp/firewall_script.sh ; echo "ip rule add from 192.168.x.8 table 200" >> /tmp/firewall_script.sh ; echo "REMOTEIP=\$(ifconfig $INT | sed -n 's/.*inet *addr:$[0-9\.]*$.*/\1/p')" >> /tmp/firewall_script.sh ; echo "ip route add default via \$REMOTEIP dev $INT table 200" >> /tmp/firewall_script.sh ; echo "ip route flush cache" >> /tmp/firewall_script.sh ; chmod 777 /tmp/firewall_script.sh sudo /tmp/firewall_script.sh &

This script is called route and creates the Script #4 once the VPN connection is established. You can see that Script #4 gets a sleep time of 60 seconds which allows time for VPN connection to be established by Script #2.
INT is the name of interface which is created for the VPN connection. You need to get this for your server’s VPN connection by using ifconfig after VPN connection is manually created (via Network Manager) and use the value here in this script. In my case it is ppp0. Next thing you would want to change are the lines having my internal LAN client IP addresses who I wish to use this VPN router for. They are static assigned by your router (discussed below). You can add as many or few as you like (add or remove lines of ip rule command as needed). The last two lines of this script are important. It chmod’s the Script #4 and launches it with “sudo”. You can change the name and location of this script but remember to change it in all lines where it occurs. With a regular logged on user chmod will work but you cannot execute this script unless it is launched bu sudo. Explained above how to edit sudoers file to let this happen.

That is it for your VPN server. Reboot it and watch everything getting done by itself.

Now for your router you will have to decide, find and implement specific configuration. Mine is DD_WRT and I can use DNSMasq options to get static IPs assigned to selected MAC addresses with a different gateway than the rest of dynamically assigned IP addresses 😉 I used the guide at this page to accomplish this. One thing I found was that for all the MAC addresses you are assigning the static address and different gateway via the DNSMasq options you should NOT put them in the GUI provided static mapping table.

I will add more information if and when required.

General Unix

Use Linux (Debian/Ubuntu) as a VPN router

October 9, 2011October 9, 2011
by Muhammad

First step would be to make sure that the chosen hardware has a NIC which can easily be found and installed under linux. I had issues getting BM4312 (broadcom) lp-phy (low power) chip to work in my first trial hardware (Dell laptop). Next step is to choose if you wish to use Debian or Ubuntu. Installing server versions are better but remember no GUI by default so if you are GUI lover go with desktop versions and install the server bits you need later.

Once the NICs are operational you need to get the VPN working. This will be different for server and desktop versions. For server you need to install the plugin and create the dialup script (refer to documentation available for the linux flavour you chose). For desktop version the network manager provides easy and graphical way to create this. Once you have the VPN connection configured and tested to work you make the VPN (in our case, PPTP) auto dial after auto-login (Desktop version provides easy way for auto-login). You also need some changes to ip forwarding and firewall to let the traffic from your local network flow via the VPN connection.

For auto-connecting VPN in Desktop (using Network Manager and its VPN plugins) follow the guide below:

create a script file with the code below:
#!/bin/bash # # ############ # SETTINGS # ############ # get_connections_paths() { dbus-send --system --print-reply --dest="$1" "/org/freedesktop/NetworkManagerSettings" "org.freedesktop.NetworkManagerSettings.ListConnections" \ | grep "object path" | cut -d '"' -f2 } # get_connection_settings() { dbus-send --system --print-reply --dest="$1" "$2" org.freedesktop.NetworkManagerSettings.Connection.GetSettings } # get_connection_string_setting() { echo "$1" | grep -A 1 \""$2"\" | grep variant | cut -d '"' -f2 } # get_connection_id() { get_connection_string_setting "$1" "id" } # get_connection_type() { get_connection_string_setting "$1" "type" } # get_device_type_by_connection_type() { echo "$1" | grep -q "ethernet" && echo 1 && return echo "$1" | grep -q "wireless" && echo 2 && return echo 0 } # find_connection_path() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` [ "$connection_settings_id" = "$2" ] && echo "$1" "$connection_path" done } # find_connection_path_everywhere() { find_connection_path "org.freedesktop.NetworkManagerSystemSettings" "$1" find_connection_path "org.freedesktop.NetworkManagerUserSettings" "$1" } # print_connections_ids() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # print_connections_ids_everywhere() { print_connections_ids "org.freedesktop.NetworkManagerSystemSettings" print_connections_ids "org.freedesktop.NetworkManagerUserSettings" } # # ########### # DEVICES # ########### # get_devices_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.NetworkManager.GetDevices" \ | grep "object path" | cut -d '"' -f2 } # get_device_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Device" string:"$2" \ | grep variant | awk '{print $3}' } # get_device_type() { get_device_property "$1" "DeviceType" } # get_device_path_by_device_type() { device_path_by_device_type="/" for device_path in `get_devices_paths` do device_type=`get_device_type "$device_path"` [ "$device_type" = "$1" ] && device_path_by_device_type="$device_path" done echo "$device_path_by_device_type" } # # ####################### # ACTIVES CONNECTIONS # ####################### # get_actives_connections_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager" string:"ActiveConnections" \ | grep "object path" | cut -d '"' -f2 } # get_last_active_connection_path() { get_actives_connections_paths | tail -n 1 } # get_parent_connection_path_by_device_type() { parent_connection_path="/" [ "$1" = 0 ] && parent_connection_path=`get_last_active_connection_path` echo "$parent_connection_path" } # get_active_connection_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Connection.Active" string:"$2" \ | grep variant | awk -F '"' '{print $2}' } # get_active_connection_service() { get_active_connection_property "$1" "ServiceName" } # get_active_connection_path() { get_active_connection_property "$1" "Connection" } # get_active_connection_path_by_connection_path() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` [ "$service" = "$1" ] && [ "$path" = "$2" ] && echo "$active_connection_path" done } # print_actives_connections_ids() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` connection_settings=`get_connection_settings "$service" "$path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # # ############## # START/STOP # ############## # start_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_connection_settings=`get_connection_settings $my_connection_complete_path` my_connection_type=`get_connection_type "$my_connection_settings"` my_connection_device_type=`get_device_type_by_connection_type "$my_connection_type"` # my_connection_service=`echo $my_connection_complete_path | awk '{print $1}'` my_connection_path=`echo $my_connection_complete_path | awk '{print $2}'` my_connection_device_path=`get_device_path_by_device_type "$my_connection_device_type"` my_parent_connection_path=`get_parent_connection_path_by_device_type "$my_connection_device_type"` # echo "connection_service=$my_connection_service" echo "connection_path=$my_connection_path" echo "connection_device_path=$my_connection_device_path" echo "parent_connection_path=$my_parent_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.ActivateConnection" string:"$my_connection_service" objpath:"$my_connection_path" objpath:"$my_connection_device_path" objpath:"$my_parent_connection_path" } # stop_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_active_connection_path=`get_active_connection_path_by_connection_path $my_connection_complete_path` # echo "active_connection_path=$my_active_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.DeactivateConnection" objpath:"$my_active_connection_path" } # # ######## # MAIN # ######## # invalid_arguments() { echo "Usage: `basename "$0"` connexion_name start|stop" echo "---Available Connections:" print_connections_ids_everywhere echo "---Active Connections:" print_actives_connections_ids exit 0 } # [ "$#" != 2 ] && invalid_arguments # case "$2" in "start") start_connection "$1" ;; "stop") stop_connection "$1" ;; *) invalid_arguments ;; esac

give it a name e.g. “vpn_connect”
copy it to /usr/local/bin
make it executable

sudo cp vpn_connect /usr/local/bin/ sudo chmod ugo+x /usr/local/bin/vpn_connect

now create another script in your home folder which will check if the VPN is connected and if not it will connect it. This script will monitor the VPN connection every 60 seconds and in case it finds it disconnected it will connect it again.

#!/bin/bash for (( ; ; )); do # creating ifinite loop tested=$(vpn|grep -c USA) # VPNNAME here is the name of desired vpn connection to monitor. The results can be: # 0 - this connection does not exist # 1 - connection exists, but not active # 2 - connection exists, and is active case $tested in "0") echo "something is wrong, cannot find desired connection in avaliable list" ;; "1") echo "VPN avaliable, but not connected" vpn_connect USA start ;; "2") echo "VPN seems to work" ;; esac # enter desired time between checks here. sleep 60 done

let’s call it startvpn
make this script executable

sudo chmod ugo+x startvpn or sudo chmod 777 startvpn

you can now put this in the startup applications (if using Desktop version of Ubuntu) or execute it on every reboot by having it in /etc/rc.local

The final part is to have the forwarding and enabled and the route defined. Assuming your VPN connection interface is ppp0.

create a script file with code below:

#!/bin/bash sleep 120 echo 1 >; /proc/sys/net/ipv4/ip_forward iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o ppp0 -j MASQUERADE iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

this script enables forwarding, routing (from 192.168.100.0/24 network) and make sure that MTUis set correctly otherwise routing does not work fully.

let us call the script as vpn_route
you can now have it run on every boot by copying this code to /etc/rc.local or copy the script file in /etc/init.d/ and then the following command

sudo update-rc.d /etc/init.d/vpn_route defaults

This will add this script to all run level rc folders and will execute it on each boot.

Also make sure that the ‘/proc/sys/net/ipv4/ip_forward’ has value of 1 in it

Now the VPN should auto connect on every boot, will be monitored for disconnection and reconnected in case of disconnection and the forwarding, routing and MTU settings will be applied on every reboot as well.

Enjoy VPN router out of a linux box.

note: help on codes came from various places but will mention these posts specially:

Script for VPN connection
Further script for VPN connection
VPN Connection Sharing forwarding and routing
MTU setting command which bugged me for a while when browsing was half working

General Unix

PPTP VPN config on Linux

March 26, 2011
by Muhammad

apt-get install pptpd mc

Type ifconfig and inspect the “eth0” section to find out the IP address of your server [inet addr]

mc -e /etc/pptpd.conf
add two lines:
(Assuming that your internal network IP address is 10.5.1.xxx, geeks call this the 10.5.1.0/24 subnet).
(It is important to avoid using the 192.168.1.xxx subnet for your home because most hotels, Linksys boxes, Cisco boxes, TP-LINK and Trendnet default to 192.168.1.xxx
You cannot VPN from one 192.168.1.0/24 network into another 192.168.1.0/24 network)

localip 10.5.1.3 (this address should be your server’s IP address, [inet addr] when you type ifconfig, see above )
remoteip 10.5.1.241-246

Above configuration assigns 6 IP addresses for 6 roaming users to VPN into your home/corporate network simultaneously.

mc -e /etc/ppp/options

find the line that says ms-dns, modify the IP addresses to suit your local environment.
These two IP addresses should be the IP addresses of the DNS servers provided to you by your ISP or use your router if that does the DNS for your network.
The following examples are the OpenDNS servers which anyone can use.

ms-dns 208.67.222.222
ms-dns 208.67.220.220

Create user accounts and passwords for roaming/telecommuting users to access your VPN server (use strong passwords for security)

mc -e /etc/ppp/chap-secrets

e.g.
alice pptpd a-strong-password *
bob pptpd another-strong-password *

The trailing * means these users are allowed to come in from any IP address, if the telecommuter or branch office
has a static or fixed IP address and never roams, then you can replace the * with his/her fixed IP address (or IP address block) for added security.

You typically want to use a “static IP” address for VPN server behind firewall.

Change the Debian box from DHCP to static IP address:

mc -e /etc/network/interfaces

find the line that says iface eth0 inet dhcp
change the above line to iface eth0 inet static
add 4 lines below the iface eth0 inet static line, the actual addresses you use should be your own internal network environment.
address 10.5.1.3
netmask 255.255.255.0
broadcast 10.5.1.255
gateway 10.5.1.1

F2 to save the file, F10 to quit editing

mc -e /etc/resolv.conf
nameserver 216.21.128.22 (note: please use your ISP/cable/DSL company’s DNS servers)
nameserver 216.21.129.22
F2 to save the file, F10 to quit editing.

reboot

One final tweak is to instruct the Linux kernel to “forward” VPN packets.
mc -e /etc/sysctl.conf
fine the line that says:
#net.ipv4.conf.default.forwarding=1
delete the #
save the file.
reboot
With older kernels, you may need to add these (depreciated) steps:
touch /etc/init.d/pptp
chmod 755 /etc/init.d/pptp
mc -e /etc/init.d/pptp edit the file, add one line, save the file.
echo 1 > /proc/sys/net/ipv4/ip_forward

cd /etc/rcS.d
ln -s /etc/init.d/pptp S85-pptp-packet-forward
reboot

Technology

L2TP/IPsec error 678: in Windows

December 21, 2010
by Muhammad

When connecting to an L2TP/IPsec VPN which sits behind NAT you might get error 678 in Windows. To fix this the solution is as follows:

For Windows XP

http://support.microsoft.com/default.aspx?kbid=885407
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
On the Edit menu, point to New, and then click DWORD Value.
In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.

Important This value name is case sensitive.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value data box, type one of the following values:
0 (default)
A value of 0 (zero) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators.
1
A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
2
A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.

Note This is the behavior of IPsec NAT-T in Windows XP without service packs installed and in Windows XP SP1.
Click OK, and then quit Registry Editor.
Restart the computer.

For Windows Vista

http://support.microsoft.com/kb/926179
Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Note You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value Data box, type one of the following values:
0
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
Click OK, and then exit Registry Editor.
Restart the computer.

December 2023
M	T	W	T	F	S	S
« Oct
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31