FAIL: native VPN with iPhone and linux (raspian/ubuntu)

FAIL: this experiment did not work / needs more testing

I want a working on-demand VPN for my iPhone to tunnel all my traffic in case I have to use some dubious WLAN (such as the one at techinc or in some hotel).

as openswan is not working yet but I need a quick solution, I will start with PPTP – better than nothing! (it will connect to my Raspberry Pi)

http://www.domoticz.com/wiki/Installing_a_PPTP-VPN_server_on_a_Raspberry_Pi

problem: NAT seems broken…

Jun 23 12:19:12 pi pppd[2421]: Connect: ppp0 <--> /dev/pts/1
Jun 23 12:19:15 pi pppd[2421]: peer from calling number 80.252.84.2 authorized
Jun 23 12:19:15 pi pppd[2421]: MPPE 128-bit stateless compression enabled
Jun 23 12:19:15 pi pppd[2421]: local IP address 89.18.174.10
Jun 23 12:19:15 pi pppd[2421]: remote IP address 192.168.1.1
Jun 23 12:19:16 pi kernel: [ 322.838123] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=55 TOS=0x00 PREC=0x00 TTL=254 ID=33883 PROTO=UDP SPT=58293 DPT=53 LEN=35
Jun 23 12:19:16 pi kernel: [ 322.838236] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=87 TOS=0x00 PREC=0x00 TTL=254 ID=33984 PROTO=UDP SPT=55601 DPT=53 LEN=67
Jun 23 12:19:16 pi kernel: [ 322.838324] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=254 ID=103 PROTO=UDP SPT=60048 DPT=53 LEN=49
Jun 23 12:19:16 pi kernel: [ 322.838850] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=59 TOS=0x00 PREC=0x00 TTL=254 ID=52840 PROTO=UDP SPT=57961 DPT=53 LEN=39
Jun 23 12:19:16 pi kernel: [ 322.84024

so tried allowing 192.168.1.1 using "ufw allow" – no joy
then tried to allow the default forwarding policy: still no joy
/etc/default/ufw
>>> DEFAULT_FORWARD_POLICY="ACCEPT"
service ufw restart

disabling ufw still doesn’t work – is PPTP really dead?
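The [UFW BLOCK] lines above can be triaged mechanically. This parser is an added example, not part of the original post: it pulls the key=value fields out of each line and infers the netfilter chain from the IN=/OUT= interfaces, so the blocked DNS packets show up as ppp0-to-eth0 FORWARD drops, which a plain "ufw allow" (an INPUT rule) never touches. The third log line in the sample is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: the first two [UFW BLOCK] lines from the PPTP test above, plus one
# constructed INPUT-chain line (OUT= empty) for contrast.
SAMPLE_LOG = """\
Jun 23 12:19:16 pi kernel: [ 322.838123] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=55 TOS=0x00 PREC=0x00 TTL=254 ID=33883 PROTO=UDP SPT=58293 DPT=53 LEN=35
Jun 23 12:19:16 pi kernel: [ 322.838236] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=87 TOS=0x00 PREC=0x00 TTL=254 ID=33984 PROTO=UDP SPT=55601 DPT=53 LEN=67
Jun 23 12:20:01 pi kernel: [ 367.000001] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:00:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=89.18.174.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # key=value tokens; bare flags such as DF/SYN are skipped


def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD.findall(line.split("[UFW BLOCK]", 1)[1]))


def chain_of(fields):
    """Infer the netfilter chain from the interfaces: both IN and OUT set means the
    packet was being routed (FORWARD); only IN is INPUT; only OUT is OUTPUT."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    return "INPUT" if fields.get("IN") else "OUTPUT"


def summarize(log_text):
    """Count blocked flows, keyed by (chain, in, out, src, dst, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None:
            continue
        counts[(chain_of(f), f.get("IN", ""), f.get("OUT", ""), f.get("SRC", ""),
                f.get("DST", ""), f.get("PROTO", ""), f.get("DPT", ""))] += 1
    return counts


def forward_blocks_from(iface, log_text):
    """Flows dropped in FORWARD after entering on `iface`. These need a FORWARD rule
    (DEFAULT_FORWARD_POLICY, or 'ufw route allow' on ufw 0.34 and newer); a plain
    'ufw allow' only adds INPUT rules and cannot help here."""
    return {k: n for k, n in summarize(log_text).items() if k[0] == "FORWARD" and k[1] == iface}


if __name__ == "__main__":
    for flow, n in forward_blocks_from("ppp0", SAMPLE_LOG).items():
        print(n, "x", flow)
```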

now for L2TP:

Install the necessary packages.
sudo apt-get install openswan ppp xl2tpd

asked whether I want to create a cert for this host – yes:
“create”
“self-sign”

Alternatively you can reject this option and later use the command “dpkg-reconfigure openswan” to come back.

Using the following setup:

172.31.1.11 Ubuntu Server IP Address
172.31.1.1 Gateway Internal IP

On your router, forward ports 500/udp and 4500/udp to the server
(e.g. ufw allow 500/udp) etc…

===================
Here’s my /etc/ipsec.conf file.
===================

version 2.0

config setup
    nat_traversal=yes
    # canonical /16 for the 192.168.x.x range; the original line had 192.168.1.0/16, which has host bits set
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf

==================
Here’s my /etc/ipsec.d/l2tp-psk.conf file.
(change left & leftnexthop values)
Important NOTE: dpd entries allow you to connect multiple times without having to restart IPSEC…Thanks to user “FTT” for this
==================

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=172.31.1.11
    leftnexthop=172.31.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    # Uncomment the line below for OSX on MAC? untested!
    #rightprotoport=17/0

==================
Here’s my /etc/xl2tpd/xl2tpd.conf file.
(change ip range & local ip)
Important NOTES: the “local ip” value must be outside “ip range”.
Both “local ip” and “ip range” MUST be outside the DHCP range on your local router or DHCP server – I am using .17 for local ip and .18–.19 for VPN IP assignment.
==================

[global]
ipsec saref = yes
[lns default]
ip range = 172.31.1.18-172.31.1.19
local ip = 172.31.1.17
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

==================
Here’s my /etc/ppp/options.xl2tpd file.
(change ms-dns value)
==================

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

==================
Here’s my /etc/ppp/chap-secrets file.
(change username & password values)
Example uses (username=test and password=testpass)
Important NOTE: the IP address at the end of each line (.233 in the original note, 172.31.1.18 here) must be in the “ip range” from the /etc/xl2tpd/xl2tpd.conf setting. Repeat for additional users using different IP addresses within the range.
==================

# client  server  secret    IP addresses
test   l2tpd  testpass  172.31.1.18
l2tpd  test   testpass  172.31.1.18
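The address rules stated above (local ip outside ip range, both outside the router's DHCP pool, every chap-secrets address inside ip range) can be checked before restarting anything. This checker is an added example, not part of the original post; it reads copies of the two files shown above and assumes a DHCP pool of 172.31.1.100-172.31.1.199, which the page does not give.

```python
import configparser
import ipaddress

# Constructed copies of the two files shown above (xl2tpd.conf and chap-secrets).
XL2TPD_CONF = """\
[global]
ipsec saref = yes
[lns default]
ip range = 172.31.1.18-172.31.1.19
local ip = 172.31.1.17
require authentication = yes
"""
CHAP_SECRETS = """\
# client  server  secret    IP addresses
test   l2tpd  testpass  172.31.1.18
l2tpd  test   testpass  172.31.1.18
"""
# Assumed router DHCP pool; the page only says the VPN addresses must lie outside it.
DHCP_POOL = "172.31.1.100-172.31.1.199"


def ip_range(spec):
    """'a-b' -> (int(a), int(b)), so membership and overlap tests are integer comparisons."""
    lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
    return lo, hi


def in_range(addr, rng):
    return rng[0] <= int(ipaddress.IPv4Address(addr)) <= rng[1]


def check_address_plan(xl2tpd_conf, chap_secrets, dhcp_pool):
    """Return the list of violated rules; an empty list means the plan is consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(xl2tpd_conf)
    lns = cp["lns default"]
    pool, dhcp, local = ip_range(lns["ip range"]), ip_range(dhcp_pool), lns["local ip"]
    problems = []
    if in_range(local, pool):
        problems.append("local ip %s must be outside ip range" % local)
    if in_range(local, dhcp):
        problems.append("local ip %s lies inside the DHCP pool" % local)
    if pool[0] <= dhcp[1] and dhcp[0] <= pool[1]:
        problems.append("ip range overlaps the DHCP pool")
    for line in chap_secrets.splitlines():
        parts = line.split("#", 1)[0].split()  # client server secret [IP addresses ...]
        for addr in parts[3:]:
            if addr != "*" and not in_range(addr, pool):
                problems.append("chap-secrets IP %s for %s is outside ip range" % (addr, parts[0]))
    return problems
```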

==================
Here’s my /etc/ipsec.secrets file. (change IP address & Secret values)
==================


include /var/lib/openswan/ipsec.secrets.inc
172.31.1.11 %any: PSK "TestSecret"

================

Run these three commands to restart everything


sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart

==================

Run the following command; you should get the text below.


sudo ipsec verify

Got a warning: disabled it for eth0

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

==================

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

If the two netkey / ICMP lines fail, don’t worry… it should still work. Not sure why this happens for some and not others. I tried changing the ipv4 ICMP settings and got no change in the verify results. Not quite sure what the problem is here yet?

=========

Last but not least, place the following line into your /etc/rc.local file, above the final "exit 0"
(this enables forwarding of packets so you can access WAN addresses, not just LAN addresses, and makes it persistent across reboots):

echo 1 > /proc/sys/net/ipv4/ip_forward

=========

Running the following command enables it right away, no need to reboot:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

(permission denied with "sudo echo 1 > /proc/sys/net/ipv4/ip_forward"? That is expected: the redirection is performed by the unprivileged shell, not by sudo, so the write has to happen inside the root process – tee as above, or "sudo sysctl -w net.ipv4.ip_forward=1".)

==================

Now for the iPhone Setup

Settings -> General -> Network -> VPN -> Add VPN Configuration

L2TP
Description: WhateverYouWantToCallIt
Server: WANipAddress (could be a DynamicDNS URL)
Account: test
RSA SecurID=OFF
Password: testpass
Secret: TestSecret
Send All Traffic=On

Save it, then turn your VPN on; it should connect and you will see a VPN icon in the upper status bar (left side on the 3GS, right side on the 4). Now all your traffic will be protected in WiFi hotspots, 3G, etc.

if /var/log/syslog complains about:

ipsec__plutorun: 003 "/etc/ipsec.secrets" line 16: error loading RSA private key file

then rewriting the key in PEM format may very well help (ipsec.secrets then has to point at the converted file):

root@:/etc/ipsec.d/private# openssl rsa -in vpn.example.com.key -outform pem -out vpn.example.com.key.new
writing RSA key