It is not trivial to set up a VPN server on Gentoo. After several trials and errors, the VPN is up and running, so I think it is worth documenting what I did.
The final outcomes I want to achieve are
- A Gentoo Linux machine with a public IP that runs the VPN server. Its IP is 172.104.75.62
- Other clients, especially my Android phone, can connect to the VPN server via the L2TP/IPsec protocol.
Two great articles helped me get it working.
Unlike the Gentoo wiki, I do not use certificate files such as *.ca or *.crt; I use psk.txt for authentication, which keeps the setup simple.
Install necessary packages
# emerge ipsec-tools xl2tpd pptpd
Setup ipsec-tools (racoon)
There are three configuration files for racoon. The first is /etc/racoon/psk.txt. It maps each peer (by IP or FQDN) to the pre-shared secret that peer must present, as shown below.
# Peer IP/FQDN   Secret
*                be903514
Note that I specify the Peer field as *, which means all clients share the same secret.
The second configuration file is racoon.conf:
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
    exchange_mode main;
    my_identifier fqdn "172.104.75.62";
    passive on;
    generate_policy on;
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
Finally, the third configuration file for racoon is /etc/ipsec-tools.conf:
flush;
spdflush;
spdadd 172.104.75.62[l2tp] 0.0.0.0/0 udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 172.104.75.62[l2tp] udp -P in ipsec esp/transport//require;
After setting up the three files, it's time to start racoon:
# /etc/init.d/racoon start
Setup xl2tpd
xl2tpd has only one configuration file, /etc/xl2tpd/xl2tpd.conf:
[global]
port = 1701
access control = no

[lns default]
ip range = 192.168.0.1-192.168.0.20
local ip = 192.168.1.2
require authentication = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.xl2tpd
Note that the pppoptfile variable refers to a file outside the /etc/xl2tpd directory. We will create it later.
I also set up iptables rules as suggested in the Gentoo Wiki:
iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
Setup pptpd
The first step is to edit /etc/ppp/chap-secrets. The following is my config:
# Secrets for authentication using CHAP
# client    server  secret        IP addresses
pptpuser    *       I_am_client   *
Next, create the file /etc/ppp/options.xl2tpd that matches the settings in /etc/xl2tpd/xl2tpd.conf:
noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent
OK. Now xl2tpd and pptpd are ready to run.
# /etc/init.d/xl2tpd start
# /etc/init.d/pptpd start
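Before starting the services, a quick pre-flight check of the three files edited above saves a round of log reading. The script below is my own added example, not code from the original post or from the racoon/xl2tpd projects; it flags a psk.txt that is readable by other users (racoon refuses such a file), a pppoptfile that was never created, a missing "require authentication = yes", and an empty CHAP secret. MIN_PSK_LEN, the demo() layout and the placeholder secrets are assumptions of the example.

```python
import configparser, os, stat, tempfile
from pathlib import Path

MIN_PSK_LEN = 20  # hypothetical local policy, not a racoon requirement

def check_vpn_config(psk_path, xl2tpd_conf, chap_secrets):
    """Pre-flight the L2TP/IPsec files; returns a list of findings (empty = pass)."""
    findings = []
    mode = stat.S_IMODE(os.stat(psk_path).st_mode)
    if mode & 0o077:  # racoon wants psk.txt unreadable by group/other
        findings.append(f"psk.txt mode {mode:04o}: must be 0600")
    for line in Path(psk_path).read_text().splitlines():
        parts = line.split("#", 1)[0].split()  # 'identifier secret'
        if len(parts) == 2 and len(parts[1]) < MIN_PSK_LEN:
            findings.append(f"psk for {parts[0]}: only {len(parts[1])} chars")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(xl2tpd_conf)
    lns = cp["lns default"] if cp.has_section("lns default") else {}
    if lns.get("require authentication", "no").lower() != "yes":
        findings.append("xl2tpd.conf: 'require authentication' is not yes")
    ppp = lns.get("pppoptfile")
    if not ppp or not os.path.exists(ppp):  # the post creates this file in a later step
        findings.append(f"xl2tpd.conf: pppoptfile {ppp!r} does not exist")
    rows = [l.split() for l in Path(chap_secrets).read_text().splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    if not rows or any(len(r) < 3 or r[2] == "*" for r in rows):
        findings.append("chap-secrets: missing user entry or empty secret")
    return findings

def demo(pppoptfile_present=True):
    """Constructed copy of the post's layout in a temp dir (placeholder secrets)."""
    d = Path(tempfile.mkdtemp())
    psk = d / "psk.txt"
    psk.write_text("# Peer IP/FQDN  Secret\n*  CHANGEME-placeholder-psk-value\n")
    os.chmod(psk, 0o600)
    ppp = d / "options.xl2tpd"
    if pppoptfile_present:
        ppp.write_text("noccp\nauth\nmtu 1410\nmru 1410\n")
    conf = d / "xl2tpd.conf"
    conf.write_text("[global]\nport = 1701\n[lns default]\n"
                    "ip range = 192.168.0.1-192.168.0.20\nlocal ip = 192.168.1.2\n"
                    f"require authentication = yes\npppoptfile = {ppp}\n")
    chap = d / "chap-secrets"
    chap.write_text("# client server secret IP\npptpuser * CHANGEME-password *\n")
    return check_vpn_config(psk, conf, chap)
```

Point check_vpn_config() at /etc/racoon/psk.txt, /etc/xl2tpd/xl2tpd.conf and /etc/ppp/chap-secrets on the real host; demo() only exercises it on a constructed copy.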
Reap fruits
Now, check whether the Android phone can connect to the VPN server. Tap Settings - More - VPN - Add VPN profile. The following window shows up, and I fill in only the Name, Type, Server IP, and pre-shared key. The IPSec pre-shared key is be903514 in my case (see /etc/racoon/psk.txt).
Save the profile and tap it again to connect. A dialog will open. Now, fill in the values that correspond to /etc/ppp/chap-secrets. In my case, the Username is pptpuser and the password is I_am_client. If all goes well, a "Connected" message shows up on the Android phone.